diff --git a/go.mod b/go.mod
index 14781faf..4c6bfc38 100644
--- a/go.mod
+++ b/go.mod
@@ -5,51 +5,55 @@ go 1.23.5
 toolchain go1.24.1
 
 require (
-	coopcloud.tech/tagcmp v0.0.0-20230809071031-eb3e7758d4eb
+	coopcloud.tech/tagcmp v0.0.0-20250427094623-9ea3bbbde8e5
 	git.coopcloud.tech/toolshed/godotenv v1.5.2-0.20250103171850-4d0ca41daa5c
 	github.com/AlecAivazis/survey/v2 v2.3.7
-	github.com/charmbracelet/bubbletea v1.3.4
+	github.com/charmbracelet/bubbletea v1.3.6
 	github.com/charmbracelet/lipgloss v1.1.0
-	github.com/charmbracelet/log v0.4.1
+	github.com/charmbracelet/log v0.4.2
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v28.0.1+incompatible
-	github.com/docker/docker v28.0.1+incompatible
+	github.com/docker/cli v28.3.3+incompatible
+	github.com/docker/docker v28.3.3+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/go-git/go-git/v5 v5.14.0
+	github.com/go-git/go-git/v5 v5.16.2
 	github.com/google/go-cmp v0.7.0
 	github.com/leonelquinteros/gotext v1.7.2
 	github.com/moby/sys/signal v0.7.1
 	github.com/moby/term v0.5.2
 	github.com/pkg/errors v0.9.1
 	github.com/schollz/progressbar/v3 v3.18.0
-	golang.org/x/term v0.30.0
+	golang.org/x/term v0.34.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
 )
 
 require (
-	dario.cat/mergo v1.0.1 // indirect
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	dario.cat/mergo v1.0.2 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
-	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProtonMail/go-crypto v1.1.6 // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
-	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/colorprofile v0.3.1 // indirect
+	github.com/charmbracelet/x/ansi v0.10.1 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/cloudflare/circl v1.6.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -60,13 +64,13 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@@ -83,8 +87,10 @@ require (
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
-	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/go-archive v0.1.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
@@ -95,42 +101,42 @@ require (
 	github.com/opencontainers/runc v1.1.13 // indirect
 	github.com/opencontainers/runtime-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pjbgf/sha1cd v0.4.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.63.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
-	golang.org/x/net v0.37.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
-	google.golang.org/grpc v1.71.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/exp v0.0.0-20250811191247-51f88131bc50 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a // indirect
+	google.golang.org/grpc v1.74.2 // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
@@ -143,15 +149,15 @@ require (
 	github.com/fvbommel/sortorder v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.7
+	github.com/hashicorp/go-retryablehttp v0.7.8
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/prometheus/client_golang v1.21.1 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/prometheus/client_golang v1.23.0 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/theupdateframework/notary v0.7.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
-	golang.org/x/sys v0.31.0
+	golang.org/x/sys v0.35.0
 )
diff --git a/go.sum b/go.sum
index 62c6ce16..8db9fdbd 100644
--- a/go.sum
+++ b/go.sum
@@ -24,13 +24,19 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 coopcloud.tech/tagcmp v0.0.0-20230809071031-eb3e7758d4eb h1:Ws6WEwKXeaYEkfdkX6AqX1XLPuaCeyStEtxbmEJPllk=
 coopcloud.tech/tagcmp v0.0.0-20230809071031-eb3e7758d4eb/go.mod h1:ESVm0wQKcbcFi06jItF3rI7enf4Jt2PvbkWpDDHk1DQ=
+coopcloud.tech/tagcmp v0.0.0-20250427094623-9ea3bbbde8e5 h1:tphJCjFJw9fdjyKnbU0f7f3z5KtYE8VbUcAfu+oHKg8=
+coopcloud.tech/tagcmp v0.0.0-20250427094623-9ea3bbbde8e5/go.mod h1:ESVm0wQKcbcFi06jItF3rI7enf4Jt2PvbkWpDDHk1DQ=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 git.coopcloud.tech/toolshed/godotenv v1.5.2-0.20250103171850-4d0ca41daa5c h1:oeKnUB79PKYD8D0/unYuu7MRcWryQQWOns8+JL+acrs=
 git.coopcloud.tech/toolshed/godotenv v1.5.2-0.20250103171850-4d0ca41daa5c/go.mod h1:fQuhwrpg6qb9NlFXKYi/LysWu1wxjraS8sxyW12CUF0=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
 github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
 github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
@@ -51,6 +57,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
@@ -81,6 +89,8 @@ github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDe
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw=
 github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
+github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
+github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
@@ -130,21 +140,32 @@ github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3k
 github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
 github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
+github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
+github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
+github.com/charmbracelet/colorprofile v0.3.1 h1:k8dTHMd7fgw4bnFd7jXTLZrSU/CQrKnL3m+AxCzDz40=
+github.com/charmbracelet/colorprofile v0.3.1/go.mod h1:/GkGusxNs8VB/RSOh3fu0TJmQ4ICMMPApIIVn0KszZ0=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/log v0.4.1 h1:6AYnoHKADkghm/vt4neaNEXkxcXLSV2g1rdyFDOpTyk=
 github.com/charmbracelet/log v0.4.1/go.mod h1:pXgyTsqsVu4N9hGdHmQ0xEA4RsXof402LX9ZgiITn2I=
+github.com/charmbracelet/log v0.4.2 h1:hYt8Qj6a8yLnvR+h7MwsJv/XvmBJXiueUcI3cIxsyig=
+github.com/charmbracelet/log v0.4.2/go.mod h1:qifHGX/tc7eluv2R6pWIpyHDDrrb/AG71Pf2ysQu5nw=
 github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
 github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
+github.com/charmbracelet/x/ansi v0.10.1 h1:rL3Koar5XvX0pHGfovN03f5cxLbCF2YvLeyz7D2jVDQ=
+github.com/charmbracelet/x/ansi v0.10.1/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
 github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/exp/golden v0.0.0-20240806155701-69247e0abc2a h1:G99klV19u0QnhiizODirwVksQB91TJKV/UaTnACcG30=
@@ -170,6 +191,8 @@ github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004 h1:lkAMpLVBDaj17e
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
 github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
 github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
@@ -215,6 +238,10 @@ github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cE
 github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y=
 github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ=
 github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
@@ -237,6 +264,8 @@ github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3
 github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c=
 github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
 github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
+github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
+github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM=
 github.com/containerd/stargz-snapshotter/estargz v0.11.0/go.mod h1:/KsZXsJRllMbTKFfG0miFQWViQKdI9+9aSXs+HN0+ac=
 github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
@@ -285,6 +314,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
+github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
@@ -314,6 +345,8 @@ github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyG
 github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v28.0.1+incompatible h1:g0h5NQNda3/CxIsaZfH4Tyf6vpxFth7PYl3hgCPOKzs=
 github.com/docker/cli v28.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v28.3.3+incompatible h1:fp9ZHAr1WWPGdIWBM1b3zLtgCF+83gRdVMTJsUeiyAo=
+github.com/docker/cli v28.3.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
@@ -322,6 +355,8 @@ github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4Kfc
 github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v28.0.1+incompatible h1:FCHjSRdXhNRFjlHMTv4jUNlIBbTeRjrWfeFuJp7jpo0=
 github.com/docker/docker v28.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
@@ -330,6 +365,8 @@ github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c/go.mod h1:CADgU4DSXK
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
@@ -391,6 +428,8 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60=
 github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k=
+github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
+github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -406,6 +445,8 @@ github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTg
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
@@ -424,6 +465,8 @@ github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
 github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
@@ -528,9 +571,12 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -544,6 +590,8 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
+github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
@@ -663,14 +711,20 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
+github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
 github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
+github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
+github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
 github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
 github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0=
@@ -678,6 +732,8 @@ github.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5Xt
 github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
 github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
 github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
+github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
@@ -766,6 +822,8 @@ github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
 github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
+github.com/pjbgf/sha1cd v0.4.0 h1:NXzbL1RvjTUi6kgYZCX3fPwwl27Q1LJndxtUDVfJGRY=
+github.com/pjbgf/sha1cd v0.4.0/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -783,6 +841,8 @@ github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQ
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
 github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc=
+github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE=
 github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -790,6 +850,8 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
@@ -798,6 +860,8 @@ github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
 github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
+github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
+github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -811,6 +875,8 @@ github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
@@ -820,6 +886,7 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -832,6 +899,8 @@ github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvW
 github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
+github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
@@ -872,6 +941,8 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
+github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
 github.com/spf13/viper v1.4.0 h1:yXHLWeravcrgGyFSyCgdYpXQ9dR9c/WED3pg1RhxqEU=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
@@ -950,27 +1021,47 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
 go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
 go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 h1:QcFwRrZLc82r8wODjvyCbP7Ifp3UANaBSmhDSFjnqSc=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0/go.mod h1:CXIWhUomyWBG/oY2/r/kLp6K/cmx9e/7DLpBuuGdLCA=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 h1:zG8GlgXCJQd5BU98C0hZnBbElszTmUgCNCfYneaDL0A=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0/go.mod h1:hOfBCz8kv/wuq73Mx2H2QnWokh/kHZxkh6SNF2bdKtw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 h1:EtFWSnwW9hGObjkIdmlnWSydO+Qs8OwzfzXLUPg4xOc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0/go.mod h1:QjUEoiGCPkvFZ/MjK6ZZfNOS6mfVEVKYE99dFhuN2LI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
 go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
 go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
 go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
 go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
+go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
 go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
 go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
+go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
 go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
 go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
+go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -997,6 +1088,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1009,6 +1102,8 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
+golang.org/x/exp v0.0.0-20250811191247-51f88131bc50 h1:3yiSh9fhy5/RhCSntf4Sy0Tnx50DmMpQ4MQdKKk4yg4=
+golang.org/x/exp v0.0.0-20250811191247-51f88131bc50/go.mod h1:rT6SFzZ7oxADUDx58pcaKFTcZ+inxAa9fTrYx/uVYwg=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1074,6 +1169,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
 golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1093,6 +1190,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
 golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1174,11 +1273,15 @@ golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
 golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1190,6 +1293,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1198,6 +1303,8 @@ golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1293,8 +1400,12 @@ google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7Fc
 google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto/googleapis/api v0.0.0-20250313205543-e70fdf4c4cb4 h1:IFnXJq3UPB3oBREOodn1v1aGQeZYQclEmvWRMN0PSsY=
 google.golang.org/genproto/googleapis/api v0.0.0-20250313205543-e70fdf4c4cb4/go.mod h1:c8q6Z6OCqnfVIqUFJkCzKcrj8eCvUrz+K4KRzSTuANg=
+google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a h1:DMCgtIAIQGZqJXMVzJF4MV8BlWoJh2ZuFiRdAleyr58=
+google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a/go.mod h1:y2yVLIE/CSMCPXaHnSKXxu1spLPnglFLegmgdY23uuE=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 h1:iK2jbkWL86DXjEx0qiHcRE9dE4/Ahua5k6V8OWFb//c=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a h1:tPE/Kp+x9dMSwUm/uM0JKK0IfdiJkwAbSMSeZBXXJXc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.0.5/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1316,6 +1427,8 @@ google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
 google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
+google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1331,6 +1444,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
+google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/cenkalti/backoff.v2 v2.2.1 h1:eJ9UAg01/HIHG987TwxvnzK2MgxXq97YY6rYDpY9aII=
@@ -1370,6 +1485,7 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
diff --git a/vendor/coopcloud.tech/tagcmp/renovate.json b/vendor/coopcloud.tech/tagcmp/renovate.json
deleted file mode 100644
index 7190a60b..00000000
--- a/vendor/coopcloud.tech/tagcmp/renovate.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
-}
diff --git a/vendor/dario.cat/mergo/FUNDING.json b/vendor/dario.cat/mergo/FUNDING.json
new file mode 100644
index 00000000..0585e1fe
--- /dev/null
+++ b/vendor/dario.cat/mergo/FUNDING.json
@@ -0,0 +1,7 @@
+{
+  "drips": {
+    "ethereum": {
+      "ownedBy": "0x6160020e7102237aC41bdb156e94401692D76930"
+    }
+  }
+}
diff --git a/vendor/dario.cat/mergo/README.md b/vendor/dario.cat/mergo/README.md
index 0b3c4888..0e4a59af 100644
--- a/vendor/dario.cat/mergo/README.md
+++ b/vendor/dario.cat/mergo/README.md
@@ -85,7 +85,6 @@ Mergo is used by [thousands](https://deps.dev/go/dario.cat%2Fmergo/v1.0.0/depend
 * [goreleaser/goreleaser](https://github.com/goreleaser/goreleaser)
 * [go-micro/go-micro](https://github.com/go-micro/go-micro)
 * [grafana/loki](https://github.com/grafana/loki)
-* [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
 * [masterminds/sprig](github.com/Masterminds/sprig)
 * [moby/moby](https://github.com/moby/moby)
 * [slackhq/nebula](https://github.com/slackhq/nebula)
@@ -191,10 +190,6 @@ func main() {
 }
 ```
 
-Note: if test are failing due missing package, please execute:
-
-    go get gopkg.in/yaml.v3
-
 ### Transformers
 
 Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, `time.Time` is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero `time.Time`?
diff --git a/vendor/dario.cat/mergo/SECURITY.md b/vendor/dario.cat/mergo/SECURITY.md
index a5de61f7..3788fcc1 100644
--- a/vendor/dario.cat/mergo/SECURITY.md
+++ b/vendor/dario.cat/mergo/SECURITY.md
@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.3.x   | :white_check_mark: |
-| < 0.3   | :x:                |
+| 1.x.x   | :white_check_mark: |
+| < 1.0   | :x:                |
 
 ## Security contact information
 
diff --git a/vendor/github.com/BurntSushi/toml/README.md b/vendor/github.com/BurntSushi/toml/README.md
index 639e6c39..235496ee 100644
--- a/vendor/github.com/BurntSushi/toml/README.md
+++ b/vendor/github.com/BurntSushi/toml/README.md
@@ -3,7 +3,7 @@ reflection interface similar to Go's standard library `json` and `xml` packages.
 
 Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).
 
-Documentation: https://godocs.io/github.com/BurntSushi/toml
+Documentation: https://pkg.go.dev/github.com/BurntSushi/toml
 
 See the [releases page](https://github.com/BurntSushi/toml/releases) for a
 changelog; this information is also in the git tag annotations (e.g. `git show
diff --git a/vendor/github.com/BurntSushi/toml/decode.go b/vendor/github.com/BurntSushi/toml/decode.go
index 7aaf462c..3fa516ca 100644
--- a/vendor/github.com/BurntSushi/toml/decode.go
+++ b/vendor/github.com/BurntSushi/toml/decode.go
@@ -196,6 +196,19 @@ func (md *MetaData) PrimitiveDecode(primValue Primitive, v any) error {
 	return md.unify(primValue.undecoded, rvalue(v))
 }
 
+// markDecodedRecursive is a helper to mark any key under the given tmap as
+// decoded, recursing as needed
+func markDecodedRecursive(md *MetaData, tmap map[string]any) {
+	for key := range tmap {
+		md.decoded[md.context.add(key).String()] = struct{}{}
+		if tmap, ok := tmap[key].(map[string]any); ok {
+			md.context = append(md.context, key)
+			markDecodedRecursive(md, tmap)
+			md.context = md.context[0 : len(md.context)-1]
+		}
+	}
+}
+
 // unify performs a sort of type unification based on the structure of `rv`,
 // which is the client representation.
 //
@@ -222,6 +235,16 @@ func (md *MetaData) unify(data any, rv reflect.Value) error {
 		if err != nil {
 			return md.parseErr(err)
 		}
+		// Assume the Unmarshaler decoded everything, so mark all keys under
+		// this table as decoded.
+		if tmap, ok := data.(map[string]any); ok {
+			markDecodedRecursive(md, tmap)
+		}
+		if aot, ok := data.([]map[string]any); ok {
+			for _, tmap := range aot {
+				markDecodedRecursive(md, tmap)
+			}
+		}
 		return nil
 	}
 	if v, ok := rvi.(encoding.TextUnmarshaler); ok {
@@ -540,12 +563,14 @@ func (md *MetaData) badtype(dst string, data any) error {
 
 func (md *MetaData) parseErr(err error) error {
 	k := md.context.String()
+	d := string(md.data)
 	return ParseError{
-		LastKey:  k,
-		Position: md.keyInfo[k].pos,
-		Line:     md.keyInfo[k].pos.Line,
+		Message:  err.Error(),
 		err:      err,
-		input:    string(md.data),
+		LastKey:  k,
+		Position: md.keyInfo[k].pos.withCol(d),
+		Line:     md.keyInfo[k].pos.Line,
+		input:    d,
 	}
 }
 
diff --git a/vendor/github.com/BurntSushi/toml/encode.go b/vendor/github.com/BurntSushi/toml/encode.go
index 73366c0d..ac196e7d 100644
--- a/vendor/github.com/BurntSushi/toml/encode.go
+++ b/vendor/github.com/BurntSushi/toml/encode.go
@@ -402,31 +402,30 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 
 	// Sort keys so that we have deterministic output. And write keys directly
 	// underneath this key first, before writing sub-structs or sub-maps.
-	var mapKeysDirect, mapKeysSub []string
+	var mapKeysDirect, mapKeysSub []reflect.Value
 	for _, mapKey := range rv.MapKeys() {
-		k := mapKey.String()
 		if typeIsTable(tomlTypeOfGo(eindirect(rv.MapIndex(mapKey)))) {
-			mapKeysSub = append(mapKeysSub, k)
+			mapKeysSub = append(mapKeysSub, mapKey)
 		} else {
-			mapKeysDirect = append(mapKeysDirect, k)
+			mapKeysDirect = append(mapKeysDirect, mapKey)
 		}
 	}
 
-	var writeMapKeys = func(mapKeys []string, trailC bool) {
-		sort.Strings(mapKeys)
+	writeMapKeys := func(mapKeys []reflect.Value, trailC bool) {
+		sort.Slice(mapKeys, func(i, j int) bool { return mapKeys[i].String() < mapKeys[j].String() })
 		for i, mapKey := range mapKeys {
-			val := eindirect(rv.MapIndex(reflect.ValueOf(mapKey)))
+			val := eindirect(rv.MapIndex(mapKey))
 			if isNil(val) {
 				continue
 			}
 
 			if inline {
-				enc.writeKeyValue(Key{mapKey}, val, true)
+				enc.writeKeyValue(Key{mapKey.String()}, val, true)
 				if trailC || i != len(mapKeys)-1 {
 					enc.wf(", ")
 				}
 			} else {
-				enc.encode(key.add(mapKey), val)
+				enc.encode(key.add(mapKey.String()), val)
 			}
 		}
 	}
@@ -441,8 +440,6 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 	}
 }
 
-const is32Bit = (32 << (^uint(0) >> 63)) == 32
-
 func pointerTo(t reflect.Type) reflect.Type {
 	if t.Kind() == reflect.Ptr {
 		return pointerTo(t.Elem())
@@ -477,15 +474,14 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 
 			frv := eindirect(rv.Field(i))
 
-			if is32Bit {
-				// Copy so it works correct on 32bit archs; not clear why this
-				// is needed. See #314, and https://www.reddit.com/r/golang/comments/pnx8v4
-				// This also works fine on 64bit, but 32bit archs are somewhat
-				// rare and this is a wee bit faster.
-				copyStart := make([]int, len(start))
-				copy(copyStart, start)
-				start = copyStart
-			}
+			// Need to make a copy because ... ehm, I don't know why... I guess
+			// allocating a new array can cause it to fail(?)
+			//
+			// Done for: https://github.com/BurntSushi/toml/issues/430
+			// Previously only on 32bit for: https://github.com/BurntSushi/toml/issues/314
+			copyStart := make([]int, len(start))
+			copy(copyStart, start)
+			start = copyStart
 
 			// Treat anonymous struct fields with tag names as though they are
 			// not anonymous, like encoding/json does.
@@ -507,7 +503,7 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	}
 	addFields(rt, rv, nil)
 
-	writeFields := func(fields [][]int) {
+	writeFields := func(fields [][]int, totalFields int) {
 		for _, fieldIndex := range fields {
 			fieldType := rt.FieldByIndex(fieldIndex)
 			fieldVal := rv.FieldByIndex(fieldIndex)
@@ -537,7 +533,7 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 
 			if inline {
 				enc.writeKeyValue(Key{keyName}, fieldVal, true)
-				if fieldIndex[0] != len(fields)-1 {
+				if fieldIndex[0] != totalFields-1 {
 					enc.wf(", ")
 				}
 			} else {
@@ -549,8 +545,10 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	if inline {
 		enc.wf("{")
 	}
-	writeFields(fieldsDirect)
-	writeFields(fieldsSub)
+
+	l := len(fieldsDirect) + len(fieldsSub)
+	writeFields(fieldsDirect, l)
+	writeFields(fieldsSub, l)
 	if inline {
 		enc.wf("}")
 	}
diff --git a/vendor/github.com/BurntSushi/toml/error.go b/vendor/github.com/BurntSushi/toml/error.go
index b45a3f45..b7077d3a 100644
--- a/vendor/github.com/BurntSushi/toml/error.go
+++ b/vendor/github.com/BurntSushi/toml/error.go
@@ -67,21 +67,36 @@ type ParseError struct {
 // Position of an error.
 type Position struct {
 	Line  int // Line number, starting at 1.
+	Col   int // Error column, starting at 1.
 	Start int // Start of error, as byte offset starting at 0.
-	Len   int // Lenght in bytes.
+	Len   int // Length of the error in bytes.
+}
+
+func (p Position) withCol(tomlFile string) Position {
+	var (
+		pos   int
+		lines = strings.Split(tomlFile, "\n")
+	)
+	for i := range lines {
+		ll := len(lines[i]) + 1 // +1 for the removed newline
+		if pos+ll >= p.Start {
+			p.Col = p.Start - pos + 1
+			if p.Col < 1 { // Should never happen, but just in case.
+				p.Col = 1
+			}
+			break
+		}
+		pos += ll
+	}
+	return p
 }
 
 func (pe ParseError) Error() string {
-	msg := pe.Message
-	if msg == "" { // Error from errorf()
-		msg = pe.err.Error()
-	}
-
 	if pe.LastKey == "" {
-		return fmt.Sprintf("toml: line %d: %s", pe.Position.Line, msg)
+		return fmt.Sprintf("toml: line %d: %s", pe.Position.Line, pe.Message)
 	}
 	return fmt.Sprintf("toml: line %d (last key %q): %s",
-		pe.Position.Line, pe.LastKey, msg)
+		pe.Position.Line, pe.LastKey, pe.Message)
 }
 
 // ErrorWithPosition returns the error with detailed location context.
@@ -92,26 +107,19 @@ func (pe ParseError) ErrorWithPosition() string {
 		return pe.Error()
 	}
 
-	var (
-		lines = strings.Split(pe.input, "\n")
-		col   = pe.column(lines)
-		b     = new(strings.Builder)
-	)
-
-	msg := pe.Message
-	if msg == "" {
-		msg = pe.err.Error()
-	}
-
 	// TODO: don't show control characters as literals? This may not show up
 	// well everywhere.
 
+	var (
+		lines = strings.Split(pe.input, "\n")
+		b     = new(strings.Builder)
+	)
 	if pe.Position.Len == 1 {
 		fmt.Fprintf(b, "toml: error: %s\n\nAt line %d, column %d:\n\n",
-			msg, pe.Position.Line, col+1)
+			pe.Message, pe.Position.Line, pe.Position.Col)
 	} else {
 		fmt.Fprintf(b, "toml: error: %s\n\nAt line %d, column %d-%d:\n\n",
-			msg, pe.Position.Line, col, col+pe.Position.Len)
+			pe.Message, pe.Position.Line, pe.Position.Col, pe.Position.Col+pe.Position.Len-1)
 	}
 	if pe.Position.Line > 2 {
 		fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line-2, expandTab(lines[pe.Position.Line-3]))
@@ -129,7 +137,7 @@ func (pe ParseError) ErrorWithPosition() string {
 	diff := len(expanded) - len(lines[pe.Position.Line-1])
 
 	fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line, expanded)
-	fmt.Fprintf(b, "% 10s%s%s\n", "", strings.Repeat(" ", col+diff), strings.Repeat("^", pe.Position.Len))
+	fmt.Fprintf(b, "% 10s%s%s\n", "", strings.Repeat(" ", pe.Position.Col-1+diff), strings.Repeat("^", pe.Position.Len))
 	return b.String()
 }
 
@@ -151,23 +159,6 @@ func (pe ParseError) ErrorWithUsage() string {
 	return m
 }
 
-func (pe ParseError) column(lines []string) int {
-	var pos, col int
-	for i := range lines {
-		ll := len(lines[i]) + 1 // +1 for the removed newline
-		if pos+ll >= pe.Position.Start {
-			col = pe.Position.Start - pos
-			if col < 0 { // Should never happen, but just in case.
-				col = 0
-			}
-			break
-		}
-		pos += ll
-	}
-
-	return col
-}
-
 func expandTab(s string) string {
 	var (
 		b    strings.Builder
diff --git a/vendor/github.com/BurntSushi/toml/lex.go b/vendor/github.com/BurntSushi/toml/lex.go
index a1016d98..1c3b4770 100644
--- a/vendor/github.com/BurntSushi/toml/lex.go
+++ b/vendor/github.com/BurntSushi/toml/lex.go
@@ -275,7 +275,9 @@ func (lx *lexer) errorPos(start, length int, err error) stateFn {
 func (lx *lexer) errorf(format string, values ...any) stateFn {
 	if lx.atEOF {
 		pos := lx.getPos()
-		pos.Line--
+		if lx.pos >= 1 && lx.input[lx.pos-1] == '\n' {
+			pos.Line--
+		}
 		pos.Len = 1
 		pos.Start = lx.pos - 1
 		lx.items <- item{typ: itemError, pos: pos, err: fmt.Errorf(format, values...)}
@@ -492,6 +494,9 @@ func lexKeyEnd(lx *lexer) stateFn {
 		lx.emit(itemKeyEnd)
 		return lexSkip(lx, lexValue)
 	default:
+		if r == '\n' {
+			return lx.errorPrevLine(fmt.Errorf("expected '.' or '=', but got %q instead", r))
+		}
 		return lx.errorf("expected '.' or '=', but got %q instead", r)
 	}
 }
@@ -560,6 +565,9 @@ func lexValue(lx *lexer) stateFn {
 	if r == eof {
 		return lx.errorf("unexpected EOF; expected value")
 	}
+	if r == '\n' {
+		return lx.errorPrevLine(fmt.Errorf("expected value but found %q instead", r))
+	}
 	return lx.errorf("expected value but found %q instead", r)
 }
 
@@ -1111,7 +1119,7 @@ func lexBaseNumberOrDate(lx *lexer) stateFn {
 	case 'x':
 		r = lx.peek()
 		if !isHex(r) {
-			lx.errorf("not a hexidecimal number: '%s%c'", lx.current(), r)
+			lx.errorf("not a hexadecimal number: '%s%c'", lx.current(), r)
 		}
 		return lexHexInteger
 	}
@@ -1259,23 +1267,6 @@ func isBinary(r rune) bool { return r == '0' || r == '1' }
 func isOctal(r rune) bool  { return r >= '0' && r <= '7' }
 func isHex(r rune) bool    { return (r >= '0' && r <= '9') || (r|0x20 >= 'a' && r|0x20 <= 'f') }
 func isBareKeyChar(r rune, tomlNext bool) bool {
-	if tomlNext {
-		return (r >= 'A' && r <= 'Z') ||
-			(r >= 'a' && r <= 'z') ||
-			(r >= '0' && r <= '9') ||
-			r == '_' || r == '-' ||
-			r == 0xb2 || r == 0xb3 || r == 0xb9 || (r >= 0xbc && r <= 0xbe) ||
-			(r >= 0xc0 && r <= 0xd6) || (r >= 0xd8 && r <= 0xf6) || (r >= 0xf8 && r <= 0x037d) ||
-			(r >= 0x037f && r <= 0x1fff) ||
-			(r >= 0x200c && r <= 0x200d) || (r >= 0x203f && r <= 0x2040) ||
-			(r >= 0x2070 && r <= 0x218f) || (r >= 0x2460 && r <= 0x24ff) ||
-			(r >= 0x2c00 && r <= 0x2fef) || (r >= 0x3001 && r <= 0xd7ff) ||
-			(r >= 0xf900 && r <= 0xfdcf) || (r >= 0xfdf0 && r <= 0xfffd) ||
-			(r >= 0x10000 && r <= 0xeffff)
-	}
-
-	return (r >= 'A' && r <= 'Z') ||
-		(r >= 'a' && r <= 'z') ||
-		(r >= '0' && r <= '9') ||
-		r == '_' || r == '-'
+	return (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') ||
+		(r >= '0' && r <= '9') || r == '_' || r == '-'
 }
diff --git a/vendor/github.com/BurntSushi/toml/meta.go b/vendor/github.com/BurntSushi/toml/meta.go
index e6145373..0d337026 100644
--- a/vendor/github.com/BurntSushi/toml/meta.go
+++ b/vendor/github.com/BurntSushi/toml/meta.go
@@ -135,9 +135,6 @@ func (k Key) maybeQuoted(i int) string {
 
 // Like append(), but only increase the cap by 1.
 func (k Key) add(piece string) Key {
-	if cap(k) > len(k) {
-		return append(k, piece)
-	}
 	newKey := make(Key, len(k)+1)
 	copy(newKey, k)
 	newKey[len(k)] = piece
diff --git a/vendor/github.com/BurntSushi/toml/parse.go b/vendor/github.com/BurntSushi/toml/parse.go
index 11ac3108..e3ea8a9a 100644
--- a/vendor/github.com/BurntSushi/toml/parse.go
+++ b/vendor/github.com/BurntSushi/toml/parse.go
@@ -50,7 +50,6 @@ func parse(data string) (p *parser, err error) {
 	// it anyway.
 	if strings.HasPrefix(data, "\xff\xfe") || strings.HasPrefix(data, "\xfe\xff") { // UTF-16
 		data = data[2:]
-		//lint:ignore S1017 https://github.com/dominikh/go-tools/issues/1447
 	} else if strings.HasPrefix(data, "\xef\xbb\xbf") { // UTF-8
 		data = data[3:]
 	}
@@ -65,7 +64,7 @@ func parse(data string) (p *parser, err error) {
 	if i := strings.IndexRune(data[:ex], 0); i > -1 {
 		return nil, ParseError{
 			Message:  "files cannot contain NULL bytes; probably using UTF-16; TOML files must be UTF-8",
-			Position: Position{Line: 1, Start: i, Len: 1},
+			Position: Position{Line: 1, Col: 1, Start: i, Len: 1},
 			Line:     1,
 			input:    data,
 		}
@@ -92,8 +91,9 @@ func parse(data string) (p *parser, err error) {
 
 func (p *parser) panicErr(it item, err error) {
 	panic(ParseError{
+		Message:  err.Error(),
 		err:      err,
-		Position: it.pos,
+		Position: it.pos.withCol(p.lx.input),
 		Line:     it.pos.Len,
 		LastKey:  p.current(),
 	})
@@ -102,7 +102,7 @@ func (p *parser) panicErr(it item, err error) {
 func (p *parser) panicItemf(it item, format string, v ...any) {
 	panic(ParseError{
 		Message:  fmt.Sprintf(format, v...),
-		Position: it.pos,
+		Position: it.pos.withCol(p.lx.input),
 		Line:     it.pos.Len,
 		LastKey:  p.current(),
 	})
@@ -111,7 +111,7 @@ func (p *parser) panicItemf(it item, format string, v ...any) {
 func (p *parser) panicf(format string, v ...any) {
 	panic(ParseError{
 		Message:  fmt.Sprintf(format, v...),
-		Position: p.pos,
+		Position: p.pos.withCol(p.lx.input),
 		Line:     p.pos.Line,
 		LastKey:  p.current(),
 	})
@@ -123,10 +123,11 @@ func (p *parser) next() item {
 	if it.typ == itemError {
 		if it.err != nil {
 			panic(ParseError{
-				Position: it.pos,
+				Message:  it.err.Error(),
+				err:      it.err,
+				Position: it.pos.withCol(p.lx.input),
 				Line:     it.pos.Line,
 				LastKey:  p.current(),
-				err:      it.err,
 			})
 		}
 
@@ -527,7 +528,7 @@ func numUnderscoresOK(s string) bool {
 			}
 		}
 
-		// isHexis a superset of all the permissable characters surrounding an
+		// isHex is a superset of all the permissible characters surrounding an
 		// underscore.
 		accept = isHex(r)
 	}
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/errors/errors.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/errors/errors.go
index e44b4573..2e341507 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/errors/errors.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/errors/errors.go
@@ -180,6 +180,16 @@ func (dke ErrMalformedMessage) Error() string {
 	return "openpgp: malformed message " + string(dke)
 }
 
+type messageTooLargeError int
+
+func (e messageTooLargeError) Error() string {
+	return "openpgp: decompressed message size exceeds provided limit"
+}
+
+// ErrMessageTooLarge is returned if the read data from
+// a compressed packet exceeds the provided limit.
+var ErrMessageTooLarge error = messageTooLargeError(0)
+
 // ErrEncryptionKeySelection is returned if encryption key selection fails (v2 API).
 type ErrEncryptionKeySelection struct {
 	PrimaryKeyId      string
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_config.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_config.go
index fec41a0e..ef100d37 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_config.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_config.go
@@ -37,7 +37,7 @@ func (conf *AEADConfig) Mode() AEADMode {
 
 // ChunkSizeByte returns the byte indicating the chunk size. The effective
 // chunk size is computed with the formula uint64(1) << (chunkSizeByte + 6)
-// limit to 16 = 4 MiB
+// limit chunkSizeByte to 16 which equals to 2^22 = 4 MiB
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (conf *AEADConfig) ChunkSizeByte() byte {
 	if conf == nil || conf.ChunkSize == 0 {
@@ -49,8 +49,8 @@ func (conf *AEADConfig) ChunkSizeByte() byte {
 	switch {
 	case exponent < 6:
 		exponent = 6
-	case exponent > 16:
-		exponent = 16
+	case exponent > 22:
+		exponent = 22
 	}
 
 	return byte(exponent - 6)
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/compressed.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/compressed.go
index 0bcb38ca..931f55a4 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/compressed.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/compressed.go
@@ -98,6 +98,16 @@ func (c *Compressed) parse(r io.Reader) error {
 	return err
 }
 
+// LimitedBodyReader wraps the provided body reader with a limiter that restricts
+// the number of bytes read to the specified limit.
+// If limit is nil, the reader is unbounded.
+func (c *Compressed) LimitedBodyReader(limit *int64) io.Reader {
+	if limit == nil {
+		return c.Body
+	}
+	return &LimitReader{R: c.Body, N: *limit}
+}
+
 // compressedWriterCloser represents the serialized compression stream
 // header and the compressor. Its Close() method ensures that both the
 // compressor and serialized stream header are closed. Its Write()
@@ -159,3 +169,24 @@ func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *Compression
 
 	return
 }
+
+// LimitReader is an io.Reader that fails with MessageToLarge if read bytes exceed N.
+type LimitReader struct {
+	R io.Reader // underlying reader
+	N int64     // max bytes allowed
+}
+
+func (l *LimitReader) Read(p []byte) (int, error) {
+	if l.N <= 0 {
+		return 0, errors.ErrMessageTooLarge
+	}
+
+	n, err := l.R.Read(p)
+	l.N -= int64(n)
+
+	if err == nil && l.N <= 0 {
+		err = errors.ErrMessageTooLarge
+	}
+
+	return n, err
+}
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go
index 257398d9..30167ed9 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go
@@ -178,6 +178,11 @@ type Config struct {
 	// When set to true, a key without flags is treated as if all flags are enabled.
 	// This behavior is consistent with GPG.
 	InsecureAllowAllKeyFlagsWhenMissing bool
+
+	// MaxDecompressedMessageSize specifies the maximum number of bytes that can be
+	// read from a compressed packet. This serves as an upper limit to prevent
+	// excessively large decompressed messages.
+	MaxDecompressedMessageSize *int64
 }
 
 func (c *Config) Random() io.Reader {
@@ -415,6 +420,13 @@ func (c *Config) AllowAllKeyFlagsWhenMissing() bool {
 	return c.InsecureAllowAllKeyFlagsWhenMissing
 }
 
+func (c *Config) DecompressedMessageSizeLimit() *int64 {
+	if c == nil {
+		return nil
+	}
+	return c.MaxDecompressedMessageSize
+}
+
 // BoolPointer is a helper function to set a boolean pointer in the Config.
 // e.g., config.CheckPacketSequence = BoolPointer(true)
 func BoolPointer(value bool) *bool {
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go
index e6dd9b5f..5578797e 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/read.go
@@ -259,7 +259,7 @@ FindLiteralData:
 		}
 		switch p := p.(type) {
 		case *packet.Compressed:
-			if err := packets.Push(p.Body); err != nil {
+			if err := packets.Push(p.LimitedBodyReader(config.DecompressedMessageSizeLimit())); err != nil {
 				return nil, err
 			}
 		case *packet.OnePassSignature:
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/write.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/write.go
index b0f6ef7b..84bc27d8 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/write.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/write.go
@@ -253,34 +253,12 @@ func writeAndSign(payload io.WriteCloser, candidateHashes []uint8, signed *Entit
 	}
 
 	var hash crypto.Hash
-	for _, hashId := range candidateHashes {
-		if h, ok := algorithm.HashIdToHash(hashId); ok && h.Available() {
-			hash = h
-			break
-		}
-	}
-
-	// If the hash specified by config is a candidate, we'll use that.
-	if configuredHash := config.Hash(); configuredHash.Available() {
-		for _, hashId := range candidateHashes {
-			if h, ok := algorithm.HashIdToHash(hashId); ok && h == configuredHash {
-				hash = h
-				break
-			}
-		}
-	}
-
-	if hash == 0 {
-		hashId := candidateHashes[0]
-		name, ok := algorithm.HashIdToString(hashId)
-		if !ok {
-			name = "#" + strconv.Itoa(int(hashId))
-		}
-		return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)")
-	}
-
 	var salt []byte
 	if signer != nil {
+		if hash, err = selectHash(candidateHashes, config.Hash(), signer); err != nil {
+			return nil, err
+		}
+
 		var opsVersion = 3
 		if signer.Version == 6 {
 			opsVersion = signer.Version
@@ -558,13 +536,34 @@ func (s signatureWriter) Close() error {
 	return s.encryptedData.Close()
 }
 
+func selectHashForSigningKey(config *packet.Config, signer *packet.PublicKey) crypto.Hash {
+	acceptableHashes := acceptableHashesToWrite(signer)
+	hash, ok := algorithm.HashToHashId(config.Hash())
+	if !ok {
+		return config.Hash()
+	}
+	for _, acceptableHashes := range acceptableHashes {
+		if acceptableHashes == hash {
+			return config.Hash()
+		}
+	}
+	if len(acceptableHashes) > 0 {
+		defaultAcceptedHash, ok := algorithm.HashIdToHash(acceptableHashes[0])
+		if ok {
+			return defaultAcceptedHash
+		}
+	}
+	return config.Hash()
+}
+
 func createSignaturePacket(signer *packet.PublicKey, sigType packet.SignatureType, config *packet.Config) *packet.Signature {
 	sigLifetimeSecs := config.SigLifetime()
+	hash := selectHashForSigningKey(config, signer)
 	return &packet.Signature{
 		Version:           signer.Version,
 		SigType:           sigType,
 		PubKeyAlgo:        signer.PubKeyAlgo,
-		Hash:              config.Hash(),
+		Hash:              hash,
 		CreationTime:      config.Now(),
 		IssuerKeyId:       &signer.KeyId,
 		IssuerFingerprint: signer.Fingerprint,
@@ -618,3 +617,74 @@ func handleCompression(compressed io.WriteCloser, candidateCompression []uint8,
 	}
 	return data, nil
 }
+
+// selectHash selects the preferred hash given the candidateHashes and the configuredHash
+func selectHash(candidateHashes []byte, configuredHash crypto.Hash, signer *packet.PrivateKey) (hash crypto.Hash, err error) {
+	acceptableHashes := acceptableHashesToWrite(&signer.PublicKey)
+	candidateHashes = intersectPreferences(acceptableHashes, candidateHashes)
+
+	for _, hashId := range candidateHashes {
+		if h, ok := algorithm.HashIdToHash(hashId); ok && h.Available() {
+			hash = h
+			break
+		}
+	}
+
+	// If the hash specified by config is a candidate, we'll use that.
+	if configuredHash.Available() {
+		for _, hashId := range candidateHashes {
+			if h, ok := algorithm.HashIdToHash(hashId); ok && h == configuredHash {
+				hash = h
+				break
+			}
+		}
+	}
+
+	if hash == 0 {
+		if len(acceptableHashes) > 0 {
+			if h, ok := algorithm.HashIdToHash(acceptableHashes[0]); ok {
+				hash = h
+			} else {
+				return 0, errors.UnsupportedError("no candidate hash functions are compiled in.")
+			}
+		} else {
+			return 0, errors.UnsupportedError("no candidate hash functions are compiled in.")
+		}
+	}
+	return
+}
+
+func acceptableHashesToWrite(singingKey *packet.PublicKey) []uint8 {
+	switch singingKey.PubKeyAlgo {
+	case packet.PubKeyAlgoEd448:
+		return []uint8{
+			hashToHashId(crypto.SHA512),
+			hashToHashId(crypto.SHA3_512),
+		}
+	case packet.PubKeyAlgoECDSA, packet.PubKeyAlgoEdDSA:
+		if curve, err := singingKey.Curve(); err == nil {
+			if curve == packet.Curve448 ||
+				curve == packet.CurveNistP521 ||
+				curve == packet.CurveBrainpoolP512 {
+				return []uint8{
+					hashToHashId(crypto.SHA512),
+					hashToHashId(crypto.SHA3_512),
+				}
+			} else if curve == packet.CurveBrainpoolP384 ||
+				curve == packet.CurveNistP384 {
+				return []uint8{
+					hashToHashId(crypto.SHA384),
+					hashToHashId(crypto.SHA512),
+					hashToHashId(crypto.SHA3_512),
+				}
+			}
+		}
+	}
+	return []uint8{
+		hashToHashId(crypto.SHA256),
+		hashToHashId(crypto.SHA384),
+		hashToHashId(crypto.SHA512),
+		hashToHashId(crypto.SHA3_256),
+		hashToHashId(crypto.SHA3_512),
+	}
+}
diff --git a/vendor/github.com/cenkalti/backoff/v4/context.go b/vendor/github.com/cenkalti/backoff/v4/context.go
deleted file mode 100644
index 48482330..00000000
--- a/vendor/github.com/cenkalti/backoff/v4/context.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package backoff
-
-import (
-	"context"
-	"time"
-)
-
-// BackOffContext is a backoff policy that stops retrying after the context
-// is canceled.
-type BackOffContext interface { // nolint: golint
-	BackOff
-	Context() context.Context
-}
-
-type backOffContext struct {
-	BackOff
-	ctx context.Context
-}
-
-// WithContext returns a BackOffContext with context ctx
-//
-// ctx must not be nil
-func WithContext(b BackOff, ctx context.Context) BackOffContext { // nolint: golint
-	if ctx == nil {
-		panic("nil context")
-	}
-
-	if b, ok := b.(*backOffContext); ok {
-		return &backOffContext{
-			BackOff: b.BackOff,
-			ctx:     ctx,
-		}
-	}
-
-	return &backOffContext{
-		BackOff: b,
-		ctx:     ctx,
-	}
-}
-
-func getContext(b BackOff) context.Context {
-	if cb, ok := b.(BackOffContext); ok {
-		return cb.Context()
-	}
-	if tb, ok := b.(*backOffTries); ok {
-		return getContext(tb.delegate)
-	}
-	return context.Background()
-}
-
-func (b *backOffContext) Context() context.Context {
-	return b.ctx
-}
-
-func (b *backOffContext) NextBackOff() time.Duration {
-	select {
-	case <-b.ctx.Done():
-		return Stop
-	default:
-		return b.BackOff.NextBackOff()
-	}
-}
diff --git a/vendor/github.com/cenkalti/backoff/v4/exponential.go b/vendor/github.com/cenkalti/backoff/v4/exponential.go
deleted file mode 100644
index aac99f19..00000000
--- a/vendor/github.com/cenkalti/backoff/v4/exponential.go
+++ /dev/null
@@ -1,216 +0,0 @@
-package backoff
-
-import (
-	"math/rand"
-	"time"
-)
-
-/*
-ExponentialBackOff is a backoff implementation that increases the backoff
-period for each retry attempt using a randomization function that grows exponentially.
-
-NextBackOff() is calculated using the following formula:
-
- randomized interval =
-     RetryInterval * (random value in range [1 - RandomizationFactor, 1 + RandomizationFactor])
-
-In other words NextBackOff() will range between the randomization factor
-percentage below and above the retry interval.
-
-For example, given the following parameters:
-
- RetryInterval = 2
- RandomizationFactor = 0.5
- Multiplier = 2
-
-the actual backoff period used in the next retry attempt will range between 1 and 3 seconds,
-multiplied by the exponential, that is, between 2 and 6 seconds.
-
-Note: MaxInterval caps the RetryInterval and not the randomized interval.
-
-If the time elapsed since an ExponentialBackOff instance is created goes past the
-MaxElapsedTime, then the method NextBackOff() starts returning backoff.Stop.
-
-The elapsed time can be reset by calling Reset().
-
-Example: Given the following default arguments, for 10 tries the sequence will be,
-and assuming we go over the MaxElapsedTime on the 10th try:
-
- Request #  RetryInterval (seconds)  Randomized Interval (seconds)
-
-  1          0.5                     [0.25,   0.75]
-  2          0.75                    [0.375,  1.125]
-  3          1.125                   [0.562,  1.687]
-  4          1.687                   [0.8435, 2.53]
-  5          2.53                    [1.265,  3.795]
-  6          3.795                   [1.897,  5.692]
-  7          5.692                   [2.846,  8.538]
-  8          8.538                   [4.269, 12.807]
-  9         12.807                   [6.403, 19.210]
- 10         19.210                   backoff.Stop
-
-Note: Implementation is not thread-safe.
-*/
-type ExponentialBackOff struct {
-	InitialInterval     time.Duration
-	RandomizationFactor float64
-	Multiplier          float64
-	MaxInterval         time.Duration
-	// After MaxElapsedTime the ExponentialBackOff returns Stop.
-	// It never stops if MaxElapsedTime == 0.
-	MaxElapsedTime time.Duration
-	Stop           time.Duration
-	Clock          Clock
-
-	currentInterval time.Duration
-	startTime       time.Time
-}
-
-// Clock is an interface that returns current time for BackOff.
-type Clock interface {
-	Now() time.Time
-}
-
-// ExponentialBackOffOpts is a function type used to configure ExponentialBackOff options.
-type ExponentialBackOffOpts func(*ExponentialBackOff)
-
-// Default values for ExponentialBackOff.
-const (
-	DefaultInitialInterval     = 500 * time.Millisecond
-	DefaultRandomizationFactor = 0.5
-	DefaultMultiplier          = 1.5
-	DefaultMaxInterval         = 60 * time.Second
-	DefaultMaxElapsedTime      = 15 * time.Minute
-)
-
-// NewExponentialBackOff creates an instance of ExponentialBackOff using default values.
-func NewExponentialBackOff(opts ...ExponentialBackOffOpts) *ExponentialBackOff {
-	b := &ExponentialBackOff{
-		InitialInterval:     DefaultInitialInterval,
-		RandomizationFactor: DefaultRandomizationFactor,
-		Multiplier:          DefaultMultiplier,
-		MaxInterval:         DefaultMaxInterval,
-		MaxElapsedTime:      DefaultMaxElapsedTime,
-		Stop:                Stop,
-		Clock:               SystemClock,
-	}
-	for _, fn := range opts {
-		fn(b)
-	}
-	b.Reset()
-	return b
-}
-
-// WithInitialInterval sets the initial interval between retries.
-func WithInitialInterval(duration time.Duration) ExponentialBackOffOpts {
-	return func(ebo *ExponentialBackOff) {
-		ebo.InitialInterval = duration
-	}
-}
-
-// WithRandomizationFactor sets the randomization factor to add jitter to intervals.
-func WithRandomizationFactor(randomizationFactor float64) ExponentialBackOffOpts {
-	return func(ebo *ExponentialBackOff) {
-		ebo.RandomizationFactor = randomizationFactor
-	}
-}
-
-// WithMultiplier sets the multiplier for increasing the interval after each retry.
-func WithMultiplier(multiplier float64) ExponentialBackOffOpts {
-	return func(ebo *ExponentialBackOff) {
-		ebo.Multiplier = multiplier
-	}
-}
-
-// WithMaxInterval sets the maximum interval between retries.
-func WithMaxInterval(duration time.Duration) ExponentialBackOffOpts {
-	return func(ebo *ExponentialBackOff) {
-		ebo.MaxInterval = duration
-	}
-}
-
-// WithMaxElapsedTime sets the maximum total time for retries.
-func WithMaxElapsedTime(duration time.Duration) ExponentialBackOffOpts {
-	return func(ebo *ExponentialBackOff) {
-		ebo.MaxElapsedTime = duration
-	}
-}
-
-// WithRetryStopDuration sets the duration after which retries should stop.
-func WithRetryStopDuration(duration time.Duration) ExponentialBackOffOpts {
-	return func(ebo *ExponentialBackOff) {
-		ebo.Stop = duration
-	}
-}
-
-// WithClockProvider sets the clock used to measure time.
-func WithClockProvider(clock Clock) ExponentialBackOffOpts {
-	return func(ebo *ExponentialBackOff) {
-		ebo.Clock = clock
-	}
-}
-
-type systemClock struct{}
-
-func (t systemClock) Now() time.Time {
-	return time.Now()
-}
-
-// SystemClock implements Clock interface that uses time.Now().
-var SystemClock = systemClock{}
-
-// Reset the interval back to the initial retry interval and restarts the timer.
-// Reset must be called before using b.
-func (b *ExponentialBackOff) Reset() {
-	b.currentInterval = b.InitialInterval
-	b.startTime = b.Clock.Now()
-}
-
-// NextBackOff calculates the next backoff interval using the formula:
-// 	Randomized interval = RetryInterval * (1 ± RandomizationFactor)
-func (b *ExponentialBackOff) NextBackOff() time.Duration {
-	// Make sure we have not gone over the maximum elapsed time.
-	elapsed := b.GetElapsedTime()
-	next := getRandomValueFromInterval(b.RandomizationFactor, rand.Float64(), b.currentInterval)
-	b.incrementCurrentInterval()
-	if b.MaxElapsedTime != 0 && elapsed+next > b.MaxElapsedTime {
-		return b.Stop
-	}
-	return next
-}
-
-// GetElapsedTime returns the elapsed time since an ExponentialBackOff instance
-// is created and is reset when Reset() is called.
-//
-// The elapsed time is computed using time.Now().UnixNano(). It is
-// safe to call even while the backoff policy is used by a running
-// ticker.
-func (b *ExponentialBackOff) GetElapsedTime() time.Duration {
-	return b.Clock.Now().Sub(b.startTime)
-}
-
-// Increments the current interval by multiplying it with the multiplier.
-func (b *ExponentialBackOff) incrementCurrentInterval() {
-	// Check for overflow, if overflow is detected set the current interval to the max interval.
-	if float64(b.currentInterval) >= float64(b.MaxInterval)/b.Multiplier {
-		b.currentInterval = b.MaxInterval
-	} else {
-		b.currentInterval = time.Duration(float64(b.currentInterval) * b.Multiplier)
-	}
-}
-
-// Returns a random value from the following interval:
-// 	[currentInterval - randomizationFactor * currentInterval, currentInterval + randomizationFactor * currentInterval].
-func getRandomValueFromInterval(randomizationFactor, random float64, currentInterval time.Duration) time.Duration {
-	if randomizationFactor == 0 {
-		return currentInterval // make sure no randomness is used when randomizationFactor is 0.
-	}
-	var delta = randomizationFactor * float64(currentInterval)
-	var minInterval = float64(currentInterval) - delta
-	var maxInterval = float64(currentInterval) + delta
-
-	// Get a random value from the range [minInterval, maxInterval].
-	// The formula used below has a +1 because if the minInterval is 1 and the maxInterval is 3 then
-	// we want a 33% chance for selecting either 1, 2 or 3.
-	return time.Duration(minInterval + (random * (maxInterval - minInterval + 1)))
-}
diff --git a/vendor/github.com/cenkalti/backoff/v4/retry.go b/vendor/github.com/cenkalti/backoff/v4/retry.go
deleted file mode 100644
index b9c0c51c..00000000
--- a/vendor/github.com/cenkalti/backoff/v4/retry.go
+++ /dev/null
@@ -1,146 +0,0 @@
-package backoff
-
-import (
-	"errors"
-	"time"
-)
-
-// An OperationWithData is executing by RetryWithData() or RetryNotifyWithData().
-// The operation will be retried using a backoff policy if it returns an error.
-type OperationWithData[T any] func() (T, error)
-
-// An Operation is executing by Retry() or RetryNotify().
-// The operation will be retried using a backoff policy if it returns an error.
-type Operation func() error
-
-func (o Operation) withEmptyData() OperationWithData[struct{}] {
-	return func() (struct{}, error) {
-		return struct{}{}, o()
-	}
-}
-
-// Notify is a notify-on-error function. It receives an operation error and
-// backoff delay if the operation failed (with an error).
-//
-// NOTE that if the backoff policy stated to stop retrying,
-// the notify function isn't called.
-type Notify func(error, time.Duration)
-
-// Retry the operation o until it does not return error or BackOff stops.
-// o is guaranteed to be run at least once.
-//
-// If o returns a *PermanentError, the operation is not retried, and the
-// wrapped error is returned.
-//
-// Retry sleeps the goroutine for the duration returned by BackOff after a
-// failed operation returns.
-func Retry(o Operation, b BackOff) error {
-	return RetryNotify(o, b, nil)
-}
-
-// RetryWithData is like Retry but returns data in the response too.
-func RetryWithData[T any](o OperationWithData[T], b BackOff) (T, error) {
-	return RetryNotifyWithData(o, b, nil)
-}
-
-// RetryNotify calls notify function with the error and wait duration
-// for each failed attempt before sleep.
-func RetryNotify(operation Operation, b BackOff, notify Notify) error {
-	return RetryNotifyWithTimer(operation, b, notify, nil)
-}
-
-// RetryNotifyWithData is like RetryNotify but returns data in the response too.
-func RetryNotifyWithData[T any](operation OperationWithData[T], b BackOff, notify Notify) (T, error) {
-	return doRetryNotify(operation, b, notify, nil)
-}
-
-// RetryNotifyWithTimer calls notify function with the error and wait duration using the given Timer
-// for each failed attempt before sleep.
-// A default timer that uses system timer is used when nil is passed.
-func RetryNotifyWithTimer(operation Operation, b BackOff, notify Notify, t Timer) error {
-	_, err := doRetryNotify(operation.withEmptyData(), b, notify, t)
-	return err
-}
-
-// RetryNotifyWithTimerAndData is like RetryNotifyWithTimer but returns data in the response too.
-func RetryNotifyWithTimerAndData[T any](operation OperationWithData[T], b BackOff, notify Notify, t Timer) (T, error) {
-	return doRetryNotify(operation, b, notify, t)
-}
-
-func doRetryNotify[T any](operation OperationWithData[T], b BackOff, notify Notify, t Timer) (T, error) {
-	var (
-		err  error
-		next time.Duration
-		res  T
-	)
-	if t == nil {
-		t = &defaultTimer{}
-	}
-
-	defer func() {
-		t.Stop()
-	}()
-
-	ctx := getContext(b)
-
-	b.Reset()
-	for {
-		res, err = operation()
-		if err == nil {
-			return res, nil
-		}
-
-		var permanent *PermanentError
-		if errors.As(err, &permanent) {
-			return res, permanent.Err
-		}
-
-		if next = b.NextBackOff(); next == Stop {
-			if cerr := ctx.Err(); cerr != nil {
-				return res, cerr
-			}
-
-			return res, err
-		}
-
-		if notify != nil {
-			notify(err, next)
-		}
-
-		t.Start(next)
-
-		select {
-		case <-ctx.Done():
-			return res, ctx.Err()
-		case <-t.C():
-		}
-	}
-}
-
-// PermanentError signals that the operation should not be retried.
-type PermanentError struct {
-	Err error
-}
-
-func (e *PermanentError) Error() string {
-	return e.Err.Error()
-}
-
-func (e *PermanentError) Unwrap() error {
-	return e.Err
-}
-
-func (e *PermanentError) Is(target error) bool {
-	_, ok := target.(*PermanentError)
-	return ok
-}
-
-// Permanent wraps the given err in a *PermanentError.
-func Permanent(err error) error {
-	if err == nil {
-		return nil
-	}
-	return &PermanentError{
-		Err: err,
-	}
-}
diff --git a/vendor/github.com/cenkalti/backoff/v4/tries.go b/vendor/github.com/cenkalti/backoff/v4/tries.go
deleted file mode 100644
index 28d58ca3..00000000
--- a/vendor/github.com/cenkalti/backoff/v4/tries.go
+++ /dev/null
@@ -1,38 +0,0 @@
-package backoff
-
-import "time"
-
-/*
-WithMaxRetries creates a wrapper around another BackOff, which will
-return Stop if NextBackOff() has been called too many times since
-the last time Reset() was called
-
-Note: Implementation is not thread-safe.
-*/
-func WithMaxRetries(b BackOff, max uint64) BackOff {
-	return &backOffTries{delegate: b, maxTries: max}
-}
-
-type backOffTries struct {
-	delegate BackOff
-	maxTries uint64
-	numTries uint64
-}
-
-func (b *backOffTries) NextBackOff() time.Duration {
-	if b.maxTries == 0 {
-		return Stop
-	}
-	if b.maxTries > 0 {
-		if b.maxTries <= b.numTries {
-			return Stop
-		}
-		b.numTries++
-	}
-	return b.delegate.NextBackOff()
-}
-
-func (b *backOffTries) Reset() {
-	b.numTries = 0
-	b.delegate.Reset()
-}
diff --git a/vendor/github.com/cenkalti/backoff/v4/.gitignore b/vendor/github.com/cenkalti/backoff/v5/.gitignore
similarity index 100%
rename from vendor/github.com/cenkalti/backoff/v4/.gitignore
rename to vendor/github.com/cenkalti/backoff/v5/.gitignore
diff --git a/vendor/github.com/cenkalti/backoff/v5/CHANGELOG.md b/vendor/github.com/cenkalti/backoff/v5/CHANGELOG.md
new file mode 100644
index 00000000..658c3743
--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v5/CHANGELOG.md
@@ -0,0 +1,29 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [5.0.0] - 2024-12-19
+
+### Added
+
+- RetryAfterError can be returned from an operation to indicate how long to wait before the next retry.
+
+### Changed
+
+- Retry function now accepts additional options for specifying max number of tries and max elapsed time.
+- Retry function now accepts a context.Context.
+- Operation function signature changed to return result (any type) and error.
+
+### Removed
+
+- RetryNotify* and RetryWithData functions. Only single Retry function remains.
+- Optional arguments from ExponentialBackoff constructor.
+- Clock and Timer interfaces.
+
+### Fixed
+
+- The original error is returned from Retry if there's a PermanentError. (#144)
+- The Retry function respects the wrapped PermanentError. (#140)
diff --git a/vendor/github.com/cenkalti/backoff/v4/LICENSE b/vendor/github.com/cenkalti/backoff/v5/LICENSE
similarity index 100%
rename from vendor/github.com/cenkalti/backoff/v4/LICENSE
rename to vendor/github.com/cenkalti/backoff/v5/LICENSE
diff --git a/vendor/github.com/cenkalti/backoff/v4/README.md b/vendor/github.com/cenkalti/backoff/v5/README.md
similarity index 64%
rename from vendor/github.com/cenkalti/backoff/v4/README.md
rename to vendor/github.com/cenkalti/backoff/v5/README.md
index 9433004a..4611b1d1 100644
--- a/vendor/github.com/cenkalti/backoff/v4/README.md
+++ b/vendor/github.com/cenkalti/backoff/v5/README.md
@@ -1,4 +1,4 @@
-# Exponential Backoff [![GoDoc][godoc image]][godoc] [![Coverage Status][coveralls image]][coveralls]
+# Exponential Backoff [![GoDoc][godoc image]][godoc]
 
 This is a Go port of the exponential backoff algorithm from [Google's HTTP Client Library for Java][google-http-java-client].
 
@@ -9,9 +9,11 @@ The retries exponentially increase and stop increasing when a certain threshold
 
 ## Usage
 
-Import path is `github.com/cenkalti/backoff/v4`. Please note the version part at the end.
+Import path is `github.com/cenkalti/backoff/v5`. Please note the version part at the end.
 
-Use https://pkg.go.dev/github.com/cenkalti/backoff/v4 to view the documentation.
+For most cases, use `Retry` function. See [example_test.go][example] for an example.
+
+If you have specific needs, copy `Retry` function (from [retry.go][retry-src]) into your code and modify it as needed.
 
 ## Contributing
 
@@ -19,12 +21,11 @@ Use https://pkg.go.dev/github.com/cenkalti/backoff/v4 to view the documentation.
 * Please don't send a PR without opening an issue and discussing it first.
 * If proposed change is not a common use case, I will probably not accept it.
 
-[godoc]: https://pkg.go.dev/github.com/cenkalti/backoff/v4
+[godoc]: https://pkg.go.dev/github.com/cenkalti/backoff/v5
 [godoc image]: https://godoc.org/github.com/cenkalti/backoff?status.png
-[coveralls]: https://coveralls.io/github/cenkalti/backoff?branch=master
-[coveralls image]: https://coveralls.io/repos/github/cenkalti/backoff/badge.svg?branch=master
 
 [google-http-java-client]: https://github.com/google/google-http-java-client/blob/da1aa993e90285ec18579f1553339b00e19b3ab5/google-http-client/src/main/java/com/google/api/client/util/ExponentialBackOff.java
 [exponential backoff wiki]: http://en.wikipedia.org/wiki/Exponential_backoff
 
-[advanced example]: https://pkg.go.dev/github.com/cenkalti/backoff/v4?tab=doc#pkg-examples
+[retry-src]: https://github.com/cenkalti/backoff/blob/v5/retry.go
+[example]: https://github.com/cenkalti/backoff/blob/v5/example_test.go
diff --git a/vendor/github.com/cenkalti/backoff/v4/backoff.go b/vendor/github.com/cenkalti/backoff/v5/backoff.go
similarity index 87%
rename from vendor/github.com/cenkalti/backoff/v4/backoff.go
rename to vendor/github.com/cenkalti/backoff/v5/backoff.go
index 3676ee40..dd2b24ca 100644
--- a/vendor/github.com/cenkalti/backoff/v4/backoff.go
+++ b/vendor/github.com/cenkalti/backoff/v5/backoff.go
@@ -15,16 +15,16 @@ import "time"
 // BackOff is a backoff policy for retrying an operation.
 type BackOff interface {
 	// NextBackOff returns the duration to wait before retrying the operation,
-	// or backoff. Stop to indicate that no more retries should be made.
+	// backoff.Stop to indicate that no more retries should be made.
 	//
 	// Example usage:
 	//
-	// 	duration := backoff.NextBackOff();
-	// 	if (duration == backoff.Stop) {
-	// 		// Do not retry operation.
-	// 	} else {
-	// 		// Sleep for duration and retry operation.
-	// 	}
+	//     duration := backoff.NextBackOff()
+	//     if duration == backoff.Stop {
+	//         // Do not retry operation.
+	//     } else {
+	//         // Sleep for duration and retry operation.
+	//     }
 	//
 	NextBackOff() time.Duration
 
diff --git a/vendor/github.com/cenkalti/backoff/v5/error.go b/vendor/github.com/cenkalti/backoff/v5/error.go
new file mode 100644
index 00000000..beb2b38a
--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v5/error.go
@@ -0,0 +1,46 @@
+package backoff
+
+import (
+	"fmt"
+	"time"
+)
+
+// PermanentError signals that the operation should not be retried.
+type PermanentError struct {
+	Err error
+}
+
+// Permanent wraps the given err in a *PermanentError.
+func Permanent(err error) error {
+	if err == nil {
+		return nil
+	}
+	return &PermanentError{
+		Err: err,
+	}
+}
+
+// Error returns a string representation of the Permanent error.
+func (e *PermanentError) Error() string {
+	return e.Err.Error()
+}
+
+// Unwrap returns the wrapped error.
+func (e *PermanentError) Unwrap() error {
+	return e.Err
+}
+
+// RetryAfterError signals that the operation should be retried after the given duration.
+type RetryAfterError struct {
+	Duration time.Duration
+}
+
+// RetryAfter returns a RetryAfter error that specifies how long to wait before retrying.
+func RetryAfter(seconds int) error {
+	return &RetryAfterError{Duration: time.Duration(seconds) * time.Second}
+}
+
+// Error returns a string representation of the RetryAfter error.
+func (e *RetryAfterError) Error() string {
+	return fmt.Sprintf("retry after %s", e.Duration)
+}
diff --git a/vendor/github.com/cenkalti/backoff/v5/exponential.go b/vendor/github.com/cenkalti/backoff/v5/exponential.go
new file mode 100644
index 00000000..79d425e8
--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v5/exponential.go
@@ -0,0 +1,118 @@
+package backoff
+
+import (
+	"math/rand/v2"
+	"time"
+)
+
+/*
+ExponentialBackOff is a backoff implementation that increases the backoff
+period for each retry attempt using a randomization function that grows exponentially.
+
+NextBackOff() is calculated using the following formula:
+
+	randomized interval =
+	    RetryInterval * (random value in range [1 - RandomizationFactor, 1 + RandomizationFactor])
+
+In other words NextBackOff() will range between the randomization factor
+percentage below and above the retry interval.
+
+For example, given the following parameters:
+
+	RetryInterval = 2
+	RandomizationFactor = 0.5
+	Multiplier = 2
+
+the actual backoff period used in the next retry attempt will range between 1 and 3 seconds,
+multiplied by the exponential, that is, between 2 and 6 seconds.
+
+Note: MaxInterval caps the RetryInterval and not the randomized interval.
+
+Example: Given the following default arguments, for 9 tries the sequence will be:
+
+	Request #  RetryInterval (seconds)  Randomized Interval (seconds)
+
+	 1          0.5                     [0.25,   0.75]
+	 2          0.75                    [0.375,  1.125]
+	 3          1.125                   [0.562,  1.687]
+	 4          1.687                   [0.8435, 2.53]
+	 5          2.53                    [1.265,  3.795]
+	 6          3.795                   [1.897,  5.692]
+	 7          5.692                   [2.846,  8.538]
+	 8          8.538                   [4.269, 12.807]
+	 9         12.807                   [6.403, 19.210]
+
+Note: Implementation is not thread-safe.
+*/
+type ExponentialBackOff struct {
+	InitialInterval     time.Duration
+	RandomizationFactor float64
+	Multiplier          float64
+	MaxInterval         time.Duration
+
+	currentInterval time.Duration
+}
+
+// Default values for ExponentialBackOff.
+const (
+	DefaultInitialInterval     = 500 * time.Millisecond
+	DefaultRandomizationFactor = 0.5
+	DefaultMultiplier          = 1.5
+	DefaultMaxInterval         = 60 * time.Second
+)
+
+// NewExponentialBackOff creates an instance of ExponentialBackOff using default values.
+func NewExponentialBackOff() *ExponentialBackOff {
+	return &ExponentialBackOff{
+		InitialInterval:     DefaultInitialInterval,
+		RandomizationFactor: DefaultRandomizationFactor,
+		Multiplier:          DefaultMultiplier,
+		MaxInterval:         DefaultMaxInterval,
+	}
+}
+
+// Reset the interval back to the initial retry interval and restarts the timer.
+// Reset must be called before using b.
+func (b *ExponentialBackOff) Reset() {
+	b.currentInterval = b.InitialInterval
+}
+
+// NextBackOff calculates the next backoff interval using the formula:
+//
+//	Randomized interval = RetryInterval * (1 ± RandomizationFactor)
+func (b *ExponentialBackOff) NextBackOff() time.Duration {
+	if b.currentInterval == 0 {
+		b.currentInterval = b.InitialInterval
+	}
+
+	next := getRandomValueFromInterval(b.RandomizationFactor, rand.Float64(), b.currentInterval)
+	b.incrementCurrentInterval()
+	return next
+}
+
+// Increments the current interval by multiplying it with the multiplier.
+func (b *ExponentialBackOff) incrementCurrentInterval() {
+	// Check for overflow, if overflow is detected set the current interval to the max interval.
+	if float64(b.currentInterval) >= float64(b.MaxInterval)/b.Multiplier {
+		b.currentInterval = b.MaxInterval
+	} else {
+		b.currentInterval = time.Duration(float64(b.currentInterval) * b.Multiplier)
+	}
+}
+
+// Returns a random value from the following interval:
+//
+//	[currentInterval - randomizationFactor * currentInterval, currentInterval + randomizationFactor * currentInterval].
+func getRandomValueFromInterval(randomizationFactor, random float64, currentInterval time.Duration) time.Duration {
+	if randomizationFactor == 0 {
+		return currentInterval // make sure no randomness is used when randomizationFactor is 0.
+	}
+	var delta = randomizationFactor * float64(currentInterval)
+	var minInterval = float64(currentInterval) - delta
+	var maxInterval = float64(currentInterval) + delta
+
+	// Get a random value from the range [minInterval, maxInterval].
+	// The formula used below has a +1 because if the minInterval is 1 and the maxInterval is 3 then
+	// we want a 33% chance for selecting either 1, 2 or 3.
+	return time.Duration(minInterval + (random * (maxInterval - minInterval + 1)))
+}
diff --git a/vendor/github.com/cenkalti/backoff/v5/retry.go b/vendor/github.com/cenkalti/backoff/v5/retry.go
new file mode 100644
index 00000000..32a7f988
--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v5/retry.go
@@ -0,0 +1,139 @@
+package backoff
+
+import (
+	"context"
+	"errors"
+	"time"
+)
+
+// DefaultMaxElapsedTime sets a default limit for the total retry duration.
+const DefaultMaxElapsedTime = 15 * time.Minute
+
+// Operation is a function that attempts an operation and may be retried.
+type Operation[T any] func() (T, error)
+
+// Notify is a function called on operation error with the error and backoff duration.
+type Notify func(error, time.Duration)
+
+// retryOptions holds configuration settings for the retry mechanism.
+type retryOptions struct {
+	BackOff        BackOff       // Strategy for calculating backoff periods.
+	Timer          timer         // Timer to manage retry delays.
+	Notify         Notify        // Optional function to notify on each retry error.
+	MaxTries       uint          // Maximum number of retry attempts.
+	MaxElapsedTime time.Duration // Maximum total time for all retries.
+}
+
+type RetryOption func(*retryOptions)
+
+// WithBackOff configures a custom backoff strategy.
+func WithBackOff(b BackOff) RetryOption {
+	return func(args *retryOptions) {
+		args.BackOff = b
+	}
+}
+
+// withTimer sets a custom timer for managing delays between retries.
+func withTimer(t timer) RetryOption {
+	return func(args *retryOptions) {
+		args.Timer = t
+	}
+}
+
+// WithNotify sets a notification function to handle retry errors.
+func WithNotify(n Notify) RetryOption {
+	return func(args *retryOptions) {
+		args.Notify = n
+	}
+}
+
+// WithMaxTries limits the number of all attempts.
+func WithMaxTries(n uint) RetryOption {
+	return func(args *retryOptions) {
+		args.MaxTries = n
+	}
+}
+
+// WithMaxElapsedTime limits the total duration for retry attempts.
+func WithMaxElapsedTime(d time.Duration) RetryOption {
+	return func(args *retryOptions) {
+		args.MaxElapsedTime = d
+	}
+}
+
+// Retry attempts the operation until success, a permanent error, or backoff completion.
+// It ensures the operation is executed at least once.
+//
+// Returns the operation result or error if retries are exhausted or context is cancelled.
+func Retry[T any](ctx context.Context, operation Operation[T], opts ...RetryOption) (T, error) {
+	// Initialize default retry options.
+	args := &retryOptions{
+		BackOff:        NewExponentialBackOff(),
+		Timer:          &defaultTimer{},
+		MaxElapsedTime: DefaultMaxElapsedTime,
+	}
+
+	// Apply user-provided options to the default settings.
+	for _, opt := range opts {
+		opt(args)
+	}
+
+	defer args.Timer.Stop()
+
+	startedAt := time.Now()
+	args.BackOff.Reset()
+	for numTries := uint(1); ; numTries++ {
+		// Execute the operation.
+		res, err := operation()
+		if err == nil {
+			return res, nil
+		}
+
+		// Stop retrying if maximum tries exceeded.
+		if args.MaxTries > 0 && numTries >= args.MaxTries {
+			return res, err
+		}
+
+		// Handle permanent errors without retrying.
+		var permanent *PermanentError
+		if errors.As(err, &permanent) {
+			return res, permanent.Unwrap()
+		}
+
+		// Stop retrying if context is cancelled.
+		if cerr := context.Cause(ctx); cerr != nil {
+			return res, cerr
+		}
+
+		// Calculate next backoff duration.
+		next := args.BackOff.NextBackOff()
+		if next == Stop {
+			return res, err
+		}
+
+		// Reset backoff if RetryAfterError is encountered.
+		var retryAfter *RetryAfterError
+		if errors.As(err, &retryAfter) {
+			next = retryAfter.Duration
+			args.BackOff.Reset()
+		}
+
+		// Stop retrying if maximum elapsed time exceeded.
+		if args.MaxElapsedTime > 0 && time.Since(startedAt)+next > args.MaxElapsedTime {
+			return res, err
+		}
+
+		// Notify on error if a notifier function is provided.
+		if args.Notify != nil {
+			args.Notify(err, next)
+		}
+
+		// Wait for the next backoff period or context cancellation.
+		args.Timer.Start(next)
+		select {
+		case <-args.Timer.C():
+		case <-ctx.Done():
+			return res, context.Cause(ctx)
+		}
+	}
+}
diff --git a/vendor/github.com/cenkalti/backoff/v4/ticker.go b/vendor/github.com/cenkalti/backoff/v5/ticker.go
similarity index 80%
rename from vendor/github.com/cenkalti/backoff/v4/ticker.go
rename to vendor/github.com/cenkalti/backoff/v5/ticker.go
index df9d68bc..f0d4b2ae 100644
--- a/vendor/github.com/cenkalti/backoff/v4/ticker.go
+++ b/vendor/github.com/cenkalti/backoff/v5/ticker.go
@@ -1,7 +1,6 @@
 package backoff
 
 import (
-	"context"
 	"sync"
 	"time"
 )
@@ -14,8 +13,7 @@ type Ticker struct {
 	C        <-chan time.Time
 	c        chan time.Time
 	b        BackOff
-	ctx      context.Context
-	timer    Timer
+	timer    timer
 	stop     chan struct{}
 	stopOnce sync.Once
 }
@@ -27,22 +25,12 @@ type Ticker struct {
 // provided backoff policy (notably calling NextBackOff or Reset)
 // while the ticker is running.
 func NewTicker(b BackOff) *Ticker {
-	return NewTickerWithTimer(b, &defaultTimer{})
-}
-
-// NewTickerWithTimer returns a new Ticker with a custom timer.
-// A default timer that uses system timer is used when nil is passed.
-func NewTickerWithTimer(b BackOff, timer Timer) *Ticker {
-	if timer == nil {
-		timer = &defaultTimer{}
-	}
 	c := make(chan time.Time)
 	t := &Ticker{
 		C:     c,
 		c:     c,
 		b:     b,
-		ctx:   getContext(b),
-		timer: timer,
+		timer: &defaultTimer{},
 		stop:  make(chan struct{}),
 	}
 	t.b.Reset()
@@ -73,8 +61,6 @@ func (t *Ticker) run() {
 		case <-t.stop:
 			t.c = nil // Prevent future ticks from being sent to the channel.
 			return
-		case <-t.ctx.Done():
-			return
 		}
 	}
 }
diff --git a/vendor/github.com/cenkalti/backoff/v4/timer.go b/vendor/github.com/cenkalti/backoff/v5/timer.go
similarity index 96%
rename from vendor/github.com/cenkalti/backoff/v4/timer.go
rename to vendor/github.com/cenkalti/backoff/v5/timer.go
index 8120d021..a8953097 100644
--- a/vendor/github.com/cenkalti/backoff/v4/timer.go
+++ b/vendor/github.com/cenkalti/backoff/v5/timer.go
@@ -2,7 +2,7 @@ package backoff
 
 import "time"
 
-type Timer interface {
+type timer interface {
 	Start(duration time.Duration)
 	Stop()
 	C() <-chan time.Time
diff --git a/vendor/github.com/charmbracelet/bubbletea/.golangci-soft.yml b/vendor/github.com/charmbracelet/bubbletea/.golangci-soft.yml
deleted file mode 100644
index d325d4fc..00000000
--- a/vendor/github.com/charmbracelet/bubbletea/.golangci-soft.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-run:
-  tests: false
-  issues-exit-code: 0
-
-issues:
-  include:
-    - EXC0001
-    - EXC0005
-    - EXC0011
-    - EXC0012
-    - EXC0013
-
-  max-issues-per-linter: 0
-  max-same-issues: 0
-
-linters:
-  enable:
-    - exhaustive
-    - goconst
-    - godot
-    - godox
-    - mnd
-    - gomoddirectives
-    - goprintffuncname
-    - misspell
-    - nakedret
-    - nestif
-    - noctx
-    - nolintlint
-    - prealloc
-    - wrapcheck
-
-  # disable default linters, they are already enabled in .golangci.yml
-  disable:
-    - errcheck
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
-    - unused
diff --git a/vendor/github.com/charmbracelet/bubbletea/.golangci.yml b/vendor/github.com/charmbracelet/bubbletea/.golangci.yml
index d6789e01..4fac29c2 100644
--- a/vendor/github.com/charmbracelet/bubbletea/.golangci.yml
+++ b/vendor/github.com/charmbracelet/bubbletea/.golangci.yml
@@ -1,24 +1,22 @@
+version: "2"
 run:
   tests: false
-
-issues:
-  include:
-    - EXC0001
-    - EXC0005
-    - EXC0011
-    - EXC0012
-    - EXC0013
-
-  max-issues-per-linter: 0
-  max-same-issues: 0
-
 linters:
   enable:
     - bodyclose
-    - gofumpt
-    - goimports
+    - exhaustive
+    - goconst
+    - godot
+    - gomoddirectives
+    - goprintffuncname
     - gosec
+    - misspell
+    - nakedret
+    - nestif
     - nilerr
+    - noctx
+    - nolintlint
+    - prealloc
     - revive
     - rowserrcheck
     - sqlclosecheck
@@ -26,3 +24,17 @@ linters:
     - unconvert
     - unparam
     - whitespace
+    - wrapcheck
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
diff --git a/vendor/github.com/charmbracelet/bubbletea/README.md b/vendor/github.com/charmbracelet/bubbletea/README.md
index 58dd1828..b3acf900 100644
--- a/vendor/github.com/charmbracelet/bubbletea/README.md
+++ b/vendor/github.com/charmbracelet/bubbletea/README.md
@@ -1,11 +1,15 @@
 # Bubble Tea
 
 <p>
-    <a href="https://stuff.charm.sh/bubbletea/bubbletea-4k.png"><img src="https://github.com/charmbracelet/bubbletea/assets/25087/108d4fdb-d554-4910-abed-2a5f5586a60e" width="313" alt="Bubble Tea Title Treatment"></a><br>
+    <picture>
+      <source media="(prefers-color-scheme: light)" srcset="https://stuff.charm.sh/bubbletea/bubble-tea-v2-light.png" width="308">
+      <source media="(prefers-color-scheme: dark)" srcset="https://stuff.charm.sh/bubbletea/bubble-tea-v2-dark.png" width="312">
+      <img src="https://stuff.charm.sh/bubbletea/bubble-tea-v2-light.png" width="308" />
+    </picture>
+    <br>
     <a href="https://github.com/charmbracelet/bubbletea/releases"><img src="https://img.shields.io/github/release/charmbracelet/bubbletea.svg" alt="Latest Release"></a>
     <a href="https://pkg.go.dev/github.com/charmbracelet/bubbletea?tab=doc"><img src="https://godoc.org/github.com/charmbracelet/bubbletea?status.svg" alt="GoDoc"></a>
     <a href="https://github.com/charmbracelet/bubbletea/actions"><img src="https://github.com/charmbracelet/bubbletea/actions/workflows/build.yml/badge.svg" alt="Build Status"></a>
-    <a href="https://www.phorm.ai/query?projectId=a0e324b6-b706-4546-b951-6671ea60c13f"><img src="https://stuff.charm.sh/misc/phorm-badge.svg" alt="phorm.ai"></a>
 </p>
 
 The fun, functional and stateful way to build terminal apps. A Go framework
diff --git a/vendor/github.com/charmbracelet/bubbletea/Taskfile.yaml b/vendor/github.com/charmbracelet/bubbletea/Taskfile.yaml
new file mode 100644
index 00000000..35072035
--- /dev/null
+++ b/vendor/github.com/charmbracelet/bubbletea/Taskfile.yaml
@@ -0,0 +1,14 @@
+# https://taskfile.dev
+
+version: '3'
+
+tasks:
+  lint:
+    desc: Run lint
+    cmds:
+      - golangci-lint run
+
+  test:
+    desc: Run tests
+    cmds:
+      - go test ./... {{.CLI_ARGS}}
diff --git a/vendor/github.com/charmbracelet/bubbletea/exec.go b/vendor/github.com/charmbracelet/bubbletea/exec.go
index 7a14d2a7..80484145 100644
--- a/vendor/github.com/charmbracelet/bubbletea/exec.go
+++ b/vendor/github.com/charmbracelet/bubbletea/exec.go
@@ -114,6 +114,7 @@ func (p *Program) exec(c ExecCommand, fn ExecCallback) {
 
 	// Execute system command.
 	if err := c.Run(); err != nil {
+		p.renderer.resetLinesRendered()
 		_ = p.RestoreTerminal() // also try to restore the terminal.
 		if fn != nil {
 			go p.Send(fn(err))
@@ -121,6 +122,9 @@ func (p *Program) exec(c ExecCommand, fn ExecCallback) {
 		return
 	}
 
+	// Maintain the existing output from the command
+	p.renderer.resetLinesRendered()
+
 	// Have the program re-capture input.
 	err := p.RestoreTerminal()
 	if fn != nil {
diff --git a/vendor/github.com/charmbracelet/bubbletea/inputreader_other.go b/vendor/github.com/charmbracelet/bubbletea/inputreader_other.go
index 3426a177..1d1b1761 100644
--- a/vendor/github.com/charmbracelet/bubbletea/inputreader_other.go
+++ b/vendor/github.com/charmbracelet/bubbletea/inputreader_other.go
@@ -4,11 +4,16 @@
 package tea
 
 import (
+	"fmt"
 	"io"
 
 	"github.com/muesli/cancelreader"
 )
 
 func newInputReader(r io.Reader, _ bool) (cancelreader.CancelReader, error) {
-	return cancelreader.NewReader(r)
+	cr, err := cancelreader.NewReader(r)
+	if err != nil {
+		return nil, fmt.Errorf("bubbletea: error creating cancel reader: %w", err)
+	}
+	return cr, nil
 }
diff --git a/vendor/github.com/charmbracelet/bubbletea/inputreader_windows.go b/vendor/github.com/charmbracelet/bubbletea/inputreader_windows.go
index 9af89428..d76617d3 100644
--- a/vendor/github.com/charmbracelet/bubbletea/inputreader_windows.go
+++ b/vendor/github.com/charmbracelet/bubbletea/inputreader_windows.go
@@ -67,6 +67,8 @@ func newInputReader(r io.Reader, enableMouse bool) (cancelreader.CancelReader, e
 func (r *conInputReader) Cancel() bool {
 	r.setCanceled()
 
+	// Warning: These cancel methods do not reliably work on console input
+	// 			and should not be counted on.
 	return windows.CancelIoEx(r.conin, nil) == nil || windows.CancelIo(r.conin) == nil
 }
 
diff --git a/vendor/github.com/charmbracelet/bubbletea/key.go b/vendor/github.com/charmbracelet/bubbletea/key.go
index ab4792ac..12a161a7 100644
--- a/vendor/github.com/charmbracelet/bubbletea/key.go
+++ b/vendor/github.com/charmbracelet/bubbletea/key.go
@@ -622,7 +622,7 @@ func detectOneMsg(b []byte, canHaveMoreData bool) (w int, msg Msg) {
 		case '<':
 			if matchIndices := mouseSGRRegex.FindSubmatchIndex(b[3:]); matchIndices != nil {
 				// SGR mouse events length is the length of the match plus the length of the escape sequence
-				mouseEventSGRLen := matchIndices[1] + 3 //nolint:gomnd
+				mouseEventSGRLen := matchIndices[1] + 3 //nolint:mnd
 				return mouseEventSGRLen, MouseMsg(parseSGRMouseEvent(b))
 			}
 		}
diff --git a/vendor/github.com/charmbracelet/bubbletea/key_sequences.go b/vendor/github.com/charmbracelet/bubbletea/key_sequences.go
index 15483ef5..dce9bf48 100644
--- a/vendor/github.com/charmbracelet/bubbletea/key_sequences.go
+++ b/vendor/github.com/charmbracelet/bubbletea/key_sequences.go
@@ -119,13 +119,12 @@ func detectBracketedPaste(input []byte) (hasBp bool, width int, msg Msg) {
 }
 
 // detectReportFocus detects a focus report sequence.
-// nolint: gomnd
 func detectReportFocus(input []byte) (hasRF bool, width int, msg Msg) {
 	switch {
 	case bytes.Equal(input, []byte("\x1b[I")):
-		return true, 3, FocusMsg{}
+		return true, 3, FocusMsg{} //nolint:mnd
 	case bytes.Equal(input, []byte("\x1b[O")):
-		return true, 3, BlurMsg{}
+		return true, 3, BlurMsg{} //nolint:mnd
 	}
 	return false, 0, nil
 }
diff --git a/vendor/github.com/charmbracelet/bubbletea/key_windows.go b/vendor/github.com/charmbracelet/bubbletea/key_windows.go
index d59ff1c4..ac983739 100644
--- a/vendor/github.com/charmbracelet/bubbletea/key_windows.go
+++ b/vendor/github.com/charmbracelet/bubbletea/key_windows.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"time"
 
 	"github.com/erikgeiser/coninput"
 	localereader "github.com/mattn/go-localereader"
@@ -25,14 +26,10 @@ func readConInputs(ctx context.Context, msgsch chan<- Msg, con *conInputReader)
 	var ps coninput.ButtonState                 // keep track of previous mouse state
 	var ws coninput.WindowBufferSizeEventRecord // keep track of the last window size event
 	for {
-		events, err := coninput.ReadNConsoleInputs(con.conin, 16)
+		events, err := peekAndReadConsInput(con)
 		if err != nil {
-			if con.isCanceled() {
-				return cancelreader.ErrCanceled
-			}
-			return fmt.Errorf("read coninput events: %w", err)
+			return err
 		}
-
 		for _, event := range events {
 			var msgs []Msg
 			switch e := event.Unwrap().(type) {
@@ -87,13 +84,57 @@ func readConInputs(ctx context.Context, msgsch chan<- Msg, con *conInputReader)
 					if err != nil {
 						return fmt.Errorf("coninput context error: %w", err)
 					}
-					return err
+					return nil
 				}
 			}
 		}
 	}
 }
 
+// Peek for new input in a tight loop and then read the input.
+// windows.CancelIo* does not work reliably so peek first and only use the data if
+// the console input is not cancelled.
+func peekAndReadConsInput(con *conInputReader) ([]coninput.InputRecord, error) {
+	events, err := peekConsInput(con)
+	if err != nil {
+		return events, err
+	}
+	events, err = coninput.ReadNConsoleInputs(con.conin, intToUint32OrDie(len(events)))
+	if con.isCanceled() {
+		return events, cancelreader.ErrCanceled
+	}
+	if err != nil {
+		return events, fmt.Errorf("read coninput events: %w", err)
+	}
+	return events, nil
+}
+
+// Convert i to unit32 or panic if it cannot be converted. Check satisifes lint G115.
+func intToUint32OrDie(i int) uint32 {
+	if i < 0 {
+		panic("cannot convert numEvents " + fmt.Sprint(i) + " to uint32")
+	}
+	return uint32(i)
+}
+
+// Keeps peeking until there is data or the input is cancelled.
+func peekConsInput(con *conInputReader) ([]coninput.InputRecord, error) {
+	for {
+		events, err := coninput.PeekNConsoleInputs(con.conin, 16)
+		if con.isCanceled() {
+			return events, cancelreader.ErrCanceled
+		}
+		if err != nil {
+			return events, fmt.Errorf("peek coninput events: %w", err)
+		}
+		if len(events) > 0 {
+			return events, nil
+		}
+		// Sleep for a bit to avoid busy waiting.
+		time.Sleep(16 * time.Millisecond)
+	}
+}
+
 func mouseEventButton(p, s coninput.ButtonState) (button MouseButton, action MouseAction) {
 	btn := p ^ s
 	action = MouseActionPress
@@ -114,7 +155,7 @@ func mouseEventButton(p, s coninput.ButtonState) (button MouseButton, action Mou
 		case s&coninput.FROM_LEFT_4TH_BUTTON_PRESSED > 0:
 			button = MouseButtonForward
 		}
-		return
+		return button, action
 	}
 
 	switch {
@@ -147,7 +188,7 @@ func mouseEvent(p coninput.ButtonState, e coninput.MouseEventRecord) MouseMsg {
 		if ev.Action == MouseActionRelease {
 			ev.Type = MouseRelease
 		}
-		switch ev.Button {
+		switch ev.Button { //nolint:exhaustive
 		case MouseButtonLeft:
 			ev.Type = MouseLeft
 		case MouseButtonMiddle:
@@ -190,7 +231,7 @@ func keyType(e coninput.KeyEventRecord) KeyType {
 	shiftPressed := e.ControlKeyState.Contains(coninput.SHIFT_PRESSED)
 	ctrlPressed := e.ControlKeyState.Contains(coninput.LEFT_CTRL_PRESSED | coninput.RIGHT_CTRL_PRESSED)
 
-	switch code {
+	switch code { //nolint:exhaustive
 	case coninput.VK_RETURN:
 		return KeyEnter
 	case coninput.VK_BACK:
@@ -276,6 +317,46 @@ func keyType(e coninput.KeyEventRecord) KeyType {
 		return KeyPgDown
 	case coninput.VK_DELETE:
 		return KeyDelete
+	case coninput.VK_F1:
+		return KeyF1
+	case coninput.VK_F2:
+		return KeyF2
+	case coninput.VK_F3:
+		return KeyF3
+	case coninput.VK_F4:
+		return KeyF4
+	case coninput.VK_F5:
+		return KeyF5
+	case coninput.VK_F6:
+		return KeyF6
+	case coninput.VK_F7:
+		return KeyF7
+	case coninput.VK_F8:
+		return KeyF8
+	case coninput.VK_F9:
+		return KeyF9
+	case coninput.VK_F10:
+		return KeyF10
+	case coninput.VK_F11:
+		return KeyF11
+	case coninput.VK_F12:
+		return KeyF12
+	case coninput.VK_F13:
+		return KeyF13
+	case coninput.VK_F14:
+		return KeyF14
+	case coninput.VK_F15:
+		return KeyF15
+	case coninput.VK_F16:
+		return KeyF16
+	case coninput.VK_F17:
+		return KeyF17
+	case coninput.VK_F18:
+		return KeyF18
+	case coninput.VK_F19:
+		return KeyF19
+	case coninput.VK_F20:
+		return KeyF20
 	default:
 		switch {
 		case e.ControlKeyState.Contains(coninput.LEFT_CTRL_PRESSED) && e.ControlKeyState.Contains(coninput.RIGHT_ALT_PRESSED):
@@ -348,7 +429,7 @@ func keyType(e coninput.KeyEventRecord) KeyType {
 			return KeyCtrlUnderscore
 		}
 
-		switch code {
+		switch code { //nolint:exhaustive
 		case coninput.VK_OEM_4:
 			return KeyCtrlOpenBracket
 		case coninput.VK_OEM_6:
diff --git a/vendor/github.com/charmbracelet/bubbletea/logging.go b/vendor/github.com/charmbracelet/bubbletea/logging.go
index a5311819..349758cb 100644
--- a/vendor/github.com/charmbracelet/bubbletea/logging.go
+++ b/vendor/github.com/charmbracelet/bubbletea/logging.go
@@ -33,7 +33,7 @@ type LogOptionsSetter interface {
 
 // LogToFileWith does allows to call LogToFile with a custom LogOptionsSetter.
 func LogToFileWith(path string, prefix string, log LogOptionsSetter) (*os.File, error) {
-	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600) //nolint:gomnd
+	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600) //nolint:mnd
 	if err != nil {
 		return nil, fmt.Errorf("error opening file for logging: %w", err)
 	}
diff --git a/vendor/github.com/charmbracelet/bubbletea/mouse.go b/vendor/github.com/charmbracelet/bubbletea/mouse.go
index 6ec51cc0..490f49ac 100644
--- a/vendor/github.com/charmbracelet/bubbletea/mouse.go
+++ b/vendor/github.com/charmbracelet/bubbletea/mouse.go
@@ -172,7 +172,7 @@ const (
 func parseSGRMouseEvent(buf []byte) MouseEvent {
 	str := string(buf[3:])
 	matches := mouseSGRRegex.FindStringSubmatch(str)
-	if len(matches) != 5 { //nolint:gomnd
+	if len(matches) != 5 { //nolint:mnd
 		// Unreachable, we already checked the regex in `detectOneMsg`.
 		panic("invalid mouse event")
 	}
diff --git a/vendor/github.com/charmbracelet/bubbletea/nil_renderer.go b/vendor/github.com/charmbracelet/bubbletea/nil_renderer.go
index 0bc4a172..1bc909b6 100644
--- a/vendor/github.com/charmbracelet/bubbletea/nil_renderer.go
+++ b/vendor/github.com/charmbracelet/bubbletea/nil_renderer.go
@@ -26,3 +26,4 @@ func (n nilRenderer) setWindowTitle(_ string)    {}
 func (n nilRenderer) reportFocus() bool          { return false }
 func (n nilRenderer) enableReportFocus()         {}
 func (n nilRenderer) disableReportFocus()        {}
+func (n nilRenderer) resetLinesRendered()        {}
diff --git a/vendor/github.com/charmbracelet/bubbletea/options.go b/vendor/github.com/charmbracelet/bubbletea/options.go
index c509353b..49cf378b 100644
--- a/vendor/github.com/charmbracelet/bubbletea/options.go
+++ b/vendor/github.com/charmbracelet/bubbletea/options.go
@@ -19,7 +19,7 @@ type ProgramOption func(*Program)
 // cancelled it will exit with an error ErrProgramKilled.
 func WithContext(ctx context.Context) ProgramOption {
 	return func(p *Program) {
-		p.ctx = ctx
+		p.externalCtx = ctx
 	}
 }
 
diff --git a/vendor/github.com/charmbracelet/bubbletea/renderer.go b/vendor/github.com/charmbracelet/bubbletea/renderer.go
index 9eb7943b..5b6df66a 100644
--- a/vendor/github.com/charmbracelet/bubbletea/renderer.go
+++ b/vendor/github.com/charmbracelet/bubbletea/renderer.go
@@ -79,6 +79,9 @@ type renderer interface {
 
 	// disableReportFocus stops reporting focus events to the program.
 	disableReportFocus()
+
+	// resetLinesRendered ensures exec output remains on screen on exit
+	resetLinesRendered()
 }
 
 // repaintMsg forces a full repaint.
diff --git a/vendor/github.com/charmbracelet/bubbletea/standard_renderer.go b/vendor/github.com/charmbracelet/bubbletea/standard_renderer.go
index 45e8c82d..d6dce6db 100644
--- a/vendor/github.com/charmbracelet/bubbletea/standard_renderer.go
+++ b/vendor/github.com/charmbracelet/bubbletea/standard_renderer.go
@@ -545,6 +545,10 @@ func (r *standardRenderer) clearIgnoredLines() {
 	r.ignoreLines = nil
 }
 
+func (r *standardRenderer) resetLinesRendered() {
+	r.linesRendered = 0
+}
+
 // insertTop effectively scrolls up. It inserts lines at the top of a given
 // area designated to be a scrollable region, pushing everything else down.
 // This is roughly how ncurses does it.
diff --git a/vendor/github.com/charmbracelet/bubbletea/tea.go b/vendor/github.com/charmbracelet/bubbletea/tea.go
index 0bc915e5..c4866f22 100644
--- a/vendor/github.com/charmbracelet/bubbletea/tea.go
+++ b/vendor/github.com/charmbracelet/bubbletea/tea.go
@@ -27,6 +27,9 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
+// ErrProgramPanic is returned by [Program.Run] when the program recovers from a panic.
+var ErrProgramPanic = errors.New("program experienced a panic")
+
 // ErrProgramKilled is returned by [Program.Run] when the program gets killed.
 var ErrProgramKilled = errors.New("program was killed")
 
@@ -147,6 +150,12 @@ type Program struct {
 
 	inputType inputType
 
+	// externalCtx is a context that was passed in via WithContext, otherwise defaulting
+	// to ctx.Background() (in case it was not), the internal context is derived from it.
+	externalCtx context.Context
+
+	// ctx is the programs's internal context for signalling internal teardown.
+	// It is built and derived from the externalCtx in NewProgram().
 	ctx    context.Context
 	cancel context.CancelFunc
 
@@ -243,11 +252,11 @@ func NewProgram(model Model, opts ...ProgramOption) *Program {
 
 	// A context can be provided with a ProgramOption, but if none was provided
 	// we'll use the default background context.
-	if p.ctx == nil {
-		p.ctx = context.Background()
+	if p.externalCtx == nil {
+		p.externalCtx = context.Background()
 	}
 	// Initialize context and teardown channel.
-	p.ctx, p.cancel = context.WithCancel(p.ctx)
+	p.ctx, p.cancel = context.WithCancel(p.externalCtx)
 
 	// if no output was set, set it to stdout
 	if p.output == nil {
@@ -346,7 +355,11 @@ func (p *Program) handleCommands(cmds chan Cmd) chan struct{} {
 				go func() {
 					// Recover from panics.
 					if !p.startupOptions.has(withoutCatchPanics) {
-						defer p.recoverFromPanic()
+						defer func() {
+							if r := recover(); r != nil {
+								p.recoverFromGoPanic(r)
+							}
+						}()
 					}
 
 					msg := cmd() // this can be long.
@@ -422,7 +435,7 @@ func (p *Program) eventLoop(model Model, cmds chan Cmd) (Model, error) {
 				// work.
 				if runtime.GOOS == "windows" && !p.mouseMode {
 					p.mouseMode = true
-					p.initCancelReader(true) //nolint:errcheck
+					p.initCancelReader(true) //nolint:errcheck,gosec
 				}
 
 			case disableMouseMsg:
@@ -433,7 +446,7 @@ func (p *Program) eventLoop(model Model, cmds chan Cmd) (Model, error) {
 				// mouse events.
 				if runtime.GOOS == "windows" && p.mouseMode {
 					p.mouseMode = false
-					p.initCancelReader(true) //nolint:errcheck
+					p.initCancelReader(true) //nolint:errcheck,gosec
 				}
 
 			case showCursorMsg:
@@ -460,7 +473,11 @@ func (p *Program) eventLoop(model Model, cmds chan Cmd) (Model, error) {
 
 			case BatchMsg:
 				for _, cmd := range msg {
-					cmds <- cmd
+					select {
+					case <-p.ctx.Done():
+						return model, nil
+					case cmds <- cmd:
+					}
 				}
 				continue
 
@@ -483,7 +500,7 @@ func (p *Program) eventLoop(model Model, cmds chan Cmd) (Model, error) {
 								})
 							}
 
-							//nolint:errcheck
+							//nolint:errcheck,gosec
 							g.Wait() // wait for all commands from batch msg to finish
 							continue
 						}
@@ -506,7 +523,13 @@ func (p *Program) eventLoop(model Model, cmds chan Cmd) (Model, error) {
 
 			var cmd Cmd
 			model, cmd = model.Update(msg) // run update
-			cmds <- cmd                    // process command (if any)
+
+			select {
+			case <-p.ctx.Done():
+				return model, nil
+			case cmds <- cmd: // process command (if any)
+			}
+
 			p.renderer.write(model.View()) // send view to renderer
 		}
 	}
@@ -515,11 +538,15 @@ func (p *Program) eventLoop(model Model, cmds chan Cmd) (Model, error) {
 // Run initializes the program and runs its event loops, blocking until it gets
 // terminated by either [Program.Quit], [Program.Kill], or its signal handler.
 // Returns the final model.
-func (p *Program) Run() (Model, error) {
+func (p *Program) Run() (returnModel Model, returnErr error) {
 	p.handlers = channelHandlers{}
 	cmds := make(chan Cmd)
-	p.errs = make(chan error)
-	p.finished = make(chan struct{}, 1)
+	p.errs = make(chan error, 1)
+
+	p.finished = make(chan struct{})
+	defer func() {
+		close(p.finished)
+	}()
 
 	defer p.cancel()
 
@@ -568,7 +595,12 @@ func (p *Program) Run() (Model, error) {
 
 	// Recover from panics.
 	if !p.startupOptions.has(withoutCatchPanics) {
-		defer p.recoverFromPanic()
+		defer func() {
+			if r := recover(); r != nil {
+				returnErr = fmt.Errorf("%w: %w", ErrProgramKilled, ErrProgramPanic)
+				p.recoverFromPanic(r)
+			}
+		}()
 	}
 
 	// If no renderer is set use the standard one.
@@ -645,11 +677,27 @@ func (p *Program) Run() (Model, error) {
 
 	// Run event loop, handle updates and draw.
 	model, err := p.eventLoop(model, cmds)
-	killed := p.ctx.Err() != nil || err != nil
-	if killed && err == nil {
-		err = fmt.Errorf("%w: %s", ErrProgramKilled, p.ctx.Err())
+
+	if err == nil && len(p.errs) > 0 {
+		err = <-p.errs // Drain a leftover error in case eventLoop crashed
 	}
-	if err == nil {
+
+	killed := p.externalCtx.Err() != nil || p.ctx.Err() != nil || err != nil
+	if killed {
+		if err == nil && p.externalCtx.Err() != nil {
+			// Return also as context error the cancellation of an external context.
+			// This is the context the user knows about and should be able to act on.
+			err = fmt.Errorf("%w: %w", ErrProgramKilled, p.externalCtx.Err())
+		} else if err == nil && p.ctx.Err() != nil {
+			// Return only that the program was killed (not the internal mechanism).
+			// The user does not know or need to care about the internal program context.
+			err = ErrProgramKilled
+		} else {
+			// Return that the program was killed and also the error that caused it.
+			err = fmt.Errorf("%w: %w", ErrProgramKilled, err)
+		}
+	} else {
+		// Graceful shutdown of the program (not killed):
 		// Ensure we rendered the final state of the model.
 		p.renderer.write(model.View())
 	}
@@ -704,11 +752,11 @@ func (p *Program) Quit() {
 	p.Send(Quit())
 }
 
-// Kill stops the program immediately and restores the former terminal state.
+// Kill signals the program to stop immediately and restore the former terminal state.
 // The final render that you would normally see when quitting will be skipped.
 // [program.Run] returns a [ErrProgramKilled] error.
 func (p *Program) Kill() {
-	p.shutdown(true)
+	p.cancel()
 }
 
 // Wait waits/blocks until the underlying Program finished shutting down.
@@ -717,7 +765,11 @@ func (p *Program) Wait() {
 }
 
 // shutdown performs operations to free up resources and restore the terminal
-// to its original state.
+// to its original state. It is called once at the end of the program's lifetime.
+//
+// This method should not be called to signal the program to be killed/shutdown.
+// Doing so can lead to race conditions with the eventual call at the program's end.
+// As alternatives, the [Quit] or [Kill] convenience methods should be used instead.
 func (p *Program) shutdown(kill bool) {
 	p.cancel()
 
@@ -744,19 +796,30 @@ func (p *Program) shutdown(kill bool) {
 	}
 
 	_ = p.restoreTerminalState()
-	if !kill {
-		p.finished <- struct{}{}
-	}
 }
 
 // recoverFromPanic recovers from a panic, prints the stack trace, and restores
 // the terminal to a usable state.
-func (p *Program) recoverFromPanic() {
-	if r := recover(); r != nil {
-		p.shutdown(true)
-		fmt.Printf("Caught panic:\n\n%s\n\nRestoring terminal...\n\n", r)
-		debug.PrintStack()
+func (p *Program) recoverFromPanic(r interface{}) {
+	select {
+	case p.errs <- ErrProgramPanic:
+	default:
 	}
+	p.shutdown(true) // Ok to call here, p.Run() cannot do it anymore.
+	fmt.Printf("Caught panic:\n\n%s\n\nRestoring terminal...\n\n", r)
+	debug.PrintStack()
+}
+
+// recoverFromGoPanic recovers from a goroutine panic, prints a stack trace and
+// signals for the program to be killed and terminal restored to a usable state.
+func (p *Program) recoverFromGoPanic(r interface{}) {
+	select {
+	case p.errs <- ErrProgramPanic:
+	default:
+	}
+	p.cancel()
+	fmt.Printf("Caught goroutine panic:\n\n%s\n\nRestoring terminal...\n\n", r)
+	debug.PrintStack()
 }
 
 // ReleaseTerminal restores the original terminal state and cancels the input
diff --git a/vendor/github.com/charmbracelet/bubbletea/tty.go b/vendor/github.com/charmbracelet/bubbletea/tty.go
index 9490faca..6812bfc5 100644
--- a/vendor/github.com/charmbracelet/bubbletea/tty.go
+++ b/vendor/github.com/charmbracelet/bubbletea/tty.go
@@ -52,7 +52,7 @@ func (p *Program) restoreTerminalState() error {
 			p.renderer.exitAltScreen()
 
 			// give the terminal a moment to catch up
-			time.Sleep(time.Millisecond * 10) //nolint:gomnd
+			time.Sleep(time.Millisecond * 10) //nolint:mnd
 		}
 	}
 
@@ -109,7 +109,7 @@ func (p *Program) readLoop() {
 func (p *Program) waitForReadLoop() {
 	select {
 	case <-p.readLoopDone:
-	case <-time.After(500 * time.Millisecond): //nolint:gomnd
+	case <-time.After(500 * time.Millisecond): //nolint:mnd
 		// The read loop hangs, which means the input
 		// cancelReader's cancel function has returned true even
 		// though it was not able to cancel the read.
diff --git a/vendor/github.com/charmbracelet/bubbletea/tty_windows.go b/vendor/github.com/charmbracelet/bubbletea/tty_windows.go
index a3a2525b..154491a6 100644
--- a/vendor/github.com/charmbracelet/bubbletea/tty_windows.go
+++ b/vendor/github.com/charmbracelet/bubbletea/tty_windows.go
@@ -19,7 +19,7 @@ func (p *Program) initInput() (err error) {
 		p.ttyInput = f
 		p.previousTtyInputState, err = term.MakeRaw(p.ttyInput.Fd())
 		if err != nil {
-			return err
+			return fmt.Errorf("error making raw: %w", err)
 		}
 
 		// Enable VT input
@@ -38,7 +38,7 @@ func (p *Program) initInput() (err error) {
 		p.ttyOutput = f
 		p.previousOutputState, err = term.GetState(f.Fd())
 		if err != nil {
-			return err
+			return fmt.Errorf("error getting state: %w", err)
 		}
 
 		var mode uint32
@@ -51,14 +51,14 @@ func (p *Program) initInput() (err error) {
 		}
 	}
 
-	return
+	return nil
 }
 
 // Open the Windows equivalent of a TTY.
 func openInputTTY() (*os.File, error) {
 	f, err := os.OpenFile("CONIN$", os.O_RDWR, 0o644)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error opening file: %w", err)
 	}
 	return f, nil
 }
diff --git a/vendor/github.com/charmbracelet/colorprofile/.golangci-soft.yml b/vendor/github.com/charmbracelet/colorprofile/.golangci-soft.yml
deleted file mode 100644
index d325d4fc..00000000
--- a/vendor/github.com/charmbracelet/colorprofile/.golangci-soft.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-run:
-  tests: false
-  issues-exit-code: 0
-
-issues:
-  include:
-    - EXC0001
-    - EXC0005
-    - EXC0011
-    - EXC0012
-    - EXC0013
-
-  max-issues-per-linter: 0
-  max-same-issues: 0
-
-linters:
-  enable:
-    - exhaustive
-    - goconst
-    - godot
-    - godox
-    - mnd
-    - gomoddirectives
-    - goprintffuncname
-    - misspell
-    - nakedret
-    - nestif
-    - noctx
-    - nolintlint
-    - prealloc
-    - wrapcheck
-
-  # disable default linters, they are already enabled in .golangci.yml
-  disable:
-    - errcheck
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
-    - unused
diff --git a/vendor/github.com/charmbracelet/colorprofile/.golangci.yml b/vendor/github.com/charmbracelet/colorprofile/.golangci.yml
index d6789e01..be61d89b 100644
--- a/vendor/github.com/charmbracelet/colorprofile/.golangci.yml
+++ b/vendor/github.com/charmbracelet/colorprofile/.golangci.yml
@@ -1,24 +1,23 @@
+version: "2"
 run:
   tests: false
-
-issues:
-  include:
-    - EXC0001
-    - EXC0005
-    - EXC0011
-    - EXC0012
-    - EXC0013
-
-  max-issues-per-linter: 0
-  max-same-issues: 0
-
 linters:
   enable:
     - bodyclose
-    - gofumpt
-    - goimports
+    - exhaustive
+    - goconst
+    - godot
+    - godox
+    - gomoddirectives
+    - goprintffuncname
     - gosec
+    - misspell
+    - nakedret
+    - nestif
     - nilerr
+    - noctx
+    - nolintlint
+    - prealloc
     - revive
     - rowserrcheck
     - sqlclosecheck
@@ -26,3 +25,17 @@ linters:
     - unconvert
     - unparam
     - whitespace
+    - wrapcheck
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
diff --git a/vendor/github.com/charmbracelet/colorprofile/doc.go b/vendor/github.com/charmbracelet/colorprofile/doc.go
new file mode 100644
index 00000000..bd522e90
--- /dev/null
+++ b/vendor/github.com/charmbracelet/colorprofile/doc.go
@@ -0,0 +1,4 @@
+// Package colorprofile provides a way to downsample ANSI escape sequence
+// colors and styles automatically based on output, environment variables, and
+// Terminfo databases.
+package colorprofile
diff --git a/vendor/github.com/charmbracelet/colorprofile/env.go b/vendor/github.com/charmbracelet/colorprofile/env.go
index 8df3d8f7..749f989e 100644
--- a/vendor/github.com/charmbracelet/colorprofile/env.go
+++ b/vendor/github.com/charmbracelet/colorprofile/env.go
@@ -12,6 +12,8 @@ import (
 	"github.com/xo/terminfo"
 )
 
+const dumbTerm = "dumb"
+
 // Detect returns the color profile based on the terminal output, and
 // environment variables. This respects NO_COLOR, CLICOLOR, and CLICOLOR_FORCE
 // environment variables.
@@ -29,10 +31,10 @@ import (
 // See https://no-color.org/ and https://bixense.com/clicolors/ for more information.
 func Detect(output io.Writer, env []string) Profile {
 	out, ok := output.(term.File)
-	isatty := ok && term.IsTerminal(out.Fd())
 	environ := newEnviron(env)
-	term := environ.get("TERM")
-	isDumb := term == "dumb"
+	isatty := isTTYForced(environ) || (ok && term.IsTerminal(out.Fd()))
+	term, ok := environ.lookup("TERM")
+	isDumb := !ok || term == dumbTerm
 	envp := colorProfile(isatty, environ)
 	if envp == TrueColor || envNoColor(environ) {
 		// We already know we have TrueColor, or NO_COLOR is set.
@@ -69,7 +71,8 @@ func Env(env []string) (p Profile) {
 }
 
 func colorProfile(isatty bool, env environ) (p Profile) {
-	isDumb := env.get("TERM") == "dumb"
+	term, ok := env.lookup("TERM")
+	isDumb := (!ok && runtime.GOOS != "windows") || term == dumbTerm
 	envp := envColorProfile(env)
 	if !isatty || isDumb {
 		// Check if the output is a terminal.
@@ -83,7 +86,7 @@ func colorProfile(isatty bool, env environ) (p Profile) {
 		if p > Ascii {
 			p = Ascii
 		}
-		return
+		return //nolint:nakedret
 	}
 
 	if cliColorForced(env) {
@@ -94,7 +97,7 @@ func colorProfile(isatty bool, env environ) (p Profile) {
 			p = envp
 		}
 
-		return
+		return //nolint:nakedret
 	}
 
 	if cliColor(env) {
@@ -123,6 +126,11 @@ func cliColorForced(env environ) bool {
 	return cliColorForce
 }
 
+func isTTYForced(env environ) bool {
+	skip, _ := strconv.ParseBool(env.get("TTY_FORCE"))
+	return skip
+}
+
 func colorTerm(env environ) bool {
 	colorTerm := strings.ToLower(env.get("COLORTERM"))
 	return colorTerm == "truecolor" || colorTerm == "24bit" ||
@@ -132,7 +140,7 @@ func colorTerm(env environ) bool {
 // envColorProfile returns infers the color profile from the environment.
 func envColorProfile(env environ) (p Profile) {
 	term, ok := env.lookup("TERM")
-	if !ok || len(term) == 0 || term == "dumb" {
+	if !ok || len(term) == 0 || term == dumbTerm {
 		p = NoTTY
 		if runtime.GOOS == "windows" {
 			// Use Windows API to detect color profile. Windows Terminal and
@@ -184,7 +192,12 @@ func envColorProfile(env environ) (p Profile) {
 		p = ANSI256
 	}
 
-	return
+	// Direct color terminals support true colors.
+	if strings.HasSuffix(term, "direct") {
+		return TrueColor
+	}
+
+	return //nolint:nakedret
 }
 
 // Terminfo returns the color profile based on the terminal's terminfo
@@ -278,10 +291,3 @@ func (e environ) get(key string) string {
 	v, _ := e.lookup(key)
 	return v
 }
-
-func max[T ~byte | ~int](a, b T) T {
-	if a > b {
-		return a
-	}
-	return b
-}
diff --git a/vendor/github.com/charmbracelet/colorprofile/profile.go b/vendor/github.com/charmbracelet/colorprofile/profile.go
index 97e37ac3..2bcb37c6 100644
--- a/vendor/github.com/charmbracelet/colorprofile/profile.go
+++ b/vendor/github.com/charmbracelet/colorprofile/profile.go
@@ -12,15 +12,15 @@ import (
 type Profile byte
 
 const (
-	// NoTTY, not a terminal profile.
+	// NoTTY is a profile with no terminal support.
 	NoTTY Profile = iota
-	// Ascii, uncolored profile.
+	// Ascii is a profile with no color support.
 	Ascii //nolint:revive
-	// ANSI, 4-bit color profile.
+	// ANSI is a profile with 16 colors (4-bit).
 	ANSI
-	// ANSI256, 8-bit color profile.
+	// ANSI256 is a profile with 256 colors (8-bit).
 	ANSI256
-	// TrueColor, 24-bit color profile.
+	// TrueColor is a profile with 16 million colors (24-bit).
 	TrueColor
 )
 
diff --git a/vendor/github.com/charmbracelet/colorprofile/writer.go b/vendor/github.com/charmbracelet/colorprofile/writer.go
index d04b3b99..47f0c6eb 100644
--- a/vendor/github.com/charmbracelet/colorprofile/writer.go
+++ b/vendor/github.com/charmbracelet/colorprofile/writer.go
@@ -2,6 +2,7 @@ package colorprofile
 
 import (
 	"bytes"
+	"fmt"
 	"image/color"
 	"io"
 	"strconv"
@@ -37,11 +38,13 @@ type Writer struct {
 func (w *Writer) Write(p []byte) (int, error) {
 	switch w.Profile {
 	case TrueColor:
-		return w.Forward.Write(p)
+		return w.Forward.Write(p) //nolint:wrapcheck
 	case NoTTY:
-		return io.WriteString(w.Forward, ansi.Strip(string(p)))
-	default:
+		return io.WriteString(w.Forward, ansi.Strip(string(p))) //nolint:wrapcheck
+	case Ascii, ANSI, ANSI256:
 		return w.downsample(p)
+	default:
+		return 0, fmt.Errorf("invalid profile: %v", w.Profile)
 	}
 }
 
@@ -63,7 +66,7 @@ func (w *Writer) downsample(p []byte) (int, error) {
 		default:
 			// If we're not a style SGR sequence, just write the bytes.
 			if n, err := buf.Write(seq); err != nil {
-				return n, err
+				return n, err //nolint:wrapcheck
 			}
 		}
 
@@ -71,7 +74,7 @@ func (w *Writer) downsample(p []byte) (int, error) {
 		state = newState
 	}
 
-	return w.Forward.Write(buf.Bytes())
+	return w.Forward.Write(buf.Bytes()) //nolint:wrapcheck
 }
 
 // WriteString writes the given text to the underlying writer.
diff --git a/vendor/github.com/charmbracelet/log/.golangci.yml b/vendor/github.com/charmbracelet/log/.golangci.yml
index 90c5c08b..be61d89b 100644
--- a/vendor/github.com/charmbracelet/log/.golangci.yml
+++ b/vendor/github.com/charmbracelet/log/.golangci.yml
@@ -1,17 +1,6 @@
+version: "2"
 run:
   tests: false
-
-issues:
-  include:
-    - EXC0001
-    - EXC0005
-    - EXC0011
-    - EXC0012
-    - EXC0013
-
-  max-issues-per-linter: 0
-  max-same-issues: 0
-
 linters:
   enable:
     - bodyclose
@@ -19,8 +8,6 @@ linters:
     - goconst
     - godot
     - godox
-    - gofumpt
-    - goimports
     - gomoddirectives
     - goprintffuncname
     - gosec
@@ -39,3 +26,16 @@ linters:
     - unparam
     - whitespace
     - wrapcheck
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
diff --git a/vendor/github.com/charmbracelet/log/json.go b/vendor/github.com/charmbracelet/log/json.go
index 19d4ddd1..f84083d4 100644
--- a/vendor/github.com/charmbracelet/log/json.go
+++ b/vendor/github.com/charmbracelet/log/json.go
@@ -88,7 +88,13 @@ func (l *Logger) writeSlogValue(jw *jsonWriter, v slogValue) {
 		}
 		jw.end()
 	default:
-		jw.objectValue(v.Any())
+		a := v.Any()
+		_, jm := a.(json.Marshaler)
+		if err, ok := a.(error); ok && !jm {
+			jw.objectValue(err.Error())
+		} else {
+			jw.objectValue(a)
+		}
 	}
 }
 
diff --git a/vendor/github.com/charmbracelet/log/logger_121.go b/vendor/github.com/charmbracelet/log/logger_121.go
index b5cf9564..478e1a0d 100644
--- a/vendor/github.com/charmbracelet/log/logger_121.go
+++ b/vendor/github.com/charmbracelet/log/logger_121.go
@@ -17,6 +17,8 @@ type (
 	slogLogValuer = slog.LogValuer
 )
 
+var slogAnyValue = slog.AnyValue
+
 const slogKindGroup = slog.KindGroup
 
 // Enabled reports whether the logger is enabled for the given level.
diff --git a/vendor/github.com/charmbracelet/log/logger_no121.go b/vendor/github.com/charmbracelet/log/logger_no121.go
index ce8b8a2f..ea8bb108 100644
--- a/vendor/github.com/charmbracelet/log/logger_no121.go
+++ b/vendor/github.com/charmbracelet/log/logger_no121.go
@@ -18,6 +18,8 @@ type (
 	slogLogValuer = slog.LogValuer
 )
 
+var slogAnyValue = slog.AnyValue
+
 const slogKindGroup = slog.KindGroup
 
 // Enabled reports whether the logger is enabled for the given level.
diff --git a/vendor/github.com/charmbracelet/x/ansi/ansi.go b/vendor/github.com/charmbracelet/x/ansi/ansi.go
index 48d873c3..d5a2f251 100644
--- a/vendor/github.com/charmbracelet/x/ansi/ansi.go
+++ b/vendor/github.com/charmbracelet/x/ansi/ansi.go
@@ -7,5 +7,5 @@ import "io"
 //
 // This is a syntactic sugar over [io.WriteString].
 func Execute(w io.Writer, s string) (int, error) {
-	return io.WriteString(w, s)
+	return io.WriteString(w, s) //nolint:wrapcheck
 }
diff --git a/vendor/github.com/charmbracelet/x/ansi/background.go b/vendor/github.com/charmbracelet/x/ansi/background.go
index 2383cf09..46f82142 100644
--- a/vendor/github.com/charmbracelet/x/ansi/background.go
+++ b/vendor/github.com/charmbracelet/x/ansi/background.go
@@ -3,63 +3,93 @@ package ansi
 import (
 	"fmt"
 	"image/color"
+
+	"github.com/lucasb-eyer/go-colorful"
 )
 
-// Colorizer is a [color.Color] interface that can be formatted as a string.
-type Colorizer interface {
-	color.Color
-	fmt.Stringer
+// HexColor is a [color.Color] that can be formatted as a hex string.
+type HexColor string
+
+// RGBA returns the RGBA values of the color.
+func (h HexColor) RGBA() (r, g, b, a uint32) {
+	hex := h.color()
+	if hex == nil {
+		return 0, 0, 0, 0
+	}
+	return hex.RGBA()
 }
 
-// HexColorizer is a [color.Color] that can be formatted as a hex string.
-type HexColorizer struct{ color.Color }
-
-var _ Colorizer = HexColorizer{}
+// Hex returns the hex representation of the color. If the color is invalid, it
+// returns an empty string.
+func (h HexColor) Hex() string {
+	hex := h.color()
+	if hex == nil {
+		return ""
+	}
+	return hex.Hex()
+}
 
 // String returns the color as a hex string. If the color is nil, an empty
 // string is returned.
-func (h HexColorizer) String() string {
-	if h.Color == nil {
-		return ""
-	}
-	r, g, b, _ := h.RGBA()
-	// Get the lower 8 bits
-	r &= 0xff
-	g &= 0xff
-	b &= 0xff
-	return fmt.Sprintf("#%02x%02x%02x", uint8(r), uint8(g), uint8(b)) //nolint:gosec
+func (h HexColor) String() string {
+	return h.Hex()
 }
 
-// XRGBColorizer is a [color.Color] that can be formatted as an XParseColor
+// color returns the underlying color of the HexColor.
+func (h HexColor) color() *colorful.Color {
+	hex, err := colorful.Hex(string(h))
+	if err != nil {
+		return nil
+	}
+	return &hex
+}
+
+// XRGBColor is a [color.Color] that can be formatted as an XParseColor
 // rgb: string.
 //
 // See: https://linux.die.net/man/3/xparsecolor
-type XRGBColorizer struct{ color.Color }
+type XRGBColor struct {
+	color.Color
+}
 
-var _ Colorizer = XRGBColorizer{}
+// RGBA returns the RGBA values of the color.
+func (x XRGBColor) RGBA() (r, g, b, a uint32) {
+	if x.Color == nil {
+		return 0, 0, 0, 0
+	}
+	return x.Color.RGBA()
+}
 
 // String returns the color as an XParseColor rgb: string. If the color is nil,
 // an empty string is returned.
-func (x XRGBColorizer) String() string {
+func (x XRGBColor) String() string {
 	if x.Color == nil {
 		return ""
 	}
-	r, g, b, _ := x.RGBA()
+	r, g, b, _ := x.Color.RGBA()
 	// Get the lower 8 bits
 	return fmt.Sprintf("rgb:%04x/%04x/%04x", r, g, b)
 }
 
-// XRGBAColorizer is a [color.Color] that can be formatted as an XParseColor
+// XRGBAColor is a [color.Color] that can be formatted as an XParseColor
 // rgba: string.
 //
 // See: https://linux.die.net/man/3/xparsecolor
-type XRGBAColorizer struct{ color.Color }
+type XRGBAColor struct {
+	color.Color
+}
 
-var _ Colorizer = XRGBAColorizer{}
+// RGBA returns the RGBA values of the color.
+func (x XRGBAColor) RGBA() (r, g, b, a uint32) {
+	if x.Color == nil {
+		return 0, 0, 0, 0
+	}
+	return x.Color.RGBA()
+}
 
 // String returns the color as an XParseColor rgba: string. If the color is nil,
 // an empty string is returned.
-func (x XRGBAColorizer) String() string {
+func (x XRGBAColor) String() string {
 	if x.Color == nil {
 		return ""
 	}
@@ -74,19 +104,12 @@ func (x XRGBAColorizer) String() string {
 //	OSC 10 ; color ST
 //	OSC 10 ; color BEL
 //
-// Where color is the encoded color number.
+// Where color is the encoded color number. Most terminals support hex,
+// XParseColor rgb: and rgba: strings. You could use [HexColor], [XRGBColor],
+// or [XRGBAColor] to format the color.
 //
 // See: https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Operating-System-Commands
-func SetForegroundColor(c color.Color) string {
-	var s string
-	switch c := c.(type) {
-	case Colorizer:
-		s = c.String()
-	case fmt.Stringer:
-		s = c.String()
-	default:
-		s = HexColorizer{c}.String()
-	}
+func SetForegroundColor(s string) string {
 	return "\x1b]10;" + s + "\x07"
 }
 
@@ -108,19 +131,12 @@ const ResetForegroundColor = "\x1b]110\x07"
 //	OSC 11 ; color ST
 //	OSC 11 ; color BEL
 //
-// Where color is the encoded color number.
+// Where color is the encoded color number. Most terminals support hex,
+// XParseColor rgb: and rgba: strings. You could use [HexColor], [XRGBColor],
+// or [XRGBAColor] to format the color.
 //
 // See: https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Operating-System-Commands
-func SetBackgroundColor(c color.Color) string {
-	var s string
-	switch c := c.(type) {
-	case Colorizer:
-		s = c.String()
-	case fmt.Stringer:
-		s = c.String()
-	default:
-		s = HexColorizer{c}.String()
-	}
+func SetBackgroundColor(s string) string {
 	return "\x1b]11;" + s + "\x07"
 }
 
@@ -141,19 +157,12 @@ const ResetBackgroundColor = "\x1b]111\x07"
 //	OSC 12 ; color ST
 //	OSC 12 ; color BEL
 //
-// Where color is the encoded color number.
+// Where color is the encoded color number. Most terminals support hex,
+// XParseColor rgb: and rgba: strings. You could use [HexColor], [XRGBColor],
+// or [XRGBAColor] to format the color.
 //
 // See: https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Operating-System-Commands
-func SetCursorColor(c color.Color) string {
-	var s string
-	switch c := c.(type) {
-	case Colorizer:
-		s = c.String()
-	case fmt.Stringer:
-		s = c.String()
-	default:
-		s = HexColorizer{c}.String()
-	}
+func SetCursorColor(s string) string {
 	return "\x1b]12;" + s + "\x07"
 }
 
diff --git a/vendor/github.com/charmbracelet/x/ansi/charset.go b/vendor/github.com/charmbracelet/x/ansi/charset.go
index 50fff51f..02edfe7a 100644
--- a/vendor/github.com/charmbracelet/x/ansi/charset.go
+++ b/vendor/github.com/charmbracelet/x/ansi/charset.go
@@ -39,17 +39,17 @@ func SCS(gset byte, charset byte) string {
 	return SelectCharacterSet(gset, charset)
 }
 
-// Locking Shift 1 Right (LS1R) shifts G1 into GR character set.
+// LS1R (Locking Shift 1 Right) shifts G1 into GR character set.
 const LS1R = "\x1b~"
 
-// Locking Shift 2 (LS2) shifts G2 into GL character set.
+// LS2 (Locking Shift 2) shifts G2 into GL character set.
 const LS2 = "\x1bn"
 
-// Locking Shift 2 Right (LS2R) shifts G2 into GR character set.
+// LS2R (Locking Shift 2 Right) shifts G2 into GR character set.
 const LS2R = "\x1b}"
 
-// Locking Shift 3 (LS3) shifts G3 into GL character set.
+// LS3 (Locking Shift 3) shifts G3 into GL character set.
 const LS3 = "\x1bo"
 
-// Locking Shift 3 Right (LS3R) shifts G3 into GR character set.
+// LS3R (Locking Shift 3 Right) shifts G3 into GR character set.
 const LS3R = "\x1b|"
diff --git a/vendor/github.com/charmbracelet/x/ansi/color.go b/vendor/github.com/charmbracelet/x/ansi/color.go
index 77f8a08d..09feb975 100644
--- a/vendor/github.com/charmbracelet/x/ansi/color.go
+++ b/vendor/github.com/charmbracelet/x/ansi/color.go
@@ -2,34 +2,9 @@ package ansi
 
 import (
 	"image/color"
-)
 
-// Technically speaking, the 16 basic ANSI colors are arbitrary and can be
-// customized at the terminal level. Given that, we're returning what we feel
-// are good defaults.
-//
-// This could also be a slice, but we use a map to make the mappings very
-// explicit.
-//
-// See: https://www.ditig.com/publications/256-colors-cheat-sheet
-var lowANSI = map[uint32]uint32{
-	0:  0x000000, // black
-	1:  0x800000, // red
-	2:  0x008000, // green
-	3:  0x808000, // yellow
-	4:  0x000080, // blue
-	5:  0x800080, // magenta
-	6:  0x008080, // cyan
-	7:  0xc0c0c0, // white
-	8:  0x808080, // bright black
-	9:  0xff0000, // bright red
-	10: 0x00ff00, // bright green
-	11: 0xffff00, // bright yellow
-	12: 0x0000ff, // bright blue
-	13: 0xff00ff, // bright magenta
-	14: 0x00ffff, // bright cyan
-	15: 0xffffff, // bright white
-}
+	"github.com/lucasb-eyer/go-colorful"
+)
 
 // Color is a color that can be used in a terminal. ANSI (including
 // ANSI256) and 24-bit "true colors" fall under this category.
@@ -100,28 +75,33 @@ func (c BasicColor) RGBA() (uint32, uint32, uint32, uint32) {
 		return 0, 0, 0, 0xffff
 	}
 
-	r, g, b := ansiToRGB(ansi)
-	return toRGBA(r, g, b)
+	return ansiToRGB(byte(ansi)).RGBA()
 }
 
-// ExtendedColor is an ANSI 256 (8-bit) color with a value from 0 to 255.
-type ExtendedColor uint8
+// IndexedColor is an ANSI 256 (8-bit) color with a value from 0 to 255.
+type IndexedColor uint8
 
-var _ Color = ExtendedColor(0)
+var _ Color = IndexedColor(0)
 
 // RGBA returns the red, green, blue and alpha components of the color. It
 // satisfies the color.Color interface.
-func (c ExtendedColor) RGBA() (uint32, uint32, uint32, uint32) {
-	r, g, b := ansiToRGB(uint32(c))
-	return toRGBA(r, g, b)
+func (c IndexedColor) RGBA() (uint32, uint32, uint32, uint32) {
+	return ansiToRGB(byte(c)).RGBA()
 }
 
+// ExtendedColor is an ANSI 256 (8-bit) color with a value from 0 to 255.
+//
+// Deprecated: use [IndexedColor] instead.
+type ExtendedColor = IndexedColor
+
 // TrueColor is a 24-bit color that can be used in the terminal.
 // This can be used to represent RGB colors.
 //
 // For example, the color red can be represented as:
 //
 //	TrueColor(0xff0000)
+//
+// Deprecated: use [RGBColor] instead.
 type TrueColor uint32
 
 var _ Color = TrueColor(0)
@@ -133,44 +113,25 @@ func (c TrueColor) RGBA() (uint32, uint32, uint32, uint32) {
 	return toRGBA(r, g, b)
 }
 
+// RGBColor is a 24-bit color that can be used in the terminal.
+// This can be used to represent RGB colors.
+type RGBColor struct {
+	R uint8
+	G uint8
+	B uint8
+}
+
+// RGBA returns the red, green, blue and alpha components of the color. It
+// satisfies the color.Color interface.
+func (c RGBColor) RGBA() (uint32, uint32, uint32, uint32) {
+	return toRGBA(uint32(c.R), uint32(c.G), uint32(c.B))
+}
+
 // ansiToRGB converts an ANSI color to a 24-bit RGB color.
 //
 //	r, g, b := ansiToRGB(57)
-func ansiToRGB(ansi uint32) (uint32, uint32, uint32) {
-	// For out-of-range values return black.
-	if ansi > 255 {
-		return 0, 0, 0
-	}
-
-	// Low ANSI.
-	if ansi < 16 {
-		h, ok := lowANSI[ansi]
-		if !ok {
-			return 0, 0, 0
-		}
-		r, g, b := hexToRGB(h)
-		return r, g, b
-	}
-
-	// Grays.
-	if ansi > 231 {
-		s := (ansi-232)*10 + 8
-		return s, s, s
-	}
-
-	// ANSI256.
-	n := ansi - 16
-	b := n % 6
-	g := (n - b) / 6 % 6
-	r := (n - b - g*6) / 36 % 6
-	for _, v := range []*uint32{&r, &g, &b} {
-		if *v > 0 {
-			c := *v*40 + 55
-			*v = c
-		}
-	}
-
-	return r, g, b
+func ansiToRGB(ansi byte) color.Color {
+	return ansiHex[ansi]
 }
 
 // hexToRGB converts a number in hexadecimal format to red, green, and blue
@@ -194,3 +155,630 @@ func toRGBA(r, g, b uint32) (uint32, uint32, uint32, uint32) {
 	b |= b << 8
 	return r, g, b, 0xffff
 }
+
+//nolint:unused
+func distSq(r1, g1, b1, r2, g2, b2 int) int {
+	return ((r1-r2)*(r1-r2) + (g1-g2)*(g1-g2) + (b1-b2)*(b1-b2))
+}
+
+func to6Cube[T int | float64](v T) int {
+	if v < 48 {
+		return 0
+	}
+	if v < 115 {
+		return 1
+	}
+	return int((v - 35) / 40)
+}
+
+// Convert256 converts a [color.Color], usually a 24-bit color, to xterm(1) 256
+// color palette.
+//
+// xterm provides a 6x6x6 color cube (16 - 231) and 24 greys (232 - 255). We
+// map our RGB color to the closest in the cube, also work out the closest
+// grey, and use the nearest of the two based on the lightness of the color.
+//
+// Note that the xterm has much lower resolution for darker colors (they are
+// not evenly spread out), so our 6 levels are not evenly spread: 0x0, 0x5f
+// (95), 0x87 (135), 0xaf (175), 0xd7 (215) and 0xff (255). Greys are more
+// evenly spread (8, 18, 28 ... 238).
+func Convert256(c color.Color) IndexedColor {
+	// If the color is already an IndexedColor, return it.
+	if i, ok := c.(IndexedColor); ok {
+		return i
+	}
+
+	// Note: this is mostly ported from tmux/colour.c.
+	col, ok := colorful.MakeColor(c)
+	if !ok {
+		return IndexedColor(0)
+	}
+
+	r := col.R * 255
+	g := col.G * 255
+	b := col.B * 255
+
+	q2c := [6]int{0x00, 0x5f, 0x87, 0xaf, 0xd7, 0xff}
+
+	// Map RGB to 6x6x6 cube.
+	qr := to6Cube(r)
+	cr := q2c[qr]
+	qg := to6Cube(g)
+	cg := q2c[qg]
+	qb := to6Cube(b)
+	cb := q2c[qb]
+
+	// If we have hit the color exactly, return early.
+	ci := (36 * qr) + (6 * qg) + qb
+	if cr == int(r) && cg == int(g) && cb == int(b) {
+		return IndexedColor(16 + ci) //nolint:gosec
+	}
+
+	// Work out the closest grey (average of RGB).
+	greyAvg := int(r+g+b) / 3
+	var greyIdx int
+	if greyAvg > 238 {
+		greyIdx = 23
+	} else {
+		greyIdx = (greyAvg - 3) / 10
+	}
+	grey := 8 + (10 * greyIdx)
+
+	// Return the one which is nearer to the original input rgb value
+	// XXX: This is where it differs from tmux's implementation, we prefer the
+	// closer color to the original in terms of light distances rather than the
+	// cube distance.
+	c2 := colorful.Color{R: float64(cr) / 255.0, G: float64(cg) / 255.0, B: float64(cb) / 255.0}
+	g2 := colorful.Color{R: float64(grey) / 255.0, G: float64(grey) / 255.0, B: float64(grey) / 255.0}
+	colorDist := col.DistanceHSLuv(c2)
+	grayDist := col.DistanceHSLuv(g2)
+
+	if colorDist <= grayDist {
+		return IndexedColor(16 + ci) //nolint:gosec
+	}
+	return IndexedColor(232 + greyIdx) //nolint:gosec
+
+	// // Is grey or 6x6x6 color closest?
+	// d := distSq(cr, cg, cb, int(r), int(g), int(b))
+	// if distSq(grey, grey, grey, int(r), int(g), int(b)) < d {
+	// 	return IndexedColor(232 + greyIdx) //nolint:gosec
+	// }
+	// return IndexedColor(16 + ci) //nolint:gosec
+}
+
+// Convert16 converts a [color.Color] to a 16-color ANSI color. It will first
+// try to find a match in the 256 xterm(1) color palette, and then map that to
+// the 16-color ANSI palette.
+func Convert16(c color.Color) BasicColor {
+	switch c := c.(type) {
+	case BasicColor:
+		// If the color is already a BasicColor, return it.
+		return c
+	case IndexedColor:
+		// If the color is already an IndexedColor, return the corresponding
+		// BasicColor.
+		return ansi256To16[c]
+	default:
+		c256 := Convert256(c)
+		return ansi256To16[c256]
+	}
+}
+
+// RGB values of ANSI colors (0-255).
+var ansiHex = [...]color.RGBA{
+	0:   {R: 0x00, G: 0x00, B: 0x00, A: 0xff}, //   "#000000"
+	1:   {R: 0x80, G: 0x00, B: 0x00, A: 0xff}, //   "#800000"
+	2:   {R: 0x00, G: 0x80, B: 0x00, A: 0xff}, //   "#008000"
+	3:   {R: 0x80, G: 0x80, B: 0x00, A: 0xff}, //   "#808000"
+	4:   {R: 0x00, G: 0x00, B: 0x80, A: 0xff}, //   "#000080"
+	5:   {R: 0x80, G: 0x00, B: 0x80, A: 0xff}, //   "#800080"
+	6:   {R: 0x00, G: 0x80, B: 0x80, A: 0xff}, //   "#008080"
+	7:   {R: 0xc0, G: 0xc0, B: 0xc0, A: 0xff}, //   "#c0c0c0"
+	8:   {R: 0x80, G: 0x80, B: 0x80, A: 0xff}, //   "#808080"
+	9:   {R: 0xff, G: 0x00, B: 0x00, A: 0xff}, //   "#ff0000"
+	10:  {R: 0x00, G: 0xff, B: 0x00, A: 0xff}, //  "#00ff00"
+	11:  {R: 0xff, G: 0xff, B: 0x00, A: 0xff}, //  "#ffff00"
+	12:  {R: 0x00, G: 0x00, B: 0xff, A: 0xff}, //  "#0000ff"
+	13:  {R: 0xff, G: 0x00, B: 0xff, A: 0xff}, //  "#ff00ff"
+	14:  {R: 0x00, G: 0xff, B: 0xff, A: 0xff}, //  "#00ffff"
+	15:  {R: 0xff, G: 0xff, B: 0xff, A: 0xff}, //  "#ffffff"
+	16:  {R: 0x00, G: 0x00, B: 0x00, A: 0xff}, //  "#000000"
+	17:  {R: 0x00, G: 0x00, B: 0x5f, A: 0xff}, //  "#00005f"
+	18:  {R: 0x00, G: 0x00, B: 0x87, A: 0xff}, //  "#000087"
+	19:  {R: 0x00, G: 0x00, B: 0xaf, A: 0xff}, //  "#0000af"
+	20:  {R: 0x00, G: 0x00, B: 0xd7, A: 0xff}, //  "#0000d7"
+	21:  {R: 0x00, G: 0x00, B: 0xff, A: 0xff}, //  "#0000ff"
+	22:  {R: 0x00, G: 0x5f, B: 0x00, A: 0xff}, //  "#005f00"
+	23:  {R: 0x00, G: 0x5f, B: 0x5f, A: 0xff}, //  "#005f5f"
+	24:  {R: 0x00, G: 0x5f, B: 0x87, A: 0xff}, //  "#005f87"
+	25:  {R: 0x00, G: 0x5f, B: 0xaf, A: 0xff}, //  "#005faf"
+	26:  {R: 0x00, G: 0x5f, B: 0xd7, A: 0xff}, //  "#005fd7"
+	27:  {R: 0x00, G: 0x5f, B: 0xff, A: 0xff}, //  "#005fff"
+	28:  {R: 0x00, G: 0x87, B: 0x00, A: 0xff}, //  "#008700"
+	29:  {R: 0x00, G: 0x87, B: 0x5f, A: 0xff}, //  "#00875f"
+	30:  {R: 0x00, G: 0x87, B: 0x87, A: 0xff}, //  "#008787"
+	31:  {R: 0x00, G: 0x87, B: 0xaf, A: 0xff}, //  "#0087af"
+	32:  {R: 0x00, G: 0x87, B: 0xd7, A: 0xff}, //  "#0087d7"
+	33:  {R: 0x00, G: 0x87, B: 0xff, A: 0xff}, //  "#0087ff"
+	34:  {R: 0x00, G: 0xaf, B: 0x00, A: 0xff}, //  "#00af00"
+	35:  {R: 0x00, G: 0xaf, B: 0x5f, A: 0xff}, //  "#00af5f"
+	36:  {R: 0x00, G: 0xaf, B: 0x87, A: 0xff}, //  "#00af87"
+	37:  {R: 0x00, G: 0xaf, B: 0xaf, A: 0xff}, //  "#00afaf"
+	38:  {R: 0x00, G: 0xaf, B: 0xd7, A: 0xff}, //  "#00afd7"
+	39:  {R: 0x00, G: 0xaf, B: 0xff, A: 0xff}, //  "#00afff"
+	40:  {R: 0x00, G: 0xd7, B: 0x00, A: 0xff}, //  "#00d700"
+	41:  {R: 0x00, G: 0xd7, B: 0x5f, A: 0xff}, //  "#00d75f"
+	42:  {R: 0x00, G: 0xd7, B: 0x87, A: 0xff}, //  "#00d787"
+	43:  {R: 0x00, G: 0xd7, B: 0xaf, A: 0xff}, //  "#00d7af"
+	44:  {R: 0x00, G: 0xd7, B: 0xd7, A: 0xff}, //  "#00d7d7"
+	45:  {R: 0x00, G: 0xd7, B: 0xff, A: 0xff}, //  "#00d7ff"
+	46:  {R: 0x00, G: 0xff, B: 0x00, A: 0xff}, //  "#00ff00"
+	47:  {R: 0x00, G: 0xff, B: 0x5f, A: 0xff}, //  "#00ff5f"
+	48:  {R: 0x00, G: 0xff, B: 0x87, A: 0xff}, //  "#00ff87"
+	49:  {R: 0x00, G: 0xff, B: 0xaf, A: 0xff}, //  "#00ffaf"
+	50:  {R: 0x00, G: 0xff, B: 0xd7, A: 0xff}, //  "#00ffd7"
+	51:  {R: 0x00, G: 0xff, B: 0xff, A: 0xff}, //  "#00ffff"
+	52:  {R: 0x5f, G: 0x00, B: 0x00, A: 0xff}, //  "#5f0000"
+	53:  {R: 0x5f, G: 0x00, B: 0x5f, A: 0xff}, //  "#5f005f"
+	54:  {R: 0x5f, G: 0x00, B: 0x87, A: 0xff}, //  "#5f0087"
+	55:  {R: 0x5f, G: 0x00, B: 0xaf, A: 0xff}, //  "#5f00af"
+	56:  {R: 0x5f, G: 0x00, B: 0xd7, A: 0xff}, //  "#5f00d7"
+	57:  {R: 0x5f, G: 0x00, B: 0xff, A: 0xff}, //  "#5f00ff"
+	58:  {R: 0x5f, G: 0x5f, B: 0x00, A: 0xff}, //  "#5f5f00"
+	59:  {R: 0x5f, G: 0x5f, B: 0x5f, A: 0xff}, //  "#5f5f5f"
+	60:  {R: 0x5f, G: 0x5f, B: 0x87, A: 0xff}, //  "#5f5f87"
+	61:  {R: 0x5f, G: 0x5f, B: 0xaf, A: 0xff}, //  "#5f5faf"
+	62:  {R: 0x5f, G: 0x5f, B: 0xd7, A: 0xff}, //  "#5f5fd7"
+	63:  {R: 0x5f, G: 0x5f, B: 0xff, A: 0xff}, //  "#5f5fff"
+	64:  {R: 0x5f, G: 0x87, B: 0x00, A: 0xff}, //  "#5f8700"
+	65:  {R: 0x5f, G: 0x87, B: 0x5f, A: 0xff}, //  "#5f875f"
+	66:  {R: 0x5f, G: 0x87, B: 0x87, A: 0xff}, //  "#5f8787"
+	67:  {R: 0x5f, G: 0x87, B: 0xaf, A: 0xff}, //  "#5f87af"
+	68:  {R: 0x5f, G: 0x87, B: 0xd7, A: 0xff}, //  "#5f87d7"
+	69:  {R: 0x5f, G: 0x87, B: 0xff, A: 0xff}, //  "#5f87ff"
+	70:  {R: 0x5f, G: 0xaf, B: 0x00, A: 0xff}, //  "#5faf00"
+	71:  {R: 0x5f, G: 0xaf, B: 0x5f, A: 0xff}, //  "#5faf5f"
+	72:  {R: 0x5f, G: 0xaf, B: 0x87, A: 0xff}, //  "#5faf87"
+	73:  {R: 0x5f, G: 0xaf, B: 0xaf, A: 0xff}, //  "#5fafaf"
+	74:  {R: 0x5f, G: 0xaf, B: 0xd7, A: 0xff}, //  "#5fafd7"
+	75:  {R: 0x5f, G: 0xaf, B: 0xff, A: 0xff}, //  "#5fafff"
+	76:  {R: 0x5f, G: 0xd7, B: 0x00, A: 0xff}, //  "#5fd700"
+	77:  {R: 0x5f, G: 0xd7, B: 0x5f, A: 0xff}, //  "#5fd75f"
+	78:  {R: 0x5f, G: 0xd7, B: 0x87, A: 0xff}, //  "#5fd787"
+	79:  {R: 0x5f, G: 0xd7, B: 0xaf, A: 0xff}, //  "#5fd7af"
+	80:  {R: 0x5f, G: 0xd7, B: 0xd7, A: 0xff}, //  "#5fd7d7"
+	81:  {R: 0x5f, G: 0xd7, B: 0xff, A: 0xff}, //  "#5fd7ff"
+	82:  {R: 0x5f, G: 0xff, B: 0x00, A: 0xff}, //  "#5fff00"
+	83:  {R: 0x5f, G: 0xff, B: 0x5f, A: 0xff}, //  "#5fff5f"
+	84:  {R: 0x5f, G: 0xff, B: 0x87, A: 0xff}, //  "#5fff87"
+	85:  {R: 0x5f, G: 0xff, B: 0xaf, A: 0xff}, //  "#5fffaf"
+	86:  {R: 0x5f, G: 0xff, B: 0xd7, A: 0xff}, //  "#5fffd7"
+	87:  {R: 0x5f, G: 0xff, B: 0xff, A: 0xff}, //  "#5fffff"
+	88:  {R: 0x87, G: 0x00, B: 0x00, A: 0xff}, //  "#870000"
+	89:  {R: 0x87, G: 0x00, B: 0x5f, A: 0xff}, //  "#87005f"
+	90:  {R: 0x87, G: 0x00, B: 0x87, A: 0xff}, //  "#870087"
+	91:  {R: 0x87, G: 0x00, B: 0xaf, A: 0xff}, //  "#8700af"
+	92:  {R: 0x87, G: 0x00, B: 0xd7, A: 0xff}, //  "#8700d7"
+	93:  {R: 0x87, G: 0x00, B: 0xff, A: 0xff}, //  "#8700ff"
+	94:  {R: 0x87, G: 0x5f, B: 0x00, A: 0xff}, //  "#875f00"
+	95:  {R: 0x87, G: 0x5f, B: 0x5f, A: 0xff}, //  "#875f5f"
+	96:  {R: 0x87, G: 0x5f, B: 0x87, A: 0xff}, //  "#875f87"
+	97:  {R: 0x87, G: 0x5f, B: 0xaf, A: 0xff}, //  "#875faf"
+	98:  {R: 0x87, G: 0x5f, B: 0xd7, A: 0xff}, //  "#875fd7"
+	99:  {R: 0x87, G: 0x5f, B: 0xff, A: 0xff}, //  "#875fff"
+	100: {R: 0x87, G: 0x87, B: 0x00, A: 0xff}, // "#878700"
+	101: {R: 0x87, G: 0x87, B: 0x5f, A: 0xff}, // "#87875f"
+	102: {R: 0x87, G: 0x87, B: 0x87, A: 0xff}, // "#878787"
+	103: {R: 0x87, G: 0x87, B: 0xaf, A: 0xff}, // "#8787af"
+	104: {R: 0x87, G: 0x87, B: 0xd7, A: 0xff}, // "#8787d7"
+	105: {R: 0x87, G: 0x87, B: 0xff, A: 0xff}, // "#8787ff"
+	106: {R: 0x87, G: 0xaf, B: 0x00, A: 0xff}, // "#87af00"
+	107: {R: 0x87, G: 0xaf, B: 0x5f, A: 0xff}, // "#87af5f"
+	108: {R: 0x87, G: 0xaf, B: 0x87, A: 0xff}, // "#87af87"
+	109: {R: 0x87, G: 0xaf, B: 0xaf, A: 0xff}, // "#87afaf"
+	110: {R: 0x87, G: 0xaf, B: 0xd7, A: 0xff}, // "#87afd7"
+	111: {R: 0x87, G: 0xaf, B: 0xff, A: 0xff}, // "#87afff"
+	112: {R: 0x87, G: 0xd7, B: 0x00, A: 0xff}, // "#87d700"
+	113: {R: 0x87, G: 0xd7, B: 0x5f, A: 0xff}, // "#87d75f"
+	114: {R: 0x87, G: 0xd7, B: 0x87, A: 0xff}, // "#87d787"
+	115: {R: 0x87, G: 0xd7, B: 0xaf, A: 0xff}, // "#87d7af"
+	116: {R: 0x87, G: 0xd7, B: 0xd7, A: 0xff}, // "#87d7d7"
+	117: {R: 0x87, G: 0xd7, B: 0xff, A: 0xff}, // "#87d7ff"
+	118: {R: 0x87, G: 0xff, B: 0x00, A: 0xff}, // "#87ff00"
+	119: {R: 0x87, G: 0xff, B: 0x5f, A: 0xff}, // "#87ff5f"
+	120: {R: 0x87, G: 0xff, B: 0x87, A: 0xff}, // "#87ff87"
+	121: {R: 0x87, G: 0xff, B: 0xaf, A: 0xff}, // "#87ffaf"
+	122: {R: 0x87, G: 0xff, B: 0xd7, A: 0xff}, // "#87ffd7"
+	123: {R: 0x87, G: 0xff, B: 0xff, A: 0xff}, // "#87ffff"
+	124: {R: 0xaf, G: 0x00, B: 0x00, A: 0xff}, // "#af0000"
+	125: {R: 0xaf, G: 0x00, B: 0x5f, A: 0xff}, // "#af005f"
+	126: {R: 0xaf, G: 0x00, B: 0x87, A: 0xff}, // "#af0087"
+	127: {R: 0xaf, G: 0x00, B: 0xaf, A: 0xff}, // "#af00af"
+	128: {R: 0xaf, G: 0x00, B: 0xd7, A: 0xff}, // "#af00d7"
+	129: {R: 0xaf, G: 0x00, B: 0xff, A: 0xff}, // "#af00ff"
+	130: {R: 0xaf, G: 0x5f, B: 0x00, A: 0xff}, // "#af5f00"
+	131: {R: 0xaf, G: 0x5f, B: 0x5f, A: 0xff}, // "#af5f5f"
+	132: {R: 0xaf, G: 0x5f, B: 0x87, A: 0xff}, // "#af5f87"
+	133: {R: 0xaf, G: 0x5f, B: 0xaf, A: 0xff}, // "#af5faf"
+	134: {R: 0xaf, G: 0x5f, B: 0xd7, A: 0xff}, // "#af5fd7"
+	135: {R: 0xaf, G: 0x5f, B: 0xff, A: 0xff}, // "#af5fff"
+	136: {R: 0xaf, G: 0x87, B: 0x00, A: 0xff}, // "#af8700"
+	137: {R: 0xaf, G: 0x87, B: 0x5f, A: 0xff}, // "#af875f"
+	138: {R: 0xaf, G: 0x87, B: 0x87, A: 0xff}, // "#af8787"
+	139: {R: 0xaf, G: 0x87, B: 0xaf, A: 0xff}, // "#af87af"
+	140: {R: 0xaf, G: 0x87, B: 0xd7, A: 0xff}, // "#af87d7"
+	141: {R: 0xaf, G: 0x87, B: 0xff, A: 0xff}, // "#af87ff"
+	142: {R: 0xaf, G: 0xaf, B: 0x00, A: 0xff}, // "#afaf00"
+	143: {R: 0xaf, G: 0xaf, B: 0x5f, A: 0xff}, // "#afaf5f"
+	144: {R: 0xaf, G: 0xaf, B: 0x87, A: 0xff}, // "#afaf87"
+	145: {R: 0xaf, G: 0xaf, B: 0xaf, A: 0xff}, // "#afafaf"
+	146: {R: 0xaf, G: 0xaf, B: 0xd7, A: 0xff}, // "#afafd7"
+	147: {R: 0xaf, G: 0xaf, B: 0xff, A: 0xff}, // "#afafff"
+	148: {R: 0xaf, G: 0xd7, B: 0x00, A: 0xff}, // "#afd700"
+	149: {R: 0xaf, G: 0xd7, B: 0x5f, A: 0xff}, // "#afd75f"
+	150: {R: 0xaf, G: 0xd7, B: 0x87, A: 0xff}, // "#afd787"
+	151: {R: 0xaf, G: 0xd7, B: 0xaf, A: 0xff}, // "#afd7af"
+	152: {R: 0xaf, G: 0xd7, B: 0xd7, A: 0xff}, // "#afd7d7"
+	153: {R: 0xaf, G: 0xd7, B: 0xff, A: 0xff}, // "#afd7ff"
+	154: {R: 0xaf, G: 0xff, B: 0x00, A: 0xff}, // "#afff00"
+	155: {R: 0xaf, G: 0xff, B: 0x5f, A: 0xff}, // "#afff5f"
+	156: {R: 0xaf, G: 0xff, B: 0x87, A: 0xff}, // "#afff87"
+	157: {R: 0xaf, G: 0xff, B: 0xaf, A: 0xff}, // "#afffaf"
+	158: {R: 0xaf, G: 0xff, B: 0xd7, A: 0xff}, // "#afffd7"
+	159: {R: 0xaf, G: 0xff, B: 0xff, A: 0xff}, // "#afffff"
+	160: {R: 0xd7, G: 0x00, B: 0x00, A: 0xff}, // "#d70000"
+	161: {R: 0xd7, G: 0x00, B: 0x5f, A: 0xff}, // "#d7005f"
+	162: {R: 0xd7, G: 0x00, B: 0x87, A: 0xff}, // "#d70087"
+	163: {R: 0xd7, G: 0x00, B: 0xaf, A: 0xff}, // "#d700af"
+	164: {R: 0xd7, G: 0x00, B: 0xd7, A: 0xff}, // "#d700d7"
+	165: {R: 0xd7, G: 0x00, B: 0xff, A: 0xff}, // "#d700ff"
+	166: {R: 0xd7, G: 0x5f, B: 0x00, A: 0xff}, // "#d75f00"
+	167: {R: 0xd7, G: 0x5f, B: 0x5f, A: 0xff}, // "#d75f5f"
+	168: {R: 0xd7, G: 0x5f, B: 0x87, A: 0xff}, // "#d75f87"
+	169: {R: 0xd7, G: 0x5f, B: 0xaf, A: 0xff}, // "#d75faf"
+	170: {R: 0xd7, G: 0x5f, B: 0xd7, A: 0xff}, // "#d75fd7"
+	171: {R: 0xd7, G: 0x5f, B: 0xff, A: 0xff}, // "#d75fff"
+	172: {R: 0xd7, G: 0x87, B: 0x00, A: 0xff}, // "#d78700"
+	173: {R: 0xd7, G: 0x87, B: 0x5f, A: 0xff}, // "#d7875f"
+	174: {R: 0xd7, G: 0x87, B: 0x87, A: 0xff}, // "#d78787"
+	175: {R: 0xd7, G: 0x87, B: 0xaf, A: 0xff}, // "#d787af"
+	176: {R: 0xd7, G: 0x87, B: 0xd7, A: 0xff}, // "#d787d7"
+	177: {R: 0xd7, G: 0x87, B: 0xff, A: 0xff}, // "#d787ff"
+	178: {R: 0xd7, G: 0xaf, B: 0x00, A: 0xff}, // "#d7af00"
+	179: {R: 0xd7, G: 0xaf, B: 0x5f, A: 0xff}, // "#d7af5f"
+	180: {R: 0xd7, G: 0xaf, B: 0x87, A: 0xff}, // "#d7af87"
+	181: {R: 0xd7, G: 0xaf, B: 0xaf, A: 0xff}, // "#d7afaf"
+	182: {R: 0xd7, G: 0xaf, B: 0xd7, A: 0xff}, // "#d7afd7"
+	183: {R: 0xd7, G: 0xaf, B: 0xff, A: 0xff}, // "#d7afff"
+	184: {R: 0xd7, G: 0xd7, B: 0x00, A: 0xff}, // "#d7d700"
+	185: {R: 0xd7, G: 0xd7, B: 0x5f, A: 0xff}, // "#d7d75f"
+	186: {R: 0xd7, G: 0xd7, B: 0x87, A: 0xff}, // "#d7d787"
+	187: {R: 0xd7, G: 0xd7, B: 0xaf, A: 0xff}, // "#d7d7af"
+	188: {R: 0xd7, G: 0xd7, B: 0xd7, A: 0xff}, // "#d7d7d7"
+	189: {R: 0xd7, G: 0xd7, B: 0xff, A: 0xff}, // "#d7d7ff"
+	190: {R: 0xd7, G: 0xff, B: 0x00, A: 0xff}, // "#d7ff00"
+	191: {R: 0xd7, G: 0xff, B: 0x5f, A: 0xff}, // "#d7ff5f"
+	192: {R: 0xd7, G: 0xff, B: 0x87, A: 0xff}, // "#d7ff87"
+	193: {R: 0xd7, G: 0xff, B: 0xaf, A: 0xff}, // "#d7ffaf"
+	194: {R: 0xd7, G: 0xff, B: 0xd7, A: 0xff}, // "#d7ffd7"
+	195: {R: 0xd7, G: 0xff, B: 0xff, A: 0xff}, // "#d7ffff"
+	196: {R: 0xff, G: 0x00, B: 0x00, A: 0xff}, // "#ff0000"
+	197: {R: 0xff, G: 0x00, B: 0x5f, A: 0xff}, // "#ff005f"
+	198: {R: 0xff, G: 0x00, B: 0x87, A: 0xff}, // "#ff0087"
+	199: {R: 0xff, G: 0x00, B: 0xaf, A: 0xff}, // "#ff00af"
+	200: {R: 0xff, G: 0x00, B: 0xd7, A: 0xff}, // "#ff00d7"
+	201: {R: 0xff, G: 0x00, B: 0xff, A: 0xff}, // "#ff00ff"
+	202: {R: 0xff, G: 0x5f, B: 0x00, A: 0xff}, // "#ff5f00"
+	203: {R: 0xff, G: 0x5f, B: 0x5f, A: 0xff}, // "#ff5f5f"
+	204: {R: 0xff, G: 0x5f, B: 0x87, A: 0xff}, // "#ff5f87"
+	205: {R: 0xff, G: 0x5f, B: 0xaf, A: 0xff}, // "#ff5faf"
+	206: {R: 0xff, G: 0x5f, B: 0xd7, A: 0xff}, // "#ff5fd7"
+	207: {R: 0xff, G: 0x5f, B: 0xff, A: 0xff}, // "#ff5fff"
+	208: {R: 0xff, G: 0x87, B: 0x00, A: 0xff}, // "#ff8700"
+	209: {R: 0xff, G: 0x87, B: 0x5f, A: 0xff}, // "#ff875f"
+	210: {R: 0xff, G: 0x87, B: 0x87, A: 0xff}, // "#ff8787"
+	211: {R: 0xff, G: 0x87, B: 0xaf, A: 0xff}, // "#ff87af"
+	212: {R: 0xff, G: 0x87, B: 0xd7, A: 0xff}, // "#ff87d7"
+	213: {R: 0xff, G: 0x87, B: 0xff, A: 0xff}, // "#ff87ff"
+	214: {R: 0xff, G: 0xaf, B: 0x00, A: 0xff}, // "#ffaf00"
+	215: {R: 0xff, G: 0xaf, B: 0x5f, A: 0xff}, // "#ffaf5f"
+	216: {R: 0xff, G: 0xaf, B: 0x87, A: 0xff}, // "#ffaf87"
+	217: {R: 0xff, G: 0xaf, B: 0xaf, A: 0xff}, // "#ffafaf"
+	218: {R: 0xff, G: 0xaf, B: 0xd7, A: 0xff}, // "#ffafd7"
+	219: {R: 0xff, G: 0xaf, B: 0xff, A: 0xff}, // "#ffafff"
+	220: {R: 0xff, G: 0xd7, B: 0x00, A: 0xff}, // "#ffd700"
+	221: {R: 0xff, G: 0xd7, B: 0x5f, A: 0xff}, // "#ffd75f"
+	222: {R: 0xff, G: 0xd7, B: 0x87, A: 0xff}, // "#ffd787"
+	223: {R: 0xff, G: 0xd7, B: 0xaf, A: 0xff}, // "#ffd7af"
+	224: {R: 0xff, G: 0xd7, B: 0xd7, A: 0xff}, // "#ffd7d7"
+	225: {R: 0xff, G: 0xd7, B: 0xff, A: 0xff}, // "#ffd7ff"
+	226: {R: 0xff, G: 0xff, B: 0x00, A: 0xff}, // "#ffff00"
+	227: {R: 0xff, G: 0xff, B: 0x5f, A: 0xff}, // "#ffff5f"
+	228: {R: 0xff, G: 0xff, B: 0x87, A: 0xff}, // "#ffff87"
+	229: {R: 0xff, G: 0xff, B: 0xaf, A: 0xff}, // "#ffffaf"
+	230: {R: 0xff, G: 0xff, B: 0xd7, A: 0xff}, // "#ffffd7"
+	231: {R: 0xff, G: 0xff, B: 0xff, A: 0xff}, // "#ffffff"
+	232: {R: 0x08, G: 0x08, B: 0x08, A: 0xff}, // "#080808"
+	233: {R: 0x12, G: 0x12, B: 0x12, A: 0xff}, // "#121212"
+	234: {R: 0x1c, G: 0x1c, B: 0x1c, A: 0xff}, // "#1c1c1c"
+	235: {R: 0x26, G: 0x26, B: 0x26, A: 0xff}, // "#262626"
+	236: {R: 0x30, G: 0x30, B: 0x30, A: 0xff}, // "#303030"
+	237: {R: 0x3a, G: 0x3a, B: 0x3a, A: 0xff}, // "#3a3a3a"
+	238: {R: 0x44, G: 0x44, B: 0x44, A: 0xff}, // "#444444"
+	239: {R: 0x4e, G: 0x4e, B: 0x4e, A: 0xff}, // "#4e4e4e"
+	240: {R: 0x58, G: 0x58, B: 0x58, A: 0xff}, // "#585858"
+	241: {R: 0x62, G: 0x62, B: 0x62, A: 0xff}, // "#626262"
+	242: {R: 0x6c, G: 0x6c, B: 0x6c, A: 0xff}, // "#6c6c6c"
+	243: {R: 0x76, G: 0x76, B: 0x76, A: 0xff}, // "#767676"
+	244: {R: 0x80, G: 0x80, B: 0x80, A: 0xff}, // "#808080"
+	245: {R: 0x8a, G: 0x8a, B: 0x8a, A: 0xff}, // "#8a8a8a"
+	246: {R: 0x94, G: 0x94, B: 0x94, A: 0xff}, // "#949494"
+	247: {R: 0x9e, G: 0x9e, B: 0x9e, A: 0xff}, // "#9e9e9e"
+	248: {R: 0xa8, G: 0xa8, B: 0xa8, A: 0xff}, // "#a8a8a8"
+	249: {R: 0xb2, G: 0xb2, B: 0xb2, A: 0xff}, // "#b2b2b2"
+	250: {R: 0xbc, G: 0xbc, B: 0xbc, A: 0xff}, // "#bcbcbc"
+	251: {R: 0xc6, G: 0xc6, B: 0xc6, A: 0xff}, // "#c6c6c6"
+	252: {R: 0xd0, G: 0xd0, B: 0xd0, A: 0xff}, // "#d0d0d0"
+	253: {R: 0xda, G: 0xda, B: 0xda, A: 0xff}, // "#dadada"
+	254: {R: 0xe4, G: 0xe4, B: 0xe4, A: 0xff}, // "#e4e4e4"
+	255: {R: 0xee, G: 0xee, B: 0xee, A: 0xff}, // "#eeeeee"
+}
+
+var ansi256To16 = [...]BasicColor{
+	0:   0,
+	1:   1,
+	2:   2,
+	3:   3,
+	4:   4,
+	5:   5,
+	6:   6,
+	7:   7,
+	8:   8,
+	9:   9,
+	10:  10,
+	11:  11,
+	12:  12,
+	13:  13,
+	14:  14,
+	15:  15,
+	16:  0,
+	17:  4,
+	18:  4,
+	19:  4,
+	20:  12,
+	21:  12,
+	22:  2,
+	23:  6,
+	24:  4,
+	25:  4,
+	26:  12,
+	27:  12,
+	28:  2,
+	29:  2,
+	30:  6,
+	31:  4,
+	32:  12,
+	33:  12,
+	34:  2,
+	35:  2,
+	36:  2,
+	37:  6,
+	38:  12,
+	39:  12,
+	40:  10,
+	41:  10,
+	42:  10,
+	43:  10,
+	44:  14,
+	45:  12,
+	46:  10,
+	47:  10,
+	48:  10,
+	49:  10,
+	50:  10,
+	51:  14,
+	52:  1,
+	53:  5,
+	54:  4,
+	55:  4,
+	56:  12,
+	57:  12,
+	58:  3,
+	59:  8,
+	60:  4,
+	61:  4,
+	62:  12,
+	63:  12,
+	64:  2,
+	65:  2,
+	66:  6,
+	67:  4,
+	68:  12,
+	69:  12,
+	70:  2,
+	71:  2,
+	72:  2,
+	73:  6,
+	74:  12,
+	75:  12,
+	76:  10,
+	77:  10,
+	78:  10,
+	79:  10,
+	80:  14,
+	81:  12,
+	82:  10,
+	83:  10,
+	84:  10,
+	85:  10,
+	86:  10,
+	87:  14,
+	88:  1,
+	89:  1,
+	90:  5,
+	91:  4,
+	92:  12,
+	93:  12,
+	94:  1,
+	95:  1,
+	96:  5,
+	97:  4,
+	98:  12,
+	99:  12,
+	100: 3,
+	101: 3,
+	102: 8,
+	103: 4,
+	104: 12,
+	105: 12,
+	106: 2,
+	107: 2,
+	108: 2,
+	109: 6,
+	110: 12,
+	111: 12,
+	112: 10,
+	113: 10,
+	114: 10,
+	115: 10,
+	116: 14,
+	117: 12,
+	118: 10,
+	119: 10,
+	120: 10,
+	121: 10,
+	122: 10,
+	123: 14,
+	124: 1,
+	125: 1,
+	126: 1,
+	127: 5,
+	128: 12,
+	129: 12,
+	130: 1,
+	131: 1,
+	132: 1,
+	133: 5,
+	134: 12,
+	135: 12,
+	136: 1,
+	137: 1,
+	138: 1,
+	139: 5,
+	140: 12,
+	141: 12,
+	142: 3,
+	143: 3,
+	144: 3,
+	145: 7,
+	146: 12,
+	147: 12,
+	148: 10,
+	149: 10,
+	150: 10,
+	151: 10,
+	152: 14,
+	153: 12,
+	154: 10,
+	155: 10,
+	156: 10,
+	157: 10,
+	158: 10,
+	159: 14,
+	160: 9,
+	161: 9,
+	162: 9,
+	163: 9,
+	164: 13,
+	165: 12,
+	166: 9,
+	167: 9,
+	168: 9,
+	169: 9,
+	170: 13,
+	171: 12,
+	172: 9,
+	173: 9,
+	174: 9,
+	175: 9,
+	176: 13,
+	177: 12,
+	178: 9,
+	179: 9,
+	180: 9,
+	181: 9,
+	182: 13,
+	183: 12,
+	184: 11,
+	185: 11,
+	186: 11,
+	187: 11,
+	188: 7,
+	189: 12,
+	190: 10,
+	191: 10,
+	192: 10,
+	193: 10,
+	194: 10,
+	195: 14,
+	196: 9,
+	197: 9,
+	198: 9,
+	199: 9,
+	200: 9,
+	201: 13,
+	202: 9,
+	203: 9,
+	204: 9,
+	205: 9,
+	206: 9,
+	207: 13,
+	208: 9,
+	209: 9,
+	210: 9,
+	211: 9,
+	212: 9,
+	213: 13,
+	214: 9,
+	215: 9,
+	216: 9,
+	217: 9,
+	218: 9,
+	219: 13,
+	220: 9,
+	221: 9,
+	222: 9,
+	223: 9,
+	224: 9,
+	225: 13,
+	226: 11,
+	227: 11,
+	228: 11,
+	229: 11,
+	230: 11,
+	231: 15,
+	232: 0,
+	233: 0,
+	234: 0,
+	235: 0,
+	236: 0,
+	237: 0,
+	238: 8,
+	239: 8,
+	240: 8,
+	241: 8,
+	242: 8,
+	243: 8,
+	244: 7,
+	245: 7,
+	246: 7,
+	247: 7,
+	248: 7,
+	249: 7,
+	250: 15,
+	251: 15,
+	252: 15,
+	253: 15,
+	254: 15,
+	255: 15,
+}
diff --git a/vendor/github.com/charmbracelet/x/ansi/ctrl.go b/vendor/github.com/charmbracelet/x/ansi/ctrl.go
index 8ca744cf..64bcf113 100644
--- a/vendor/github.com/charmbracelet/x/ansi/ctrl.go
+++ b/vendor/github.com/charmbracelet/x/ansi/ctrl.go
@@ -38,6 +38,25 @@ const RequestXTVersion = RequestNameVersion
 // If no attributes are given, or if the attribute is 0, this function returns
 // the request sequence. Otherwise, it returns the response sequence.
 //
+// Common attributes include:
+//   - 1	132 columns
+//   - 2	Printer port
+//   - 4	Sixel
+//   - 6	Selective erase
+//   - 7	Soft character set (DRCS)
+//   - 8	User-defined keys (UDKs)
+//   - 9	National replacement character sets (NRCS) (International terminal only)
+//   - 12	Yugoslavian (SCS)
+//   - 15	Technical character set
+//   - 18	Windowing capability
+//   - 21	Horizontal scrolling
+//   - 23	Greek
+//   - 24	Turkish
+//   - 42	ISO Latin-2 character set
+//   - 44	PCTerm
+//   - 45	Soft key map
+//   - 46	ASCII emulation
+//
 // See https://vt100.net/docs/vt510-rm/DA1.html
 func PrimaryDeviceAttributes(attrs ...int) string {
 	if len(attrs) == 0 {
diff --git a/vendor/github.com/charmbracelet/x/ansi/cursor.go b/vendor/github.com/charmbracelet/x/ansi/cursor.go
index 0c364d60..4adf6896 100644
--- a/vendor/github.com/charmbracelet/x/ansi/cursor.go
+++ b/vendor/github.com/charmbracelet/x/ansi/cursor.go
@@ -1,6 +1,8 @@
 package ansi
 
-import "strconv"
+import (
+	"strconv"
+)
 
 // SaveCursor (DECSC) is an escape sequence that saves the current cursor
 // position.
@@ -260,7 +262,7 @@ func CHA(col int) string {
 // See: https://vt100.net/docs/vt510-rm/CUP.html
 func CursorPosition(col, row int) string {
 	if row <= 0 && col <= 0 {
-		return HomeCursorPosition
+		return CursorHomePosition
 	}
 
 	var r, c string
@@ -356,8 +358,8 @@ func CHT(n int) string {
 	return CursorHorizontalForwardTab(n)
 }
 
-// EraseCharacter (ECH) returns a sequence for erasing n characters and moving
-// the cursor to the right. This doesn't affect other cell attributes.
+// EraseCharacter (ECH) returns a sequence for erasing n characters from the
+// screen. This doesn't affect other cell attributes.
 //
 // Default is 1.
 //
@@ -589,7 +591,7 @@ const ReverseIndex = "\x1bM"
 //
 // Default is 1.
 //
-//	CSI n `
+//	CSI n \`
 //
 // See: https://vt100.net/docs/vt510-rm/HPA.html
 func HorizontalPositionAbsolute(col int) string {
diff --git a/vendor/github.com/charmbracelet/x/ansi/finalterm.go b/vendor/github.com/charmbracelet/x/ansi/finalterm.go
new file mode 100644
index 00000000..2c283472
--- /dev/null
+++ b/vendor/github.com/charmbracelet/x/ansi/finalterm.go
@@ -0,0 +1,67 @@
+package ansi
+
+import "strings"
+
+// FinalTerm returns an escape sequence that is used for shell integrations.
+// Originally, FinalTerm designed the protocol hence the name.
+//
+//	OSC 133 ; Ps ; Pm ST
+//	OSC 133 ; Ps ; Pm BEL
+//
+// See: https://iterm2.com/documentation-shell-integration.html
+func FinalTerm(pm ...string) string {
+	return "\x1b]133;" + strings.Join(pm, ";") + "\x07"
+}
+
+// FinalTermPrompt returns an escape sequence that is used for shell
+// integrations prompt marks. This is sent just before the start of the shell
+// prompt.
+//
+// This is an alias for FinalTerm("A").
+func FinalTermPrompt(pm ...string) string {
+	if len(pm) == 0 {
+		return FinalTerm("A")
+	}
+	return FinalTerm(append([]string{"A"}, pm...)...)
+}
+
+// FinalTermCmdStart returns an escape sequence that is used for shell
+// integrations command start marks. This is sent just after the end of the
+// shell prompt, before the user enters a command.
+//
+// This is an alias for FinalTerm("B").
+func FinalTermCmdStart(pm ...string) string {
+	if len(pm) == 0 {
+		return FinalTerm("B")
+	}
+	return FinalTerm(append([]string{"B"}, pm...)...)
+}
+
+// FinalTermCmdExecuted returns an escape sequence that is used for shell
+// integrations command executed marks. This is sent just before the start of
+// the command output.
+//
+// This is an alias for FinalTerm("C").
+func FinalTermCmdExecuted(pm ...string) string {
+	if len(pm) == 0 {
+		return FinalTerm("C")
+	}
+	return FinalTerm(append([]string{"C"}, pm...)...)
+}
+
+// FinalTermCmdFinished returns an escape sequence that is used for shell
+// integrations command finished marks.
+//
+// If the command was sent after
+// [FinalTermCmdStart], it indicates that the command was aborted. If the
+// command was sent after [FinalTermCmdExecuted], it indicates the end of the
+// command output. If neither was sent, [FinalTermCmdFinished] should be
+// ignored.
+//
+// This is an alias for FinalTerm("D").
+func FinalTermCmdFinished(pm ...string) string {
+	if len(pm) == 0 {
+		return FinalTerm("D")
+	}
+	return FinalTerm(append([]string{"D"}, pm...)...)
+}
diff --git a/vendor/github.com/charmbracelet/x/ansi/graphics.go b/vendor/github.com/charmbracelet/x/ansi/graphics.go
index 604fef47..d4a693b7 100644
--- a/vendor/github.com/charmbracelet/x/ansi/graphics.go
+++ b/vendor/github.com/charmbracelet/x/ansi/graphics.go
@@ -2,17 +2,47 @@ package ansi
 
 import (
 	"bytes"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"image"
-	"io"
-	"os"
+	"strconv"
 	"strings"
-
-	"github.com/charmbracelet/x/ansi/kitty"
 )
 
+// SixelGraphics returns a sequence that encodes the given sixel image payload to
+// a DCS sixel sequence.
+//
+//	DCS p1; p2; p3; q [sixel payload] ST
+//
+// p1 = pixel aspect ratio, deprecated and replaced by pixel metrics in the payload
+//
+// p2 = This is supposed to be 0 for transparency, but terminals don't seem to
+// to use it properly. Value 0 leaves an unsightly black bar on all terminals
+// I've tried and looks correct with value 1.
+//
+// p3 = Horizontal grid size parameter. Everyone ignores this and uses a fixed grid
+// size, as far as I can tell.
+//
+// See https://shuford.invisible-island.net/all_about_sixels.txt
+func SixelGraphics(p1, p2, p3 int, payload []byte) string {
+	var buf bytes.Buffer
+
+	buf.WriteString("\x1bP")
+	if p1 >= 0 {
+		buf.WriteString(strconv.Itoa(p1))
+	}
+	buf.WriteByte(';')
+	if p2 >= 0 {
+		buf.WriteString(strconv.Itoa(p2))
+	}
+	if p3 > 0 {
+		buf.WriteByte(';')
+		buf.WriteString(strconv.Itoa(p3))
+	}
+	buf.WriteByte('q')
+	buf.Write(payload)
+	buf.WriteString("\x1b\\")
+
+	return buf.String()
+}
+
 // KittyGraphics returns a sequence that encodes the given image in the Kitty
 // graphics protocol.
 //
@@ -30,170 +60,3 @@ func KittyGraphics(payload []byte, opts ...string) string {
 	buf.WriteString("\x1b\\")
 	return buf.String()
 }
-
-var (
-	// KittyGraphicsTempDir is the directory where temporary files are stored.
-	// This is used in [WriteKittyGraphics] along with [os.CreateTemp].
-	KittyGraphicsTempDir = ""
-
-	// KittyGraphicsTempPattern is the pattern used to create temporary files.
-	// This is used in [WriteKittyGraphics] along with [os.CreateTemp].
-	// The Kitty Graphics protocol requires the file path to contain the
-	// substring "tty-graphics-protocol".
-	KittyGraphicsTempPattern = "tty-graphics-protocol-*"
-)
-
-// WriteKittyGraphics writes an image using the Kitty Graphics protocol with
-// the given options to w. It chunks the written data if o.Chunk is true.
-//
-// You can omit m and use nil when rendering an image from a file. In this
-// case, you must provide a file path in o.File and use o.Transmission =
-// [kitty.File]. You can also use o.Transmission = [kitty.TempFile] to write
-// the image to a temporary file. In that case, the file path is ignored, and
-// the image is written to a temporary file that is automatically deleted by
-// the terminal.
-//
-// See https://sw.kovidgoyal.net/kitty/graphics-protocol/
-func WriteKittyGraphics(w io.Writer, m image.Image, o *kitty.Options) error {
-	if o == nil {
-		o = &kitty.Options{}
-	}
-
-	if o.Transmission == 0 && len(o.File) != 0 {
-		o.Transmission = kitty.File
-	}
-
-	var data bytes.Buffer // the data to be encoded into base64
-	e := &kitty.Encoder{
-		Compress: o.Compression == kitty.Zlib,
-		Format:   o.Format,
-	}
-
-	switch o.Transmission {
-	case kitty.Direct:
-		if err := e.Encode(&data, m); err != nil {
-			return fmt.Errorf("failed to encode direct image: %w", err)
-		}
-
-	case kitty.SharedMemory:
-		// TODO: Implement shared memory
-		return fmt.Errorf("shared memory transmission is not yet implemented")
-
-	case kitty.File:
-		if len(o.File) == 0 {
-			return kitty.ErrMissingFile
-		}
-
-		f, err := os.Open(o.File)
-		if err != nil {
-			return fmt.Errorf("failed to open file: %w", err)
-		}
-
-		defer f.Close() //nolint:errcheck
-
-		stat, err := f.Stat()
-		if err != nil {
-			return fmt.Errorf("failed to get file info: %w", err)
-		}
-
-		mode := stat.Mode()
-		if !mode.IsRegular() {
-			return fmt.Errorf("file is not a regular file")
-		}
-
-		// Write the file path to the buffer
-		if _, err := data.WriteString(f.Name()); err != nil {
-			return fmt.Errorf("failed to write file path to buffer: %w", err)
-		}
-
-	case kitty.TempFile:
-		f, err := os.CreateTemp(KittyGraphicsTempDir, KittyGraphicsTempPattern)
-		if err != nil {
-			return fmt.Errorf("failed to create file: %w", err)
-		}
-
-		defer f.Close() //nolint:errcheck
-
-		if err := e.Encode(f, m); err != nil {
-			return fmt.Errorf("failed to encode image to file: %w", err)
-		}
-
-		// Write the file path to the buffer
-		if _, err := data.WriteString(f.Name()); err != nil {
-			return fmt.Errorf("failed to write file path to buffer: %w", err)
-		}
-	}
-
-	// Encode image to base64
-	var payload bytes.Buffer // the base64 encoded image to be written to w
-	b64 := base64.NewEncoder(base64.StdEncoding, &payload)
-	if _, err := data.WriteTo(b64); err != nil {
-		return fmt.Errorf("failed to write base64 encoded image to payload: %w", err)
-	}
-	if err := b64.Close(); err != nil {
-		return err
-	}
-
-	// If not chunking, write all at once
-	if !o.Chunk {
-		_, err := io.WriteString(w, KittyGraphics(payload.Bytes(), o.Options()...))
-		return err
-	}
-
-	// Write in chunks
-	var (
-		err error
-		n   int
-	)
-	chunk := make([]byte, kitty.MaxChunkSize)
-	isFirstChunk := true
-
-	for {
-		// Stop if we read less than the chunk size [kitty.MaxChunkSize].
-		n, err = io.ReadFull(&payload, chunk)
-		if errors.Is(err, io.ErrUnexpectedEOF) || errors.Is(err, io.EOF) {
-			break
-		}
-		if err != nil {
-			return fmt.Errorf("failed to read chunk: %w", err)
-		}
-
-		opts := buildChunkOptions(o, isFirstChunk, false)
-		if _, err := io.WriteString(w, KittyGraphics(chunk[:n], opts...)); err != nil {
-			return err
-		}
-
-		isFirstChunk = false
-	}
-
-	// Write the last chunk
-	opts := buildChunkOptions(o, isFirstChunk, true)
-	_, err = io.WriteString(w, KittyGraphics(chunk[:n], opts...))
-	return err
-}
-
-// buildChunkOptions creates the options slice for a chunk
-func buildChunkOptions(o *kitty.Options, isFirstChunk, isLastChunk bool) []string {
-	var opts []string
-	if isFirstChunk {
-		opts = o.Options()
-	} else {
-		// These options are allowed in subsequent chunks
-		if o.Quite > 0 {
-			opts = append(opts, fmt.Sprintf("q=%d", o.Quite))
-		}
-		if o.Action == kitty.Frame {
-			opts = append(opts, "a=f")
-		}
-	}
-
-	if !isFirstChunk || !isLastChunk {
-		// We don't need to encode the (m=) option when we only have one chunk.
-		if isLastChunk {
-			opts = append(opts, "m=0")
-		} else {
-			opts = append(opts, "m=1")
-		}
-	}
-	return opts
-}
diff --git a/vendor/github.com/charmbracelet/x/ansi/kitty/decoder.go b/vendor/github.com/charmbracelet/x/ansi/kitty/decoder.go
deleted file mode 100644
index fbd08441..00000000
--- a/vendor/github.com/charmbracelet/x/ansi/kitty/decoder.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package kitty
-
-import (
-	"compress/zlib"
-	"fmt"
-	"image"
-	"image/color"
-	"image/png"
-	"io"
-)
-
-// Decoder is a decoder for the Kitty graphics protocol. It supports decoding
-// images in the 24-bit [RGB], 32-bit [RGBA], and [PNG] formats. It can also
-// decompress data using zlib.
-// The default format is 32-bit [RGBA].
-type Decoder struct {
-	// Uses zlib decompression.
-	Decompress bool
-
-	// Can be one of [RGB], [RGBA], or [PNG].
-	Format int
-
-	// Width of the image in pixels. This can be omitted if the image is [PNG]
-	// formatted.
-	Width int
-
-	// Height of the image in pixels. This can be omitted if the image is [PNG]
-	// formatted.
-	Height int
-}
-
-// Decode decodes the image data from r in the specified format.
-func (d *Decoder) Decode(r io.Reader) (image.Image, error) {
-	if d.Decompress {
-		zr, err := zlib.NewReader(r)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create zlib reader: %w", err)
-		}
-
-		defer zr.Close() //nolint:errcheck
-		r = zr
-	}
-
-	if d.Format == 0 {
-		d.Format = RGBA
-	}
-
-	switch d.Format {
-	case RGBA, RGB:
-		return d.decodeRGBA(r, d.Format == RGBA)
-
-	case PNG:
-		return png.Decode(r)
-
-	default:
-		return nil, fmt.Errorf("unsupported format: %d", d.Format)
-	}
-}
-
-// decodeRGBA decodes the image data in 32-bit RGBA or 24-bit RGB formats.
-func (d *Decoder) decodeRGBA(r io.Reader, alpha bool) (image.Image, error) {
-	m := image.NewRGBA(image.Rect(0, 0, d.Width, d.Height))
-
-	var buf []byte
-	if alpha {
-		buf = make([]byte, 4)
-	} else {
-		buf = make([]byte, 3)
-	}
-
-	for y := 0; y < d.Height; y++ {
-		for x := 0; x < d.Width; x++ {
-			if _, err := io.ReadFull(r, buf[:]); err != nil {
-				return nil, fmt.Errorf("failed to read pixel data: %w", err)
-			}
-			if alpha {
-				m.SetRGBA(x, y, color.RGBA{buf[0], buf[1], buf[2], buf[3]})
-			} else {
-				m.SetRGBA(x, y, color.RGBA{buf[0], buf[1], buf[2], 0xff})
-			}
-		}
-	}
-
-	return m, nil
-}
diff --git a/vendor/github.com/charmbracelet/x/ansi/kitty/encoder.go b/vendor/github.com/charmbracelet/x/ansi/kitty/encoder.go
deleted file mode 100644
index f668b9e3..00000000
--- a/vendor/github.com/charmbracelet/x/ansi/kitty/encoder.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package kitty
-
-import (
-	"compress/zlib"
-	"fmt"
-	"image"
-	"image/png"
-	"io"
-)
-
-// Encoder is an encoder for the Kitty graphics protocol. It supports encoding
-// images in the 24-bit [RGB], 32-bit [RGBA], and [PNG] formats, and
-// compressing the data using zlib.
-// The default format is 32-bit [RGBA].
-type Encoder struct {
-	// Uses zlib compression.
-	Compress bool
-
-	// Can be one of [RGBA], [RGB], or [PNG].
-	Format int
-}
-
-// Encode encodes the image data in the specified format and writes it to w.
-func (e *Encoder) Encode(w io.Writer, m image.Image) error {
-	if m == nil {
-		return nil
-	}
-
-	if e.Compress {
-		zw := zlib.NewWriter(w)
-		defer zw.Close() //nolint:errcheck
-		w = zw
-	}
-
-	if e.Format == 0 {
-		e.Format = RGBA
-	}
-
-	switch e.Format {
-	case RGBA, RGB:
-		bounds := m.Bounds()
-		for y := bounds.Min.Y; y < bounds.Max.Y; y++ {
-			for x := bounds.Min.X; x < bounds.Max.X; x++ {
-				r, g, b, a := m.At(x, y).RGBA()
-				switch e.Format {
-				case RGBA:
-					w.Write([]byte{byte(r >> 8), byte(g >> 8), byte(b >> 8), byte(a >> 8)}) //nolint:errcheck
-				case RGB:
-					w.Write([]byte{byte(r >> 8), byte(g >> 8), byte(b >> 8)}) //nolint:errcheck
-				}
-			}
-		}
-
-	case PNG:
-		if err := png.Encode(w, m); err != nil {
-			return fmt.Errorf("failed to encode PNG: %w", err)
-		}
-
-	default:
-		return fmt.Errorf("unsupported format: %d", e.Format)
-	}
-
-	return nil
-}
diff --git a/vendor/github.com/charmbracelet/x/ansi/kitty/graphics.go b/vendor/github.com/charmbracelet/x/ansi/kitty/graphics.go
deleted file mode 100644
index 490e7a8a..00000000
--- a/vendor/github.com/charmbracelet/x/ansi/kitty/graphics.go
+++ /dev/null
@@ -1,414 +0,0 @@
-package kitty
-
-import "errors"
-
-// ErrMissingFile is returned when the file path is missing.
-var ErrMissingFile = errors.New("missing file path")
-
-// MaxChunkSize is the maximum chunk size for the image data.
-const MaxChunkSize = 1024 * 4
-
-// Placeholder is a special Unicode character that can be used as a placeholder
-// for an image.
-const Placeholder = '\U0010EEEE'
-
-// Graphics image format.
-const (
-	// 32-bit RGBA format.
-	RGBA = 32
-
-	// 24-bit RGB format.
-	RGB = 24
-
-	// PNG format.
-	PNG = 100
-)
-
-// Compression types.
-const (
-	Zlib = 'z'
-)
-
-// Transmission types.
-const (
-	// The data transmitted directly in the escape sequence.
-	Direct = 'd'
-
-	// The data transmitted in a regular file.
-	File = 'f'
-
-	// A temporary file is used and deleted after transmission.
-	TempFile = 't'
-
-	// A shared memory object.
-	// For POSIX see https://pubs.opengroup.org/onlinepubs/9699919799/functions/shm_open.html
-	// For Windows see https://docs.microsoft.com/en-us/windows/win32/memory/creating-named-shared-memory
-	SharedMemory = 's'
-)
-
-// Action types.
-const (
-	// Transmit image data.
-	Transmit = 't'
-	// TransmitAndPut transmit image data and display (put) it.
-	TransmitAndPut = 'T'
-	// Query terminal for image info.
-	Query = 'q'
-	// Put (display) previously transmitted image.
-	Put = 'p'
-	// Delete image.
-	Delete = 'd'
-	// Frame transmits data for animation frames.
-	Frame = 'f'
-	// Animate controls animation.
-	Animate = 'a'
-	// Compose composes animation frames.
-	Compose = 'c'
-)
-
-// Delete types.
-const (
-	// Delete all placements visible on screen
-	DeleteAll = 'a'
-	// Delete all images with the specified id, specified using the i key. If
-	// you specify a p key for the placement id as well, then only the
-	// placement with the specified image id and placement id will be deleted.
-	DeleteID = 'i'
-	// Delete newest image with the specified number, specified using the I
-	// key. If you specify a p key for the placement id as well, then only the
-	// placement with the specified number and placement id will be deleted.
-	DeleteNumber = 'n'
-	// Delete all placements that intersect with the current cursor position.
-	DeleteCursor = 'c'
-	// Delete animation frames.
-	DeleteFrames = 'f'
-	// Delete all placements that intersect a specific cell, the cell is
-	// specified using the x and y keys
-	DeleteCell = 'p'
-	// Delete all placements that intersect a specific cell having a specific
-	// z-index. The cell and z-index is specified using the x, y and z keys.
-	DeleteCellZ = 'q'
-	// Delete all images whose id is greater than or equal to the value of the x
-	// key and less than or equal to the value of the y.
-	DeleteRange = 'r'
-	// Delete all placements that intersect the specified column, specified using
-	// the x key.
-	DeleteColumn = 'x'
-	// Delete all placements that intersect the specified row, specified using
-	// the y key.
-	DeleteRow = 'y'
-	// Delete all placements that have the specified z-index, specified using the
-	// z key.
-	DeleteZ = 'z'
-)
-
-// Diacritic returns the diacritic rune at the specified index. If the index is
-// out of bounds, the first diacritic rune is returned.
-func Diacritic(i int) rune {
-	if i < 0 || i >= len(diacritics) {
-		return diacritics[0]
-	}
-	return diacritics[i]
-}
-
-// From https://sw.kovidgoyal.net/kitty/_downloads/f0a0de9ec8d9ff4456206db8e0814937/rowcolumn-diacritics.txt
-// See https://sw.kovidgoyal.net/kitty/graphics-protocol/#unicode-placeholders for further explanation.
-var diacritics = []rune{
-	'\u0305',
-	'\u030D',
-	'\u030E',
-	'\u0310',
-	'\u0312',
-	'\u033D',
-	'\u033E',
-	'\u033F',
-	'\u0346',
-	'\u034A',
-	'\u034B',
-	'\u034C',
-	'\u0350',
-	'\u0351',
-	'\u0352',
-	'\u0357',
-	'\u035B',
-	'\u0363',
-	'\u0364',
-	'\u0365',
-	'\u0366',
-	'\u0367',
-	'\u0368',
-	'\u0369',
-	'\u036A',
-	'\u036B',
-	'\u036C',
-	'\u036D',
-	'\u036E',
-	'\u036F',
-	'\u0483',
-	'\u0484',
-	'\u0485',
-	'\u0486',
-	'\u0487',
-	'\u0592',
-	'\u0593',
-	'\u0594',
-	'\u0595',
-	'\u0597',
-	'\u0598',
-	'\u0599',
-	'\u059C',
-	'\u059D',
-	'\u059E',
-	'\u059F',
-	'\u05A0',
-	'\u05A1',
-	'\u05A8',
-	'\u05A9',
-	'\u05AB',
-	'\u05AC',
-	'\u05AF',
-	'\u05C4',
-	'\u0610',
-	'\u0611',
-	'\u0612',
-	'\u0613',
-	'\u0614',
-	'\u0615',
-	'\u0616',
-	'\u0617',
-	'\u0657',
-	'\u0658',
-	'\u0659',
-	'\u065A',
-	'\u065B',
-	'\u065D',
-	'\u065E',
-	'\u06D6',
-	'\u06D7',
-	'\u06D8',
-	'\u06D9',
-	'\u06DA',
-	'\u06DB',
-	'\u06DC',
-	'\u06DF',
-	'\u06E0',
-	'\u06E1',
-	'\u06E2',
-	'\u06E4',
-	'\u06E7',
-	'\u06E8',
-	'\u06EB',
-	'\u06EC',
-	'\u0730',
-	'\u0732',
-	'\u0733',
-	'\u0735',
-	'\u0736',
-	'\u073A',
-	'\u073D',
-	'\u073F',
-	'\u0740',
-	'\u0741',
-	'\u0743',
-	'\u0745',
-	'\u0747',
-	'\u0749',
-	'\u074A',
-	'\u07EB',
-	'\u07EC',
-	'\u07ED',
-	'\u07EE',
-	'\u07EF',
-	'\u07F0',
-	'\u07F1',
-	'\u07F3',
-	'\u0816',
-	'\u0817',
-	'\u0818',
-	'\u0819',
-	'\u081B',
-	'\u081C',
-	'\u081D',
-	'\u081E',
-	'\u081F',
-	'\u0820',
-	'\u0821',
-	'\u0822',
-	'\u0823',
-	'\u0825',
-	'\u0826',
-	'\u0827',
-	'\u0829',
-	'\u082A',
-	'\u082B',
-	'\u082C',
-	'\u082D',
-	'\u0951',
-	'\u0953',
-	'\u0954',
-	'\u0F82',
-	'\u0F83',
-	'\u0F86',
-	'\u0F87',
-	'\u135D',
-	'\u135E',
-	'\u135F',
-	'\u17DD',
-	'\u193A',
-	'\u1A17',
-	'\u1A75',
-	'\u1A76',
-	'\u1A77',
-	'\u1A78',
-	'\u1A79',
-	'\u1A7A',
-	'\u1A7B',
-	'\u1A7C',
-	'\u1B6B',
-	'\u1B6D',
-	'\u1B6E',
-	'\u1B6F',
-	'\u1B70',
-	'\u1B71',
-	'\u1B72',
-	'\u1B73',
-	'\u1CD0',
-	'\u1CD1',
-	'\u1CD2',
-	'\u1CDA',
-	'\u1CDB',
-	'\u1CE0',
-	'\u1DC0',
-	'\u1DC1',
-	'\u1DC3',
-	'\u1DC4',
-	'\u1DC5',
-	'\u1DC6',
-	'\u1DC7',
-	'\u1DC8',
-	'\u1DC9',
-	'\u1DCB',
-	'\u1DCC',
-	'\u1DD1',
-	'\u1DD2',
-	'\u1DD3',
-	'\u1DD4',
-	'\u1DD5',
-	'\u1DD6',
-	'\u1DD7',
-	'\u1DD8',
-	'\u1DD9',
-	'\u1DDA',
-	'\u1DDB',
-	'\u1DDC',
-	'\u1DDD',
-	'\u1DDE',
-	'\u1DDF',
-	'\u1DE0',
-	'\u1DE1',
-	'\u1DE2',
-	'\u1DE3',
-	'\u1DE4',
-	'\u1DE5',
-	'\u1DE6',
-	'\u1DFE',
-	'\u20D0',
-	'\u20D1',
-	'\u20D4',
-	'\u20D5',
-	'\u20D6',
-	'\u20D7',
-	'\u20DB',
-	'\u20DC',
-	'\u20E1',
-	'\u20E7',
-	'\u20E9',
-	'\u20F0',
-	'\u2CEF',
-	'\u2CF0',
-	'\u2CF1',
-	'\u2DE0',
-	'\u2DE1',
-	'\u2DE2',
-	'\u2DE3',
-	'\u2DE4',
-	'\u2DE5',
-	'\u2DE6',
-	'\u2DE7',
-	'\u2DE8',
-	'\u2DE9',
-	'\u2DEA',
-	'\u2DEB',
-	'\u2DEC',
-	'\u2DED',
-	'\u2DEE',
-	'\u2DEF',
-	'\u2DF0',
-	'\u2DF1',
-	'\u2DF2',
-	'\u2DF3',
-	'\u2DF4',
-	'\u2DF5',
-	'\u2DF6',
-	'\u2DF7',
-	'\u2DF8',
-	'\u2DF9',
-	'\u2DFA',
-	'\u2DFB',
-	'\u2DFC',
-	'\u2DFD',
-	'\u2DFE',
-	'\u2DFF',
-	'\uA66F',
-	'\uA67C',
-	'\uA67D',
-	'\uA6F0',
-	'\uA6F1',
-	'\uA8E0',
-	'\uA8E1',
-	'\uA8E2',
-	'\uA8E3',
-	'\uA8E4',
-	'\uA8E5',
-	'\uA8E6',
-	'\uA8E7',
-	'\uA8E8',
-	'\uA8E9',
-	'\uA8EA',
-	'\uA8EB',
-	'\uA8EC',
-	'\uA8ED',
-	'\uA8EE',
-	'\uA8EF',
-	'\uA8F0',
-	'\uA8F1',
-	'\uAAB0',
-	'\uAAB2',
-	'\uAAB3',
-	'\uAAB7',
-	'\uAAB8',
-	'\uAABE',
-	'\uAABF',
-	'\uAAC1',
-	'\uFE20',
-	'\uFE21',
-	'\uFE22',
-	'\uFE23',
-	'\uFE24',
-	'\uFE25',
-	'\uFE26',
-	'\U00010A0F',
-	'\U00010A38',
-	'\U0001D185',
-	'\U0001D186',
-	'\U0001D187',
-	'\U0001D188',
-	'\U0001D189',
-	'\U0001D1AA',
-	'\U0001D1AB',
-	'\U0001D1AC',
-	'\U0001D1AD',
-	'\U0001D242',
-	'\U0001D243',
-	'\U0001D244',
-}
diff --git a/vendor/github.com/charmbracelet/x/ansi/kitty/options.go b/vendor/github.com/charmbracelet/x/ansi/kitty/options.go
deleted file mode 100644
index a8d907bd..00000000
--- a/vendor/github.com/charmbracelet/x/ansi/kitty/options.go
+++ /dev/null
@@ -1,367 +0,0 @@
-package kitty
-
-import (
-	"encoding"
-	"fmt"
-	"strconv"
-	"strings"
-)
-
-var (
-	_ encoding.TextMarshaler   = Options{}
-	_ encoding.TextUnmarshaler = &Options{}
-)
-
-// Options represents a Kitty Graphics Protocol options.
-type Options struct {
-	// Common options.
-
-	// Action (a=t) is the action to be performed on the image. Can be one of
-	// [Transmit], [TransmitDisplay], [Query], [Put], [Delete], [Frame],
-	// [Animate], [Compose].
-	Action byte
-
-	// Quite mode (q=0) is the quiet mode. Can be either zero, one, or two
-	// where zero is the default, 1 suppresses OK responses, and 2 suppresses
-	// both OK and error responses.
-	Quite byte
-
-	// Transmission options.
-
-	// ID (i=) is the image ID. The ID is a unique identifier for the image.
-	// Must be a positive integer up to [math.MaxUint32].
-	ID int
-
-	// PlacementID (p=) is the placement ID. The placement ID is a unique
-	// identifier for the placement of the image. Must be a positive integer up
-	// to [math.MaxUint32].
-	PlacementID int
-
-	// Number (I=0) is the number of images to be transmitted.
-	Number int
-
-	// Format (f=32) is the image format. One of [RGBA], [RGB], [PNG].
-	Format int
-
-	// ImageWidth (s=0) is the transmitted image width.
-	ImageWidth int
-
-	// ImageHeight (v=0) is the transmitted image height.
-	ImageHeight int
-
-	// Compression (o=) is the image compression type. Can be [Zlib] or zero.
-	Compression byte
-
-	// Transmission (t=d) is the image transmission type. Can be [Direct], [File],
-	// [TempFile], or[SharedMemory].
-	Transmission byte
-
-	// File is the file path to be used when the transmission type is [File].
-	// If [Options.Transmission] is omitted i.e. zero and this is non-empty,
-	// the transmission type is set to [File].
-	File string
-
-	// Size (S=0) is the size to be read from the transmission medium.
-	Size int
-
-	// Offset (O=0) is the offset byte to start reading from the transmission
-	// medium.
-	Offset int
-
-	// Chunk (m=) whether the image is transmitted in chunks. Can be either
-	// zero or one. When true, the image is transmitted in chunks. Each chunk
-	// must be a multiple of 4, and up to [MaxChunkSize] bytes. Each chunk must
-	// have the m=1 option except for the last chunk which must have m=0.
-	Chunk bool
-
-	// Display options.
-
-	// X (x=0) is the pixel X coordinate of the image to start displaying.
-	X int
-
-	// Y (y=0) is the pixel Y coordinate of the image to start displaying.
-	Y int
-
-	// Z (z=0) is the Z coordinate of the image to display.
-	Z int
-
-	// Width (w=0) is the width of the image to display.
-	Width int
-
-	// Height (h=0) is the height of the image to display.
-	Height int
-
-	// OffsetX (X=0) is the OffsetX coordinate of the cursor cell to start
-	// displaying the image. OffsetX=0 is the leftmost cell. This must be
-	// smaller than the terminal cell width.
-	OffsetX int
-
-	// OffsetY (Y=0) is the OffsetY coordinate of the cursor cell to start
-	// displaying the image. OffsetY=0 is the topmost cell. This must be
-	// smaller than the terminal cell height.
-	OffsetY int
-
-	// Columns (c=0) is the number of columns to display the image. The image
-	// will be scaled to fit the number of columns.
-	Columns int
-
-	// Rows (r=0) is the number of rows to display the image. The image will be
-	// scaled to fit the number of rows.
-	Rows int
-
-	// VirtualPlacement (U=0) whether to use virtual placement. This is used
-	// with Unicode [Placeholder] to display images.
-	VirtualPlacement bool
-
-	// DoNotMoveCursor (C=0) whether to move the cursor after displaying the
-	// image.
-	DoNotMoveCursor bool
-
-	// ParentID (P=0) is the parent image ID. The parent ID is the ID of the
-	// image that is the parent of the current image. This is used with Unicode
-	// [Placeholder] to display images relative to the parent image.
-	ParentID int
-
-	// ParentPlacementID (Q=0) is the parent placement ID. The parent placement
-	// ID is the ID of the placement of the parent image. This is used with
-	// Unicode [Placeholder] to display images relative to the parent image.
-	ParentPlacementID int
-
-	// Delete options.
-
-	// Delete (d=a) is the delete action. Can be one of [DeleteAll],
-	// [DeleteID], [DeleteNumber], [DeleteCursor], [DeleteFrames],
-	// [DeleteCell], [DeleteCellZ], [DeleteRange], [DeleteColumn], [DeleteRow],
-	// [DeleteZ].
-	Delete byte
-
-	// DeleteResources indicates whether to delete the resources associated
-	// with the image.
-	DeleteResources bool
-}
-
-// Options returns the options as a slice of a key-value pairs.
-func (o *Options) Options() (opts []string) {
-	opts = []string{}
-	if o.Format == 0 {
-		o.Format = RGBA
-	}
-
-	if o.Action == 0 {
-		o.Action = Transmit
-	}
-
-	if o.Delete == 0 {
-		o.Delete = DeleteAll
-	}
-
-	if o.Transmission == 0 {
-		if len(o.File) > 0 {
-			o.Transmission = File
-		} else {
-			o.Transmission = Direct
-		}
-	}
-
-	if o.Format != RGBA {
-		opts = append(opts, fmt.Sprintf("f=%d", o.Format))
-	}
-
-	if o.Quite > 0 {
-		opts = append(opts, fmt.Sprintf("q=%d", o.Quite))
-	}
-
-	if o.ID > 0 {
-		opts = append(opts, fmt.Sprintf("i=%d", o.ID))
-	}
-
-	if o.PlacementID > 0 {
-		opts = append(opts, fmt.Sprintf("p=%d", o.PlacementID))
-	}
-
-	if o.Number > 0 {
-		opts = append(opts, fmt.Sprintf("I=%d", o.Number))
-	}
-
-	if o.ImageWidth > 0 {
-		opts = append(opts, fmt.Sprintf("s=%d", o.ImageWidth))
-	}
-
-	if o.ImageHeight > 0 {
-		opts = append(opts, fmt.Sprintf("v=%d", o.ImageHeight))
-	}
-
-	if o.Transmission != Direct {
-		opts = append(opts, fmt.Sprintf("t=%c", o.Transmission))
-	}
-
-	if o.Size > 0 {
-		opts = append(opts, fmt.Sprintf("S=%d", o.Size))
-	}
-
-	if o.Offset > 0 {
-		opts = append(opts, fmt.Sprintf("O=%d", o.Offset))
-	}
-
-	if o.Compression == Zlib {
-		opts = append(opts, fmt.Sprintf("o=%c", o.Compression))
-	}
-
-	if o.VirtualPlacement {
-		opts = append(opts, "U=1")
-	}
-
-	if o.DoNotMoveCursor {
-		opts = append(opts, "C=1")
-	}
-
-	if o.ParentID > 0 {
-		opts = append(opts, fmt.Sprintf("P=%d", o.ParentID))
-	}
-
-	if o.ParentPlacementID > 0 {
-		opts = append(opts, fmt.Sprintf("Q=%d", o.ParentPlacementID))
-	}
-
-	if o.X > 0 {
-		opts = append(opts, fmt.Sprintf("x=%d", o.X))
-	}
-
-	if o.Y > 0 {
-		opts = append(opts, fmt.Sprintf("y=%d", o.Y))
-	}
-
-	if o.Z > 0 {
-		opts = append(opts, fmt.Sprintf("z=%d", o.Z))
-	}
-
-	if o.Width > 0 {
-		opts = append(opts, fmt.Sprintf("w=%d", o.Width))
-	}
-
-	if o.Height > 0 {
-		opts = append(opts, fmt.Sprintf("h=%d", o.Height))
-	}
-
-	if o.OffsetX > 0 {
-		opts = append(opts, fmt.Sprintf("X=%d", o.OffsetX))
-	}
-
-	if o.OffsetY > 0 {
-		opts = append(opts, fmt.Sprintf("Y=%d", o.OffsetY))
-	}
-
-	if o.Columns > 0 {
-		opts = append(opts, fmt.Sprintf("c=%d", o.Columns))
-	}
-
-	if o.Rows > 0 {
-		opts = append(opts, fmt.Sprintf("r=%d", o.Rows))
-	}
-
-	if o.Delete != DeleteAll || o.DeleteResources {
-		da := o.Delete
-		if o.DeleteResources {
-			da = da - ' ' // to uppercase
-		}
-
-		opts = append(opts, fmt.Sprintf("d=%c", da))
-	}
-
-	if o.Action != Transmit {
-		opts = append(opts, fmt.Sprintf("a=%c", o.Action))
-	}
-
-	return
-}
-
-// String returns the string representation of the options.
-func (o Options) String() string {
-	return strings.Join(o.Options(), ",")
-}
-
-// MarshalText returns the string representation of the options.
-func (o Options) MarshalText() ([]byte, error) {
-	return []byte(o.String()), nil
-}
-
-// UnmarshalText parses the options from the given string.
-func (o *Options) UnmarshalText(text []byte) error {
-	opts := strings.Split(string(text), ",")
-	for _, opt := range opts {
-		ps := strings.SplitN(opt, "=", 2)
-		if len(ps) != 2 || len(ps[1]) == 0 {
-			continue
-		}
-
-		switch ps[0] {
-		case "a":
-			o.Action = ps[1][0]
-		case "o":
-			o.Compression = ps[1][0]
-		case "t":
-			o.Transmission = ps[1][0]
-		case "d":
-			d := ps[1][0]
-			if d >= 'A' && d <= 'Z' {
-				o.DeleteResources = true
-				d = d + ' ' // to lowercase
-			}
-			o.Delete = d
-		case "i", "q", "p", "I", "f", "s", "v", "S", "O", "m", "x", "y", "z", "w", "h", "X", "Y", "c", "r", "U", "P", "Q":
-			v, err := strconv.Atoi(ps[1])
-			if err != nil {
-				continue
-			}
-
-			switch ps[0] {
-			case "i":
-				o.ID = v
-			case "q":
-				o.Quite = byte(v)
-			case "p":
-				o.PlacementID = v
-			case "I":
-				o.Number = v
-			case "f":
-				o.Format = v
-			case "s":
-				o.ImageWidth = v
-			case "v":
-				o.ImageHeight = v
-			case "S":
-				o.Size = v
-			case "O":
-				o.Offset = v
-			case "m":
-				o.Chunk = v == 0 || v == 1
-			case "x":
-				o.X = v
-			case "y":
-				o.Y = v
-			case "z":
-				o.Z = v
-			case "w":
-				o.Width = v
-			case "h":
-				o.Height = v
-			case "X":
-				o.OffsetX = v
-			case "Y":
-				o.OffsetY = v
-			case "c":
-				o.Columns = v
-			case "r":
-				o.Rows = v
-			case "U":
-				o.VirtualPlacement = v == 1
-			case "P":
-				o.ParentID = v
-			case "Q":
-				o.ParentPlacementID = v
-			}
-		}
-	}
-
-	return nil
-}
diff --git a/vendor/github.com/charmbracelet/x/ansi/mode.go b/vendor/github.com/charmbracelet/x/ansi/mode.go
index 57f3f0a8..03c91108 100644
--- a/vendor/github.com/charmbracelet/x/ansi/mode.go
+++ b/vendor/github.com/charmbracelet/x/ansi/mode.go
@@ -48,7 +48,7 @@ type Mode interface {
 	Mode() int
 }
 
-// SetMode (SM) returns a sequence to set a mode.
+// SetMode (SM) or (DECSET) returns a sequence to set a mode.
 // The mode arguments are a list of modes to set.
 //
 // If one of the modes is a [DECMode], the function will returns two escape
@@ -72,7 +72,12 @@ func SM(modes ...Mode) string {
 	return SetMode(modes...)
 }
 
-// ResetMode (RM) returns a sequence to reset a mode.
+// DECSET is an alias for [SetMode].
+func DECSET(modes ...Mode) string {
+	return SetMode(modes...)
+}
+
+// ResetMode (RM) or (DECRST) returns a sequence to reset a mode.
 // The mode arguments are a list of modes to reset.
 //
 // If one of the modes is a [DECMode], the function will returns two escape
@@ -96,9 +101,14 @@ func RM(modes ...Mode) string {
 	return ResetMode(modes...)
 }
 
+// DECRST is an alias for [ResetMode].
+func DECRST(modes ...Mode) string {
+	return ResetMode(modes...)
+}
+
 func setMode(reset bool, modes ...Mode) (s string) {
 	if len(modes) == 0 {
-		return
+		return //nolint:nakedret
 	}
 
 	cmd := "h"
@@ -132,7 +142,7 @@ func setMode(reset bool, modes ...Mode) (s string) {
 	if len(dec) > 0 {
 		s += seq + "?" + strings.Join(dec, ";") + cmd
 	}
-	return
+	return //nolint:nakedret
 }
 
 // RequestMode (DECRQM) returns a sequence to request a mode from the terminal.
@@ -243,6 +253,21 @@ const (
 	RequestInsertReplaceMode = "\x1b[4$p"
 )
 
+// BiDirectional Support Mode (BDSM) is a mode that determines whether the
+// terminal supports bidirectional text. When enabled, the terminal supports
+// bidirectional text and is set to implicit bidirectional mode. When disabled,
+// the terminal does not support bidirectional text.
+//
+// See ECMA-48 7.2.1.
+const (
+	BiDirectionalSupportMode = ANSIMode(8)
+	BDSM                     = BiDirectionalSupportMode
+
+	SetBiDirectionalSupportMode     = "\x1b[8h"
+	ResetBiDirectionalSupportMode   = "\x1b[8l"
+	RequestBiDirectionalSupportMode = "\x1b[8$p"
+)
+
 // Send Receive Mode (SRM) or Local Echo Mode is a mode that determines whether
 // the terminal echoes characters back to the host. When enabled, the terminal
 // sends characters to the host as they are typed.
@@ -297,7 +322,7 @@ const (
 
 // Deprecated: use [SetCursorKeysMode] and [ResetCursorKeysMode] instead.
 const (
-	EnableCursorKeys  = "\x1b[?1h"
+	EnableCursorKeys  = "\x1b[?1h" //nolint:revive // grouped constants
 	DisableCursorKeys = "\x1b[?1l"
 )
 
@@ -548,8 +573,9 @@ const (
 
 // Deprecated: use [SetFocusEventMode], [ResetFocusEventMode], and
 // [RequestFocusEventMode] instead.
+// Focus reporting mode constants.
 const (
-	ReportFocusMode = DECMode(1004)
+	ReportFocusMode = DECMode(1004) //nolint:revive // grouped constants
 
 	EnableReportFocus  = "\x1b[?1004h"
 	DisableReportFocus = "\x1b[?1004l"
@@ -577,7 +603,7 @@ const (
 // Deprecated: use [SgrExtMouseMode] [SetSgrExtMouseMode],
 // [ResetSgrExtMouseMode], and [RequestSgrExtMouseMode] instead.
 const (
-	MouseSgrExtMode    = DECMode(1006)
+	MouseSgrExtMode    = DECMode(1006) //nolint:revive // grouped constants
 	EnableMouseSgrExt  = "\x1b[?1006h"
 	DisableMouseSgrExt = "\x1b[?1006l"
 	RequestMouseSgrExt = "\x1b[?1006$p"
@@ -693,7 +719,7 @@ const (
 // Deprecated: use [SetBracketedPasteMode], [ResetBracketedPasteMode], and
 // [RequestBracketedPasteMode] instead.
 const (
-	EnableBracketedPaste  = "\x1b[?2004h"
+	EnableBracketedPaste  = "\x1b[?2004h" //nolint:revive // grouped constants
 	DisableBracketedPaste = "\x1b[?2004l"
 	RequestBracketedPaste = "\x1b[?2004$p"
 )
@@ -710,6 +736,8 @@ const (
 	RequestSynchronizedOutputMode = "\x1b[?2026$p"
 )
 
+// Synchronized Output Mode. See [SynchronizedOutputMode].
+//
 // Deprecated: use [SynchronizedOutputMode], [SetSynchronizedOutputMode], and
 // [ResetSynchronizedOutputMode], and [RequestSynchronizedOutputMode] instead.
 const (
@@ -720,12 +748,28 @@ const (
 	RequestSyncdOutput = "\x1b[?2026$p"
 )
 
+// Unicode Core Mode is a mode that determines whether the terminal should use
+// Unicode grapheme clustering to calculate the width of glyphs for each
+// terminal cell.
+//
+// See: https://github.com/contour-terminal/terminal-unicode-core
+const (
+	UnicodeCoreMode = DECMode(2027)
+
+	SetUnicodeCoreMode     = "\x1b[?2027h"
+	ResetUnicodeCoreMode   = "\x1b[?2027l"
+	RequestUnicodeCoreMode = "\x1b[?2027$p"
+)
+
 // Grapheme Clustering Mode is a mode that determines whether the terminal
 // should look for grapheme clusters instead of single runes in the rendered
 // text. This makes the terminal properly render combining characters such as
 // emojis.
 //
 // See: https://github.com/contour-terminal/terminal-unicode-core
+//
+// Deprecated: use [GraphemeClusteringMode], [SetUnicodeCoreMode],
+// [ResetUnicodeCoreMode], and [RequestUnicodeCoreMode] instead.
 const (
 	GraphemeClusteringMode = DECMode(2027)
 
@@ -734,14 +778,54 @@ const (
 	RequestGraphemeClusteringMode = "\x1b[?2027$p"
 )
 
-// Deprecated: use [SetGraphemeClusteringMode], [ResetGraphemeClusteringMode], and
-// [RequestGraphemeClusteringMode] instead.
+// Grapheme Clustering Mode. See [GraphemeClusteringMode].
+//
+// Deprecated: use [SetUnicodeCoreMode], [ResetUnicodeCoreMode], and
+// [RequestUnicodeCoreMode] instead.
 const (
 	EnableGraphemeClustering  = "\x1b[?2027h"
 	DisableGraphemeClustering = "\x1b[?2027l"
 	RequestGraphemeClustering = "\x1b[?2027$p"
 )
 
+// LightDarkMode is a mode that enables reporting the operating system's color
+// scheme (light or dark) preference. It reports the color scheme as a [DSR]
+// and [LightDarkReport] escape sequences encoded as follows:
+//
+//	CSI ? 997 ; 1 n   for dark mode
+//	CSI ? 997 ; 2 n   for light mode
+//
+// The color preference can also be requested via the following [DSR] and
+// [RequestLightDarkReport] escape sequences:
+//
+//	CSI ? 996 n
+//
+// See: https://contour-terminal.org/vt-extensions/color-palette-update-notifications/
+const (
+	LightDarkMode = DECMode(2031)
+
+	SetLightDarkMode     = "\x1b[?2031h"
+	ResetLightDarkMode   = "\x1b[?2031l"
+	RequestLightDarkMode = "\x1b[?2031$p"
+)
+
+// InBandResizeMode is a mode that reports terminal resize events as escape
+// sequences. This is useful for systems that do not support [SIGWINCH] like
+// Windows.
+//
+// The terminal then sends the following encoding:
+//
+//	CSI 48 ; cellsHeight ; cellsWidth ; pixelHeight ; pixelWidth t
+//
+// See: https://gist.github.com/rockorager/e695fb2924d36b2bcf1fff4a3704bd83
+const (
+	InBandResizeMode = DECMode(2048)
+
+	SetInBandResizeMode     = "\x1b[?2048h"
+	ResetInBandResizeMode   = "\x1b[?2048l"
+	RequestInBandResizeMode = "\x1b[?2048$p"
+)
+
 // Win32Input is a mode that determines whether input is processed by the
 // Win32 console and Conpty.
 //
@@ -757,7 +841,7 @@ const (
 // Deprecated: use [SetWin32InputMode], [ResetWin32InputMode], and
 // [RequestWin32InputMode] instead.
 const (
-	EnableWin32Input  = "\x1b[?9001h"
+	EnableWin32Input  = "\x1b[?9001h" //nolint:revive // grouped constants
 	DisableWin32Input = "\x1b[?9001l"
 	RequestWin32Input = "\x1b[?9001$p"
 )
diff --git a/vendor/github.com/charmbracelet/x/ansi/modes.go b/vendor/github.com/charmbracelet/x/ansi/modes.go
index 1bec5bc8..6856d35e 100644
--- a/vendor/github.com/charmbracelet/x/ansi/modes.go
+++ b/vendor/github.com/charmbracelet/x/ansi/modes.go
@@ -4,12 +4,6 @@ package ansi
 // all modes are [ModeNotRecognized].
 type Modes map[Mode]ModeSetting
 
-// NewModes creates a new Modes map. By default, all modes are
-// [ModeNotRecognized].
-func NewModes() Modes {
-	return make(Modes)
-}
-
 // Get returns the setting of a terminal mode. If the mode is not set, it
 // returns [ModeNotRecognized].
 func (m Modes) Get(mode Mode) ModeSetting {
diff --git a/vendor/github.com/charmbracelet/x/ansi/mouse.go b/vendor/github.com/charmbracelet/x/ansi/mouse.go
index 95b0127f..0e4776bb 100644
--- a/vendor/github.com/charmbracelet/x/ansi/mouse.go
+++ b/vendor/github.com/charmbracelet/x/ansi/mouse.go
@@ -134,7 +134,7 @@ func EncodeMouseButton(b MouseButton, motion, shift, alt, ctrl bool) (m byte) {
 		m |= bitMotion
 	}
 
-	return
+	return //nolint:nakedret
 }
 
 // x10Offset is the offset for X10 mouse events.
diff --git a/vendor/github.com/charmbracelet/x/ansi/parser.go b/vendor/github.com/charmbracelet/x/ansi/parser.go
index 882e1ed7..e770c15f 100644
--- a/vendor/github.com/charmbracelet/x/ansi/parser.go
+++ b/vendor/github.com/charmbracelet/x/ansi/parser.go
@@ -150,7 +150,7 @@ func (p *Parser) StateName() string {
 // Parse parses the given dispatcher and byte buffer.
 // Deprecated: Loop over the buffer and call [Parser.Advance] instead.
 func (p *Parser) Parse(b []byte) {
-	for i := 0; i < len(b); i++ {
+	for i := range b {
 		p.Advance(b[i])
 	}
 }
@@ -245,7 +245,7 @@ func (p *Parser) parseStringCmd() {
 	if p.dataLen >= 0 {
 		datalen = p.dataLen
 	}
-	for i := 0; i < datalen; i++ {
+	for i := range datalen {
 		d := p.data[i]
 		if d < '0' || d > '9' {
 			break
diff --git a/vendor/github.com/charmbracelet/x/ansi/parser/const.go b/vendor/github.com/charmbracelet/x/ansi/parser/const.go
index d62dbf37..85c90869 100644
--- a/vendor/github.com/charmbracelet/x/ansi/parser/const.go
+++ b/vendor/github.com/charmbracelet/x/ansi/parser/const.go
@@ -1,3 +1,4 @@
+// Package parser provides ANSI escape sequence parsing functionality.
 package parser
 
 // Action is a DEC ANSI parser action.
@@ -19,7 +20,7 @@ const (
 	IgnoreAction = NoneAction
 )
 
-// nolint: unused
+// ActionNames provides string names for parser actions.
 var ActionNames = []string{
 	"NoneAction",
 	"ClearAction",
@@ -58,7 +59,7 @@ const (
 	Utf8State
 )
 
-// nolint: unused
+// StateNames provides string names for parser states.
 var StateNames = []string{
 	"GroundState",
 	"CsiEntryState",
diff --git a/vendor/github.com/charmbracelet/x/ansi/parser/seq.go b/vendor/github.com/charmbracelet/x/ansi/parser/seq.go
index 29f491d1..de7e15e6 100644
--- a/vendor/github.com/charmbracelet/x/ansi/parser/seq.go
+++ b/vendor/github.com/charmbracelet/x/ansi/parser/seq.go
@@ -78,7 +78,7 @@ func Subparams(params []int, i int) []int {
 	// Count the number of parameters before the given parameter index.
 	var count int
 	var j int
-	for j = 0; j < len(params); j++ {
+	for j = range params {
 		if count == i {
 			break
 		}
@@ -116,7 +116,7 @@ func Subparams(params []int, i int) []int {
 // sub-parameters.
 func Len(params []int) int {
 	var n int
-	for i := 0; i < len(params); i++ {
+	for i := range params {
 		if !HasMore(params, i) {
 			n++
 		}
@@ -128,7 +128,7 @@ func Len(params []int) int {
 // function for each parameter.
 // The function should return false to stop the iteration.
 func Range(params []int, fn func(i int, param int, hasMore bool) bool) {
-	for i := 0; i < len(params); i++ {
+	for i := range params {
 		if !fn(i, Param(params, i), HasMore(params, i)) {
 			break
 		}
diff --git a/vendor/github.com/charmbracelet/x/ansi/parser/transition_table.go b/vendor/github.com/charmbracelet/x/ansi/parser/transition_table.go
index 558a5eac..ef46b7b6 100644
--- a/vendor/github.com/charmbracelet/x/ansi/parser/transition_table.go
+++ b/vendor/github.com/charmbracelet/x/ansi/parser/transition_table.go
@@ -30,7 +30,7 @@ func NewTransitionTable(size int) TransitionTable {
 
 // SetDefault sets default transition.
 func (t TransitionTable) SetDefault(action Action, state State) {
-	for i := 0; i < len(t); i++ {
+	for i := range t {
 		t[i] = action<<TransitionActionShift | state
 	}
 }
@@ -63,7 +63,7 @@ func (t TransitionTable) Transition(state State, code byte) (State, Action) {
 	return value & TransitionStateMask, value >> TransitionActionShift
 }
 
-// byte range macro
+// byte range macro.
 func r(start, end byte) []byte {
 	var a []byte
 	for i := int(start); i <= int(end); i++ {
diff --git a/vendor/github.com/charmbracelet/x/ansi/parser_decode.go b/vendor/github.com/charmbracelet/x/ansi/parser_decode.go
index 3e504739..dfd2dc76 100644
--- a/vendor/github.com/charmbracelet/x/ansi/parser_decode.go
+++ b/vendor/github.com/charmbracelet/x/ansi/parser_decode.go
@@ -359,7 +359,7 @@ func parseOscCmd(p *Parser) {
 	if p == nil || p.cmd != parser.MissingCommand {
 		return
 	}
-	for j := 0; j < p.dataLen; j++ {
+	for j := range p.dataLen {
 		d := p.data[j]
 		if d < '0' || d > '9' {
 			break
diff --git a/vendor/github.com/charmbracelet/x/ansi/passthrough.go b/vendor/github.com/charmbracelet/x/ansi/passthrough.go
index 14a74522..7ac7cef1 100644
--- a/vendor/github.com/charmbracelet/x/ansi/passthrough.go
+++ b/vendor/github.com/charmbracelet/x/ansi/passthrough.go
@@ -21,10 +21,7 @@ func ScreenPassthrough(seq string, limit int) string {
 	b.WriteString("\x1bP")
 	if limit > 0 {
 		for i := 0; i < len(seq); i += limit {
-			end := i + limit
-			if end > len(seq) {
-				end = len(seq)
-			}
+			end := min(i+limit, len(seq))
 			b.WriteString(seq[i:end])
 			if end < len(seq) {
 				b.WriteString("\x1b\\\x1bP")
@@ -52,7 +49,7 @@ func ScreenPassthrough(seq string, limit int) string {
 func TmuxPassthrough(seq string) string {
 	var b bytes.Buffer
 	b.WriteString("\x1bPtmux;")
-	for i := 0; i < len(seq); i++ {
+	for i := range len(seq) {
 		if seq[i] == ESC {
 			b.WriteByte(ESC)
 		}
diff --git a/vendor/github.com/charmbracelet/x/ansi/screen.go b/vendor/github.com/charmbracelet/x/ansi/screen.go
index c76e4f0d..e2027dff 100644
--- a/vendor/github.com/charmbracelet/x/ansi/screen.go
+++ b/vendor/github.com/charmbracelet/x/ansi/screen.go
@@ -351,7 +351,7 @@ func DECRQPSR(n int) string {
 //
 // See: https://vt100.net/docs/vt510-rm/DECTABSR.html
 func TabStopReport(stops ...int) string {
-	var s []string
+	var s []string //nolint:prealloc
 	for _, v := range stops {
 		s = append(s, strconv.Itoa(v))
 	}
@@ -376,7 +376,7 @@ func DECTABSR(stops ...int) string {
 //
 // See: https://vt100.net/docs/vt510-rm/DECCIR.html
 func CursorInformationReport(values ...int) string {
-	var s []string
+	var s []string //nolint:prealloc
 	for _, v := range values {
 		s = append(s, strconv.Itoa(v))
 	}
@@ -395,7 +395,7 @@ func DECCIR(values ...int) string {
 //
 //	CSI Pn b
 //
-// See: ECMA-48 § 8.3.103
+// See: ECMA-48 § 8.3.103.
 func RepeatPreviousCharacter(n int) string {
 	var s string
 	if n > 1 {
diff --git a/vendor/github.com/charmbracelet/x/ansi/sgr.go b/vendor/github.com/charmbracelet/x/ansi/sgr.go
index 1a18c98e..5e6d05df 100644
--- a/vendor/github.com/charmbracelet/x/ansi/sgr.go
+++ b/vendor/github.com/charmbracelet/x/ansi/sgr.go
@@ -1,8 +1,6 @@
 package ansi
 
-import "strconv"
-
-// Select Graphic Rendition (SGR) is a command that sets display attributes.
+// SelectGraphicRendition (SGR) is a command that sets display attributes.
 //
 // Default is 0.
 //
@@ -14,20 +12,7 @@ func SelectGraphicRendition(ps ...Attr) string {
 		return ResetStyle
 	}
 
-	var s Style
-	for _, p := range ps {
-		attr, ok := attrStrings[p]
-		if ok {
-			s = append(s, attr)
-		} else {
-			if p < 0 {
-				p = 0
-			}
-			s = append(s, strconv.Itoa(p))
-		}
-	}
-
-	return s.String()
+	return NewStyle(ps...).String()
 }
 
 // SGR is an alias for [SelectGraphicRendition].
@@ -36,60 +21,59 @@ func SGR(ps ...Attr) string {
 }
 
 var attrStrings = map[int]string{
-	ResetAttr:                        "0",
-	BoldAttr:                         "1",
-	FaintAttr:                        "2",
-	ItalicAttr:                       "3",
-	UnderlineAttr:                    "4",
-	SlowBlinkAttr:                    "5",
-	RapidBlinkAttr:                   "6",
-	ReverseAttr:                      "7",
-	ConcealAttr:                      "8",
-	StrikethroughAttr:                "9",
-	NoBoldAttr:                       "21",
-	NormalIntensityAttr:              "22",
-	NoItalicAttr:                     "23",
-	NoUnderlineAttr:                  "24",
-	NoBlinkAttr:                      "25",
-	NoReverseAttr:                    "27",
-	NoConcealAttr:                    "28",
-	NoStrikethroughAttr:              "29",
-	BlackForegroundColorAttr:         "30",
-	RedForegroundColorAttr:           "31",
-	GreenForegroundColorAttr:         "32",
-	YellowForegroundColorAttr:        "33",
-	BlueForegroundColorAttr:          "34",
-	MagentaForegroundColorAttr:       "35",
-	CyanForegroundColorAttr:          "36",
-	WhiteForegroundColorAttr:         "37",
-	ExtendedForegroundColorAttr:      "38",
-	DefaultForegroundColorAttr:       "39",
-	BlackBackgroundColorAttr:         "40",
-	RedBackgroundColorAttr:           "41",
-	GreenBackgroundColorAttr:         "42",
-	YellowBackgroundColorAttr:        "43",
-	BlueBackgroundColorAttr:          "44",
-	MagentaBackgroundColorAttr:       "45",
-	CyanBackgroundColorAttr:          "46",
-	WhiteBackgroundColorAttr:         "47",
-	ExtendedBackgroundColorAttr:      "48",
-	DefaultBackgroundColorAttr:       "49",
-	ExtendedUnderlineColorAttr:       "58",
-	DefaultUnderlineColorAttr:        "59",
-	BrightBlackForegroundColorAttr:   "90",
-	BrightRedForegroundColorAttr:     "91",
-	BrightGreenForegroundColorAttr:   "92",
-	BrightYellowForegroundColorAttr:  "93",
-	BrightBlueForegroundColorAttr:    "94",
-	BrightMagentaForegroundColorAttr: "95",
-	BrightCyanForegroundColorAttr:    "96",
-	BrightWhiteForegroundColorAttr:   "97",
-	BrightBlackBackgroundColorAttr:   "100",
-	BrightRedBackgroundColorAttr:     "101",
-	BrightGreenBackgroundColorAttr:   "102",
-	BrightYellowBackgroundColorAttr:  "103",
-	BrightBlueBackgroundColorAttr:    "104",
-	BrightMagentaBackgroundColorAttr: "105",
-	BrightCyanBackgroundColorAttr:    "106",
-	BrightWhiteBackgroundColorAttr:   "107",
+	ResetAttr:                        resetAttr,
+	BoldAttr:                         boldAttr,
+	FaintAttr:                        faintAttr,
+	ItalicAttr:                       italicAttr,
+	UnderlineAttr:                    underlineAttr,
+	SlowBlinkAttr:                    slowBlinkAttr,
+	RapidBlinkAttr:                   rapidBlinkAttr,
+	ReverseAttr:                      reverseAttr,
+	ConcealAttr:                      concealAttr,
+	StrikethroughAttr:                strikethroughAttr,
+	NormalIntensityAttr:              normalIntensityAttr,
+	NoItalicAttr:                     noItalicAttr,
+	NoUnderlineAttr:                  noUnderlineAttr,
+	NoBlinkAttr:                      noBlinkAttr,
+	NoReverseAttr:                    noReverseAttr,
+	NoConcealAttr:                    noConcealAttr,
+	NoStrikethroughAttr:              noStrikethroughAttr,
+	BlackForegroundColorAttr:         blackForegroundColorAttr,
+	RedForegroundColorAttr:           redForegroundColorAttr,
+	GreenForegroundColorAttr:         greenForegroundColorAttr,
+	YellowForegroundColorAttr:        yellowForegroundColorAttr,
+	BlueForegroundColorAttr:          blueForegroundColorAttr,
+	MagentaForegroundColorAttr:       magentaForegroundColorAttr,
+	CyanForegroundColorAttr:          cyanForegroundColorAttr,
+	WhiteForegroundColorAttr:         whiteForegroundColorAttr,
+	ExtendedForegroundColorAttr:      extendedForegroundColorAttr,
+	DefaultForegroundColorAttr:       defaultForegroundColorAttr,
+	BlackBackgroundColorAttr:         blackBackgroundColorAttr,
+	RedBackgroundColorAttr:           redBackgroundColorAttr,
+	GreenBackgroundColorAttr:         greenBackgroundColorAttr,
+	YellowBackgroundColorAttr:        yellowBackgroundColorAttr,
+	BlueBackgroundColorAttr:          blueBackgroundColorAttr,
+	MagentaBackgroundColorAttr:       magentaBackgroundColorAttr,
+	CyanBackgroundColorAttr:          cyanBackgroundColorAttr,
+	WhiteBackgroundColorAttr:         whiteBackgroundColorAttr,
+	ExtendedBackgroundColorAttr:      extendedBackgroundColorAttr,
+	DefaultBackgroundColorAttr:       defaultBackgroundColorAttr,
+	ExtendedUnderlineColorAttr:       extendedUnderlineColorAttr,
+	DefaultUnderlineColorAttr:        defaultUnderlineColorAttr,
+	BrightBlackForegroundColorAttr:   brightBlackForegroundColorAttr,
+	BrightRedForegroundColorAttr:     brightRedForegroundColorAttr,
+	BrightGreenForegroundColorAttr:   brightGreenForegroundColorAttr,
+	BrightYellowForegroundColorAttr:  brightYellowForegroundColorAttr,
+	BrightBlueForegroundColorAttr:    brightBlueForegroundColorAttr,
+	BrightMagentaForegroundColorAttr: brightMagentaForegroundColorAttr,
+	BrightCyanForegroundColorAttr:    brightCyanForegroundColorAttr,
+	BrightWhiteForegroundColorAttr:   brightWhiteForegroundColorAttr,
+	BrightBlackBackgroundColorAttr:   brightBlackBackgroundColorAttr,
+	BrightRedBackgroundColorAttr:     brightRedBackgroundColorAttr,
+	BrightGreenBackgroundColorAttr:   brightGreenBackgroundColorAttr,
+	BrightYellowBackgroundColorAttr:  brightYellowBackgroundColorAttr,
+	BrightBlueBackgroundColorAttr:    brightBlueBackgroundColorAttr,
+	BrightMagentaBackgroundColorAttr: brightMagentaBackgroundColorAttr,
+	BrightCyanBackgroundColorAttr:    brightCyanBackgroundColorAttr,
+	BrightWhiteBackgroundColorAttr:   brightWhiteBackgroundColorAttr,
 }
diff --git a/vendor/github.com/charmbracelet/x/ansi/status.go b/vendor/github.com/charmbracelet/x/ansi/status.go
index 4337e189..3adfb028 100644
--- a/vendor/github.com/charmbracelet/x/ansi/status.go
+++ b/vendor/github.com/charmbracelet/x/ansi/status.go
@@ -11,10 +11,10 @@ type StatusReport interface {
 	StatusReport() int
 }
 
-// ANSIReport represents an ANSI terminal status report.
+// ANSIStatusReport represents an ANSI terminal status report.
 type ANSIStatusReport int //nolint:revive
 
-// Report returns the status report identifier.
+// StatusReport returns the status report identifier.
 func (s ANSIStatusReport) StatusReport() int {
 	return int(s)
 }
@@ -22,7 +22,7 @@ func (s ANSIStatusReport) StatusReport() int {
 // DECStatusReport represents a DEC terminal status report.
 type DECStatusReport int
 
-// Status returns the status report identifier.
+// StatusReport returns the status report identifier.
 func (s DECStatusReport) StatusReport() int {
 	return int(s)
 }
@@ -89,6 +89,16 @@ const RequestCursorPositionReport = "\x1b[6n"
 // See: https://vt100.net/docs/vt510-rm/DECXCPR.html
 const RequestExtendedCursorPositionReport = "\x1b[?6n"
 
+// RequestLightDarkReport is a control sequence that requests the terminal to
+// report its operating system light/dark color preference. Supported terminals
+// should respond with a [LightDarkReport] sequence as follows:
+//
+//	CSI ? 997 ; 1 n   for dark mode
+//	CSI ? 997 ; 2 n   for light mode
+//
+// See: https://contour-terminal.org/vt-extensions/color-palette-update-notifications/
+const RequestLightDarkReport = "\x1b[?996n"
+
 // CursorPositionReport (CPR) is a control sequence that reports the cursor's
 // position.
 //
@@ -142,3 +152,17 @@ func ExtendedCursorPositionReport(line, column, page int) string {
 func DECXCPR(line, column, page int) string {
 	return ExtendedCursorPositionReport(line, column, page)
 }
+
+// LightDarkReport is a control sequence that reports the terminal's operating
+// system light/dark color preference.
+//
+//	CSI ? 997 ; 1 n   for dark mode
+//	CSI ? 997 ; 2 n   for light mode
+//
+// See: https://contour-terminal.org/vt-extensions/color-palette-update-notifications/
+func LightDarkReport(dark bool) string {
+	if dark {
+		return "\x1b[?997;1n"
+	}
+	return "\x1b[?997;2n"
+}
diff --git a/vendor/github.com/charmbracelet/x/ansi/style.go b/vendor/github.com/charmbracelet/x/ansi/style.go
index 46ddcaa9..d8a7efae 100644
--- a/vendor/github.com/charmbracelet/x/ansi/style.go
+++ b/vendor/github.com/charmbracelet/x/ansi/style.go
@@ -17,6 +17,26 @@ type Attr = int
 // Style represents an ANSI SGR (Select Graphic Rendition) style.
 type Style []string
 
+// NewStyle returns a new style with the given attributes.
+func NewStyle(attrs ...Attr) Style {
+	if len(attrs) == 0 {
+		return Style{}
+	}
+	s := make(Style, 0, len(attrs))
+	for _, a := range attrs {
+		attr, ok := attrStrings[a]
+		if ok {
+			s = append(s, attr)
+		} else {
+			if a < 0 {
+				a = 0
+			}
+			s = append(s, strconv.Itoa(a))
+		}
+	}
+	return s
+}
+
 // String returns the ANSI SGR (Select Graphic Rendition) style sequence for
 // the given style.
 func (s Style) String() string {
@@ -127,11 +147,6 @@ func (s Style) Strikethrough() Style {
 	return append(s, strikethroughAttr)
 }
 
-// NoBold appends the no bold style attribute to the style.
-func (s Style) NoBold() Style {
-	return append(s, noBoldAttr)
-}
-
 // NormalIntensity appends the normal intensity style attribute to the style.
 func (s Style) NormalIntensity() Style {
 	return append(s, normalIntensityAttr)
@@ -236,7 +251,6 @@ const (
 	ReverseAttr                      Attr = 7
 	ConcealAttr                      Attr = 8
 	StrikethroughAttr                Attr = 9
-	NoBoldAttr                       Attr = 21 // Some terminals treat this as double underline.
 	NormalIntensityAttr              Attr = 22
 	NoItalicAttr                     Attr = 23
 	NoUnderlineAttr                  Attr = 24
@@ -298,7 +312,6 @@ const (
 	reverseAttr                      = "7"
 	concealAttr                      = "8"
 	strikethroughAttr                = "9"
-	noBoldAttr                       = "21"
 	normalIntensityAttr              = "22"
 	noItalicAttr                     = "23"
 	noUnderlineAttr                  = "24"
@@ -581,7 +594,7 @@ func ReadStyleColor(params Params, co *color.Color) (n int) {
 			B: uint8(b), //nolint:gosec
 			A: 0xff,
 		}
-		return
+		return //nolint:nakedret
 
 	case 3: // CMY direct color
 		if len(params) < 5 {
@@ -599,7 +612,7 @@ func ReadStyleColor(params Params, co *color.Color) (n int) {
 			Y: uint8(y), //nolint:gosec
 			K: 0,
 		}
-		return
+		return //nolint:nakedret
 
 	case 4: // CMYK direct color
 		if len(params) < 6 {
@@ -617,7 +630,7 @@ func ReadStyleColor(params Params, co *color.Color) (n int) {
 			Y: uint8(y), //nolint:gosec
 			K: uint8(k), //nolint:gosec
 		}
-		return
+		return //nolint:nakedret
 
 	case 5: // indexed color
 		if len(params) < 3 {
@@ -652,7 +665,7 @@ func ReadStyleColor(params Params, co *color.Color) (n int) {
 			B: uint8(b), //nolint:gosec
 			A: uint8(a), //nolint:gosec
 		}
-		return
+		return //nolint:nakedret
 
 	default:
 		return 0
diff --git a/vendor/github.com/charmbracelet/x/ansi/termcap.go b/vendor/github.com/charmbracelet/x/ansi/termcap.go
index 3c5c7da9..b59aa420 100644
--- a/vendor/github.com/charmbracelet/x/ansi/termcap.go
+++ b/vendor/github.com/charmbracelet/x/ansi/termcap.go
@@ -5,7 +5,7 @@ import (
 	"strings"
 )
 
-// RequestTermcap (XTGETTCAP) requests Termcap/Terminfo strings.
+// XTGETTCAP (RequestTermcap) requests Termcap/Terminfo strings.
 //
 //	DCS + q <Pt> ST
 //
diff --git a/vendor/github.com/charmbracelet/x/ansi/title.go b/vendor/github.com/charmbracelet/x/ansi/title.go
index 8fd8bf98..54ef9423 100644
--- a/vendor/github.com/charmbracelet/x/ansi/title.go
+++ b/vendor/github.com/charmbracelet/x/ansi/title.go
@@ -30,3 +30,19 @@ func SetIconName(s string) string {
 func SetWindowTitle(s string) string {
 	return "\x1b]2;" + s + "\x07"
 }
+
+// DECSWT is a sequence for setting the window title.
+//
+// This is an alias for [SetWindowTitle]("1;<name>").
+// See: EK-VT520-RM 5–156 https://vt100.net/dec/ek-vt520-rm.pdf
+func DECSWT(name string) string {
+	return SetWindowTitle("1;" + name)
+}
+
+// DECSIN is a sequence for setting the icon name.
+//
+// This is an alias for [SetWindowTitle]("L;<name>").
+// See: EK-VT520-RM 5–134 https://vt100.net/dec/ek-vt520-rm.pdf
+func DECSIN(name string) string {
+	return SetWindowTitle("L;" + name)
+}
diff --git a/vendor/github.com/charmbracelet/x/ansi/truncate.go b/vendor/github.com/charmbracelet/x/ansi/truncate.go
index 1fa3efef..3f541fa5 100644
--- a/vendor/github.com/charmbracelet/x/ansi/truncate.go
+++ b/vendor/github.com/charmbracelet/x/ansi/truncate.go
@@ -10,8 +10,7 @@ import (
 
 // Cut the string, without adding any prefix or tail strings. This function is
 // aware of ANSI escape codes and will not break them, and accounts for
-// wide-characters (such as East-Asian characters and emojis). Note that the
-// [left] parameter is inclusive, while [right] isn't.
+// wide-characters (such as East-Asian characters and emojis).
 // This treats the text as a sequence of graphemes.
 func Cut(s string, left, right int) string {
 	return cut(GraphemeWidth, s, left, right)
@@ -19,8 +18,10 @@ func Cut(s string, left, right int) string {
 
 // CutWc the string, without adding any prefix or tail strings. This function is
 // aware of ANSI escape codes and will not break them, and accounts for
-// wide-characters (such as East-Asian characters and emojis). Note that the
-// [left] parameter is inclusive, while [right] isn't.
+// wide-characters (such as East-Asian characters and emojis).
+// Note that the [left] parameter is inclusive, while [right] isn't,
+// which is to say it'll return `[left, right)`.
+//
 // This treats the text as a sequence of wide characters and runes.
 func CutWc(s string, left, right int) string {
 	return cut(WcWidth, s, left, right)
@@ -41,7 +42,7 @@ func cut(m Method, s string, left, right int) string {
 	if left == 0 {
 		return truncate(s, right, "")
 	}
-	return truncateLeft(Truncate(s, right, ""), left, "")
+	return truncateLeft(truncate(s, right, ""), left, "")
 }
 
 // Truncate truncates a string to a given length, adding a tail to the end if
@@ -99,6 +100,7 @@ func truncate(m Method, s string, length int, tail string) string {
 
 			// increment the index by the length of the cluster
 			i += len(cluster)
+			curWidth += width
 
 			// Are we ignoring? Skip to the next byte
 			if ignoring {
@@ -107,16 +109,15 @@ func truncate(m Method, s string, length int, tail string) string {
 
 			// Is this gonna be too wide?
 			// If so write the tail and stop collecting.
-			if curWidth+width > length && !ignoring {
+			if curWidth > length && !ignoring {
 				ignoring = true
 				buf.WriteString(tail)
 			}
 
-			if curWidth+width > length {
+			if curWidth > length {
 				continue
 			}
 
-			curWidth += width
 			buf.Write(cluster)
 
 			// Done collecting, now we're back in the ground state.
@@ -142,6 +143,14 @@ func truncate(m Method, s string, length int, tail string) string {
 			// collects printable ASCII
 			curWidth++
 			fallthrough
+		case parser.ExecuteAction:
+			// execute action will be things like \n, which, if outside the cut,
+			// should be ignored.
+			if ignoring {
+				i++
+				continue
+			}
+			fallthrough
 		default:
 			buf.WriteByte(b[i])
 			i++
@@ -214,14 +223,14 @@ func truncateLeft(m Method, s string, n int, prefix string) string {
 				buf.WriteString(prefix)
 			}
 
-			if ignoring {
-				continue
-			}
-
 			if curWidth > n {
 				buf.Write(cluster)
 			}
 
+			if ignoring {
+				continue
+			}
+
 			pstate = parser.GroundState
 			continue
 		}
@@ -240,6 +249,14 @@ func truncateLeft(m Method, s string, n int, prefix string) string {
 				continue
 			}
 
+			fallthrough
+		case parser.ExecuteAction:
+			// execute action will be things like \n, which, if outside the cut,
+			// should be ignored.
+			if ignoring {
+				i++
+				continue
+			}
 			fallthrough
 		default:
 			buf.WriteByte(b[i])
diff --git a/vendor/github.com/charmbracelet/x/ansi/util.go b/vendor/github.com/charmbracelet/x/ansi/util.go
index 301ef15f..103f452b 100644
--- a/vendor/github.com/charmbracelet/x/ansi/util.go
+++ b/vendor/github.com/charmbracelet/x/ansi/util.go
@@ -10,7 +10,7 @@ import (
 )
 
 // colorToHexString returns a hex string representation of a color.
-func colorToHexString(c color.Color) string {
+func colorToHexString(c color.Color) string { //nolint:unused
 	if c == nil {
 		return ""
 	}
@@ -28,7 +28,7 @@ func colorToHexString(c color.Color) string {
 // rgbToHex converts red, green, and blue values to a hexadecimal value.
 //
 //	hex := rgbToHex(0, 0, 255) // 0x0000FF
-func rgbToHex(r, g, b uint32) uint32 {
+func rgbToHex(r, g, b uint32) uint32 { //nolint:unused
 	return r<<16 + g<<8 + b
 }
 
@@ -90,17 +90,3 @@ func XParseColor(s string) color.Color {
 	}
 	return nil
 }
-
-type ordered interface {
-	~int | ~int8 | ~int16 | ~int32 | ~int64 |
-		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr |
-		~float32 | ~float64 |
-		~string
-}
-
-func max[T ordered](a, b T) T { //nolint:predeclared
-	if a > b {
-		return a
-	}
-	return b
-}
diff --git a/vendor/github.com/charmbracelet/x/ansi/width.go b/vendor/github.com/charmbracelet/x/ansi/width.go
index d0487d35..cc085816 100644
--- a/vendor/github.com/charmbracelet/x/ansi/width.go
+++ b/vendor/github.com/charmbracelet/x/ansi/width.go
@@ -19,7 +19,7 @@ func Strip(s string) string {
 
 	// This implements a subset of the Parser to only collect runes and
 	// printable characters.
-	for i := 0; i < len(s); i++ {
+	for i := range len(s) {
 		if pstate == parser.Utf8State {
 			// During this state, collect rw bytes to form a valid rune in the
 			// buffer. After getting all the rune bytes into the buffer,
diff --git a/vendor/github.com/charmbracelet/x/ansi/wrap.go b/vendor/github.com/charmbracelet/x/ansi/wrap.go
index 6b995800..253e1233 100644
--- a/vendor/github.com/charmbracelet/x/ansi/wrap.go
+++ b/vendor/github.com/charmbracelet/x/ansi/wrap.go
@@ -10,7 +10,7 @@ import (
 	"github.com/rivo/uniseg"
 )
 
-// nbsp is a non-breaking space
+// nbsp is a non-breaking space.
 const nbsp = 0xA0
 
 // Hardwrap wraps a string or a block of text to a given line length, breaking
@@ -55,7 +55,7 @@ func hardwrap(m Method, s string, limit int, preserveSpace bool) string {
 	i := 0
 	for i < len(b) {
 		state, action := parser.Table.Transition(pstate, b[i])
-		if state == parser.Utf8State {
+		if state == parser.Utf8State { //nolint:nestif
 			var width int
 			cluster, _, width, _ = uniseg.FirstGraphemeCluster(b[i:], -1)
 			if m == WcWidth {
@@ -190,7 +190,7 @@ func wordwrap(m Method, s string, limit int, breakpoints string) string {
 	i := 0
 	for i < len(b) {
 		state, action := parser.Table.Transition(pstate, b[i])
-		if state == parser.Utf8State {
+		if state == parser.Utf8State { //nolint:nestif
 			var width int
 			cluster, _, width, _ = uniseg.FirstGraphemeCluster(b[i:], -1)
 			if m == WcWidth {
@@ -303,20 +303,22 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 	}
 
 	var (
-		cluster  []byte
-		buf      bytes.Buffer
-		word     bytes.Buffer
-		space    bytes.Buffer
-		curWidth int                  // written width of the line
-		wordLen  int                  // word buffer len without ANSI escape codes
-		pstate   = parser.GroundState // initial state
-		b        = []byte(s)
+		cluster    []byte
+		buf        bytes.Buffer
+		word       bytes.Buffer
+		space      bytes.Buffer
+		spaceWidth int                  // width of the space buffer
+		curWidth   int                  // written width of the line
+		wordLen    int                  // word buffer len without ANSI escape codes
+		pstate     = parser.GroundState // initial state
+		b          = []byte(s)
 	)
 
 	addSpace := func() {
-		curWidth += space.Len()
+		curWidth += spaceWidth
 		buf.Write(space.Bytes())
 		space.Reset()
+		spaceWidth = 0
 	}
 
 	addWord := func() {
@@ -335,12 +337,13 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 		buf.WriteByte('\n')
 		curWidth = 0
 		space.Reset()
+		spaceWidth = 0
 	}
 
 	i := 0
 	for i < len(b) {
 		state, action := parser.Table.Transition(pstate, b[i])
-		if state == parser.Utf8State {
+		if state == parser.Utf8State { //nolint:nestif
 			var width int
 			cluster, _, width, _ = uniseg.FirstGraphemeCluster(b[i:], -1)
 			if m == WcWidth {
@@ -353,6 +356,7 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 			case r != utf8.RuneError && unicode.IsSpace(r) && r != nbsp: // nbsp is a non-breaking space
 				addWord()
 				space.WriteRune(r)
+				spaceWidth += width
 			case bytes.ContainsAny(cluster, breakpoints):
 				addSpace()
 				if curWidth+wordLen+width > limit {
@@ -372,7 +376,7 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 				word.Write(cluster)
 				wordLen += width
 
-				if curWidth+wordLen+space.Len() > limit {
+				if curWidth+wordLen+spaceWidth > limit {
 					addNewline()
 				}
 			}
@@ -386,13 +390,14 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 			switch r := rune(b[i]); {
 			case r == '\n':
 				if wordLen == 0 {
-					if curWidth+space.Len() > limit {
+					if curWidth+spaceWidth > limit {
 						curWidth = 0
 					} else {
 						// preserve whitespaces
 						buf.Write(space.Bytes())
 					}
 					space.Reset()
+					spaceWidth = 0
 				}
 
 				addWord()
@@ -400,6 +405,7 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 			case unicode.IsSpace(r):
 				addWord()
 				space.WriteRune(r)
+				spaceWidth++
 			case r == '-':
 				fallthrough
 			case runeContainsAny(r, breakpoints):
@@ -426,7 +432,7 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 					addWord()
 				}
 
-				if curWidth+wordLen+space.Len() > limit {
+				if curWidth+wordLen+spaceWidth > limit {
 					addNewline()
 				}
 			}
@@ -443,13 +449,14 @@ func wrap(m Method, s string, limit int, breakpoints string) string {
 	}
 
 	if wordLen == 0 {
-		if curWidth+space.Len() > limit {
+		if curWidth+spaceWidth > limit {
 			curWidth = 0
 		} else {
 			// preserve whitespaces
 			buf.Write(space.Bytes())
 		}
 		space.Reset()
+		spaceWidth = 0
 	}
 
 	addWord()
diff --git a/vendor/github.com/cloudflare/circl/ecc/goldilocks/curve.go b/vendor/github.com/cloudflare/circl/ecc/goldilocks/curve.go
index 5a939100..1f165141 100644
--- a/vendor/github.com/cloudflare/circl/ecc/goldilocks/curve.go
+++ b/vendor/github.com/cloudflare/circl/ecc/goldilocks/curve.go
@@ -18,6 +18,9 @@ func (Curve) Identity() *Point {
 func (Curve) IsOnCurve(P *Point) bool {
 	x2, y2, t, t2, z2 := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
 	rhs, lhs := &fp.Elt{}, &fp.Elt{}
+	// Check z != 0
+	eq0 := !fp.IsZero(&P.z)
+
 	fp.Mul(t, &P.ta, &P.tb)  // t = ta*tb
 	fp.Sqr(x2, &P.x)         // x^2
 	fp.Sqr(y2, &P.y)         // y^2
@@ -27,13 +30,14 @@ func (Curve) IsOnCurve(P *Point) bool {
 	fp.Mul(rhs, t2, &paramD) // dt^2
 	fp.Add(rhs, rhs, z2)     // z^2 + dt^2
 	fp.Sub(lhs, lhs, rhs)    // x^2 + y^2 - (z^2 + dt^2)
-	eq0 := fp.IsZero(lhs)
+	eq1 := fp.IsZero(lhs)
 
 	fp.Mul(lhs, &P.x, &P.y) // xy
 	fp.Mul(rhs, t, &P.z)    // tz
 	fp.Sub(lhs, lhs, rhs)   // xy - tz
-	eq1 := fp.IsZero(lhs)
-	return eq0 && eq1
+	eq2 := fp.IsZero(lhs)
+
+	return eq0 && eq1 && eq2
 }
 
 // Generator returns the generator point.
diff --git a/vendor/github.com/cloudflare/circl/sign/ed25519/point.go b/vendor/github.com/cloudflare/circl/sign/ed25519/point.go
index 374a6950..d1c3b146 100644
--- a/vendor/github.com/cloudflare/circl/sign/ed25519/point.go
+++ b/vendor/github.com/cloudflare/circl/sign/ed25519/point.go
@@ -164,7 +164,7 @@ func (P *pointR1) isEqual(Q *pointR1) bool {
 	fp.Mul(r, r, &P.z)
 	fp.Sub(l, l, r)
 	b = b && fp.IsZero(l)
-	return b
+	return b && !fp.IsZero(&P.z) && !fp.IsZero(&Q.z)
 }
 
 func (P *pointR3) neg() {
diff --git a/vendor/github.com/containerd/errdefs/LICENSE b/vendor/github.com/containerd/errdefs/LICENSE
new file mode 100644
index 00000000..584149b6
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright The containerd Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/containerd/errdefs/README.md b/vendor/github.com/containerd/errdefs/README.md
new file mode 100644
index 00000000..bd418c63
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/README.md
@@ -0,0 +1,13 @@
+# errdefs
+
+A Go package for defining and checking common containerd errors.
+
+## Project details
+
+**errdefs** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
diff --git a/vendor/github.com/containerd/errdefs/errors.go b/vendor/github.com/containerd/errdefs/errors.go
new file mode 100644
index 00000000..f654d196
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/errors.go
@@ -0,0 +1,443 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package errdefs defines the common errors used throughout containerd
+// packages.
+//
+// Use with fmt.Errorf to add context to an error.
+//
+// To detect an error class, use the IsXXX functions to tell whether an error
+// is of a certain type.
+package errdefs
+
+import (
+	"context"
+	"errors"
+)
+
+// Definitions of common error types used throughout containerd. All containerd
+// errors returned by most packages will map into one of these errors classes.
+// Packages should return errors of these types when they want to instruct a
+// client to take a particular action.
+//
+// These errors map closely to grpc errors.
+var (
+	ErrUnknown            = errUnknown{}
+	ErrInvalidArgument    = errInvalidArgument{}
+	ErrNotFound           = errNotFound{}
+	ErrAlreadyExists      = errAlreadyExists{}
+	ErrPermissionDenied   = errPermissionDenied{}
+	ErrResourceExhausted  = errResourceExhausted{}
+	ErrFailedPrecondition = errFailedPrecondition{}
+	ErrConflict           = errConflict{}
+	ErrNotModified        = errNotModified{}
+	ErrAborted            = errAborted{}
+	ErrOutOfRange         = errOutOfRange{}
+	ErrNotImplemented     = errNotImplemented{}
+	ErrInternal           = errInternal{}
+	ErrUnavailable        = errUnavailable{}
+	ErrDataLoss           = errDataLoss{}
+	ErrUnauthenticated    = errUnauthorized{}
+)
+
+// cancelled maps to Moby's "ErrCancelled"
+type cancelled interface {
+	Cancelled()
+}
+
+// IsCanceled returns true if the error is due to `context.Canceled`.
+func IsCanceled(err error) bool {
+	return errors.Is(err, context.Canceled) || isInterface[cancelled](err)
+}
+
+type errUnknown struct{}
+
+func (errUnknown) Error() string { return "unknown" }
+
+func (errUnknown) Unknown() {}
+
+func (e errUnknown) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// unknown maps to Moby's "ErrUnknown"
+type unknown interface {
+	Unknown()
+}
+
+// IsUnknown returns true if the error is due to an unknown error,
+// unhandled condition or unexpected response.
+func IsUnknown(err error) bool {
+	return errors.Is(err, errUnknown{}) || isInterface[unknown](err)
+}
+
+type errInvalidArgument struct{}
+
+func (errInvalidArgument) Error() string { return "invalid argument" }
+
+func (errInvalidArgument) InvalidParameter() {}
+
+func (e errInvalidArgument) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// invalidParameter maps to Moby's "ErrInvalidParameter"
+type invalidParameter interface {
+	InvalidParameter()
+}
+
+// IsInvalidArgument returns true if the error is due to an invalid argument
+func IsInvalidArgument(err error) bool {
+	return errors.Is(err, ErrInvalidArgument) || isInterface[invalidParameter](err)
+}
+
+// deadlineExceed maps to Moby's "ErrDeadline"
+type deadlineExceeded interface {
+	DeadlineExceeded()
+}
+
+// IsDeadlineExceeded returns true if the error is due to
+// `context.DeadlineExceeded`.
+func IsDeadlineExceeded(err error) bool {
+	return errors.Is(err, context.DeadlineExceeded) || isInterface[deadlineExceeded](err)
+}
+
+type errNotFound struct{}
+
+func (errNotFound) Error() string { return "not found" }
+
+func (errNotFound) NotFound() {}
+
+func (e errNotFound) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// notFound maps to Moby's "ErrNotFound"
+type notFound interface {
+	NotFound()
+}
+
+// IsNotFound returns true if the error is due to a missing object
+func IsNotFound(err error) bool {
+	return errors.Is(err, ErrNotFound) || isInterface[notFound](err)
+}
+
+type errAlreadyExists struct{}
+
+func (errAlreadyExists) Error() string { return "already exists" }
+
+func (errAlreadyExists) AlreadyExists() {}
+
+func (e errAlreadyExists) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type alreadyExists interface {
+	AlreadyExists()
+}
+
+// IsAlreadyExists returns true if the error is due to an already existing
+// metadata item
+func IsAlreadyExists(err error) bool {
+	return errors.Is(err, ErrAlreadyExists) || isInterface[alreadyExists](err)
+}
+
+type errPermissionDenied struct{}
+
+func (errPermissionDenied) Error() string { return "permission denied" }
+
+func (errPermissionDenied) Forbidden() {}
+
+func (e errPermissionDenied) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// forbidden maps to Moby's "ErrForbidden"
+type forbidden interface {
+	Forbidden()
+}
+
+// IsPermissionDenied returns true if the error is due to permission denied
+// or forbidden (403) response
+func IsPermissionDenied(err error) bool {
+	return errors.Is(err, ErrPermissionDenied) || isInterface[forbidden](err)
+}
+
+type errResourceExhausted struct{}
+
+func (errResourceExhausted) Error() string { return "resource exhausted" }
+
+func (errResourceExhausted) ResourceExhausted() {}
+
+func (e errResourceExhausted) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type resourceExhausted interface {
+	ResourceExhausted()
+}
+
+// IsResourceExhausted returns true if the error is due to
+// a lack of resources or too many attempts.
+func IsResourceExhausted(err error) bool {
+	return errors.Is(err, errResourceExhausted{}) || isInterface[resourceExhausted](err)
+}
+
+type errFailedPrecondition struct{}
+
+func (e errFailedPrecondition) Error() string { return "failed precondition" }
+
+func (errFailedPrecondition) FailedPrecondition() {}
+
+func (e errFailedPrecondition) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type failedPrecondition interface {
+	FailedPrecondition()
+}
+
+// IsFailedPrecondition returns true if an operation could not proceed due to
+// the lack of a particular condition
+func IsFailedPrecondition(err error) bool {
+	return errors.Is(err, errFailedPrecondition{}) || isInterface[failedPrecondition](err)
+}
+
+type errConflict struct{}
+
+func (errConflict) Error() string { return "conflict" }
+
+func (errConflict) Conflict() {}
+
+func (e errConflict) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// conflict maps to Moby's "ErrConflict"
+type conflict interface {
+	Conflict()
+}
+
+// IsConflict returns true if an operation could not proceed due to
+// a conflict.
+func IsConflict(err error) bool {
+	return errors.Is(err, errConflict{}) || isInterface[conflict](err)
+}
+
+type errNotModified struct{}
+
+func (errNotModified) Error() string { return "not modified" }
+
+func (errNotModified) NotModified() {}
+
+func (e errNotModified) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// notModified maps to Moby's "ErrNotModified"
+type notModified interface {
+	NotModified()
+}
+
+// IsNotModified returns true if an operation could not proceed due
+// to an object not modified from a previous state.
+func IsNotModified(err error) bool {
+	return errors.Is(err, errNotModified{}) || isInterface[notModified](err)
+}
+
+type errAborted struct{}
+
+func (errAborted) Error() string { return "aborted" }
+
+func (errAborted) Aborted() {}
+
+func (e errAborted) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type aborted interface {
+	Aborted()
+}
+
+// IsAborted returns true if an operation was aborted.
+func IsAborted(err error) bool {
+	return errors.Is(err, errAborted{}) || isInterface[aborted](err)
+}
+
+type errOutOfRange struct{}
+
+func (errOutOfRange) Error() string { return "out of range" }
+
+func (errOutOfRange) OutOfRange() {}
+
+func (e errOutOfRange) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type outOfRange interface {
+	OutOfRange()
+}
+
+// IsOutOfRange returns true if an operation could not proceed due
+// to data being out of the expected range.
+func IsOutOfRange(err error) bool {
+	return errors.Is(err, errOutOfRange{}) || isInterface[outOfRange](err)
+}
+
+type errNotImplemented struct{}
+
+func (errNotImplemented) Error() string { return "not implemented" }
+
+func (errNotImplemented) NotImplemented() {}
+
+func (e errNotImplemented) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// notImplemented maps to Moby's "ErrNotImplemented"
+type notImplemented interface {
+	NotImplemented()
+}
+
+// IsNotImplemented returns true if the error is due to not being implemented
+func IsNotImplemented(err error) bool {
+	return errors.Is(err, errNotImplemented{}) || isInterface[notImplemented](err)
+}
+
+type errInternal struct{}
+
+func (errInternal) Error() string { return "internal" }
+
+func (errInternal) System() {}
+
+func (e errInternal) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// system maps to Moby's "ErrSystem"
+type system interface {
+	System()
+}
+
+// IsInternal returns true if the error returns to an internal or system error
+func IsInternal(err error) bool {
+	return errors.Is(err, errInternal{}) || isInterface[system](err)
+}
+
+type errUnavailable struct{}
+
+func (errUnavailable) Error() string { return "unavailable" }
+
+func (errUnavailable) Unavailable() {}
+
+func (e errUnavailable) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// unavailable maps to Moby's "ErrUnavailable"
+type unavailable interface {
+	Unavailable()
+}
+
+// IsUnavailable returns true if the error is due to a resource being unavailable
+func IsUnavailable(err error) bool {
+	return errors.Is(err, errUnavailable{}) || isInterface[unavailable](err)
+}
+
+type errDataLoss struct{}
+
+func (errDataLoss) Error() string { return "data loss" }
+
+func (errDataLoss) DataLoss() {}
+
+func (e errDataLoss) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// dataLoss maps to Moby's "ErrDataLoss"
+type dataLoss interface {
+	DataLoss()
+}
+
+// IsDataLoss returns true if data during an operation was lost or corrupted
+func IsDataLoss(err error) bool {
+	return errors.Is(err, errDataLoss{}) || isInterface[dataLoss](err)
+}
+
+type errUnauthorized struct{}
+
+func (errUnauthorized) Error() string { return "unauthorized" }
+
+func (errUnauthorized) Unauthorized() {}
+
+func (e errUnauthorized) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// unauthorized maps to Moby's "ErrUnauthorized"
+type unauthorized interface {
+	Unauthorized()
+}
+
+// IsUnauthorized returns true if the error indicates that the user was
+// unauthenticated or unauthorized.
+func IsUnauthorized(err error) bool {
+	return errors.Is(err, errUnauthorized{}) || isInterface[unauthorized](err)
+}
+
+func isInterface[T any](err error) bool {
+	for {
+		switch x := err.(type) {
+		case T:
+			return true
+		case customMessage:
+			err = x.err
+		case interface{ Unwrap() error }:
+			err = x.Unwrap()
+			if err == nil {
+				return false
+			}
+		case interface{ Unwrap() []error }:
+			for _, err := range x.Unwrap() {
+				if isInterface[T](err) {
+					return true
+				}
+			}
+			return false
+		default:
+			return false
+		}
+	}
+}
+
+// customMessage is used to provide a defined error with a custom message.
+// The message is not wrapped but can be compared by the `Is(error) bool` interface.
+type customMessage struct {
+	err error
+	msg string
+}
+
+func (c customMessage) Is(err error) bool {
+	return c.err == err
+}
+
+func (c customMessage) As(target any) bool {
+	return errors.As(c.err, target)
+}
+
+func (c customMessage) Error() string {
+	return c.msg
+}
diff --git a/vendor/github.com/containerd/errdefs/pkg/LICENSE b/vendor/github.com/containerd/errdefs/pkg/LICENSE
new file mode 100644
index 00000000..584149b6
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/pkg/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright The containerd Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/containerd/errdefs/pkg/errhttp/http.go b/vendor/github.com/containerd/errdefs/pkg/errhttp/http.go
new file mode 100644
index 00000000..d7cd2b8c
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/pkg/errhttp/http.go
@@ -0,0 +1,96 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package errhttp provides utility functions for translating errors to
+// and from a HTTP context.
+//
+// The functions ToHTTP and ToNative can be used to map server-side and
+// client-side errors to the correct types.
+package errhttp
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/containerd/errdefs"
+	"github.com/containerd/errdefs/pkg/internal/cause"
+)
+
+// ToHTTP returns the best status code for the given error
+func ToHTTP(err error) int {
+	switch {
+	case errdefs.IsNotFound(err):
+		return http.StatusNotFound
+	case errdefs.IsInvalidArgument(err):
+		return http.StatusBadRequest
+	case errdefs.IsConflict(err):
+		return http.StatusConflict
+	case errdefs.IsNotModified(err):
+		return http.StatusNotModified
+	case errdefs.IsFailedPrecondition(err):
+		return http.StatusPreconditionFailed
+	case errdefs.IsUnauthorized(err):
+		return http.StatusUnauthorized
+	case errdefs.IsPermissionDenied(err):
+		return http.StatusForbidden
+	case errdefs.IsResourceExhausted(err):
+		return http.StatusTooManyRequests
+	case errdefs.IsInternal(err):
+		return http.StatusInternalServerError
+	case errdefs.IsNotImplemented(err):
+		return http.StatusNotImplemented
+	case errdefs.IsUnavailable(err):
+		return http.StatusServiceUnavailable
+	case errdefs.IsUnknown(err):
+		var unexpected cause.ErrUnexpectedStatus
+		if errors.As(err, &unexpected) && unexpected.Status >= 200 && unexpected.Status < 600 {
+			return unexpected.Status
+		}
+		return http.StatusInternalServerError
+	default:
+		return http.StatusInternalServerError
+	}
+}
+
+// ToNative returns the error best matching the HTTP status code
+func ToNative(statusCode int) error {
+	switch statusCode {
+	case http.StatusNotFound:
+		return errdefs.ErrNotFound
+	case http.StatusBadRequest:
+		return errdefs.ErrInvalidArgument
+	case http.StatusConflict:
+		return errdefs.ErrConflict
+	case http.StatusPreconditionFailed:
+		return errdefs.ErrFailedPrecondition
+	case http.StatusUnauthorized:
+		return errdefs.ErrUnauthenticated
+	case http.StatusForbidden:
+		return errdefs.ErrPermissionDenied
+	case http.StatusNotModified:
+		return errdefs.ErrNotModified
+	case http.StatusTooManyRequests:
+		return errdefs.ErrResourceExhausted
+	case http.StatusInternalServerError:
+		return errdefs.ErrInternal
+	case http.StatusNotImplemented:
+		return errdefs.ErrNotImplemented
+	case http.StatusServiceUnavailable:
+		return errdefs.ErrUnavailable
+	default:
+		return cause.ErrUnexpectedStatus{Status: statusCode}
+	}
+}
diff --git a/vendor/github.com/containerd/errdefs/pkg/internal/cause/cause.go b/vendor/github.com/containerd/errdefs/pkg/internal/cause/cause.go
new file mode 100644
index 00000000..d88756bb
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/pkg/internal/cause/cause.go
@@ -0,0 +1,33 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package cause is used to define root causes for errors
+// common to errors packages like grpc and http.
+package cause
+
+import "fmt"
+
+type ErrUnexpectedStatus struct {
+	Status int
+}
+
+const UnexpectedStatusPrefix = "unexpected status "
+
+func (e ErrUnexpectedStatus) Error() string {
+	return fmt.Sprintf("%s%d", UnexpectedStatusPrefix, e.Status)
+}
+
+func (ErrUnexpectedStatus) Unknown() {}
diff --git a/vendor/github.com/containerd/errdefs/resolve.go b/vendor/github.com/containerd/errdefs/resolve.go
new file mode 100644
index 00000000..c02d4a73
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/resolve.go
@@ -0,0 +1,147 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package errdefs
+
+import "context"
+
+// Resolve returns the first error found in the error chain which matches an
+// error defined in this package or context error. A raw, unwrapped error is
+// returned or ErrUnknown if no matching error is found.
+//
+// This is useful for determining a response code based on the outermost wrapped
+// error rather than the original cause. For example, a not found error deep
+// in the code may be wrapped as an invalid argument. When determining status
+// code from Is* functions, the depth or ordering of the error is not
+// considered.
+//
+// The search order is depth first, a wrapped error returned from any part of
+// the chain from `Unwrap() error` will be returned before any joined errors
+// as returned by `Unwrap() []error`.
+func Resolve(err error) error {
+	if err == nil {
+		return nil
+	}
+	err = firstError(err)
+	if err == nil {
+		err = ErrUnknown
+	}
+	return err
+}
+
+func firstError(err error) error {
+	for {
+		switch err {
+		case ErrUnknown,
+			ErrInvalidArgument,
+			ErrNotFound,
+			ErrAlreadyExists,
+			ErrPermissionDenied,
+			ErrResourceExhausted,
+			ErrFailedPrecondition,
+			ErrConflict,
+			ErrNotModified,
+			ErrAborted,
+			ErrOutOfRange,
+			ErrNotImplemented,
+			ErrInternal,
+			ErrUnavailable,
+			ErrDataLoss,
+			ErrUnauthenticated,
+			context.DeadlineExceeded,
+			context.Canceled:
+			return err
+		}
+		switch e := err.(type) {
+		case customMessage:
+			err = e.err
+		case unknown:
+			return ErrUnknown
+		case invalidParameter:
+			return ErrInvalidArgument
+		case notFound:
+			return ErrNotFound
+		case alreadyExists:
+			return ErrAlreadyExists
+		case forbidden:
+			return ErrPermissionDenied
+		case resourceExhausted:
+			return ErrResourceExhausted
+		case failedPrecondition:
+			return ErrFailedPrecondition
+		case conflict:
+			return ErrConflict
+		case notModified:
+			return ErrNotModified
+		case aborted:
+			return ErrAborted
+		case errOutOfRange:
+			return ErrOutOfRange
+		case notImplemented:
+			return ErrNotImplemented
+		case system:
+			return ErrInternal
+		case unavailable:
+			return ErrUnavailable
+		case dataLoss:
+			return ErrDataLoss
+		case unauthorized:
+			return ErrUnauthenticated
+		case deadlineExceeded:
+			return context.DeadlineExceeded
+		case cancelled:
+			return context.Canceled
+		case interface{ Unwrap() error }:
+			err = e.Unwrap()
+			if err == nil {
+				return nil
+			}
+		case interface{ Unwrap() []error }:
+			for _, ue := range e.Unwrap() {
+				if fe := firstError(ue); fe != nil {
+					return fe
+				}
+			}
+			return nil
+		case interface{ Is(error) bool }:
+			for _, target := range []error{ErrUnknown,
+				ErrInvalidArgument,
+				ErrNotFound,
+				ErrAlreadyExists,
+				ErrPermissionDenied,
+				ErrResourceExhausted,
+				ErrFailedPrecondition,
+				ErrConflict,
+				ErrNotModified,
+				ErrAborted,
+				ErrOutOfRange,
+				ErrNotImplemented,
+				ErrInternal,
+				ErrUnavailable,
+				ErrDataLoss,
+				ErrUnauthenticated,
+				context.DeadlineExceeded,
+				context.Canceled} {
+				if e.Is(target) {
+					return target
+				}
+			}
+			return nil
+		default:
+			return nil
+		}
+	}
+}
diff --git a/vendor/github.com/containerd/platforms/.gitattributes b/vendor/github.com/containerd/platforms/.gitattributes
new file mode 100644
index 00000000..a0717e4b
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/.gitattributes
@@ -0,0 +1 @@
+*.go text eol=lf
\ No newline at end of file
diff --git a/vendor/github.com/containerd/platforms/.golangci.yml b/vendor/github.com/containerd/platforms/.golangci.yml
new file mode 100644
index 00000000..a695775d
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/.golangci.yml
@@ -0,0 +1,30 @@
+linters:
+  enable:
+    - exportloopref # Checks for pointers to enclosing loop variables
+    - gofmt
+    - goimports
+    - gosec
+    - ineffassign
+    - misspell
+    - nolintlint
+    - revive
+    - staticcheck
+    - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17
+    - unconvert
+    - unused
+    - vet
+    - dupword # Checks for duplicate words in the source code
+  disable:
+    - errcheck
+
+run:
+  timeout: 5m
+  skip-dirs:
+    - api
+    - cluster
+    - design
+    - docs
+    - docs/man
+    - releases
+    - reports
+    - test # e2e scripts
diff --git a/vendor/github.com/containerd/platforms/LICENSE b/vendor/github.com/containerd/platforms/LICENSE
new file mode 100644
index 00000000..584149b6
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright The containerd Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/containerd/platforms/README.md b/vendor/github.com/containerd/platforms/README.md
new file mode 100644
index 00000000..2059de77
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/README.md
@@ -0,0 +1,32 @@
+# platforms
+
+A Go package for formatting, normalizing and matching container platforms.
+
+This package is based on the Open Containers Image Spec definition of a [platform](https://github.com/opencontainers/image-spec/blob/main/specs-go/v1/descriptor.go#L52).
+
+## Platform Specifier
+
+While the OCI platform specifications provide a tool for components to
+specify structured information, user input typically doesn't need the full
+context and much can be inferred. To solve this problem, this package introduces
+"specifiers". A specifier has the format
+`<os>|<arch>|<os>/<arch>[/<variant>]`.  The user can provide either the
+operating system or the architecture or both.
+
+An example of a common specifier is `linux/amd64`. If the host has a default
+runtime that matches this, the user can simply provide the component that
+matters. For example, if an image provides `amd64` and `arm64` support, the
+operating system, `linux` can be inferred, so they only have to provide
+`arm64` or `amd64`. Similar behavior is implemented for operating systems,
+where the architecture may be known but a runtime may support images from
+different operating systems.
+
+## Project details
+
+**platforms** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
\ No newline at end of file
diff --git a/vendor/github.com/containerd/platforms/compare.go b/vendor/github.com/containerd/platforms/compare.go
new file mode 100644
index 00000000..3913ef66
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/compare.go
@@ -0,0 +1,203 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"strconv"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// MatchComparer is able to match and compare platforms to
+// filter and sort platforms.
+type MatchComparer interface {
+	Matcher
+
+	Less(specs.Platform, specs.Platform) bool
+}
+
+// platformVector returns an (ordered) vector of appropriate specs.Platform
+// objects to try matching for the given platform object (see platforms.Only).
+func platformVector(platform specs.Platform) []specs.Platform {
+	vector := []specs.Platform{platform}
+
+	switch platform.Architecture {
+	case "amd64":
+		if amd64Version, err := strconv.Atoi(strings.TrimPrefix(platform.Variant, "v")); err == nil && amd64Version > 1 {
+			for amd64Version--; amd64Version >= 1; amd64Version-- {
+				vector = append(vector, specs.Platform{
+					Architecture: platform.Architecture,
+					OS:           platform.OS,
+					OSVersion:    platform.OSVersion,
+					OSFeatures:   platform.OSFeatures,
+					Variant:      "v" + strconv.Itoa(amd64Version),
+				})
+			}
+		}
+		vector = append(vector, specs.Platform{
+			Architecture: "386",
+			OS:           platform.OS,
+			OSVersion:    platform.OSVersion,
+			OSFeatures:   platform.OSFeatures,
+		})
+	case "arm":
+		if armVersion, err := strconv.Atoi(strings.TrimPrefix(platform.Variant, "v")); err == nil && armVersion > 5 {
+			for armVersion--; armVersion >= 5; armVersion-- {
+				vector = append(vector, specs.Platform{
+					Architecture: platform.Architecture,
+					OS:           platform.OS,
+					OSVersion:    platform.OSVersion,
+					OSFeatures:   platform.OSFeatures,
+					Variant:      "v" + strconv.Itoa(armVersion),
+				})
+			}
+		}
+	case "arm64":
+		variant := platform.Variant
+		if variant == "" {
+			variant = "v8"
+		}
+		vector = append(vector, platformVector(specs.Platform{
+			Architecture: "arm",
+			OS:           platform.OS,
+			OSVersion:    platform.OSVersion,
+			OSFeatures:   platform.OSFeatures,
+			Variant:      variant,
+		})...)
+	}
+
+	return vector
+}
+
+// Only returns a match comparer for a single platform
+// using default resolution logic for the platform.
+//
+// For arm/v8, will also match arm/v7, arm/v6 and arm/v5
+// For arm/v7, will also match arm/v6 and arm/v5
+// For arm/v6, will also match arm/v5
+// For amd64, will also match 386
+func Only(platform specs.Platform) MatchComparer {
+	return Ordered(platformVector(Normalize(platform))...)
+}
+
+// OnlyStrict returns a match comparer for a single platform.
+//
+// Unlike Only, OnlyStrict does not match sub platforms.
+// So, "arm/vN" will not match "arm/vM" where M < N,
+// and "amd64" will not also match "386".
+//
+// OnlyStrict matches non-canonical forms.
+// So, "arm64" matches "arm/64/v8".
+func OnlyStrict(platform specs.Platform) MatchComparer {
+	return Ordered(Normalize(platform))
+}
+
+// Ordered returns a platform MatchComparer which matches any of the platforms
+// but orders them in order they are provided.
+func Ordered(platforms ...specs.Platform) MatchComparer {
+	matchers := make([]Matcher, len(platforms))
+	for i := range platforms {
+		matchers[i] = NewMatcher(platforms[i])
+	}
+	return orderedPlatformComparer{
+		matchers: matchers,
+	}
+}
+
+// Any returns a platform MatchComparer which matches any of the platforms
+// with no preference for ordering.
+func Any(platforms ...specs.Platform) MatchComparer {
+	matchers := make([]Matcher, len(platforms))
+	for i := range platforms {
+		matchers[i] = NewMatcher(platforms[i])
+	}
+	return anyPlatformComparer{
+		matchers: matchers,
+	}
+}
+
+// All is a platform MatchComparer which matches all platforms
+// with preference for ordering.
+var All MatchComparer = allPlatformComparer{}
+
+type orderedPlatformComparer struct {
+	matchers []Matcher
+}
+
+func (c orderedPlatformComparer) Match(platform specs.Platform) bool {
+	for _, m := range c.matchers {
+		if m.Match(platform) {
+			return true
+		}
+	}
+	return false
+}
+
+func (c orderedPlatformComparer) Less(p1 specs.Platform, p2 specs.Platform) bool {
+	for _, m := range c.matchers {
+		p1m := m.Match(p1)
+		p2m := m.Match(p2)
+		if p1m && !p2m {
+			return true
+		}
+		if p1m || p2m {
+			return false
+		}
+	}
+	return false
+}
+
+type anyPlatformComparer struct {
+	matchers []Matcher
+}
+
+func (c anyPlatformComparer) Match(platform specs.Platform) bool {
+	for _, m := range c.matchers {
+		if m.Match(platform) {
+			return true
+		}
+	}
+	return false
+}
+
+func (c anyPlatformComparer) Less(p1, p2 specs.Platform) bool {
+	var p1m, p2m bool
+	for _, m := range c.matchers {
+		if !p1m && m.Match(p1) {
+			p1m = true
+		}
+		if !p2m && m.Match(p2) {
+			p2m = true
+		}
+		if p1m && p2m {
+			return false
+		}
+	}
+	// If one matches, and the other does, sort match first
+	return p1m && !p2m
+}
+
+type allPlatformComparer struct{}
+
+func (allPlatformComparer) Match(specs.Platform) bool {
+	return true
+}
+
+func (allPlatformComparer) Less(specs.Platform, specs.Platform) bool {
+	return false
+}
diff --git a/vendor/github.com/containerd/platforms/cpuinfo.go b/vendor/github.com/containerd/platforms/cpuinfo.go
new file mode 100644
index 00000000..91f50e8c
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/cpuinfo.go
@@ -0,0 +1,43 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+	"sync"
+
+	"github.com/containerd/log"
+)
+
+// Present the ARM instruction set architecture, eg: v7, v8
+// Don't use this value directly; call cpuVariant() instead.
+var cpuVariantValue string
+
+var cpuVariantOnce sync.Once
+
+func cpuVariant() string {
+	cpuVariantOnce.Do(func() {
+		if isArmArch(runtime.GOARCH) {
+			var err error
+			cpuVariantValue, err = getCPUVariant()
+			if err != nil {
+				log.L.Errorf("Error getCPUVariant for OS %s: %v", runtime.GOOS, err)
+			}
+		}
+	})
+	return cpuVariantValue
+}
diff --git a/vendor/github.com/containerd/platforms/cpuinfo_linux.go b/vendor/github.com/containerd/platforms/cpuinfo_linux.go
new file mode 100644
index 00000000..98c7001f
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/cpuinfo_linux.go
@@ -0,0 +1,160 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+// getMachineArch retrieves the machine architecture through system call
+func getMachineArch() (string, error) {
+	var uname unix.Utsname
+	err := unix.Uname(&uname)
+	if err != nil {
+		return "", err
+	}
+
+	arch := string(uname.Machine[:bytes.IndexByte(uname.Machine[:], 0)])
+
+	return arch, nil
+}
+
+// For Linux, the kernel has already detected the ABI, ISA and Features.
+// So we don't need to access the ARM registers to detect platform information
+// by ourselves. We can just parse these information from /proc/cpuinfo
+func getCPUInfo(pattern string) (info string, err error) {
+
+	cpuinfo, err := os.Open("/proc/cpuinfo")
+	if err != nil {
+		return "", err
+	}
+	defer cpuinfo.Close()
+
+	// Start to Parse the Cpuinfo line by line. For SMP SoC, we parse
+	// the first core is enough.
+	scanner := bufio.NewScanner(cpuinfo)
+	for scanner.Scan() {
+		newline := scanner.Text()
+		list := strings.Split(newline, ":")
+
+		if len(list) > 1 && strings.EqualFold(strings.TrimSpace(list[0]), pattern) {
+			return strings.TrimSpace(list[1]), nil
+		}
+	}
+
+	// Check whether the scanner encountered errors
+	err = scanner.Err()
+	if err != nil {
+		return "", err
+	}
+
+	return "", fmt.Errorf("getCPUInfo for pattern %s: %w", pattern, errNotFound)
+}
+
+// getCPUVariantFromArch get CPU variant from arch through a system call
+func getCPUVariantFromArch(arch string) (string, error) {
+
+	var variant string
+
+	arch = strings.ToLower(arch)
+
+	if arch == "aarch64" {
+		variant = "8"
+	} else if arch[0:4] == "armv" && len(arch) >= 5 {
+		// Valid arch format is in form of armvXx
+		switch arch[3:5] {
+		case "v8":
+			variant = "8"
+		case "v7":
+			variant = "7"
+		case "v6":
+			variant = "6"
+		case "v5":
+			variant = "5"
+		case "v4":
+			variant = "4"
+		case "v3":
+			variant = "3"
+		default:
+			variant = "unknown"
+		}
+	} else {
+		return "", fmt.Errorf("getCPUVariantFromArch invalid arch: %s, %w", arch, errInvalidArgument)
+	}
+	return variant, nil
+}
+
+// getCPUVariant returns cpu variant for ARM
+// We first try reading "Cpu architecture" field from /proc/cpuinfo
+// If we can't find it, then fall back using a system call
+// This is to cover running ARM in emulated environment on x86 host as this field in /proc/cpuinfo
+// was not present.
+func getCPUVariant() (string, error) {
+	variant, err := getCPUInfo("Cpu architecture")
+	if err != nil {
+		if errors.Is(err, errNotFound) {
+			// Let's try getting CPU variant from machine architecture
+			arch, err := getMachineArch()
+			if err != nil {
+				return "", fmt.Errorf("failure getting machine architecture: %v", err)
+			}
+
+			variant, err = getCPUVariantFromArch(arch)
+			if err != nil {
+				return "", fmt.Errorf("failure getting CPU variant from machine architecture: %v", err)
+			}
+		} else {
+			return "", fmt.Errorf("failure getting CPU variant: %v", err)
+		}
+	}
+
+	// handle edge case for Raspberry Pi ARMv6 devices (which due to a kernel quirk, report "CPU architecture: 7")
+	// https://www.raspberrypi.org/forums/viewtopic.php?t=12614
+	if runtime.GOARCH == "arm" && variant == "7" {
+		model, err := getCPUInfo("model name")
+		if err == nil && strings.HasPrefix(strings.ToLower(model), "armv6-compatible") {
+			variant = "6"
+		}
+	}
+
+	switch strings.ToLower(variant) {
+	case "8", "aarch64":
+		variant = "v8"
+	case "7", "7m", "?(12)", "?(13)", "?(14)", "?(15)", "?(16)", "?(17)":
+		variant = "v7"
+	case "6", "6tej":
+		variant = "v6"
+	case "5", "5t", "5te", "5tej":
+		variant = "v5"
+	case "4", "4t":
+		variant = "v4"
+	case "3":
+		variant = "v3"
+	default:
+		variant = "unknown"
+	}
+
+	return variant, nil
+}
diff --git a/vendor/github.com/containerd/platforms/cpuinfo_other.go b/vendor/github.com/containerd/platforms/cpuinfo_other.go
new file mode 100644
index 00000000..97a1fe8a
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/cpuinfo_other.go
@@ -0,0 +1,55 @@
+//go:build !linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"fmt"
+	"runtime"
+)
+
+func getCPUVariant() (string, error) {
+
+	var variant string
+
+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+		// Windows/Darwin only supports v7 for ARM32 and v8 for ARM64 and so we can use
+		// runtime.GOARCH to determine the variants
+		switch runtime.GOARCH {
+		case "arm64":
+			variant = "v8"
+		case "arm":
+			variant = "v7"
+		default:
+			variant = "unknown"
+		}
+	} else if runtime.GOOS == "freebsd" {
+		// FreeBSD supports ARMv6 and ARMv7 as well as ARMv4 and ARMv5 (though deprecated)
+		// detecting those variants is currently unimplemented
+		switch runtime.GOARCH {
+		case "arm64":
+			variant = "v8"
+		default:
+			variant = "unknown"
+		}
+	} else {
+		return "", fmt.Errorf("getCPUVariant for OS %s: %v", runtime.GOOS, errNotImplemented)
+	}
+
+	return variant, nil
+}
diff --git a/vendor/github.com/containerd/platforms/database.go b/vendor/github.com/containerd/platforms/database.go
new file mode 100644
index 00000000..2e26fd3b
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/database.go
@@ -0,0 +1,109 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+	"strings"
+)
+
+// These function are generated from https://golang.org/src/go/build/syslist.go.
+//
+// We use switch statements because they are slightly faster than map lookups
+// and use a little less memory.
+
+// isKnownOS returns true if we know about the operating system.
+//
+// The OS value should be normalized before calling this function.
+func isKnownOS(os string) bool {
+	switch os {
+	case "aix", "android", "darwin", "dragonfly", "freebsd", "hurd", "illumos", "ios", "js", "linux", "nacl", "netbsd", "openbsd", "plan9", "solaris", "windows", "zos":
+		return true
+	}
+	return false
+}
+
+// isArmArch returns true if the architecture is ARM.
+//
+// The arch value should be normalized before being passed to this function.
+func isArmArch(arch string) bool {
+	switch arch {
+	case "arm", "arm64":
+		return true
+	}
+	return false
+}
+
+// isKnownArch returns true if we know about the architecture.
+//
+// The arch value should be normalized before being passed to this function.
+func isKnownArch(arch string) bool {
+	switch arch {
+	case "386", "amd64", "amd64p32", "arm", "armbe", "arm64", "arm64be", "ppc64", "ppc64le", "loong64", "mips", "mipsle", "mips64", "mips64le", "mips64p32", "mips64p32le", "ppc", "riscv", "riscv64", "s390", "s390x", "sparc", "sparc64", "wasm":
+		return true
+	}
+	return false
+}
+
+func normalizeOS(os string) string {
+	if os == "" {
+		return runtime.GOOS
+	}
+	os = strings.ToLower(os)
+
+	switch os {
+	case "macos":
+		os = "darwin"
+	}
+	return os
+}
+
+// normalizeArch normalizes the architecture.
+func normalizeArch(arch, variant string) (string, string) {
+	arch, variant = strings.ToLower(arch), strings.ToLower(variant)
+	switch arch {
+	case "i386":
+		arch = "386"
+		variant = ""
+	case "x86_64", "x86-64", "amd64":
+		arch = "amd64"
+		if variant == "v1" {
+			variant = ""
+		}
+	case "aarch64", "arm64":
+		arch = "arm64"
+		switch variant {
+		case "8", "v8":
+			variant = ""
+		}
+	case "armhf":
+		arch = "arm"
+		variant = "v7"
+	case "armel":
+		arch = "arm"
+		variant = "v6"
+	case "arm":
+		switch variant {
+		case "", "7":
+			variant = "v7"
+		case "5", "6", "8":
+			variant = "v" + variant
+		}
+	}
+
+	return arch, variant
+}
diff --git a/vendor/github.com/containerd/platforms/defaults.go b/vendor/github.com/containerd/platforms/defaults.go
new file mode 100644
index 00000000..9d898d60
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults.go
@@ -0,0 +1,29 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+// DefaultString returns the default string specifier for the platform,
+// with [PR#6](https://github.com/containerd/platforms/pull/6) the result
+// may now also include the OSVersion from the provided platform specification.
+func DefaultString() string {
+	return FormatAll(DefaultSpec())
+}
+
+// DefaultStrict returns strict form of Default.
+func DefaultStrict() MatchComparer {
+	return OnlyStrict(DefaultSpec())
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_darwin.go b/vendor/github.com/containerd/platforms/defaults_darwin.go
new file mode 100644
index 00000000..72355ca8
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_darwin.go
@@ -0,0 +1,44 @@
+//go:build darwin
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+// Default returns the default matcher for the platform.
+func Default() MatchComparer {
+	return Ordered(DefaultSpec(), specs.Platform{
+		// darwin runtime also supports Linux binary via runu/LKL
+		OS:           "linux",
+		Architecture: runtime.GOARCH,
+	})
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_freebsd.go b/vendor/github.com/containerd/platforms/defaults_freebsd.go
new file mode 100644
index 00000000..d3fe89e0
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_freebsd.go
@@ -0,0 +1,43 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+// Default returns the default matcher for the platform.
+func Default() MatchComparer {
+	return Ordered(DefaultSpec(), specs.Platform{
+		OS:           "linux",
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	})
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_unix.go b/vendor/github.com/containerd/platforms/defaults_unix.go
new file mode 100644
index 00000000..44acc47e
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_unix.go
@@ -0,0 +1,40 @@
+//go:build !windows && !darwin && !freebsd
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+// Default returns the default matcher for the platform.
+func Default() MatchComparer {
+	return Only(DefaultSpec())
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_windows.go b/vendor/github.com/containerd/platforms/defaults_windows.go
new file mode 100644
index 00000000..427ed72e
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_windows.go
@@ -0,0 +1,118 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"fmt"
+	"runtime"
+	"strconv"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sys/windows"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	major, minor, build := windows.RtlGetNtVersionNumbers()
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		OSVersion:    fmt.Sprintf("%d.%d.%d", major, minor, build),
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+type windowsmatcher struct {
+	specs.Platform
+	osVersionPrefix string
+	defaultMatcher  Matcher
+}
+
+// Match matches platform with the same windows major, minor
+// and build version.
+func (m windowsmatcher) Match(p specs.Platform) bool {
+	match := m.defaultMatcher.Match(p)
+
+	if match && m.OS == "windows" {
+		// HPC containers do not have OS version filled
+		if m.OSVersion == "" || p.OSVersion == "" {
+			return true
+		}
+
+		hostOsVersion := getOSVersion(m.osVersionPrefix)
+		ctrOsVersion := getOSVersion(p.OSVersion)
+		return checkHostAndContainerCompat(hostOsVersion, ctrOsVersion)
+	}
+
+	return match
+}
+
+func getOSVersion(osVersionPrefix string) osVersion {
+	parts := strings.Split(osVersionPrefix, ".")
+	if len(parts) < 3 {
+		return osVersion{}
+	}
+
+	majorVersion, _ := strconv.Atoi(parts[0])
+	minorVersion, _ := strconv.Atoi(parts[1])
+	buildNumber, _ := strconv.Atoi(parts[2])
+
+	return osVersion{
+		MajorVersion: uint8(majorVersion),
+		MinorVersion: uint8(minorVersion),
+		Build:        uint16(buildNumber),
+	}
+}
+
+// Less sorts matched platforms in front of other platforms.
+// For matched platforms, it puts platforms with larger revision
+// number in front.
+func (m windowsmatcher) Less(p1, p2 specs.Platform) bool {
+	m1, m2 := m.Match(p1), m.Match(p2)
+	if m1 && m2 {
+		r1, r2 := revision(p1.OSVersion), revision(p2.OSVersion)
+		return r1 > r2
+	}
+	return m1 && !m2
+}
+
+func revision(v string) int {
+	parts := strings.Split(v, ".")
+	if len(parts) < 4 {
+		return 0
+	}
+	r, err := strconv.Atoi(parts[3])
+	if err != nil {
+		return 0
+	}
+	return r
+}
+
+func prefix(v string) string {
+	parts := strings.Split(v, ".")
+	if len(parts) < 4 {
+		return v
+	}
+	return strings.Join(parts[0:3], ".")
+}
+
+// Default returns the current platform's default platform specification.
+func Default() MatchComparer {
+	return Only(DefaultSpec())
+}
diff --git a/vendor/github.com/containerd/platforms/errors.go b/vendor/github.com/containerd/platforms/errors.go
new file mode 100644
index 00000000..5ad721e7
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/errors.go
@@ -0,0 +1,30 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import "errors"
+
+// These errors mirror the errors defined in [github.com/containerd/containerd/errdefs],
+// however, they are not exported as they are not expected to be used as sentinel
+// errors by consumers of this package.
+//
+//nolint:unused // not all errors are used on all platforms.
+var (
+	errNotFound        = errors.New("not found")
+	errInvalidArgument = errors.New("invalid argument")
+	errNotImplemented  = errors.New("not implemented")
+)
diff --git a/vendor/github.com/containerd/platforms/platform_compat_windows.go b/vendor/github.com/containerd/platforms/platform_compat_windows.go
new file mode 100644
index 00000000..89e66f0c
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platform_compat_windows.go
@@ -0,0 +1,78 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+// osVersion is a wrapper for Windows version information
+// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
+type osVersion struct {
+	Version      uint32
+	MajorVersion uint8
+	MinorVersion uint8
+	Build        uint16
+}
+
+// Windows Client and Server build numbers.
+//
+// See:
+// https://learn.microsoft.com/en-us/windows/release-health/release-information
+// https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info
+// https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
+const (
+	// rs5 (version 1809, codename "Redstone 5") corresponds to Windows Server
+	// 2019 (ltsc2019), and Windows 10 (October 2018 Update).
+	rs5 = 17763
+
+	// v21H2Server corresponds to Windows Server 2022 (ltsc2022).
+	v21H2Server = 20348
+
+	// v22H2Win11 corresponds to Windows 11 (2022 Update).
+	v22H2Win11 = 22621
+)
+
+// List of stable ABI compliant ltsc releases
+// Note: List must be sorted in ascending order
+var compatLTSCReleases = []uint16{
+	v21H2Server,
+}
+
+// CheckHostAndContainerCompat checks if given host and container
+// OS versions are compatible.
+// It includes support for stable ABI compliant versions as well.
+// Every release after WS 2022 will support the previous ltsc
+// container image. Stable ABI is in preview mode for windows 11 client.
+// Refer: https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-2022%2Cwindows-10#windows-server-host-os-compatibility
+func checkHostAndContainerCompat(host, ctr osVersion) bool {
+	// check major minor versions of host and guest
+	if host.MajorVersion != ctr.MajorVersion ||
+		host.MinorVersion != ctr.MinorVersion {
+		return false
+	}
+
+	// If host is < WS 2022, exact version match is required
+	if host.Build < v21H2Server {
+		return host.Build == ctr.Build
+	}
+
+	var supportedLtscRelease uint16
+	for i := len(compatLTSCReleases) - 1; i >= 0; i-- {
+		if host.Build >= compatLTSCReleases[i] {
+			supportedLtscRelease = compatLTSCReleases[i]
+			break
+		}
+	}
+	return ctr.Build >= supportedLtscRelease && ctr.Build <= host.Build
+}
diff --git a/vendor/github.com/containerd/platforms/platforms.go b/vendor/github.com/containerd/platforms/platforms.go
new file mode 100644
index 00000000..1bbbdb91
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platforms.go
@@ -0,0 +1,308 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package platforms provides a toolkit for normalizing, matching and
+// specifying container platforms.
+//
+// Centered around OCI platform specifications, we define a string-based
+// specifier syntax that can be used for user input. With a specifier, users
+// only need to specify the parts of the platform that are relevant to their
+// context, providing an operating system or architecture or both.
+//
+// How do I use this package?
+//
+// The vast majority of use cases should simply use the match function with
+// user input. The first step is to parse a specifier into a matcher:
+//
+//	m, err := Parse("linux")
+//	if err != nil { ... }
+//
+// Once you have a matcher, use it to match against the platform declared by a
+// component, typically from an image or runtime. Since extracting an images
+// platform is a little more involved, we'll use an example against the
+// platform default:
+//
+//	if ok := m.Match(Default()); !ok { /* doesn't match */ }
+//
+// This can be composed in loops for resolving runtimes or used as a filter for
+// fetch and select images.
+//
+// More details of the specifier syntax and platform spec follow.
+//
+// # Declaring Platform Support
+//
+// Components that have strict platform requirements should use the OCI
+// platform specification to declare their support. Typically, this will be
+// images and runtimes that should make these declaring which platform they
+// support specifically. This looks roughly as follows:
+//
+//	  type Platform struct {
+//		   Architecture string
+//		   OS           string
+//		   Variant      string
+//	  }
+//
+// Most images and runtimes should at least set Architecture and OS, according
+// to their GOARCH and GOOS values, respectively (follow the OCI image
+// specification when in doubt). ARM should set variant under certain
+// discussions, which are outlined below.
+//
+// # Platform Specifiers
+//
+// While the OCI platform specifications provide a tool for components to
+// specify structured information, user input typically doesn't need the full
+// context and much can be inferred. To solve this problem, we introduced
+// "specifiers". A specifier has the format
+// `<os>|<arch>|<os>/<arch>[/<variant>]`.  The user can provide either the
+// operating system or the architecture or both.
+//
+// An example of a common specifier is `linux/amd64`. If the host has a default
+// of runtime that matches this, the user can simply provide the component that
+// matters. For example, if a image provides amd64 and arm64 support, the
+// operating system, `linux` can be inferred, so they only have to provide
+// `arm64` or `amd64`. Similar behavior is implemented for operating systems,
+// where the architecture may be known but a runtime may support images from
+// different operating systems.
+//
+// # Normalization
+//
+// Because not all users are familiar with the way the Go runtime represents
+// platforms, several normalizations have been provided to make this package
+// easier to user.
+//
+// The following are performed for architectures:
+//
+//	Value    Normalized
+//	aarch64  arm64
+//	armhf    arm
+//	armel    arm/v6
+//	i386     386
+//	x86_64   amd64
+//	x86-64   amd64
+//
+// We also normalize the operating system `macos` to `darwin`.
+//
+// # ARM Support
+//
+// To qualify ARM architecture, the Variant field is used to qualify the arm
+// version. The most common arm version, v7, is represented without the variant
+// unless it is explicitly provided. This is treated as equivalent to armhf. A
+// previous architecture, armel, will be normalized to arm/v6.
+//
+// Similarly, the most common arm64 version v8, and most common amd64 version v1
+// are represented without the variant.
+//
+// While these normalizations are provided, their support on arm platforms has
+// not yet been fully implemented and tested.
+package platforms
+
+import (
+	"fmt"
+	"path"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+var (
+	specifierRe    = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
+	osAndVersionRe = regexp.MustCompile(`^([A-Za-z0-9_-]+)(?:\(([A-Za-z0-9_.-]*)\))?$`)
+)
+
+const osAndVersionFormat = "%s(%s)"
+
+// Platform is a type alias for convenience, so there is no need to import image-spec package everywhere.
+type Platform = specs.Platform
+
+// Matcher matches platforms specifications, provided by an image or runtime.
+type Matcher interface {
+	Match(platform specs.Platform) bool
+}
+
+// NewMatcher returns a simple matcher based on the provided platform
+// specification. The returned matcher only looks for equality based on os,
+// architecture and variant.
+//
+// One may implement their own matcher if this doesn't provide the required
+// functionality.
+//
+// Applications should opt to use `Match` over directly parsing specifiers.
+func NewMatcher(platform specs.Platform) Matcher {
+	return newDefaultMatcher(platform)
+}
+
+type matcher struct {
+	specs.Platform
+}
+
+func (m *matcher) Match(platform specs.Platform) bool {
+	normalized := Normalize(platform)
+	return m.OS == normalized.OS &&
+		m.Architecture == normalized.Architecture &&
+		m.Variant == normalized.Variant
+}
+
+func (m *matcher) String() string {
+	return FormatAll(m.Platform)
+}
+
+// ParseAll parses a list of platform specifiers into a list of platform.
+func ParseAll(specifiers []string) ([]specs.Platform, error) {
+	platforms := make([]specs.Platform, len(specifiers))
+	for i, s := range specifiers {
+		p, err := Parse(s)
+		if err != nil {
+			return nil, fmt.Errorf("invalid platform %s: %w", s, err)
+		}
+		platforms[i] = p
+	}
+	return platforms, nil
+}
+
+// Parse parses the platform specifier syntax into a platform declaration.
+//
+// Platform specifiers are in the format `<os>[(<OSVersion>)]|<arch>|<os>[(<OSVersion>)]/<arch>[/<variant>]`.
+// The minimum required information for a platform specifier is the operating
+// system or architecture. The OSVersion can be part of the OS like `windows(10.0.17763)`
+// When an OSVersion is specified, then specs.Platform.OSVersion is populated with that value,
+// and an empty string otherwise.
+// If there is only a single string (no slashes), the
+// value will be matched against the known set of operating systems, then fall
+// back to the known set of architectures. The missing component will be
+// inferred based on the local environment.
+func Parse(specifier string) (specs.Platform, error) {
+	if strings.Contains(specifier, "*") {
+		// TODO(stevvooe): need to work out exact wildcard handling
+		return specs.Platform{}, fmt.Errorf("%q: wildcards not yet supported: %w", specifier, errInvalidArgument)
+	}
+
+	// Limit to 4 elements to prevent unbounded split
+	parts := strings.SplitN(specifier, "/", 4)
+
+	var p specs.Platform
+	for i, part := range parts {
+		if i == 0 {
+			// First element is <os>[(<OSVersion>)]
+			osVer := osAndVersionRe.FindStringSubmatch(part)
+			if osVer == nil {
+				return specs.Platform{}, fmt.Errorf("%q is an invalid OS component of %q: OSAndVersion specifier component must match %q: %w", part, specifier, osAndVersionRe.String(), errInvalidArgument)
+			}
+
+			p.OS = normalizeOS(osVer[1])
+			p.OSVersion = osVer[2]
+		} else {
+			if !specifierRe.MatchString(part) {
+				return specs.Platform{}, fmt.Errorf("%q is an invalid component of %q: platform specifier component must match %q: %w", part, specifier, specifierRe.String(), errInvalidArgument)
+			}
+		}
+	}
+
+	switch len(parts) {
+	case 1:
+		// in this case, we will test that the value might be an OS (with or
+		// without the optional OSVersion specified) and look it up.
+		// If it is not known, we'll treat it as an architecture. Since
+		// we have very little information about the platform here, we are
+		// going to be a little more strict if we don't know about the argument
+		// value.
+		if isKnownOS(p.OS) {
+			// picks a default architecture
+			p.Architecture = runtime.GOARCH
+			if p.Architecture == "arm" && cpuVariant() != "v7" {
+				p.Variant = cpuVariant()
+			}
+
+			return p, nil
+		}
+
+		p.Architecture, p.Variant = normalizeArch(parts[0], "")
+		if p.Architecture == "arm" && p.Variant == "v7" {
+			p.Variant = ""
+		}
+		if isKnownArch(p.Architecture) {
+			p.OS = runtime.GOOS
+			return p, nil
+		}
+
+		return specs.Platform{}, fmt.Errorf("%q: unknown operating system or architecture: %w", specifier, errInvalidArgument)
+	case 2:
+		// In this case, we treat as a regular OS[(OSVersion)]/arch pair. We don't care
+		// about whether or not we know of the platform.
+		p.Architecture, p.Variant = normalizeArch(parts[1], "")
+		if p.Architecture == "arm" && p.Variant == "v7" {
+			p.Variant = ""
+		}
+
+		return p, nil
+	case 3:
+		// we have a fully specified variant, this is rare
+		p.Architecture, p.Variant = normalizeArch(parts[1], parts[2])
+		if p.Architecture == "arm64" && p.Variant == "" {
+			p.Variant = "v8"
+		}
+
+		return p, nil
+	}
+
+	return specs.Platform{}, fmt.Errorf("%q: cannot parse platform specifier: %w", specifier, errInvalidArgument)
+}
+
+// MustParse is like Parses but panics if the specifier cannot be parsed.
+// Simplifies initialization of global variables.
+func MustParse(specifier string) specs.Platform {
+	p, err := Parse(specifier)
+	if err != nil {
+		panic("platform: Parse(" + strconv.Quote(specifier) + "): " + err.Error())
+	}
+	return p
+}
+
+// Format returns a string specifier from the provided platform specification.
+func Format(platform specs.Platform) string {
+	if platform.OS == "" {
+		return "unknown"
+	}
+
+	return path.Join(platform.OS, platform.Architecture, platform.Variant)
+}
+
+// FormatAll returns a string specifier that also includes the OSVersion from the
+// provided platform specification.
+func FormatAll(platform specs.Platform) string {
+	if platform.OS == "" {
+		return "unknown"
+	}
+
+	if platform.OSVersion != "" {
+		OSAndVersion := fmt.Sprintf(osAndVersionFormat, platform.OS, platform.OSVersion)
+		return path.Join(OSAndVersion, platform.Architecture, platform.Variant)
+	}
+	return path.Join(platform.OS, platform.Architecture, platform.Variant)
+}
+
+// Normalize validates and translate the platform to the canonical value.
+//
+// For example, if "Aarch64" is encountered, we change it to "arm64" or if
+// "x86_64" is encountered, it becomes "amd64".
+func Normalize(platform specs.Platform) specs.Platform {
+	platform.OS = normalizeOS(platform.OS)
+	platform.Architecture, platform.Variant = normalizeArch(platform.Architecture, platform.Variant)
+
+	return platform
+}
diff --git a/vendor/github.com/containerd/platforms/platforms_other.go b/vendor/github.com/containerd/platforms/platforms_other.go
new file mode 100644
index 00000000..03f4dcd9
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platforms_other.go
@@ -0,0 +1,30 @@
+//go:build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NewMatcher returns the default Matcher for containerd
+func newDefaultMatcher(platform specs.Platform) Matcher {
+	return &matcher{
+		Platform: Normalize(platform),
+	}
+}
diff --git a/vendor/github.com/containerd/platforms/platforms_windows.go b/vendor/github.com/containerd/platforms/platforms_windows.go
new file mode 100644
index 00000000..950e2a2d
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platforms_windows.go
@@ -0,0 +1,34 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NewMatcher returns a Windows matcher that will match on osVersionPrefix if
+// the platform is Windows otherwise use the default matcher
+func newDefaultMatcher(platform specs.Platform) Matcher {
+	prefix := prefix(platform.OSVersion)
+	return windowsmatcher{
+		Platform:        platform,
+		osVersionPrefix: prefix,
+		defaultMatcher: &matcher{
+			Platform: Normalize(platform),
+		},
+	}
+}
diff --git a/vendor/github.com/cpuguy83/go-md2man/v2/md2man/md2man.go b/vendor/github.com/cpuguy83/go-md2man/v2/md2man/md2man.go
index 62d91b77..5673f5c0 100644
--- a/vendor/github.com/cpuguy83/go-md2man/v2/md2man/md2man.go
+++ b/vendor/github.com/cpuguy83/go-md2man/v2/md2man/md2man.go
@@ -1,3 +1,4 @@
+// Package md2man aims in converting markdown into roff (man pages).
 package md2man
 
 import (
diff --git a/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go b/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go
index 96a80c99..4f1070fc 100644
--- a/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go
+++ b/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go
@@ -47,13 +47,13 @@ const (
 	tableStart        = "\n.TS\nallbox;\n"
 	tableEnd          = ".TE\n"
 	tableCellStart    = "T{\n"
-	tableCellEnd      = "\nT}\n"
+	tableCellEnd      = "\nT}"
 	tablePreprocessor = `'\" t`
 )
 
 // NewRoffRenderer creates a new blackfriday Renderer for generating roff documents
 // from markdown
-func NewRoffRenderer() *roffRenderer { // nolint: golint
+func NewRoffRenderer() *roffRenderer {
 	return &roffRenderer{}
 }
 
@@ -316,9 +316,8 @@ func (r *roffRenderer) handleTableCell(w io.Writer, node *blackfriday.Node, ente
 		} else if nodeLiteralSize(node) > 30 {
 			end = tableCellEnd
 		}
-		if node.Next == nil && end != tableCellEnd {
-			// Last cell: need to carriage return if we are at the end of the
-			// header row and content isn't wrapped in a "tablecell"
+		if node.Next == nil {
+			// Last cell: need to carriage return if we are at the end of the header row.
 			end += crTag
 		}
 		out(w, end)
@@ -356,7 +355,7 @@ func countColumns(node *blackfriday.Node) int {
 }
 
 func out(w io.Writer, output string) {
-	io.WriteString(w, output) // nolint: errcheck
+	io.WriteString(w, output) //nolint:errcheck
 }
 
 func escapeSpecialChars(w io.Writer, text []byte) {
@@ -395,7 +394,7 @@ func escapeSpecialCharsLine(w io.Writer, text []byte) {
 			i++
 		}
 		if i > org {
-			w.Write(text[org:i]) // nolint: errcheck
+			w.Write(text[org:i]) //nolint:errcheck
 		}
 
 		// escape a character
@@ -403,7 +402,7 @@ func escapeSpecialCharsLine(w io.Writer, text []byte) {
 			break
 		}
 
-		w.Write([]byte{'\\', text[i]}) // nolint: errcheck
+		w.Write([]byte{'\\', text[i]}) //nolint:errcheck
 	}
 }
 
diff --git a/vendor/github.com/docker/cli/AUTHORS b/vendor/github.com/docker/cli/AUTHORS
index ad1abd49..c5a480b5 100644
--- a/vendor/github.com/docker/cli/AUTHORS
+++ b/vendor/github.com/docker/cli/AUTHORS
@@ -48,6 +48,7 @@ Alfred Landrum <alfred.landrum@docker.com>
 Ali Rostami <rostami.ali@gmail.com>
 Alicia Lauerman <alicia@eta.im>
 Allen Sun <allensun.shl@alibaba-inc.com>
+Allie Sadler <allie.sadler@docker.com>
 Alvin Deng <alvin.q.deng@utexas.edu>
 Amen Belayneh <amenbelayneh@gmail.com>
 Amey Shrivastava <72866602+AmeyShrivastava@users.noreply.github.com>
@@ -81,6 +82,7 @@ Antonis Kalipetis <akalipetis@gmail.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com>
 Ao Li <la9249@163.com>
 Arash Deshmeh <adeshmeh@ca.ibm.com>
+Archimedes Trajano <developer@trajano.net>
 Arko Dasgupta <arko@tetrate.io>
 Arnaud Porterie <icecrime@gmail.com>
 Arnaud Rebillout <elboulangero@gmail.com>
@@ -88,6 +90,7 @@ Arthur Peka <arthur.peka@outlook.com>
 Ashly Mathew <ashly.mathew@sap.com>
 Ashwini Oruganti <ashwini.oruganti@gmail.com>
 Aslam Ahemad <aslamahemad@gmail.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
 Azat Khuyiyakhmetov <shadow_uz@mail.ru>
 Bardia Keyoumarsi <bkeyouma@ucsc.edu>
 Barnaby Gray <barnaby@pickle.me.uk>
@@ -132,6 +135,7 @@ Cao Weiwei <cao.weiwei30@zte.com.cn>
 Carlo Mion <mion00@gmail.com>
 Carlos Alexandro Becker <caarlos0@gmail.com>
 Carlos de Paula <me@carlosedp.com>
+Carston Schilds <Carston.Schilds@visier.com>
 Casey Korver <casey@korver.dev>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
@@ -189,6 +193,7 @@ Daisuke Ito <itodaisuke00@gmail.com>
 dalanlan <dalanlan925@gmail.com>
 Damien Nadé <github@livna.org>
 Dan Cotora <dan@bluevision.ro>
+Dan Wallis <dan@wallis.nz>
 Danial Gharib <danial.mail.gh@gmail.com>
 Daniel Artine <daniel.artine@ufrj.br>
 Daniel Cassidy <mail@danielcassidy.me.uk>
@@ -237,6 +242,7 @@ Deshi Xiao <dxiao@redhat.com>
 Dharmit Shah <shahdharmit@gmail.com>
 Dhawal Yogesh Bhanushali <dbhanushali@vmware.com>
 Dieter Reuter <dieter.reuter@me.com>
+Dilep Dev <34891655+DilepDev@users.noreply.github.com>
 Dima Stopel <dima@twistlock.com>
 Dimitry Andric <d.andric@activevideo.com>
 Ding Fei <dingfei@stars.org.cn>
@@ -308,6 +314,8 @@ George MacRorie <gmacr31@gmail.com>
 George Margaritis <gmargaritis@protonmail.com>
 George Xie <georgexsh@gmail.com>
 Gianluca Borello <g.borello@gmail.com>
+Giau. Tran Minh <hello@giautm.dev>
+Giedrius Jonikas <giedriusj1@gmail.com>
 Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
 Gio d'Amelio <giodamelio@gmail.com>
 Gleb Stsenov <gleb.stsenov@gmail.com>
@@ -344,6 +352,7 @@ Hugo Gabriel Eyherabide <hugogabriel.eyherabide@gmail.com>
 huqun <huqun@zju.edu.cn>
 Huu Nguyen <huu@prismskylabs.com>
 Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
+Iain MacDonald <IJMacD@gmail.com>
 Iain Samuel McLean Elder <iain@isme.es>
 Ian Campbell <ian.campbell@docker.com>
 Ian Philpot <ian.philpot@microsoft.com>
@@ -393,6 +402,7 @@ Jesse Adametz <jesseadametz@gmail.com>
 Jessica Frazelle <jess@oxide.computer>
 Jezeniel Zapanta <jpzapanta22@gmail.com>
 Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
+Jianyong Wu <wujianyong@hygon.cn>
 Jie Luo <luo612@zju.edu.cn>
 Jilles Oldenbeuving <ojilles@gmail.com>
 Jim Chen <njucjc@gmail.com>
@@ -446,6 +456,7 @@ Julian <gitea+julian@ic.thejulian.uk>
 Julien Barbier <write0@gmail.com>
 Julien Kassar <github@kassisol.com>
 Julien Maitrehenry <julien.maitrehenry@me.com>
+Julio Cesar Garcia <juliogarciamelgarejo@gmail.com>
 Justas Brazauskas <brazauskasjustas@gmail.com>
 Justin Chadwell <me@jedevc.com>
 Justin Cormack <justin.cormack@docker.com>
@@ -490,19 +501,22 @@ Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
 Kyle Mitofsky <Kylemit@gmail.com>
 Lachlan Cooper <lachlancooper@gmail.com>
 Lai Jiangshan <jiangshanlai@gmail.com>
+Lajos Papp <lajos.papp@sequenceiq.com>
 Lars Kellogg-Stedman <lars@redhat.com>
 Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Erignoux <lerignoux@gmail.com>
+Laurent Goderre <laurent.goderre@docker.com>
 Lee Gaines <eightlimbed@gmail.com>
 Lei Jitang <leijitang@huawei.com>
 Lennie <github@consolejunkie.net>
+lentil32 <lentil32@icloud.com>
 Leo Gallucci <elgalu3@gmail.com>
 Leonid Skorospelov <leosko94@gmail.com>
 Lewis Daly <lewisdaly@me.com>
 Li Fu Bang <lifubang@acmcoder.com>
 Li Yi <denverdino@gmail.com>
-Li Yi <weiyuan.yl@alibaba-inc.com>
+Li Zeghong <zeghong@hotmail.com>
 Liang-Chi Hsieh <viirya@gmail.com>
 Lihua Tang <lhtang@alauda.io>
 Lily Guo <lily.guo@docker.com>
@@ -515,6 +529,7 @@ lixiaobing10051267 <li.xiaobing1@zte.com.cn>
 Lloyd Dewolf <foolswisdom@gmail.com>
 Lorenzo Fontana <lo@linux.com>
 Louis Opter <kalessin@kalessin.fr>
+Lovekesh Kumar <lovekesh.kumar@rtcamp.com>
 Luca Favatella <luca.favatella@erlang-solutions.com>
 Luca Marturana <lucamarturana@gmail.com>
 Lucas Chan <lucas-github@lucaschan.com>
@@ -559,6 +574,7 @@ Matt Robenolt <matt@ydekproductions.com>
 Matteo Orefice <matteo.orefice@bites4bits.software>
 Matthew Heon <mheon@redhat.com>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Matthieu MOREL <matthieu.morel35@gmail.com>
 Mauro Porras P <mauroporrasp@gmail.com>
 Max Shytikov <mshytikov@gmail.com>
 Max-Julian Pogner <max-julian@pogner.at>
@@ -566,6 +582,7 @@ Maxime Petazzoni <max@signalfuse.com>
 Maximillian Fan Xavier <maximillianfx@gmail.com>
 Mei ChunTao <mei.chuntao@zte.com.cn>
 Melroy van den Berg <melroy@melroy.org>
+Mert Şişmanoğlu <mert190737fb@gmail.com>
 Metal <2466052+tedhexaflow@users.noreply.github.com>
 Micah Zoltu <micah@newrelic.com>
 Michael A. Smith <michael@smith-li.com>
@@ -598,7 +615,9 @@ Mindaugas Rukas <momomg@gmail.com>
 Miroslav Gula <miroslav.gula@naytrolabs.com>
 Misty Stanley-Jones <misty@docker.com>
 Mohammad Banikazemi <mb@us.ibm.com>
+Mohammad Hossein <mhm98035@gmail.com>
 Mohammed Aaqib Ansari <maaquib@gmail.com>
+Mohammed Aminu Futa <mohammedfuta2000@gmail.com>
 Mohini Anne Dsouza <mohini3917@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com>
 Morgan Bauer <mbauer@us.ibm.com>
@@ -633,9 +652,11 @@ Nicolas De Loof <nicolas.deloof@gmail.com>
 Nikhil Chawla <chawlanikhil24@gmail.com>
 Nikolas Garofil <nikolas.garofil@uantwerpen.be>
 Nikolay Milovanov <nmil@itransformers.net>
+NinaLua <iturf@sina.cn>
 Nir Soffer <nsoffer@redhat.com>
 Nishant Totla <nishanttotla@gmail.com>
 NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
+Noah Silas <noah@hustle.com>
 Noah Treuhaft <noah.treuhaft@docker.com>
 O.S. Tezer <ostezer@gmail.com>
 Oded Arbel <oded@geek.co.il>
@@ -653,10 +674,12 @@ Patrick Böänziger <patrick.baenziger@bsi-software.com>
 Patrick Daigle <114765035+pdaig@users.noreply.github.com>
 Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick Lang <plang@microsoft.com>
+Patrick St. laurent <patrick@saint-laurent.us>
 Paul <paul9869@gmail.com>
 Paul Kehrer <paul.l.kehrer@gmail.com>
 Paul Lietar <paul@lietar.net>
 Paul Mulders <justinkb@gmail.com>
+Paul Rogalski <mail@paul-rogalski.de>
 Paul Seyfert <pseyfert.mathphys@gmail.com>
 Paul Weaver <pauweave@cisco.com>
 Pavel Pospisil <pospispa@gmail.com>
@@ -678,7 +701,6 @@ Philip Alexander Etling <paetling@gmail.com>
 Philipp Gillé <philipp.gille@gmail.com>
 Philipp Schmied <pschmied@schutzwerk.com>
 Phong Tran <tran.pho@northeastern.edu>
-pidster <pid@pidster.com>
 Pieter E Smit <diepes@github.com>
 pixelistik <pixelistik@users.noreply.github.com>
 Pratik Karki <prertik@outlook.com>
@@ -738,6 +760,7 @@ Samuel Cochran <sj26@sj26.com>
 Samuel Karp <skarp@amazon.com>
 Sandro Jäckel <sandro.jaeckel@gmail.com>
 Santhosh Manohar <santhosh@docker.com>
+Sarah Sanders <sarah.sanders@docker.com>
 Sargun Dhillon <sargun@netflix.com>
 Saswat Bhattacharya <sas.saswat@gmail.com>
 Saurabh Kumar <saurabhkumar0184@gmail.com>
@@ -770,6 +793,7 @@ Spencer Brown <spencer@spencerbrown.org>
 Spring Lee <xi.shuai@outlook.com>
 squeegels <lmscrewy@gmail.com>
 Srini Brahmaroutu <srbrahma@us.ibm.com>
+Stavros Panakakis <stavrospanakakis@gmail.com>
 Stefan S. <tronicum@user.github.com>
 Stefan Scherer <stefan.scherer@docker.com>
 Stefan Weil <sw@weilnetz.de>
@@ -780,6 +804,7 @@ Steve Durrheimer <s.durrheimer@gmail.com>
 Steve Richards <steve.richards@docker.com>
 Steven Burgess <steven.a.burgess@hotmail.com>
 Stoica-Marcu Floris-Andrei <floris.sm@gmail.com>
+Stuart Williams <pid@pidster.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
 Sune Keller <absukl@almbrand.dk>
@@ -867,6 +892,7 @@ Wang Yumu <37442693@qq.com>
 Wataru Ishida <ishida.wataru@lab.ntt.co.jp>
 Wayne Song <wsong@docker.com>
 Wen Cheng Ma <wenchma@cn.ibm.com>
+Wenlong Zhang <zhangwenlong@loongson.cn>
 Wenzhi Liang <wenzhi.liang@gmail.com>
 Wes Morgan <cap10morgan@gmail.com>
 Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
@@ -908,3 +934,4 @@ Zhuo Zhi <h.dwwwwww@gmail.com>
 Átila Camurça Alves <camurca.home@gmail.com>
 Александр Менщиков <__Singleton__@hackerdom.ru>
 徐俊杰 <paco.xu@daocloud.io>
+林博仁 Buo-ren Lin <Buo.Ren.Lin@gmail.com>
diff --git a/vendor/github.com/docker/cli/cli-plugins/hooks/printer.go b/vendor/github.com/docker/cli/cli-plugins/hooks/printer.go
deleted file mode 100644
index f6d4b28e..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/hooks/printer.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package hooks
-
-import (
-	"fmt"
-	"io"
-
-	"github.com/morikuni/aec"
-)
-
-func PrintNextSteps(out io.Writer, messages []string) {
-	if len(messages) == 0 {
-		return
-	}
-	_, _ = fmt.Fprintln(out, aec.Bold.Apply("\nWhat's next:"))
-	for _, n := range messages {
-		_, _ = fmt.Fprintln(out, "   ", n)
-	}
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/hooks/template.go b/vendor/github.com/docker/cli/cli-plugins/hooks/template.go
deleted file mode 100644
index e6bd69f3..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/hooks/template.go
+++ /dev/null
@@ -1,116 +0,0 @@
-package hooks
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"strconv"
-	"strings"
-	"text/template"
-
-	"github.com/spf13/cobra"
-)
-
-type HookType int
-
-const (
-	NextSteps = iota
-)
-
-// HookMessage represents a plugin hook response. Plugins
-// declaring support for CLI hooks need to print a json
-// representation of this type when their hook subcommand
-// is invoked.
-type HookMessage struct {
-	Type     HookType
-	Template string
-}
-
-// TemplateReplaceSubcommandName returns a hook template string
-// that will be replaced by the CLI subcommand being executed
-//
-// Example:
-//
-// "you ran the subcommand: " + TemplateReplaceSubcommandName()
-//
-// when being executed after the command:
-// `docker run --name "my-container" alpine`
-// will result in the message:
-// `you ran the subcommand: run`
-func TemplateReplaceSubcommandName() string {
-	return hookTemplateCommandName
-}
-
-// TemplateReplaceFlagValue returns a hook template string
-// that will be replaced by the flags value.
-//
-// Example:
-//
-// "you ran a container named: " + TemplateReplaceFlagValue("name")
-//
-// when being executed after the command:
-// `docker run --name "my-container" alpine`
-// will result in the message:
-// `you ran a container named: my-container`
-func TemplateReplaceFlagValue(flag string) string {
-	return fmt.Sprintf(hookTemplateFlagValue, flag)
-}
-
-// TemplateReplaceArg takes an index i and returns a hook
-// template string that the CLI will replace the template with
-// the ith argument, after processing the passed flags.
-//
-// Example:
-//
-// "run this image with `docker run " + TemplateReplaceArg(0) + "`"
-//
-// when being executed after the command:
-// `docker pull alpine`
-// will result in the message:
-// "Run this image with `docker run alpine`"
-func TemplateReplaceArg(i int) string {
-	return fmt.Sprintf(hookTemplateArg, strconv.Itoa(i))
-}
-
-func ParseTemplate(hookTemplate string, cmd *cobra.Command) ([]string, error) {
-	tmpl := template.New("").Funcs(commandFunctions)
-	tmpl, err := tmpl.Parse(hookTemplate)
-	if err != nil {
-		return nil, err
-	}
-	b := bytes.Buffer{}
-	err = tmpl.Execute(&b, cmd)
-	if err != nil {
-		return nil, err
-	}
-	return strings.Split(b.String(), "\n"), nil
-}
-
-var ErrHookTemplateParse = errors.New("failed to parse hook template")
-
-const (
-	hookTemplateCommandName = "{{.Name}}"
-	hookTemplateFlagValue   = `{{flag . "%s"}}`
-	hookTemplateArg         = "{{arg . %s}}"
-)
-
-var commandFunctions = template.FuncMap{
-	"flag": getFlagValue,
-	"arg":  getArgValue,
-}
-
-func getFlagValue(cmd *cobra.Command, flag string) (string, error) {
-	cmdFlag := cmd.Flag(flag)
-	if cmdFlag == nil {
-		return "", ErrHookTemplateParse
-	}
-	return cmdFlag.Value.String(), nil
-}
-
-func getArgValue(cmd *cobra.Command, i int) (string, error) {
-	flags := cmd.Flags()
-	if flags == nil {
-		return "", ErrHookTemplateParse
-	}
-	return flags.Arg(i), nil
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/candidate.go b/vendor/github.com/docker/cli/cli-plugins/manager/candidate.go
deleted file mode 100644
index e65ac1a5..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/candidate.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package manager
-
-import "os/exec"
-
-// Candidate represents a possible plugin candidate, for mocking purposes
-type Candidate interface {
-	Path() string
-	Metadata() ([]byte, error)
-}
-
-type candidate struct {
-	path string
-}
-
-func (c *candidate) Path() string {
-	return c.path
-}
-
-func (c *candidate) Metadata() ([]byte, error) {
-	return exec.Command(c.path, MetadataSubcommandName).Output() // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/cobra.go b/vendor/github.com/docker/cli/cli-plugins/manager/cobra.go
deleted file mode 100644
index 4bfa06fa..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/cobra.go
+++ /dev/null
@@ -1,147 +0,0 @@
-package manager
-
-import (
-	"fmt"
-	"net/url"
-	"os"
-	"strings"
-	"sync"
-
-	"github.com/docker/cli/cli/command"
-	"github.com/spf13/cobra"
-	"go.opentelemetry.io/otel/attribute"
-)
-
-const (
-	// CommandAnnotationPlugin is added to every stub command added by
-	// AddPluginCommandStubs with the value "true" and so can be
-	// used to distinguish plugin stubs from regular commands.
-	CommandAnnotationPlugin = "com.docker.cli.plugin"
-
-	// CommandAnnotationPluginVendor is added to every stub command
-	// added by AddPluginCommandStubs and contains the vendor of
-	// that plugin.
-	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
-
-	// CommandAnnotationPluginVersion is added to every stub command
-	// added by AddPluginCommandStubs and contains the version of
-	// that plugin.
-	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
-
-	// CommandAnnotationPluginInvalid is added to any stub command
-	// added by AddPluginCommandStubs for an invalid command (that
-	// is, one which failed it's candidate test) and contains the
-	// reason for the failure.
-	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
-
-	// CommandAnnotationPluginCommandPath is added to overwrite the
-	// command path for a plugin invocation.
-	CommandAnnotationPluginCommandPath = "com.docker.cli.plugin.command_path"
-)
-
-var pluginCommandStubsOnce sync.Once
-
-// AddPluginCommandStubs adds a stub cobra.Commands for each valid and invalid
-// plugin. The command stubs will have several annotations added, see
-// `CommandAnnotationPlugin*`.
-func AddPluginCommandStubs(dockerCli command.Cli, rootCmd *cobra.Command) (err error) {
-	pluginCommandStubsOnce.Do(func() {
-		var plugins []Plugin
-		plugins, err = ListPlugins(dockerCli, rootCmd)
-		if err != nil {
-			return
-		}
-		for _, p := range plugins {
-			vendor := p.Vendor
-			if vendor == "" {
-				vendor = "unknown"
-			}
-			annotations := map[string]string{
-				CommandAnnotationPlugin:        "true",
-				CommandAnnotationPluginVendor:  vendor,
-				CommandAnnotationPluginVersion: p.Version,
-			}
-			if p.Err != nil {
-				annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
-			}
-			rootCmd.AddCommand(&cobra.Command{
-				Use:                p.Name,
-				Short:              p.ShortDescription,
-				Run:                func(_ *cobra.Command, _ []string) {},
-				Annotations:        annotations,
-				DisableFlagParsing: true,
-				RunE: func(cmd *cobra.Command, args []string) error {
-					flags := rootCmd.PersistentFlags()
-					flags.SetOutput(nil)
-					perr := flags.Parse(args)
-					if perr != nil {
-						return err
-					}
-					if flags.Changed("help") {
-						cmd.HelpFunc()(rootCmd, args)
-						return nil
-					}
-					return fmt.Errorf("docker: unknown command: docker %s\n\nRun 'docker --help' for more information", cmd.Name())
-				},
-				ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-					// Delegate completion to plugin
-					cargs := []string{p.Path, cobra.ShellCompRequestCmd, p.Name}
-					cargs = append(cargs, args...)
-					cargs = append(cargs, toComplete)
-					os.Args = cargs
-					runCommand, runErr := PluginRunCommand(dockerCli, p.Name, cmd)
-					if runErr != nil {
-						return nil, cobra.ShellCompDirectiveError
-					}
-					runErr = runCommand.Run()
-					if runErr == nil {
-						os.Exit(0) // plugin already rendered complete data
-					}
-					return nil, cobra.ShellCompDirectiveError
-				},
-			})
-		}
-	})
-	return err
-}
-
-const (
-	dockerCliAttributePrefix = attribute.Key("docker.cli")
-
-	cobraCommandPath = attribute.Key("cobra.command_path")
-)
-
-func getPluginResourceAttributes(cmd *cobra.Command, plugin Plugin) attribute.Set {
-	commandPath := cmd.Annotations[CommandAnnotationPluginCommandPath]
-	if commandPath == "" {
-		commandPath = fmt.Sprintf("%s %s", cmd.CommandPath(), plugin.Name)
-	}
-
-	attrSet := attribute.NewSet(
-		cobraCommandPath.String(commandPath),
-	)
-
-	kvs := make([]attribute.KeyValue, 0, attrSet.Len())
-	for iter := attrSet.Iter(); iter.Next(); {
-		attr := iter.Attribute()
-		kvs = append(kvs, attribute.KeyValue{
-			Key:   dockerCliAttributePrefix + "." + attr.Key,
-			Value: attr.Value,
-		})
-	}
-	return attribute.NewSet(kvs...)
-}
-
-func appendPluginResourceAttributesEnvvar(env []string, cmd *cobra.Command, plugin Plugin) []string {
-	if attrs := getPluginResourceAttributes(cmd, plugin); attrs.Len() > 0 {
-		// values in environment variables need to be in baggage format
-		// otel/baggage package can be used after update to v1.22, currently it encodes incorrectly
-		attrsSlice := make([]string, attrs.Len())
-		for iter := attrs.Iter(); iter.Next(); {
-			i, v := iter.IndexedAttribute()
-			attrsSlice[i] = string(v.Key) + "=" + url.PathEscape(v.Value.AsString())
-		}
-		env = append(env, ResourceAttributesEnvvar+"="+strings.Join(attrsSlice, ","))
-	}
-	return env
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/error.go b/vendor/github.com/docker/cli/cli-plugins/manager/error.go
deleted file mode 100644
index cb0bbb5a..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/error.go
+++ /dev/null
@@ -1,54 +0,0 @@
-// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
-
-package manager
-
-import (
-	"github.com/pkg/errors"
-)
-
-// pluginError is set as Plugin.Err by NewPlugin if the plugin
-// candidate fails one of the candidate tests. This exists primarily
-// to implement encoding.TextMarshaller such that rendering a plugin as JSON
-// (e.g. for `docker info -f '{{json .CLIPlugins}}'`) renders the Err
-// field as a useful string and not just `{}`. See
-// https://github.com/golang/go/issues/10748 for some discussion
-// around why the builtin error type doesn't implement this.
-type pluginError struct {
-	cause error
-}
-
-// Error satisfies the core error interface for pluginError.
-func (e *pluginError) Error() string {
-	return e.cause.Error()
-}
-
-// Cause satisfies the errors.causer interface for pluginError.
-func (e *pluginError) Cause() error {
-	return e.cause
-}
-
-// Unwrap provides compatibility for Go 1.13 error chains.
-func (e *pluginError) Unwrap() error {
-	return e.cause
-}
-
-// MarshalText marshalls the pluginError into a textual form.
-func (e *pluginError) MarshalText() (text []byte, err error) {
-	return []byte(e.cause.Error()), nil
-}
-
-// wrapAsPluginError wraps an error in a pluginError with an
-// additional message, analogous to errors.Wrapf.
-func wrapAsPluginError(err error, msg string) error {
-	if err == nil {
-		return nil
-	}
-	return &pluginError{cause: errors.Wrap(err, msg)}
-}
-
-// NewPluginError creates a new pluginError, analogous to
-// errors.Errorf.
-func NewPluginError(msg string, args ...any) error {
-	return &pluginError{cause: errors.Errorf(msg, args...)}
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/hooks.go b/vendor/github.com/docker/cli/cli-plugins/manager/hooks.go
deleted file mode 100644
index 5125c56d..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/hooks.go
+++ /dev/null
@@ -1,199 +0,0 @@
-package manager
-
-import (
-	"context"
-	"encoding/json"
-	"strings"
-
-	"github.com/docker/cli/cli-plugins/hooks"
-	"github.com/docker/cli/cli/command"
-	"github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-)
-
-// HookPluginData is the type representing the information
-// that plugins declaring support for hooks get passed when
-// being invoked following a CLI command execution.
-type HookPluginData struct {
-	// RootCmd is a string representing the matching hook configuration
-	// which is currently being invoked. If a hook for `docker context` is
-	// configured and the user executes `docker context ls`, the plugin will
-	// be invoked with `context`.
-	RootCmd      string
-	Flags        map[string]string
-	CommandError string
-}
-
-// RunCLICommandHooks is the entrypoint into the hooks execution flow after
-// a main CLI command was executed. It calls the hook subcommand for all
-// present CLI plugins that declare support for hooks in their metadata and
-// parses/prints their responses.
-func RunCLICommandHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, cmdErrorMessage string) {
-	commandName := strings.TrimPrefix(subCommand.CommandPath(), rootCmd.Name()+" ")
-	flags := getCommandFlags(subCommand)
-
-	runHooks(ctx, dockerCli, rootCmd, subCommand, commandName, flags, cmdErrorMessage)
-}
-
-// RunPluginHooks is the entrypoint for the hooks execution flow
-// after a plugin command was just executed by the CLI.
-func RunPluginHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, args []string) {
-	commandName := strings.Join(args, " ")
-	flags := getNaiveFlags(args)
-
-	runHooks(ctx, dockerCli, rootCmd, subCommand, commandName, flags, "")
-}
-
-func runHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCommand *cobra.Command, invokedCommand string, flags map[string]string, cmdErrorMessage string) {
-	nextSteps := invokeAndCollectHooks(ctx, dockerCli, rootCmd, subCommand, invokedCommand, flags, cmdErrorMessage)
-
-	hooks.PrintNextSteps(dockerCli.Err(), nextSteps)
-}
-
-func invokeAndCollectHooks(ctx context.Context, dockerCli command.Cli, rootCmd, subCmd *cobra.Command, subCmdStr string, flags map[string]string, cmdErrorMessage string) []string {
-	// check if the context was cancelled before invoking hooks
-	select {
-	case <-ctx.Done():
-		return nil
-	default:
-	}
-
-	pluginsCfg := dockerCli.ConfigFile().Plugins
-	if pluginsCfg == nil {
-		return nil
-	}
-
-	nextSteps := make([]string, 0, len(pluginsCfg))
-	for pluginName, cfg := range pluginsCfg {
-		match, ok := pluginMatch(cfg, subCmdStr)
-		if !ok {
-			continue
-		}
-
-		p, err := GetPlugin(pluginName, dockerCli, rootCmd)
-		if err != nil {
-			continue
-		}
-
-		hookReturn, err := p.RunHook(ctx, HookPluginData{
-			RootCmd:      match,
-			Flags:        flags,
-			CommandError: cmdErrorMessage,
-		})
-		if err != nil {
-			// skip misbehaving plugins, but don't halt execution
-			continue
-		}
-
-		var hookMessageData hooks.HookMessage
-		err = json.Unmarshal(hookReturn, &hookMessageData)
-		if err != nil {
-			continue
-		}
-
-		// currently the only hook type
-		if hookMessageData.Type != hooks.NextSteps {
-			continue
-		}
-
-		processedHook, err := hooks.ParseTemplate(hookMessageData.Template, subCmd)
-		if err != nil {
-			continue
-		}
-
-		var appended bool
-		nextSteps, appended = appendNextSteps(nextSteps, processedHook)
-		if !appended {
-			logrus.Debugf("Plugin %s responded with an empty hook message %q. Ignoring.", pluginName, string(hookReturn))
-		}
-	}
-	return nextSteps
-}
-
-// appendNextSteps appends the processed hook output to the nextSteps slice.
-// If the processed hook output is empty, it is not appended.
-// Empty lines are not stripped if there's at least one non-empty line.
-func appendNextSteps(nextSteps []string, processed []string) ([]string, bool) {
-	empty := true
-	for _, l := range processed {
-		if strings.TrimSpace(l) != "" {
-			empty = false
-			break
-		}
-	}
-
-	if empty {
-		return nextSteps, false
-	}
-
-	return append(nextSteps, processed...), true
-}
-
-// pluginMatch takes a plugin configuration and a string representing the
-// command being executed (such as 'image ls' – the root 'docker' is omitted)
-// and, if the configuration includes a hook for the invoked command, returns
-// the configured hook string.
-func pluginMatch(pluginCfg map[string]string, subCmd string) (string, bool) {
-	configuredPluginHooks, ok := pluginCfg["hooks"]
-	if !ok || configuredPluginHooks == "" {
-		return "", false
-	}
-
-	commands := strings.Split(configuredPluginHooks, ",")
-	for _, hookCmd := range commands {
-		if hookMatch(hookCmd, subCmd) {
-			return hookCmd, true
-		}
-	}
-
-	return "", false
-}
-
-func hookMatch(hookCmd, subCmd string) bool {
-	hookCmdTokens := strings.Split(hookCmd, " ")
-	subCmdTokens := strings.Split(subCmd, " ")
-
-	if len(hookCmdTokens) > len(subCmdTokens) {
-		return false
-	}
-
-	for i, v := range hookCmdTokens {
-		if v != subCmdTokens[i] {
-			return false
-		}
-	}
-
-	return true
-}
-
-func getCommandFlags(cmd *cobra.Command) map[string]string {
-	flags := make(map[string]string)
-	cmd.Flags().Visit(func(f *pflag.Flag) {
-		var fValue string
-		if f.Value.Type() == "bool" {
-			fValue = f.Value.String()
-		}
-		flags[f.Name] = fValue
-	})
-	return flags
-}
-
-// getNaiveFlags string-matches argv and parses them into a map.
-// This is used when calling hooks after a plugin command, since
-// in this case we can't rely on the cobra command tree to parse
-// flags in this case. In this case, no values are ever passed,
-// since we don't have enough information to process them.
-func getNaiveFlags(args []string) map[string]string {
-	flags := make(map[string]string)
-	for _, arg := range args {
-		if strings.HasPrefix(arg, "--") {
-			flags[arg[2:]] = ""
-			continue
-		}
-		if strings.HasPrefix(arg, "-") {
-			flags[arg[1:]] = ""
-		}
-	}
-	return flags
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/manager.go b/vendor/github.com/docker/cli/cli-plugins/manager/manager.go
deleted file mode 100644
index 9f795bc4..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/manager.go
+++ /dev/null
@@ -1,247 +0,0 @@
-package manager
-
-import (
-	"context"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"sort"
-	"strings"
-	"sync"
-
-	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/config"
-	"github.com/docker/cli/cli/config/configfile"
-	"github.com/fvbommel/sortorder"
-	"github.com/spf13/cobra"
-	"golang.org/x/sync/errgroup"
-)
-
-const (
-	// ReexecEnvvar is the name of an ennvar which is set to the command
-	// used to originally invoke the docker CLI when executing a
-	// plugin. Assuming $PATH and $CWD remain unchanged this should allow
-	// the plugin to re-execute the original CLI.
-	ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
-
-	// ResourceAttributesEnvvar is the name of the envvar that includes additional
-	// resource attributes for OTEL.
-	ResourceAttributesEnvvar = "OTEL_RESOURCE_ATTRIBUTES"
-)
-
-// errPluginNotFound is the error returned when a plugin could not be found.
-type errPluginNotFound string
-
-func (errPluginNotFound) NotFound() {}
-
-func (e errPluginNotFound) Error() string {
-	return "Error: No such CLI plugin: " + string(e)
-}
-
-type notFound interface{ NotFound() }
-
-// IsNotFound is true if the given error is due to a plugin not being found.
-func IsNotFound(err error) bool {
-	if e, ok := err.(*pluginError); ok {
-		err = e.Cause()
-	}
-	_, ok := err.(notFound)
-	return ok
-}
-
-// getPluginDirs returns the platform-specific locations to search for plugins
-// in order of preference.
-//
-// Plugin-discovery is performed in the following order of preference:
-//
-// 1. The "cli-plugins" directory inside the CLIs [config.Path] (usually "~/.docker/cli-plugins").
-// 2. Additional plugin directories as configured through [ConfigFile.CLIPluginsExtraDirs].
-// 3. Platform-specific defaultSystemPluginDirs.
-//
-// [ConfigFile.CLIPluginsExtraDirs]: https://pkg.go.dev/github.com/docker/cli@v26.1.4+incompatible/cli/config/configfile#ConfigFile.CLIPluginsExtraDirs
-func getPluginDirs(cfg *configfile.ConfigFile) ([]string, error) {
-	var pluginDirs []string
-
-	if cfg != nil {
-		pluginDirs = append(pluginDirs, cfg.CLIPluginsExtraDirs...)
-	}
-	pluginDir, err := config.Path("cli-plugins")
-	if err != nil {
-		return nil, err
-	}
-
-	pluginDirs = append(pluginDirs, pluginDir)
-	pluginDirs = append(pluginDirs, defaultSystemPluginDirs...)
-	return pluginDirs, nil
-}
-
-func addPluginCandidatesFromDir(res map[string][]string, d string) {
-	dentries, err := os.ReadDir(d)
-	// Silently ignore any directories which we cannot list (e.g. due to
-	// permissions or anything else) or which is not a directory
-	if err != nil {
-		return
-	}
-	for _, dentry := range dentries {
-		switch dentry.Type() & os.ModeType {
-		case 0, os.ModeSymlink:
-			// Regular file or symlink, keep going
-		default:
-			// Something else, ignore.
-			continue
-		}
-		name := dentry.Name()
-		if !strings.HasPrefix(name, NamePrefix) {
-			continue
-		}
-		name = strings.TrimPrefix(name, NamePrefix)
-		var err error
-		if name, err = trimExeSuffix(name); err != nil {
-			continue
-		}
-		res[name] = append(res[name], filepath.Join(d, dentry.Name()))
-	}
-}
-
-// listPluginCandidates returns a map from plugin name to the list of (unvalidated) Candidates. The list is in descending order of priority.
-func listPluginCandidates(dirs []string) map[string][]string {
-	result := make(map[string][]string)
-	for _, d := range dirs {
-		addPluginCandidatesFromDir(result, d)
-	}
-	return result
-}
-
-// GetPlugin returns a plugin on the system by its name
-func GetPlugin(name string, dockerCli command.Cli, rootcmd *cobra.Command) (*Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
-
-	candidates := listPluginCandidates(pluginDirs)
-	if paths, ok := candidates[name]; ok {
-		if len(paths) == 0 {
-			return nil, errPluginNotFound(name)
-		}
-		c := &candidate{paths[0]}
-		p, err := newPlugin(c, rootcmd.Commands())
-		if err != nil {
-			return nil, err
-		}
-		if !IsNotFound(p.Err) {
-			p.ShadowedPaths = paths[1:]
-		}
-		return &p, nil
-	}
-
-	return nil, errPluginNotFound(name)
-}
-
-// ListPlugins produces a list of the plugins available on the system
-func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error) {
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
-
-	candidates := listPluginCandidates(pluginDirs)
-
-	var plugins []Plugin
-	var mu sync.Mutex
-	eg, _ := errgroup.WithContext(context.TODO())
-	cmds := rootcmd.Commands()
-	for _, paths := range candidates {
-		func(paths []string) {
-			eg.Go(func() error {
-				if len(paths) == 0 {
-					return nil
-				}
-				c := &candidate{paths[0]}
-				p, err := newPlugin(c, cmds)
-				if err != nil {
-					return err
-				}
-				if !IsNotFound(p.Err) {
-					p.ShadowedPaths = paths[1:]
-					mu.Lock()
-					defer mu.Unlock()
-					plugins = append(plugins, p)
-				}
-				return nil
-			})
-		}(paths)
-	}
-	if err := eg.Wait(); err != nil {
-		return nil, err
-	}
-
-	sort.Slice(plugins, func(i, j int) bool {
-		return sortorder.NaturalLess(plugins[i].Name, plugins[j].Name)
-	})
-
-	return plugins, nil
-}
-
-// PluginRunCommand returns an "os/exec".Cmd which when .Run() will execute the named plugin.
-// The rootcmd argument is referenced to determine the set of builtin commands in order to detect conficts.
-// The error returned satisfies the IsNotFound() predicate if no plugin was found or if the first candidate plugin was invalid somehow.
-func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command) (*exec.Cmd, error) {
-	// This uses the full original args, not the args which may
-	// have been provided by cobra to our caller. This is because
-	// they lack e.g. global options which we must propagate here.
-	args := os.Args[1:]
-	if !pluginNameRe.MatchString(name) {
-		// We treat this as "not found" so that callers will
-		// fallback to their "invalid" command path.
-		return nil, errPluginNotFound(name)
-	}
-	exename := addExeSuffix(NamePrefix + name)
-	pluginDirs, err := getPluginDirs(dockerCli.ConfigFile())
-	if err != nil {
-		return nil, err
-	}
-
-	for _, d := range pluginDirs {
-		path := filepath.Join(d, exename)
-
-		// We stat here rather than letting the exec tell us
-		// ENOENT because the latter does not distinguish a
-		// file not existing from its dynamic loader or one of
-		// its libraries not existing.
-		if _, err := os.Stat(path); os.IsNotExist(err) {
-			continue
-		}
-
-		c := &candidate{path: path}
-		plugin, err := newPlugin(c, rootcmd.Commands())
-		if err != nil {
-			return nil, err
-		}
-		if plugin.Err != nil {
-			// TODO: why are we not returning plugin.Err?
-			return nil, errPluginNotFound(name)
-		}
-		cmd := exec.Command(plugin.Path, args...) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
-
-		// Using dockerCli.{In,Out,Err}() here results in a hang until something is input.
-		// See: - https://github.com/golang/go/issues/10338
-		//      - https://github.com/golang/go/commit/d000e8742a173aa0659584aa01b7ba2834ba28ab
-		// os.Stdin is a *os.File which avoids this behaviour. We don't need the functionality
-		// of the wrappers here anyway.
-		cmd.Stdin = os.Stdin
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-
-		cmd.Env = append(cmd.Environ(), ReexecEnvvar+"="+os.Args[0])
-		cmd.Env = appendPluginResourceAttributesEnvvar(cmd.Env, rootcmd, plugin)
-
-		return cmd, nil
-	}
-	return nil, errPluginNotFound(name)
-}
-
-// IsPluginCommand checks if the given cmd is a plugin-stub.
-func IsPluginCommand(cmd *cobra.Command) bool {
-	return cmd.Annotations[CommandAnnotationPlugin] == "true"
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/manager_unix.go b/vendor/github.com/docker/cli/cli-plugins/manager/manager_unix.go
deleted file mode 100644
index f546dc38..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/manager_unix.go
+++ /dev/null
@@ -1,20 +0,0 @@
-//go:build !windows
-
-package manager
-
-// defaultSystemPluginDirs are the platform-specific locations to search
-// for plugins in order of preference.
-//
-// Plugin-discovery is performed in the following order of preference:
-//
-// 1. The "cli-plugins" directory inside the CLIs config-directory (usually "~/.docker/cli-plugins").
-// 2. Additional plugin directories as configured through [ConfigFile.CLIPluginsExtraDirs].
-// 3. Platform-specific defaultSystemPluginDirs (as defined below).
-//
-// [ConfigFile.CLIPluginsExtraDirs]: https://pkg.go.dev/github.com/docker/cli@v26.1.4+incompatible/cli/config/configfile#ConfigFile.CLIPluginsExtraDirs
-var defaultSystemPluginDirs = []string{
-	"/usr/local/lib/docker/cli-plugins",
-	"/usr/local/libexec/docker/cli-plugins",
-	"/usr/lib/docker/cli-plugins",
-	"/usr/libexec/docker/cli-plugins",
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/manager_windows.go b/vendor/github.com/docker/cli/cli-plugins/manager/manager_windows.go
deleted file mode 100644
index e8b5598e..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/manager_windows.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package manager
-
-import (
-	"os"
-	"path/filepath"
-)
-
-// defaultSystemPluginDirs are the platform-specific locations to search
-// for plugins in order of preference.
-//
-// Plugin-discovery is performed in the following order of preference:
-//
-// 1. The "cli-plugins" directory inside the CLIs config-directory (usually "~/.docker/cli-plugins").
-// 2. Additional plugin directories as configured through [ConfigFile.CLIPluginsExtraDirs].
-// 3. Platform-specific defaultSystemPluginDirs (as defined below).
-//
-// [ConfigFile.CLIPluginsExtraDirs]: https://pkg.go.dev/github.com/docker/cli@v26.1.4+incompatible/cli/config/configfile#ConfigFile.CLIPluginsExtraDirs
-var defaultSystemPluginDirs = []string{
-	filepath.Join(os.Getenv("ProgramData"), "Docker", "cli-plugins"),
-	filepath.Join(os.Getenv("ProgramFiles"), "Docker", "cli-plugins"),
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/plugin.go b/vendor/github.com/docker/cli/cli-plugins/manager/plugin.go
deleted file mode 100644
index 5576ef43..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/plugin.go
+++ /dev/null
@@ -1,124 +0,0 @@
-package manager
-
-import (
-	"context"
-	"encoding/json"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"regexp"
-	"strings"
-
-	"github.com/pkg/errors"
-	"github.com/spf13/cobra"
-)
-
-var pluginNameRe = regexp.MustCompile("^[a-z][a-z0-9]*$")
-
-// Plugin represents a potential plugin with all it's metadata.
-type Plugin struct {
-	Metadata
-
-	Name string `json:",omitempty"`
-	Path string `json:",omitempty"`
-
-	// Err is non-nil if the plugin failed one of the candidate tests.
-	Err error `json:",omitempty"`
-
-	// ShadowedPaths contains the paths of any other plugins which this plugin takes precedence over.
-	ShadowedPaths []string `json:",omitempty"`
-}
-
-// newPlugin determines if the given candidate is valid and returns a
-// Plugin.  If the candidate fails one of the tests then `Plugin.Err`
-// is set, and is always a `pluginError`, but the `Plugin` is still
-// returned with no error. An error is only returned due to a
-// non-recoverable error.
-func newPlugin(c Candidate, cmds []*cobra.Command) (Plugin, error) {
-	path := c.Path()
-	if path == "" {
-		return Plugin{}, errors.New("plugin candidate path cannot be empty")
-	}
-
-	// The candidate listing process should have skipped anything
-	// which would fail here, so there are all real errors.
-	fullname := filepath.Base(path)
-	if fullname == "." {
-		return Plugin{}, errors.Errorf("unable to determine basename of plugin candidate %q", path)
-	}
-	var err error
-	if fullname, err = trimExeSuffix(fullname); err != nil {
-		return Plugin{}, errors.Wrapf(err, "plugin candidate %q", path)
-	}
-	if !strings.HasPrefix(fullname, NamePrefix) {
-		return Plugin{}, errors.Errorf("plugin candidate %q: does not have %q prefix", path, NamePrefix)
-	}
-
-	p := Plugin{
-		Name: strings.TrimPrefix(fullname, NamePrefix),
-		Path: path,
-	}
-
-	// Now apply the candidate tests, so these update p.Err.
-	if !pluginNameRe.MatchString(p.Name) {
-		p.Err = NewPluginError("plugin candidate %q did not match %q", p.Name, pluginNameRe.String())
-		return p, nil
-	}
-
-	for _, cmd := range cmds {
-		// Ignore conflicts with commands which are
-		// just plugin stubs (i.e. from a previous
-		// call to AddPluginCommandStubs).
-		if IsPluginCommand(cmd) {
-			continue
-		}
-		if cmd.Name() == p.Name {
-			p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
-			return p, nil
-		}
-		if cmd.HasAlias(p.Name) {
-			p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
-			return p, nil
-		}
-	}
-
-	// We are supposed to check for relevant execute permissions here. Instead we rely on an attempt to execute.
-	meta, err := c.Metadata()
-	if err != nil {
-		p.Err = wrapAsPluginError(err, "failed to fetch metadata")
-		return p, nil
-	}
-
-	if err := json.Unmarshal(meta, &p.Metadata); err != nil {
-		p.Err = wrapAsPluginError(err, "invalid metadata")
-		return p, nil
-	}
-	if p.Metadata.SchemaVersion != "0.1.0" {
-		p.Err = NewPluginError("plugin SchemaVersion %q is not valid, must be 0.1.0", p.Metadata.SchemaVersion)
-		return p, nil
-	}
-	if p.Metadata.Vendor == "" {
-		p.Err = NewPluginError("plugin metadata does not define a vendor")
-		return p, nil
-	}
-	return p, nil
-}
-
-// RunHook executes the plugin's hooks command
-// and returns its unprocessed output.
-func (p *Plugin) RunHook(ctx context.Context, hookData HookPluginData) ([]byte, error) {
-	hDataBytes, err := json.Marshal(hookData)
-	if err != nil {
-		return nil, wrapAsPluginError(err, "failed to marshall hook data")
-	}
-
-	pCmd := exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes)) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
-	pCmd.Env = os.Environ()
-	pCmd.Env = append(pCmd.Env, ReexecEnvvar+"="+os.Args[0])
-	hookCmdOutput, err := pCmd.Output()
-	if err != nil {
-		return nil, wrapAsPluginError(err, "failed to execute plugin hook subcommand")
-	}
-
-	return hookCmdOutput, nil
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/suffix_unix.go b/vendor/github.com/docker/cli/cli-plugins/manager/suffix_unix.go
deleted file mode 100644
index 050e5020..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/suffix_unix.go
+++ /dev/null
@@ -1,11 +0,0 @@
-//go:build !windows
-
-package manager
-
-func trimExeSuffix(s string) (string, error) {
-	return s, nil
-}
-
-func addExeSuffix(s string) string {
-	return s
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/suffix_windows.go b/vendor/github.com/docker/cli/cli-plugins/manager/suffix_windows.go
deleted file mode 100644
index 53b507c8..00000000
--- a/vendor/github.com/docker/cli/cli-plugins/manager/suffix_windows.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package manager
-
-import (
-	"path/filepath"
-	"strings"
-
-	"github.com/pkg/errors"
-)
-
-// This is made slightly more complex due to needing to be case insensitive.
-func trimExeSuffix(s string) (string, error) {
-	ext := filepath.Ext(s)
-	if ext == "" {
-		return "", errors.Errorf("path %q lacks required file extension", s)
-	}
-
-	exe := ".exe"
-	if !strings.EqualFold(ext, exe) {
-		return "", errors.Errorf("path %q lacks required %q suffix", s, exe)
-	}
-	return strings.TrimSuffix(s, ext), nil
-}
-
-func addExeSuffix(s string) string {
-	return s + ".exe"
-}
diff --git a/vendor/github.com/docker/cli/cli-plugins/metadata/annotations.go b/vendor/github.com/docker/cli/cli-plugins/metadata/annotations.go
new file mode 100644
index 00000000..1c7c6d18
--- /dev/null
+++ b/vendor/github.com/docker/cli/cli-plugins/metadata/annotations.go
@@ -0,0 +1,28 @@
+package metadata
+
+const (
+	// CommandAnnotationPlugin is added to every stub command added by
+	// AddPluginCommandStubs with the value "true" and so can be
+	// used to distinguish plugin stubs from regular commands.
+	CommandAnnotationPlugin = "com.docker.cli.plugin"
+
+	// CommandAnnotationPluginVendor is added to every stub command
+	// added by AddPluginCommandStubs and contains the vendor of
+	// that plugin.
+	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
+
+	// CommandAnnotationPluginVersion is added to every stub command
+	// added by AddPluginCommandStubs and contains the version of
+	// that plugin.
+	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
+
+	// CommandAnnotationPluginInvalid is added to any stub command
+	// added by AddPluginCommandStubs for an invalid command (that
+	// is, one which failed it's candidate test) and contains the
+	// reason for the failure.
+	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
+
+	// CommandAnnotationPluginCommandPath is added to overwrite the
+	// command path for a plugin invocation.
+	CommandAnnotationPluginCommandPath = "com.docker.cli.plugin.command_path"
+)
diff --git a/vendor/github.com/docker/cli/cli-plugins/manager/metadata.go b/vendor/github.com/docker/cli/cli-plugins/metadata/metadata.go
similarity index 76%
rename from vendor/github.com/docker/cli/cli-plugins/manager/metadata.go
rename to vendor/github.com/docker/cli/cli-plugins/metadata/metadata.go
index f7aac06f..9d408c00 100644
--- a/vendor/github.com/docker/cli/cli-plugins/manager/metadata.go
+++ b/vendor/github.com/docker/cli/cli-plugins/metadata/metadata.go
@@ -1,4 +1,4 @@
-package manager
+package metadata
 
 const (
 	// NamePrefix is the prefix required on all plugin binary names
@@ -13,6 +13,12 @@ const (
 	// which must be implemented by plugins declaring support
 	// for hooks in their metadata.
 	HookSubcommandName = "docker-cli-plugin-hooks"
+
+	// ReexecEnvvar is the name of an ennvar which is set to the command
+	// used to originally invoke the docker CLI when executing a
+	// plugin. Assuming $PATH and $CWD remain unchanged this should allow
+	// the plugin to re-execute the original CLI.
+	ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
 )
 
 // Metadata provided by the plugin.
diff --git a/vendor/github.com/docker/cli/cli/cobra.go b/vendor/github.com/docker/cli/cli/cobra.go
index aa7dbef4..7a14b6f4 100644
--- a/vendor/github.com/docker/cli/cli/cobra.go
+++ b/vendor/github.com/docker/cli/cli/cobra.go
@@ -3,15 +3,12 @@ package cli
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 	"sort"
 	"strings"
 
-	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/metadata"
 	"github.com/docker/cli/cli/command"
 	cliflags "github.com/docker/cli/cli/flags"
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/docker/docker/registry"
 	"github.com/fvbommel/sortorder"
 	"github.com/moby/term"
 	"github.com/morikuni/aec"
@@ -62,13 +59,6 @@ func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *c
 		"docs.code-delimiter": `"`, // https://github.com/docker/cli-docs-tool/blob/77abede22166eaea4af7335096bdcedd043f5b19/annotation/annotation.go#L20-L22
 	}
 
-	// Configure registry.CertsDir() when running in rootless-mode
-	if os.Getenv("ROOTLESSKIT_STATE_DIR") != "" {
-		if configHome, err := homedir.GetConfigHome(); err == nil {
-			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
-		}
-	}
-
 	return opts, helpCommand
 }
 
@@ -252,7 +242,7 @@ func hasAdditionalHelp(cmd *cobra.Command) bool {
 }
 
 func isPlugin(cmd *cobra.Command) bool {
-	return pluginmanager.IsPluginCommand(cmd)
+	return cmd.Annotations[metadata.CommandAnnotationPlugin] == "true"
 }
 
 func hasAliases(cmd *cobra.Command) bool {
@@ -356,9 +346,9 @@ func decoratedName(cmd *cobra.Command) string {
 }
 
 func vendorAndVersion(cmd *cobra.Command) string {
-	if vendor, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
+	if vendor, ok := cmd.Annotations[metadata.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
 		version := ""
-		if v, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVersion]; ok && v != "" {
+		if v, ok := cmd.Annotations[metadata.CommandAnnotationPluginVersion]; ok && v != "" {
 			version = ", " + v
 		}
 		return fmt.Sprintf("(%s%s)", vendor, version)
@@ -417,7 +407,7 @@ func invalidPlugins(cmd *cobra.Command) []*cobra.Command {
 }
 
 func invalidPluginReason(cmd *cobra.Command) string {
-	return cmd.Annotations[pluginmanager.CommandAnnotationPluginInvalid]
+	return cmd.Annotations[metadata.CommandAnnotationPluginInvalid]
 }
 
 const usageTemplate = `Usage:
diff --git a/vendor/github.com/docker/cli/cli/command/cli.go b/vendor/github.com/docker/cli/cli/command/cli.go
index 227720fa..1e042ec0 100644
--- a/vendor/github.com/docker/cli/cli/command/cli.go
+++ b/vendor/github.com/docker/cli/cli/command/cli.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package command
 
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"path/filepath"
 	"runtime"
 	"strconv"
 	"sync"
@@ -21,21 +20,15 @@ import (
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/cli/cli/debug"
 	cliflags "github.com/docker/cli/cli/flags"
-	manifeststore "github.com/docker/cli/cli/manifest/store"
-	registryclient "github.com/docker/cli/cli/registry/client"
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/cli/version"
 	dopts "github.com/docker/cli/opts"
 	"github.com/docker/docker/api"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
-	"github.com/docker/go-connections/tlsconfig"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
-	notaryclient "github.com/theupdateframework/notary/client"
 )
 
 const defaultInitTimeout = 2 * time.Second
@@ -53,13 +46,10 @@ type Cli interface {
 	Streams
 	SetIn(in *streams.In)
 	Apply(ops ...CLIOption) error
-	ConfigFile() *configfile.ConfigFile
+	config.Provider
 	ServerInfo() ServerInfo
-	NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error)
 	DefaultVersion() string
 	CurrentVersion() string
-	ManifestStore() manifeststore.Store
-	RegistryClient(bool) registryclient.RegistryClient
 	ContentTrustEnabled() bool
 	BuildKitEnabled() (bool, error)
 	ContextStore() store.Store
@@ -69,7 +59,9 @@ type Cli interface {
 }
 
 // DockerCli is an instance the docker command line client.
-// Instances of the client can be returned from NewDockerCli.
+// Instances of the client should be created using the [NewDockerCli]
+// constructor to make sure they are properly initialized with defaults
+// set.
 type DockerCli struct {
 	configFile         *configfile.ConfigFile
 	options            *cliflags.ClientOptions
@@ -84,7 +76,7 @@ type DockerCli struct {
 	init               sync.Once
 	initErr            error
 	dockerEndpoint     docker.Endpoint
-	contextStoreConfig store.Config
+	contextStoreConfig *store.Config
 	initTimeout        time.Duration
 	res                telemetryResource
 
@@ -96,7 +88,7 @@ type DockerCli struct {
 	enableGlobalMeter, enableGlobalTracer bool
 }
 
-// DefaultVersion returns api.defaultVersion.
+// DefaultVersion returns [api.DefaultVersion].
 func (*DockerCli) DefaultVersion() string {
 	return api.DefaultVersion
 }
@@ -188,7 +180,7 @@ func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 	}
 
 	si := cli.ServerInfo()
-	if si.BuildkitVersion == types.BuilderBuildKit {
+	if si.BuildkitVersion == build.BuilderBuildKit {
 		// The daemon advertised BuildKit as the preferred builder; this may
 		// be either a Linux daemon or a Windows daemon with experimental
 		// BuildKit support enabled.
@@ -202,16 +194,16 @@ func (cli *DockerCli) BuildKitEnabled() (bool, error) {
 
 // HooksEnabled returns whether plugin hooks are enabled.
 func (cli *DockerCli) HooksEnabled() bool {
-	// legacy support DOCKER_CLI_HINTS env var
-	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
+	// use DOCKER_CLI_HOOKS env var value if set and not empty
+	if v := os.Getenv("DOCKER_CLI_HOOKS"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false
 		}
 		return enabled
 	}
-	// use DOCKER_CLI_HOOKS env var value if set and not empty
-	if v := os.Getenv("DOCKER_CLI_HOOKS"); v != "" {
+	// legacy support DOCKER_CLI_HINTS env var
+	if v := os.Getenv("DOCKER_CLI_HINTS"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false
@@ -230,30 +222,6 @@ func (cli *DockerCli) HooksEnabled() bool {
 	return false
 }
 
-// ManifestStore returns a store for local manifests
-func (*DockerCli) ManifestStore() manifeststore.Store {
-	// TODO: support override default location from config file
-	return manifeststore.NewStore(filepath.Join(config.Dir(), "manifests"))
-}
-
-// RegistryClient returns a client for communicating with a Docker distribution
-// registry
-func (cli *DockerCli) RegistryClient(allowInsecure bool) registryclient.RegistryClient {
-	resolver := func(ctx context.Context, index *registry.IndexInfo) registry.AuthConfig {
-		return ResolveAuthConfig(cli.ConfigFile(), index)
-	}
-	return registryclient.NewRegistryClient(resolver, UserAgent(), allowInsecure)
-}
-
-// WithInitializeClient is passed to DockerCli.Initialize by callers who wish to set a particular API Client for use by the CLI.
-func WithInitializeClient(makeClient func(dockerCli *DockerCli) (client.APIClient, error)) CLIOption {
-	return func(dockerCli *DockerCli) error {
-		var err error
-		dockerCli.client, err = makeClient(dockerCli)
-		return err
-	}
-}
-
 // Initialize the dockerCli runs initialization that must happen after command
 // line flags are parsed.
 func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption) error {
@@ -275,13 +243,33 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 		return errors.New("conflicting options: cannot specify both --host and --context")
 	}
 
+	if cli.contextStoreConfig == nil {
+		// This path can be hit when calling Initialize on a DockerCli that's
+		// not constructed through [NewDockerCli]. Using the default context
+		// store without a config set will result in Endpoints from contexts
+		// not being type-mapped correctly, and used as a generic "map[string]any",
+		// instead of a [docker.EndpointMeta].
+		//
+		// When looking up the API endpoint (using [EndpointFromContext]), no
+		// endpoint will be found, and a default, empty endpoint will be used
+		// instead which in its turn, causes newAPIClientFromEndpoint to
+		// be initialized with the default config instead of settings for
+		// the current context (which may mean; connecting with the wrong
+		// endpoint and/or TLS Config to be missing).
+		//
+		// [EndpointFromContext]: https://github.com/docker/cli/blob/33494921b80fd0b5a06acc3a34fa288de4bb2e6b/cli/context/docker/load.go#L139-L149
+		if err := WithDefaultContextStoreConfig()(cli); err != nil {
+			return err
+		}
+	}
+
 	cli.options = opts
 	cli.configFile = config.LoadDefaultConfigFile(cli.err)
 	cli.currentContext = resolveContextName(cli.options, cli.configFile)
 	cli.contextStore = &ContextStoreWithDefault{
-		Store: store.New(config.ContextStoreDir(), cli.contextStoreConfig),
+		Store: store.New(config.ContextStoreDir(), *cli.contextStoreConfig),
 		Resolver: func() (*DefaultContext, error) {
-			return ResolveDefaultContext(cli.options, cli.contextStoreConfig)
+			return ResolveDefaultContext(cli.options, *cli.contextStoreConfig)
 		},
 	}
 
@@ -292,6 +280,7 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 	if cli.enableGlobalTracer {
 		cli.createGlobalTracerProvider(cli.baseCtx)
 	}
+	filterResourceAttributesEnvvar()
 
 	return nil
 }
@@ -345,7 +334,10 @@ func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint,
 
 // Resolve the Docker endpoint for the default context (based on config, env vars and CLI flags)
 func resolveDefaultDockerEndpoint(opts *cliflags.ClientOptions) (docker.Endpoint, error) {
-	host, err := getServerHost(opts.Hosts, opts.TLSOptions)
+	// defaultToTLS determines whether we should use a TLS host as default
+	// if nothing was configured by the user.
+	defaultToTLS := opts.TLSOptions != nil
+	host, err := getServerHost(opts.Hosts, defaultToTLS)
 	if err != nil {
 		return docker.Endpoint{}, err
 	}
@@ -403,11 +395,6 @@ func (cli *DockerCli) initializeFromClient() {
 	cli.client.NegotiateAPIVersionPing(ping)
 }
 
-// NotaryClient provides a Notary Repository to interact with signed metadata for an image
-func (cli *DockerCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error) {
-	return trust.GetNotaryRepository(cli.In(), cli.Out(), UserAgent(), imgRefAndAuth.RepoInfo(), imgRefAndAuth.AuthConfig(), actions...)
-}
-
 // ContextStore returns the ContextStore
 func (cli *DockerCli) ContextStore() store.Store {
 	return cli.contextStore
@@ -523,7 +510,7 @@ func (cli *DockerCli) Apply(ops ...CLIOption) error {
 type ServerInfo struct {
 	HasExperimental bool
 	OSType          string
-	BuildkitVersion types.BuilderVersion
+	BuildkitVersion build.BuilderVersion
 
 	// SwarmStatus provides information about the current swarm status of the
 	// engine, obtained from the "Swarm" header in the API response.
@@ -553,18 +540,15 @@ func NewDockerCli(ops ...CLIOption) (*DockerCli, error) {
 	return cli, nil
 }
 
-func getServerHost(hosts []string, tlsOptions *tlsconfig.Options) (string, error) {
-	var host string
+func getServerHost(hosts []string, defaultToTLS bool) (string, error) {
 	switch len(hosts) {
 	case 0:
-		host = os.Getenv(client.EnvOverrideHost)
+		return dopts.ParseHost(defaultToTLS, os.Getenv(client.EnvOverrideHost))
 	case 1:
-		host = hosts[0]
+		return dopts.ParseHost(defaultToTLS, hosts[0])
 	default:
 		return "", errors.New("Specify only one -H")
 	}
-
-	return dopts.ParseHost(tlsOptions != nil, host)
 }
 
 // UserAgent returns the user agent string used for making API requests
diff --git a/vendor/github.com/docker/cli/cli/command/cli_options.go b/vendor/github.com/docker/cli/cli/command/cli_options.go
index ef133d6a..dd3c9473 100644
--- a/vendor/github.com/docker/cli/cli/command/cli_options.go
+++ b/vendor/github.com/docker/cli/cli/command/cli_options.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/docker/client"
-	"github.com/docker/docker/errdefs"
 	"github.com/moby/term"
 	"github.com/pkg/errors"
 )
@@ -101,7 +100,8 @@ func WithContentTrust(enabled bool) CLIOption {
 // WithDefaultContextStoreConfig configures the cli to use the default context store configuration.
 func WithDefaultContextStoreConfig() CLIOption {
 	return func(cli *DockerCli) error {
-		cli.contextStoreConfig = DefaultContextStoreConfig()
+		cfg := DefaultContextStoreConfig()
+		cli.contextStoreConfig = &cfg
 		return nil
 	}
 }
@@ -114,6 +114,18 @@ func WithAPIClient(c client.APIClient) CLIOption {
 	}
 }
 
+// WithInitializeClient is passed to [DockerCli.Initialize] to initialize
+// an API Client for use by the CLI.
+func WithInitializeClient(makeClient func(*DockerCli) (client.APIClient, error)) CLIOption {
+	return func(cli *DockerCli) error {
+		c, err := makeClient(cli)
+		if err != nil {
+			return err
+		}
+		return WithAPIClient(c)(cli)
+	}
+}
+
 // envOverrideHTTPHeaders is the name of the environment-variable that can be
 // used to set custom HTTP headers to be sent by the client. This environment
 // variable is the equivalent to the HttpHeaders field in the configuration
@@ -177,7 +189,7 @@ func withCustomHeadersFromEnv() client.Opt {
 		csvReader := csv.NewReader(strings.NewReader(value))
 		fields, err := csvReader.Read()
 		if err != nil {
-			return errdefs.InvalidParameter(errors.Errorf(
+			return invalidParameter(errors.Errorf(
 				"failed to parse custom headers from %s environment variable: value must be formatted as comma-separated key=value pairs",
 				envOverrideHTTPHeaders,
 			))
@@ -194,7 +206,7 @@ func withCustomHeadersFromEnv() client.Opt {
 			k = strings.TrimSpace(k)
 
 			if k == "" {
-				return errdefs.InvalidParameter(errors.Errorf(
+				return invalidParameter(errors.Errorf(
 					`failed to set custom headers from %s environment variable: value contains a key=value pair with an empty key: '%s'`,
 					envOverrideHTTPHeaders, kv,
 				))
@@ -205,7 +217,7 @@ func withCustomHeadersFromEnv() client.Opt {
 			// from an environment variable with the same name). In the meantime,
 			// produce an error to prevent users from depending on this.
 			if !hasValue {
-				return errdefs.InvalidParameter(errors.Errorf(
+				return invalidParameter(errors.Errorf(
 					`failed to set custom headers from %s environment variable: missing "=" in key=value pair: '%s'`,
 					envOverrideHTTPHeaders, kv,
 				))
diff --git a/vendor/github.com/docker/cli/cli/command/context.go b/vendor/github.com/docker/cli/cli/command/context.go
index 404a6a13..64e88e44 100644
--- a/vendor/github.com/docker/cli/cli/command/context.go
+++ b/vendor/github.com/docker/cli/cli/command/context.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package command
 
diff --git a/vendor/github.com/docker/cli/cli/command/defaultcontextstore.go b/vendor/github.com/docker/cli/cli/command/defaultcontextstore.go
index c5b310e9..9b49b3af 100644
--- a/vendor/github.com/docker/cli/cli/command/defaultcontextstore.go
+++ b/vendor/github.com/docker/cli/cli/command/defaultcontextstore.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package command
 
@@ -7,7 +7,6 @@ import (
 	"github.com/docker/cli/cli/context/docker"
 	"github.com/docker/cli/cli/context/store"
 	cliflags "github.com/docker/cli/cli/flags"
-	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 )
 
@@ -117,7 +116,7 @@ func (s *ContextStoreWithDefault) List() ([]store.Metadata, error) {
 // CreateOrUpdate is not allowed for the default context and fails
 func (s *ContextStoreWithDefault) CreateOrUpdate(meta store.Metadata) error {
 	if meta.Name == DefaultContextName {
-		return errdefs.InvalidParameter(errors.New("default context cannot be created nor updated"))
+		return invalidParameter(errors.New("default context cannot be created nor updated"))
 	}
 	return s.Store.CreateOrUpdate(meta)
 }
@@ -125,7 +124,7 @@ func (s *ContextStoreWithDefault) CreateOrUpdate(meta store.Metadata) error {
 // Remove is not allowed for the default context and fails
 func (s *ContextStoreWithDefault) Remove(name string) error {
 	if name == DefaultContextName {
-		return errdefs.InvalidParameter(errors.New("default context cannot be removed"))
+		return invalidParameter(errors.New("default context cannot be removed"))
 	}
 	return s.Store.Remove(name)
 }
@@ -145,7 +144,7 @@ func (s *ContextStoreWithDefault) GetMetadata(name string) (store.Metadata, erro
 // ResetTLSMaterial is not implemented for default context and fails
 func (s *ContextStoreWithDefault) ResetTLSMaterial(name string, data *store.ContextTLSData) error {
 	if name == DefaultContextName {
-		return errdefs.InvalidParameter(errors.New("default context cannot be edited"))
+		return invalidParameter(errors.New("default context cannot be edited"))
 	}
 	return s.Store.ResetTLSMaterial(name, data)
 }
@@ -153,7 +152,7 @@ func (s *ContextStoreWithDefault) ResetTLSMaterial(name string, data *store.Cont
 // ResetEndpointTLSMaterial is not implemented for default context and fails
 func (s *ContextStoreWithDefault) ResetEndpointTLSMaterial(contextName string, endpointName string, data *store.EndpointTLSData) error {
 	if contextName == DefaultContextName {
-		return errdefs.InvalidParameter(errors.New("default context cannot be edited"))
+		return invalidParameter(errors.New("default context cannot be edited"))
 	}
 	return s.Store.ResetEndpointTLSMaterial(contextName, endpointName, data)
 }
@@ -186,7 +185,7 @@ func (s *ContextStoreWithDefault) GetTLSData(contextName, endpointName, fileName
 			return nil, err
 		}
 		if defaultContext.TLS.Endpoints[endpointName].Files[fileName] == nil {
-			return nil, errdefs.NotFound(errors.Errorf("TLS data for %s/%s/%s does not exist", DefaultContextName, endpointName, fileName))
+			return nil, notFound(errors.Errorf("TLS data for %s/%s/%s does not exist", DefaultContextName, endpointName, fileName))
 		}
 		return defaultContext.TLS.Endpoints[endpointName].Files[fileName], nil
 	}
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/buildcache.go b/vendor/github.com/docker/cli/cli/command/formatter/buildcache.go
index 71f80c0c..ade5de73 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/buildcache.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/buildcache.go
@@ -6,8 +6,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/go-units"
 )
 
@@ -52,7 +51,7 @@ shared: {{.Shared}}
 	return Format(source)
 }
 
-func buildCacheSort(buildCache []*types.BuildCache) {
+func buildCacheSort(buildCache []*build.CacheRecord) {
 	sort.Slice(buildCache, func(i, j int) bool {
 		lui, luj := buildCache[i].LastUsedAt, buildCache[j].LastUsedAt
 		switch {
@@ -71,7 +70,7 @@ func buildCacheSort(buildCache []*types.BuildCache) {
 }
 
 // BuildCacheWrite renders the context for a list of containers
-func BuildCacheWrite(ctx Context, buildCaches []*types.BuildCache) error {
+func BuildCacheWrite(ctx Context, buildCaches []*build.CacheRecord) error {
 	render := func(format func(subContext SubContext) error) error {
 		buildCacheSort(buildCaches)
 		for _, bc := range buildCaches {
@@ -88,7 +87,7 @@ func BuildCacheWrite(ctx Context, buildCaches []*types.BuildCache) error {
 type buildCacheContext struct {
 	HeaderContext
 	trunc bool
-	v     *types.BuildCache
+	v     *build.CacheRecord
 }
 
 func newBuildCacheContext() *buildCacheContext {
@@ -115,7 +114,7 @@ func (c *buildCacheContext) MarshalJSON() ([]byte, error) {
 func (c *buildCacheContext) ID() string {
 	id := c.v.ID
 	if c.trunc {
-		id = stringid.TruncateID(c.v.ID)
+		id = TruncateID(c.v.ID)
 	}
 	if c.v.InUse {
 		return id + "*"
@@ -131,7 +130,7 @@ func (c *buildCacheContext) Parent() string {
 		parent = c.v.Parent //nolint:staticcheck // Ignore SA1019: Field was deprecated in API v1.42, but kept for backward compatibility
 	}
 	if c.trunc {
-		return stringid.TruncateID(parent)
+		return TruncateID(parent)
 	}
 	return parent
 }
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/container.go b/vendor/github.com/docker/cli/cli/command/formatter/container.go
index ba62efb2..0a5c587a 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/container.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/container.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package formatter
 
@@ -11,10 +11,11 @@ import (
 	"strings"
 	"time"
 
+	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/go-units"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 const (
@@ -26,8 +27,18 @@ const (
 	mountsHeader     = "MOUNTS"
 	localVolumes     = "LOCAL VOLUMES"
 	networksHeader   = "NETWORKS"
+	platformHeader   = "PLATFORM"
 )
 
+// Platform wraps a [ocispec.Platform] to implement the stringer interface.
+type Platform struct {
+	ocispec.Platform
+}
+
+func (p Platform) String() string {
+	return platforms.FormatAll(p.Platform)
+}
+
 // NewContainerFormat returns a Format for rendering using a Context
 func NewContainerFormat(source string, quiet bool, size bool) Format {
 	switch source {
@@ -68,16 +79,14 @@ ports: {{- pad .Ports 1 0}}
 
 // ContainerWrite renders the context for a list of containers
 func ContainerWrite(ctx Context, containers []container.Summary) error {
-	render := func(format func(subContext SubContext) error) error {
+	return ctx.Write(NewContainerContext(), func(format func(subContext SubContext) error) error {
 		for _, ctr := range containers {
-			err := format(&ContainerContext{trunc: ctx.Trunc, c: ctr})
-			if err != nil {
+			if err := format(&ContainerContext{trunc: ctx.Trunc, c: ctr}); err != nil {
 				return err
 			}
 		}
 		return nil
-	}
-	return ctx.Write(NewContainerContext(), render)
+	})
 }
 
 // ContainerContext is a struct used for rendering a list of containers in a Go template.
@@ -111,6 +120,7 @@ func NewContainerContext() *ContainerContext {
 		"Mounts":       mountsHeader,
 		"LocalVolumes": localVolumes,
 		"Networks":     networksHeader,
+		"Platform":     platformHeader,
 	}
 	return &containerCtx
 }
@@ -124,7 +134,7 @@ func (c *ContainerContext) MarshalJSON() ([]byte, error) {
 // option being set, the full or truncated ID is returned.
 func (c *ContainerContext) ID() string {
 	if c.trunc {
-		return stringid.TruncateID(c.c.ID)
+		return TruncateID(c.c.ID)
 	}
 	return c.c.ID
 }
@@ -161,7 +171,7 @@ func (c *ContainerContext) Image() string {
 		return "<no image>"
 	}
 	if c.trunc {
-		if trunc := stringid.TruncateID(c.c.ImageID); trunc == stringid.TruncateID(c.c.Image) {
+		if trunc := TruncateID(c.c.ImageID); trunc == TruncateID(c.c.Image) {
 			return trunc
 		}
 		// truncate digest if no-trunc option was not selected
@@ -210,6 +220,16 @@ func (c *ContainerContext) RunningFor() string {
 	return units.HumanDuration(time.Now().UTC().Sub(createdAt)) + " ago"
 }
 
+// Platform returns a human-readable representation of the container's
+// platform if it is available.
+func (c *ContainerContext) Platform() *Platform {
+	p := c.c.ImageManifestDescriptor
+	if p == nil || p.Platform == nil {
+		return nil
+	}
+	return &Platform{*p.Platform}
+}
+
 // Ports returns a comma-separated string representing open ports of the container
 // e.g. "0.0.0.0:80->9090/tcp, 9988/tcp"
 // it's used by command 'docker ps'
@@ -218,7 +238,8 @@ func (c *ContainerContext) Ports() string {
 	return DisplayablePorts(c.c.Ports)
 }
 
-// State returns the container's current state (e.g. "running" or "paused")
+// State returns the container's current state (e.g. "running" or "paused").
+// Refer to [container.ContainerState] for possible states.
 func (c *ContainerContext) State() string {
 	return c.c.State
 }
@@ -255,6 +276,7 @@ func (c *ContainerContext) Labels() string {
 	for k, v := range c.c.Labels {
 		joinLabels = append(joinLabels, k+"="+v)
 	}
+	sort.Strings(joinLabels)
 	return strings.Join(joinLabels, ",")
 }
 
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/context.go b/vendor/github.com/docker/cli/cli/command/formatter/context.go
index 293c8415..985a6ff3 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/context.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/context.go
@@ -1,7 +1,5 @@
 package formatter
 
-import "encoding/json"
-
 const (
 	// ClientContextTableFormat is the default client context format.
 	ClientContextTableFormat = "table {{.Name}}{{if .Current}} *{{end}}\t{{.Description}}\t{{.DockerEndpoint}}\t{{.Error}}"
@@ -30,13 +28,6 @@ type ClientContext struct {
 	DockerEndpoint string
 	Current        bool
 	Error          string
-
-	// ContextType is a temporary field for compatibility with
-	// Visual Studio, which depends on this from the "cloud integration"
-	// wrapper.
-	//
-	// Deprecated: this type is only for backward-compatibility. Do not use.
-	ContextType string `json:"ContextType,omitempty"`
 }
 
 // ClientContextWrite writes formatted contexts using the Context
@@ -69,13 +60,6 @@ func newClientContextContext() *clientContextContext {
 }
 
 func (c *clientContextContext) MarshalJSON() ([]byte, error) {
-	if c.c.ContextType != "" {
-		// We only have ContextType set for plain "json" or "{{json .}}" formatting,
-		// so we should be able to just use the default json.Marshal with no
-		// special handling.
-		return json.Marshal(c.c)
-	}
-	// FIXME(thaJeztah): why do we need a special marshal function here?
 	return MarshalJSON(c)
 }
 
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/custom.go b/vendor/github.com/docker/cli/cli/command/formatter/custom.go
index 6910a261..c2b9cb2c 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/custom.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/custom.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package formatter
 
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/disk_usage.go b/vendor/github.com/docker/cli/cli/command/formatter/disk_usage.go
index 1199d571..b663c59b 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/disk_usage.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/disk_usage.go
@@ -4,15 +4,14 @@ import (
 	"bytes"
 	"fmt"
 	"strconv"
-	"strings"
 	"text/template"
 
 	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/volume"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 )
 
 const (
@@ -39,12 +38,12 @@ type DiskUsageContext struct {
 	Images      []*image.Summary
 	Containers  []*container.Summary
 	Volumes     []*volume.Volume
-	BuildCache  []*types.BuildCache
+	BuildCache  []*build.CacheRecord
 	BuilderSize int64
 }
 
 func (ctx *DiskUsageContext) startSubsection(format string) (*template.Template, error) {
-	ctx.buffer = bytes.NewBufferString("")
+	ctx.buffer = &bytes.Buffer{}
 	ctx.header = ""
 	ctx.Format = Format(format)
 	ctx.preFormat()
@@ -88,7 +87,7 @@ func (ctx *DiskUsageContext) Write() (err error) {
 	if ctx.Verbose {
 		return ctx.verboseWrite()
 	}
-	ctx.buffer = bytes.NewBufferString("")
+	ctx.buffer = &bytes.Buffer{}
 	ctx.preFormat()
 
 	tmpl, err := ctx.parseFormat()
@@ -330,9 +329,15 @@ func (c *diskUsageContainersContext) TotalCount() string {
 }
 
 func (*diskUsageContainersContext) isActive(ctr container.Summary) bool {
-	return strings.Contains(ctr.State, "running") ||
-		strings.Contains(ctr.State, "paused") ||
-		strings.Contains(ctr.State, "restarting")
+	switch ctr.State {
+	case container.StateRunning, container.StatePaused, container.StateRestarting:
+		return true
+	case container.StateCreated, container.StateRemoving, container.StateExited, container.StateDead:
+		return false
+	default:
+		// Unknown state (should never happen).
+		return false
+	}
 }
 
 func (c *diskUsageContainersContext) Active() string {
@@ -436,7 +441,7 @@ func (c *diskUsageVolumesContext) Reclaimable() string {
 type diskUsageBuilderContext struct {
 	HeaderContext
 	builderSize int64
-	buildCache  []*types.BuildCache
+	buildCache  []*build.CacheRecord
 }
 
 func (c *diskUsageBuilderContext) MarshalJSON() ([]byte, error) {
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/displayutils.go b/vendor/github.com/docker/cli/cli/command/formatter/displayutils.go
index 7847bb30..b062c339 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/displayutils.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/displayutils.go
@@ -1,6 +1,11 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
 package formatter
 
 import (
+	"fmt"
+	"strings"
 	"unicode/utf8"
 
 	"golang.org/x/text/width"
@@ -15,11 +20,32 @@ func charWidth(r rune) int {
 	switch width.LookupRune(r).Kind() {
 	case width.EastAsianWide, width.EastAsianFullwidth:
 		return 2
+	case width.Neutral, width.EastAsianAmbiguous, width.EastAsianNarrow, width.EastAsianHalfwidth:
+		return 1
 	default:
 		return 1
 	}
 }
 
+const shortLen = 12
+
+// TruncateID returns a shorthand version of a string identifier for presentation,
+// after trimming digest algorithm prefix (if any).
+//
+// This function is a copy of [stringid.TruncateID] for presentation / formatting
+// purposes.
+//
+// [stringid.TruncateID]: https://github.com/moby/moby/blob/v28.3.2/pkg/stringid/stringid.go#L19
+func TruncateID(id string) string {
+	if i := strings.IndexRune(id, ':'); i >= 0 {
+		id = id[i+1:]
+	}
+	if len(id) > shortLen {
+		id = id[:shortLen]
+	}
+	return id
+}
+
 // Ellipsis truncates a string to fit within maxDisplayWidth, and appends ellipsis (…).
 // For maxDisplayWidth of 1 and lower, no ellipsis is appended.
 // For maxDisplayWidth of 1, first char of string will return even if its width > 1.
@@ -59,3 +85,27 @@ func Ellipsis(s string, maxDisplayWidth int) string {
 	}
 	return s
 }
+
+// capitalizeFirst capitalizes the first character of string
+func capitalizeFirst(s string) string {
+	switch l := len(s); l {
+	case 0:
+		return s
+	case 1:
+		return strings.ToLower(s)
+	default:
+		return strings.ToUpper(string(s[0])) + strings.ToLower(s[1:])
+	}
+}
+
+// PrettyPrint outputs arbitrary data for human formatted output by uppercasing the first letter.
+func PrettyPrint(i any) string {
+	switch t := i.(type) {
+	case nil:
+		return "None"
+	case string:
+		return capitalizeFirst(t)
+	default:
+		return capitalizeFirst(fmt.Sprintf("%s", t))
+	}
+}
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/formatter.go b/vendor/github.com/docker/cli/cli/command/formatter/formatter.go
index 5873cce8..7803cabe 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/formatter.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/formatter.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package formatter
 
@@ -76,12 +76,15 @@ func (c *Context) preFormat() {
 func (c *Context) parseFormat() (*template.Template, error) {
 	tmpl, err := templates.Parse(c.finalFormat)
 	if err != nil {
-		return tmpl, errors.Wrap(err, "template parsing error")
+		return nil, errors.Wrap(err, "template parsing error")
 	}
-	return tmpl, err
+	return tmpl, nil
 }
 
 func (c *Context) postFormat(tmpl *template.Template, subContext SubContext) {
+	if c.Output == nil {
+		c.Output = io.Discard
+	}
 	if c.Format.IsTable() {
 		t := tabwriter.NewWriter(c.Output, 10, 1, 3, ' ', 0)
 		buffer := bytes.NewBufferString("")
@@ -111,7 +114,7 @@ type SubFormat func(func(SubContext) error) error
 
 // Write the template to the buffer using this Context
 func (c *Context) Write(sub SubContext, f SubFormat) error {
-	c.buffer = bytes.NewBufferString("")
+	c.buffer = &bytes.Buffer{}
 	c.preFormat()
 
 	tmpl, err := c.parseFormat()
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/image.go b/vendor/github.com/docker/cli/cli/command/formatter/image.go
index d16f42b5..74c2fe75 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/image.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/image.go
@@ -6,8 +6,7 @@ import (
 
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/pkg/stringid"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 )
 
 const (
@@ -216,7 +215,7 @@ func (c *imageContext) MarshalJSON() ([]byte, error) {
 
 func (c *imageContext) ID() string {
 	if c.trunc {
-		return stringid.TruncateID(c.i.ID)
+		return TruncateID(c.i.ID)
 	}
 	return c.i.ID
 }
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/reflect.go b/vendor/github.com/docker/cli/cli/command/formatter/reflect.go
index fe8def61..31658337 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/reflect.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/reflect.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package formatter
 
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/tabwriter/tabwriter.go b/vendor/github.com/docker/cli/cli/command/formatter/tabwriter/tabwriter.go
index 1d908f58..e7473cd9 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/tabwriter/tabwriter.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/tabwriter/tabwriter.go
@@ -12,7 +12,7 @@
 
 // based on https://github.com/golang/go/blob/master/src/text/tabwriter/tabwriter.go Last modified 690ac40 on 31 Jan
 
-//nolint:gocyclo,nakedret,stylecheck,unused // ignore linting errors, so that we can stick close to upstream
+//nolint:gocyclo,nakedret,unused // ignore linting errors, so that we can stick close to upstream
 package tabwriter
 
 import (
diff --git a/vendor/github.com/docker/cli/cli/command/formatter/volume.go b/vendor/github.com/docker/cli/cli/command/formatter/volume.go
index 85f07079..bf9ea5d4 100644
--- a/vendor/github.com/docker/cli/cli/command/formatter/volume.go
+++ b/vendor/github.com/docker/cli/cli/command/formatter/volume.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 
 	"github.com/docker/docker/api/types/volume"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 )
 
 const (
diff --git a/vendor/github.com/docker/cli/cli/command/registry.go b/vendor/github.com/docker/cli/cli/command/registry.go
index e2581d57..be49d85b 100644
--- a/vendor/github.com/docker/cli/cli/command/registry.go
+++ b/vendor/github.com/docker/cli/cli/command/registry.go
@@ -13,9 +13,9 @@ import (
 	configtypes "github.com/docker/cli/cli/config/types"
 	"github.com/docker/cli/cli/hints"
 	"github.com/docker/cli/cli/streams"
+	"github.com/docker/cli/internal/prompt"
 	"github.com/docker/cli/internal/tui"
 	registrytypes "github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/registry"
 	"github.com/morikuni/aec"
 	"github.com/pkg/errors"
 )
@@ -28,16 +28,22 @@ const (
 		"for organizations using SSO. Learn more at https://docs.docker.com/go/access-tokens/"
 )
 
+// authConfigKey is the key used to store credentials for Docker Hub. It is
+// a copy of [registry.IndexServer].
+//
+// [registry.IndexServer]: https://pkg.go.dev/github.com/docker/docker/registry#IndexServer
+const authConfigKey = "https://index.docker.io/v1/"
+
 // RegistryAuthenticationPrivilegedFunc returns a RequestPrivilegeFunc from the specified registry index info
-// for the given command.
+// for the given command to prompt the user for username and password.
 func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInfo, cmdName string) registrytypes.RequestAuthConfig {
+	configKey := getAuthConfigKey(index.Name)
+	isDefaultRegistry := configKey == authConfigKey || index.Official
 	return func(ctx context.Context) (string, error) {
 		_, _ = fmt.Fprintf(cli.Out(), "\nLogin prior to %s:\n", cmdName)
-		indexServer := registry.GetAuthConfigKey(index)
-		isDefaultRegistry := indexServer == registry.IndexServer
-		authConfig, err := GetDefaultAuthConfig(cli.ConfigFile(), true, indexServer, isDefaultRegistry)
+		authConfig, err := GetDefaultAuthConfig(cli.ConfigFile(), true, configKey, isDefaultRegistry)
 		if err != nil {
-			_, _ = fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
+			_, _ = fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", configKey, err)
 		}
 
 		select {
@@ -46,7 +52,7 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 		default:
 		}
 
-		authConfig, err = PromptUserForCredentials(ctx, cli, "", "", authConfig.Username, indexServer)
+		authConfig, err = PromptUserForCredentials(ctx, cli, "", "", authConfig.Username, configKey)
 		if err != nil {
 			return "", err
 		}
@@ -63,7 +69,7 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 func ResolveAuthConfig(cfg *configfile.ConfigFile, index *registrytypes.IndexInfo) registrytypes.AuthConfig {
 	configKey := index.Name
 	if index.Official {
-		configKey = registry.IndexServer
+		configKey = authConfigKey
 	}
 
 	a, _ := cfg.GetAuthConfig(configKey)
@@ -132,7 +138,7 @@ func PromptUserForCredentials(ctx context.Context, cli Cli, argUser, argPassword
 
 	argUser = strings.TrimSpace(argUser)
 	if argUser == "" {
-		if serverAddress == registry.IndexServer {
+		if serverAddress == authConfigKey {
 			// When signing in to the default (Docker Hub) registry, we display
 			// hints for creating an account, and (if hints are enabled), using
 			// a token instead of a password.
@@ -143,16 +149,16 @@ func PromptUserForCredentials(ctx context.Context, cli Cli, argUser, argPassword
 			}
 		}
 
-		var prompt string
+		var msg string
 		defaultUsername = strings.TrimSpace(defaultUsername)
 		if defaultUsername == "" {
-			prompt = "Username: "
+			msg = "Username: "
 		} else {
-			prompt = fmt.Sprintf("Username (%s): ", defaultUsername)
+			msg = fmt.Sprintf("Username (%s): ", defaultUsername)
 		}
 
 		var err error
-		argUser, err = PromptForInput(ctx, cli.In(), cli.Out(), prompt)
+		argUser, err = prompt.ReadInput(ctx, cli.In(), cli.Out(), msg)
 		if err != nil {
 			return registrytypes.AuthConfig{}, err
 		}
@@ -166,7 +172,7 @@ func PromptUserForCredentials(ctx context.Context, cli Cli, argUser, argPassword
 
 	argPassword = strings.TrimSpace(argPassword)
 	if argPassword == "" {
-		restoreInput, err := DisableInputEcho(cli.In())
+		restoreInput, err := prompt.DisableInputEcho(cli.In())
 		if err != nil {
 			return registrytypes.AuthConfig{}, err
 		}
@@ -180,10 +186,13 @@ func PromptUserForCredentials(ctx context.Context, cli Cli, argUser, argPassword
 			}
 		}()
 
-		out := tui.NewOutput(cli.Err())
-		out.PrintNote("A Personal Access Token (PAT) can be used instead.\n" +
-			"To create a PAT, visit " + aec.Underline.Apply("https://app.docker.com/settings") + "\n\n")
-		argPassword, err = PromptForInput(ctx, cli.In(), cli.Out(), "Password: ")
+		if serverAddress == authConfigKey {
+			out := tui.NewOutput(cli.Err())
+			out.PrintNote("A Personal Access Token (PAT) can be used instead.\n" +
+				"To create a PAT, visit " + aec.Underline.Apply("https://app.docker.com/settings") + "\n\n")
+		}
+
+		argPassword, err = prompt.ReadInput(ctx, cli.In(), cli.Out(), "Password: ")
 		if err != nil {
 			return registrytypes.AuthConfig{}, err
 		}
@@ -225,9 +234,25 @@ func resolveAuthConfigFromImage(cfg *configfile.ConfigFile, image string) (regis
 	if err != nil {
 		return registrytypes.AuthConfig{}, err
 	}
-	repoInfo, err := registry.ParseRepositoryInfo(registryRef)
+	configKey := getAuthConfigKey(reference.Domain(registryRef))
+	a, err := cfg.GetAuthConfig(configKey)
 	if err != nil {
 		return registrytypes.AuthConfig{}, err
 	}
-	return ResolveAuthConfig(cfg, repoInfo.Index), nil
+	return registrytypes.AuthConfig(a), nil
+}
+
+// getAuthConfigKey special-cases using the full index address of the official
+// index as the AuthConfig key, and uses the (host)name[:port] for private indexes.
+//
+// It is similar to [registry.GetAuthConfigKey], but does not require on
+// [registrytypes.IndexInfo] as intermediate.
+//
+// [registry.GetAuthConfigKey]: https://pkg.go.dev/github.com/docker/docker/registry#GetAuthConfigKey
+// [registrytypes.IndexInfo]:https://pkg.go.dev/github.com/docker/docker/api/types/registry#IndexInfo
+func getAuthConfigKey(domainName string) string {
+	if domainName == "docker.io" || domainName == "index.docker.io" {
+		return authConfigKey
+	}
+	return domainName
 }
diff --git a/vendor/github.com/docker/cli/cli/command/service/progress/progress.go b/vendor/github.com/docker/cli/cli/command/service/progress/progress.go
index 09da1877..5f87e291 100644
--- a/vendor/github.com/docker/cli/cli/command/service/progress/progress.go
+++ b/vendor/github.com/docker/cli/cli/command/service/progress/progress.go
@@ -11,13 +11,12 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
-	"github.com/docker/docker/pkg/stringid"
 )
 
 var (
@@ -89,7 +88,7 @@ func ServiceProgress(ctx context.Context, apiClient client.APIClient, serviceID
 	)
 
 	for {
-		service, _, err := apiClient.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{})
+		service, _, err := apiClient.ServiceInspectWithRaw(ctx, serviceID, swarm.ServiceInspectOptions{})
 		if err != nil {
 			return err
 		}
@@ -143,7 +142,7 @@ func ServiceProgress(ctx context.Context, apiClient client.APIClient, serviceID
 			return nil
 		}
 
-		tasks, err := apiClient.TaskList(ctx, types.TaskListOptions{Filters: filters.NewArgs(
+		tasks, err := apiClient.TaskList(ctx, swarm.TaskListOptions{Filters: filters.NewArgs(
 			filters.KeyValuePair{Key: "service", Value: service.ID},
 			filters.KeyValuePair{Key: "_up-to-date", Value: "true"},
 		)})
@@ -217,7 +216,7 @@ func ServiceProgress(ctx context.Context, apiClient client.APIClient, serviceID
 //
 // TODO(thaJeztah): this should really be a filter on [apiClient.NodeList] instead of being filtered on the client side.
 func getActiveNodes(ctx context.Context, apiClient client.NodeAPIClient) (map[string]struct{}, error) {
-	nodes, err := apiClient.NodeList(ctx, types.NodeListOptions{})
+	nodes, err := apiClient.NodeList(ctx, swarm.NodeListOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -506,7 +505,7 @@ func (u *globalProgressUpdater) writeTaskProgress(task swarm.Task, nodeCount int
 
 	if task.Status.Err != "" {
 		u.progressOut.WriteProgress(progress.Progress{
-			ID:     stringid.TruncateID(task.NodeID),
+			ID:     formatter.TruncateID(task.NodeID),
 			Action: truncError(task.Status.Err),
 		})
 		return
@@ -514,7 +513,7 @@ func (u *globalProgressUpdater) writeTaskProgress(task swarm.Task, nodeCount int
 
 	if !terminalState(task.DesiredState) && !terminalState(task.Status.State) {
 		u.progressOut.WriteProgress(progress.Progress{
-			ID:         stringid.TruncateID(task.NodeID),
+			ID:         formatter.TruncateID(task.NodeID),
 			Action:     fmt.Sprintf("%-[1]*s", longestState, task.Status.State),
 			Current:    numberedStates[task.Status.State],
 			Total:      maxProgress,
diff --git a/vendor/github.com/docker/cli/cli/command/telemetry.go b/vendor/github.com/docker/cli/cli/command/telemetry.go
index 2ee8adfb..e8e6296b 100644
--- a/vendor/github.com/docker/cli/cli/command/telemetry.go
+++ b/vendor/github.com/docker/cli/cli/command/telemetry.go
@@ -4,10 +4,11 @@ import (
 	"context"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
-	"github.com/docker/distribution/uuid"
+	"github.com/google/uuid"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/metric"
 	sdkmetric "go.opentelemetry.io/otel/sdk/metric"
@@ -142,7 +143,7 @@ func defaultResourceOptions() []resource.Option {
 			// of the CLI is its own instance. Without this, downstream
 			// OTEL processors may think the same process is restarting
 			// continuously.
-			semconv.ServiceInstanceID(uuid.Generate().String()),
+			semconv.ServiceInstanceID(uuid.NewString()),
 		),
 		resource.WithFromEnv(),
 		resource.WithTelemetrySDK(),
@@ -216,3 +217,49 @@ func (r *cliReader) ForceFlush(ctx context.Context) error {
 func deltaTemporality(_ sdkmetric.InstrumentKind) metricdata.Temporality {
 	return metricdata.DeltaTemporality
 }
+
+// resourceAttributesEnvVar is the name of the envvar that includes additional
+// resource attributes for OTEL as defined in the [OpenTelemetry specification].
+//
+// [OpenTelemetry specification]: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/#general-sdk-configuration
+const resourceAttributesEnvVar = "OTEL_RESOURCE_ATTRIBUTES"
+
+func filterResourceAttributesEnvvar() {
+	if v := os.Getenv(resourceAttributesEnvVar); v != "" {
+		if filtered := filterResourceAttributes(v); filtered != "" {
+			_ = os.Setenv(resourceAttributesEnvVar, filtered)
+		} else {
+			_ = os.Unsetenv(resourceAttributesEnvVar)
+		}
+	}
+}
+
+// dockerCLIAttributePrefix is the prefix for any docker cli OTEL attributes.
+// When updating, make sure to also update the copy in cli-plugins/manager.
+//
+// TODO(thaJeztah): move telemetry-related code to an (internal) package to reduce dependency on cli/command in cli-plugins, which has too many imports.
+const dockerCLIAttributePrefix = "docker.cli."
+
+func filterResourceAttributes(s string) string {
+	if trimmed := strings.TrimSpace(s); trimmed == "" {
+		return trimmed
+	}
+
+	pairs := strings.Split(s, ",")
+	elems := make([]string, 0, len(pairs))
+	for _, p := range pairs {
+		k, _, found := strings.Cut(p, "=")
+		if !found {
+			// Do not interact with invalid otel resources.
+			elems = append(elems, p)
+			continue
+		}
+
+		// Skip attributes that have our docker.cli prefix.
+		if strings.HasPrefix(k, dockerCLIAttributePrefix) {
+			continue
+		}
+		elems = append(elems, p)
+	}
+	return strings.Join(elems, ",")
+}
diff --git a/vendor/github.com/docker/cli/cli/command/telemetry_docker.go b/vendor/github.com/docker/cli/cli/command/telemetry_docker.go
index 298209e2..6598997d 100644
--- a/vendor/github.com/docker/cli/cli/command/telemetry_docker.go
+++ b/vendor/github.com/docker/cli/cli/command/telemetry_docker.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package command
 
diff --git a/vendor/github.com/docker/cli/cli/command/utils.go b/vendor/github.com/docker/cli/cli/command/utils.go
index 8a8368fb..ab64ef8f 100644
--- a/vendor/github.com/docker/cli/cli/command/utils.go
+++ b/vendor/github.com/docker/cli/cli/command/utils.go
@@ -1,95 +1,45 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package command
 
 import (
-	"bufio"
 	"context"
-	"fmt"
 	"io"
 	"os"
 	"path/filepath"
-	"runtime"
 	"strings"
 
+	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/streams"
+	"github.com/docker/cli/internal/prompt"
 	"github.com/docker/docker/api/types/filters"
-	mounttypes "github.com/docker/docker/api/types/mount"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/errdefs"
-	"github.com/moby/sys/sequential"
-	"github.com/moby/term"
+	"github.com/moby/sys/atomicwriter"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
 )
 
 // CopyToFile writes the content of the reader to the specified file
+//
+// Deprecated: use [atomicwriter.New].
 func CopyToFile(outfile string, r io.Reader) error {
-	// We use sequential file access here to avoid depleting the standby list
-	// on Windows. On Linux, this is a call directly to os.CreateTemp
-	tmpFile, err := sequential.CreateTemp(filepath.Dir(outfile), ".docker_temp_")
+	writer, err := atomicwriter.New(outfile, 0o600)
 	if err != nil {
 		return err
 	}
-
-	tmpPath := tmpFile.Name()
-
-	_, err = io.Copy(tmpFile, r)
-	tmpFile.Close()
-
-	if err != nil {
-		os.Remove(tmpPath)
-		return err
-	}
-
-	if err = os.Rename(tmpPath, outfile); err != nil {
-		os.Remove(tmpPath)
-		return err
-	}
-
-	return nil
+	defer writer.Close()
+	_, err = io.Copy(writer, r)
+	return err
 }
 
-// capitalizeFirst capitalizes the first character of string
-func capitalizeFirst(s string) string {
-	switch l := len(s); l {
-	case 0:
-		return s
-	case 1:
-		return strings.ToLower(s)
-	default:
-		return strings.ToUpper(string(s[0])) + strings.ToLower(s[1:])
-	}
-}
-
-// PrettyPrint outputs arbitrary data for human formatted output by uppercasing the first letter.
-func PrettyPrint(i any) string {
-	switch t := i.(type) {
-	case nil:
-		return "None"
-	case string:
-		return capitalizeFirst(t)
-	default:
-		return capitalizeFirst(fmt.Sprintf("%s", t))
-	}
-}
-
-var ErrPromptTerminated = errdefs.Cancelled(errors.New("prompt terminated"))
+const ErrPromptTerminated = prompt.ErrTerminated
 
 // DisableInputEcho disables input echo on the provided streams.In.
 // This is useful when the user provides sensitive information like passwords.
 // The function returns a restore function that should be called to restore the
 // terminal state.
 func DisableInputEcho(ins *streams.In) (restore func() error, err error) {
-	oldState, err := term.SaveState(ins.FD())
-	if err != nil {
-		return nil, err
-	}
-	restore = func() error {
-		return term.RestoreTerminal(ins.FD(), oldState)
-	}
-	return restore, term.DisableEcho(ins.FD(), oldState)
+	return prompt.DisableInputEcho(ins)
 }
 
 // PromptForInput requests input from the user.
@@ -100,23 +50,7 @@ func DisableInputEcho(ins *streams.In) (restore func() error, err error) {
 // the stack and close the io.Reader used for the prompt which will prevent the
 // background goroutine from blocking indefinitely.
 func PromptForInput(ctx context.Context, in io.Reader, out io.Writer, message string) (string, error) {
-	_, _ = fmt.Fprint(out, message)
-
-	result := make(chan string)
-	go func() {
-		scanner := bufio.NewScanner(in)
-		if scanner.Scan() {
-			result <- strings.TrimSpace(scanner.Text())
-		}
-	}()
-
-	select {
-	case <-ctx.Done():
-		_, _ = fmt.Fprintln(out, "")
-		return "", ErrPromptTerminated
-	case r := <-result:
-		return r, nil
-	}
+	return prompt.ReadInput(ctx, in, out, message)
 }
 
 // PromptForConfirmation requests and checks confirmation from the user.
@@ -130,67 +64,45 @@ func PromptForInput(ctx context.Context, in io.Reader, out io.Writer, message st
 // the stack and close the io.Reader used for the prompt which will prevent the
 // background goroutine from blocking indefinitely.
 func PromptForConfirmation(ctx context.Context, ins io.Reader, outs io.Writer, message string) (bool, error) {
-	if message == "" {
-		message = "Are you sure you want to proceed?"
-	}
-	message += " [y/N] "
-
-	_, _ = fmt.Fprint(outs, message)
-
-	// On Windows, force the use of the regular OS stdin stream.
-	if runtime.GOOS == "windows" {
-		ins = streams.NewIn(os.Stdin)
-	}
-
-	result := make(chan bool)
-
-	go func() {
-		var res bool
-		scanner := bufio.NewScanner(ins)
-		if scanner.Scan() {
-			answer := strings.TrimSpace(scanner.Text())
-			if strings.EqualFold(answer, "y") {
-				res = true
-			}
-		}
-		result <- res
-	}()
-
-	select {
-	case <-ctx.Done():
-		_, _ = fmt.Fprintln(outs, "")
-		return false, ErrPromptTerminated
-	case r := <-result:
-		return r, nil
-	}
+	return prompt.Confirm(ctx, ins, outs, message)
 }
 
-// PruneFilters returns consolidated prune filters obtained from config.json and cli
-func PruneFilters(dockerCli Cli, pruneFilters filters.Args) filters.Args {
-	if dockerCli.ConfigFile() == nil {
+// PruneFilters merges prune filters specified in config.json with those specified
+// as command-line flags.
+//
+// CLI label filters have precedence over those specified in config.json. If a
+// label filter specified as flag conflicts with a label defined in config.json
+// (i.e., "label=some-value" conflicts with "label!=some-value", and vice versa),
+// then the filter defined in config.json is omitted.
+func PruneFilters(dockerCLI config.Provider, pruneFilters filters.Args) filters.Args {
+	cfg := dockerCLI.ConfigFile()
+	if cfg == nil {
 		return pruneFilters
 	}
-	for _, f := range dockerCli.ConfigFile().PruneFilters {
+
+	// Merge filters provided through the CLI with default filters defined
+	// in the CLI-configfile.
+	for _, f := range cfg.PruneFilters {
 		k, v, ok := strings.Cut(f, "=")
 		if !ok {
 			continue
 		}
-		if k == "label" {
-			// CLI label filter supersede config.json.
-			// If CLI label filter conflict with config.json,
-			// skip adding label! filter in config.json.
-			if pruneFilters.Contains("label!") && pruneFilters.ExactMatch("label!", v) {
+		switch k {
+		case "label":
+			// "label != some-value" conflicts with "label = some-value"
+			if pruneFilters.ExactMatch("label!", v) {
 				continue
 			}
-		} else if k == "label!" {
-			// CLI label! filter supersede config.json.
-			// If CLI label! filter conflict with config.json,
-			// skip adding label filter in config.json.
-			if pruneFilters.Contains("label") && pruneFilters.ExactMatch("label", v) {
+			pruneFilters.Add(k, v)
+		case "label!":
+			// "label != some-value" conflicts with "label = some-value"
+			if pruneFilters.ExactMatch("label", v) {
 				continue
 			}
+			pruneFilters.Add(k, v)
+		default:
+			pruneFilters.Add(k, v)
 		}
-		pruneFilters.Add(k, v)
 	}
 
 	return pruneFilters
@@ -202,7 +114,7 @@ func AddPlatformFlag(flags *pflag.FlagSet, target *string) {
 	_ = flags.SetAnnotation("platform", "version", []string{"1.32"})
 }
 
-// ValidateOutputPath validates the output paths of the `export` and `save` commands.
+// ValidateOutputPath validates the output paths of the "docker cp" command.
 func ValidateOutputPath(path string) error {
 	dir := filepath.Dir(filepath.Clean(path))
 	if dir != "" && dir != "." {
@@ -228,8 +140,8 @@ func ValidateOutputPath(path string) error {
 	return nil
 }
 
-// ValidateOutputPathFileMode validates the output paths of the `cp` command and serves as a
-// helper to `ValidateOutputPath`
+// ValidateOutputPathFileMode validates the output paths of the "docker cp" command
+// and serves as a helper to [ValidateOutputPath]
 func ValidateOutputPathFileMode(fileMode os.FileMode) error {
 	switch {
 	case fileMode&os.ModeDevice != 0:
@@ -240,47 +152,21 @@ func ValidateOutputPathFileMode(fileMode os.FileMode) error {
 	return nil
 }
 
-func stringSliceIndex(s, subs []string) int {
-	j := 0
-	if len(subs) > 0 {
-		for i, x := range s {
-			if j < len(subs) && subs[j] == x {
-				j++
-			} else {
-				j = 0
-			}
-			if len(subs) == j {
-				return i + 1 - j
-			}
-		}
-	}
-	return -1
+func invalidParameter(err error) error {
+	return invalidParameterErr{err}
 }
 
-// StringSliceReplaceAt replaces the sub-slice find, with the sub-slice replace, in the string
-// slice s, returning a new slice and a boolean indicating if the replacement happened.
-// requireIdx is the index at which old needs to be found at (or -1 to disregard that).
-func StringSliceReplaceAt(s, find, replace []string, requireIndex int) ([]string, bool) {
-	idx := stringSliceIndex(s, find)
-	if (requireIndex != -1 && requireIndex != idx) || idx == -1 {
-		return s, false
-	}
-	out := append([]string{}, s[:idx]...)
-	out = append(out, replace...)
-	out = append(out, s[idx+len(find):]...)
-	return out, true
+type invalidParameterErr struct{ error }
+
+func (invalidParameterErr) InvalidParameter() {}
+
+func notFound(err error) error {
+	return notFoundErr{err}
 }
 
-// ValidateMountWithAPIVersion validates a mount with the server API version.
-func ValidateMountWithAPIVersion(m mounttypes.Mount, serverAPIVersion string) error {
-	if m.BindOptions != nil {
-		if m.BindOptions.NonRecursive && versions.LessThan(serverAPIVersion, "1.40") {
-			return errors.Errorf("bind-recursive=disabled requires API v1.40 or later")
-		}
-		// ReadOnlyNonRecursive can be safely ignored when API < 1.44
-		if m.BindOptions.ReadOnlyForceRecursive && versions.LessThan(serverAPIVersion, "1.44") {
-			return errors.Errorf("bind-recursive=readonly requires API v1.44 or later")
-		}
-	}
-	return nil
+type notFoundErr struct{ error }
+
+func (notFoundErr) NotFound() {}
+func (e notFoundErr) Unwrap() error {
+	return e.error
 }
diff --git a/vendor/github.com/docker/cli/cli/compose/interpolation/interpolation.go b/vendor/github.com/docker/cli/cli/compose/interpolation/interpolation.go
index ee11656f..c7bee693 100644
--- a/vendor/github.com/docker/cli/cli/compose/interpolation/interpolation.go
+++ b/vendor/github.com/docker/cli/cli/compose/interpolation/interpolation.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package interpolation
 
@@ -67,7 +67,10 @@ func recursiveInterpolate(value any, path Path, opts Options) (any, error) {
 			return newValue, nil
 		}
 		casted, err := caster(newValue)
-		return casted, newPathError(path, errors.Wrap(err, "failed to cast to expected type"))
+		if err != nil {
+			return casted, newPathError(path, errors.Wrap(err, "failed to cast to expected type"))
+		}
+		return casted, nil
 
 	case map[string]any:
 		out := map[string]any{}
diff --git a/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go b/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go
index 82c36d7d..93ac9d83 100644
--- a/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go
+++ b/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package loader
 
diff --git a/vendor/github.com/docker/cli/cli/compose/loader/loader.go b/vendor/github.com/docker/cli/cli/compose/loader/loader.go
index 6cd2d203..b2673394 100644
--- a/vendor/github.com/docker/cli/cli/compose/loader/loader.go
+++ b/vendor/github.com/docker/cli/cli/compose/loader/loader.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package loader
 
@@ -18,9 +18,10 @@ import (
 	"github.com/docker/cli/cli/compose/template"
 	"github.com/docker/cli/cli/compose/types"
 	"github.com/docker/cli/opts"
+	"github.com/docker/cli/opts/swarmopts"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/go-connections/nat"
-	units "github.com/docker/go-units"
+	"github.com/docker/go-units"
 	"github.com/go-viper/mapstructure/v2"
 	"github.com/google/shlex"
 	"github.com/pkg/errors"
@@ -925,7 +926,7 @@ func toServicePortConfigs(value string) ([]any, error) {
 
 	for _, key := range keys {
 		// Reuse ConvertPortToPortConfig so that it is consistent
-		portConfig, err := opts.ConvertPortToPortConfig(nat.Port(key), portBindings)
+		portConfig, err := swarmopts.ConvertPortToPortConfig(nat.Port(key), portBindings)
 		if err != nil {
 			return nil, err
 		}
diff --git a/vendor/github.com/docker/cli/cli/compose/loader/merge.go b/vendor/github.com/docker/cli/cli/compose/loader/merge.go
index ee0a39f9..8c0f35db 100644
--- a/vendor/github.com/docker/cli/cli/compose/loader/merge.go
+++ b/vendor/github.com/docker/cli/cli/compose/loader/merge.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package loader
 
diff --git a/vendor/github.com/docker/cli/cli/compose/schema/schema.go b/vendor/github.com/docker/cli/cli/compose/schema/schema.go
index b636ea5b..1484410d 100644
--- a/vendor/github.com/docker/cli/cli/compose/schema/schema.go
+++ b/vendor/github.com/docker/cli/cli/compose/schema/schema.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package schema
 
diff --git a/vendor/github.com/docker/cli/cli/compose/template/template.go b/vendor/github.com/docker/cli/cli/compose/template/template.go
index 1507c0ee..b823b499 100644
--- a/vendor/github.com/docker/cli/cli/compose/template/template.go
+++ b/vendor/github.com/docker/cli/cli/compose/template/template.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package template
 
@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"regexp"
 	"strings"
+
+	"github.com/docker/cli/internal/lazyregexp"
 )
 
 const (
@@ -14,11 +16,21 @@ const (
 	subst     = "[_a-z][_a-z0-9]*(?::?[-?][^}]*)?"
 )
 
-var defaultPattern = regexp.MustCompile(fmt.Sprintf(
+var defaultPattern = lazyregexp.New(fmt.Sprintf(
 	"%s(?i:(?P<escaped>%s)|(?P<named>%s)|{(?P<braced>%s)}|(?P<invalid>))",
 	delimiter, delimiter, subst, subst,
 ))
 
+// regexper is an internal interface to allow passing a [lazyregexp.Regexp]
+// in places where a custom ("regular") [regexp.Regexp] is accepted. It defines
+// only the methods we currently use.
+type regexper interface {
+	FindAllStringSubmatch(s string, n int) [][]string
+	FindStringSubmatch(s string) []string
+	ReplaceAllStringFunc(src string, repl func(string) string) string
+	SubexpNames() []string
+}
+
 // DefaultSubstituteFuncs contains the default SubstituteFunc used by the docker cli
 var DefaultSubstituteFuncs = []SubstituteFunc{
 	softDefault,
@@ -51,10 +63,16 @@ type SubstituteFunc func(string, Mapping) (string, bool, error)
 // SubstituteWith substitutes variables in the string with their values.
 // It accepts additional substitute function.
 func SubstituteWith(template string, mapping Mapping, pattern *regexp.Regexp, subsFuncs ...SubstituteFunc) (string, error) {
+	return substituteWith(template, mapping, pattern, subsFuncs...)
+}
+
+// SubstituteWith substitutes variables in the string with their values.
+// It accepts additional substitute function.
+func substituteWith(template string, mapping Mapping, pattern regexper, subsFuncs ...SubstituteFunc) (string, error) {
 	var err error
 	result := pattern.ReplaceAllStringFunc(template, func(substring string) string {
 		matches := pattern.FindStringSubmatch(substring)
-		groups := matchGroups(matches, pattern)
+		groups := matchGroups(matches, defaultPattern)
 		if escaped := groups["escaped"]; escaped != "" {
 			return escaped
 		}
@@ -93,38 +111,42 @@ func SubstituteWith(template string, mapping Mapping, pattern *regexp.Regexp, su
 
 // Substitute variables in the string with their values
 func Substitute(template string, mapping Mapping) (string, error) {
-	return SubstituteWith(template, mapping, defaultPattern, DefaultSubstituteFuncs...)
+	return substituteWith(template, mapping, defaultPattern, DefaultSubstituteFuncs...)
 }
 
 // ExtractVariables returns a map of all the variables defined in the specified
 // composefile (dict representation) and their default value if any.
 func ExtractVariables(configDict map[string]any, pattern *regexp.Regexp) map[string]string {
+	return extractVariables(configDict, pattern)
+}
+
+func extractVariables(configDict map[string]any, pattern regexper) map[string]string {
 	if pattern == nil {
 		pattern = defaultPattern
 	}
 	return recurseExtract(configDict, pattern)
 }
 
-func recurseExtract(value any, pattern *regexp.Regexp) map[string]string {
+func recurseExtract(value any, pattern regexper) map[string]string {
 	m := map[string]string{}
 
-	switch value := value.(type) {
+	switch val := value.(type) {
 	case string:
-		if values, is := extractVariable(value, pattern); is {
+		if values, is := extractVariable(val, pattern); is {
 			for _, v := range values {
 				m[v.name] = v.value
 			}
 		}
 	case map[string]any:
-		for _, elem := range value {
+		for _, elem := range val {
 			submap := recurseExtract(elem, pattern)
-			for key, value := range submap {
-				m[key] = value
+			for k, v := range submap {
+				m[k] = v
 			}
 		}
 
 	case []any:
-		for _, elem := range value {
+		for _, elem := range val {
 			if values, is := extractVariable(elem, pattern); is {
 				for _, v := range values {
 					m[v.name] = v.value
@@ -141,7 +163,7 @@ type extractedValue struct {
 	value string
 }
 
-func extractVariable(value any, pattern *regexp.Regexp) ([]extractedValue, bool) {
+func extractVariable(value any, pattern regexper) ([]extractedValue, bool) {
 	sValue, ok := value.(string)
 	if !ok {
 		return []extractedValue{}, false
@@ -227,7 +249,7 @@ func withRequired(substitution string, mapping Mapping, sep string, valid func(s
 	return value, true, nil
 }
 
-func matchGroups(matches []string, pattern *regexp.Regexp) map[string]string {
+func matchGroups(matches []string, pattern regexper) map[string]string {
 	groups := make(map[string]string)
 	for i, name := range pattern.SubexpNames()[1:] {
 		groups[name] = matches[i+1]
diff --git a/vendor/github.com/docker/cli/cli/compose/types/types.go b/vendor/github.com/docker/cli/cli/compose/types/types.go
index 1377a795..0804388a 100644
--- a/vendor/github.com/docker/cli/cli/compose/types/types.go
+++ b/vendor/github.com/docker/cli/cli/compose/types/types.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package types
 
diff --git a/vendor/github.com/docker/cli/cli/config/config.go b/vendor/github.com/docker/cli/cli/config/config.go
index 910b3c00..cbb34486 100644
--- a/vendor/github.com/docker/cli/cli/config/config.go
+++ b/vendor/github.com/docker/cli/cli/config/config.go
@@ -58,7 +58,7 @@ func resetConfigDir() {
 // getHomeDir is a copy of [pkg/homedir.Get] to prevent adding docker/docker
 // as dependency for consumers that only need to read the config-file.
 //
-// [pkg/homedir.Get]: https://pkg.go.dev/github.com/docker/docker@v26.1.4+incompatible/pkg/homedir#Get
+// [pkg/homedir.Get]: https://pkg.go.dev/github.com/docker/docker@v28.0.3+incompatible/pkg/homedir#Get
 func getHomeDir() string {
 	home, _ := os.UserHomeDir()
 	if home == "" && runtime.GOOS != "windows" {
@@ -69,6 +69,11 @@ func getHomeDir() string {
 	return home
 }
 
+// Provider defines an interface for providing the CLI config.
+type Provider interface {
+	ConfigFile() *configfile.ConfigFile
+}
+
 // Dir returns the directory the configuration file is stored in
 func Dir() string {
 	initConfigDir.Do(func() {
diff --git a/vendor/github.com/docker/cli/cli/config/configfile/file.go b/vendor/github.com/docker/cli/cli/config/configfile/file.go
index ae9dcb33..530c5228 100644
--- a/vendor/github.com/docker/cli/cli/config/configfile/file.go
+++ b/vendor/github.com/docker/cli/cli/config/configfile/file.go
@@ -3,12 +3,14 @@ package configfile
 import (
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/cli/cli/config/memorystore"
 	"github.com/docker/cli/cli/config/types"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -36,14 +38,41 @@ type ConfigFile struct {
 	NodesFormat          string                       `json:"nodesFormat,omitempty"`
 	PruneFilters         []string                     `json:"pruneFilters,omitempty"`
 	Proxies              map[string]ProxyConfig       `json:"proxies,omitempty"`
-	Experimental         string                       `json:"experimental,omitempty"`
 	CurrentContext       string                       `json:"currentContext,omitempty"`
 	CLIPluginsExtraDirs  []string                     `json:"cliPluginsExtraDirs,omitempty"`
 	Plugins              map[string]map[string]string `json:"plugins,omitempty"`
 	Aliases              map[string]string            `json:"aliases,omitempty"`
 	Features             map[string]string            `json:"features,omitempty"`
+
+	// Deprecated: experimental CLI features are always enabled and this field is no longer used. Use [Features] instead for optional features. This field will be removed in a future release.
+	Experimental string `json:"experimental,omitempty"`
 }
 
+type configEnvAuth struct {
+	Auth string `json:"auth"`
+}
+
+type configEnv struct {
+	AuthConfigs map[string]configEnvAuth `json:"auths"`
+}
+
+// DockerEnvConfigKey is an environment variable that contains a JSON encoded
+// credential config. It only supports storing the credentials as a base64
+// encoded string in the format base64("username:pat").
+//
+// Adding additional fields will produce a parsing error.
+//
+// Example:
+//
+//	{
+//		"auths": {
+//			"example.test": {
+//				"auth": base64-encoded-username-pat
+//			}
+//		}
+//	}
+const DockerEnvConfigKey = "DOCKER_AUTH_CONFIG"
+
 // ProxyConfig contains proxy configuration settings
 type ProxyConfig struct {
 	HTTPProxy  string `json:"httpProxy,omitempty"`
@@ -150,7 +179,8 @@ func (configFile *ConfigFile) Save() (retErr error) {
 		return err
 	}
 	defer func() {
-		temp.Close()
+		// ignore error as the file may already be closed when we reach this.
+		_ = temp.Close()
 		if retErr != nil {
 			if err := os.Remove(temp.Name()); err != nil {
 				logrus.WithError(err).WithField("file", temp.Name()).Debug("Error cleaning up temp file")
@@ -167,10 +197,16 @@ func (configFile *ConfigFile) Save() (retErr error) {
 		return errors.Wrap(err, "error closing temp file")
 	}
 
-	// Handle situation where the configfile is a symlink
+	// Handle situation where the configfile is a symlink, and allow for dangling symlinks
 	cfgFile := configFile.Filename
-	if f, err := os.Readlink(cfgFile); err == nil {
+	if f, err := filepath.EvalSymlinks(cfgFile); err == nil {
 		cfgFile = f
+	} else if os.IsNotExist(err) {
+		// extract the path from the error if the configfile does not exist or is a dangling symlink
+		var pathError *os.PathError
+		if errors.As(err, &pathError) {
+			cfgFile = pathError.Path
+		}
 	}
 
 	// Try copying the current config file (if any) ownership and permissions
@@ -254,10 +290,64 @@ func decodeAuth(authStr string) (string, string, error) {
 // GetCredentialsStore returns a new credentials store from the settings in the
 // configuration file
 func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) credentials.Store {
+	store := credentials.NewFileStore(configFile)
+
 	if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" {
-		return newNativeStore(configFile, helper)
+		store = newNativeStore(configFile, helper)
 	}
-	return credentials.NewFileStore(configFile)
+
+	envConfig := os.Getenv(DockerEnvConfigKey)
+	if envConfig == "" {
+		return store
+	}
+
+	authConfig, err := parseEnvConfig(envConfig)
+	if err != nil {
+		_, _ = fmt.Fprintln(os.Stderr, "Failed to create credential store from DOCKER_AUTH_CONFIG: ", err)
+		return store
+	}
+
+	// use DOCKER_AUTH_CONFIG if set
+	// it uses the native or file store as a fallback to fetch and store credentials
+	envStore, err := memorystore.New(
+		memorystore.WithAuthConfig(authConfig),
+		memorystore.WithFallbackStore(store),
+	)
+	if err != nil {
+		_, _ = fmt.Fprintln(os.Stderr, "Failed to create credential store from DOCKER_AUTH_CONFIG: ", err)
+		return store
+	}
+
+	return envStore
+}
+
+func parseEnvConfig(v string) (map[string]types.AuthConfig, error) {
+	envConfig := &configEnv{}
+	decoder := json.NewDecoder(strings.NewReader(v))
+	decoder.DisallowUnknownFields()
+	if err := decoder.Decode(envConfig); err != nil && !errors.Is(err, io.EOF) {
+		return nil, err
+	}
+	if decoder.More() {
+		return nil, errors.New("DOCKER_AUTH_CONFIG does not support more than one JSON object")
+	}
+
+	authConfigs := make(map[string]types.AuthConfig)
+	for addr, envAuth := range envConfig.AuthConfigs {
+		if envAuth.Auth == "" {
+			return nil, fmt.Errorf("DOCKER_AUTH_CONFIG environment variable is missing key `auth` for %s", addr)
+		}
+		username, password, err := decodeAuth(envAuth.Auth)
+		if err != nil {
+			return nil, err
+		}
+		authConfigs[addr] = types.AuthConfig{
+			Username:      username,
+			Password:      password,
+			ServerAddress: addr,
+		}
+	}
+	return authConfigs, nil
 }
 
 // var for unit testing.
diff --git a/vendor/github.com/docker/cli/cli/config/memorystore/store.go b/vendor/github.com/docker/cli/cli/config/memorystore/store.go
new file mode 100644
index 00000000..19908346
--- /dev/null
+++ b/vendor/github.com/docker/cli/cli/config/memorystore/store.go
@@ -0,0 +1,126 @@
+//go:build go1.23
+
+package memorystore
+
+import (
+	"errors"
+	"fmt"
+	"maps"
+	"os"
+	"sync"
+
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/cli/cli/config/types"
+)
+
+var errValueNotFound = errors.New("value not found")
+
+func IsErrValueNotFound(err error) bool {
+	return errors.Is(err, errValueNotFound)
+}
+
+type Config struct {
+	lock              sync.RWMutex
+	memoryCredentials map[string]types.AuthConfig
+	fallbackStore     credentials.Store
+}
+
+func (e *Config) Erase(serverAddress string) error {
+	e.lock.Lock()
+	defer e.lock.Unlock()
+	delete(e.memoryCredentials, serverAddress)
+
+	if e.fallbackStore != nil {
+		err := e.fallbackStore.Erase(serverAddress)
+		if err != nil {
+			_, _ = fmt.Fprintln(os.Stderr, "memorystore: ", err)
+		}
+	}
+
+	return nil
+}
+
+func (e *Config) Get(serverAddress string) (types.AuthConfig, error) {
+	e.lock.RLock()
+	defer e.lock.RUnlock()
+	authConfig, ok := e.memoryCredentials[serverAddress]
+	if !ok {
+		if e.fallbackStore != nil {
+			return e.fallbackStore.Get(serverAddress)
+		}
+		return types.AuthConfig{}, errValueNotFound
+	}
+	return authConfig, nil
+}
+
+func (e *Config) GetAll() (map[string]types.AuthConfig, error) {
+	e.lock.RLock()
+	defer e.lock.RUnlock()
+	creds := make(map[string]types.AuthConfig)
+
+	if e.fallbackStore != nil {
+		fileCredentials, err := e.fallbackStore.GetAll()
+		if err != nil {
+			_, _ = fmt.Fprintln(os.Stderr, "memorystore: ", err)
+		} else {
+			creds = fileCredentials
+		}
+	}
+
+	maps.Copy(creds, e.memoryCredentials)
+	return creds, nil
+}
+
+func (e *Config) Store(authConfig types.AuthConfig) error {
+	e.lock.Lock()
+	defer e.lock.Unlock()
+	e.memoryCredentials[authConfig.ServerAddress] = authConfig
+
+	if e.fallbackStore != nil {
+		return e.fallbackStore.Store(authConfig)
+	}
+	return nil
+}
+
+// WithFallbackStore sets a fallback store.
+//
+// Write operations will be performed on both the memory store and the
+// fallback store.
+//
+// Read operations will first check the memory store, and if the credential
+// is not found, it will then check the fallback store.
+//
+// Retrieving all credentials will return from both the memory store and the
+// fallback store, merging the results from both stores into a single map.
+//
+// Data stored in the memory store will take precedence over data in the
+// fallback store.
+func WithFallbackStore(store credentials.Store) Options {
+	return func(s *Config) error {
+		s.fallbackStore = store
+		return nil
+	}
+}
+
+// WithAuthConfig allows to set the initial credentials in the memory store.
+func WithAuthConfig(config map[string]types.AuthConfig) Options {
+	return func(s *Config) error {
+		s.memoryCredentials = config
+		return nil
+	}
+}
+
+type Options func(*Config) error
+
+// New creates a new in memory credential store
+func New(opts ...Options) (credentials.Store, error) {
+	m := &Config{
+		memoryCredentials: make(map[string]types.AuthConfig),
+	}
+	for _, opt := range opts {
+		if err := opt(m); err != nil {
+			return nil, err
+		}
+	}
+	return m, nil
+}
diff --git a/vendor/github.com/docker/cli/cli/connhelper/commandconn/commandconn.go b/vendor/github.com/docker/cli/cli/connhelper/commandconn/commandconn.go
index 52888a91..4b04f8b3 100644
--- a/vendor/github.com/docker/cli/cli/connhelper/commandconn/commandconn.go
+++ b/vendor/github.com/docker/cli/cli/connhelper/commandconn/commandconn.go
@@ -28,7 +28,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
@@ -149,7 +148,7 @@ func (c *commandConn) handleEOF(err error) error {
 			c.stderrMu.Lock()
 			stderr := c.stderr.String()
 			c.stderrMu.Unlock()
-			return errors.Errorf("command %v did not exit after %v: stderr=%q", c.cmd.Args, err, stderr)
+			return fmt.Errorf("command %v did not exit after %v: stderr=%q", c.cmd.Args, err, stderr)
 		}
 	}
 
@@ -159,7 +158,7 @@ func (c *commandConn) handleEOF(err error) error {
 	c.stderrMu.Lock()
 	stderr := c.stderr.String()
 	c.stderrMu.Unlock()
-	return errors.Errorf("command %v has exited with %v, make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=%s", c.cmd.Args, werr, stderr)
+	return fmt.Errorf("command %v has exited with %v, make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=%s", c.cmd.Args, werr, stderr)
 }
 
 func ignorableCloseError(err error) bool {
diff --git a/vendor/github.com/docker/cli/cli/connhelper/connhelper.go b/vendor/github.com/docker/cli/cli/connhelper/connhelper.go
index 152d3e29..25ce7aef 100644
--- a/vendor/github.com/docker/cli/cli/connhelper/connhelper.go
+++ b/vendor/github.com/docker/cli/cli/connhelper/connhelper.go
@@ -3,13 +3,13 @@ package connhelper
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"net/url"
 	"strings"
 
 	"github.com/docker/cli/cli/connhelper/commandconn"
 	"github.com/docker/cli/cli/connhelper/ssh"
-	"github.com/pkg/errors"
 )
 
 // ConnectionHelper allows to connect to a remote host with custom stream provider binary.
@@ -41,20 +41,25 @@ func getConnectionHelper(daemonURL string, sshFlags []string) (*ConnectionHelper
 		return nil, err
 	}
 	if u.Scheme == "ssh" {
-		sp, err := ssh.ParseURL(daemonURL)
+		sp, err := ssh.NewSpec(u)
 		if err != nil {
-			return nil, errors.Wrap(err, "ssh host connection is not valid")
+			return nil, fmt.Errorf("ssh host connection is not valid: %w", err)
 		}
 		sshFlags = addSSHTimeout(sshFlags)
 		sshFlags = disablePseudoTerminalAllocation(sshFlags)
+
+		remoteCommand := []string{"docker", "system", "dial-stdio"}
+		socketPath := sp.Path
+		if strings.Trim(sp.Path, "/") != "" {
+			remoteCommand = []string{"docker", "--host=unix://" + socketPath, "system", "dial-stdio"}
+		}
+		sshArgs, err := sp.Command(sshFlags, remoteCommand...)
+		if err != nil {
+			return nil, err
+		}
 		return &ConnectionHelper{
 			Dialer: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				args := []string{"docker"}
-				if sp.Path != "" {
-					args = append(args, "--host", "unix://"+sp.Path)
-				}
-				args = append(args, "system", "dial-stdio")
-				return commandconn.New(ctx, "ssh", append(sshFlags, sp.Args(args...)...)...)
+				return commandconn.New(ctx, "ssh", sshArgs...)
 			},
 			Host: "http://docker.example.com",
 		}, nil
diff --git a/vendor/github.com/miekg/pkcs11/LICENSE b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/LICENSE
similarity index 91%
rename from vendor/github.com/miekg/pkcs11/LICENSE
rename to vendor/github.com/docker/cli/cli/connhelper/internal/syntax/LICENSE
index ce25d13a..2a5268e5 100644
--- a/vendor/github.com/miekg/pkcs11/LICENSE
+++ b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2013 Miek Gieben. All rights reserved.
+Copyright (c) 2016, Daniel Martí. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Miek Gieben nor the names of its
+   * Neither the name of the copyright holder nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
diff --git a/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/doc.go b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/doc.go
new file mode 100644
index 00000000..32cf60c7
--- /dev/null
+++ b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/doc.go
@@ -0,0 +1,13 @@
+// Package syntax is a fork of [mvdan.cc/sh/v3@v3.10.0/syntax].
+//
+// Copyright (c) 2016, Daniel Martí. All rights reserved.
+//
+// It is a reduced set of the package to only provide the [Quote] function,
+// and contains the [LICENSE], [quote.go] and [parser.go] files at the given
+// revision.
+//
+// [quote.go]: https://raw.githubusercontent.com/mvdan/sh/refs/tags/v3.10.0/syntax/quote.go
+// [parser.go]: https://raw.githubusercontent.com/mvdan/sh/refs/tags/v3.10.0/syntax/parser.go
+// [LICENSE]: https://raw.githubusercontent.com/mvdan/sh/refs/tags/v3.10.0/LICENSE
+// [mvdan.cc/sh/v3@v3.10.0/syntax]: https://pkg.go.dev/mvdan.cc/sh/v3@v3.10.0/syntax
+package syntax
diff --git a/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/parser.go b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/parser.go
new file mode 100644
index 00000000..06b1222f
--- /dev/null
+++ b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/parser.go
@@ -0,0 +1,95 @@
+// Copyright (c) 2016, Daniel Martí <mvdan@mvdan.cc>
+// See LICENSE for licensing information
+
+package syntax
+
+// LangVariant describes a shell language variant to use when tokenizing and
+// parsing shell code. The zero value is [LangBash].
+type LangVariant int
+
+const (
+	// LangBash corresponds to the GNU Bash language, as described in its
+	// manual at https://www.gnu.org/software/bash/manual/bash.html.
+	//
+	// We currently follow Bash version 5.2.
+	//
+	// Its string representation is "bash".
+	LangBash LangVariant = iota
+
+	// LangPOSIX corresponds to the POSIX Shell language, as described at
+	// https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html.
+	//
+	// Its string representation is "posix" or "sh".
+	LangPOSIX
+
+	// LangMirBSDKorn corresponds to the MirBSD Korn Shell, also known as
+	// mksh, as described at http://www.mirbsd.org/htman/i386/man1/mksh.htm.
+	// Note that it shares some features with Bash, due to the shared
+	// ancestry that is ksh.
+	//
+	// We currently follow mksh version 59.
+	//
+	// Its string representation is "mksh".
+	LangMirBSDKorn
+
+	// LangBats corresponds to the Bash Automated Testing System language,
+	// as described at https://github.com/bats-core/bats-core. Note that
+	// it's just a small extension of the Bash language.
+	//
+	// Its string representation is "bats".
+	LangBats
+
+	// LangAuto corresponds to automatic language detection,
+	// commonly used by end-user applications like shfmt,
+	// which can guess a file's language variant given its filename or shebang.
+	//
+	// At this time, [Variant] does not support LangAuto.
+	LangAuto
+)
+
+func (l LangVariant) String() string {
+	switch l {
+	case LangBash:
+		return "bash"
+	case LangPOSIX:
+		return "posix"
+	case LangMirBSDKorn:
+		return "mksh"
+	case LangBats:
+		return "bats"
+	case LangAuto:
+		return "auto"
+	}
+	return "unknown shell language variant"
+}
+
+// IsKeyword returns true if the given word is part of the language keywords.
+func IsKeyword(word string) bool {
+	// This list has been copied from the bash 5.1 source code, file y.tab.c +4460
+	switch word {
+	case
+		"!",
+		"[[", // only if COND_COMMAND is defined
+		"]]", // only if COND_COMMAND is defined
+		"case",
+		"coproc", // only if COPROCESS_SUPPORT is defined
+		"do",
+		"done",
+		"else",
+		"esac",
+		"fi",
+		"for",
+		"function",
+		"if",
+		"in",
+		"select", // only if SELECT_COMMAND is defined
+		"then",
+		"time", // only if COMMAND_TIMING is defined
+		"until",
+		"while",
+		"{",
+		"}":
+		return true
+	}
+	return false
+}
diff --git a/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/quote.go b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/quote.go
new file mode 100644
index 00000000..628fa489
--- /dev/null
+++ b/vendor/github.com/docker/cli/cli/connhelper/internal/syntax/quote.go
@@ -0,0 +1,187 @@
+// Copyright (c) 2021, Daniel Martí <mvdan@mvdan.cc>
+// See LICENSE for licensing information
+
+package syntax
+
+import (
+	"fmt"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+type QuoteError struct {
+	ByteOffset int
+	Message    string
+}
+
+func (e QuoteError) Error() string {
+	return fmt.Sprintf("cannot quote character at byte %d: %s", e.ByteOffset, e.Message)
+}
+
+const (
+	quoteErrNull  = "shell strings cannot contain null bytes"
+	quoteErrPOSIX = "POSIX shell lacks escape sequences"
+	quoteErrRange = "rune out of range"
+	quoteErrMksh  = "mksh cannot escape codepoints above 16 bits"
+)
+
+// Quote returns a quoted version of the input string,
+// so that the quoted version is expanded or interpreted
+// as the original string in the given language variant.
+//
+// Quoting is necessary when using arbitrary literal strings
+// as words in a shell script or command.
+// Without quoting, one can run into syntax errors,
+// as well as the possibility of running unintended code.
+//
+// An error is returned when a string cannot be quoted for a variant.
+// For instance, POSIX lacks escape sequences for non-printable characters,
+// and no language variant can represent a string containing null bytes.
+// In such cases, the returned error type will be *QuoteError.
+//
+// The quoting strategy is chosen on a best-effort basis,
+// to minimize the amount of extra bytes necessary.
+//
+// Some strings do not require any quoting and are returned unchanged.
+// Those strings can be directly surrounded in single quotes as well.
+//
+//nolint:gocyclo // ignore "cyclomatic complexity 35 of func `Quote` is high (> 16) (gocyclo)"
+func Quote(s string, lang LangVariant) (string, error) {
+	if s == "" {
+		// Special case; an empty string must always be quoted,
+		// as otherwise it expands to zero fields.
+		return "''", nil
+	}
+	shellChars := false
+	nonPrintable := false
+	offs := 0
+	for rem := s; len(rem) > 0; {
+		r, size := utf8.DecodeRuneInString(rem)
+		switch r {
+		// Like regOps; token characters.
+		case ';', '"', '\'', '(', ')', '$', '|', '&', '>', '<', '`',
+			// Whitespace; might result in multiple fields.
+			' ', '\t', '\r', '\n',
+			// Escape sequences would be expanded.
+			'\\',
+			// Would start a comment unless quoted.
+			'#',
+			// Might result in brace expansion.
+			'{',
+			// Might result in tilde expansion.
+			'~',
+			// Might result in globbing.
+			'*', '?', '[',
+			// Might result in an assignment.
+			'=':
+			shellChars = true
+		case '\x00':
+			return "", &QuoteError{ByteOffset: offs, Message: quoteErrNull}
+		}
+		if r == utf8.RuneError || !unicode.IsPrint(r) {
+			if lang == LangPOSIX {
+				return "", &QuoteError{ByteOffset: offs, Message: quoteErrPOSIX}
+			}
+			nonPrintable = true
+		}
+		rem = rem[size:]
+		offs += size
+	}
+	if !shellChars && !nonPrintable && !IsKeyword(s) {
+		// Nothing to quote; avoid allocating.
+		return s, nil
+	}
+
+	// Single quotes are usually best,
+	// as they don't require any escaping of characters.
+	// If we have any invalid utf8 or non-printable runes,
+	// use $'' so that we can escape them.
+	// Note that we can't use double quotes for those.
+	var b strings.Builder
+	if nonPrintable {
+		b.WriteString("$'")
+		lastRequoteIfHex := false
+		offs = 0
+		for rem := s; len(rem) > 0; {
+			nextRequoteIfHex := false
+			r, size := utf8.DecodeRuneInString(rem)
+			switch {
+			case r == '\'', r == '\\':
+				b.WriteByte('\\')
+				b.WriteRune(r)
+			case unicode.IsPrint(r) && r != utf8.RuneError:
+				if lastRequoteIfHex && isHex(r) {
+					b.WriteString("'$'")
+				}
+				b.WriteRune(r)
+			case r == '\a':
+				b.WriteString(`\a`)
+			case r == '\b':
+				b.WriteString(`\b`)
+			case r == '\f':
+				b.WriteString(`\f`)
+			case r == '\n':
+				b.WriteString(`\n`)
+			case r == '\r':
+				b.WriteString(`\r`)
+			case r == '\t':
+				b.WriteString(`\t`)
+			case r == '\v':
+				b.WriteString(`\v`)
+			case r < utf8.RuneSelf, r == utf8.RuneError && size == 1:
+				// \xXX, fixed at two hexadecimal characters.
+				fmt.Fprintf(&b, "\\x%02x", rem[0])
+				// Unfortunately, mksh allows \x to consume more hex characters.
+				// Ensure that we don't allow it to read more than two.
+				if lang == LangMirBSDKorn {
+					nextRequoteIfHex = true
+				}
+			case r > utf8.MaxRune:
+				// Not a valid Unicode code point?
+				return "", &QuoteError{ByteOffset: offs, Message: quoteErrRange}
+			case lang == LangMirBSDKorn && r > 0xFFFD:
+				// From the CAVEATS section in R59's man page:
+				//
+				// mksh currently uses OPTU-16 internally, which is the same as
+				// UTF-8 and CESU-8 with 0000..FFFD being valid codepoints.
+				return "", &QuoteError{ByteOffset: offs, Message: quoteErrMksh}
+			case r < 0x10000:
+				// \uXXXX, fixed at four hexadecimal characters.
+				fmt.Fprintf(&b, "\\u%04x", r)
+			default:
+				// \UXXXXXXXX, fixed at eight hexadecimal characters.
+				fmt.Fprintf(&b, "\\U%08x", r)
+			}
+			rem = rem[size:]
+			lastRequoteIfHex = nextRequoteIfHex
+			offs += size
+		}
+		b.WriteString("'")
+		return b.String(), nil
+	}
+
+	// Single quotes without any need for escaping.
+	if !strings.Contains(s, "'") {
+		return "'" + s + "'", nil
+	}
+
+	// The string contains single quotes,
+	// so fall back to double quotes.
+	b.WriteByte('"')
+	for _, r := range s {
+		switch r {
+		case '"', '\\', '`', '$':
+			b.WriteByte('\\')
+		}
+		b.WriteRune(r)
+	}
+	b.WriteByte('"')
+	return b.String(), nil
+}
+
+func isHex(r rune) bool {
+	return (r >= '0' && r <= '9') ||
+		(r >= 'a' && r <= 'f') ||
+		(r >= 'A' && r <= 'F')
+}
diff --git a/vendor/github.com/docker/cli/cli/connhelper/ssh/ssh.go b/vendor/github.com/docker/cli/cli/connhelper/ssh/ssh.go
index fb4c9111..2fcb54a9 100644
--- a/vendor/github.com/docker/cli/cli/connhelper/ssh/ssh.go
+++ b/vendor/github.com/docker/cli/cli/connhelper/ssh/ssh.go
@@ -2,19 +2,48 @@
 package ssh
 
 import (
+	"errors"
+	"fmt"
 	"net/url"
 
-	"github.com/pkg/errors"
+	"github.com/docker/cli/cli/connhelper/internal/syntax"
 )
 
-// ParseURL parses URL
+// ParseURL creates a [Spec] from the given ssh URL. It returns an error if
+// the URL is using the wrong scheme, contains fragments, query-parameters,
+// or contains a password.
 func ParseURL(daemonURL string) (*Spec, error) {
 	u, err := url.Parse(daemonURL)
 	if err != nil {
-		return nil, err
+		var urlErr *url.Error
+		if errors.As(err, &urlErr) {
+			err = urlErr.Unwrap()
+		}
+		return nil, fmt.Errorf("invalid SSH URL: %w", err)
+	}
+	return NewSpec(u)
+}
+
+// NewSpec creates a [Spec] from the given ssh URL's properties. It returns
+// an error if the URL is using the wrong scheme, contains fragments,
+// query-parameters, or contains a password.
+func NewSpec(sshURL *url.URL) (*Spec, error) {
+	s, err := newSpec(sshURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid SSH URL: %w", err)
+	}
+	return s, nil
+}
+
+func newSpec(u *url.URL) (*Spec, error) {
+	if u == nil {
+		return nil, errors.New("URL is nil")
+	}
+	if u.Scheme == "" {
+		return nil, errors.New("no scheme provided")
 	}
 	if u.Scheme != "ssh" {
-		return nil, errors.Errorf("expected scheme ssh, got %q", u.Scheme)
+		return nil, errors.New("incorrect scheme: " + u.Scheme)
 	}
 
 	var sp Spec
@@ -27,17 +56,18 @@ func ParseURL(daemonURL string) (*Spec, error) {
 	}
 	sp.Host = u.Hostname()
 	if sp.Host == "" {
-		return nil, errors.Errorf("no host specified")
+		return nil, errors.New("hostname is empty")
 	}
 	sp.Port = u.Port()
 	sp.Path = u.Path
 	if u.RawQuery != "" {
-		return nil, errors.Errorf("extra query after the host: %q", u.RawQuery)
+		return nil, fmt.Errorf("query parameters are not allowed: %q", u.RawQuery)
 	}
 	if u.Fragment != "" {
-		return nil, errors.Errorf("extra fragment after the host: %q", u.Fragment)
+		return nil, fmt.Errorf("fragments are not allowed: %q", u.Fragment)
 	}
-	return &sp, err
+
+	return &sp, nil
 }
 
 // Spec of SSH URL
@@ -48,16 +78,106 @@ type Spec struct {
 	Path string
 }
 
-// Args returns args except "ssh" itself combined with optional additional command args
-func (sp *Spec) Args(add ...string) []string {
+// Args returns args except "ssh" itself combined with optional additional
+// command and args to be executed on the remote host. It attempts to quote
+// the given arguments to account for ssh executing the remote command in a
+// shell. It returns nil when unable to quote the remote command.
+func (sp *Spec) Args(remoteCommandAndArgs ...string) []string {
+	// Format the remote command to run using the ssh connection, quoting
+	// values where needed because ssh executes these in a POSIX shell.
+	remoteCommand, err := quoteCommand(remoteCommandAndArgs...)
+	if err != nil {
+		return nil
+	}
+
+	sshArgs, err := sp.args()
+	if err != nil {
+		return nil
+	}
+	if remoteCommand != "" {
+		sshArgs = append(sshArgs, remoteCommand)
+	}
+	return sshArgs
+}
+
+func (sp *Spec) args(sshFlags ...string) ([]string, error) {
 	var args []string
+	if sp.Host == "" {
+		return nil, errors.New("no host specified")
+	}
 	if sp.User != "" {
-		args = append(args, "-l", sp.User)
+		// Quote user, as it's obtained from the URL.
+		usr, err := syntax.Quote(sp.User, syntax.LangPOSIX)
+		if err != nil {
+			return nil, fmt.Errorf("invalid user: %w", err)
+		}
+		args = append(args, "-l", usr)
 	}
 	if sp.Port != "" {
-		args = append(args, "-p", sp.Port)
+		// Quote port, as it's obtained from the URL.
+		port, err := syntax.Quote(sp.Port, syntax.LangPOSIX)
+		if err != nil {
+			return nil, fmt.Errorf("invalid port: %w", err)
+		}
+		args = append(args, "-p", port)
 	}
-	args = append(args, "--", sp.Host)
-	args = append(args, add...)
-	return args
+
+	// We consider "sshFlags" to be "trusted", and set from code only,
+	// as they are not parsed from the DOCKER_HOST URL.
+	args = append(args, sshFlags...)
+
+	host, err := syntax.Quote(sp.Host, syntax.LangPOSIX)
+	if err != nil {
+		return nil, fmt.Errorf("invalid host: %w", err)
+	}
+
+	return append(args, "--", host), nil
+}
+
+// Command returns the ssh flags and arguments to execute a command
+// (remoteCommandAndArgs) on the remote host. Where needed, it quotes
+// values passed in remoteCommandAndArgs to account for ssh executing
+// the remote command in a shell. It returns an error if no remote command
+// is passed, or when unable to quote the remote command.
+//
+// Important: to preserve backward-compatibility, Command does not currently
+// perform sanitization or quoting on the sshFlags and callers are expected
+// to sanitize this argument.
+func (sp *Spec) Command(sshFlags []string, remoteCommandAndArgs ...string) ([]string, error) {
+	if len(remoteCommandAndArgs) == 0 {
+		return nil, errors.New("no remote command specified")
+	}
+	sshArgs, err := sp.args(sshFlags...)
+	if err != nil {
+		return nil, err
+	}
+	remoteCommand, err := quoteCommand(remoteCommandAndArgs...)
+	if err != nil {
+		return nil, err
+	}
+	if remoteCommand != "" {
+		sshArgs = append(sshArgs, remoteCommand)
+	}
+	return sshArgs, nil
+}
+
+// quoteCommand returns the remote command to run using the ssh connection
+// as a single string, quoting values where needed because ssh executes
+// these in a POSIX shell.
+func quoteCommand(commandAndArgs ...string) (string, error) {
+	var quotedCmd string
+	for i, arg := range commandAndArgs {
+		a, err := syntax.Quote(arg, syntax.LangPOSIX)
+		if err != nil {
+			return "", fmt.Errorf("invalid argument: %w", err)
+		}
+		if i == 0 {
+			quotedCmd = a
+			continue
+		}
+		quotedCmd += " " + a
+	}
+	// each part is quoted appropriately, so now we'll have a full
+	// shell command to pass off to "ssh"
+	return quotedCmd, nil
 }
diff --git a/vendor/github.com/docker/cli/cli/context/docker/load.go b/vendor/github.com/docker/cli/cli/context/docker/load.go
index 700b73c9..89d43e2e 100644
--- a/vendor/github.com/docker/cli/cli/context/docker/load.go
+++ b/vendor/github.com/docker/cli/cli/context/docker/load.go
@@ -6,6 +6,7 @@ import (
 	"encoding/pem"
 	"net"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/docker/cli/cli/connhelper"
@@ -90,14 +91,19 @@ func (ep *Endpoint) ClientOpts() ([]client.Opt, error) {
 			return nil, err
 		}
 		if helper == nil {
-			tlsConfig, err := ep.tlsConfig()
-			if err != nil {
-				return nil, err
+			// Check if we're connecting over a socket, because there's no
+			// need to configure TLS for a socket connection.
+			//
+			// TODO(thaJeztah); make resolveDockerEndpoint and resolveDefaultDockerEndpoint not load TLS data,
+			//  and load TLS files lazily; see https://github.com/docker/cli/pull/1581
+			if !isSocket(ep.Host) {
+				tlsConfig, err := ep.tlsConfig()
+				if err != nil {
+					return nil, err
+				}
+				result = append(result, withHTTPClient(tlsConfig))
 			}
-			result = append(result,
-				withHTTPClient(tlsConfig),
-				client.WithHost(ep.Host),
-			)
+			result = append(result, client.WithHost(ep.Host))
 		} else {
 			result = append(result,
 				client.WithHTTPClient(&http.Client{
@@ -116,6 +122,17 @@ func (ep *Endpoint) ClientOpts() ([]client.Opt, error) {
 	return result, nil
 }
 
+// isSocket checks if the given address is a Unix-socket (linux),
+// named pipe (Windows), or file-descriptor.
+func isSocket(addr string) bool {
+	switch proto, _, _ := strings.Cut(addr, "://"); proto {
+	case "unix", "npipe", "fd":
+		return true
+	default:
+		return false
+	}
+}
+
 func withHTTPClient(tlsConfig *tls.Config) func(*client.Client) error {
 	return func(c *client.Client) error {
 		if tlsConfig == nil {
diff --git a/vendor/github.com/docker/cli/cli/context/store/errors.go b/vendor/github.com/docker/cli/cli/context/store/errors.go
new file mode 100644
index 00000000..e85ce325
--- /dev/null
+++ b/vendor/github.com/docker/cli/cli/context/store/errors.go
@@ -0,0 +1,28 @@
+package store
+
+import cerrdefs "github.com/containerd/errdefs"
+
+func invalidParameter(err error) error {
+	if err == nil || cerrdefs.IsInvalidArgument(err) {
+		return err
+	}
+	return invalidParameterErr{err}
+}
+
+type invalidParameterErr struct{ error }
+
+func (invalidParameterErr) InvalidParameter() {}
+
+func notFound(err error) error {
+	if err == nil || cerrdefs.IsNotFound(err) {
+		return err
+	}
+	return notFoundErr{err}
+}
+
+type notFoundErr struct{ error }
+
+func (notFoundErr) NotFound() {}
+func (e notFoundErr) Unwrap() error {
+	return e.error
+}
diff --git a/vendor/github.com/docker/cli/cli/context/store/io_utils.go b/vendor/github.com/docker/cli/cli/context/store/io_utils.go
index 6f854c8e..097443d0 100644
--- a/vendor/github.com/docker/cli/cli/context/store/io_utils.go
+++ b/vendor/github.com/docker/cli/cli/context/store/io_utils.go
@@ -5,14 +5,14 @@ import (
 	"io"
 )
 
-// LimitedReader is a fork of io.LimitedReader to override Read.
-type LimitedReader struct {
+// limitedReader is a fork of [io.LimitedReader] to override Read.
+type limitedReader struct {
 	R io.Reader
 	N int64 // max bytes remaining
 }
 
-// Read is a fork of io.LimitedReader.Read that returns an error when limit exceeded.
-func (l *LimitedReader) Read(p []byte) (n int, err error) {
+// Read is a fork of [io.LimitedReader.Read] that returns an error when limit exceeded.
+func (l *limitedReader) Read(p []byte) (n int, err error) {
 	if l.N < 0 {
 		return 0, errors.New("read exceeds the defined limit")
 	}
diff --git a/vendor/github.com/docker/cli/cli/context/store/metadatastore.go b/vendor/github.com/docker/cli/cli/context/store/metadatastore.go
index e8b25675..deec5cc9 100644
--- a/vendor/github.com/docker/cli/cli/context/store/metadatastore.go
+++ b/vendor/github.com/docker/cli/cli/context/store/metadatastore.go
@@ -1,20 +1,19 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package store
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"reflect"
 	"sort"
 
-	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/atomicwriter"
 	"github.com/fvbommel/sortorder"
-	"github.com/pkg/errors"
+	"github.com/moby/sys/atomicwriter"
 )
 
 const (
@@ -64,7 +63,7 @@ func parseTypedOrMap(payload []byte, getter TypeGetter) (any, error) {
 func (s *metadataStore) get(name string) (Metadata, error) {
 	m, err := s.getByID(contextdirOf(name))
 	if err != nil {
-		return m, errors.Wrapf(err, "context %q", name)
+		return m, fmt.Errorf("context %q: %w", name, err)
 	}
 	return m, nil
 }
@@ -74,7 +73,7 @@ func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
 	bytes, err := os.ReadFile(fileName)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
-			return Metadata{}, errdefs.NotFound(errors.Wrap(err, "context not found"))
+			return Metadata{}, notFound(fmt.Errorf("context not found: %w", err))
 		}
 		return Metadata{}, err
 	}
@@ -99,7 +98,7 @@ func (s *metadataStore) getByID(id contextdir) (Metadata, error) {
 
 func (s *metadataStore) remove(name string) error {
 	if err := os.RemoveAll(s.contextDir(contextdirOf(name))); err != nil {
-		return errors.Wrapf(err, "failed to remove metadata")
+		return fmt.Errorf("failed to remove metadata: %w", err)
 	}
 	return nil
 }
@@ -119,7 +118,7 @@ func (s *metadataStore) list() ([]Metadata, error) {
 			if errors.Is(err, os.ErrNotExist) {
 				continue
 			}
-			return nil, errors.Wrap(err, "failed to read metadata")
+			return nil, fmt.Errorf("failed to read metadata: %w", err)
 		}
 		res = append(res, c)
 	}
diff --git a/vendor/github.com/docker/cli/cli/context/store/store.go b/vendor/github.com/docker/cli/cli/context/store/store.go
index 3643e576..91d9c19c 100644
--- a/vendor/github.com/docker/cli/cli/context/store/store.go
+++ b/vendor/github.com/docker/cli/cli/context/store/store.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package store
 
@@ -10,21 +10,21 @@ import (
 	"bytes"
 	_ "crypto/sha256" // ensure ids can be computed
 	"encoding/json"
+	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"path"
 	"path/filepath"
-	"regexp"
 	"strings"
 
-	"github.com/docker/docker/errdefs"
+	"github.com/docker/cli/internal/lazyregexp"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 )
 
 const restrictedNamePattern = "^[a-zA-Z0-9][a-zA-Z0-9_.+-]+$"
 
-var restrictedNameRegEx = regexp.MustCompile(restrictedNamePattern)
+var restrictedNameRegEx = lazyregexp.New(restrictedNamePattern)
 
 // Store provides a context store for easily remembering endpoints configuration
 type Store interface {
@@ -146,10 +146,10 @@ func (s *ContextStore) CreateOrUpdate(meta Metadata) error {
 // Remove deletes the context with the given name, if found.
 func (s *ContextStore) Remove(name string) error {
 	if err := s.meta.remove(name); err != nil {
-		return errors.Wrapf(err, "failed to remove context %s", name)
+		return fmt.Errorf("failed to remove context %s: %w", name, err)
 	}
 	if err := s.tls.remove(name); err != nil {
-		return errors.Wrapf(err, "failed to remove context %s", name)
+		return fmt.Errorf("failed to remove context %s: %w", name, err)
 	}
 	return nil
 }
@@ -226,7 +226,7 @@ func ValidateContextName(name string) error {
 		return errors.New(`"default" is a reserved context name`)
 	}
 	if !restrictedNameRegEx.MatchString(name) {
-		return errors.Errorf("context name %q is invalid, names are validated against regexp %q", name, restrictedNamePattern)
+		return fmt.Errorf("context name %q is invalid, names are validated against regexp %q", name, restrictedNamePattern)
 	}
 	return nil
 }
@@ -356,7 +356,7 @@ func isValidFilePath(p string) error {
 }
 
 func importTar(name string, s Writer, reader io.Reader) error {
-	tr := tar.NewReader(&LimitedReader{R: reader, N: maxAllowedFileSizeToImport})
+	tr := tar.NewReader(&limitedReader{R: reader, N: maxAllowedFileSizeToImport})
 	tlsData := ContextTLSData{
 		Endpoints: map[string]EndpointTLSData{},
 	}
@@ -374,7 +374,7 @@ func importTar(name string, s Writer, reader io.Reader) error {
 			continue
 		}
 		if err := isValidFilePath(hdr.Name); err != nil {
-			return errors.Wrap(err, hdr.Name)
+			return fmt.Errorf("%s: %w", hdr.Name, err)
 		}
 		if hdr.Name == metaFile {
 			data, err := io.ReadAll(tr)
@@ -400,13 +400,13 @@ func importTar(name string, s Writer, reader io.Reader) error {
 		}
 	}
 	if !importedMetaFile {
-		return errdefs.InvalidParameter(errors.New("invalid context: no metadata found"))
+		return invalidParameter(errors.New("invalid context: no metadata found"))
 	}
 	return s.ResetTLSMaterial(name, &tlsData)
 }
 
 func importZip(name string, s Writer, reader io.Reader) error {
-	body, err := io.ReadAll(&LimitedReader{R: reader, N: maxAllowedFileSizeToImport})
+	body, err := io.ReadAll(&limitedReader{R: reader, N: maxAllowedFileSizeToImport})
 	if err != nil {
 		return err
 	}
@@ -426,7 +426,7 @@ func importZip(name string, s Writer, reader io.Reader) error {
 			continue
 		}
 		if err := isValidFilePath(zf.Name); err != nil {
-			return errors.Wrap(err, zf.Name)
+			return fmt.Errorf("%s: %w", zf.Name, err)
 		}
 		if zf.Name == metaFile {
 			f, err := zf.Open()
@@ -434,7 +434,7 @@ func importZip(name string, s Writer, reader io.Reader) error {
 				return err
 			}
 
-			data, err := io.ReadAll(&LimitedReader{R: f, N: maxAllowedFileSizeToImport})
+			data, err := io.ReadAll(&limitedReader{R: f, N: maxAllowedFileSizeToImport})
 			defer f.Close()
 			if err != nil {
 				return err
@@ -464,7 +464,7 @@ func importZip(name string, s Writer, reader io.Reader) error {
 		}
 	}
 	if !importedMetaFile {
-		return errdefs.InvalidParameter(errors.New("invalid context: no metadata found"))
+		return invalidParameter(errors.New("invalid context: no metadata found"))
 	}
 	return s.ResetTLSMaterial(name, &tlsData)
 }
diff --git a/vendor/github.com/docker/cli/cli/context/store/storeconfig.go b/vendor/github.com/docker/cli/cli/context/store/storeconfig.go
index bfd5e6fc..fccbf1d1 100644
--- a/vendor/github.com/docker/cli/cli/context/store/storeconfig.go
+++ b/vendor/github.com/docker/cli/cli/context/store/storeconfig.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package store
 
diff --git a/vendor/github.com/docker/cli/cli/context/store/tlsstore.go b/vendor/github.com/docker/cli/cli/context/store/tlsstore.go
index 3cbfe627..c1f5f8ca 100644
--- a/vendor/github.com/docker/cli/cli/context/store/tlsstore.go
+++ b/vendor/github.com/docker/cli/cli/context/store/tlsstore.go
@@ -1,12 +1,11 @@
 package store
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 
-	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/atomicwriter"
-	"github.com/pkg/errors"
+	"github.com/moby/sys/atomicwriter"
 )
 
 const tlsDir = "tls"
@@ -39,9 +38,9 @@ func (s *tlsStore) getData(name, endpointName, filename string) ([]byte, error)
 	data, err := os.ReadFile(filepath.Join(s.endpointDir(name, endpointName), filename))
 	if err != nil {
 		if os.IsNotExist(err) {
-			return nil, errdefs.NotFound(errors.Errorf("TLS data for %s/%s/%s does not exist", name, endpointName, filename))
+			return nil, notFound(fmt.Errorf("TLS data for %s/%s/%s does not exist", name, endpointName, filename))
 		}
-		return nil, errors.Wrapf(err, "failed to read TLS data for endpoint %s", endpointName)
+		return nil, fmt.Errorf("failed to read TLS data for endpoint %s: %w", endpointName, err)
 	}
 	return data, nil
 }
@@ -49,14 +48,14 @@ func (s *tlsStore) getData(name, endpointName, filename string) ([]byte, error)
 // remove deletes all TLS data for the given context.
 func (s *tlsStore) remove(name string) error {
 	if err := os.RemoveAll(s.contextDir(name)); err != nil {
-		return errors.Wrapf(err, "failed to remove TLS data")
+		return fmt.Errorf("failed to remove TLS data: %w", err)
 	}
 	return nil
 }
 
 func (s *tlsStore) removeEndpoint(name, endpointName string) error {
 	if err := os.RemoveAll(s.endpointDir(name, endpointName)); err != nil {
-		return errors.Wrapf(err, "failed to remove TLS data for endpoint %s", endpointName)
+		return fmt.Errorf("failed to remove TLS data for endpoint %s: %w", endpointName, err)
 	}
 	return nil
 }
@@ -68,7 +67,7 @@ func (s *tlsStore) listContextData(name string) (map[string]EndpointFiles, error
 		if os.IsNotExist(err) {
 			return map[string]EndpointFiles{}, nil
 		}
-		return nil, errors.Wrapf(err, "failed to list TLS files for context %s", name)
+		return nil, fmt.Errorf("failed to list TLS files for context %s: %w", name, err)
 	}
 	r := make(map[string]EndpointFiles)
 	for _, epFS := range epFSs {
@@ -78,7 +77,7 @@ func (s *tlsStore) listContextData(name string) (map[string]EndpointFiles, error
 				continue
 			}
 			if err != nil {
-				return nil, errors.Wrapf(err, "failed to list TLS files for endpoint %s", epFS.Name())
+				return nil, fmt.Errorf("failed to list TLS files for endpoint %s: %w", epFS.Name(), err)
 			}
 			var files EndpointFiles
 			for _, fs := range fss {
diff --git a/vendor/github.com/docker/cli/cli/debug/debug.go b/vendor/github.com/docker/cli/cli/debug/debug.go
index 84002bd0..5ad1b032 100644
--- a/vendor/github.com/docker/cli/cli/debug/debug.go
+++ b/vendor/github.com/docker/cli/cli/debug/debug.go
@@ -33,5 +33,8 @@ func IsEnabled() bool {
 // The default is to log to the debug level which is only
 // enabled when debugging is enabled.
 var OTELErrorHandler otel.ErrorHandler = otel.ErrorHandlerFunc(func(err error) {
+	if err == nil {
+		return
+	}
 	logrus.WithError(err).Debug("otel error")
 })
diff --git a/vendor/github.com/docker/cli/cli/manifest/store/store.go b/vendor/github.com/docker/cli/cli/manifest/store/store.go
deleted file mode 100644
index e97e8628..00000000
--- a/vendor/github.com/docker/cli/cli/manifest/store/store.go
+++ /dev/null
@@ -1,178 +0,0 @@
-package store
-
-import (
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/distribution/reference"
-	"github.com/docker/cli/cli/manifest/types"
-	"github.com/docker/distribution/manifest/manifestlist"
-	"github.com/opencontainers/go-digest"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
-)
-
-// Store manages local storage of image distribution manifests
-type Store interface {
-	Remove(listRef reference.Reference) error
-	Get(listRef reference.Reference, manifest reference.Reference) (types.ImageManifest, error)
-	GetList(listRef reference.Reference) ([]types.ImageManifest, error)
-	Save(listRef reference.Reference, manifest reference.Reference, image types.ImageManifest) error
-}
-
-// fsStore manages manifest files stored on the local filesystem
-type fsStore struct {
-	root string
-}
-
-// NewStore returns a new store for a local file path
-func NewStore(root string) Store {
-	return &fsStore{root: root}
-}
-
-// Remove a manifest list from local storage
-func (s *fsStore) Remove(listRef reference.Reference) error {
-	path := filepath.Join(s.root, makeFilesafeName(listRef.String()))
-	return os.RemoveAll(path)
-}
-
-// Get returns the local manifest
-func (s *fsStore) Get(listRef reference.Reference, manifest reference.Reference) (types.ImageManifest, error) {
-	filename := manifestToFilename(s.root, listRef.String(), manifest.String())
-	return s.getFromFilename(manifest, filename)
-}
-
-func (*fsStore) getFromFilename(ref reference.Reference, filename string) (types.ImageManifest, error) {
-	bytes, err := os.ReadFile(filename)
-	switch {
-	case os.IsNotExist(err):
-		return types.ImageManifest{}, newNotFoundError(ref.String())
-	case err != nil:
-		return types.ImageManifest{}, err
-	}
-	var manifestInfo struct {
-		types.ImageManifest
-
-		// Deprecated Fields, replaced by Descriptor
-		Digest   digest.Digest
-		Platform *manifestlist.PlatformSpec
-	}
-
-	if err := json.Unmarshal(bytes, &manifestInfo); err != nil {
-		return types.ImageManifest{}, err
-	}
-
-	// Compatibility with image manifests created before
-	// descriptor, newer versions omit Digest and Platform
-	if manifestInfo.Digest != "" {
-		mediaType, raw, err := manifestInfo.Payload()
-		if err != nil {
-			return types.ImageManifest{}, err
-		}
-		if dgst := digest.FromBytes(raw); dgst != manifestInfo.Digest {
-			return types.ImageManifest{}, errors.Errorf("invalid manifest file %v: image manifest digest mismatch (%v != %v)", filename, manifestInfo.Digest, dgst)
-		}
-		manifestInfo.ImageManifest.Descriptor = ocispec.Descriptor{
-			Digest:    manifestInfo.Digest,
-			Size:      int64(len(raw)),
-			MediaType: mediaType,
-			Platform:  types.OCIPlatform(manifestInfo.Platform),
-		}
-	}
-
-	return manifestInfo.ImageManifest, nil
-}
-
-// GetList returns all the local manifests for a transaction
-func (s *fsStore) GetList(listRef reference.Reference) ([]types.ImageManifest, error) {
-	filenames, err := s.listManifests(listRef.String())
-	switch {
-	case err != nil:
-		return nil, err
-	case filenames == nil:
-		return nil, newNotFoundError(listRef.String())
-	}
-
-	manifests := []types.ImageManifest{}
-	for _, filename := range filenames {
-		filename = filepath.Join(s.root, makeFilesafeName(listRef.String()), filename)
-		manifest, err := s.getFromFilename(listRef, filename)
-		if err != nil {
-			return nil, err
-		}
-		manifests = append(manifests, manifest)
-	}
-	return manifests, nil
-}
-
-// listManifests stored in a transaction
-func (s *fsStore) listManifests(transaction string) ([]string, error) {
-	transactionDir := filepath.Join(s.root, makeFilesafeName(transaction))
-	fileInfos, err := os.ReadDir(transactionDir)
-	switch {
-	case os.IsNotExist(err):
-		return nil, nil
-	case err != nil:
-		return nil, err
-	}
-
-	filenames := make([]string, 0, len(fileInfos))
-	for _, info := range fileInfos {
-		filenames = append(filenames, info.Name())
-	}
-	return filenames, nil
-}
-
-// Save a manifest as part of a local manifest list
-func (s *fsStore) Save(listRef reference.Reference, manifest reference.Reference, image types.ImageManifest) error {
-	if err := s.createManifestListDirectory(listRef.String()); err != nil {
-		return err
-	}
-	filename := manifestToFilename(s.root, listRef.String(), manifest.String())
-	bytes, err := json.Marshal(image)
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(filename, bytes, 0o644)
-}
-
-func (s *fsStore) createManifestListDirectory(transaction string) error {
-	path := filepath.Join(s.root, makeFilesafeName(transaction))
-	return os.MkdirAll(path, 0o755)
-}
-
-func manifestToFilename(root, manifestList, manifest string) string {
-	return filepath.Join(root, makeFilesafeName(manifestList), makeFilesafeName(manifest))
-}
-
-func makeFilesafeName(ref string) string {
-	fileName := strings.ReplaceAll(ref, ":", "-")
-	return strings.ReplaceAll(fileName, "/", "_")
-}
-
-type notFoundError struct {
-	object string
-}
-
-func newNotFoundError(ref string) *notFoundError {
-	return &notFoundError{object: ref}
-}
-
-func (n *notFoundError) Error() string {
-	return "No such manifest: " + n.object
-}
-
-// NotFound interface
-func (*notFoundError) NotFound() {}
-
-// IsNotFound returns true if the error is a not found error
-func IsNotFound(err error) bool {
-	_, ok := err.(notFound)
-	return ok
-}
-
-type notFound interface {
-	NotFound()
-}
diff --git a/vendor/github.com/docker/cli/cli/manifest/types/types.go b/vendor/github.com/docker/cli/cli/manifest/types/types.go
deleted file mode 100644
index e098928d..00000000
--- a/vendor/github.com/docker/cli/cli/manifest/types/types.go
+++ /dev/null
@@ -1,154 +0,0 @@
-package types
-
-import (
-	"encoding/json"
-
-	"github.com/distribution/reference"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/manifest/manifestlist"
-	"github.com/docker/distribution/manifest/ocischema"
-	"github.com/docker/distribution/manifest/schema2"
-	"github.com/opencontainers/go-digest"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
-)
-
-// ImageManifest contains info to output for a manifest object.
-type ImageManifest struct {
-	Ref        *SerializableNamed
-	Descriptor ocispec.Descriptor
-	Raw        []byte `json:",omitempty"`
-
-	// SchemaV2Manifest is used for inspection
-	SchemaV2Manifest *schema2.DeserializedManifest `json:",omitempty"`
-	// OCIManifest is used for inspection
-	OCIManifest *ocischema.DeserializedManifest `json:",omitempty"`
-}
-
-// OCIPlatform creates an OCI platform from a manifest list platform spec
-func OCIPlatform(ps *manifestlist.PlatformSpec) *ocispec.Platform {
-	if ps == nil {
-		return nil
-	}
-	return &ocispec.Platform{
-		Architecture: ps.Architecture,
-		OS:           ps.OS,
-		OSVersion:    ps.OSVersion,
-		OSFeatures:   ps.OSFeatures,
-		Variant:      ps.Variant,
-	}
-}
-
-// PlatformSpecFromOCI creates a platform spec from OCI platform
-func PlatformSpecFromOCI(p *ocispec.Platform) *manifestlist.PlatformSpec {
-	if p == nil {
-		return nil
-	}
-	return &manifestlist.PlatformSpec{
-		Architecture: p.Architecture,
-		OS:           p.OS,
-		OSVersion:    p.OSVersion,
-		OSFeatures:   p.OSFeatures,
-		Variant:      p.Variant,
-	}
-}
-
-// Blobs returns the digests for all the blobs referenced by this manifest
-func (i ImageManifest) Blobs() []digest.Digest {
-	var digests []digest.Digest
-	switch {
-	case i.SchemaV2Manifest != nil:
-		refs := i.SchemaV2Manifest.References()
-		digests = make([]digest.Digest, 0, len(refs))
-		for _, descriptor := range refs {
-			digests = append(digests, descriptor.Digest)
-		}
-	case i.OCIManifest != nil:
-		refs := i.OCIManifest.References()
-		digests = make([]digest.Digest, 0, len(refs))
-		for _, descriptor := range refs {
-			digests = append(digests, descriptor.Digest)
-		}
-	}
-	return digests
-}
-
-// Payload returns the media type and bytes for the manifest
-func (i ImageManifest) Payload() (string, []byte, error) {
-	// TODO: If available, read content from a content store by digest
-	switch {
-	case i.SchemaV2Manifest != nil:
-		return i.SchemaV2Manifest.Payload()
-	case i.OCIManifest != nil:
-		return i.OCIManifest.Payload()
-	default:
-		return "", nil, errors.Errorf("%s has no payload", i.Ref)
-	}
-}
-
-// References implements the distribution.Manifest interface. It delegates to
-// the underlying manifest.
-func (i ImageManifest) References() []distribution.Descriptor {
-	switch {
-	case i.SchemaV2Manifest != nil:
-		return i.SchemaV2Manifest.References()
-	case i.OCIManifest != nil:
-		return i.OCIManifest.References()
-	default:
-		return nil
-	}
-}
-
-// NewImageManifest returns a new ImageManifest object. The values for Platform
-// are initialized from those in the image
-func NewImageManifest(ref reference.Named, desc ocispec.Descriptor, manifest *schema2.DeserializedManifest) ImageManifest {
-	raw, err := manifest.MarshalJSON()
-	if err != nil {
-		raw = nil
-	}
-
-	return ImageManifest{
-		Ref:              &SerializableNamed{Named: ref},
-		Descriptor:       desc,
-		Raw:              raw,
-		SchemaV2Manifest: manifest,
-	}
-}
-
-// NewOCIImageManifest returns a new ImageManifest object. The values for
-// Platform are initialized from those in the image
-func NewOCIImageManifest(ref reference.Named, desc ocispec.Descriptor, manifest *ocischema.DeserializedManifest) ImageManifest {
-	raw, err := manifest.MarshalJSON()
-	if err != nil {
-		raw = nil
-	}
-
-	return ImageManifest{
-		Ref:         &SerializableNamed{Named: ref},
-		Descriptor:  desc,
-		Raw:         raw,
-		OCIManifest: manifest,
-	}
-}
-
-// SerializableNamed is a reference.Named that can be serialized and deserialized
-// from JSON
-type SerializableNamed struct {
-	reference.Named
-}
-
-// UnmarshalJSON loads the Named reference from JSON bytes
-func (s *SerializableNamed) UnmarshalJSON(b []byte) error {
-	var raw string
-	if err := json.Unmarshal(b, &raw); err != nil {
-		return errors.Wrapf(err, "invalid named reference bytes: %s", b)
-	}
-	var err error
-	s.Named, err = reference.ParseNamed(raw)
-	return err
-}
-
-// MarshalJSON returns the JSON bytes representation
-func (s *SerializableNamed) MarshalJSON() ([]byte, error) {
-	return json.Marshal(s.String())
-}
diff --git a/vendor/github.com/docker/cli/cli/registry/client/client.go b/vendor/github.com/docker/cli/cli/registry/client/client.go
deleted file mode 100644
index bbc7f4c5..00000000
--- a/vendor/github.com/docker/cli/cli/registry/client/client.go
+++ /dev/null
@@ -1,198 +0,0 @@
-package client
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"strings"
-
-	"github.com/distribution/reference"
-	manifesttypes "github.com/docker/cli/cli/manifest/types"
-	"github.com/docker/cli/cli/trust"
-	"github.com/docker/distribution"
-	distributionclient "github.com/docker/distribution/registry/client"
-	registrytypes "github.com/docker/docker/api/types/registry"
-	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-)
-
-// RegistryClient is a client used to communicate with a Docker distribution
-// registry
-type RegistryClient interface {
-	GetManifest(ctx context.Context, ref reference.Named) (manifesttypes.ImageManifest, error)
-	GetManifestList(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error)
-	MountBlob(ctx context.Context, source reference.Canonical, target reference.Named) error
-	PutManifest(ctx context.Context, ref reference.Named, manifest distribution.Manifest) (digest.Digest, error)
-}
-
-// NewRegistryClient returns a new RegistryClient with a resolver
-func NewRegistryClient(resolver AuthConfigResolver, userAgent string, insecure bool) RegistryClient {
-	return &client{
-		authConfigResolver: resolver,
-		insecureRegistry:   insecure,
-		userAgent:          userAgent,
-	}
-}
-
-// AuthConfigResolver returns Auth Configuration for an index
-type AuthConfigResolver func(ctx context.Context, index *registrytypes.IndexInfo) registrytypes.AuthConfig
-
-// PutManifestOptions is the data sent to push a manifest
-type PutManifestOptions struct {
-	MediaType string
-	Payload   []byte
-}
-
-type client struct {
-	authConfigResolver AuthConfigResolver
-	insecureRegistry   bool
-	userAgent          string
-}
-
-// ErrBlobCreated returned when a blob mount request was created
-type ErrBlobCreated struct {
-	From   reference.Named
-	Target reference.Named
-}
-
-func (err ErrBlobCreated) Error() string {
-	return fmt.Sprintf("blob mounted from: %v to: %v",
-		err.From, err.Target)
-}
-
-// ErrHTTPProto returned if attempting to use TLS with a non-TLS registry
-type ErrHTTPProto struct {
-	OrigErr string
-}
-
-func (err ErrHTTPProto) Error() string {
-	return err.OrigErr
-}
-
-var _ RegistryClient = &client{}
-
-// MountBlob into the registry, so it can be referenced by a manifest
-func (c *client) MountBlob(ctx context.Context, sourceRef reference.Canonical, targetRef reference.Named) error {
-	repoEndpoint, err := newDefaultRepositoryEndpoint(targetRef, c.insecureRegistry)
-	if err != nil {
-		return err
-	}
-	repoEndpoint.actions = trust.ActionsPushAndPull
-	repo, err := c.getRepositoryForReference(ctx, targetRef, repoEndpoint)
-	if err != nil {
-		return err
-	}
-	lu, err := repo.Blobs(ctx).Create(ctx, distributionclient.WithMountFrom(sourceRef))
-	switch err.(type) {
-	case distribution.ErrBlobMounted:
-		logrus.Debugf("mount of blob %s succeeded", sourceRef)
-		return nil
-	case nil:
-	default:
-		return errors.Wrapf(err, "failed to mount blob %s to %s", sourceRef, targetRef)
-	}
-	lu.Cancel(ctx)
-	logrus.Debugf("mount of blob %s created", sourceRef)
-	return ErrBlobCreated{From: sourceRef, Target: targetRef}
-}
-
-// PutManifest sends the manifest to a registry and returns the new digest
-func (c *client) PutManifest(ctx context.Context, ref reference.Named, manifest distribution.Manifest) (digest.Digest, error) {
-	repoEndpoint, err := newDefaultRepositoryEndpoint(ref, c.insecureRegistry)
-	if err != nil {
-		return "", err
-	}
-
-	repoEndpoint.actions = trust.ActionsPushAndPull
-	repo, err := c.getRepositoryForReference(ctx, ref, repoEndpoint)
-	if err != nil {
-		return "", err
-	}
-
-	manifestService, err := repo.Manifests(ctx)
-	if err != nil {
-		return "", err
-	}
-
-	_, opts, err := getManifestOptionsFromReference(ref)
-	if err != nil {
-		return "", err
-	}
-
-	dgst, err := manifestService.Put(ctx, manifest, opts...)
-	return dgst, errors.Wrapf(err, "failed to put manifest %s", ref)
-}
-
-func (c *client) getRepositoryForReference(ctx context.Context, ref reference.Named, repoEndpoint repositoryEndpoint) (distribution.Repository, error) {
-	repoName, err := reference.WithName(repoEndpoint.Name())
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to parse repo name from %s", ref)
-	}
-	httpTransport, err := c.getHTTPTransportForRepoEndpoint(ctx, repoEndpoint)
-	if err != nil {
-		if !strings.Contains(err.Error(), "server gave HTTP response to HTTPS client") {
-			return nil, err
-		}
-		if !repoEndpoint.endpoint.TLSConfig.InsecureSkipVerify {
-			return nil, ErrHTTPProto{OrigErr: err.Error()}
-		}
-		// --insecure was set; fall back to plain HTTP
-		if url := repoEndpoint.endpoint.URL; url != nil && url.Scheme == "https" {
-			url.Scheme = "http"
-			httpTransport, err = c.getHTTPTransportForRepoEndpoint(ctx, repoEndpoint)
-			if err != nil {
-				return nil, err
-			}
-		}
-	}
-	return distributionclient.NewRepository(repoName, repoEndpoint.BaseURL(), httpTransport)
-}
-
-func (c *client) getHTTPTransportForRepoEndpoint(ctx context.Context, repoEndpoint repositoryEndpoint) (http.RoundTripper, error) {
-	httpTransport, err := getHTTPTransport(
-		c.authConfigResolver(ctx, repoEndpoint.info.Index),
-		repoEndpoint.endpoint,
-		repoEndpoint.Name(),
-		c.userAgent,
-		repoEndpoint.actions,
-	)
-	return httpTransport, errors.Wrap(err, "failed to configure transport")
-}
-
-// GetManifest returns an ImageManifest for the reference
-func (c *client) GetManifest(ctx context.Context, ref reference.Named) (manifesttypes.ImageManifest, error) {
-	var result manifesttypes.ImageManifest
-	fetch := func(ctx context.Context, repo distribution.Repository, ref reference.Named) (bool, error) {
-		var err error
-		result, err = fetchManifest(ctx, repo, ref)
-		return result.Ref != nil, err
-	}
-
-	err := c.iterateEndpoints(ctx, ref, fetch)
-	return result, err
-}
-
-// GetManifestList returns a list of ImageManifest for the reference
-func (c *client) GetManifestList(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error) {
-	result := []manifesttypes.ImageManifest{}
-	fetch := func(ctx context.Context, repo distribution.Repository, ref reference.Named) (bool, error) {
-		var err error
-		result, err = fetchList(ctx, repo, ref)
-		return len(result) > 0, err
-	}
-
-	err := c.iterateEndpoints(ctx, ref, fetch)
-	return result, err
-}
-
-func getManifestOptionsFromReference(ref reference.Named) (digest.Digest, []distribution.ManifestServiceOption, error) {
-	if tagged, isTagged := ref.(reference.NamedTagged); isTagged {
-		tag := tagged.Tag()
-		return "", []distribution.ManifestServiceOption{distribution.WithTag(tag)}, nil
-	}
-	if digested, isDigested := ref.(reference.Canonical); isDigested {
-		return digested.Digest(), []distribution.ManifestServiceOption{}, nil
-	}
-	return "", nil, errors.Errorf("%s no tag or digest", ref)
-}
diff --git a/vendor/github.com/docker/cli/cli/registry/client/endpoint.go b/vendor/github.com/docker/cli/cli/registry/client/endpoint.go
deleted file mode 100644
index 95312b05..00000000
--- a/vendor/github.com/docker/cli/cli/registry/client/endpoint.go
+++ /dev/null
@@ -1,128 +0,0 @@
-package client
-
-import (
-	"net"
-	"net/http"
-	"time"
-
-	"github.com/distribution/reference"
-	"github.com/docker/cli/cli/trust"
-	"github.com/docker/distribution/registry/client/auth"
-	"github.com/docker/distribution/registry/client/transport"
-	registrytypes "github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/registry"
-	"github.com/pkg/errors"
-)
-
-type repositoryEndpoint struct {
-	info     *registry.RepositoryInfo
-	endpoint registry.APIEndpoint
-	actions  []string
-}
-
-// Name returns the repository name
-func (r repositoryEndpoint) Name() string {
-	return reference.Path(r.info.Name)
-}
-
-// BaseURL returns the endpoint url
-func (r repositoryEndpoint) BaseURL() string {
-	return r.endpoint.URL.String()
-}
-
-func newDefaultRepositoryEndpoint(ref reference.Named, insecure bool) (repositoryEndpoint, error) {
-	repoInfo, err := registry.ParseRepositoryInfo(ref)
-	if err != nil {
-		return repositoryEndpoint{}, err
-	}
-	endpoint, err := getDefaultEndpointFromRepoInfo(repoInfo)
-	if err != nil {
-		return repositoryEndpoint{}, err
-	}
-	if insecure {
-		endpoint.TLSConfig.InsecureSkipVerify = true
-	}
-	return repositoryEndpoint{info: repoInfo, endpoint: endpoint}, nil
-}
-
-func getDefaultEndpointFromRepoInfo(repoInfo *registry.RepositoryInfo) (registry.APIEndpoint, error) {
-	var err error
-
-	options := registry.ServiceOptions{}
-	registryService, err := registry.NewService(options)
-	if err != nil {
-		return registry.APIEndpoint{}, err
-	}
-	endpoints, err := registryService.LookupPushEndpoints(reference.Domain(repoInfo.Name))
-	if err != nil {
-		return registry.APIEndpoint{}, err
-	}
-	// Default to the highest priority endpoint to return
-	endpoint := endpoints[0]
-	if !repoInfo.Index.Secure {
-		for _, ep := range endpoints {
-			if ep.URL.Scheme == "http" {
-				endpoint = ep
-			}
-		}
-	}
-	return endpoint, nil
-}
-
-// getHTTPTransport builds a transport for use in communicating with a registry
-func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.APIEndpoint, repoName, userAgent string, actions []string) (http.RoundTripper, error) {
-	// get the http transport, this will be used in a client to upload manifest
-	base := &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		Dial: (&net.Dialer{
-			Timeout:   30 * time.Second,
-			KeepAlive: 30 * time.Second,
-		}).Dial,
-		TLSHandshakeTimeout: 10 * time.Second,
-		TLSClientConfig:     endpoint.TLSConfig,
-		DisableKeepAlives:   true,
-	}
-
-	modifiers := registry.Headers(userAgent, http.Header{})
-	authTransport := transport.NewTransport(base, modifiers...)
-	challengeManager, err := registry.PingV2Registry(endpoint.URL, authTransport)
-	if err != nil {
-		return nil, errors.Wrap(err, "error pinging v2 registry")
-	}
-	if authConfig.RegistryToken != "" {
-		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
-		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
-	} else {
-		if len(actions) == 0 {
-			actions = trust.ActionsPullOnly
-		}
-		creds := registry.NewStaticCredentialStore(&authConfig)
-		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
-		basicHandler := auth.NewBasicHandler(creds)
-		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
-	}
-	return transport.NewTransport(base, modifiers...), nil
-}
-
-// RepoNameForReference returns the repository name from a reference
-func RepoNameForReference(ref reference.Named) (string, error) {
-	// insecure is fine since this only returns the name
-	repo, err := newDefaultRepositoryEndpoint(ref, false)
-	if err != nil {
-		return "", err
-	}
-	return repo.Name(), nil
-}
-
-type existingTokenHandler struct {
-	token string
-}
-
-func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, _ map[string]string) error {
-	req.Header.Set("Authorization", "Bearer "+th.token)
-	return nil
-}
-
-func (*existingTokenHandler) Scheme() string {
-	return "bearer"
-}
diff --git a/vendor/github.com/docker/cli/cli/registry/client/fetcher.go b/vendor/github.com/docker/cli/cli/registry/client/fetcher.go
deleted file mode 100644
index d1f255bf..00000000
--- a/vendor/github.com/docker/cli/cli/registry/client/fetcher.go
+++ /dev/null
@@ -1,307 +0,0 @@
-package client
-
-import (
-	"context"
-	"encoding/json"
-
-	"github.com/distribution/reference"
-	"github.com/docker/cli/cli/manifest/types"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/manifest/manifestlist"
-	"github.com/docker/distribution/manifest/ocischema"
-	"github.com/docker/distribution/manifest/schema2"
-	"github.com/docker/distribution/registry/api/errcode"
-	v2 "github.com/docker/distribution/registry/api/v2"
-	distclient "github.com/docker/distribution/registry/client"
-	"github.com/docker/docker/registry"
-	"github.com/opencontainers/go-digest"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-)
-
-// fetchManifest pulls a manifest from a registry and returns it. An error
-// is returned if no manifest is found matching namedRef.
-func fetchManifest(ctx context.Context, repo distribution.Repository, ref reference.Named) (types.ImageManifest, error) {
-	manifest, err := getManifest(ctx, repo, ref)
-	if err != nil {
-		return types.ImageManifest{}, err
-	}
-
-	switch v := manifest.(type) {
-	// Removed Schema 1 support
-	case *schema2.DeserializedManifest:
-		return pullManifestSchemaV2(ctx, ref, repo, *v)
-	case *ocischema.DeserializedManifest:
-		return pullManifestOCISchema(ctx, ref, repo, *v)
-	case *manifestlist.DeserializedManifestList:
-		return types.ImageManifest{}, errors.Errorf("%s is a manifest list", ref)
-	}
-	return types.ImageManifest{}, errors.Errorf("%s is not a manifest", ref)
-}
-
-func fetchList(ctx context.Context, repo distribution.Repository, ref reference.Named) ([]types.ImageManifest, error) {
-	manifest, err := getManifest(ctx, repo, ref)
-	if err != nil {
-		return nil, err
-	}
-
-	switch v := manifest.(type) {
-	case *manifestlist.DeserializedManifestList:
-		return pullManifestList(ctx, ref, repo, *v)
-	default:
-		return nil, errors.Errorf("unsupported manifest format: %v", v)
-	}
-}
-
-func getManifest(ctx context.Context, repo distribution.Repository, ref reference.Named) (distribution.Manifest, error) {
-	manSvc, err := repo.Manifests(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	dgst, opts, err := getManifestOptionsFromReference(ref)
-	if err != nil {
-		return nil, errors.Errorf("image manifest for %q does not exist", ref)
-	}
-	return manSvc.Get(ctx, dgst, opts...)
-}
-
-func pullManifestSchemaV2(ctx context.Context, ref reference.Named, repo distribution.Repository, mfst schema2.DeserializedManifest) (types.ImageManifest, error) {
-	manifestDesc, err := validateManifestDigest(ref, mfst)
-	if err != nil {
-		return types.ImageManifest{}, err
-	}
-	configJSON, err := pullManifestSchemaV2ImageConfig(ctx, mfst.Target().Digest, repo)
-	if err != nil {
-		return types.ImageManifest{}, err
-	}
-
-	if manifestDesc.Platform == nil {
-		manifestDesc.Platform = &ocispec.Platform{}
-	}
-
-	// Fill in os and architecture fields from config JSON
-	if err := json.Unmarshal(configJSON, manifestDesc.Platform); err != nil {
-		return types.ImageManifest{}, err
-	}
-
-	return types.NewImageManifest(ref, manifestDesc, &mfst), nil
-}
-
-func pullManifestOCISchema(ctx context.Context, ref reference.Named, repo distribution.Repository, mfst ocischema.DeserializedManifest) (types.ImageManifest, error) {
-	manifestDesc, err := validateManifestDigest(ref, mfst)
-	if err != nil {
-		return types.ImageManifest{}, err
-	}
-	configJSON, err := pullManifestSchemaV2ImageConfig(ctx, mfst.Target().Digest, repo)
-	if err != nil {
-		return types.ImageManifest{}, err
-	}
-
-	if manifestDesc.Platform == nil {
-		manifestDesc.Platform = &ocispec.Platform{}
-	}
-
-	// Fill in os and architecture fields from config JSON
-	if err := json.Unmarshal(configJSON, manifestDesc.Platform); err != nil {
-		return types.ImageManifest{}, err
-	}
-
-	return types.NewOCIImageManifest(ref, manifestDesc, &mfst), nil
-}
-
-func pullManifestSchemaV2ImageConfig(ctx context.Context, dgst digest.Digest, repo distribution.Repository) ([]byte, error) {
-	blobs := repo.Blobs(ctx)
-	configJSON, err := blobs.Get(ctx, dgst)
-	if err != nil {
-		return nil, err
-	}
-
-	verifier := dgst.Verifier()
-	if _, err := verifier.Write(configJSON); err != nil {
-		return nil, err
-	}
-	if !verifier.Verified() {
-		return nil, errors.Errorf("image config verification failed for digest %s", dgst)
-	}
-	return configJSON, nil
-}
-
-// validateManifestDigest computes the manifest digest, and, if pulling by
-// digest, ensures that it matches the requested digest.
-func validateManifestDigest(ref reference.Named, mfst distribution.Manifest) (ocispec.Descriptor, error) {
-	mediaType, canonical, err := mfst.Payload()
-	if err != nil {
-		return ocispec.Descriptor{}, err
-	}
-	desc := ocispec.Descriptor{
-		Digest:    digest.FromBytes(canonical),
-		Size:      int64(len(canonical)),
-		MediaType: mediaType,
-	}
-
-	// If pull by digest, then verify the manifest digest.
-	if digested, isDigested := ref.(reference.Canonical); isDigested && digested.Digest() != desc.Digest {
-		return ocispec.Descriptor{}, errors.Errorf("manifest verification failed for digest %s", digested.Digest())
-	}
-
-	return desc, nil
-}
-
-// pullManifestList handles "manifest lists" which point to various
-// platform-specific manifests.
-func pullManifestList(ctx context.Context, ref reference.Named, repo distribution.Repository, mfstList manifestlist.DeserializedManifestList) ([]types.ImageManifest, error) {
-	if _, err := validateManifestDigest(ref, mfstList); err != nil {
-		return nil, err
-	}
-
-	infos := make([]types.ImageManifest, 0, len(mfstList.Manifests))
-	for _, manifestDescriptor := range mfstList.Manifests {
-		manSvc, err := repo.Manifests(ctx)
-		if err != nil {
-			return nil, err
-		}
-		manifest, err := manSvc.Get(ctx, manifestDescriptor.Digest)
-		if err != nil {
-			return nil, err
-		}
-
-		manifestRef, err := reference.WithDigest(ref, manifestDescriptor.Digest)
-		if err != nil {
-			return nil, err
-		}
-
-		var imageManifest types.ImageManifest
-		switch v := manifest.(type) {
-		case *schema2.DeserializedManifest:
-			imageManifest, err = pullManifestSchemaV2(ctx, manifestRef, repo, *v)
-		case *ocischema.DeserializedManifest:
-			imageManifest, err = pullManifestOCISchema(ctx, manifestRef, repo, *v)
-		default:
-			err = errors.Errorf("unsupported manifest type: %T", manifest)
-		}
-		if err != nil {
-			return nil, err
-		}
-
-		// Replace platform from config
-		p := manifestDescriptor.Platform
-		imageManifest.Descriptor.Platform = types.OCIPlatform(&p)
-
-		infos = append(infos, imageManifest)
-	}
-	return infos, nil
-}
-
-func continueOnError(err error) bool {
-	switch v := err.(type) {
-	case errcode.Errors:
-		if len(v) == 0 {
-			return true
-		}
-		return continueOnError(v[0])
-	case errcode.Error:
-		switch e := err.(errcode.Error); e.Code {
-		case errcode.ErrorCodeUnauthorized, v2.ErrorCodeManifestUnknown, v2.ErrorCodeNameUnknown:
-			return true
-		default:
-			return false
-		}
-	case *distclient.UnexpectedHTTPResponseError:
-		return true
-	}
-	return false
-}
-
-func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named, each func(context.Context, distribution.Repository, reference.Named) (bool, error)) error {
-	endpoints, err := allEndpoints(namedRef, c.insecureRegistry)
-	if err != nil {
-		return err
-	}
-
-	repoInfo, err := registry.ParseRepositoryInfo(namedRef)
-	if err != nil {
-		return err
-	}
-
-	confirmedTLSRegistries := make(map[string]bool)
-	for _, endpoint := range endpoints {
-		if endpoint.URL.Scheme != "https" {
-			if _, confirmedTLS := confirmedTLSRegistries[endpoint.URL.Host]; confirmedTLS {
-				logrus.Debugf("skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)
-				continue
-			}
-		}
-
-		if c.insecureRegistry {
-			endpoint.TLSConfig.InsecureSkipVerify = true
-		}
-		repoEndpoint := repositoryEndpoint{endpoint: endpoint, info: repoInfo}
-		repo, err := c.getRepositoryForReference(ctx, namedRef, repoEndpoint)
-		if err != nil {
-			logrus.Debugf("error %s with repo endpoint %+v", err, repoEndpoint)
-			if _, ok := err.(ErrHTTPProto); ok {
-				continue
-			}
-			return err
-		}
-
-		if endpoint.URL.Scheme == "http" && !c.insecureRegistry {
-			logrus.Debugf("skipping non-tls registry endpoint: %s", endpoint.URL)
-			continue
-		}
-		done, err := each(ctx, repo, namedRef)
-		if err != nil {
-			if continueOnError(err) {
-				if endpoint.URL.Scheme == "https" {
-					confirmedTLSRegistries[endpoint.URL.Host] = true
-				}
-				logrus.Debugf("continuing on error (%T) %s", err, err)
-				continue
-			}
-			logrus.Debugf("not continuing on error (%T) %s", err, err)
-			return err
-		}
-		if done {
-			return nil
-		}
-	}
-	return newNotFoundError(namedRef.String())
-}
-
-// allEndpoints returns a list of endpoints ordered by priority (v2, http).
-func allEndpoints(namedRef reference.Named, insecure bool) ([]registry.APIEndpoint, error) {
-	repoInfo, err := registry.ParseRepositoryInfo(namedRef)
-	if err != nil {
-		return nil, err
-	}
-
-	var serviceOpts registry.ServiceOptions
-	if insecure {
-		logrus.Debugf("allowing insecure registry for: %s", reference.Domain(namedRef))
-		serviceOpts.InsecureRegistries = []string{reference.Domain(namedRef)}
-	}
-	registryService, err := registry.NewService(serviceOpts)
-	if err != nil {
-		return []registry.APIEndpoint{}, err
-	}
-	endpoints, err := registryService.LookupPullEndpoints(reference.Domain(repoInfo.Name))
-	logrus.Debugf("endpoints for %s: %v", namedRef, endpoints)
-	return endpoints, err
-}
-
-func newNotFoundError(ref string) *notFoundError {
-	return &notFoundError{err: errors.New("no such manifest: " + ref)}
-}
-
-type notFoundError struct {
-	err error
-}
-
-func (n *notFoundError) Error() string {
-	return n.err.Error()
-}
-
-// NotFound satisfies interface github.com/docker/docker/errdefs.ErrNotFound
-func (notFoundError) NotFound() {}
diff --git a/vendor/github.com/docker/cli/cli/trust/trust.go b/vendor/github.com/docker/cli/cli/trust/trust.go
deleted file mode 100644
index bb7e597a..00000000
--- a/vendor/github.com/docker/cli/cli/trust/trust.go
+++ /dev/null
@@ -1,376 +0,0 @@
-package trust
-
-import (
-	"context"
-	"encoding/json"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path"
-	"path/filepath"
-	"time"
-
-	"github.com/distribution/reference"
-	"github.com/docker/cli/cli/config"
-	"github.com/docker/distribution/registry/client/auth"
-	"github.com/docker/distribution/registry/client/auth/challenge"
-	"github.com/docker/distribution/registry/client/transport"
-	registrytypes "github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/registry"
-	"github.com/docker/go-connections/tlsconfig"
-	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/client"
-	"github.com/theupdateframework/notary/passphrase"
-	"github.com/theupdateframework/notary/storage"
-	"github.com/theupdateframework/notary/trustmanager"
-	"github.com/theupdateframework/notary/trustpinning"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-)
-
-var (
-	// ReleasesRole is the role named "releases"
-	ReleasesRole = data.RoleName(path.Join(data.CanonicalTargetsRole.String(), "releases"))
-	// ActionsPullOnly defines the actions for read-only interactions with a Notary Repository
-	ActionsPullOnly = []string{"pull"}
-	// ActionsPushAndPull defines the actions for read-write interactions with a Notary Repository
-	ActionsPushAndPull = []string{"pull", "push"}
-	// NotaryServer is the endpoint serving the Notary trust server
-	NotaryServer = "https://notary.docker.io"
-)
-
-// GetTrustDirectory returns the base trust directory name
-func GetTrustDirectory() string {
-	return filepath.Join(config.Dir(), "trust")
-}
-
-// certificateDirectory returns the directory containing
-// TLS certificates for the given server. An error is
-// returned if there was an error parsing the server string.
-func certificateDirectory(server string) (string, error) {
-	u, err := url.Parse(server)
-	if err != nil {
-		return "", err
-	}
-
-	return filepath.Join(config.Dir(), "tls", u.Host), nil
-}
-
-// Server returns the base URL for the trust server.
-func Server(index *registrytypes.IndexInfo) (string, error) {
-	if s := os.Getenv("DOCKER_CONTENT_TRUST_SERVER"); s != "" {
-		urlObj, err := url.Parse(s)
-		if err != nil || urlObj.Scheme != "https" {
-			return "", errors.Errorf("valid https URL required for trust server, got %s", s)
-		}
-
-		return s, nil
-	}
-	if index.Official {
-		return NotaryServer, nil
-	}
-	return "https://" + index.Name, nil
-}
-
-type simpleCredentialStore struct {
-	auth registrytypes.AuthConfig
-}
-
-func (scs simpleCredentialStore) Basic(*url.URL) (string, string) {
-	return scs.auth.Username, scs.auth.Password
-}
-
-func (scs simpleCredentialStore) RefreshToken(*url.URL, string) string {
-	return scs.auth.IdentityToken
-}
-
-func (simpleCredentialStore) SetRefreshToken(*url.URL, string, string) {}
-
-// GetNotaryRepository returns a NotaryRepository which stores all the
-// information needed to operate on a notary repository.
-// It creates an HTTP transport providing authentication support.
-func GetNotaryRepository(in io.Reader, out io.Writer, userAgent string, repoInfo *registry.RepositoryInfo, authConfig *registrytypes.AuthConfig, actions ...string) (client.Repository, error) {
-	server, err := Server(repoInfo.Index)
-	if err != nil {
-		return nil, err
-	}
-
-	cfg := tlsconfig.ClientDefault()
-	cfg.InsecureSkipVerify = !repoInfo.Index.Secure
-
-	// Get certificate base directory
-	certDir, err := certificateDirectory(server)
-	if err != nil {
-		return nil, err
-	}
-	logrus.Debugf("reading certificate directory: %s", certDir)
-
-	if err := registry.ReadCertsDirectory(cfg, certDir); err != nil {
-		return nil, err
-	}
-
-	base := &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		Dial: (&net.Dialer{
-			Timeout:   30 * time.Second,
-			KeepAlive: 30 * time.Second,
-		}).Dial,
-		TLSHandshakeTimeout: 10 * time.Second,
-		TLSClientConfig:     cfg,
-		DisableKeepAlives:   true,
-	}
-
-	// Skip configuration headers since request is not going to Docker daemon
-	modifiers := registry.Headers(userAgent, http.Header{})
-	authTransport := transport.NewTransport(base, modifiers...)
-	pingClient := &http.Client{
-		Transport: authTransport,
-		Timeout:   5 * time.Second,
-	}
-	endpointStr := server + "/v2/"
-	req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	challengeManager := challenge.NewSimpleManager()
-
-	resp, err := pingClient.Do(req)
-	if err != nil {
-		// Ignore error on ping to operate in offline mode
-		logrus.Debugf("Error pinging notary server %q: %s", endpointStr, err)
-	} else {
-		defer resp.Body.Close()
-
-		// Add response to the challenge manager to parse out
-		// authentication header and register authentication method
-		if err := challengeManager.AddResponse(resp); err != nil {
-			return nil, err
-		}
-	}
-
-	scope := auth.RepositoryScope{
-		Repository: repoInfo.Name.Name(),
-		Actions:    actions,
-	}
-	creds := simpleCredentialStore{auth: *authConfig}
-	tokenHandlerOptions := auth.TokenHandlerOptions{
-		Transport:   authTransport,
-		Credentials: creds,
-		Scopes:      []auth.Scope{scope},
-		ClientID:    registry.AuthClientID,
-	}
-	tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)
-	basicHandler := auth.NewBasicHandler(creds)
-	modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
-	tr := transport.NewTransport(base, modifiers...)
-
-	return client.NewFileCachedRepository(
-		GetTrustDirectory(),
-		data.GUN(repoInfo.Name.Name()),
-		server,
-		tr,
-		GetPassphraseRetriever(in, out),
-		trustpinning.TrustPinConfig{})
-}
-
-// GetPassphraseRetriever returns a passphrase retriever that utilizes Content Trust env vars
-func GetPassphraseRetriever(in io.Reader, out io.Writer) notary.PassRetriever {
-	aliasMap := map[string]string{
-		"root":     "root",
-		"snapshot": "repository",
-		"targets":  "repository",
-		"default":  "repository",
-	}
-	baseRetriever := passphrase.PromptRetrieverWithInOut(in, out, aliasMap)
-	env := map[string]string{
-		"root":     os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
-		"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
-		"targets":  os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
-		"default":  os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
-	}
-
-	return func(keyName string, alias string, createNew bool, numAttempts int) (string, bool, error) {
-		if v := env[alias]; v != "" {
-			return v, numAttempts > 1, nil
-		}
-		// For non-root roles, we can also try the "default" alias if it is specified
-		if v := env["default"]; v != "" && alias != data.CanonicalRootRole.String() {
-			return v, numAttempts > 1, nil
-		}
-		return baseRetriever(keyName, alias, createNew, numAttempts)
-	}
-}
-
-// NotaryError formats an error message received from the notary service
-func NotaryError(repoName string, err error) error {
-	switch err.(type) {
-	case *json.SyntaxError:
-		logrus.Debugf("Notary syntax error: %s", err)
-		return errors.Errorf("Error: no trust data available for remote repository %s. Try running notary server and setting DOCKER_CONTENT_TRUST_SERVER to its HTTPS address?", repoName)
-	case signed.ErrExpired:
-		return errors.Errorf("Error: remote repository %s out-of-date: %v", repoName, err)
-	case trustmanager.ErrKeyNotFound:
-		return errors.Errorf("Error: signing keys for remote repository %s not found: %v", repoName, err)
-	case storage.NetworkError:
-		return errors.Errorf("Error: error contacting notary server: %v", err)
-	case storage.ErrMetaNotFound:
-		return errors.Errorf("Error: trust data missing for remote repository %s or remote repository not found: %v", repoName, err)
-	case trustpinning.ErrRootRotationFail, trustpinning.ErrValidationFail, signed.ErrInvalidKeyType:
-		return errors.Errorf("Warning: potential malicious behavior - trust data mismatch for remote repository %s: %v", repoName, err)
-	case signed.ErrNoKeys:
-		return errors.Errorf("Error: could not find signing keys for remote repository %s, or could not decrypt signing key: %v", repoName, err)
-	case signed.ErrLowVersion:
-		return errors.Errorf("Warning: potential malicious behavior - trust data version is lower than expected for remote repository %s: %v", repoName, err)
-	case signed.ErrRoleThreshold:
-		return errors.Errorf("Warning: potential malicious behavior - trust data has insufficient signatures for remote repository %s: %v", repoName, err)
-	case client.ErrRepositoryNotExist:
-		return errors.Errorf("Error: remote trust data does not exist for %s: %v", repoName, err)
-	case signed.ErrInsufficientSignatures:
-		return errors.Errorf("Error: could not produce valid signature for %s.  If Yubikey was used, was touch input provided?: %v", repoName, err)
-	}
-
-	return err
-}
-
-// GetSignableRoles returns a list of roles for which we have valid signing
-// keys, given a notary repository and a target
-func GetSignableRoles(repo client.Repository, target *client.Target) ([]data.RoleName, error) {
-	var signableRoles []data.RoleName
-
-	// translate the full key names, which includes the GUN, into just the key IDs
-	allCanonicalKeyIDs := make(map[string]struct{})
-	for fullKeyID := range repo.GetCryptoService().ListAllKeys() {
-		allCanonicalKeyIDs[path.Base(fullKeyID)] = struct{}{}
-	}
-
-	allDelegationRoles, err := repo.GetDelegationRoles()
-	if err != nil {
-		return signableRoles, err
-	}
-
-	// if there are no delegation roles, then just try to sign it into the targets role
-	if len(allDelegationRoles) == 0 {
-		signableRoles = append(signableRoles, data.CanonicalTargetsRole)
-		return signableRoles, nil
-	}
-
-	// there are delegation roles, find every delegation role we have a key for,
-	// and attempt to sign in to all those roles.
-	for _, delegationRole := range allDelegationRoles {
-		// We do not support signing any delegation role that isn't a direct child of the targets role.
-		// Also don't bother checking the keys if we can't add the target
-		// to this role due to path restrictions
-		if path.Dir(delegationRole.Name.String()) != data.CanonicalTargetsRole.String() || !delegationRole.CheckPaths(target.Name) {
-			continue
-		}
-
-		for _, canonicalKeyID := range delegationRole.KeyIDs {
-			if _, ok := allCanonicalKeyIDs[canonicalKeyID]; ok {
-				signableRoles = append(signableRoles, delegationRole.Name)
-				break
-			}
-		}
-	}
-
-	if len(signableRoles) == 0 {
-		return signableRoles, errors.Errorf("no valid signing keys for delegation roles")
-	}
-
-	return signableRoles, nil
-}
-
-// ImageRefAndAuth contains all reference information and the auth config for an image request
-type ImageRefAndAuth struct {
-	original   string
-	authConfig *registrytypes.AuthConfig
-	reference  reference.Named
-	repoInfo   *registry.RepositoryInfo
-	tag        string
-	digest     digest.Digest
-}
-
-// GetImageReferencesAndAuth retrieves the necessary reference and auth information for an image name
-// as an ImageRefAndAuth struct
-func GetImageReferencesAndAuth(ctx context.Context,
-	authResolver func(ctx context.Context, index *registrytypes.IndexInfo) registrytypes.AuthConfig,
-	imgName string,
-) (ImageRefAndAuth, error) {
-	ref, err := reference.ParseNormalizedNamed(imgName)
-	if err != nil {
-		return ImageRefAndAuth{}, err
-	}
-
-	// Resolve the Repository name from fqn to RepositoryInfo
-	repoInfo, err := registry.ParseRepositoryInfo(ref)
-	if err != nil {
-		return ImageRefAndAuth{}, err
-	}
-
-	authConfig := authResolver(ctx, repoInfo.Index)
-	return ImageRefAndAuth{
-		original:   imgName,
-		authConfig: &authConfig,
-		reference:  ref,
-		repoInfo:   repoInfo,
-		tag:        getTag(ref),
-		digest:     getDigest(ref),
-	}, nil
-}
-
-func getTag(ref reference.Named) string {
-	switch x := ref.(type) {
-	case reference.Canonical, reference.Digested:
-		return ""
-	case reference.NamedTagged:
-		return x.Tag()
-	default:
-		return ""
-	}
-}
-
-func getDigest(ref reference.Named) digest.Digest {
-	switch x := ref.(type) {
-	case reference.Canonical:
-		return x.Digest()
-	case reference.Digested:
-		return x.Digest()
-	default:
-		return digest.Digest("")
-	}
-}
-
-// AuthConfig returns the auth information (username, etc) for a given ImageRefAndAuth
-func (imgRefAuth *ImageRefAndAuth) AuthConfig() *registrytypes.AuthConfig {
-	return imgRefAuth.authConfig
-}
-
-// Reference returns the Image reference for a given ImageRefAndAuth
-func (imgRefAuth *ImageRefAndAuth) Reference() reference.Named {
-	return imgRefAuth.reference
-}
-
-// RepoInfo returns the repository information for a given ImageRefAndAuth
-func (imgRefAuth *ImageRefAndAuth) RepoInfo() *registry.RepositoryInfo {
-	return imgRefAuth.repoInfo
-}
-
-// Tag returns the Image tag for a given ImageRefAndAuth
-func (imgRefAuth *ImageRefAndAuth) Tag() string {
-	return imgRefAuth.tag
-}
-
-// Digest returns the Image digest for a given ImageRefAndAuth
-func (imgRefAuth *ImageRefAndAuth) Digest() digest.Digest {
-	return imgRefAuth.digest
-}
-
-// Name returns the image name used to initialize the ImageRefAndAuth
-func (imgRefAuth *ImageRefAndAuth) Name() string {
-	return imgRefAuth.original
-}
diff --git a/vendor/github.com/docker/cli/internal/lazyregexp/lazyregexp.go b/vendor/github.com/docker/cli/internal/lazyregexp/lazyregexp.go
new file mode 100644
index 00000000..62e29c55
--- /dev/null
+++ b/vendor/github.com/docker/cli/internal/lazyregexp/lazyregexp.go
@@ -0,0 +1,98 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code below was largely copied from golang.org/x/mod@v0.22;
+// https://github.com/golang/mod/blob/v0.22.0/internal/lazyregexp/lazyre.go
+// with some additional methods added.
+
+// Package lazyregexp is a thin wrapper over regexp, allowing the use of global
+// regexp variables without forcing them to be compiled at init.
+package lazyregexp
+
+import (
+	"os"
+	"regexp"
+	"strings"
+	"sync"
+)
+
+// Regexp is a wrapper around [regexp.Regexp], where the underlying regexp will be
+// compiled the first time it is needed.
+type Regexp struct {
+	str  string
+	once sync.Once
+	rx   *regexp.Regexp
+}
+
+func (r *Regexp) re() *regexp.Regexp {
+	r.once.Do(r.build)
+	return r.rx
+}
+
+func (r *Regexp) build() {
+	r.rx = regexp.MustCompile(r.str)
+	r.str = ""
+}
+
+func (r *Regexp) FindSubmatch(s []byte) [][]byte {
+	return r.re().FindSubmatch(s)
+}
+
+func (r *Regexp) FindAllStringSubmatch(s string, n int) [][]string {
+	return r.re().FindAllStringSubmatch(s, n)
+}
+
+func (r *Regexp) FindStringSubmatch(s string) []string {
+	return r.re().FindStringSubmatch(s)
+}
+
+func (r *Regexp) FindStringSubmatchIndex(s string) []int {
+	return r.re().FindStringSubmatchIndex(s)
+}
+
+func (r *Regexp) ReplaceAllString(src, repl string) string {
+	return r.re().ReplaceAllString(src, repl)
+}
+
+func (r *Regexp) FindString(s string) string {
+	return r.re().FindString(s)
+}
+
+func (r *Regexp) FindAllString(s string, n int) []string {
+	return r.re().FindAllString(s, n)
+}
+
+func (r *Regexp) MatchString(s string) bool {
+	return r.re().MatchString(s)
+}
+
+func (r *Regexp) ReplaceAllStringFunc(src string, repl func(string) string) string {
+	return r.re().ReplaceAllStringFunc(src, repl)
+}
+
+func (r *Regexp) ReplaceAllLiteralString(src, repl string) string {
+	return r.re().ReplaceAllLiteralString(src, repl)
+}
+
+func (r *Regexp) String() string {
+	return r.re().String()
+}
+
+func (r *Regexp) SubexpNames() []string {
+	return r.re().SubexpNames()
+}
+
+var inTest = len(os.Args) > 0 && strings.HasSuffix(strings.TrimSuffix(os.Args[0], ".exe"), ".test")
+
+// New creates a new lazy regexp, delaying the compiling work until it is first
+// needed. If the code is being run as part of tests, the regexp compiling will
+// happen immediately.
+func New(str string) *Regexp {
+	lr := &Regexp{str: str}
+	if inTest {
+		// In tests, always compile the regexps early.
+		lr.re()
+	}
+	return lr
+}
diff --git a/vendor/github.com/docker/cli/internal/prompt/prompt.go b/vendor/github.com/docker/cli/internal/prompt/prompt.go
new file mode 100644
index 00000000..4d47a10e
--- /dev/null
+++ b/vendor/github.com/docker/cli/internal/prompt/prompt.go
@@ -0,0 +1,116 @@
+// Package prompt provides utilities to prompt the user for input.
+
+package prompt
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/docker/cli/cli/streams"
+	"github.com/moby/term"
+)
+
+const ErrTerminated cancelledErr = "prompt terminated"
+
+type cancelledErr string
+
+func (e cancelledErr) Error() string {
+	return string(e)
+}
+
+func (cancelledErr) Cancelled() {}
+
+// DisableInputEcho disables input echo on the provided streams.In.
+// This is useful when the user provides sensitive information like passwords.
+// The function returns a restore function that should be called to restore the
+// terminal state.
+//
+// TODO(thaJeztah): implement without depending on streams?
+func DisableInputEcho(ins *streams.In) (restore func() error, _ error) {
+	oldState, err := term.SaveState(ins.FD())
+	if err != nil {
+		return nil, err
+	}
+	restore = func() error {
+		return term.RestoreTerminal(ins.FD(), oldState)
+	}
+	return restore, term.DisableEcho(ins.FD(), oldState)
+}
+
+// ReadInput requests input from the user.
+//
+// It returns an empty string ("") with an [ErrTerminated] if the user terminates
+// the CLI with SIGINT or SIGTERM while the prompt is active. If the prompt
+// returns an error, the caller should close the [io.Reader] used for the prompt
+// and propagate the error up the stack to prevent the background goroutine
+// from blocking indefinitely.
+func ReadInput(ctx context.Context, in io.Reader, out io.Writer, message string) (string, error) {
+	_, _ = out.Write([]byte(message))
+
+	result := make(chan string)
+	go func() {
+		scanner := bufio.NewScanner(in)
+		if scanner.Scan() {
+			result <- strings.TrimSpace(scanner.Text())
+		}
+	}()
+
+	select {
+	case <-ctx.Done():
+		_, _ = out.Write([]byte("\n"))
+		return "", ErrTerminated
+	case r := <-result:
+		return r, nil
+	}
+}
+
+// Confirm requests and checks confirmation from the user.
+//
+// It displays the provided message followed by "[y/N]". If the user
+// input 'y' or 'Y' it returns true otherwise false. If no message is provided,
+// "Are you sure you want to proceed? [y/N] " will be used instead.
+//
+// It returns false with an [ErrTerminated] if the user terminates
+// the CLI with SIGINT or SIGTERM while the prompt is active. If the prompt
+// returns an error, the caller should close the [io.Reader] used for the prompt
+// and propagate the error up the stack to prevent the background goroutine
+// from blocking indefinitely.
+func Confirm(ctx context.Context, in io.Reader, out io.Writer, message string) (bool, error) {
+	if message == "" {
+		message = "Are you sure you want to proceed?"
+	}
+	message += " [y/N] "
+
+	_, _ = out.Write([]byte(message))
+
+	// On Windows, force the use of the regular OS stdin stream.
+	if runtime.GOOS == "windows" {
+		in = streams.NewIn(os.Stdin)
+	}
+
+	result := make(chan bool)
+
+	go func() {
+		var res bool
+		scanner := bufio.NewScanner(in)
+		if scanner.Scan() {
+			answer := strings.TrimSpace(scanner.Text())
+			if strings.EqualFold(answer, "y") {
+				res = true
+			}
+		}
+		result <- res
+	}()
+
+	select {
+	case <-ctx.Done():
+		_, _ = out.Write([]byte("\n"))
+		return false, ErrTerminated
+	case r := <-result:
+		return r, nil
+	}
+}
diff --git a/vendor/github.com/docker/cli/internal/tui/chip.go b/vendor/github.com/docker/cli/internal/tui/chip.go
index bb383109..02a9b8b8 100644
--- a/vendor/github.com/docker/cli/internal/tui/chip.go
+++ b/vendor/github.com/docker/cli/internal/tui/chip.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package tui
 
diff --git a/vendor/github.com/docker/cli/internal/tui/colors.go b/vendor/github.com/docker/cli/internal/tui/colors.go
index 796aa390..d82d61dd 100644
--- a/vendor/github.com/docker/cli/internal/tui/colors.go
+++ b/vendor/github.com/docker/cli/internal/tui/colors.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package tui
 
diff --git a/vendor/github.com/docker/cli/internal/tui/count.go b/vendor/github.com/docker/cli/internal/tui/count.go
index 319776e1..5d7ebd94 100644
--- a/vendor/github.com/docker/cli/internal/tui/count.go
+++ b/vendor/github.com/docker/cli/internal/tui/count.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package tui
 
diff --git a/vendor/github.com/docker/cli/internal/tui/note.go b/vendor/github.com/docker/cli/internal/tui/note.go
index c955b8cd..d2bc0b9a 100644
--- a/vendor/github.com/docker/cli/internal/tui/note.go
+++ b/vendor/github.com/docker/cli/internal/tui/note.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package tui
 
@@ -15,19 +15,39 @@ var InfoHeader = Str{
 	Fancy: aec.Bold.Apply(aec.LightCyanB.Apply(aec.BlackF.Apply("i")) + " " + aec.LightCyanF.Apply("Info → ")),
 }
 
-func (o Output) PrintNote(format string, args ...any) {
+type options struct {
+	header Str
+}
+
+type noteOptions func(o *options)
+
+func withHeader(header Str) noteOptions {
+	return func(o *options) {
+		o.header = header
+	}
+}
+
+func (o Output) printNoteWithOptions(format string, args []any, opts ...noteOptions) {
 	if o.isTerminal {
 		// TODO: Handle all flags
 		format = strings.ReplaceAll(format, "--platform", ColorFlag.Apply("--platform"))
 	}
 
-	header := o.Sprint(InfoHeader)
+	opt := &options{
+		header: InfoHeader,
+	}
 
-	_, _ = fmt.Fprint(o, "\n", header)
+	for _, override := range opts {
+		override(opt)
+	}
+
+	h := o.Sprint(opt.header)
+
+	_, _ = fmt.Fprint(o, "\n", h)
 	s := fmt.Sprintf(format, args...)
 	for idx, line := range strings.Split(s, "\n") {
 		if idx > 0 {
-			_, _ = fmt.Fprint(o, strings.Repeat(" ", Width(header)))
+			_, _ = fmt.Fprint(o, strings.Repeat(" ", Width(h)))
 		}
 
 		l := line
@@ -37,3 +57,16 @@ func (o Output) PrintNote(format string, args ...any) {
 		_, _ = fmt.Fprintln(o, l)
 	}
 }
+
+func (o Output) PrintNote(format string, args ...any) {
+	o.printNoteWithOptions(format, args, withHeader(InfoHeader))
+}
+
+var warningHeader = Str{
+	Plain: " Warn -> ",
+	Fancy: aec.Bold.Apply(aec.LightYellowB.Apply(aec.BlackF.Apply("w")) + " " + ColorWarning.Apply("Warn → ")),
+}
+
+func (o Output) PrintWarning(format string, args ...any) {
+	o.printNoteWithOptions(format, args, withHeader(warningHeader))
+}
diff --git a/vendor/github.com/docker/cli/internal/tui/output.go b/vendor/github.com/docker/cli/internal/tui/output.go
index 7fc194ac..1f526d3f 100644
--- a/vendor/github.com/docker/cli/internal/tui/output.go
+++ b/vendor/github.com/docker/cli/internal/tui/output.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package tui
 
diff --git a/vendor/github.com/docker/cli/internal/tui/str.go b/vendor/github.com/docker/cli/internal/tui/str.go
index 490e474f..c1ea9c95 100644
--- a/vendor/github.com/docker/cli/internal/tui/str.go
+++ b/vendor/github.com/docker/cli/internal/tui/str.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package tui
 
diff --git a/vendor/github.com/docker/cli/opts/duration.go b/vendor/github.com/docker/cli/opts/duration.go
index d55c51e6..41a27a56 100644
--- a/vendor/github.com/docker/cli/opts/duration.go
+++ b/vendor/github.com/docker/cli/opts/duration.go
@@ -1,9 +1,8 @@
 package opts
 
 import (
+	"errors"
 	"time"
-
-	"github.com/pkg/errors"
 )
 
 // PositiveDurationOpt is an option type for time.Duration that uses a pointer.
@@ -20,7 +19,7 @@ func (d *PositiveDurationOpt) Set(s string) error {
 		return err
 	}
 	if *d.DurationOpt.value < 0 {
-		return errors.Errorf("duration cannot be negative")
+		return errors.New("duration cannot be negative")
 	}
 	return nil
 }
diff --git a/vendor/github.com/docker/cli/opts/env.go b/vendor/github.com/docker/cli/opts/env.go
index 214d6f44..675ddda9 100644
--- a/vendor/github.com/docker/cli/opts/env.go
+++ b/vendor/github.com/docker/cli/opts/env.go
@@ -1,10 +1,9 @@
 package opts
 
 import (
+	"errors"
 	"os"
 	"strings"
-
-	"github.com/pkg/errors"
 )
 
 // ValidateEnv validates an environment variable and returns it.
diff --git a/vendor/github.com/docker/cli/opts/gpus.go b/vendor/github.com/docker/cli/opts/gpus.go
index 993f6da9..6a56c49c 100644
--- a/vendor/github.com/docker/cli/opts/gpus.go
+++ b/vendor/github.com/docker/cli/opts/gpus.go
@@ -2,12 +2,12 @@ package opts
 
 import (
 	"encoding/csv"
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 
 	"github.com/docker/docker/api/types/container"
-	"github.com/pkg/errors"
 )
 
 // GpuOpts is a Value type for parsing mounts
@@ -20,7 +20,14 @@ func parseCount(s string) (int, error) {
 		return -1, nil
 	}
 	i, err := strconv.Atoi(s)
-	return i, errors.Wrap(err, "count must be an integer")
+	if err != nil {
+		var numErr *strconv.NumError
+		if errors.As(err, &numErr) {
+			err = numErr.Err
+		}
+		return 0, fmt.Errorf(`invalid count (%s): value must be either "all" or an integer: %w`, s, err)
+	}
+	return i, nil
 }
 
 // Set a new mount value
@@ -69,7 +76,7 @@ func (o *GpuOpts) Set(value string) error {
 			r := csv.NewReader(strings.NewReader(val))
 			optFields, err := r.Read()
 			if err != nil {
-				return errors.Wrap(err, "failed to read gpu options")
+				return fmt.Errorf("failed to read gpu options: %w", err)
 			}
 			req.Options = ConvertKVStringsToMap(optFields)
 		default:
diff --git a/vendor/github.com/docker/cli/opts/mount.go b/vendor/github.com/docker/cli/opts/mount.go
index 275a4d7f..05c1cd0b 100644
--- a/vendor/github.com/docker/cli/opts/mount.go
+++ b/vendor/github.com/docker/cli/opts/mount.go
@@ -100,7 +100,7 @@ func (m *MountOpt) Set(value string) error {
 			mount.Type = mounttypes.Type(strings.ToLower(val))
 		case "source", "src":
 			mount.Source = val
-			if strings.HasPrefix(val, "."+string(filepath.Separator)) || val == "." {
+			if !filepath.IsAbs(val) && strings.HasPrefix(val, ".") {
 				if abs, err := filepath.Abs(val); err == nil {
 					mount.Source = abs
 				}
@@ -135,8 +135,7 @@ func (m *MountOpt) Set(value string) error {
 				// TODO: implicitly set propagation and error if the user specifies a propagation in a future refactor/UX polish pass
 				// https://github.com/docker/cli/pull/4316#discussion_r1341974730
 			default:
-				return fmt.Errorf("invalid value for %s: %s (must be \"enabled\", \"disabled\", \"writable\", or \"readonly\")",
-					key, val)
+				return fmt.Errorf(`invalid value for %s: %s (must be "enabled", "disabled", "writable", or "readonly")`, key, val)
 			}
 		case "volume-subpath":
 			volumeOptions().Subpath = val
diff --git a/vendor/github.com/docker/cli/opts/network.go b/vendor/github.com/docker/cli/opts/network.go
index c3510870..43b3a09d 100644
--- a/vendor/github.com/docker/cli/opts/network.go
+++ b/vendor/github.com/docker/cli/opts/network.go
@@ -89,7 +89,11 @@ func (n *NetworkOpt) Set(value string) error { //nolint:gocyclo
 			case gwPriorityOpt:
 				netOpt.GwPriority, err = strconv.Atoi(val)
 				if err != nil {
-					return fmt.Errorf("invalid gw-priority: %w", err)
+					var numErr *strconv.NumError
+					if errors.As(err, &numErr) {
+						err = numErr.Err
+					}
+					return fmt.Errorf("invalid gw-priority (%s): %w", val, err)
 				}
 			default:
 				return errors.New("invalid field key " + key)
diff --git a/vendor/github.com/docker/cli/opts/opts.go b/vendor/github.com/docker/cli/opts/opts.go
index 061fda57..1a885db3 100644
--- a/vendor/github.com/docker/cli/opts/opts.go
+++ b/vendor/github.com/docker/cli/opts/opts.go
@@ -1,21 +1,21 @@
 package opts
 
 import (
+	"errors"
 	"fmt"
 	"math/big"
 	"net"
 	"path"
-	"regexp"
 	"strings"
 
+	"github.com/docker/cli/internal/lazyregexp"
 	"github.com/docker/docker/api/types/filters"
-	units "github.com/docker/go-units"
-	"github.com/pkg/errors"
+	"github.com/docker/go-units"
 )
 
 var (
-	alphaRegexp  = regexp.MustCompile(`[a-zA-Z]`)
-	domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
+	alphaRegexp  = lazyregexp.New(`[a-zA-Z]`)
+	domainRegexp = lazyregexp.New(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
 )
 
 // ListOpts holds a list of values and a validation function.
@@ -80,10 +80,22 @@ func (opts *ListOpts) GetMap() map[string]struct{} {
 }
 
 // GetAll returns the values of slice.
+//
+// Deprecated: use [ListOpts.GetSlice] instead. This method will be removed in a future release.
 func (opts *ListOpts) GetAll() []string {
 	return *opts.values
 }
 
+// GetSlice returns the values of slice.
+//
+// It implements [cobra.SliceValue] to allow shell completion to be provided
+// multiple times.
+//
+// [cobra.SliceValue]: https://pkg.go.dev/github.com/spf13/cobra@v1.9.1#SliceValue
+func (opts *ListOpts) GetSlice() []string {
+	return *opts.values
+}
+
 // GetAllOrEmpty returns the values of the slice
 // or an empty slice when there are no values.
 func (opts *ListOpts) GetAllOrEmpty() []string {
diff --git a/vendor/github.com/docker/cli/opts/config.go b/vendor/github.com/docker/cli/opts/swarmopts/config.go
similarity index 88%
rename from vendor/github.com/docker/cli/opts/config.go
rename to vendor/github.com/docker/cli/opts/swarmopts/config.go
index 1fc0eb35..ff137304 100644
--- a/vendor/github.com/docker/cli/opts/config.go
+++ b/vendor/github.com/docker/cli/opts/swarmopts/config.go
@@ -1,4 +1,4 @@
-package opts
+package swarmopts
 
 import (
 	"encoding/csv"
@@ -8,12 +8,12 @@ import (
 	"strconv"
 	"strings"
 
-	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/swarm"
 )
 
 // ConfigOpt is a Value type for parsing configs
 type ConfigOpt struct {
-	values []*swarmtypes.ConfigReference
+	values []*swarm.ConfigReference
 }
 
 // Set a new config value
@@ -24,8 +24,8 @@ func (o *ConfigOpt) Set(value string) error {
 		return err
 	}
 
-	options := &swarmtypes.ConfigReference{
-		File: &swarmtypes.ConfigReferenceFileTarget{
+	options := &swarm.ConfigReference{
+		File: &swarm.ConfigReferenceFileTarget{
 			UID:  "0",
 			GID:  "0",
 			Mode: 0o444,
@@ -95,6 +95,6 @@ func (o *ConfigOpt) String() string {
 }
 
 // Value returns the config requests
-func (o *ConfigOpt) Value() []*swarmtypes.ConfigReference {
+func (o *ConfigOpt) Value() []*swarm.ConfigReference {
 	return o.values
 }
diff --git a/vendor/github.com/docker/cli/opts/port.go b/vendor/github.com/docker/cli/opts/swarmopts/port.go
similarity index 84%
rename from vendor/github.com/docker/cli/opts/port.go
rename to vendor/github.com/docker/cli/opts/swarmopts/port.go
index 0407355e..e15c6b83 100644
--- a/vendor/github.com/docker/cli/opts/port.go
+++ b/vendor/github.com/docker/cli/opts/swarmopts/port.go
@@ -1,4 +1,4 @@
-package opts
+package swarmopts
 
 import (
 	"encoding/csv"
@@ -46,42 +46,50 @@ func (p *PortOpt) Set(value string) error {
 			// TODO(thaJeztah): these options should not be case-insensitive.
 			key, val, ok := strings.Cut(strings.ToLower(field), "=")
 			if !ok || key == "" {
-				return fmt.Errorf("invalid field %s", field)
+				return fmt.Errorf("invalid field: %s", field)
 			}
 			switch key {
 			case portOptProtocol:
 				if val != string(swarm.PortConfigProtocolTCP) && val != string(swarm.PortConfigProtocolUDP) && val != string(swarm.PortConfigProtocolSCTP) {
-					return fmt.Errorf("invalid protocol value %s", val)
+					return fmt.Errorf("invalid protocol value '%s'", val)
 				}
 
 				pConfig.Protocol = swarm.PortConfigProtocol(val)
 			case portOptMode:
 				if val != string(swarm.PortConfigPublishModeIngress) && val != string(swarm.PortConfigPublishModeHost) {
-					return fmt.Errorf("invalid publish mode value %s", val)
+					return fmt.Errorf("invalid publish mode value (%s): must be either '%s' or '%s'", val, swarm.PortConfigPublishModeIngress, swarm.PortConfigPublishModeHost)
 				}
 
 				pConfig.PublishMode = swarm.PortConfigPublishMode(val)
 			case portOptTargetPort:
 				tPort, err := strconv.ParseUint(val, 10, 16)
 				if err != nil {
-					return err
+					var numErr *strconv.NumError
+					if errors.As(err, &numErr) {
+						err = numErr.Err
+					}
+					return fmt.Errorf("invalid target port (%s): value must be an integer: %w", val, err)
 				}
 
 				pConfig.TargetPort = uint32(tPort)
 			case portOptPublishedPort:
 				pPort, err := strconv.ParseUint(val, 10, 16)
 				if err != nil {
-					return err
+					var numErr *strconv.NumError
+					if errors.As(err, &numErr) {
+						err = numErr.Err
+					}
+					return fmt.Errorf("invalid published port (%s): value must be an integer: %w", val, err)
 				}
 
 				pConfig.PublishedPort = uint32(pPort)
 			default:
-				return fmt.Errorf("invalid field key %s", key)
+				return fmt.Errorf("invalid field key: %s", key)
 			}
 		}
 
 		if pConfig.TargetPort == 0 {
-			return fmt.Errorf("missing mandatory field %q", portOptTargetPort)
+			return fmt.Errorf("missing mandatory field '%s'", portOptTargetPort)
 		}
 
 		if pConfig.PublishMode == "" {
diff --git a/vendor/github.com/docker/cli/opts/secret.go b/vendor/github.com/docker/cli/opts/swarmopts/secret.go
similarity index 88%
rename from vendor/github.com/docker/cli/opts/secret.go
rename to vendor/github.com/docker/cli/opts/swarmopts/secret.go
index bdf232de..9f97627a 100644
--- a/vendor/github.com/docker/cli/opts/secret.go
+++ b/vendor/github.com/docker/cli/opts/swarmopts/secret.go
@@ -1,4 +1,4 @@
-package opts
+package swarmopts
 
 import (
 	"encoding/csv"
@@ -8,12 +8,12 @@ import (
 	"strconv"
 	"strings"
 
-	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/swarm"
 )
 
 // SecretOpt is a Value type for parsing secrets
 type SecretOpt struct {
-	values []*swarmtypes.SecretReference
+	values []*swarm.SecretReference
 }
 
 // Set a new secret value
@@ -24,8 +24,8 @@ func (o *SecretOpt) Set(value string) error {
 		return err
 	}
 
-	options := &swarmtypes.SecretReference{
-		File: &swarmtypes.SecretReferenceFileTarget{
+	options := &swarm.SecretReference{
+		File: &swarm.SecretReferenceFileTarget{
 			UID:  "0",
 			GID:  "0",
 			Mode: 0o444,
@@ -94,6 +94,6 @@ func (o *SecretOpt) String() string {
 }
 
 // Value returns the secret requests
-func (o *SecretOpt) Value() []*swarmtypes.SecretReference {
+func (o *SecretOpt) Value() []*swarm.SecretReference {
 	return o.values
 }
diff --git a/vendor/github.com/docker/cli/templates/templates.go b/vendor/github.com/docker/cli/templates/templates.go
index da2354ca..f0726eec 100644
--- a/vendor/github.com/docker/cli/templates/templates.go
+++ b/vendor/github.com/docker/cli/templates/templates.go
@@ -1,5 +1,5 @@
 // FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
-//go:build go1.22
+//go:build go1.23
 
 package templates
 
diff --git a/vendor/github.com/docker/distribution/manifest/doc.go b/vendor/github.com/docker/distribution/manifest/doc.go
deleted file mode 100644
index 88367b0a..00000000
--- a/vendor/github.com/docker/distribution/manifest/doc.go
+++ /dev/null
@@ -1 +0,0 @@
-package manifest
diff --git a/vendor/github.com/docker/distribution/manifest/manifestlist/manifestlist.go b/vendor/github.com/docker/distribution/manifest/manifestlist/manifestlist.go
deleted file mode 100644
index bea2341c..00000000
--- a/vendor/github.com/docker/distribution/manifest/manifestlist/manifestlist.go
+++ /dev/null
@@ -1,239 +0,0 @@
-package manifestlist
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/manifest"
-	"github.com/opencontainers/go-digest"
-	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-const (
-	// MediaTypeManifestList specifies the mediaType for manifest lists.
-	MediaTypeManifestList = "application/vnd.docker.distribution.manifest.list.v2+json"
-)
-
-// SchemaVersion provides a pre-initialized version structure for this
-// packages version of the manifest.
-var SchemaVersion = manifest.Versioned{
-	SchemaVersion: 2,
-	MediaType:     MediaTypeManifestList,
-}
-
-// OCISchemaVersion provides a pre-initialized version structure for this
-// packages OCIschema version of the manifest.
-var OCISchemaVersion = manifest.Versioned{
-	SchemaVersion: 2,
-	MediaType:     v1.MediaTypeImageIndex,
-}
-
-func init() {
-	manifestListFunc := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) {
-		m := new(DeserializedManifestList)
-		err := m.UnmarshalJSON(b)
-		if err != nil {
-			return nil, distribution.Descriptor{}, err
-		}
-
-		if m.MediaType != MediaTypeManifestList {
-			err = fmt.Errorf("mediaType in manifest list should be '%s' not '%s'",
-				MediaTypeManifestList, m.MediaType)
-
-			return nil, distribution.Descriptor{}, err
-		}
-
-		dgst := digest.FromBytes(b)
-		return m, distribution.Descriptor{Digest: dgst, Size: int64(len(b)), MediaType: MediaTypeManifestList}, err
-	}
-	err := distribution.RegisterManifestSchema(MediaTypeManifestList, manifestListFunc)
-	if err != nil {
-		panic(fmt.Sprintf("Unable to register manifest: %s", err))
-	}
-
-	imageIndexFunc := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) {
-		if err := validateIndex(b); err != nil {
-			return nil, distribution.Descriptor{}, err
-		}
-		m := new(DeserializedManifestList)
-		err := m.UnmarshalJSON(b)
-		if err != nil {
-			return nil, distribution.Descriptor{}, err
-		}
-
-		if m.MediaType != "" && m.MediaType != v1.MediaTypeImageIndex {
-			err = fmt.Errorf("if present, mediaType in image index should be '%s' not '%s'",
-				v1.MediaTypeImageIndex, m.MediaType)
-
-			return nil, distribution.Descriptor{}, err
-		}
-
-		dgst := digest.FromBytes(b)
-		return m, distribution.Descriptor{Digest: dgst, Size: int64(len(b)), MediaType: v1.MediaTypeImageIndex}, err
-	}
-	err = distribution.RegisterManifestSchema(v1.MediaTypeImageIndex, imageIndexFunc)
-	if err != nil {
-		panic(fmt.Sprintf("Unable to register OCI Image Index: %s", err))
-	}
-}
-
-// PlatformSpec specifies a platform where a particular image manifest is
-// applicable.
-type PlatformSpec struct {
-	// Architecture field specifies the CPU architecture, for example
-	// `amd64` or `ppc64`.
-	Architecture string `json:"architecture"`
-
-	// OS specifies the operating system, for example `linux` or `windows`.
-	OS string `json:"os"`
-
-	// OSVersion is an optional field specifying the operating system
-	// version, for example `10.0.10586`.
-	OSVersion string `json:"os.version,omitempty"`
-
-	// OSFeatures is an optional field specifying an array of strings,
-	// each listing a required OS feature (for example on Windows `win32k`).
-	OSFeatures []string `json:"os.features,omitempty"`
-
-	// Variant is an optional field specifying a variant of the CPU, for
-	// example `ppc64le` to specify a little-endian version of a PowerPC CPU.
-	Variant string `json:"variant,omitempty"`
-
-	// Features is an optional field specifying an array of strings, each
-	// listing a required CPU feature (for example `sse4` or `aes`).
-	Features []string `json:"features,omitempty"`
-}
-
-// A ManifestDescriptor references a platform-specific manifest.
-type ManifestDescriptor struct {
-	distribution.Descriptor
-
-	// Platform specifies which platform the manifest pointed to by the
-	// descriptor runs on.
-	Platform PlatformSpec `json:"platform"`
-}
-
-// ManifestList references manifests for various platforms.
-type ManifestList struct {
-	manifest.Versioned
-
-	// Config references the image configuration as a blob.
-	Manifests []ManifestDescriptor `json:"manifests"`
-}
-
-// References returns the distribution descriptors for the referenced image
-// manifests.
-func (m ManifestList) References() []distribution.Descriptor {
-	dependencies := make([]distribution.Descriptor, len(m.Manifests))
-	for i := range m.Manifests {
-		dependencies[i] = m.Manifests[i].Descriptor
-	}
-
-	return dependencies
-}
-
-// DeserializedManifestList wraps ManifestList with a copy of the original
-// JSON.
-type DeserializedManifestList struct {
-	ManifestList
-
-	// canonical is the canonical byte representation of the Manifest.
-	canonical []byte
-}
-
-// FromDescriptors takes a slice of descriptors, and returns a
-// DeserializedManifestList which contains the resulting manifest list
-// and its JSON representation.
-func FromDescriptors(descriptors []ManifestDescriptor) (*DeserializedManifestList, error) {
-	var mediaType string
-	if len(descriptors) > 0 && descriptors[0].Descriptor.MediaType == v1.MediaTypeImageManifest {
-		mediaType = v1.MediaTypeImageIndex
-	} else {
-		mediaType = MediaTypeManifestList
-	}
-
-	return FromDescriptorsWithMediaType(descriptors, mediaType)
-}
-
-// FromDescriptorsWithMediaType is for testing purposes, it's useful to be able to specify the media type explicitly
-func FromDescriptorsWithMediaType(descriptors []ManifestDescriptor, mediaType string) (*DeserializedManifestList, error) {
-	m := ManifestList{
-		Versioned: manifest.Versioned{
-			SchemaVersion: 2,
-			MediaType:     mediaType,
-		},
-	}
-
-	m.Manifests = make([]ManifestDescriptor, len(descriptors))
-	copy(m.Manifests, descriptors)
-
-	deserialized := DeserializedManifestList{
-		ManifestList: m,
-	}
-
-	var err error
-	deserialized.canonical, err = json.MarshalIndent(&m, "", "   ")
-	return &deserialized, err
-}
-
-// UnmarshalJSON populates a new ManifestList struct from JSON data.
-func (m *DeserializedManifestList) UnmarshalJSON(b []byte) error {
-	m.canonical = make([]byte, len(b))
-	// store manifest list in canonical
-	copy(m.canonical, b)
-
-	// Unmarshal canonical JSON into ManifestList object
-	var manifestList ManifestList
-	if err := json.Unmarshal(m.canonical, &manifestList); err != nil {
-		return err
-	}
-
-	m.ManifestList = manifestList
-
-	return nil
-}
-
-// MarshalJSON returns the contents of canonical. If canonical is empty,
-// marshals the inner contents.
-func (m *DeserializedManifestList) MarshalJSON() ([]byte, error) {
-	if len(m.canonical) > 0 {
-		return m.canonical, nil
-	}
-
-	return nil, errors.New("JSON representation not initialized in DeserializedManifestList")
-}
-
-// Payload returns the raw content of the manifest list. The contents can be
-// used to calculate the content identifier.
-func (m DeserializedManifestList) Payload() (string, []byte, error) {
-	var mediaType string
-	if m.MediaType == "" {
-		mediaType = v1.MediaTypeImageIndex
-	} else {
-		mediaType = m.MediaType
-	}
-
-	return mediaType, m.canonical, nil
-}
-
-// unknownDocument represents a manifest, manifest list, or index that has not
-// yet been validated
-type unknownDocument struct {
-	Config interface{} `json:"config,omitempty"`
-	Layers interface{} `json:"layers,omitempty"`
-}
-
-// validateIndex returns an error if the byte slice is invalid JSON or if it
-// contains fields that belong to a manifest
-func validateIndex(b []byte) error {
-	var doc unknownDocument
-	if err := json.Unmarshal(b, &doc); err != nil {
-		return err
-	}
-	if doc.Config != nil || doc.Layers != nil {
-		return errors.New("index: expected index but found manifest")
-	}
-	return nil
-}
diff --git a/vendor/github.com/docker/distribution/manifest/ocischema/builder.go b/vendor/github.com/docker/distribution/manifest/ocischema/builder.go
deleted file mode 100644
index b89bf5b7..00000000
--- a/vendor/github.com/docker/distribution/manifest/ocischema/builder.go
+++ /dev/null
@@ -1,107 +0,0 @@
-package ocischema
-
-import (
-	"context"
-	"errors"
-
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/manifest"
-	"github.com/opencontainers/go-digest"
-	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-// Builder is a type for constructing manifests.
-type Builder struct {
-	// bs is a BlobService used to publish the configuration blob.
-	bs distribution.BlobService
-
-	// configJSON references
-	configJSON []byte
-
-	// layers is a list of layer descriptors that gets built by successive
-	// calls to AppendReference.
-	layers []distribution.Descriptor
-
-	// Annotations contains arbitrary metadata relating to the targeted content.
-	annotations map[string]string
-
-	// For testing purposes
-	mediaType string
-}
-
-// NewManifestBuilder is used to build new manifests for the current schema
-// version. It takes a BlobService so it can publish the configuration blob
-// as part of the Build process, and annotations.
-func NewManifestBuilder(bs distribution.BlobService, configJSON []byte, annotations map[string]string) distribution.ManifestBuilder {
-	mb := &Builder{
-		bs:          bs,
-		configJSON:  make([]byte, len(configJSON)),
-		annotations: annotations,
-		mediaType:   v1.MediaTypeImageManifest,
-	}
-	copy(mb.configJSON, configJSON)
-
-	return mb
-}
-
-// SetMediaType assigns the passed mediatype or error if the mediatype is not a
-// valid media type for oci image manifests currently: "" or "application/vnd.oci.image.manifest.v1+json"
-func (mb *Builder) SetMediaType(mediaType string) error {
-	if mediaType != "" && mediaType != v1.MediaTypeImageManifest {
-		return errors.New("invalid media type for OCI image manifest")
-	}
-
-	mb.mediaType = mediaType
-	return nil
-}
-
-// Build produces a final manifest from the given references.
-func (mb *Builder) Build(ctx context.Context) (distribution.Manifest, error) {
-	m := Manifest{
-		Versioned: manifest.Versioned{
-			SchemaVersion: 2,
-			MediaType:     mb.mediaType,
-		},
-		Layers:      make([]distribution.Descriptor, len(mb.layers)),
-		Annotations: mb.annotations,
-	}
-	copy(m.Layers, mb.layers)
-
-	configDigest := digest.FromBytes(mb.configJSON)
-
-	var err error
-	m.Config, err = mb.bs.Stat(ctx, configDigest)
-	switch err {
-	case nil:
-		// Override MediaType, since Put always replaces the specified media
-		// type with application/octet-stream in the descriptor it returns.
-		m.Config.MediaType = v1.MediaTypeImageConfig
-		return FromStruct(m)
-	case distribution.ErrBlobUnknown:
-		// nop
-	default:
-		return nil, err
-	}
-
-	// Add config to the blob store
-	m.Config, err = mb.bs.Put(ctx, v1.MediaTypeImageConfig, mb.configJSON)
-	// Override MediaType, since Put always replaces the specified media
-	// type with application/octet-stream in the descriptor it returns.
-	m.Config.MediaType = v1.MediaTypeImageConfig
-	if err != nil {
-		return nil, err
-	}
-
-	return FromStruct(m)
-}
-
-// AppendReference adds a reference to the current ManifestBuilder.
-func (mb *Builder) AppendReference(d distribution.Describable) error {
-	mb.layers = append(mb.layers, d.Descriptor())
-	return nil
-}
-
-// References returns the current references added to this builder.
-func (mb *Builder) References() []distribution.Descriptor {
-	return mb.layers
-}
diff --git a/vendor/github.com/docker/distribution/manifest/ocischema/manifest.go b/vendor/github.com/docker/distribution/manifest/ocischema/manifest.go
deleted file mode 100644
index d51f8deb..00000000
--- a/vendor/github.com/docker/distribution/manifest/ocischema/manifest.go
+++ /dev/null
@@ -1,146 +0,0 @@
-package ocischema
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/manifest"
-	"github.com/opencontainers/go-digest"
-	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-var (
-	// SchemaVersion provides a pre-initialized version structure for this
-	// packages version of the manifest.
-	SchemaVersion = manifest.Versioned{
-		SchemaVersion: 2, // historical value here.. does not pertain to OCI or docker version
-		MediaType:     v1.MediaTypeImageManifest,
-	}
-)
-
-func init() {
-	ocischemaFunc := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) {
-		if err := validateManifest(b); err != nil {
-			return nil, distribution.Descriptor{}, err
-		}
-		m := new(DeserializedManifest)
-		err := m.UnmarshalJSON(b)
-		if err != nil {
-			return nil, distribution.Descriptor{}, err
-		}
-
-		dgst := digest.FromBytes(b)
-		return m, distribution.Descriptor{Digest: dgst, Size: int64(len(b)), MediaType: v1.MediaTypeImageManifest}, err
-	}
-	err := distribution.RegisterManifestSchema(v1.MediaTypeImageManifest, ocischemaFunc)
-	if err != nil {
-		panic(fmt.Sprintf("Unable to register manifest: %s", err))
-	}
-}
-
-// Manifest defines a ocischema manifest.
-type Manifest struct {
-	manifest.Versioned
-
-	// Config references the image configuration as a blob.
-	Config distribution.Descriptor `json:"config"`
-
-	// Layers lists descriptors for the layers referenced by the
-	// configuration.
-	Layers []distribution.Descriptor `json:"layers"`
-
-	// Annotations contains arbitrary metadata for the image manifest.
-	Annotations map[string]string `json:"annotations,omitempty"`
-}
-
-// References returns the descriptors of this manifests references.
-func (m Manifest) References() []distribution.Descriptor {
-	references := make([]distribution.Descriptor, 0, 1+len(m.Layers))
-	references = append(references, m.Config)
-	references = append(references, m.Layers...)
-	return references
-}
-
-// Target returns the target of this manifest.
-func (m Manifest) Target() distribution.Descriptor {
-	return m.Config
-}
-
-// DeserializedManifest wraps Manifest with a copy of the original JSON.
-// It satisfies the distribution.Manifest interface.
-type DeserializedManifest struct {
-	Manifest
-
-	// canonical is the canonical byte representation of the Manifest.
-	canonical []byte
-}
-
-// FromStruct takes a Manifest structure, marshals it to JSON, and returns a
-// DeserializedManifest which contains the manifest and its JSON representation.
-func FromStruct(m Manifest) (*DeserializedManifest, error) {
-	var deserialized DeserializedManifest
-	deserialized.Manifest = m
-
-	var err error
-	deserialized.canonical, err = json.MarshalIndent(&m, "", "   ")
-	return &deserialized, err
-}
-
-// UnmarshalJSON populates a new Manifest struct from JSON data.
-func (m *DeserializedManifest) UnmarshalJSON(b []byte) error {
-	m.canonical = make([]byte, len(b))
-	// store manifest in canonical
-	copy(m.canonical, b)
-
-	// Unmarshal canonical JSON into Manifest object
-	var manifest Manifest
-	if err := json.Unmarshal(m.canonical, &manifest); err != nil {
-		return err
-	}
-
-	if manifest.MediaType != "" && manifest.MediaType != v1.MediaTypeImageManifest {
-		return fmt.Errorf("if present, mediaType in manifest should be '%s' not '%s'",
-			v1.MediaTypeImageManifest, manifest.MediaType)
-	}
-
-	m.Manifest = manifest
-
-	return nil
-}
-
-// MarshalJSON returns the contents of canonical. If canonical is empty,
-// marshals the inner contents.
-func (m *DeserializedManifest) MarshalJSON() ([]byte, error) {
-	if len(m.canonical) > 0 {
-		return m.canonical, nil
-	}
-
-	return nil, errors.New("JSON representation not initialized in DeserializedManifest")
-}
-
-// Payload returns the raw content of the manifest. The contents can be used to
-// calculate the content identifier.
-func (m DeserializedManifest) Payload() (string, []byte, error) {
-	return v1.MediaTypeImageManifest, m.canonical, nil
-}
-
-// unknownDocument represents a manifest, manifest list, or index that has not
-// yet been validated
-type unknownDocument struct {
-	Manifests interface{} `json:"manifests,omitempty"`
-}
-
-// validateManifest returns an error if the byte slice is invalid JSON or if it
-// contains fields that belong to a index
-func validateManifest(b []byte) error {
-	var doc unknownDocument
-	if err := json.Unmarshal(b, &doc); err != nil {
-		return err
-	}
-	if doc.Manifests != nil {
-		return errors.New("ocimanifest: expected manifest but found index")
-	}
-	return nil
-}
diff --git a/vendor/github.com/docker/distribution/manifest/schema2/builder.go b/vendor/github.com/docker/distribution/manifest/schema2/builder.go
deleted file mode 100644
index 3facaae6..00000000
--- a/vendor/github.com/docker/distribution/manifest/schema2/builder.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package schema2
-
-import (
-	"context"
-
-	"github.com/docker/distribution"
-	"github.com/opencontainers/go-digest"
-)
-
-// builder is a type for constructing manifests.
-type builder struct {
-	// bs is a BlobService used to publish the configuration blob.
-	bs distribution.BlobService
-
-	// configMediaType is media type used to describe configuration
-	configMediaType string
-
-	// configJSON references
-	configJSON []byte
-
-	// dependencies is a list of descriptors that gets built by successive
-	// calls to AppendReference. In case of image configuration these are layers.
-	dependencies []distribution.Descriptor
-}
-
-// NewManifestBuilder is used to build new manifests for the current schema
-// version. It takes a BlobService so it can publish the configuration blob
-// as part of the Build process.
-func NewManifestBuilder(bs distribution.BlobService, configMediaType string, configJSON []byte) distribution.ManifestBuilder {
-	mb := &builder{
-		bs:              bs,
-		configMediaType: configMediaType,
-		configJSON:      make([]byte, len(configJSON)),
-	}
-	copy(mb.configJSON, configJSON)
-
-	return mb
-}
-
-// Build produces a final manifest from the given references.
-func (mb *builder) Build(ctx context.Context) (distribution.Manifest, error) {
-	m := Manifest{
-		Versioned: SchemaVersion,
-		Layers:    make([]distribution.Descriptor, len(mb.dependencies)),
-	}
-	copy(m.Layers, mb.dependencies)
-
-	configDigest := digest.FromBytes(mb.configJSON)
-
-	var err error
-	m.Config, err = mb.bs.Stat(ctx, configDigest)
-	switch err {
-	case nil:
-		// Override MediaType, since Put always replaces the specified media
-		// type with application/octet-stream in the descriptor it returns.
-		m.Config.MediaType = mb.configMediaType
-		return FromStruct(m)
-	case distribution.ErrBlobUnknown:
-		// nop
-	default:
-		return nil, err
-	}
-
-	// Add config to the blob store
-	m.Config, err = mb.bs.Put(ctx, mb.configMediaType, mb.configJSON)
-	// Override MediaType, since Put always replaces the specified media
-	// type with application/octet-stream in the descriptor it returns.
-	m.Config.MediaType = mb.configMediaType
-	if err != nil {
-		return nil, err
-	}
-
-	return FromStruct(m)
-}
-
-// AppendReference adds a reference to the current ManifestBuilder.
-func (mb *builder) AppendReference(d distribution.Describable) error {
-	mb.dependencies = append(mb.dependencies, d.Descriptor())
-	return nil
-}
-
-// References returns the current references added to this builder.
-func (mb *builder) References() []distribution.Descriptor {
-	return mb.dependencies
-}
diff --git a/vendor/github.com/docker/distribution/manifest/schema2/manifest.go b/vendor/github.com/docker/distribution/manifest/schema2/manifest.go
deleted file mode 100644
index 41f48029..00000000
--- a/vendor/github.com/docker/distribution/manifest/schema2/manifest.go
+++ /dev/null
@@ -1,144 +0,0 @@
-package schema2
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/manifest"
-	"github.com/opencontainers/go-digest"
-)
-
-const (
-	// MediaTypeManifest specifies the mediaType for the current version.
-	MediaTypeManifest = "application/vnd.docker.distribution.manifest.v2+json"
-
-	// MediaTypeImageConfig specifies the mediaType for the image configuration.
-	MediaTypeImageConfig = "application/vnd.docker.container.image.v1+json"
-
-	// MediaTypePluginConfig specifies the mediaType for plugin configuration.
-	MediaTypePluginConfig = "application/vnd.docker.plugin.v1+json"
-
-	// MediaTypeLayer is the mediaType used for layers referenced by the
-	// manifest.
-	MediaTypeLayer = "application/vnd.docker.image.rootfs.diff.tar.gzip"
-
-	// MediaTypeForeignLayer is the mediaType used for layers that must be
-	// downloaded from foreign URLs.
-	MediaTypeForeignLayer = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
-
-	// MediaTypeUncompressedLayer is the mediaType used for layers which
-	// are not compressed.
-	MediaTypeUncompressedLayer = "application/vnd.docker.image.rootfs.diff.tar"
-)
-
-var (
-	// SchemaVersion provides a pre-initialized version structure for this
-	// packages version of the manifest.
-	SchemaVersion = manifest.Versioned{
-		SchemaVersion: 2,
-		MediaType:     MediaTypeManifest,
-	}
-)
-
-func init() {
-	schema2Func := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) {
-		m := new(DeserializedManifest)
-		err := m.UnmarshalJSON(b)
-		if err != nil {
-			return nil, distribution.Descriptor{}, err
-		}
-
-		dgst := digest.FromBytes(b)
-		return m, distribution.Descriptor{Digest: dgst, Size: int64(len(b)), MediaType: MediaTypeManifest}, err
-	}
-	err := distribution.RegisterManifestSchema(MediaTypeManifest, schema2Func)
-	if err != nil {
-		panic(fmt.Sprintf("Unable to register manifest: %s", err))
-	}
-}
-
-// Manifest defines a schema2 manifest.
-type Manifest struct {
-	manifest.Versioned
-
-	// Config references the image configuration as a blob.
-	Config distribution.Descriptor `json:"config"`
-
-	// Layers lists descriptors for the layers referenced by the
-	// configuration.
-	Layers []distribution.Descriptor `json:"layers"`
-}
-
-// References returns the descriptors of this manifests references.
-func (m Manifest) References() []distribution.Descriptor {
-	references := make([]distribution.Descriptor, 0, 1+len(m.Layers))
-	references = append(references, m.Config)
-	references = append(references, m.Layers...)
-	return references
-}
-
-// Target returns the target of this manifest.
-func (m Manifest) Target() distribution.Descriptor {
-	return m.Config
-}
-
-// DeserializedManifest wraps Manifest with a copy of the original JSON.
-// It satisfies the distribution.Manifest interface.
-type DeserializedManifest struct {
-	Manifest
-
-	// canonical is the canonical byte representation of the Manifest.
-	canonical []byte
-}
-
-// FromStruct takes a Manifest structure, marshals it to JSON, and returns a
-// DeserializedManifest which contains the manifest and its JSON representation.
-func FromStruct(m Manifest) (*DeserializedManifest, error) {
-	var deserialized DeserializedManifest
-	deserialized.Manifest = m
-
-	var err error
-	deserialized.canonical, err = json.MarshalIndent(&m, "", "   ")
-	return &deserialized, err
-}
-
-// UnmarshalJSON populates a new Manifest struct from JSON data.
-func (m *DeserializedManifest) UnmarshalJSON(b []byte) error {
-	m.canonical = make([]byte, len(b))
-	// store manifest in canonical
-	copy(m.canonical, b)
-
-	// Unmarshal canonical JSON into Manifest object
-	var manifest Manifest
-	if err := json.Unmarshal(m.canonical, &manifest); err != nil {
-		return err
-	}
-
-	if manifest.MediaType != MediaTypeManifest {
-		return fmt.Errorf("mediaType in manifest should be '%s' not '%s'",
-			MediaTypeManifest, manifest.MediaType)
-
-	}
-
-	m.Manifest = manifest
-
-	return nil
-}
-
-// MarshalJSON returns the contents of canonical. If canonical is empty,
-// marshals the inner contents.
-func (m *DeserializedManifest) MarshalJSON() ([]byte, error) {
-	if len(m.canonical) > 0 {
-		return m.canonical, nil
-	}
-
-	return nil, errors.New("JSON representation not initialized in DeserializedManifest")
-}
-
-// Payload returns the raw content of the manifest. The contents can be used to
-// calculate the content identifier.
-func (m DeserializedManifest) Payload() (string, []byte, error) {
-	return m.MediaType, m.canonical, nil
-}
diff --git a/vendor/github.com/docker/distribution/manifest/versioned.go b/vendor/github.com/docker/distribution/manifest/versioned.go
deleted file mode 100644
index caa6b14e..00000000
--- a/vendor/github.com/docker/distribution/manifest/versioned.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package manifest
-
-// Versioned provides a struct with the manifest schemaVersion and mediaType.
-// Incoming content with unknown schema version can be decoded against this
-// struct to check the version.
-type Versioned struct {
-	// SchemaVersion is the image manifest schema that this image follows
-	SchemaVersion int `json:"schemaVersion"`
-
-	// MediaType is the media type of this schema.
-	MediaType string `json:"mediaType,omitempty"`
-}
diff --git a/vendor/github.com/docker/distribution/registry/client/auth/api_version.go b/vendor/github.com/docker/distribution/registry/client/auth/api_version.go
deleted file mode 100644
index 7d8f1d95..00000000
--- a/vendor/github.com/docker/distribution/registry/client/auth/api_version.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package auth
-
-import (
-	"net/http"
-	"strings"
-)
-
-// APIVersion represents a version of an API including its
-// type and version number.
-type APIVersion struct {
-	// Type refers to the name of a specific API specification
-	// such as "registry"
-	Type string
-
-	// Version is the version of the API specification implemented,
-	// This may omit the revision number and only include
-	// the major and minor version, such as "2.0"
-	Version string
-}
-
-// String returns the string formatted API Version
-func (v APIVersion) String() string {
-	return v.Type + "/" + v.Version
-}
-
-// APIVersions gets the API versions out of an HTTP response using the provided
-// version header as the key for the HTTP header.
-func APIVersions(resp *http.Response, versionHeader string) []APIVersion {
-	versions := []APIVersion{}
-	if versionHeader != "" {
-		for _, supportedVersions := range resp.Header[http.CanonicalHeaderKey(versionHeader)] {
-			for _, version := range strings.Fields(supportedVersions) {
-				versions = append(versions, ParseAPIVersion(version))
-			}
-		}
-	}
-	return versions
-}
-
-// ParseAPIVersion parses an API version string into an APIVersion
-// Format (Expected, not enforced):
-// API version string = <API type> '/' <API version>
-// API type = [a-z][a-z0-9]*
-// API version = [0-9]+(\.[0-9]+)?
-// TODO(dmcgowan): Enforce format, add error condition, remove unknown type
-func ParseAPIVersion(versionStr string) APIVersion {
-	idx := strings.IndexRune(versionStr, '/')
-	if idx == -1 {
-		return APIVersion{
-			Type:    "unknown",
-			Version: versionStr,
-		}
-	}
-	return APIVersion{
-		Type:    strings.ToLower(versionStr[:idx]),
-		Version: versionStr[idx+1:],
-	}
-}
diff --git a/vendor/github.com/docker/distribution/registry/client/auth/session.go b/vendor/github.com/docker/distribution/registry/client/auth/session.go
deleted file mode 100644
index aad8a0e6..00000000
--- a/vendor/github.com/docker/distribution/registry/client/auth/session.go
+++ /dev/null
@@ -1,530 +0,0 @@
-package auth
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/url"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/docker/distribution/registry/client"
-	"github.com/docker/distribution/registry/client/auth/challenge"
-	"github.com/docker/distribution/registry/client/transport"
-)
-
-var (
-	// ErrNoBasicAuthCredentials is returned if a request can't be authorized with
-	// basic auth due to lack of credentials.
-	ErrNoBasicAuthCredentials = errors.New("no basic auth credentials")
-
-	// ErrNoToken is returned if a request is successful but the body does not
-	// contain an authorization token.
-	ErrNoToken = errors.New("authorization server did not include a token in the response")
-)
-
-const defaultClientID = "registry-client"
-
-// AuthenticationHandler is an interface for authorizing a request from
-// params from a "WWW-Authenicate" header for a single scheme.
-type AuthenticationHandler interface {
-	// Scheme returns the scheme as expected from the "WWW-Authenicate" header.
-	Scheme() string
-
-	// AuthorizeRequest adds the authorization header to a request (if needed)
-	// using the parameters from "WWW-Authenticate" method. The parameters
-	// values depend on the scheme.
-	AuthorizeRequest(req *http.Request, params map[string]string) error
-}
-
-// CredentialStore is an interface for getting credentials for
-// a given URL
-type CredentialStore interface {
-	// Basic returns basic auth for the given URL
-	Basic(*url.URL) (string, string)
-
-	// RefreshToken returns a refresh token for the
-	// given URL and service
-	RefreshToken(*url.URL, string) string
-
-	// SetRefreshToken sets the refresh token if none
-	// is provided for the given url and service
-	SetRefreshToken(realm *url.URL, service, token string)
-}
-
-// NewAuthorizer creates an authorizer which can handle multiple authentication
-// schemes. The handlers are tried in order, the higher priority authentication
-// methods should be first. The challengeMap holds a list of challenges for
-// a given root API endpoint (for example "https://registry-1.docker.io/v2/").
-func NewAuthorizer(manager challenge.Manager, handlers ...AuthenticationHandler) transport.RequestModifier {
-	return &endpointAuthorizer{
-		challenges: manager,
-		handlers:   handlers,
-	}
-}
-
-type endpointAuthorizer struct {
-	challenges challenge.Manager
-	handlers   []AuthenticationHandler
-}
-
-func (ea *endpointAuthorizer) ModifyRequest(req *http.Request) error {
-	pingPath := req.URL.Path
-	if v2Root := strings.Index(req.URL.Path, "/v2/"); v2Root != -1 {
-		pingPath = pingPath[:v2Root+4]
-	} else if v1Root := strings.Index(req.URL.Path, "/v1/"); v1Root != -1 {
-		pingPath = pingPath[:v1Root] + "/v2/"
-	} else {
-		return nil
-	}
-
-	ping := url.URL{
-		Host:   req.URL.Host,
-		Scheme: req.URL.Scheme,
-		Path:   pingPath,
-	}
-
-	challenges, err := ea.challenges.GetChallenges(ping)
-	if err != nil {
-		return err
-	}
-
-	if len(challenges) > 0 {
-		for _, handler := range ea.handlers {
-			for _, c := range challenges {
-				if c.Scheme != handler.Scheme() {
-					continue
-				}
-				if err := handler.AuthorizeRequest(req, c.Parameters); err != nil {
-					return err
-				}
-			}
-		}
-	}
-
-	return nil
-}
-
-// This is the minimum duration a token can last (in seconds).
-// A token must not live less than 60 seconds because older versions
-// of the Docker client didn't read their expiration from the token
-// response and assumed 60 seconds.  So to remain compatible with
-// those implementations, a token must live at least this long.
-const minimumTokenLifetimeSeconds = 60
-
-// Private interface for time used by this package to enable tests to provide their own implementation.
-type clock interface {
-	Now() time.Time
-}
-
-type tokenHandler struct {
-	creds     CredentialStore
-	transport http.RoundTripper
-	clock     clock
-
-	offlineAccess bool
-	forceOAuth    bool
-	clientID      string
-	scopes        []Scope
-
-	tokenLock       sync.Mutex
-	tokenCache      string
-	tokenExpiration time.Time
-
-	logger Logger
-}
-
-// Scope is a type which is serializable to a string
-// using the allow scope grammar.
-type Scope interface {
-	String() string
-}
-
-// RepositoryScope represents a token scope for access
-// to a repository.
-type RepositoryScope struct {
-	Repository string
-	Class      string
-	Actions    []string
-}
-
-// String returns the string representation of the repository
-// using the scope grammar
-func (rs RepositoryScope) String() string {
-	repoType := "repository"
-	// Keep existing format for image class to maintain backwards compatibility
-	// with authorization servers which do not support the expanded grammar.
-	if rs.Class != "" && rs.Class != "image" {
-		repoType = fmt.Sprintf("%s(%s)", repoType, rs.Class)
-	}
-	return fmt.Sprintf("%s:%s:%s", repoType, rs.Repository, strings.Join(rs.Actions, ","))
-}
-
-// RegistryScope represents a token scope for access
-// to resources in the registry.
-type RegistryScope struct {
-	Name    string
-	Actions []string
-}
-
-// String returns the string representation of the user
-// using the scope grammar
-func (rs RegistryScope) String() string {
-	return fmt.Sprintf("registry:%s:%s", rs.Name, strings.Join(rs.Actions, ","))
-}
-
-// Logger defines the injectable logging interface, used on TokenHandlers.
-type Logger interface {
-	Debugf(format string, args ...interface{})
-}
-
-func logDebugf(logger Logger, format string, args ...interface{}) {
-	if logger == nil {
-		return
-	}
-	logger.Debugf(format, args...)
-}
-
-// TokenHandlerOptions is used to configure a new token handler
-type TokenHandlerOptions struct {
-	Transport   http.RoundTripper
-	Credentials CredentialStore
-
-	OfflineAccess bool
-	ForceOAuth    bool
-	ClientID      string
-	Scopes        []Scope
-	Logger        Logger
-}
-
-// An implementation of clock for providing real time data.
-type realClock struct{}
-
-// Now implements clock
-func (realClock) Now() time.Time { return time.Now() }
-
-// NewTokenHandler creates a new AuthenicationHandler which supports
-// fetching tokens from a remote token server.
-func NewTokenHandler(transport http.RoundTripper, creds CredentialStore, scope string, actions ...string) AuthenticationHandler {
-	// Create options...
-	return NewTokenHandlerWithOptions(TokenHandlerOptions{
-		Transport:   transport,
-		Credentials: creds,
-		Scopes: []Scope{
-			RepositoryScope{
-				Repository: scope,
-				Actions:    actions,
-			},
-		},
-	})
-}
-
-// NewTokenHandlerWithOptions creates a new token handler using the provided
-// options structure.
-func NewTokenHandlerWithOptions(options TokenHandlerOptions) AuthenticationHandler {
-	handler := &tokenHandler{
-		transport:     options.Transport,
-		creds:         options.Credentials,
-		offlineAccess: options.OfflineAccess,
-		forceOAuth:    options.ForceOAuth,
-		clientID:      options.ClientID,
-		scopes:        options.Scopes,
-		clock:         realClock{},
-		logger:        options.Logger,
-	}
-
-	return handler
-}
-
-func (th *tokenHandler) client() *http.Client {
-	return &http.Client{
-		Transport: th.transport,
-		Timeout:   15 * time.Second,
-	}
-}
-
-func (th *tokenHandler) Scheme() string {
-	return "bearer"
-}
-
-func (th *tokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
-	var additionalScopes []string
-	if fromParam := req.URL.Query().Get("from"); fromParam != "" {
-		additionalScopes = append(additionalScopes, RepositoryScope{
-			Repository: fromParam,
-			Actions:    []string{"pull"},
-		}.String())
-	}
-
-	token, err := th.getToken(params, additionalScopes...)
-	if err != nil {
-		return err
-	}
-
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
-
-	return nil
-}
-
-func (th *tokenHandler) getToken(params map[string]string, additionalScopes ...string) (string, error) {
-	th.tokenLock.Lock()
-	defer th.tokenLock.Unlock()
-	scopes := make([]string, 0, len(th.scopes)+len(additionalScopes))
-	for _, scope := range th.scopes {
-		scopes = append(scopes, scope.String())
-	}
-	var addedScopes bool
-	for _, scope := range additionalScopes {
-		if hasScope(scopes, scope) {
-			continue
-		}
-		scopes = append(scopes, scope)
-		addedScopes = true
-	}
-
-	now := th.clock.Now()
-	if now.After(th.tokenExpiration) || addedScopes {
-		token, expiration, err := th.fetchToken(params, scopes)
-		if err != nil {
-			return "", err
-		}
-
-		// do not update cache for added scope tokens
-		if !addedScopes {
-			th.tokenCache = token
-			th.tokenExpiration = expiration
-		}
-
-		return token, nil
-	}
-
-	return th.tokenCache, nil
-}
-
-func hasScope(scopes []string, scope string) bool {
-	for _, s := range scopes {
-		if s == scope {
-			return true
-		}
-	}
-	return false
-}
-
-type postTokenResponse struct {
-	AccessToken  string    `json:"access_token"`
-	RefreshToken string    `json:"refresh_token"`
-	ExpiresIn    int       `json:"expires_in"`
-	IssuedAt     time.Time `json:"issued_at"`
-	Scope        string    `json:"scope"`
-}
-
-func (th *tokenHandler) fetchTokenWithOAuth(realm *url.URL, refreshToken, service string, scopes []string) (token string, expiration time.Time, err error) {
-	form := url.Values{}
-	form.Set("scope", strings.Join(scopes, " "))
-	form.Set("service", service)
-
-	clientID := th.clientID
-	if clientID == "" {
-		// Use default client, this is a required field
-		clientID = defaultClientID
-	}
-	form.Set("client_id", clientID)
-
-	if refreshToken != "" {
-		form.Set("grant_type", "refresh_token")
-		form.Set("refresh_token", refreshToken)
-	} else if th.creds != nil {
-		form.Set("grant_type", "password")
-		username, password := th.creds.Basic(realm)
-		form.Set("username", username)
-		form.Set("password", password)
-
-		// attempt to get a refresh token
-		form.Set("access_type", "offline")
-	} else {
-		// refuse to do oauth without a grant type
-		return "", time.Time{}, fmt.Errorf("no supported grant type")
-	}
-
-	resp, err := th.client().PostForm(realm.String(), form)
-	if err != nil {
-		return "", time.Time{}, err
-	}
-	defer resp.Body.Close()
-
-	if !client.SuccessStatus(resp.StatusCode) {
-		err := client.HandleErrorResponse(resp)
-		return "", time.Time{}, err
-	}
-
-	decoder := json.NewDecoder(resp.Body)
-
-	var tr postTokenResponse
-	if err = decoder.Decode(&tr); err != nil {
-		return "", time.Time{}, fmt.Errorf("unable to decode token response: %s", err)
-	}
-
-	if tr.RefreshToken != "" && tr.RefreshToken != refreshToken {
-		th.creds.SetRefreshToken(realm, service, tr.RefreshToken)
-	}
-
-	if tr.ExpiresIn < minimumTokenLifetimeSeconds {
-		// The default/minimum lifetime.
-		tr.ExpiresIn = minimumTokenLifetimeSeconds
-		logDebugf(th.logger, "Increasing token expiration to: %d seconds", tr.ExpiresIn)
-	}
-
-	if tr.IssuedAt.IsZero() {
-		// issued_at is optional in the token response.
-		tr.IssuedAt = th.clock.Now().UTC()
-	}
-
-	return tr.AccessToken, tr.IssuedAt.Add(time.Duration(tr.ExpiresIn) * time.Second), nil
-}
-
-type getTokenResponse struct {
-	Token        string    `json:"token"`
-	AccessToken  string    `json:"access_token"`
-	ExpiresIn    int       `json:"expires_in"`
-	IssuedAt     time.Time `json:"issued_at"`
-	RefreshToken string    `json:"refresh_token"`
-}
-
-func (th *tokenHandler) fetchTokenWithBasicAuth(realm *url.URL, service string, scopes []string) (token string, expiration time.Time, err error) {
-
-	req, err := http.NewRequest("GET", realm.String(), nil)
-	if err != nil {
-		return "", time.Time{}, err
-	}
-
-	reqParams := req.URL.Query()
-
-	if service != "" {
-		reqParams.Add("service", service)
-	}
-
-	for _, scope := range scopes {
-		reqParams.Add("scope", scope)
-	}
-
-	if th.offlineAccess {
-		reqParams.Add("offline_token", "true")
-		clientID := th.clientID
-		if clientID == "" {
-			clientID = defaultClientID
-		}
-		reqParams.Add("client_id", clientID)
-	}
-
-	if th.creds != nil {
-		username, password := th.creds.Basic(realm)
-		if username != "" && password != "" {
-			reqParams.Add("account", username)
-			req.SetBasicAuth(username, password)
-		}
-	}
-
-	req.URL.RawQuery = reqParams.Encode()
-
-	resp, err := th.client().Do(req)
-	if err != nil {
-		return "", time.Time{}, err
-	}
-	defer resp.Body.Close()
-
-	if !client.SuccessStatus(resp.StatusCode) {
-		err := client.HandleErrorResponse(resp)
-		return "", time.Time{}, err
-	}
-
-	decoder := json.NewDecoder(resp.Body)
-
-	var tr getTokenResponse
-	if err = decoder.Decode(&tr); err != nil {
-		return "", time.Time{}, fmt.Errorf("unable to decode token response: %s", err)
-	}
-
-	if tr.RefreshToken != "" && th.creds != nil {
-		th.creds.SetRefreshToken(realm, service, tr.RefreshToken)
-	}
-
-	// `access_token` is equivalent to `token` and if both are specified
-	// the choice is undefined.  Canonicalize `access_token` by sticking
-	// things in `token`.
-	if tr.AccessToken != "" {
-		tr.Token = tr.AccessToken
-	}
-
-	if tr.Token == "" {
-		return "", time.Time{}, ErrNoToken
-	}
-
-	if tr.ExpiresIn < minimumTokenLifetimeSeconds {
-		// The default/minimum lifetime.
-		tr.ExpiresIn = minimumTokenLifetimeSeconds
-		logDebugf(th.logger, "Increasing token expiration to: %d seconds", tr.ExpiresIn)
-	}
-
-	if tr.IssuedAt.IsZero() {
-		// issued_at is optional in the token response.
-		tr.IssuedAt = th.clock.Now().UTC()
-	}
-
-	return tr.Token, tr.IssuedAt.Add(time.Duration(tr.ExpiresIn) * time.Second), nil
-}
-
-func (th *tokenHandler) fetchToken(params map[string]string, scopes []string) (token string, expiration time.Time, err error) {
-	realm, ok := params["realm"]
-	if !ok {
-		return "", time.Time{}, errors.New("no realm specified for token auth challenge")
-	}
-
-	// TODO(dmcgowan): Handle empty scheme and relative realm
-	realmURL, err := url.Parse(realm)
-	if err != nil {
-		return "", time.Time{}, fmt.Errorf("invalid token auth challenge realm: %s", err)
-	}
-
-	service := params["service"]
-
-	var refreshToken string
-
-	if th.creds != nil {
-		refreshToken = th.creds.RefreshToken(realmURL, service)
-	}
-
-	if refreshToken != "" || th.forceOAuth {
-		return th.fetchTokenWithOAuth(realmURL, refreshToken, service, scopes)
-	}
-
-	return th.fetchTokenWithBasicAuth(realmURL, service, scopes)
-}
-
-type basicHandler struct {
-	creds CredentialStore
-}
-
-// NewBasicHandler creaters a new authentiation handler which adds
-// basic authentication credentials to a request.
-func NewBasicHandler(creds CredentialStore) AuthenticationHandler {
-	return &basicHandler{
-		creds: creds,
-	}
-}
-
-func (*basicHandler) Scheme() string {
-	return "basic"
-}
-
-func (bh *basicHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
-	if bh.creds != nil {
-		username, password := bh.creds.Basic(req.URL)
-		if username != "" && password != "" {
-			req.SetBasicAuth(username, password)
-			return nil
-		}
-	}
-	return ErrNoBasicAuthCredentials
-}
diff --git a/vendor/github.com/docker/distribution/uuid/uuid.go b/vendor/github.com/docker/distribution/uuid/uuid.go
deleted file mode 100644
index d433ccaf..00000000
--- a/vendor/github.com/docker/distribution/uuid/uuid.go
+++ /dev/null
@@ -1,126 +0,0 @@
-// Package uuid provides simple UUID generation. Only version 4 style UUIDs
-// can be generated.
-//
-// Please see http://tools.ietf.org/html/rfc4122 for details on UUIDs.
-package uuid
-
-import (
-	"crypto/rand"
-	"fmt"
-	"io"
-	"os"
-	"syscall"
-	"time"
-)
-
-const (
-	// Bits is the number of bits in a UUID
-	Bits = 128
-
-	// Size is the number of bytes in a UUID
-	Size = Bits / 8
-
-	format = "%08x-%04x-%04x-%04x-%012x"
-)
-
-var (
-	// ErrUUIDInvalid indicates a parsed string is not a valid uuid.
-	ErrUUIDInvalid = fmt.Errorf("invalid uuid")
-
-	// Loggerf can be used to override the default logging destination. Such
-	// log messages in this library should be logged at warning or higher.
-	Loggerf = func(format string, args ...interface{}) {}
-)
-
-// UUID represents a UUID value. UUIDs can be compared and set to other values
-// and accessed by byte.
-type UUID [Size]byte
-
-// Generate creates a new, version 4 uuid.
-func Generate() (u UUID) {
-	const (
-		// ensures we backoff for less than 450ms total. Use the following to
-		// select new value, in units of 10ms:
-		// 	n*(n+1)/2 = d -> n^2 + n - 2d -> n = (sqrt(8d + 1) - 1)/2
-		maxretries = 9
-		backoff    = time.Millisecond * 10
-	)
-
-	var (
-		totalBackoff time.Duration
-		count        int
-		retries      int
-	)
-
-	for {
-		// This should never block but the read may fail. Because of this,
-		// we just try to read the random number generator until we get
-		// something. This is a very rare condition but may happen.
-		b := time.Duration(retries) * backoff
-		time.Sleep(b)
-		totalBackoff += b
-
-		n, err := io.ReadFull(rand.Reader, u[count:])
-		if err != nil {
-			if retryOnError(err) && retries < maxretries {
-				count += n
-				retries++
-				Loggerf("error generating version 4 uuid, retrying: %v", err)
-				continue
-			}
-
-			// Any other errors represent a system problem. What did someone
-			// do to /dev/urandom?
-			panic(fmt.Errorf("error reading random number generator, retried for %v: %v", totalBackoff.String(), err))
-		}
-
-		break
-	}
-
-	u[6] = (u[6] & 0x0f) | 0x40 // set version byte
-	u[8] = (u[8] & 0x3f) | 0x80 // set high order byte 0b10{8,9,a,b}
-
-	return u
-}
-
-// Parse attempts to extract a uuid from the string or returns an error.
-func Parse(s string) (u UUID, err error) {
-	if len(s) != 36 {
-		return UUID{}, ErrUUIDInvalid
-	}
-
-	// create stack addresses for each section of the uuid.
-	p := make([][]byte, 5)
-
-	if _, err := fmt.Sscanf(s, format, &p[0], &p[1], &p[2], &p[3], &p[4]); err != nil {
-		return u, err
-	}
-
-	copy(u[0:4], p[0])
-	copy(u[4:6], p[1])
-	copy(u[6:8], p[2])
-	copy(u[8:10], p[3])
-	copy(u[10:16], p[4])
-
-	return
-}
-
-func (u UUID) String() string {
-	return fmt.Sprintf(format, u[:4], u[4:6], u[6:8], u[8:10], u[10:])
-}
-
-// retryOnError tries to detect whether or not retrying would be fruitful.
-func retryOnError(err error) bool {
-	switch err := err.(type) {
-	case *os.PathError:
-		return retryOnError(err.Err) // unpack the target error
-	case syscall.Errno:
-		if err == syscall.EPERM {
-			// EPERM represents an entropy pool exhaustion, a condition under
-			// which we backoff and retry.
-			return true
-		}
-	}
-
-	return false
-}
diff --git a/vendor/github.com/docker/docker/AUTHORS b/vendor/github.com/docker/docker/AUTHORS
index 88032def..c7c64947 100644
--- a/vendor/github.com/docker/docker/AUTHORS
+++ b/vendor/github.com/docker/docker/AUTHORS
@@ -2,6 +2,7 @@
 # This file lists all contributors to the repository.
 # See hack/generate-authors.sh to make modifications.
 
+17neverends <ionianrise@gmail.com>
 7sunarni <710720732@qq.com>
 Aanand Prasad <aanand.prasad@gmail.com>
 Aarni Koskela <akx@iki.fi>
@@ -189,6 +190,7 @@ Anes Hasicic <anes.hasicic@gmail.com>
 Angel Velazquez <angelcar@amazon.com>
 Anil Belur <askb23@gmail.com>
 Anil Madhavapeddy <anil@recoil.org>
+Anirudh Aithal <aithal@amazon.com>
 Ankit Jain <ajatkj@yahoo.co.in>
 Ankush Agarwal <ankushagarwal11@gmail.com>
 Anonmily <michelle@michelleliu.io>
@@ -227,7 +229,7 @@ Arun Gupta <arun.gupta@gmail.com>
 Asad Saeeduddin <masaeedu@gmail.com>
 Asbjørn Enge <asbjorn@hanafjedle.net>
 Ashly Mathew <ashly.mathew@sap.com>
-Austin Vazquez <macedonv@amazon.com>
+Austin Vazquez <austin.vazquez.dev@gmail.com>
 averagehuman <averagehuman@users.noreply.github.com>
 Avi Das <andas222@gmail.com>
 Avi Kivity <avi@scylladb.com>
@@ -293,6 +295,7 @@ Brandon Liu <bdon@bdon.org>
 Brandon Philips <brandon.philips@coreos.com>
 Brandon Rhodes <brandon@rhodesmill.org>
 Brendan Dixon <brendand@microsoft.com>
+Brendon Smith <bws@bws.bio>
 Brennan Kinney <5098581+polarathene@users.noreply.github.com>
 Brent Salisbury <brent.salisbury@docker.com>
 Brett Higgins <brhiggins@arbor.net>
@@ -347,6 +350,7 @@ Casey Bisson <casey.bisson@joyent.com>
 Catalin Pirvu <pirvu.catalin94@gmail.com>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
+Cesar Talledo <cesar.talledo@docker.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
 Chad Swenson <chadswen@gmail.com>
 Chance Zibolski <chance.zibolski@gmail.com>
@@ -375,6 +379,7 @@ Chen Qiu <cheney-90@hotmail.com>
 Cheng-mean Liu <soccerl@microsoft.com>
 Chengfei Shang <cfshang@alauda.io>
 Chengguang Xu <cgxu519@gmx.com>
+Chengyu Zhu <hudson@cyzhu.com>
 Chentianze <cmoman@126.com>
 Chenyang Yan <memory.yancy@gmail.com>
 chenyuzhu <chenyuzhi@oschina.cn>
@@ -1207,6 +1212,7 @@ K. Heller <pestophagous@gmail.com>
 Kai Blin <kai@samba.org>
 Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
 Kaijie Chen <chen@kaijie.org>
+Kaita Nakamura <kaita.nakamura0830@gmail.com>
 Kamil Domański <kamil@domanski.co>
 Kamjar Gerami <kami.gerami@gmail.com>
 Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
@@ -1281,6 +1287,7 @@ Krasi Georgiev <krasi@vip-consult.solutions>
 Krasimir Georgiev <support@vip-consult.co.uk>
 Kris-Mikael Krister <krismikael@protonmail.com>
 Kristian Haugene <kristian.haugene@capgemini.com>
+Kristian Heljas <kristian@kristian.ee>
 Kristina Zabunova <triara.xiii@gmail.com>
 Krystian Wojcicki <kwojcicki@sympatico.ca>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
@@ -1482,6 +1489,7 @@ Matthias Kühnle <git.nivoc@neverbox.com>
 Matthias Rampke <mr@soundcloud.com>
 Matthieu Fronton <m@tthieu.fr>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Matthieu MOREL <matthieu.morel35@gmail.com>
 Mattias Jernberg <nostrad@gmail.com>
 Mauricio Garavaglia <mauricio@medallia.com>
 mauriyouth <mauriyouth@gmail.com>
@@ -1712,6 +1720,7 @@ Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick St. laurent <patrick@saint-laurent.us>
 Patrick Stapleton <github@gdi2290.com>
 Patrik Cyvoct <patrik@ptrk.io>
+Patrik Leifert <patrikleifert@hotmail.com>
 pattichen <craftsbear@gmail.com>
 Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
 Paul <paul9869@gmail.com>
@@ -1870,6 +1879,7 @@ Robert Obryk <robryk@gmail.com>
 Robert Schneider <mail@shakeme.info>
 Robert Shade <robert.shade@gmail.com>
 Robert Stern <lexandro2000@gmail.com>
+Robert Sturla <robertsturla@outlook.com>
 Robert Terhaar <rterhaar@atlanticdynamic.com>
 Robert Wallis <smilingrob@gmail.com>
 Robert Wang <robert@arctic.tw>
diff --git a/vendor/github.com/docker/docker/api/common.go b/vendor/github.com/docker/docker/api/common.go
index 2c62cd40..702d3dca 100644
--- a/vendor/github.com/docker/docker/api/common.go
+++ b/vendor/github.com/docker/docker/api/common.go
@@ -1,9 +1,9 @@
-package api // import "github.com/docker/docker/api"
+package api
 
 // Common constants for daemon and client.
 const (
 	// DefaultVersion of the current REST API.
-	DefaultVersion = "1.48"
+	DefaultVersion = "1.51"
 
 	// MinSupportedAPIVersion is the minimum API version that can be supported
 	// by the API server, specified as "major.minor". Note that the daemon
diff --git a/vendor/github.com/docker/docker/api/swagger.yaml b/vendor/github.com/docker/docker/api/swagger.yaml
index a4881f95..3880635d 100644
--- a/vendor/github.com/docker/docker/api/swagger.yaml
+++ b/vendor/github.com/docker/docker/api/swagger.yaml
@@ -19,10 +19,10 @@ produces:
 consumes:
   - "application/json"
   - "text/plain"
-basePath: "/v1.48"
+basePath: "/v1.51"
 info:
   title: "Docker Engine API"
-  version: "1.48"
+  version: "1.51"
   x-logo:
     url: "https://docs.docker.com/assets/images/logo-docker-main.png"
   description: |
@@ -55,8 +55,8 @@ info:
     the URL is not supported by the daemon, a HTTP `400 Bad Request` error message
     is returned.
 
-    If you omit the version-prefix, the current version of the API (v1.48) is used.
-    For example, calling `/info` is the same as calling `/v1.48/info`. Using the
+    If you omit the version-prefix, the current version of the API (v1.50) is used.
+    For example, calling `/info` is the same as calling `/v1.51/info`. Using the
     API without a version-prefix is deprecated and will be removed in a future release.
 
     Engine releases in the near future should support this version of the API,
@@ -1428,63 +1428,10 @@ definitions:
       when starting a container from the image.
     type: "object"
     properties:
-      Hostname:
-        description: |
-          The hostname to use for the container, as a valid RFC 1123 hostname.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        example: ""
-      Domainname:
-        description: |
-          The domain name to use for the container.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        example: ""
       User:
         description: "The user that commands are run as inside the container."
         type: "string"
         example: "web:web"
-      AttachStdin:
-        description: |
-          Whether to attach to `stdin`.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      AttachStdout:
-        description: |
-          Whether to attach to `stdout`.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      AttachStderr:
-        description: |
-          Whether to attach to `stderr`.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
       ExposedPorts:
         description: |
           An object mapping ports to an empty object in the form:
@@ -1501,39 +1448,6 @@ definitions:
           "80/tcp": {},
           "443/tcp": {}
         }
-      Tty:
-        description: |
-          Attach standard streams to a TTY, including `stdin` if it is not closed.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      OpenStdin:
-        description: |
-          Open `stdin`
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-      StdinOnce:
-        description: |
-          Close `stdin` after one attached client disconnects.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always false. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
       Env:
         description: |
           A list of environment variables to set inside the container in the
@@ -1559,18 +1473,6 @@ definitions:
         default: false
         example: false
         x-nullable: true
-      Image:
-        description: |
-          The name (or reference) of the image to use when creating the container,
-          or which was used when the container was created.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always empty. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        default: ""
-        example: ""
       Volumes:
         description: |
           An object mapping mount point paths inside the container to empty
@@ -1599,30 +1501,6 @@ definitions:
         items:
           type: "string"
         example: []
-      NetworkDisabled:
-        description: |
-          Disable networking for the container.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
-        type: "boolean"
-        default: false
-        example: false
-        x-nullable: true
-      MacAddress:
-        description: |
-          MAC address of the container.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
-        type: "string"
-        default: ""
-        example: ""
-        x-nullable: true
       OnBuild:
         description: |
           `ONBUILD` metadata that were defined in the image's `Dockerfile`.
@@ -1645,17 +1523,6 @@ definitions:
         type: "string"
         example: "SIGTERM"
         x-nullable: true
-      StopTimeout:
-        description: |
-          Timeout to stop a container in seconds.
-
-          <p><br /></p>
-
-          > **Deprecated**: this field is not part of the image specification and is
-          > always omitted. It must not be used, and will be removed in API v1.48.
-        type: "integer"
-        default: 10
-        x-nullable: true
       Shell:
         description: |
           Shell for when `RUN`, `CMD`, and `ENTRYPOINT` uses a shell.
@@ -1666,19 +1533,11 @@ definitions:
         example: ["/bin/sh", "-c"]
     # FIXME(thaJeztah): temporarily using a full example to remove some "omitempty" fields. Remove once the fields are removed.
     example:
-      "Hostname": ""
-      "Domainname": ""
       "User": "web:web"
-      "AttachStdin": false
-      "AttachStdout": false
-      "AttachStderr": false
       "ExposedPorts": {
         "80/tcp": {},
         "443/tcp": {}
       }
-      "Tty": false
-      "OpenStdin": false
-      "StdinOnce": false
       "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
       "Cmd": ["/bin/sh"]
       "Healthcheck": {
@@ -1690,7 +1549,6 @@ definitions:
         "StartInterval": 0
       }
       "ArgsEscaped": true
-      "Image": ""
       "Volumes": {
         "/app/data": {},
         "/app/config": {}
@@ -2338,8 +2196,7 @@ definitions:
           Number of containers using this image. Includes both stopped and running
           containers.
 
-          This size is not calculated by default, and depends on which API endpoint
-          is used. `-1` indicates that the value has not been set / calculated.
+          `-1` indicates that the value has not been set / calculated.
         x-nullable: false
         type: "integer"
         example: 2
@@ -2956,6 +2813,23 @@ definitions:
       progressDetail:
         $ref: "#/definitions/ProgressDetail"
 
+  DeviceInfo:
+    type: "object"
+    description: |
+      DeviceInfo represents a device that can be used by a container.
+    properties:
+      Source:
+        type: "string"
+        example: "cdi"
+        description: |
+          The origin device driver.
+      ID:
+        type: "string"
+        example: "vendor.com/gpu=0"
+        description: |
+          The unique identifier for the device within its source driver.
+          For CDI devices, this would be an FQDN like "vendor.com/gpu=0".
+
   ErrorDetail:
     type: "object"
     properties:
@@ -3039,7 +2913,8 @@ definitions:
           be used. If multiple endpoints have the same priority, endpoints are
           lexicographically sorted based on their network name, and the one
           that sorts first is picked.
-        type: "number"
+        type: "integer"
+        format: "int64"
         example:
           - 10
 
@@ -5508,8 +5383,11 @@ definitions:
           com.example.some-other-label: "some-other-value"
       Data:
         description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          data to store as secret.
+          Data is the data to store as a secret, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          It must be empty if the Driver field is set, in which case the data is
+          loaded from an external secret store. The maximum allowed size is 500KB,
+          as defined in [MaxSecretSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize).
 
           This field is only used to _create_ a secret, and is not returned by
           other endpoints.
@@ -5560,8 +5438,9 @@ definitions:
           type: "string"
       Data:
         description: |
-          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5))
-          config data.
+          Data is the data to store as a config, formatted as a Base64-url-safe-encoded
+          ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-5)) string.
+          The maximum allowed size is 1000KB, as defined in [MaxConfigSize](https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize).
         type: "string"
       Templating:
         description: |
@@ -5984,7 +5863,7 @@ definitions:
         type: "integer"
         format: "uint64"
         x-nullable: true
-        example: 18446744073709551615
+        example: "18446744073709551615"
 
   ContainerThrottlingData:
     description: |
@@ -6852,6 +6731,17 @@ definitions:
               description: "The network pool size"
               type: "integer"
               example: "24"
+      FirewallBackend:
+        $ref: "#/definitions/FirewallInfo"
+      DiscoveredDevices:
+        description: |
+          List of devices discovered by device drivers.
+
+          Each device includes information about its source driver, kind, name,
+          and additional driver-specific attributes.
+        type: "array"
+        items:
+          $ref: "#/definitions/DeviceInfo"
       Warnings:
         description: |
           List of warnings / informational messages about missing features, or
@@ -6935,6 +6825,37 @@ definitions:
             default: "plugins.moby"
             example: "plugins.moby"
 
+  FirewallInfo:
+    description: |
+      Information about the daemon's firewalling configuration.
+
+      This field is currently only used on Linux, and omitted on other platforms.
+    type: "object"
+    x-nullable: true
+    properties:
+      Driver:
+        description: |
+          The name of the firewall backend driver.
+        type: "string"
+        example: "nftables"
+      Info:
+        description: |
+          Information about the firewall backend, provided as
+          "label" / "value" pairs.
+
+          <p><br /></p>
+
+          > **Note**: The information returned in this field, including the
+          > formatting of values and labels, should not be considered stable,
+          > and may change without notice.
+        type: "array"
+        items:
+          type: "array"
+          items:
+            type: "string"
+        example:
+          - ["ReloadedAt", "2025-01-01T00:00:00Z"]
+
   # PluginsInfo is a temp struct holding Plugins name
   # registered with docker daemon. It is used by Info struct
   PluginsInfo:
@@ -6980,32 +6901,6 @@ definitions:
     type: "object"
     x-nullable: true
     properties:
-      AllowNondistributableArtifactsCIDRs:
-        description: |
-          List of IP ranges to which nondistributable artifacts can be pushed,
-          using the CIDR syntax [RFC 4632](https://tools.ietf.org/html/4632).
-
-          <p><br /></p>
-
-          > **Deprecated**: Pushing nondistributable artifacts is now always enabled
-          > and this field is always `null`. This field will be removed in a API v1.49.
-        type: "array"
-        items:
-          type: "string"
-        example: []
-      AllowNondistributableArtifactsHostnames:
-        description: |
-          List of registry hostnames to which nondistributable artifacts can be
-          pushed, using the format `<hostname>[:<port>]` or `<IP address>[:<port>]`.
-
-          <p><br /></p>
-
-          > **Deprecated**: Pushing nondistributable artifacts is now always enabled
-          > and this field is always `null`. This field will be removed in a API v1.49.
-        type: "array"
-        items:
-          type: "string"
-        example: []
       InsecureRegistryCIDRs:
         description: |
           List of IP ranges of insecure registries, using the CIDR syntax
@@ -7175,13 +7070,6 @@ definitions:
         description: "Actual commit ID of external tool."
         type: "string"
         example: "cfb82a876ecc11b5ca0977d1733adbe58599088a"
-      Expected:
-        description: |
-          Commit ID of external tool expected by dockerd as set at build time.
-
-          **Deprecated**: This field is deprecated and will be omitted in a API v1.49.
-        type: "string"
-        example: "2d41c047c83e09a6d61d464906feb2a2f3c52aa4"
 
   SwarmInfo:
     description: |
@@ -9930,6 +9818,18 @@ paths:
           description: "Do not delete untagged parent images"
           type: "boolean"
           default: false
+        - name: "platforms"
+          in: "query"
+          description: |
+            Select platform-specific content to delete.
+            Multiple values are accepted.
+            Each platform is a OCI platform encoded as a JSON string.
+          type: "array"
+          items:
+            # This should be OCIPlatform
+            # but $ref is not supported for array in query in Swagger 2.0
+            # $ref: "#/definitions/OCIPlatform"
+            type: "string"
       tags: ["Image"]
   /images/search:
     get:
@@ -10487,13 +10387,9 @@ paths:
 
         ### Image tarball format
 
-        An image tarball contains one directory per image layer (named using its long ID), each containing these files:
+        An image tarball contains [Content as defined in the OCI Image Layout Specification](https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md#content).
 
-        - `VERSION`: currently `1.0` - the file format version
-        - `json`: detailed layer information, similar to `docker inspect layer_id`
-        - `layer.tar`: A tarfile containing the filesystem changes in this layer
-
-        The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories for storing attribute changes and deletions.
+        Additionally, includes the manifest.json file associated with a backwards compatible docker save format.
 
         If the tarball defines a repository, the tarball should also include a `repositories` file at the root that contains a list of repository and tag names mapped to layer IDs.
 
@@ -10533,6 +10429,7 @@ paths:
             If not provided, the full multi-platform image will be saved.
 
             Example: `{"os": "linux", "architecture": "arm", "variant": "v5"}`
+      tags: ["Image"]
   /images/get:
     get:
       summary: "Export several images"
@@ -10567,6 +10464,16 @@ paths:
           type: "array"
           items:
             type: "string"
+        - name: "platform"
+          type: "string"
+          in: "query"
+          description: |
+            JSON encoded OCI platform describing a platform which will be used
+            to select a platform-specific image to be saved if the image is
+            multi-platform.
+            If not provided, the full multi-platform image will be saved.
+
+            Example: `{"os": "linux", "architecture": "arm", "variant": "v5"}`
       tags: ["Image"]
   /images/load:
     post:
diff --git a/vendor/github.com/docker/docker/api/types/blkiodev/blkio.go b/vendor/github.com/docker/docker/api/types/blkiodev/blkio.go
index bf3463b9..931ae10a 100644
--- a/vendor/github.com/docker/docker/api/types/blkiodev/blkio.go
+++ b/vendor/github.com/docker/docker/api/types/blkiodev/blkio.go
@@ -1,4 +1,4 @@
-package blkiodev // import "github.com/docker/docker/api/types/blkiodev"
+package blkiodev
 
 import "fmt"
 
diff --git a/vendor/github.com/docker/docker/api/types/build/build.go b/vendor/github.com/docker/docker/api/types/build/build.go
new file mode 100644
index 00000000..c43a0e21
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/build/build.go
@@ -0,0 +1,91 @@
+package build
+
+import (
+	"io"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/registry"
+)
+
+// BuilderVersion sets the version of underlying builder to use
+type BuilderVersion string
+
+const (
+	// BuilderV1 is the first generation builder in docker daemon
+	BuilderV1 BuilderVersion = "1"
+	// BuilderBuildKit is builder based on moby/buildkit project
+	BuilderBuildKit BuilderVersion = "2"
+)
+
+// Result contains the image id of a successful build.
+type Result struct {
+	ID string
+}
+
+// ImageBuildOptions holds the information
+// necessary to build images.
+type ImageBuildOptions struct {
+	Tags           []string
+	SuppressOutput bool
+	RemoteContext  string
+	NoCache        bool
+	Remove         bool
+	ForceRemove    bool
+	PullParent     bool
+	Isolation      container.Isolation
+	CPUSetCPUs     string
+	CPUSetMems     string
+	CPUShares      int64
+	CPUQuota       int64
+	CPUPeriod      int64
+	Memory         int64
+	MemorySwap     int64
+	CgroupParent   string
+	NetworkMode    string
+	ShmSize        int64
+	Dockerfile     string
+	Ulimits        []*container.Ulimit
+	// BuildArgs needs to be a *string instead of just a string so that
+	// we can tell the difference between "" (empty string) and no value
+	// at all (nil). See the parsing of buildArgs in
+	// api/server/router/build/build_routes.go for even more info.
+	BuildArgs   map[string]*string
+	AuthConfigs map[string]registry.AuthConfig
+	Context     io.Reader
+	Labels      map[string]string
+	// squash the resulting image's layers to the parent
+	// preserves the original image and creates a new one from the parent with all
+	// the changes applied to a single layer
+	Squash bool
+	// CacheFrom specifies images that are used for matching cache. Images
+	// specified here do not need to have a valid parent chain to match cache.
+	CacheFrom   []string
+	SecurityOpt []string
+	ExtraHosts  []string // List of extra hosts
+	Target      string
+	SessionID   string
+	Platform    string
+	// Version specifies the version of the underlying builder to use
+	Version BuilderVersion
+	// BuildID is an optional identifier that can be passed together with the
+	// build request. The same identifier can be used to gracefully cancel the
+	// build with the cancel request.
+	BuildID string
+	// Outputs defines configurations for exporting build results. Only supported
+	// in BuildKit mode
+	Outputs []ImageBuildOutput
+}
+
+// ImageBuildOutput defines configuration for exporting a build result
+type ImageBuildOutput struct {
+	Type  string
+	Attrs map[string]string
+}
+
+// ImageBuildResponse holds information
+// returned by a server after building
+// an image.
+type ImageBuildResponse struct {
+	Body   io.ReadCloser
+	OSType string
+}
diff --git a/vendor/github.com/docker/docker/api/types/build/cache.go b/vendor/github.com/docker/docker/api/types/build/cache.go
new file mode 100644
index 00000000..42c84045
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/build/cache.go
@@ -0,0 +1,52 @@
+package build
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/filters"
+)
+
+// CacheRecord contains information about a build cache record.
+type CacheRecord struct {
+	// ID is the unique ID of the build cache record.
+	ID string
+	// Parent is the ID of the parent build cache record.
+	//
+	// Deprecated: deprecated in API v1.42 and up, as it was deprecated in BuildKit; use Parents instead.
+	Parent string `json:"Parent,omitempty"`
+	// Parents is the list of parent build cache record IDs.
+	Parents []string `json:" Parents,omitempty"`
+	// Type is the cache record type.
+	Type string
+	// Description is a description of the build-step that produced the build cache.
+	Description string
+	// InUse indicates if the build cache is in use.
+	InUse bool
+	// Shared indicates if the build cache is shared.
+	Shared bool
+	// Size is the amount of disk space used by the build cache (in bytes).
+	Size int64
+	// CreatedAt is the date and time at which the build cache was created.
+	CreatedAt time.Time
+	// LastUsedAt is the date and time at which the build cache was last used.
+	LastUsedAt *time.Time
+	UsageCount int
+}
+
+// CachePruneOptions hold parameters to prune the build cache.
+type CachePruneOptions struct {
+	All           bool
+	ReservedSpace int64
+	MaxUsedSpace  int64
+	MinFreeSpace  int64
+	Filters       filters.Args
+
+	KeepStorage int64 // Deprecated: deprecated in API 1.48.
+}
+
+// CachePruneReport contains the response for Engine API:
+// POST "/build/prune"
+type CachePruneReport struct {
+	CachesDeleted  []string
+	SpaceReclaimed uint64
+}
diff --git a/vendor/github.com/docker/docker/api/types/build/disk_usage.go b/vendor/github.com/docker/docker/api/types/build/disk_usage.go
new file mode 100644
index 00000000..e969b6d6
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/build/disk_usage.go
@@ -0,0 +1,8 @@
+package build
+
+// CacheDiskUsage contains disk usage for the build cache.
+type CacheDiskUsage struct {
+	TotalSize   int64
+	Reclaimable int64
+	Items       []*CacheRecord
+}
diff --git a/vendor/github.com/docker/docker/api/types/client.go b/vendor/github.com/docker/docker/api/types/client.go
index dce8260f..42fe03ec 100644
--- a/vendor/github.com/docker/docker/api/types/client.go
+++ b/vendor/github.com/docker/docker/api/types/client.go
@@ -1,14 +1,9 @@
-package types // import "github.com/docker/docker/api/types"
+package types
 
 import (
 	"bufio"
 	"context"
-	"io"
 	"net"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/registry"
 )
 
 // NewHijackedResponse initializes a [HijackedResponse] type.
@@ -51,165 +46,6 @@ func (h *HijackedResponse) CloseWrite() error {
 	return nil
 }
 
-// ImageBuildOptions holds the information
-// necessary to build images.
-type ImageBuildOptions struct {
-	Tags           []string
-	SuppressOutput bool
-	RemoteContext  string
-	NoCache        bool
-	Remove         bool
-	ForceRemove    bool
-	PullParent     bool
-	Isolation      container.Isolation
-	CPUSetCPUs     string
-	CPUSetMems     string
-	CPUShares      int64
-	CPUQuota       int64
-	CPUPeriod      int64
-	Memory         int64
-	MemorySwap     int64
-	CgroupParent   string
-	NetworkMode    string
-	ShmSize        int64
-	Dockerfile     string
-	Ulimits        []*container.Ulimit
-	// BuildArgs needs to be a *string instead of just a string so that
-	// we can tell the difference between "" (empty string) and no value
-	// at all (nil). See the parsing of buildArgs in
-	// api/server/router/build/build_routes.go for even more info.
-	BuildArgs   map[string]*string
-	AuthConfigs map[string]registry.AuthConfig
-	Context     io.Reader
-	Labels      map[string]string
-	// squash the resulting image's layers to the parent
-	// preserves the original image and creates a new one from the parent with all
-	// the changes applied to a single layer
-	Squash bool
-	// CacheFrom specifies images that are used for matching cache. Images
-	// specified here do not need to have a valid parent chain to match cache.
-	CacheFrom   []string
-	SecurityOpt []string
-	ExtraHosts  []string // List of extra hosts
-	Target      string
-	SessionID   string
-	Platform    string
-	// Version specifies the version of the underlying builder to use
-	Version BuilderVersion
-	// BuildID is an optional identifier that can be passed together with the
-	// build request. The same identifier can be used to gracefully cancel the
-	// build with the cancel request.
-	BuildID string
-	// Outputs defines configurations for exporting build results. Only supported
-	// in BuildKit mode
-	Outputs []ImageBuildOutput
-}
-
-// ImageBuildOutput defines configuration for exporting a build result
-type ImageBuildOutput struct {
-	Type  string
-	Attrs map[string]string
-}
-
-// BuilderVersion sets the version of underlying builder to use
-type BuilderVersion string
-
-const (
-	// BuilderV1 is the first generation builder in docker daemon
-	BuilderV1 BuilderVersion = "1"
-	// BuilderBuildKit is builder based on moby/buildkit project
-	BuilderBuildKit BuilderVersion = "2"
-)
-
-// ImageBuildResponse holds information
-// returned by a server after building
-// an image.
-type ImageBuildResponse struct {
-	Body   io.ReadCloser
-	OSType string
-}
-
-// NodeListOptions holds parameters to list nodes with.
-type NodeListOptions struct {
-	Filters filters.Args
-}
-
-// NodeRemoveOptions holds parameters to remove nodes with.
-type NodeRemoveOptions struct {
-	Force bool
-}
-
-// ServiceCreateOptions contains the options to use when creating a service.
-type ServiceCreateOptions struct {
-	// EncodedRegistryAuth is the encoded registry authorization credentials to
-	// use when updating the service.
-	//
-	// This field follows the format of the X-Registry-Auth header.
-	EncodedRegistryAuth string
-
-	// QueryRegistry indicates whether the service update requires
-	// contacting a registry. A registry may be contacted to retrieve
-	// the image digest and manifest, which in turn can be used to update
-	// platform or other information about the service.
-	QueryRegistry bool
-}
-
-// Values for RegistryAuthFrom in ServiceUpdateOptions
-const (
-	RegistryAuthFromSpec         = "spec"
-	RegistryAuthFromPreviousSpec = "previous-spec"
-)
-
-// ServiceUpdateOptions contains the options to be used for updating services.
-type ServiceUpdateOptions struct {
-	// EncodedRegistryAuth is the encoded registry authorization credentials to
-	// use when updating the service.
-	//
-	// This field follows the format of the X-Registry-Auth header.
-	EncodedRegistryAuth string
-
-	// TODO(stevvooe): Consider moving the version parameter of ServiceUpdate
-	// into this field. While it does open API users up to racy writes, most
-	// users may not need that level of consistency in practice.
-
-	// RegistryAuthFrom specifies where to find the registry authorization
-	// credentials if they are not given in EncodedRegistryAuth. Valid
-	// values are "spec" and "previous-spec".
-	RegistryAuthFrom string
-
-	// Rollback indicates whether a server-side rollback should be
-	// performed. When this is set, the provided spec will be ignored.
-	// The valid values are "previous" and "none". An empty value is the
-	// same as "none".
-	Rollback string
-
-	// QueryRegistry indicates whether the service update requires
-	// contacting a registry. A registry may be contacted to retrieve
-	// the image digest and manifest, which in turn can be used to update
-	// platform or other information about the service.
-	QueryRegistry bool
-}
-
-// ServiceListOptions holds parameters to list services with.
-type ServiceListOptions struct {
-	Filters filters.Args
-
-	// Status indicates whether the server should include the service task
-	// count of running and desired tasks.
-	Status bool
-}
-
-// ServiceInspectOptions holds parameters related to the "service inspect"
-// operation.
-type ServiceInspectOptions struct {
-	InsertDefaults bool
-}
-
-// TaskListOptions holds parameters to list tasks with.
-type TaskListOptions struct {
-	Filters filters.Args
-}
-
 // PluginRemoveOptions holds parameters to remove plugins.
 type PluginRemoveOptions struct {
 	Force bool
@@ -243,13 +79,6 @@ type PluginInstallOptions struct {
 	Args                  []string
 }
 
-// SwarmUnlockKeyResponse contains the response for Engine API:
-// GET /swarm/unlockkey
-type SwarmUnlockKeyResponse struct {
-	// UnlockKey is the unlock key in ASCII-armored format.
-	UnlockKey string
-}
-
 // PluginCreateOptions hold all options to plugin create.
 type PluginCreateOptions struct {
 	RepoName string
diff --git a/vendor/github.com/docker/docker/api/types/container/config.go b/vendor/github.com/docker/docker/api/types/container/config.go
index d6b03e8b..05554165 100644
--- a/vendor/github.com/docker/docker/api/types/container/config.go
+++ b/vendor/github.com/docker/docker/api/types/container/config.go
@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import (
 	"time"
diff --git a/vendor/github.com/docker/docker/api/types/container/container.go b/vendor/github.com/docker/docker/api/types/container/container.go
index 65fabbf4..a191ca8b 100644
--- a/vendor/github.com/docker/docker/api/types/container/container.go
+++ b/vendor/github.com/docker/docker/api/types/container/container.go
@@ -104,7 +104,7 @@ type MountPoint struct {
 // State stores container's running state
 // it's part of ContainerJSONBase and returned by "inspect" command
 type State struct {
-	Status     string // String representation of the container state. Can be one of "created", "running", "paused", "restarting", "removing", "exited", or "dead"
+	Status     ContainerState // String representation of the container state. Can be one of "created", "running", "paused", "restarting", "removing", "exited", or "dead"
 	Running    bool
 	Paused     bool
 	Restarting bool
@@ -132,7 +132,7 @@ type Summary struct {
 	SizeRw                  int64 `json:",omitempty"`
 	SizeRootFs              int64 `json:",omitempty"`
 	Labels                  map[string]string
-	State                   string
+	State                   ContainerState
 	Status                  string
 	HostConfig              struct {
 		NetworkMode string            `json:",omitempty"`
diff --git a/vendor/github.com/docker/docker/api/types/container/disk_usage.go b/vendor/github.com/docker/docker/api/types/container/disk_usage.go
new file mode 100644
index 00000000..05b6cbe9
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/disk_usage.go
@@ -0,0 +1,8 @@
+package container
+
+// DiskUsage contains disk usage for containers.
+type DiskUsage struct {
+	TotalSize   int64
+	Reclaimable int64
+	Items       []*Summary
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/exec.go b/vendor/github.com/docker/docker/api/types/container/exec.go
index f4b22376..e455cd27 100644
--- a/vendor/github.com/docker/docker/api/types/container/exec.go
+++ b/vendor/github.com/docker/docker/api/types/container/exec.go
@@ -18,11 +18,13 @@ type ExecOptions struct {
 	AttachStdin  bool     // Attach the standard input, makes possible user interaction
 	AttachStderr bool     // Attach the standard error
 	AttachStdout bool     // Attach the standard output
-	Detach       bool     // Execute in detach mode
 	DetachKeys   string   // Escape keys for detach
 	Env          []string // Environment variables
 	WorkingDir   string   // Working directory
 	Cmd          []string // Execution commands and args
+
+	// Deprecated: the Detach field is not used, and will be removed in a future release.
+	Detach bool
 }
 
 // ExecStartOptions is a temp struct used by execStart
diff --git a/vendor/github.com/docker/docker/api/types/container/health.go b/vendor/github.com/docker/docker/api/types/container/health.go
index 93663746..96e91cc8 100644
--- a/vendor/github.com/docker/docker/api/types/container/health.go
+++ b/vendor/github.com/docker/docker/api/types/container/health.go
@@ -1,18 +1,27 @@
 package container
 
-import "time"
+import (
+	"fmt"
+	"strings"
+	"time"
+)
+
+// HealthStatus is a string representation of the container's health.
+//
+// It currently is an alias for string, but may become a distinct type in future.
+type HealthStatus = string
 
 // Health states
 const (
-	NoHealthcheck = "none"      // Indicates there is no healthcheck
-	Starting      = "starting"  // Starting indicates that the container is not yet ready
-	Healthy       = "healthy"   // Healthy indicates that the container is running correctly
-	Unhealthy     = "unhealthy" // Unhealthy indicates that the container has a problem
+	NoHealthcheck HealthStatus = "none"      // Indicates there is no healthcheck
+	Starting      HealthStatus = "starting"  // Starting indicates that the container is not yet ready
+	Healthy       HealthStatus = "healthy"   // Healthy indicates that the container is running correctly
+	Unhealthy     HealthStatus = "unhealthy" // Unhealthy indicates that the container has a problem
 )
 
 // Health stores information about the container's healthcheck results
 type Health struct {
-	Status        string               // Status is one of [Starting], [Healthy] or [Unhealthy].
+	Status        HealthStatus         // Status is one of [Starting], [Healthy] or [Unhealthy].
 	FailingStreak int                  // FailingStreak is the number of consecutive failures
 	Log           []*HealthcheckResult // Log contains the last few results (oldest first)
 }
@@ -24,3 +33,18 @@ type HealthcheckResult struct {
 	ExitCode int       // ExitCode meanings: 0=healthy, 1=unhealthy, 2=reserved (considered unhealthy), else=error running probe
 	Output   string    // Output from last check
 }
+
+var validHealths = []string{
+	NoHealthcheck, Starting, Healthy, Unhealthy,
+}
+
+// ValidateHealthStatus checks if the provided string is a valid
+// container [HealthStatus].
+func ValidateHealthStatus(s HealthStatus) error {
+	switch s {
+	case NoHealthcheck, Starting, Healthy, Unhealthy:
+		return nil
+	default:
+		return errInvalidParameter{error: fmt.Errorf("invalid value for health (%s): must be one of %s", s, strings.Join(validHealths, ", "))}
+	}
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/hostconfig.go b/vendor/github.com/docker/docker/api/types/container/hostconfig.go
index 83198305..f63f049c 100644
--- a/vendor/github.com/docker/docker/api/types/container/hostconfig.go
+++ b/vendor/github.com/docker/docker/api/types/container/hostconfig.go
@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import (
 	"errors"
@@ -145,7 +145,7 @@ func (n NetworkMode) IsDefault() bool {
 
 // IsPrivate indicates whether container uses its private network stack.
 func (n NetworkMode) IsPrivate() bool {
-	return !(n.IsHost() || n.IsContainer())
+	return !n.IsHost() && !n.IsContainer()
 }
 
 // IsContainer indicates whether container uses a container network stack.
@@ -230,7 +230,7 @@ type PidMode string
 
 // IsPrivate indicates whether the container uses its own new pid namespace.
 func (n PidMode) IsPrivate() bool {
-	return !(n.IsHost() || n.IsContainer())
+	return !n.IsHost() && !n.IsContainer()
 }
 
 // IsHost indicates whether the container uses the host's pid namespace.
diff --git a/vendor/github.com/docker/docker/api/types/container/hostconfig_unix.go b/vendor/github.com/docker/docker/api/types/container/hostconfig_unix.go
index cdee49ea..cd6a7a9b 100644
--- a/vendor/github.com/docker/docker/api/types/container/hostconfig_unix.go
+++ b/vendor/github.com/docker/docker/api/types/container/hostconfig_unix.go
@@ -1,6 +1,6 @@
 //go:build !windows
 
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import "github.com/docker/docker/api/types/network"
 
diff --git a/vendor/github.com/docker/docker/api/types/container/hostconfig_windows.go b/vendor/github.com/docker/docker/api/types/container/hostconfig_windows.go
index f0854554..db63e190 100644
--- a/vendor/github.com/docker/docker/api/types/container/hostconfig_windows.go
+++ b/vendor/github.com/docker/docker/api/types/container/hostconfig_windows.go
@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 import "github.com/docker/docker/api/types/network"
 
diff --git a/vendor/github.com/docker/docker/api/types/container/state.go b/vendor/github.com/docker/docker/api/types/container/state.go
new file mode 100644
index 00000000..78d5c4fe
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/container/state.go
@@ -0,0 +1,64 @@
+package container
+
+import (
+	"fmt"
+	"strings"
+)
+
+// ContainerState is a string representation of the container's current state.
+//
+// It currently is an alias for string, but may become a distinct type in the future.
+type ContainerState = string
+
+const (
+	StateCreated    ContainerState = "created"    // StateCreated indicates the container is created, but not (yet) started.
+	StateRunning    ContainerState = "running"    // StateRunning indicates that the container is running.
+	StatePaused     ContainerState = "paused"     // StatePaused indicates that the container's current state is paused.
+	StateRestarting ContainerState = "restarting" // StateRestarting indicates that the container is currently restarting.
+	StateRemoving   ContainerState = "removing"   // StateRemoving indicates that the container is being removed.
+	StateExited     ContainerState = "exited"     // StateExited indicates that the container exited.
+	StateDead       ContainerState = "dead"       // StateDead indicates that the container failed to be deleted. Containers in this state are attempted to be cleaned up when the daemon restarts.
+)
+
+var validStates = []ContainerState{
+	StateCreated, StateRunning, StatePaused, StateRestarting, StateRemoving, StateExited, StateDead,
+}
+
+// ValidateContainerState checks if the provided string is a valid
+// container [ContainerState].
+func ValidateContainerState(s ContainerState) error {
+	switch s {
+	case StateCreated, StateRunning, StatePaused, StateRestarting, StateRemoving, StateExited, StateDead:
+		return nil
+	default:
+		return errInvalidParameter{error: fmt.Errorf("invalid value for state (%s): must be one of %s", s, strings.Join(validStates, ", "))}
+	}
+}
+
+// StateStatus is used to return container wait results.
+// Implements exec.ExitCode interface.
+// This type is needed as State include a sync.Mutex field which make
+// copying it unsafe.
+type StateStatus struct {
+	exitCode int
+	err      error
+}
+
+// ExitCode returns current exitcode for the state.
+func (s StateStatus) ExitCode() int {
+	return s.exitCode
+}
+
+// Err returns current error for the state. Returns nil if the container had
+// exited on its own.
+func (s StateStatus) Err() error {
+	return s.err
+}
+
+// NewStateStatus returns a new StateStatus with the given exit code and error.
+func NewStateStatus(exitCode int, err error) StateStatus {
+	return StateStatus{
+		exitCode: exitCode,
+		err:      err,
+	}
+}
diff --git a/vendor/github.com/docker/docker/api/types/container/waitcondition.go b/vendor/github.com/docker/docker/api/types/container/waitcondition.go
index cd8311f9..64820fe3 100644
--- a/vendor/github.com/docker/docker/api/types/container/waitcondition.go
+++ b/vendor/github.com/docker/docker/api/types/container/waitcondition.go
@@ -1,4 +1,4 @@
-package container // import "github.com/docker/docker/api/types/container"
+package container
 
 // WaitCondition is a type used to specify a container state for which
 // to wait.
diff --git a/vendor/github.com/docker/docker/api/types/events/events.go b/vendor/github.com/docker/docker/api/types/events/events.go
index e225df4e..952c0ff2 100644
--- a/vendor/github.com/docker/docker/api/types/events/events.go
+++ b/vendor/github.com/docker/docker/api/types/events/events.go
@@ -1,4 +1,5 @@
-package events // import "github.com/docker/docker/api/types/events"
+package events
+
 import "github.com/docker/docker/api/types/filters"
 
 // Type is used for event-types.
@@ -111,11 +112,14 @@ type Actor struct {
 
 // Message represents the information an event contains
 type Message struct {
-	// Deprecated information from JSONMessage.
+	// Deprecated: use Action instead.
+	// Information from JSONMessage.
 	// With data only in container events.
-	Status string `json:"status,omitempty"` // Deprecated: use Action instead.
-	ID     string `json:"id,omitempty"`     // Deprecated: use Actor.ID instead.
-	From   string `json:"from,omitempty"`   // Deprecated: use Actor.Attributes["image"] instead.
+	Status string `json:"status,omitempty"`
+	// Deprecated: use Actor.ID instead.
+	ID string `json:"id,omitempty"`
+	// Deprecated: use Actor.Attributes["image"] instead.
+	From string `json:"from,omitempty"`
 
 	Type   Type
 	Action Action
diff --git a/vendor/github.com/docker/docker/api/types/filters/parse.go b/vendor/github.com/docker/docker/api/types/filters/parse.go
index 2085ff38..86f4bdb2 100644
--- a/vendor/github.com/docker/docker/api/types/filters/parse.go
+++ b/vendor/github.com/docker/docker/api/types/filters/parse.go
@@ -2,7 +2,7 @@
 Package filters provides tools for encoding a mapping of keys to a set of
 multiple values.
 */
-package filters // import "github.com/docker/docker/api/types/filters"
+package filters
 
 import (
 	"encoding/json"
diff --git a/vendor/github.com/docker/docker/api/types/image/disk_usage.go b/vendor/github.com/docker/docker/api/types/image/disk_usage.go
new file mode 100644
index 00000000..b29d925c
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/image/disk_usage.go
@@ -0,0 +1,8 @@
+package image
+
+// DiskUsage contains disk usage for images.
+type DiskUsage struct {
+	TotalSize   int64
+	Reclaimable int64
+	Items       []*Summary
+}
diff --git a/vendor/github.com/docker/docker/api/types/image/image_history.go b/vendor/github.com/docker/docker/api/types/image/image_history.go
index e302bb0a..a6cdab84 100644
--- a/vendor/github.com/docker/docker/api/types/image/image_history.go
+++ b/vendor/github.com/docker/docker/api/types/image/image_history.go
@@ -1,4 +1,4 @@
-package image // import "github.com/docker/docker/api/types/image"
+package image
 
 // ----------------------------------------------------------------------------
 // Code generated by `swagger generate operation`. DO NOT EDIT.
diff --git a/vendor/github.com/docker/docker/api/types/image/image_inspect.go b/vendor/github.com/docker/docker/api/types/image/image_inspect.go
index 78e81f05..3bdb4742 100644
--- a/vendor/github.com/docker/docker/api/types/image/image_inspect.go
+++ b/vendor/github.com/docker/docker/api/types/image/image_inspect.go
@@ -3,6 +3,7 @@ package image
 import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/storage"
+	dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
@@ -84,7 +85,7 @@ type InspectResponse struct {
 	// Author is the name of the author that was specified when committing the
 	// image, or as specified through MAINTAINER (deprecated) in the Dockerfile.
 	Author string
-	Config *container.Config
+	Config *dockerspec.DockerOCIImageConfig
 
 	// Architecture is the hardware CPU architecture that the image runs on.
 	Architecture string
@@ -128,11 +129,12 @@ type InspectResponse struct {
 	// compatibility.
 	Descriptor *ocispec.Descriptor `json:"Descriptor,omitempty"`
 
-	// Manifests is a list of image manifests available in this image.  It
+	// Manifests is a list of image manifests available in this image. It
 	// provides a more detailed view of the platform-specific image manifests or
 	// other image-attached data like build attestations.
 	//
-	// Only available if the daemon provides a multi-platform image store.
+	// Only available if the daemon provides a multi-platform image store, the client
+	// requests manifests AND does not request a specific platform.
 	//
 	// WARNING: This is experimental and may change at any time without any backward
 	// compatibility.
diff --git a/vendor/github.com/docker/docker/api/types/image/opts.go b/vendor/github.com/docker/docker/api/types/image/opts.go
index 919510fe..9e33a42f 100644
--- a/vendor/github.com/docker/docker/api/types/image/opts.go
+++ b/vendor/github.com/docker/docker/api/types/image/opts.go
@@ -75,6 +75,8 @@ type ListOptions struct {
 	SharedSize bool
 
 	// ContainerCount indicates whether container count should be computed.
+	//
+	// Deprecated: This field has been unused and is no longer required and will be removed in a future version.
 	ContainerCount bool
 
 	// Manifests indicates whether the image manifests should be returned.
@@ -83,6 +85,7 @@ type ListOptions struct {
 
 // RemoveOptions holds parameters to remove images.
 type RemoveOptions struct {
+	Platforms     []ocispec.Platform
 	Force         bool
 	PruneChildren bool
 }
@@ -106,6 +109,11 @@ type LoadOptions struct {
 type InspectOptions struct {
 	// Manifests returns the image manifests.
 	Manifests bool
+
+	// Platform selects the specific platform of a multi-platform image to inspect.
+	//
+	// This option is only available for API version 1.49 and up.
+	Platform *ocispec.Platform
 }
 
 // SaveOptions holds parameters to save images.
diff --git a/vendor/github.com/docker/docker/api/types/mount/mount.go b/vendor/github.com/docker/docker/api/types/mount/mount.go
index d98dbec9..090d436c 100644
--- a/vendor/github.com/docker/docker/api/types/mount/mount.go
+++ b/vendor/github.com/docker/docker/api/types/mount/mount.go
@@ -1,4 +1,4 @@
-package mount // import "github.com/docker/docker/api/types/mount"
+package mount
 
 import (
 	"os"
diff --git a/vendor/github.com/docker/docker/api/types/network/network.go b/vendor/github.com/docker/docker/api/types/network/network.go
index d34b8ab7..4a0cb479 100644
--- a/vendor/github.com/docker/docker/api/types/network/network.go
+++ b/vendor/github.com/docker/docker/api/types/network/network.go
@@ -1,4 +1,4 @@
-package network // import "github.com/docker/docker/api/types/network"
+package network
 
 import (
 	"time"
diff --git a/vendor/github.com/docker/docker/api/types/plugin_responses.go b/vendor/github.com/docker/docker/api/types/plugin_responses.go
index 60d1fb5a..18f743fc 100644
--- a/vendor/github.com/docker/docker/api/types/plugin_responses.go
+++ b/vendor/github.com/docker/docker/api/types/plugin_responses.go
@@ -1,4 +1,4 @@
-package types // import "github.com/docker/docker/api/types"
+package types
 
 import (
 	"encoding/json"
diff --git a/vendor/github.com/docker/docker/api/types/registry/authconfig.go b/vendor/github.com/docker/docker/api/types/registry/authconfig.go
index ebd5e4b9..fa9037bd 100644
--- a/vendor/github.com/docker/docker/api/types/registry/authconfig.go
+++ b/vendor/github.com/docker/docker/api/types/registry/authconfig.go
@@ -1,4 +1,5 @@
-package registry // import "github.com/docker/docker/api/types/registry"
+package registry
+
 import (
 	"context"
 	"encoding/base64"
@@ -82,6 +83,8 @@ func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {
 // Like [DecodeAuthConfig], this function always returns an [AuthConfig], even if an
 // error occurs. It is up to the caller to decide if authentication is required,
 // and if the error can be ignored.
+//
+// Deprecated: this function is no longer used and will be removed in the next release.
 func DecodeAuthConfigBody(rdr io.ReadCloser) (*AuthConfig, error) {
 	return decodeAuthConfigFromReader(rdr)
 }
diff --git a/vendor/github.com/docker/docker/api/types/registry/authenticate.go b/vendor/github.com/docker/docker/api/types/registry/authenticate.go
index f0a2113e..42cac443 100644
--- a/vendor/github.com/docker/docker/api/types/registry/authenticate.go
+++ b/vendor/github.com/docker/docker/api/types/registry/authenticate.go
@@ -1,4 +1,4 @@
-package registry // import "github.com/docker/docker/api/types/registry"
+package registry
 
 // ----------------------------------------------------------------------------
 // DO NOT EDIT THIS FILE
diff --git a/vendor/github.com/docker/docker/api/types/registry/registry.go b/vendor/github.com/docker/docker/api/types/registry/registry.go
index b0a4d604..9319c964 100644
--- a/vendor/github.com/docker/docker/api/types/registry/registry.go
+++ b/vendor/github.com/docker/docker/api/types/registry/registry.go
@@ -1,4 +1,7 @@
-package registry // import "github.com/docker/docker/api/types/registry"
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
+package registry
 
 import (
 	"encoding/json"
@@ -15,23 +18,26 @@ type ServiceConfig struct {
 	InsecureRegistryCIDRs []*NetIPNet           `json:"InsecureRegistryCIDRs"`
 	IndexConfigs          map[string]*IndexInfo `json:"IndexConfigs"`
 	Mirrors               []string
+
+	// ExtraFields is for internal use to include deprecated fields on older API versions.
+	ExtraFields map[string]any `json:"-"`
 }
 
 // MarshalJSON implements a custom marshaler to include legacy fields
 // in API responses.
-func (sc ServiceConfig) MarshalJSON() ([]byte, error) {
-	tmp := map[string]interface{}{
-		"InsecureRegistryCIDRs": sc.InsecureRegistryCIDRs,
-		"IndexConfigs":          sc.IndexConfigs,
-		"Mirrors":               sc.Mirrors,
+func (sc *ServiceConfig) MarshalJSON() ([]byte, error) {
+	type tmp ServiceConfig
+	base, err := json.Marshal((*tmp)(sc))
+	if err != nil {
+		return nil, err
 	}
-	if sc.AllowNondistributableArtifactsCIDRs != nil {
-		tmp["AllowNondistributableArtifactsCIDRs"] = nil
+	var merged map[string]any
+	_ = json.Unmarshal(base, &merged)
+
+	for k, v := range sc.ExtraFields {
+		merged[k] = v
 	}
-	if sc.AllowNondistributableArtifactsHostnames != nil {
-		tmp["AllowNondistributableArtifactsHostnames"] = nil
-	}
-	return json.Marshal(tmp)
+	return json.Marshal(merged)
 }
 
 // NetIPNet is the net.IPNet type, which can be marshalled and
@@ -49,15 +55,17 @@ func (ipnet *NetIPNet) MarshalJSON() ([]byte, error) {
 }
 
 // UnmarshalJSON sets the IPNet from a byte array of JSON
-func (ipnet *NetIPNet) UnmarshalJSON(b []byte) (err error) {
+func (ipnet *NetIPNet) UnmarshalJSON(b []byte) error {
 	var ipnetStr string
-	if err = json.Unmarshal(b, &ipnetStr); err == nil {
-		var cidr *net.IPNet
-		if _, cidr, err = net.ParseCIDR(ipnetStr); err == nil {
-			*ipnet = NetIPNet(*cidr)
-		}
+	if err := json.Unmarshal(b, &ipnetStr); err != nil {
+		return err
 	}
-	return
+	_, cidr, err := net.ParseCIDR(ipnetStr)
+	if err != nil {
+		return err
+	}
+	*ipnet = NetIPNet(*cidr)
+	return nil
 }
 
 // IndexInfo contains information about a registry
diff --git a/vendor/github.com/docker/docker/api/types/strslice/strslice.go b/vendor/github.com/docker/docker/api/types/strslice/strslice.go
index 82921ceb..bad493fb 100644
--- a/vendor/github.com/docker/docker/api/types/strslice/strslice.go
+++ b/vendor/github.com/docker/docker/api/types/strslice/strslice.go
@@ -1,4 +1,4 @@
-package strslice // import "github.com/docker/docker/api/types/strslice"
+package strslice
 
 import "encoding/json"
 
diff --git a/vendor/github.com/docker/docker/api/types/swarm/common.go b/vendor/github.com/docker/docker/api/types/swarm/common.go
index 5ded7dba..b42812e0 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/common.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/common.go
@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
 import (
 	"strconv"
diff --git a/vendor/github.com/docker/docker/api/types/swarm/config.go b/vendor/github.com/docker/docker/api/types/swarm/config.go
index 16202ccc..80a6ffdb 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/config.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/config.go
@@ -1,6 +1,10 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
-import "os"
+import (
+	"os"
+
+	"github.com/docker/docker/api/types/filters"
+)
 
 // Config represents a config.
 type Config struct {
@@ -12,6 +16,12 @@ type Config struct {
 // ConfigSpec represents a config specification from a config in swarm
 type ConfigSpec struct {
 	Annotations
+
+	// Data is the data to store as a config.
+	//
+	// The maximum allowed size is 1000KB, as defined in [MaxConfigSize].
+	//
+	// [MaxConfigSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize
 	Data []byte `json:",omitempty"`
 
 	// Templating controls whether and how to evaluate the config payload as
@@ -38,3 +48,15 @@ type ConfigReference struct {
 	ConfigID   string
 	ConfigName string
 }
+
+// ConfigCreateResponse contains the information returned to a client
+// on the creation of a new config.
+type ConfigCreateResponse struct {
+	// ID is the id of the created config.
+	ID string
+}
+
+// ConfigListOptions holds parameters to list configs
+type ConfigListOptions struct {
+	Filters filters.Args
+}
diff --git a/vendor/github.com/docker/docker/api/types/swarm/container.go b/vendor/github.com/docker/docker/api/types/swarm/container.go
index 30e3de70..f9416bac 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/container.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/container.go
@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
 import (
 	"time"
diff --git a/vendor/github.com/docker/docker/api/types/swarm/network.go b/vendor/github.com/docker/docker/api/types/swarm/network.go
index 98ef3284..4b880723 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/network.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/network.go
@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
 import (
 	"github.com/docker/docker/api/types/network"
diff --git a/vendor/github.com/docker/docker/api/types/swarm/node.go b/vendor/github.com/docker/docker/api/types/swarm/node.go
index bb98d5ee..2018a031 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/node.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/node.go
@@ -1,4 +1,6 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
+
+import "github.com/docker/docker/api/types/filters"
 
 // Node represents a node.
 type Node struct {
@@ -137,3 +139,13 @@ const (
 type Topology struct {
 	Segments map[string]string `json:",omitempty"`
 }
+
+// NodeListOptions holds parameters to list nodes with.
+type NodeListOptions struct {
+	Filters filters.Args
+}
+
+// NodeRemoveOptions holds parameters to remove nodes with.
+type NodeRemoveOptions struct {
+	Force bool
+}
diff --git a/vendor/github.com/docker/docker/api/types/swarm/runtime.go b/vendor/github.com/docker/docker/api/types/swarm/runtime.go
index 0c77403c..8a28320f 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/runtime.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/runtime.go
@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
 // RuntimeType is the type of runtime used for the TaskSpec
 type RuntimeType string
diff --git a/vendor/github.com/docker/docker/api/types/swarm/runtime/gen.go b/vendor/github.com/docker/docker/api/types/swarm/runtime/gen.go
index 292bd7af..90e572cf 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/runtime/gen.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/runtime/gen.go
@@ -1,3 +1,3 @@
 //go:generate protoc --gogofaster_out=import_path=github.com/docker/docker/api/types/swarm/runtime:. plugin.proto
 
-package runtime // import "github.com/docker/docker/api/types/swarm/runtime"
+package runtime
diff --git a/vendor/github.com/docker/docker/api/types/swarm/secret.go b/vendor/github.com/docker/docker/api/types/swarm/secret.go
index d5213ec9..d9482ab5 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/secret.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/secret.go
@@ -1,6 +1,10 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
-import "os"
+import (
+	"os"
+
+	"github.com/docker/docker/api/types/filters"
+)
 
 // Secret represents a secret.
 type Secret struct {
@@ -12,8 +16,22 @@ type Secret struct {
 // SecretSpec represents a secret specification from a secret in swarm
 type SecretSpec struct {
 	Annotations
-	Data   []byte  `json:",omitempty"`
-	Driver *Driver `json:",omitempty"` // name of the secrets driver used to fetch the secret's value from an external secret store
+
+	// Data is the data to store as a secret. It must be empty if a
+	// [Driver] is used, in which case the data is loaded from an external
+	// secret store. The maximum allowed size is 500KB, as defined in
+	// [MaxSecretSize].
+	//
+	// This field is only used to create the secret, and is not returned
+	// by other endpoints.
+	//
+	// [MaxSecretSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize
+	Data []byte `json:",omitempty"`
+
+	// Driver is the name of the secrets driver used to fetch the secret's
+	// value from an external secret store. If not set, the default built-in
+	// store is used.
+	Driver *Driver `json:",omitempty"`
 
 	// Templating controls whether and how to evaluate the secret payload as
 	// a template. If it is not set, no templating is used.
@@ -34,3 +52,15 @@ type SecretReference struct {
 	SecretID   string
 	SecretName string
 }
+
+// SecretCreateResponse contains the information returned to a client
+// on the creation of a new secret.
+type SecretCreateResponse struct {
+	// ID is the id of the created secret.
+	ID string
+}
+
+// SecretListOptions holds parameters to list secrets
+type SecretListOptions struct {
+	Filters filters.Args
+}
diff --git a/vendor/github.com/docker/docker/api/types/swarm/service.go b/vendor/github.com/docker/docker/api/types/swarm/service.go
index 5b6d5ec1..56c660c1 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/service.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/service.go
@@ -1,6 +1,10 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
-import "time"
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/filters"
+)
 
 // Service represents a service.
 type Service struct {
@@ -200,3 +204,69 @@ type JobStatus struct {
 	// Swarm manager.
 	LastExecution time.Time `json:",omitempty"`
 }
+
+// ServiceCreateOptions contains the options to use when creating a service.
+type ServiceCreateOptions struct {
+	// EncodedRegistryAuth is the encoded registry authorization credentials to
+	// use when updating the service.
+	//
+	// This field follows the format of the X-Registry-Auth header.
+	EncodedRegistryAuth string
+
+	// QueryRegistry indicates whether the service update requires
+	// contacting a registry. A registry may be contacted to retrieve
+	// the image digest and manifest, which in turn can be used to update
+	// platform or other information about the service.
+	QueryRegistry bool
+}
+
+// Values for RegistryAuthFrom in ServiceUpdateOptions
+const (
+	RegistryAuthFromSpec         = "spec"
+	RegistryAuthFromPreviousSpec = "previous-spec"
+)
+
+// ServiceUpdateOptions contains the options to be used for updating services.
+type ServiceUpdateOptions struct {
+	// EncodedRegistryAuth is the encoded registry authorization credentials to
+	// use when updating the service.
+	//
+	// This field follows the format of the X-Registry-Auth header.
+	EncodedRegistryAuth string
+
+	// TODO(stevvooe): Consider moving the version parameter of ServiceUpdate
+	// into this field. While it does open API users up to racy writes, most
+	// users may not need that level of consistency in practice.
+
+	// RegistryAuthFrom specifies where to find the registry authorization
+	// credentials if they are not given in EncodedRegistryAuth. Valid
+	// values are "spec" and "previous-spec".
+	RegistryAuthFrom string
+
+	// Rollback indicates whether a server-side rollback should be
+	// performed. When this is set, the provided spec will be ignored.
+	// The valid values are "previous" and "none". An empty value is the
+	// same as "none".
+	Rollback string
+
+	// QueryRegistry indicates whether the service update requires
+	// contacting a registry. A registry may be contacted to retrieve
+	// the image digest and manifest, which in turn can be used to update
+	// platform or other information about the service.
+	QueryRegistry bool
+}
+
+// ServiceListOptions holds parameters to list services with.
+type ServiceListOptions struct {
+	Filters filters.Args
+
+	// Status indicates whether the server should include the service task
+	// count of running and desired tasks.
+	Status bool
+}
+
+// ServiceInspectOptions holds parameters related to the "service inspect"
+// operation.
+type ServiceInspectOptions struct {
+	InsertDefaults bool
+}
diff --git a/vendor/github.com/docker/docker/api/types/swarm/swarm.go b/vendor/github.com/docker/docker/api/types/swarm/swarm.go
index 1b4be6ff..38f3e666 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/swarm.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/swarm.go
@@ -1,4 +1,4 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
 import (
 	"time"
@@ -235,3 +235,10 @@ type UpdateFlags struct {
 	RotateManagerToken     bool
 	RotateManagerUnlockKey bool
 }
+
+// UnlockKeyResponse contains the response for Engine API:
+// GET /swarm/unlockkey
+type UnlockKeyResponse struct {
+	// UnlockKey is the unlock key in ASCII-armored format.
+	UnlockKey string
+}
diff --git a/vendor/github.com/docker/docker/api/types/swarm/task.go b/vendor/github.com/docker/docker/api/types/swarm/task.go
index ad3eeca0..4dc95e8b 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/task.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/task.go
@@ -1,8 +1,9 @@
-package swarm // import "github.com/docker/docker/api/types/swarm"
+package swarm
 
 import (
 	"time"
 
+	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm/runtime"
 )
 
@@ -223,3 +224,8 @@ type VolumeAttachment struct {
 	// in the ContainerSpec, that this volume fulfills.
 	Target string `json:",omitempty"`
 }
+
+// TaskListOptions holds parameters to list tasks with.
+type TaskListOptions struct {
+	Filters filters.Args
+}
diff --git a/vendor/github.com/docker/docker/api/types/system/disk_usage.go b/vendor/github.com/docker/docker/api/types/system/disk_usage.go
new file mode 100644
index 00000000..99078cf1
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/system/disk_usage.go
@@ -0,0 +1,17 @@
+package system
+
+import (
+	"github.com/docker/docker/api/types/build"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/volume"
+)
+
+// DiskUsage contains response of Engine API for API 1.49 and greater:
+// GET "/system/df"
+type DiskUsage struct {
+	Images     *image.DiskUsage
+	Containers *container.DiskUsage
+	Volumes    *volume.DiskUsage
+	BuildCache *build.CacheDiskUsage
+}
diff --git a/vendor/github.com/docker/docker/api/types/system/info.go b/vendor/github.com/docker/docker/api/types/system/info.go
index 8a2444da..047639ed 100644
--- a/vendor/github.com/docker/docker/api/types/system/info.go
+++ b/vendor/github.com/docker/docker/api/types/system/info.go
@@ -29,8 +29,6 @@ type Info struct {
 	CPUSet             bool
 	PidsLimit          bool
 	IPv4Forwarding     bool
-	BridgeNfIptables   bool `json:"BridgeNfIptables"`  // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
-	BridgeNfIP6tables  bool `json:"BridgeNfIp6tables"` // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
 	Debug              bool
 	NFd                int
 	OomKillDisable     bool
@@ -73,7 +71,9 @@ type Info struct {
 	SecurityOptions     []string
 	ProductLicense      string               `json:",omitempty"`
 	DefaultAddressPools []NetworkAddressPool `json:",omitempty"`
+	FirewallBackend     *FirewallInfo        `json:"FirewallBackend,omitempty"`
 	CDISpecDirs         []string
+	DiscoveredDevices   []DeviceInfo `json:",omitempty"`
 
 	Containerd *ContainerdInfo `json:",omitempty"`
 
@@ -143,7 +143,7 @@ type Commit struct {
 	// Expected is the commit ID of external tool expected by dockerd as set at build time.
 	//
 	// Deprecated: this field is no longer used in API v1.49, but kept for backward-compatibility with older API versions.
-	Expected string
+	Expected string `json:",omitempty"`
 }
 
 // NetworkAddressPool is a temp struct used by [Info] struct.
@@ -151,3 +151,20 @@ type NetworkAddressPool struct {
 	Base string
 	Size int
 }
+
+// FirewallInfo describes the firewall backend.
+type FirewallInfo struct {
+	// Driver is the name of the firewall backend driver.
+	Driver string `json:"Driver"`
+	// Info is a list of label/value pairs, containing information related to the firewall.
+	Info [][2]string `json:"Info,omitempty"`
+}
+
+// DeviceInfo represents a discoverable device from a device driver.
+type DeviceInfo struct {
+	// Source indicates the origin device driver.
+	Source string `json:"Source"`
+	// ID is the unique identifier for the device.
+	// Example: CDI FQDN like "vendor.com/gpu=0", or other driver-specific device ID
+	ID string `json:"ID"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/time/timestamp.go b/vendor/github.com/docker/docker/api/types/time/timestamp.go
index cab5c32e..0e1df38a 100644
--- a/vendor/github.com/docker/docker/api/types/time/timestamp.go
+++ b/vendor/github.com/docker/docker/api/types/time/timestamp.go
@@ -1,4 +1,4 @@
-package time // import "github.com/docker/docker/api/types/time"
+package time
 
 import (
 	"fmt"
@@ -30,7 +30,7 @@ func GetTimestamp(value string, reference time.Time) (string, error) {
 
 	var format string
 	// if the string has a Z or a + or three dashes use parse otherwise use parseinlocation
-	parseInLocation := !(strings.ContainsAny(value, "zZ+") || strings.Count(value, "-") == 3)
+	parseInLocation := !strings.ContainsAny(value, "zZ+") && strings.Count(value, "-") != 3
 
 	if strings.Contains(value, ".") {
 		if parseInLocation {
@@ -105,23 +105,23 @@ func GetTimestamp(value string, reference time.Time) (string, error) {
 //	since := time.Unix(seconds, nanoseconds)
 //
 // returns seconds as defaultSeconds if value == ""
-func ParseTimestamps(value string, defaultSeconds int64) (seconds int64, nanoseconds int64, err error) {
+func ParseTimestamps(value string, defaultSeconds int64) (seconds int64, nanoseconds int64, _ error) {
 	if value == "" {
 		return defaultSeconds, 0, nil
 	}
 	return parseTimestamp(value)
 }
 
-func parseTimestamp(value string) (sec int64, nsec int64, err error) {
+func parseTimestamp(value string) (seconds int64, nanoseconds int64, _ error) {
 	s, n, ok := strings.Cut(value, ".")
-	sec, err = strconv.ParseInt(s, 10, 64)
+	sec, err := strconv.ParseInt(s, 10, 64)
 	if err != nil {
 		return sec, 0, err
 	}
 	if !ok {
 		return sec, 0, nil
 	}
-	nsec, err = strconv.ParseInt(n, 10, 64)
+	nsec, err := strconv.ParseInt(n, 10, 64)
 	if err != nil {
 		return sec, nsec, err
 	}
diff --git a/vendor/github.com/docker/docker/api/types/types.go b/vendor/github.com/docker/docker/api/types/types.go
index 82ae339c..8bbadeb2 100644
--- a/vendor/github.com/docker/docker/api/types/types.go
+++ b/vendor/github.com/docker/docker/api/types/types.go
@@ -1,10 +1,8 @@
-package types // import "github.com/docker/docker/api/types"
+package types
 
 import (
-	"time"
-
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/volume"
@@ -24,7 +22,7 @@ type Ping struct {
 	APIVersion     string
 	OSType         string
 	Experimental   bool
-	BuilderVersion BuilderVersion
+	BuilderVersion build.BuilderVersion
 
 	// SwarmStatus provides information about the current swarm status of the
 	// engine, obtained from the "Swarm" header in the API response.
@@ -91,41 +89,10 @@ type DiskUsage struct {
 	Images      []*image.Summary
 	Containers  []*container.Summary
 	Volumes     []*volume.Volume
-	BuildCache  []*BuildCache
+	BuildCache  []*build.CacheRecord
 	BuilderSize int64 `json:",omitempty"` // Deprecated: deprecated in API 1.38, and no longer used since API 1.40.
 }
 
-// BuildCachePruneReport contains the response for Engine API:
-// POST "/build/prune"
-type BuildCachePruneReport struct {
-	CachesDeleted  []string
-	SpaceReclaimed uint64
-}
-
-// SecretCreateResponse contains the information returned to a client
-// on the creation of a new secret.
-type SecretCreateResponse struct {
-	// ID is the id of the created secret.
-	ID string
-}
-
-// SecretListOptions holds parameters to list secrets
-type SecretListOptions struct {
-	Filters filters.Args
-}
-
-// ConfigCreateResponse contains the information returned to a client
-// on the creation of a new config.
-type ConfigCreateResponse struct {
-	// ID is the id of the created config.
-	ID string
-}
-
-// ConfigListOptions holds parameters to list configs
-type ConfigListOptions struct {
-	Filters filters.Args
-}
-
 // PushResult contains the tag, manifest digest, and manifest size from the
 // push. It's used to signal this information to the trust code in the client
 // so it can sign the manifest if necessary.
@@ -134,46 +101,3 @@ type PushResult struct {
 	Digest string
 	Size   int
 }
-
-// BuildResult contains the image id of a successful build
-type BuildResult struct {
-	ID string
-}
-
-// BuildCache contains information about a build cache record.
-type BuildCache struct {
-	// ID is the unique ID of the build cache record.
-	ID string
-	// Parent is the ID of the parent build cache record.
-	//
-	// Deprecated: deprecated in API v1.42 and up, as it was deprecated in BuildKit; use Parents instead.
-	Parent string `json:"Parent,omitempty"`
-	// Parents is the list of parent build cache record IDs.
-	Parents []string `json:" Parents,omitempty"`
-	// Type is the cache record type.
-	Type string
-	// Description is a description of the build-step that produced the build cache.
-	Description string
-	// InUse indicates if the build cache is in use.
-	InUse bool
-	// Shared indicates if the build cache is shared.
-	Shared bool
-	// Size is the amount of disk space used by the build cache (in bytes).
-	Size int64
-	// CreatedAt is the date and time at which the build cache was created.
-	CreatedAt time.Time
-	// LastUsedAt is the date and time at which the build cache was last used.
-	LastUsedAt *time.Time
-	UsageCount int
-}
-
-// BuildCachePruneOptions hold parameters to prune the build cache
-type BuildCachePruneOptions struct {
-	All           bool
-	ReservedSpace int64
-	MaxUsedSpace  int64
-	MinFreeSpace  int64
-	Filters       filters.Args
-
-	KeepStorage int64 // Deprecated: deprecated in API 1.48.
-}
diff --git a/vendor/github.com/docker/docker/api/types/types_deprecated.go b/vendor/github.com/docker/docker/api/types/types_deprecated.go
index 93e4336a..8456a456 100644
--- a/vendor/github.com/docker/docker/api/types/types_deprecated.go
+++ b/vendor/github.com/docker/docker/api/types/types_deprecated.go
@@ -3,10 +3,12 @@ package types
 import (
 	"context"
 
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/common"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/storage"
+	"github.com/docker/docker/api/types/swarm"
 )
 
 // IDResponse Response to an API call that returns just an Id.
@@ -113,3 +115,127 @@ type ImageInspect = image.InspectResponse
 //
 // Deprecated: moved to [github.com/docker/docker/api/types/registry.RequestAuthConfig].
 type RequestPrivilegeFunc func(context.Context) (string, error)
+
+// SecretCreateResponse contains the information returned to a client
+// on the creation of a new secret.
+//
+// Deprecated: use [swarm.SecretCreateResponse].
+type SecretCreateResponse = swarm.SecretCreateResponse
+
+// SecretListOptions holds parameters to list secrets
+//
+// Deprecated: use [swarm.SecretListOptions].
+type SecretListOptions = swarm.SecretListOptions
+
+// ConfigCreateResponse contains the information returned to a client
+// on the creation of a new config.
+//
+// Deprecated: use [swarm.ConfigCreateResponse].
+type ConfigCreateResponse = swarm.ConfigCreateResponse
+
+// ConfigListOptions holds parameters to list configs
+//
+// Deprecated: use [swarm.ConfigListOptions].
+type ConfigListOptions = swarm.ConfigListOptions
+
+// NodeListOptions holds parameters to list nodes with.
+//
+// Deprecated: use [swarm.NodeListOptions].
+type NodeListOptions = swarm.NodeListOptions
+
+// NodeRemoveOptions holds parameters to remove nodes with.
+//
+// Deprecated: use [swarm.NodeRemoveOptions].
+type NodeRemoveOptions = swarm.NodeRemoveOptions
+
+// TaskListOptions holds parameters to list tasks with.
+//
+// Deprecated: use [swarm.TaskListOptions].
+type TaskListOptions = swarm.TaskListOptions
+
+// ServiceCreateOptions contains the options to use when creating a service.
+//
+// Deprecated: use [swarm.ServiceCreateOptions].
+type ServiceCreateOptions = swarm.ServiceCreateOptions
+
+// ServiceUpdateOptions contains the options to be used for updating services.
+//
+// Deprecated: use [swarm.ServiceCreateOptions].
+type ServiceUpdateOptions = swarm.ServiceUpdateOptions
+
+const (
+	RegistryAuthFromSpec         = swarm.RegistryAuthFromSpec         // Deprecated: use [swarm.RegistryAuthFromSpec].
+	RegistryAuthFromPreviousSpec = swarm.RegistryAuthFromPreviousSpec // Deprecated: use [swarm.RegistryAuthFromPreviousSpec].
+)
+
+// ServiceListOptions holds parameters to list services with.
+//
+// Deprecated: use [swarm.ServiceListOptions].
+type ServiceListOptions = swarm.ServiceListOptions
+
+// ServiceInspectOptions holds parameters related to the "service inspect"
+// operation.
+//
+// Deprecated: use [swarm.ServiceInspectOptions].
+type ServiceInspectOptions = swarm.ServiceInspectOptions
+
+// SwarmUnlockKeyResponse contains the response for Engine API:
+// GET /swarm/unlockkey
+//
+// Deprecated: use [swarm.UnlockKeyResponse].
+type SwarmUnlockKeyResponse = swarm.UnlockKeyResponse
+
+// BuildCache contains information about a build cache record.
+//
+// Deprecated: deprecated in API 1.49. Use [build.CacheRecord] instead.
+type BuildCache = build.CacheRecord
+
+// BuildCachePruneOptions hold parameters to prune the build cache
+//
+// Deprecated: use [build.CachePruneOptions].
+type BuildCachePruneOptions = build.CachePruneOptions
+
+// BuildCachePruneReport contains the response for Engine API:
+// POST "/build/prune"
+//
+// Deprecated: use [build.CachePruneReport].
+type BuildCachePruneReport = build.CachePruneReport
+
+// BuildResult contains the image id of a successful build/
+//
+// Deprecated: use [build.Result].
+type BuildResult = build.Result
+
+// ImageBuildOptions holds the information
+// necessary to build images.
+//
+// Deprecated: use [build.ImageBuildOptions].
+type ImageBuildOptions = build.ImageBuildOptions
+
+// ImageBuildOutput defines configuration for exporting a build result
+//
+// Deprecated: use [build.ImageBuildOutput].
+type ImageBuildOutput = build.ImageBuildOutput
+
+// ImageBuildResponse holds information
+// returned by a server after building
+// an image.
+//
+// Deprecated: use [build.ImageBuildResponse].
+type ImageBuildResponse = build.ImageBuildResponse
+
+// BuilderVersion sets the version of underlying builder to use
+//
+// Deprecated: use [build.BuilderVersion].
+type BuilderVersion = build.BuilderVersion
+
+const (
+	// BuilderV1 is the first generation builder in docker daemon
+	//
+	// Deprecated: use [build.BuilderV1].
+	BuilderV1 = build.BuilderV1
+	// BuilderBuildKit is builder based on moby/buildkit project
+	//
+	// Deprecated: use [build.BuilderBuildKit].
+	BuilderBuildKit = build.BuilderBuildKit
+)
diff --git a/vendor/github.com/docker/docker/api/types/versions/compare.go b/vendor/github.com/docker/docker/api/types/versions/compare.go
index 621725a3..1a0325c7 100644
--- a/vendor/github.com/docker/docker/api/types/versions/compare.go
+++ b/vendor/github.com/docker/docker/api/types/versions/compare.go
@@ -1,4 +1,4 @@
-package versions // import "github.com/docker/docker/api/types/versions"
+package versions
 
 import (
 	"strconv"
diff --git a/vendor/github.com/docker/docker/api/types/volume/disk_usage.go b/vendor/github.com/docker/docker/api/types/volume/disk_usage.go
new file mode 100644
index 00000000..3d716c6e
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/volume/disk_usage.go
@@ -0,0 +1,8 @@
+package volume
+
+// DiskUsage contains disk usage for volumes.
+type DiskUsage struct {
+	TotalSize   int64
+	Reclaimable int64
+	Items       []*Volume
+}
diff --git a/vendor/github.com/docker/docker/api/types/volume/options.go b/vendor/github.com/docker/docker/api/types/volume/options.go
index 0b9645e0..875524fb 100644
--- a/vendor/github.com/docker/docker/api/types/volume/options.go
+++ b/vendor/github.com/docker/docker/api/types/volume/options.go
@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/types/volume"
+package volume
 
 import "github.com/docker/docker/api/types/filters"
 
diff --git a/vendor/github.com/docker/docker/api/types/volume/volume_update.go b/vendor/github.com/docker/docker/api/types/volume/volume_update.go
index f958f80a..c26ed44c 100644
--- a/vendor/github.com/docker/docker/api/types/volume/volume_update.go
+++ b/vendor/github.com/docker/docker/api/types/volume/volume_update.go
@@ -1,4 +1,4 @@
-package volume // import "github.com/docker/docker/api/types/volume"
+package volume
 
 // UpdateOptions is configuration to update a Volume with.
 type UpdateOptions struct {
diff --git a/vendor/github.com/docker/docker/client/build_cancel.go b/vendor/github.com/docker/docker/client/build_cancel.go
index 51a73cdb..a5eeb817 100644
--- a/vendor/github.com/docker/docker/client/build_cancel.go
+++ b/vendor/github.com/docker/docker/client/build_cancel.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/build_prune.go b/vendor/github.com/docker/docker/client/build_prune.go
index 92b47d18..6f0f59e3 100644
--- a/vendor/github.com/docker/docker/client/build_prune.go
+++ b/vendor/github.com/docker/docker/client/build_prune.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -6,13 +6,13 @@ import (
 	"net/url"
 	"strconv"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/pkg/errors"
 )
 
 // BuildCachePrune requests the daemon to delete unused cache data
-func (cli *Client) BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
+func (cli *Client) BuildCachePrune(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error) {
 	if err := cli.NewVersionError(ctx, "1.31", "build prune"); err != nil {
 		return nil, err
 	}
@@ -47,7 +47,7 @@ func (cli *Client) BuildCachePrune(ctx context.Context, opts types.BuildCachePru
 		return nil, err
 	}
 
-	report := types.BuildCachePruneReport{}
+	report := build.CachePruneReport{}
 	if err := json.NewDecoder(resp.Body).Decode(&report); err != nil {
 		return nil, errors.Wrap(err, "error retrieving disk usage")
 	}
diff --git a/vendor/github.com/docker/docker/client/checkpoint.go b/vendor/github.com/docker/docker/client/checkpoint.go
index f690f7c9..d020574c 100644
--- a/vendor/github.com/docker/docker/client/checkpoint.go
+++ b/vendor/github.com/docker/docker/client/checkpoint.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/checkpoint_create.go b/vendor/github.com/docker/docker/client/checkpoint_create.go
index 7b06fee3..961a5fe6 100644
--- a/vendor/github.com/docker/docker/client/checkpoint_create.go
+++ b/vendor/github.com/docker/docker/client/checkpoint_create.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/checkpoint_delete.go b/vendor/github.com/docker/docker/client/checkpoint_delete.go
index d15162ea..4c51b25f 100644
--- a/vendor/github.com/docker/docker/client/checkpoint_delete.go
+++ b/vendor/github.com/docker/docker/client/checkpoint_delete.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/checkpoint_list.go b/vendor/github.com/docker/docker/client/checkpoint_list.go
index 9e7963f0..8164c766 100644
--- a/vendor/github.com/docker/docker/client/checkpoint_list.go
+++ b/vendor/github.com/docker/docker/client/checkpoint_list.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
index cd47f05e..d6e014dd 100644
--- a/vendor/github.com/docker/docker/client/client.go
+++ b/vendor/github.com/docker/docker/client/client.go
@@ -39,7 +39,7 @@ For example, to list running containers (the equivalent of "docker ps"):
 		}
 	}
 */
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/client_interfaces.go b/vendor/github.com/docker/docker/client/client_interfaces.go
index f70d8ffa..df7aad43 100644
--- a/vendor/github.com/docker/docker/client/client_interfaces.go
+++ b/vendor/github.com/docker/docker/client/client_interfaces.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
@@ -109,8 +110,8 @@ type DistributionAPIClient interface {
 
 // ImageAPIClient defines API client methods for the images
 type ImageAPIClient interface {
-	ImageBuild(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error)
-	BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
+	ImageBuild(ctx context.Context, context io.Reader, options build.ImageBuildOptions) (build.ImageBuildResponse, error)
+	BuildCachePrune(ctx context.Context, opts build.CachePruneOptions) (*build.CachePruneReport, error)
 	BuildCancel(ctx context.Context, id string) error
 	ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error)
 	ImageImport(ctx context.Context, source image.ImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
@@ -154,8 +155,8 @@ type NetworkAPIClient interface {
 // NodeAPIClient defines API client methods for the nodes
 type NodeAPIClient interface {
 	NodeInspectWithRaw(ctx context.Context, nodeID string) (swarm.Node, []byte, error)
-	NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error)
-	NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error
+	NodeList(ctx context.Context, options swarm.NodeListOptions) ([]swarm.Node, error)
+	NodeRemove(ctx context.Context, nodeID string, options swarm.NodeRemoveOptions) error
 	NodeUpdate(ctx context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error
 }
 
@@ -175,22 +176,22 @@ type PluginAPIClient interface {
 
 // ServiceAPIClient defines API client methods for the services
 type ServiceAPIClient interface {
-	ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options types.ServiceCreateOptions) (swarm.ServiceCreateResponse, error)
-	ServiceInspectWithRaw(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error)
-	ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error)
+	ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options swarm.ServiceCreateOptions) (swarm.ServiceCreateResponse, error)
+	ServiceInspectWithRaw(ctx context.Context, serviceID string, options swarm.ServiceInspectOptions) (swarm.Service, []byte, error)
+	ServiceList(ctx context.Context, options swarm.ServiceListOptions) ([]swarm.Service, error)
 	ServiceRemove(ctx context.Context, serviceID string) error
-	ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (swarm.ServiceUpdateResponse, error)
+	ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options swarm.ServiceUpdateOptions) (swarm.ServiceUpdateResponse, error)
 	ServiceLogs(ctx context.Context, serviceID string, options container.LogsOptions) (io.ReadCloser, error)
 	TaskLogs(ctx context.Context, taskID string, options container.LogsOptions) (io.ReadCloser, error)
 	TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error)
-	TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error)
+	TaskList(ctx context.Context, options swarm.TaskListOptions) ([]swarm.Task, error)
 }
 
 // SwarmAPIClient defines API client methods for the swarm
 type SwarmAPIClient interface {
 	SwarmInit(ctx context.Context, req swarm.InitRequest) (string, error)
 	SwarmJoin(ctx context.Context, req swarm.JoinRequest) error
-	SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error)
+	SwarmGetUnlockKey(ctx context.Context) (swarm.UnlockKeyResponse, error)
 	SwarmUnlock(ctx context.Context, req swarm.UnlockRequest) error
 	SwarmLeave(ctx context.Context, force bool) error
 	SwarmInspect(ctx context.Context) (swarm.Swarm, error)
@@ -219,8 +220,8 @@ type VolumeAPIClient interface {
 
 // SecretAPIClient defines API client methods for secrets
 type SecretAPIClient interface {
-	SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error)
-	SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error)
+	SecretList(ctx context.Context, options swarm.SecretListOptions) ([]swarm.Secret, error)
+	SecretCreate(ctx context.Context, secret swarm.SecretSpec) (swarm.SecretCreateResponse, error)
 	SecretRemove(ctx context.Context, id string) error
 	SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error)
 	SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error
@@ -228,8 +229,8 @@ type SecretAPIClient interface {
 
 // ConfigAPIClient defines API client methods for configs
 type ConfigAPIClient interface {
-	ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error)
-	ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+	ConfigList(ctx context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error)
+	ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (swarm.ConfigCreateResponse, error)
 	ConfigRemove(ctx context.Context, id string) error
 	ConfigInspectWithRaw(ctx context.Context, name string) (swarm.Config, []byte, error)
 	ConfigUpdate(ctx context.Context, id string, version swarm.Version, config swarm.ConfigSpec) error
diff --git a/vendor/github.com/docker/docker/client/client_unix.go b/vendor/github.com/docker/docker/client/client_unix.go
index 9fe78ea4..e5b921b4 100644
--- a/vendor/github.com/docker/docker/client/client_unix.go
+++ b/vendor/github.com/docker/docker/client/client_unix.go
@@ -1,6 +1,6 @@
 //go:build !windows
 
-package client // import "github.com/docker/docker/client"
+package client
 
 // DefaultDockerHost defines OS-specific default host if the DOCKER_HOST
 // (EnvOverrideHost) environment variable is unset or empty.
diff --git a/vendor/github.com/docker/docker/client/client_windows.go b/vendor/github.com/docker/docker/client/client_windows.go
index 56572d1a..19b954b2 100644
--- a/vendor/github.com/docker/docker/client/client_windows.go
+++ b/vendor/github.com/docker/docker/client/client_windows.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 // DefaultDockerHost defines OS-specific default host if the DOCKER_HOST
 // (EnvOverrideHost) environment variable is unset or empty.
diff --git a/vendor/github.com/docker/docker/client/config_create.go b/vendor/github.com/docker/docker/client/config_create.go
index c7ea6d2e..a39168e2 100644
--- a/vendor/github.com/docker/docker/client/config_create.go
+++ b/vendor/github.com/docker/docker/client/config_create.go
@@ -1,16 +1,15 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // ConfigCreate creates a new config.
-func (cli *Client) ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
-	var response types.ConfigCreateResponse
+func (cli *Client) ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (swarm.ConfigCreateResponse, error) {
+	var response swarm.ConfigCreateResponse
 	if err := cli.NewVersionError(ctx, "1.30", "config create"); err != nil {
 		return response, err
 	}
diff --git a/vendor/github.com/docker/docker/client/config_inspect.go b/vendor/github.com/docker/docker/client/config_inspect.go
index 679a42c7..a9f0a8b0 100644
--- a/vendor/github.com/docker/docker/client/config_inspect.go
+++ b/vendor/github.com/docker/docker/client/config_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/config_list.go b/vendor/github.com/docker/docker/client/config_list.go
index 7e4a8ea5..6f8a1c21 100644
--- a/vendor/github.com/docker/docker/client/config_list.go
+++ b/vendor/github.com/docker/docker/client/config_list.go
@@ -1,17 +1,16 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // ConfigList returns the list of configs.
-func (cli *Client) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+func (cli *Client) ConfigList(ctx context.Context, options swarm.ConfigListOptions) ([]swarm.Config, error) {
 	if err := cli.NewVersionError(ctx, "1.30", "config list"); err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/docker/docker/client/config_remove.go b/vendor/github.com/docker/docker/client/config_remove.go
index a2955c68..99d33b1c 100644
--- a/vendor/github.com/docker/docker/client/config_remove.go
+++ b/vendor/github.com/docker/docker/client/config_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import "context"
 
diff --git a/vendor/github.com/docker/docker/client/config_update.go b/vendor/github.com/docker/docker/client/config_update.go
index ddb219cf..9bc137f7 100644
--- a/vendor/github.com/docker/docker/client/config_update.go
+++ b/vendor/github.com/docker/docker/client/config_update.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_attach.go b/vendor/github.com/docker/docker/client/container_attach.go
index 2e7a13e5..1fb3493e 100644
--- a/vendor/github.com/docker/docker/client/container_attach.go
+++ b/vendor/github.com/docker/docker/client/container_attach.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_commit.go b/vendor/github.com/docker/docker/client/container_commit.go
index 9b46a1f3..2b5b9852 100644
--- a/vendor/github.com/docker/docker/client/container_commit.go
+++ b/vendor/github.com/docker/docker/client/container_commit.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -32,7 +32,7 @@ func (cli *Client) ContainerCommit(ctx context.Context, containerID string, opti
 		if tagged, ok := ref.(reference.Tagged); ok {
 			tag = tagged.Tag()
 		}
-		repository = reference.FamiliarName(ref)
+		repository = ref.Name()
 	}
 
 	query := url.Values{}
diff --git a/vendor/github.com/docker/docker/client/container_copy.go b/vendor/github.com/docker/docker/client/container_copy.go
index 39584d37..7c4130dc 100644
--- a/vendor/github.com/docker/docker/client/container_copy.go
+++ b/vendor/github.com/docker/docker/client/container_copy.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_create.go b/vendor/github.com/docker/docker/client/container_create.go
index 9b8616f7..0625cb12 100644
--- a/vendor/github.com/docker/docker/client/container_create.go
+++ b/vendor/github.com/docker/docker/client/container_create.go
@@ -1,8 +1,9 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"net/url"
 	"path"
 	"sort"
@@ -54,6 +55,19 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
 			// When using API under 1.42, the Linux daemon doesn't respect the ConsoleSize
 			hostConfig.ConsoleSize = [2]uint{0, 0}
 		}
+		if versions.LessThan(cli.ClientVersion(), "1.44") {
+			for _, m := range hostConfig.Mounts {
+				if m.BindOptions != nil {
+					// ReadOnlyNonRecursive can be safely ignored when API < 1.44
+					if m.BindOptions.ReadOnlyForceRecursive {
+						return response, errors.New("bind-recursive=readonly requires API v1.44 or later")
+					}
+					if m.BindOptions.NonRecursive && versions.LessThan(cli.ClientVersion(), "1.40") {
+						return response, errors.New("bind-recursive=disabled requires API v1.40 or later")
+					}
+				}
+			}
+		}
 
 		hostConfig.CapAdd = normalizeCapabilities(hostConfig.CapAdd)
 		hostConfig.CapDrop = normalizeCapabilities(hostConfig.CapDrop)
diff --git a/vendor/github.com/docker/docker/client/container_diff.go b/vendor/github.com/docker/docker/client/container_diff.go
index 52401898..3848e311 100644
--- a/vendor/github.com/docker/docker/client/container_diff.go
+++ b/vendor/github.com/docker/docker/client/container_diff.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_exec.go b/vendor/github.com/docker/docker/client/container_exec.go
index a39ec717..8abbf892 100644
--- a/vendor/github.com/docker/docker/client/container_exec.go
+++ b/vendor/github.com/docker/docker/client/container_exec.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_export.go b/vendor/github.com/docker/docker/client/container_export.go
index 360d5276..3fc4d570 100644
--- a/vendor/github.com/docker/docker/client/container_export.go
+++ b/vendor/github.com/docker/docker/client/container_export.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_inspect.go b/vendor/github.com/docker/docker/client/container_inspect.go
index 60003186..18ccdf23 100644
--- a/vendor/github.com/docker/docker/client/container_inspect.go
+++ b/vendor/github.com/docker/docker/client/container_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/container_kill.go b/vendor/github.com/docker/docker/client/container_kill.go
index 22767ae6..251ae479 100644
--- a/vendor/github.com/docker/docker/client/container_kill.go
+++ b/vendor/github.com/docker/docker/client/container_kill.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_list.go b/vendor/github.com/docker/docker/client/container_list.go
index 510bcdf6..e17b14ac 100644
--- a/vendor/github.com/docker/docker/client/container_list.go
+++ b/vendor/github.com/docker/docker/client/container_list.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_logs.go b/vendor/github.com/docker/docker/client/container_logs.go
index ae30f8d1..3ea1f68d 100644
--- a/vendor/github.com/docker/docker/client/container_logs.go
+++ b/vendor/github.com/docker/docker/client/container_logs.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_pause.go b/vendor/github.com/docker/docker/client/container_pause.go
index 5cc29840..59b3e2d8 100644
--- a/vendor/github.com/docker/docker/client/container_pause.go
+++ b/vendor/github.com/docker/docker/client/container_pause.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import "context"
 
diff --git a/vendor/github.com/docker/docker/client/container_prune.go b/vendor/github.com/docker/docker/client/container_prune.go
index 3176be59..84fb6bc2 100644
--- a/vendor/github.com/docker/docker/client/container_prune.go
+++ b/vendor/github.com/docker/docker/client/container_prune.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_remove.go b/vendor/github.com/docker/docker/client/container_remove.go
index 6661351a..b1a2ce6b 100644
--- a/vendor/github.com/docker/docker/client/container_remove.go
+++ b/vendor/github.com/docker/docker/client/container_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_rename.go b/vendor/github.com/docker/docker/client/container_rename.go
index 0a092310..4c030228 100644
--- a/vendor/github.com/docker/docker/client/container_rename.go
+++ b/vendor/github.com/docker/docker/client/container_rename.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_resize.go b/vendor/github.com/docker/docker/client/container_resize.go
index 725c08ad..56b7368b 100644
--- a/vendor/github.com/docker/docker/client/container_resize.go
+++ b/vendor/github.com/docker/docker/client/container_resize.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_restart.go b/vendor/github.com/docker/docker/client/container_restart.go
index 50559ba6..5af07bfc 100644
--- a/vendor/github.com/docker/docker/client/container_restart.go
+++ b/vendor/github.com/docker/docker/client/container_restart.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_start.go b/vendor/github.com/docker/docker/client/container_start.go
index b81ed3eb..c7206e32 100644
--- a/vendor/github.com/docker/docker/client/container_start.go
+++ b/vendor/github.com/docker/docker/client/container_start.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -15,10 +15,10 @@ func (cli *Client) ContainerStart(ctx context.Context, containerID string, optio
 	}
 
 	query := url.Values{}
-	if len(options.CheckpointID) != 0 {
+	if options.CheckpointID != "" {
 		query.Set("checkpoint", options.CheckpointID)
 	}
-	if len(options.CheckpointDir) != 0 {
+	if options.CheckpointDir != "" {
 		query.Set("checkpoint-dir", options.CheckpointDir)
 	}
 
diff --git a/vendor/github.com/docker/docker/client/container_stats.go b/vendor/github.com/docker/docker/client/container_stats.go
index a66b90cb..2244e0f4 100644
--- a/vendor/github.com/docker/docker/client/container_stats.go
+++ b/vendor/github.com/docker/docker/client/container_stats.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_stop.go b/vendor/github.com/docker/docker/client/container_stop.go
index eb0129ce..175b9c8b 100644
--- a/vendor/github.com/docker/docker/client/container_stop.go
+++ b/vendor/github.com/docker/docker/client/container_stop.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_top.go b/vendor/github.com/docker/docker/client/container_top.go
index 12c8b78f..5770f9d4 100644
--- a/vendor/github.com/docker/docker/client/container_top.go
+++ b/vendor/github.com/docker/docker/client/container_top.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_unpause.go b/vendor/github.com/docker/docker/client/container_unpause.go
index f602549b..c95f6e3a 100644
--- a/vendor/github.com/docker/docker/client/container_unpause.go
+++ b/vendor/github.com/docker/docker/client/container_unpause.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import "context"
 
diff --git a/vendor/github.com/docker/docker/client/container_update.go b/vendor/github.com/docker/docker/client/container_update.go
index 7f0cf627..10e966d0 100644
--- a/vendor/github.com/docker/docker/client/container_update.go
+++ b/vendor/github.com/docker/docker/client/container_update.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/container_wait.go b/vendor/github.com/docker/docker/client/container_wait.go
index bda4a9ee..75c03a12 100644
--- a/vendor/github.com/docker/docker/client/container_wait.go
+++ b/vendor/github.com/docker/docker/client/container_wait.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/disk_usage.go b/vendor/github.com/docker/docker/client/disk_usage.go
index ed788125..729e1057 100644
--- a/vendor/github.com/docker/docker/client/disk_usage.go
+++ b/vendor/github.com/docker/docker/client/disk_usage.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/distribution_inspect.go b/vendor/github.com/docker/docker/client/distribution_inspect.go
index b8654b24..693c4121 100644
--- a/vendor/github.com/docker/docker/client/distribution_inspect.go
+++ b/vendor/github.com/docker/docker/client/distribution_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/envvars.go b/vendor/github.com/docker/docker/client/envvars.go
index 61dd45c1..abe122d1 100644
--- a/vendor/github.com/docker/docker/client/envvars.go
+++ b/vendor/github.com/docker/docker/client/envvars.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 const (
 	// EnvOverrideHost is the name of the environment variable that can be used
diff --git a/vendor/github.com/docker/docker/client/errors.go b/vendor/github.com/docker/docker/client/errors.go
index 609f92ce..9e3a2538 100644
--- a/vendor/github.com/docker/docker/client/errors.go
+++ b/vendor/github.com/docker/docker/client/errors.go
@@ -1,12 +1,14 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 
+	cerrdefs "github.com/containerd/errdefs"
+	"github.com/containerd/errdefs/pkg/errhttp"
 	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/errdefs"
 )
 
 // errConnectionFailed implements an error returned when connection failed.
@@ -48,9 +50,11 @@ func connectionFailed(host string) error {
 }
 
 // IsErrNotFound returns true if the error is a NotFound error, which is returned
-// by the API when some object is not found. It is an alias for [errdefs.IsNotFound].
+// by the API when some object is not found. It is an alias for [cerrdefs.IsNotFound].
+//
+// Deprecated: use [cerrdefs.IsNotFound] instead.
 func IsErrNotFound(err error) bool {
-	return errdefs.IsNotFound(err)
+	return cerrdefs.IsNotFound(err)
 }
 
 type objectNotFoundError struct {
@@ -83,3 +87,43 @@ func (cli *Client) NewVersionError(ctx context.Context, APIrequired, feature str
 	}
 	return nil
 }
+
+type httpError struct {
+	err    error
+	errdef error
+}
+
+func (e *httpError) Error() string {
+	return e.err.Error()
+}
+
+func (e *httpError) Unwrap() error {
+	return e.err
+}
+
+func (e *httpError) Is(target error) bool {
+	return errors.Is(e.errdef, target)
+}
+
+// httpErrorFromStatusCode creates an errdef error, based on the provided HTTP status-code
+func httpErrorFromStatusCode(err error, statusCode int) error {
+	if err == nil {
+		return nil
+	}
+	base := errhttp.ToNative(statusCode)
+	if base != nil {
+		return &httpError{err: err, errdef: base}
+	}
+
+	switch {
+	case statusCode >= http.StatusOK && statusCode < http.StatusBadRequest:
+		// it's a client error
+		return err
+	case statusCode >= http.StatusBadRequest && statusCode < http.StatusInternalServerError:
+		return &httpError{err: err, errdef: cerrdefs.ErrInvalidArgument}
+	case statusCode >= http.StatusInternalServerError && statusCode < 600:
+		return &httpError{err: err, errdef: cerrdefs.ErrInternal}
+	default:
+		return &httpError{err: err, errdef: cerrdefs.ErrUnknown}
+	}
+}
diff --git a/vendor/github.com/docker/docker/client/events.go b/vendor/github.com/docker/docker/client/events.go
index c71d2a08..498fe463 100644
--- a/vendor/github.com/docker/docker/client/events.go
+++ b/vendor/github.com/docker/docker/client/events.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
index 2c78fad0..01d121a6 100644
--- a/vendor/github.com/docker/docker/client/hijack.go
+++ b/vendor/github.com/docker/docker/client/hijack.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bufio"
@@ -40,7 +40,7 @@ func (cli *Client) postHijacked(ctx context.Context, path string, query url.Valu
 
 // DialHijack returns a hijacked connection with negotiated protocol proto.
 func (cli *Client) DialHijack(ctx context.Context, url, proto string, meta map[string][]string) (net.Conn, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, http.NoBody)
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/docker/docker/client/image_build.go b/vendor/github.com/docker/docker/client/image_build.go
index 6e2a4068..66ca75e4 100644
--- a/vendor/github.com/docker/docker/client/image_build.go
+++ b/vendor/github.com/docker/docker/client/image_build.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -10,7 +10,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
 )
@@ -18,15 +18,15 @@ import (
 // ImageBuild sends a request to the daemon to build images.
 // The Body in the response implements an io.ReadCloser and it's up to the caller to
 // close it.
-func (cli *Client) ImageBuild(ctx context.Context, buildContext io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) {
+func (cli *Client) ImageBuild(ctx context.Context, buildContext io.Reader, options build.ImageBuildOptions) (build.ImageBuildResponse, error) {
 	query, err := cli.imageBuildOptionsToQuery(ctx, options)
 	if err != nil {
-		return types.ImageBuildResponse{}, err
+		return build.ImageBuildResponse{}, err
 	}
 
 	buf, err := json.Marshal(options.AuthConfigs)
 	if err != nil {
-		return types.ImageBuildResponse{}, err
+		return build.ImageBuildResponse{}, err
 	}
 
 	headers := http.Header{}
@@ -35,16 +35,16 @@ func (cli *Client) ImageBuild(ctx context.Context, buildContext io.Reader, optio
 
 	resp, err := cli.postRaw(ctx, "/build", query, buildContext, headers)
 	if err != nil {
-		return types.ImageBuildResponse{}, err
+		return build.ImageBuildResponse{}, err
 	}
 
-	return types.ImageBuildResponse{
+	return build.ImageBuildResponse{
 		Body:   resp.Body,
 		OSType: getDockerOS(resp.Header.Get("Server")),
 	}, nil
 }
 
-func (cli *Client) imageBuildOptionsToQuery(ctx context.Context, options types.ImageBuildOptions) (url.Values, error) {
+func (cli *Client) imageBuildOptionsToQuery(ctx context.Context, options build.ImageBuildOptions) (url.Values, error) {
 	query := url.Values{}
 	if len(options.Tags) > 0 {
 		query["t"] = options.Tags
diff --git a/vendor/github.com/docker/docker/client/image_create.go b/vendor/github.com/docker/docker/client/image_create.go
index 0357051e..1e044d77 100644
--- a/vendor/github.com/docker/docker/client/image_create.go
+++ b/vendor/github.com/docker/docker/client/image_create.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -21,7 +21,7 @@ func (cli *Client) ImageCreate(ctx context.Context, parentReference string, opti
 	}
 
 	query := url.Values{}
-	query.Set("fromImage", reference.FamiliarName(ref))
+	query.Set("fromImage", ref.Name())
 	query.Set("tag", getAPITagFromNamedRef(ref))
 	if options.Platform != "" {
 		query.Set("platform", strings.ToLower(options.Platform))
diff --git a/vendor/github.com/docker/docker/client/image_history.go b/vendor/github.com/docker/docker/client/image_history.go
index 49381fb8..fce8b80e 100644
--- a/vendor/github.com/docker/docker/client/image_history.go
+++ b/vendor/github.com/docker/docker/client/image_history.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/image_import.go b/vendor/github.com/docker/docker/client/image_import.go
index 5849d85b..5236dbc6 100644
--- a/vendor/github.com/docker/docker/client/image_import.go
+++ b/vendor/github.com/docker/docker/client/image_import.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/image_inspect.go b/vendor/github.com/docker/docker/client/image_inspect.go
index 11611954..4c350031 100644
--- a/vendor/github.com/docker/docker/client/image_inspect.go
+++ b/vendor/github.com/docker/docker/client/image_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
@@ -32,6 +32,17 @@ func (cli *Client) ImageInspect(ctx context.Context, imageID string, inspectOpts
 		query.Set("manifests", "1")
 	}
 
+	if opts.apiOptions.Platform != nil {
+		if err := cli.NewVersionError(ctx, "1.49", "platform"); err != nil {
+			return image.InspectResponse{}, err
+		}
+		platform, err := encodePlatform(opts.apiOptions.Platform)
+		if err != nil {
+			return image.InspectResponse{}, err
+		}
+		query.Set("platform", platform)
+	}
+
 	resp, err := cli.get(ctx, "/images/"+imageID+"/json", query, nil)
 	defer ensureReaderClosed(resp)
 	if err != nil {
diff --git a/vendor/github.com/docker/docker/client/image_inspect_opts.go b/vendor/github.com/docker/docker/client/image_inspect_opts.go
index 2607f367..655cbf0b 100644
--- a/vendor/github.com/docker/docker/client/image_inspect_opts.go
+++ b/vendor/github.com/docker/docker/client/image_inspect_opts.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 
 	"github.com/docker/docker/api/types/image"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // ImageInspectOption is a type representing functional options for the image inspect operation.
@@ -36,6 +37,17 @@ func ImageInspectWithManifests(manifests bool) ImageInspectOption {
 	})
 }
 
+// ImageInspectWithPlatform sets platform API option for the image inspect operation.
+// This option is only available for API version 1.49 and up.
+// With this option set, the image inspect operation will return information for the
+// specified platform variant of the multi-platform image.
+func ImageInspectWithPlatform(platform *ocispec.Platform) ImageInspectOption {
+	return imageInspectOptionFunc(func(clientOpts *imageInspectOpts) error {
+		clientOpts.apiOptions.Platform = platform
+		return nil
+	})
+}
+
 // ImageInspectWithAPIOpts sets the API options for the image inspect operation.
 func ImageInspectWithAPIOpts(opts image.InspectOptions) ImageInspectOption {
 	return imageInspectOptionFunc(func(clientOpts *imageInspectOpts) error {
diff --git a/vendor/github.com/docker/docker/client/image_list.go b/vendor/github.com/docker/docker/client/image_list.go
index e1911eb7..ec0a2ad5 100644
--- a/vendor/github.com/docker/docker/client/image_list.go
+++ b/vendor/github.com/docker/docker/client/image_list.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/image_load.go b/vendor/github.com/docker/docker/client/image_load.go
index d83877d4..079002e9 100644
--- a/vendor/github.com/docker/docker/client/image_load.go
+++ b/vendor/github.com/docker/docker/client/image_load.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/image_prune.go b/vendor/github.com/docker/docker/client/image_prune.go
index 7c354d7b..52e8bcf5 100644
--- a/vendor/github.com/docker/docker/client/image_prune.go
+++ b/vendor/github.com/docker/docker/client/image_prune.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/image_pull.go b/vendor/github.com/docker/docker/client/image_pull.go
index 4286942b..ab7606b4 100644
--- a/vendor/github.com/docker/docker/client/image_pull.go
+++ b/vendor/github.com/docker/docker/client/image_pull.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -6,9 +6,9 @@ import (
 	"net/url"
 	"strings"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/errdefs"
 )
 
 // ImagePull requests the docker host to pull an image from a remote registry.
@@ -26,7 +26,7 @@ func (cli *Client) ImagePull(ctx context.Context, refStr string, options image.P
 	}
 
 	query := url.Values{}
-	query.Set("fromImage", reference.FamiliarName(ref))
+	query.Set("fromImage", ref.Name())
 	if !options.All {
 		query.Set("tag", getAPITagFromNamedRef(ref))
 	}
@@ -35,7 +35,7 @@ func (cli *Client) ImagePull(ctx context.Context, refStr string, options image.P
 	}
 
 	resp, err := cli.tryImageCreate(ctx, query, options.RegistryAuth)
-	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
+	if cerrdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return nil, privilegeErr
diff --git a/vendor/github.com/docker/docker/client/image_push.go b/vendor/github.com/docker/docker/client/image_push.go
index b340bc4f..8dbe0b1e 100644
--- a/vendor/github.com/docker/docker/client/image_push.go
+++ b/vendor/github.com/docker/docker/client/image_push.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -9,10 +9,10 @@ import (
 	"net/http"
 	"net/url"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/errdefs"
 )
 
 // ImagePush requests the docker host to push an image to a remote registry.
@@ -29,7 +29,6 @@ func (cli *Client) ImagePush(ctx context.Context, image string, options image.Pu
 		return nil, errors.New("cannot push a digest reference")
 	}
 
-	name := reference.FamiliarName(ref)
 	query := url.Values{}
 	if !options.All {
 		ref = reference.TagNameOnly(ref)
@@ -52,13 +51,13 @@ func (cli *Client) ImagePush(ctx context.Context, image string, options image.Pu
 		query.Set("platform", string(pJson))
 	}
 
-	resp, err := cli.tryImagePush(ctx, name, query, options.RegistryAuth)
-	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
+	resp, err := cli.tryImagePush(ctx, ref.Name(), query, options.RegistryAuth)
+	if cerrdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return nil, privilegeErr
 		}
-		resp, err = cli.tryImagePush(ctx, name, query, newAuthHeader)
+		resp, err = cli.tryImagePush(ctx, ref.Name(), query, newAuthHeader)
 	}
 	if err != nil {
 		return nil, err
@@ -67,7 +66,16 @@ func (cli *Client) ImagePush(ctx context.Context, image string, options image.Pu
 }
 
 func (cli *Client) tryImagePush(ctx context.Context, imageID string, query url.Values, registryAuth string) (*http.Response, error) {
-	return cli.post(ctx, "/images/"+imageID+"/push", query, nil, http.Header{
+	// Always send a body (which may be an empty JSON document ("{}")) to prevent
+	// EOF errors on older daemons which had faulty fallback code for handling
+	// authentication in the body when no auth-header was set, resulting in;
+	//
+	//	Error response from daemon: bad parameters and missing X-Registry-Auth: invalid X-Registry-Auth header: EOF
+	//
+	// We use [http.NoBody], which gets marshaled to an empty JSON document.
+	//
+	// see: https://github.com/moby/moby/commit/ea29dffaa541289591aa44fa85d2a596ce860e16
+	return cli.post(ctx, "/images/"+imageID+"/push", query, http.NoBody, http.Header{
 		registry.AuthHeader: {registryAuth},
 	})
 }
diff --git a/vendor/github.com/docker/docker/client/image_remove.go b/vendor/github.com/docker/docker/client/image_remove.go
index b0c87ca0..8f357c72 100644
--- a/vendor/github.com/docker/docker/client/image_remove.go
+++ b/vendor/github.com/docker/docker/client/image_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -19,6 +19,14 @@ func (cli *Client) ImageRemove(ctx context.Context, imageID string, options imag
 		query.Set("noprune", "1")
 	}
 
+	if len(options.Platforms) > 0 {
+		p, err := encodePlatforms(options.Platforms...)
+		if err != nil {
+			return nil, err
+		}
+		query["platforms"] = p
+	}
+
 	resp, err := cli.delete(ctx, "/images/"+imageID, query, nil)
 	defer ensureReaderClosed(resp)
 	if err != nil {
diff --git a/vendor/github.com/docker/docker/client/image_save.go b/vendor/github.com/docker/docker/client/image_save.go
index 0aa7177d..d2102bec 100644
--- a/vendor/github.com/docker/docker/client/image_save.go
+++ b/vendor/github.com/docker/docker/client/image_save.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/image_search.go b/vendor/github.com/docker/docker/client/image_search.go
index 0a7b5ec2..8f5343b9 100644
--- a/vendor/github.com/docker/docker/client/image_search.go
+++ b/vendor/github.com/docker/docker/client/image_search.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -7,9 +7,9 @@ import (
 	"net/url"
 	"strconv"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/errdefs"
 )
 
 // ImageSearch makes the docker host search by a term in a remote registry.
@@ -32,7 +32,7 @@ func (cli *Client) ImageSearch(ctx context.Context, term string, options registr
 
 	resp, err := cli.tryImageSearch(ctx, query, options.RegistryAuth)
 	defer ensureReaderClosed(resp)
-	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
+	if cerrdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return results, privilegeErr
diff --git a/vendor/github.com/docker/docker/client/image_tag.go b/vendor/github.com/docker/docker/client/image_tag.go
index ea6b4a1e..2bfafc51 100644
--- a/vendor/github.com/docker/docker/client/image_tag.go
+++ b/vendor/github.com/docker/docker/client/image_tag.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -26,7 +26,7 @@ func (cli *Client) ImageTag(ctx context.Context, source, target string) error {
 	ref = reference.TagNameOnly(ref)
 
 	query := url.Values{}
-	query.Set("repo", reference.FamiliarName(ref))
+	query.Set("repo", ref.Name())
 	if tagged, ok := ref.(reference.Tagged); ok {
 		query.Set("tag", tagged.Tag())
 	}
diff --git a/vendor/github.com/docker/docker/client/info.go b/vendor/github.com/docker/docker/client/info.go
index 6396f4b6..ed85d7f8 100644
--- a/vendor/github.com/docker/docker/client/info.go
+++ b/vendor/github.com/docker/docker/client/info.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/login.go b/vendor/github.com/docker/docker/client/login.go
index d3572c1b..2d7f1790 100644
--- a/vendor/github.com/docker/docker/client/login.go
+++ b/vendor/github.com/docker/docker/client/login.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/network_connect.go b/vendor/github.com/docker/docker/client/network_connect.go
index fa7cc34f..f7526c5d 100644
--- a/vendor/github.com/docker/docker/client/network_connect.go
+++ b/vendor/github.com/docker/docker/client/network_connect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/network_create.go b/vendor/github.com/docker/docker/client/network_create.go
index eef95144..6a7f2ea5 100644
--- a/vendor/github.com/docker/docker/client/network_create.go
+++ b/vendor/github.com/docker/docker/client/network_create.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/network_disconnect.go b/vendor/github.com/docker/docker/client/network_disconnect.go
index d8051df2..55f9b6a2 100644
--- a/vendor/github.com/docker/docker/client/network_disconnect.go
+++ b/vendor/github.com/docker/docker/client/network_disconnect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/network_inspect.go b/vendor/github.com/docker/docker/client/network_inspect.go
index 1387c080..734ec102 100644
--- a/vendor/github.com/docker/docker/client/network_inspect.go
+++ b/vendor/github.com/docker/docker/client/network_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/network_list.go b/vendor/github.com/docker/docker/client/network_list.go
index e1b4fca7..8d933619 100644
--- a/vendor/github.com/docker/docker/client/network_list.go
+++ b/vendor/github.com/docker/docker/client/network_list.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/network_prune.go b/vendor/github.com/docker/docker/client/network_prune.go
index 90d3679f..7835fe90 100644
--- a/vendor/github.com/docker/docker/client/network_prune.go
+++ b/vendor/github.com/docker/docker/client/network_prune.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/network_remove.go b/vendor/github.com/docker/docker/client/network_remove.go
index 89fdaaf3..9b164d3e 100644
--- a/vendor/github.com/docker/docker/client/network_remove.go
+++ b/vendor/github.com/docker/docker/client/network_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import "context"
 
diff --git a/vendor/github.com/docker/docker/client/node_inspect.go b/vendor/github.com/docker/docker/client/node_inspect.go
index 5d3343dc..dd1f1f8a 100644
--- a/vendor/github.com/docker/docker/client/node_inspect.go
+++ b/vendor/github.com/docker/docker/client/node_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/node_list.go b/vendor/github.com/docker/docker/client/node_list.go
index 2534f4ae..3b393ffe 100644
--- a/vendor/github.com/docker/docker/client/node_list.go
+++ b/vendor/github.com/docker/docker/client/node_list.go
@@ -1,17 +1,16 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // NodeList returns the list of nodes.
-func (cli *Client) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+func (cli *Client) NodeList(ctx context.Context, options swarm.NodeListOptions) ([]swarm.Node, error) {
 	query := url.Values{}
 
 	if options.Filters.Len() > 0 {
diff --git a/vendor/github.com/docker/docker/client/node_remove.go b/vendor/github.com/docker/docker/client/node_remove.go
index 81f8fed6..644fe138 100644
--- a/vendor/github.com/docker/docker/client/node_remove.go
+++ b/vendor/github.com/docker/docker/client/node_remove.go
@@ -1,14 +1,14 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
 )
 
 // NodeRemove removes a Node.
-func (cli *Client) NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error {
+func (cli *Client) NodeRemove(ctx context.Context, nodeID string, options swarm.NodeRemoveOptions) error {
 	nodeID, err := trimID("node", nodeID)
 	if err != nil {
 		return err
diff --git a/vendor/github.com/docker/docker/client/node_update.go b/vendor/github.com/docker/docker/client/node_update.go
index 10e21866..62af964c 100644
--- a/vendor/github.com/docker/docker/client/node_update.go
+++ b/vendor/github.com/docker/docker/client/node_update.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/ping.go b/vendor/github.com/docker/docker/client/ping.go
index c7645e56..385fdf05 100644
--- a/vendor/github.com/docker/docker/client/ping.go
+++ b/vendor/github.com/docker/docker/client/ping.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/build"
 	"github.com/docker/docker/api/types/swarm"
 )
 
@@ -67,7 +68,7 @@ func parsePingResponse(cli *Client, resp *http.Response) (types.Ping, error) {
 		ping.Experimental = true
 	}
 	if bv := resp.Header.Get("Builder-Version"); bv != "" {
-		ping.BuilderVersion = types.BuilderVersion(bv)
+		ping.BuilderVersion = build.BuilderVersion(bv)
 	}
 	if si := resp.Header.Get("Swarm"); si != "" {
 		state, role, _ := strings.Cut(si, "/")
diff --git a/vendor/github.com/docker/docker/client/plugin_create.go b/vendor/github.com/docker/docker/client/plugin_create.go
index b95dbaf6..eaba7ee6 100644
--- a/vendor/github.com/docker/docker/client/plugin_create.go
+++ b/vendor/github.com/docker/docker/client/plugin_create.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/plugin_disable.go b/vendor/github.com/docker/docker/client/plugin_disable.go
index 9fabe77b..4049b1b6 100644
--- a/vendor/github.com/docker/docker/client/plugin_disable.go
+++ b/vendor/github.com/docker/docker/client/plugin_disable.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/plugin_enable.go b/vendor/github.com/docker/docker/client/plugin_enable.go
index 492d0bcf..61185693 100644
--- a/vendor/github.com/docker/docker/client/plugin_enable.go
+++ b/vendor/github.com/docker/docker/client/plugin_enable.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/plugin_inspect.go b/vendor/github.com/docker/docker/client/plugin_inspect.go
index 8f107a76..eaedeb8a 100644
--- a/vendor/github.com/docker/docker/client/plugin_inspect.go
+++ b/vendor/github.com/docker/docker/client/plugin_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/plugin_install.go b/vendor/github.com/docker/docker/client/plugin_install.go
index b04dcf9a..5fd2ff21 100644
--- a/vendor/github.com/docker/docker/client/plugin_install.go
+++ b/vendor/github.com/docker/docker/client/plugin_install.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -7,15 +7,15 @@ import (
 	"net/http"
 	"net/url"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 )
 
 // PluginInstall installs a plugin
-func (cli *Client) PluginInstall(ctx context.Context, name string, options types.PluginInstallOptions) (rc io.ReadCloser, err error) {
+func (cli *Client) PluginInstall(ctx context.Context, name string, options types.PluginInstallOptions) (_ io.ReadCloser, retErr error) {
 	query := url.Values{}
 	if _, err := reference.ParseNormalizedNamed(options.RemoteRef); err != nil {
 		return nil, errors.Wrap(err, "invalid remote reference")
@@ -45,7 +45,7 @@ func (cli *Client) PluginInstall(ctx context.Context, name string, options types
 			return
 		}
 		defer func() {
-			if err != nil {
+			if retErr != nil {
 				delResp, _ := cli.delete(ctx, "/plugins/"+name, nil, nil)
 				ensureReaderClosed(delResp)
 			}
@@ -82,7 +82,7 @@ func (cli *Client) tryPluginPull(ctx context.Context, query url.Values, privileg
 
 func (cli *Client) checkPluginPermissions(ctx context.Context, query url.Values, options types.PluginInstallOptions) (types.PluginPrivileges, error) {
 	resp, err := cli.tryPluginPrivileges(ctx, query, options.RegistryAuth)
-	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
+	if cerrdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		// todo: do inspect before to check existing name before checking privileges
 		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
diff --git a/vendor/github.com/docker/docker/client/plugin_list.go b/vendor/github.com/docker/docker/client/plugin_list.go
index 03bcf762..f314e17f 100644
--- a/vendor/github.com/docker/docker/client/plugin_list.go
+++ b/vendor/github.com/docker/docker/client/plugin_list.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/plugin_push.go b/vendor/github.com/docker/docker/client/plugin_push.go
index da15e449..4574dcdd 100644
--- a/vendor/github.com/docker/docker/client/plugin_push.go
+++ b/vendor/github.com/docker/docker/client/plugin_push.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/plugin_remove.go b/vendor/github.com/docker/docker/client/plugin_remove.go
index 6ee107e3..2ba0a8cc 100644
--- a/vendor/github.com/docker/docker/client/plugin_remove.go
+++ b/vendor/github.com/docker/docker/client/plugin_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/plugin_set.go b/vendor/github.com/docker/docker/client/plugin_set.go
index e2a79838..f0e4a0c3 100644
--- a/vendor/github.com/docker/docker/client/plugin_set.go
+++ b/vendor/github.com/docker/docker/client/plugin_set.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/plugin_upgrade.go b/vendor/github.com/docker/docker/client/plugin_upgrade.go
index 4abb29cf..cd0cf4d2 100644
--- a/vendor/github.com/docker/docker/client/plugin_upgrade.go
+++ b/vendor/github.com/docker/docker/client/plugin_upgrade.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
index 2b913aab..254138fc 100644
--- a/vendor/github.com/docker/docker/client/request.go
+++ b/vendor/github.com/docker/docker/client/request.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
@@ -15,7 +15,6 @@ import (
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/versions"
-	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 )
 
@@ -116,10 +115,8 @@ func (cli *Client) sendRequest(ctx context.Context, method, path string, query u
 
 	resp, err := cli.doRequest(req)
 	switch {
-	case errors.Is(err, context.Canceled):
-		return nil, errdefs.Cancelled(err)
-	case errors.Is(err, context.DeadlineExceeded):
-		return nil, errdefs.Deadline(err)
+	case errors.Is(err, context.Canceled), errors.Is(err, context.DeadlineExceeded):
+		return nil, err
 	case err == nil:
 		return resp, cli.checkResponseErr(resp)
 	default:
@@ -195,11 +192,11 @@ func (cli *Client) checkResponseErr(serverResp *http.Response) (retErr error) {
 	if serverResp == nil {
 		return nil
 	}
-	if serverResp.StatusCode >= 200 && serverResp.StatusCode < 400 {
+	if serverResp.StatusCode >= http.StatusOK && serverResp.StatusCode < http.StatusBadRequest {
 		return nil
 	}
 	defer func() {
-		retErr = errdefs.FromStatusCode(retErr, serverResp.StatusCode)
+		retErr = httpErrorFromStatusCode(retErr, serverResp.StatusCode)
 	}()
 
 	var body []byte
@@ -237,7 +234,7 @@ func (cli *Client) checkResponseErr(serverResp *http.Response) (retErr error) {
 	}
 
 	var daemonErr error
-	if serverResp.Header.Get("Content-Type") == "application/json" && (cli.version == "" || versions.GreaterThan(cli.version, "1.23")) {
+	if serverResp.Header.Get("Content-Type") == "application/json" {
 		var errorResponse types.ErrorResponse
 		if err := json.Unmarshal(body, &errorResponse); err != nil {
 			return errors.Wrap(err, "Error reading JSON")
diff --git a/vendor/github.com/docker/docker/client/secret_create.go b/vendor/github.com/docker/docker/client/secret_create.go
index bbd11918..be4a1da4 100644
--- a/vendor/github.com/docker/docker/client/secret_create.go
+++ b/vendor/github.com/docker/docker/client/secret_create.go
@@ -1,25 +1,24 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // SecretCreate creates a new secret.
-func (cli *Client) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {
+func (cli *Client) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (swarm.SecretCreateResponse, error) {
 	if err := cli.NewVersionError(ctx, "1.25", "secret create"); err != nil {
-		return types.SecretCreateResponse{}, err
+		return swarm.SecretCreateResponse{}, err
 	}
 	resp, err := cli.post(ctx, "/secrets/create", nil, secret, nil)
 	defer ensureReaderClosed(resp)
 	if err != nil {
-		return types.SecretCreateResponse{}, err
+		return swarm.SecretCreateResponse{}, err
 	}
 
-	var response types.SecretCreateResponse
+	var response swarm.SecretCreateResponse
 	err = json.NewDecoder(resp.Body).Decode(&response)
 	return response, err
 }
diff --git a/vendor/github.com/docker/docker/client/secret_inspect.go b/vendor/github.com/docker/docker/client/secret_inspect.go
index fdabc197..f44c00e7 100644
--- a/vendor/github.com/docker/docker/client/secret_inspect.go
+++ b/vendor/github.com/docker/docker/client/secret_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/secret_list.go b/vendor/github.com/docker/docker/client/secret_list.go
index e3b7dbdb..2e37bda2 100644
--- a/vendor/github.com/docker/docker/client/secret_list.go
+++ b/vendor/github.com/docker/docker/client/secret_list.go
@@ -1,17 +1,16 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // SecretList returns the list of secrets.
-func (cli *Client) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+func (cli *Client) SecretList(ctx context.Context, options swarm.SecretListOptions) ([]swarm.Secret, error) {
 	if err := cli.NewVersionError(ctx, "1.25", "secret list"); err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/docker/docker/client/secret_remove.go b/vendor/github.com/docker/docker/client/secret_remove.go
index 7ea2acbf..d1044aaf 100644
--- a/vendor/github.com/docker/docker/client/secret_remove.go
+++ b/vendor/github.com/docker/docker/client/secret_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import "context"
 
diff --git a/vendor/github.com/docker/docker/client/secret_update.go b/vendor/github.com/docker/docker/client/secret_update.go
index 60d21a6f..a0aff7cb 100644
--- a/vendor/github.com/docker/docker/client/secret_update.go
+++ b/vendor/github.com/docker/docker/client/secret_update.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/service_create.go b/vendor/github.com/docker/docker/client/service_create.go
index fb12dd5b..db7566a8 100644
--- a/vendor/github.com/docker/docker/client/service_create.go
+++ b/vendor/github.com/docker/docker/client/service_create.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -8,7 +8,6 @@ import (
 	"strings"
 
 	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
@@ -17,7 +16,7 @@ import (
 )
 
 // ServiceCreate creates a new service.
-func (cli *Client) ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options types.ServiceCreateOptions) (swarm.ServiceCreateResponse, error) {
+func (cli *Client) ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options swarm.ServiceCreateOptions) (swarm.ServiceCreateResponse, error) {
 	var response swarm.ServiceCreateResponse
 
 	// Make sure we negotiated (if the client is configured to do so),
@@ -37,6 +36,11 @@ func (cli *Client) ServiceCreate(ctx context.Context, service swarm.ServiceSpec,
 	if err := validateServiceSpec(service); err != nil {
 		return response, err
 	}
+	if versions.LessThan(cli.version, "1.30") {
+		if err := validateAPIVersion(service, cli.version); err != nil {
+			return response, err
+		}
+	}
 
 	// ensure that the image is tagged
 	var resolveWarning string
@@ -191,3 +195,18 @@ func validateServiceSpec(s swarm.ServiceSpec) error {
 	}
 	return nil
 }
+
+func validateAPIVersion(c swarm.ServiceSpec, apiVersion string) error {
+	for _, m := range c.TaskTemplate.ContainerSpec.Mounts {
+		if m.BindOptions != nil {
+			if m.BindOptions.NonRecursive && versions.LessThan(apiVersion, "1.40") {
+				return errors.Errorf("bind-recursive=disabled requires API v1.40 or later")
+			}
+			// ReadOnlyNonRecursive can be safely ignored when API < 1.44
+			if m.BindOptions.ReadOnlyForceRecursive && versions.LessThan(apiVersion, "1.44") {
+				return errors.Errorf("bind-recursive=readonly requires API v1.44 or later")
+			}
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/docker/docker/client/service_inspect.go b/vendor/github.com/docker/docker/client/service_inspect.go
index 77b4402d..cb25ade1 100644
--- a/vendor/github.com/docker/docker/client/service_inspect.go
+++ b/vendor/github.com/docker/docker/client/service_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
@@ -8,12 +8,11 @@ import (
 	"io"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // ServiceInspectWithRaw returns the service information and the raw data.
-func (cli *Client) ServiceInspectWithRaw(ctx context.Context, serviceID string, opts types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+func (cli *Client) ServiceInspectWithRaw(ctx context.Context, serviceID string, opts swarm.ServiceInspectOptions) (swarm.Service, []byte, error) {
 	serviceID, err := trimID("service", serviceID)
 	if err != nil {
 		return swarm.Service{}, nil, err
diff --git a/vendor/github.com/docker/docker/client/service_list.go b/vendor/github.com/docker/docker/client/service_list.go
index f589a842..26b25ff0 100644
--- a/vendor/github.com/docker/docker/client/service_list.go
+++ b/vendor/github.com/docker/docker/client/service_list.go
@@ -1,17 +1,16 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // ServiceList returns the list of services.
-func (cli *Client) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+func (cli *Client) ServiceList(ctx context.Context, options swarm.ServiceListOptions) ([]swarm.Service, error) {
 	query := url.Values{}
 
 	if options.Filters.Len() > 0 {
diff --git a/vendor/github.com/docker/docker/client/service_logs.go b/vendor/github.com/docker/docker/client/service_logs.go
index 6e0cbee4..8bf04082 100644
--- a/vendor/github.com/docker/docker/client/service_logs.go
+++ b/vendor/github.com/docker/docker/client/service_logs.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/service_remove.go b/vendor/github.com/docker/docker/client/service_remove.go
index 93c949e4..0c7cc571 100644
--- a/vendor/github.com/docker/docker/client/service_remove.go
+++ b/vendor/github.com/docker/docker/client/service_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import "context"
 
diff --git a/vendor/github.com/docker/docker/client/service_update.go b/vendor/github.com/docker/docker/client/service_update.go
index ecb98f46..278e305d 100644
--- a/vendor/github.com/docker/docker/client/service_update.go
+++ b/vendor/github.com/docker/docker/client/service_update.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
@@ -6,7 +6,6 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
@@ -15,7 +14,7 @@ import (
 // ServiceUpdate updates a Service. The version number is required to avoid conflicting writes.
 // It should be the value as set *before* the update. You can find this value in the Meta field
 // of swarm.Service, which can be found using ServiceInspectWithRaw.
-func (cli *Client) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (swarm.ServiceUpdateResponse, error) {
+func (cli *Client) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options swarm.ServiceUpdateOptions) (swarm.ServiceUpdateResponse, error) {
 	serviceID, err := trimID("service", serviceID)
 	if err != nil {
 		return swarm.ServiceUpdateResponse{}, err
diff --git a/vendor/github.com/docker/docker/client/swarm_get_unlock_key.go b/vendor/github.com/docker/docker/client/swarm_get_unlock_key.go
index 271fc08c..41151f6c 100644
--- a/vendor/github.com/docker/docker/client/swarm_get_unlock_key.go
+++ b/vendor/github.com/docker/docker/client/swarm_get_unlock_key.go
@@ -1,21 +1,21 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
 )
 
 // SwarmGetUnlockKey retrieves the swarm's unlock key.
-func (cli *Client) SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error) {
+func (cli *Client) SwarmGetUnlockKey(ctx context.Context) (swarm.UnlockKeyResponse, error) {
 	resp, err := cli.get(ctx, "/swarm/unlockkey", nil, nil)
 	defer ensureReaderClosed(resp)
 	if err != nil {
-		return types.SwarmUnlockKeyResponse{}, err
+		return swarm.UnlockKeyResponse{}, err
 	}
 
-	var response types.SwarmUnlockKeyResponse
+	var response swarm.UnlockKeyResponse
 	err = json.NewDecoder(resp.Body).Decode(&response)
 	return response, err
 }
diff --git a/vendor/github.com/docker/docker/client/swarm_init.go b/vendor/github.com/docker/docker/client/swarm_init.go
index 3dcb2a5b..7f291654 100644
--- a/vendor/github.com/docker/docker/client/swarm_init.go
+++ b/vendor/github.com/docker/docker/client/swarm_init.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/swarm_inspect.go b/vendor/github.com/docker/docker/client/swarm_inspect.go
index 3d5a8a04..597693bd 100644
--- a/vendor/github.com/docker/docker/client/swarm_inspect.go
+++ b/vendor/github.com/docker/docker/client/swarm_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/swarm_join.go b/vendor/github.com/docker/docker/client/swarm_join.go
index a1cf0455..446d4d04 100644
--- a/vendor/github.com/docker/docker/client/swarm_join.go
+++ b/vendor/github.com/docker/docker/client/swarm_join.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/swarm_leave.go b/vendor/github.com/docker/docker/client/swarm_leave.go
index 90ca84b3..709e5adb 100644
--- a/vendor/github.com/docker/docker/client/swarm_leave.go
+++ b/vendor/github.com/docker/docker/client/swarm_leave.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/swarm_unlock.go b/vendor/github.com/docker/docker/client/swarm_unlock.go
index 745d64d5..e3c756b6 100644
--- a/vendor/github.com/docker/docker/client/swarm_unlock.go
+++ b/vendor/github.com/docker/docker/client/swarm_unlock.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/swarm_update.go b/vendor/github.com/docker/docker/client/swarm_update.go
index 9fde7d75..309ab194 100644
--- a/vendor/github.com/docker/docker/client/swarm_update.go
+++ b/vendor/github.com/docker/docker/client/swarm_update.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/task_inspect.go b/vendor/github.com/docker/docker/client/task_inspect.go
index 37668bd2..ca3924fc 100644
--- a/vendor/github.com/docker/docker/client/task_inspect.go
+++ b/vendor/github.com/docker/docker/client/task_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/task_list.go b/vendor/github.com/docker/docker/client/task_list.go
index aba7f61e..de743e99 100644
--- a/vendor/github.com/docker/docker/client/task_list.go
+++ b/vendor/github.com/docker/docker/client/task_list.go
@@ -1,17 +1,16 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
 	"encoding/json"
 	"net/url"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 )
 
 // TaskList returns the list of tasks.
-func (cli *Client) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+func (cli *Client) TaskList(ctx context.Context, options swarm.TaskListOptions) ([]swarm.Task, error) {
 	query := url.Values{}
 
 	if options.Filters.Len() > 0 {
diff --git a/vendor/github.com/docker/docker/client/task_logs.go b/vendor/github.com/docker/docker/client/task_logs.go
index 9dcb977b..baa55528 100644
--- a/vendor/github.com/docker/docker/client/task_logs.go
+++ b/vendor/github.com/docker/docker/client/task_logs.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/utils.go b/vendor/github.com/docker/docker/client/utils.go
index 925d4d8d..67e1e693 100644
--- a/vendor/github.com/docker/docker/client/utils.go
+++ b/vendor/github.com/docker/docker/client/utils.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"encoding/json"
@@ -6,8 +6,8 @@ import (
 	"net/url"
 	"strings"
 
+	cerrdefs "github.com/containerd/errdefs"
 	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/lazyregexp"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -25,7 +25,7 @@ func (e emptyIDError) Error() string {
 // trimID trims the given object-ID / name, returning an error if it's empty.
 func trimID(objType, id string) (string, error) {
 	id = strings.TrimSpace(id)
-	if len(id) == 0 {
+	if id == "" {
 		return "", emptyIDError(objType)
 	}
 	return id, nil
@@ -90,7 +90,7 @@ func encodePlatforms(platform ...ocispec.Platform) ([]string, error) {
 func encodePlatform(platform *ocispec.Platform) (string, error) {
 	p, err := json.Marshal(platform)
 	if err != nil {
-		return "", errdefs.InvalidParameter(fmt.Errorf("invalid platform: %v", err))
+		return "", fmt.Errorf("%w: invalid platform: %v", cerrdefs.ErrInvalidArgument, err)
 	}
 	return string(p), nil
 }
diff --git a/vendor/github.com/docker/docker/client/version.go b/vendor/github.com/docker/docker/client/version.go
index 4566fd98..046af16c 100644
--- a/vendor/github.com/docker/docker/client/version.go
+++ b/vendor/github.com/docker/docker/client/version.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/volume_create.go b/vendor/github.com/docker/docker/client/volume_create.go
index bedb3abb..1aad3f47 100644
--- a/vendor/github.com/docker/docker/client/volume_create.go
+++ b/vendor/github.com/docker/docker/client/volume_create.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/volume_inspect.go b/vendor/github.com/docker/docker/client/volume_inspect.go
index ce32bbbb..389a4a71 100644
--- a/vendor/github.com/docker/docker/client/volume_inspect.go
+++ b/vendor/github.com/docker/docker/client/volume_inspect.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"bytes"
diff --git a/vendor/github.com/docker/docker/client/volume_list.go b/vendor/github.com/docker/docker/client/volume_list.go
index de6ce23a..61ed518c 100644
--- a/vendor/github.com/docker/docker/client/volume_list.go
+++ b/vendor/github.com/docker/docker/client/volume_list.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/volume_prune.go b/vendor/github.com/docker/docker/client/volume_prune.go
index 7da148fe..e22f0072 100644
--- a/vendor/github.com/docker/docker/client/volume_prune.go
+++ b/vendor/github.com/docker/docker/client/volume_prune.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/volume_remove.go b/vendor/github.com/docker/docker/client/volume_remove.go
index eefd9ce4..e2a53fa9 100644
--- a/vendor/github.com/docker/docker/client/volume_remove.go
+++ b/vendor/github.com/docker/docker/client/volume_remove.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/client/volume_update.go b/vendor/github.com/docker/docker/client/volume_update.go
index c91d5e98..879932f0 100644
--- a/vendor/github.com/docker/docker/client/volume_update.go
+++ b/vendor/github.com/docker/docker/client/volume_update.go
@@ -1,4 +1,4 @@
-package client // import "github.com/docker/docker/client"
+package client
 
 import (
 	"context"
diff --git a/vendor/github.com/docker/docker/errdefs/doc.go b/vendor/github.com/docker/docker/errdefs/doc.go
index c211f174..efbe8ba9 100644
--- a/vendor/github.com/docker/docker/errdefs/doc.go
+++ b/vendor/github.com/docker/docker/errdefs/doc.go
@@ -4,5 +4,5 @@
 // Packages should not reference these interfaces directly, only implement them.
 // To check if a particular error implements one of these interfaces, there are helper
 // functions provided (e.g. `Is<SomeError>`) which can be used rather than asserting the interfaces directly.
-// If you must assert on these interfaces, be sure to check the causal chain (`err.Cause()`).
-package errdefs // import "github.com/docker/docker/errdefs"
+// If you must assert on these interfaces, be sure to check the causal chain (`err.Unwrap()`).
+package errdefs
diff --git a/vendor/github.com/docker/docker/errdefs/helpers.go b/vendor/github.com/docker/docker/errdefs/helpers.go
index ab76e627..2a9f7ffd 100644
--- a/vendor/github.com/docker/docker/errdefs/helpers.go
+++ b/vendor/github.com/docker/docker/errdefs/helpers.go
@@ -1,6 +1,10 @@
 package errdefs
 
-import "context"
+import (
+	"context"
+
+	cerrdefs "github.com/containerd/errdefs"
+)
 
 type errNotFound struct{ error }
 
@@ -18,7 +22,7 @@ func (e errNotFound) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrNotFound],
 func NotFound(err error) error {
-	if err == nil || IsNotFound(err) {
+	if err == nil || cerrdefs.IsNotFound(err) {
 		return err
 	}
 	return errNotFound{err}
@@ -40,7 +44,7 @@ func (e errInvalidParameter) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrInvalidParameter],
 func InvalidParameter(err error) error {
-	if err == nil || IsInvalidParameter(err) {
+	if err == nil || cerrdefs.IsInvalidArgument(err) {
 		return err
 	}
 	return errInvalidParameter{err}
@@ -62,7 +66,7 @@ func (e errConflict) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrConflict],
 func Conflict(err error) error {
-	if err == nil || IsConflict(err) {
+	if err == nil || cerrdefs.IsConflict(err) {
 		return err
 	}
 	return errConflict{err}
@@ -84,7 +88,7 @@ func (e errUnauthorized) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrUnauthorized],
 func Unauthorized(err error) error {
-	if err == nil || IsUnauthorized(err) {
+	if err == nil || cerrdefs.IsUnauthorized(err) {
 		return err
 	}
 	return errUnauthorized{err}
@@ -106,7 +110,7 @@ func (e errUnavailable) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrUnavailable],
 func Unavailable(err error) error {
-	if err == nil || IsUnavailable(err) {
+	if err == nil || cerrdefs.IsUnavailable(err) {
 		return err
 	}
 	return errUnavailable{err}
@@ -128,7 +132,7 @@ func (e errForbidden) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrForbidden],
 func Forbidden(err error) error {
-	if err == nil || IsForbidden(err) {
+	if err == nil || cerrdefs.IsPermissionDenied(err) {
 		return err
 	}
 	return errForbidden{err}
@@ -150,7 +154,7 @@ func (e errSystem) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrSystem],
 func System(err error) error {
-	if err == nil || IsSystem(err) {
+	if err == nil || cerrdefs.IsInternal(err) {
 		return err
 	}
 	return errSystem{err}
@@ -172,7 +176,7 @@ func (e errNotModified) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [NotModified],
 func NotModified(err error) error {
-	if err == nil || IsNotModified(err) {
+	if err == nil || cerrdefs.IsNotModified(err) {
 		return err
 	}
 	return errNotModified{err}
@@ -194,7 +198,7 @@ func (e errNotImplemented) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrNotImplemented],
 func NotImplemented(err error) error {
-	if err == nil || IsNotImplemented(err) {
+	if err == nil || cerrdefs.IsNotImplemented(err) {
 		return err
 	}
 	return errNotImplemented{err}
@@ -216,7 +220,7 @@ func (e errUnknown) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrUnknown],
 func Unknown(err error) error {
-	if err == nil || IsUnknown(err) {
+	if err == nil || cerrdefs.IsUnknown(err) {
 		return err
 	}
 	return errUnknown{err}
@@ -238,7 +242,7 @@ func (e errCancelled) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrCancelled],
 func Cancelled(err error) error {
-	if err == nil || IsCancelled(err) {
+	if err == nil || cerrdefs.IsCanceled(err) {
 		return err
 	}
 	return errCancelled{err}
@@ -260,7 +264,7 @@ func (e errDeadline) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrDeadline],
 func Deadline(err error) error {
-	if err == nil || IsDeadline(err) {
+	if err == nil || cerrdefs.IsDeadlineExceeded(err) {
 		return err
 	}
 	return errDeadline{err}
@@ -282,7 +286,7 @@ func (e errDataLoss) Unwrap() error {
 // It returns the error as-is if it is either nil (no error) or already implements
 // [ErrDataLoss],
 func DataLoss(err error) error {
-	if err == nil || IsDataLoss(err) {
+	if err == nil || cerrdefs.IsDataLoss(err) {
 		return err
 	}
 	return errDataLoss{err}
diff --git a/vendor/github.com/docker/docker/errdefs/http_helpers.go b/vendor/github.com/docker/docker/errdefs/http_helpers.go
index 0a8fadd4..823ff2d9 100644
--- a/vendor/github.com/docker/docker/errdefs/http_helpers.go
+++ b/vendor/github.com/docker/docker/errdefs/http_helpers.go
@@ -5,6 +5,8 @@ import (
 )
 
 // FromStatusCode creates an errdef error, based on the provided HTTP status-code
+//
+// Deprecated: Use [cerrdefs.ToNative] instead
 func FromStatusCode(err error, statusCode int) error {
 	if err == nil {
 		return nil
@@ -33,12 +35,12 @@ func FromStatusCode(err error, statusCode int) error {
 		return System(err)
 	default:
 		switch {
-		case statusCode >= 200 && statusCode < 400:
+		case statusCode >= http.StatusOK && statusCode < http.StatusBadRequest:
 			// it's a client error
 			return err
-		case statusCode >= 400 && statusCode < 500:
+		case statusCode >= http.StatusBadRequest && statusCode < http.StatusInternalServerError:
 			return InvalidParameter(err)
-		case statusCode >= 500 && statusCode < 600:
+		case statusCode >= http.StatusInternalServerError && statusCode < 600:
 			return System(err)
 		default:
 			return Unknown(err)
diff --git a/vendor/github.com/docker/docker/errdefs/is.go b/vendor/github.com/docker/docker/errdefs/is.go
index 30ea7e6f..ceb754a9 100644
--- a/vendor/github.com/docker/docker/errdefs/is.go
+++ b/vendor/github.com/docker/docker/errdefs/is.go
@@ -3,119 +3,74 @@ package errdefs
 import (
 	"context"
 	"errors"
+
+	cerrdefs "github.com/containerd/errdefs"
 )
 
-type causer interface {
-	Cause() error
-}
-
-type wrapErr interface {
-	Unwrap() error
-}
-
-func getImplementer(err error) error {
-	switch e := err.(type) {
-	case
-		ErrNotFound,
-		ErrInvalidParameter,
-		ErrConflict,
-		ErrUnauthorized,
-		ErrUnavailable,
-		ErrForbidden,
-		ErrSystem,
-		ErrNotModified,
-		ErrNotImplemented,
-		ErrCancelled,
-		ErrDeadline,
-		ErrDataLoss,
-		ErrUnknown:
-		return err
-	case causer:
-		return getImplementer(e.Cause())
-	case wrapErr:
-		return getImplementer(e.Unwrap())
-	default:
-		return err
-	}
-}
-
 // IsNotFound returns if the passed in error is an [ErrNotFound],
-func IsNotFound(err error) bool {
-	_, ok := getImplementer(err).(ErrNotFound)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsNotFound]
+var IsNotFound = cerrdefs.IsNotFound
 
 // IsInvalidParameter returns if the passed in error is an [ErrInvalidParameter].
-func IsInvalidParameter(err error) bool {
-	_, ok := getImplementer(err).(ErrInvalidParameter)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsInvalidArgument]
+var IsInvalidParameter = cerrdefs.IsInvalidArgument
 
 // IsConflict returns if the passed in error is an [ErrConflict].
-func IsConflict(err error) bool {
-	_, ok := getImplementer(err).(ErrConflict)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsConflict]
+var IsConflict = cerrdefs.IsConflict
 
 // IsUnauthorized returns if the passed in error is an [ErrUnauthorized].
-func IsUnauthorized(err error) bool {
-	_, ok := getImplementer(err).(ErrUnauthorized)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsUnauthorized]
+var IsUnauthorized = cerrdefs.IsUnauthorized
 
 // IsUnavailable returns if the passed in error is an [ErrUnavailable].
-func IsUnavailable(err error) bool {
-	_, ok := getImplementer(err).(ErrUnavailable)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsUnavailable]
+var IsUnavailable = cerrdefs.IsUnavailable
 
 // IsForbidden returns if the passed in error is an [ErrForbidden].
-func IsForbidden(err error) bool {
-	_, ok := getImplementer(err).(ErrForbidden)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsPermissionDenied]
+var IsForbidden = cerrdefs.IsPermissionDenied
 
 // IsSystem returns if the passed in error is an [ErrSystem].
-func IsSystem(err error) bool {
-	_, ok := getImplementer(err).(ErrSystem)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsInternal]
+var IsSystem = cerrdefs.IsInternal
 
 // IsNotModified returns if the passed in error is an [ErrNotModified].
-func IsNotModified(err error) bool {
-	_, ok := getImplementer(err).(ErrNotModified)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsNotModified]
+var IsNotModified = cerrdefs.IsNotModified
 
 // IsNotImplemented returns if the passed in error is an [ErrNotImplemented].
-func IsNotImplemented(err error) bool {
-	_, ok := getImplementer(err).(ErrNotImplemented)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsNotImplemented]
+var IsNotImplemented = cerrdefs.IsNotImplemented
 
 // IsUnknown returns if the passed in error is an [ErrUnknown].
-func IsUnknown(err error) bool {
-	_, ok := getImplementer(err).(ErrUnknown)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsUnknown]
+var IsUnknown = cerrdefs.IsUnknown
 
 // IsCancelled returns if the passed in error is an [ErrCancelled].
-func IsCancelled(err error) bool {
-	_, ok := getImplementer(err).(ErrCancelled)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsCanceled]
+var IsCancelled = cerrdefs.IsCanceled
 
 // IsDeadline returns if the passed in error is an [ErrDeadline].
-func IsDeadline(err error) bool {
-	_, ok := getImplementer(err).(ErrDeadline)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsDeadlineExceeded]
+var IsDeadline = cerrdefs.IsDeadlineExceeded
 
 // IsDataLoss returns if the passed in error is an [ErrDataLoss].
-func IsDataLoss(err error) bool {
-	_, ok := getImplementer(err).(ErrDataLoss)
-	return ok
-}
+//
+// Deprecated: use containerd [cerrdefs.IsDataLoss]
+var IsDataLoss = cerrdefs.IsDataLoss
 
 // IsContext returns if the passed in error is due to context cancellation or deadline exceeded.
 func IsContext(err error) bool {
diff --git a/vendor/github.com/docker/docker/internal/multierror/multierror.go b/vendor/github.com/docker/docker/internal/multierror/multierror.go
index cf4d6a59..e899f4de 100644
--- a/vendor/github.com/docker/docker/internal/multierror/multierror.go
+++ b/vendor/github.com/docker/docker/internal/multierror/multierror.go
@@ -36,7 +36,7 @@ func (e *joinError) Error() string {
 	}
 	stringErrs := make([]string, 0, len(e.errs))
 	for _, subErr := range e.errs {
-		stringErrs = append(stringErrs, strings.Replace(subErr.Error(), "\n", "\n\t", -1))
+		stringErrs = append(stringErrs, strings.ReplaceAll(subErr.Error(), "\n", "\n\t"))
 	}
 	return "* " + strings.Join(stringErrs, "\n* ")
 }
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_deprecated.go b/vendor/github.com/docker/docker/pkg/archive/archive_deprecated.go
new file mode 100644
index 00000000..5bdbdef2
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_deprecated.go
@@ -0,0 +1,259 @@
+// Package archive provides helper functions for dealing with archive files.
+package archive
+
+import (
+	"archive/tar"
+	"io"
+	"os"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/compression"
+	"github.com/moby/go-archive/tarheader"
+)
+
+// ImpliedDirectoryMode represents the mode (Unix permissions) applied to directories that are implied by files in a
+// tar, but that do not have their own header entry.
+//
+// Deprecated: use [archive.ImpliedDirectoryMode] instead.
+const ImpliedDirectoryMode = archive.ImpliedDirectoryMode
+
+type (
+	// Compression is the state represents if compressed or not.
+	//
+	// Deprecated: use [compression.Compression] instead.
+	Compression = compression.Compression
+	// WhiteoutFormat is the format of whiteouts unpacked
+	//
+	// Deprecated: use [archive.WhiteoutFormat] instead.
+	WhiteoutFormat = archive.WhiteoutFormat
+
+	// TarOptions wraps the tar options.
+	//
+	// Deprecated: use [archive.TarOptions] instead.
+	TarOptions struct {
+		IncludeFiles     []string
+		ExcludePatterns  []string
+		Compression      compression.Compression
+		NoLchown         bool
+		IDMap            idtools.IdentityMapping
+		ChownOpts        *idtools.Identity
+		IncludeSourceDir bool
+		// WhiteoutFormat is the expected on disk format for whiteout files.
+		// This format will be converted to the standard format on pack
+		// and from the standard format on unpack.
+		WhiteoutFormat archive.WhiteoutFormat
+		// When unpacking, specifies whether overwriting a directory with a
+		// non-directory is allowed and vice versa.
+		NoOverwriteDirNonDir bool
+		// For each include when creating an archive, the included name will be
+		// replaced with the matching name from this map.
+		RebaseNames map[string]string
+		InUserNS    bool
+		// Allow unpacking to succeed in spite of failures to set extended
+		// attributes on the unpacked files due to the destination filesystem
+		// not supporting them or a lack of permissions. Extended attributes
+		// were probably in the archive for a reason, so set this option at
+		// your own peril.
+		BestEffortXattrs bool
+	}
+)
+
+// Archiver implements the Archiver interface and allows the reuse of most utility functions of
+// this package with a pluggable Untar function. Also, to facilitate the passing of specific id
+// mappings for untar, an Archiver can be created with maps which will then be passed to Untar operations.
+//
+// Deprecated: use [archive.Archiver] instead.
+type Archiver struct {
+	Untar     func(io.Reader, string, *TarOptions) error
+	IDMapping idtools.IdentityMapping
+}
+
+// NewDefaultArchiver returns a new Archiver without any IdentityMapping
+//
+// Deprecated: use [archive.NewDefaultArchiver] instead.
+func NewDefaultArchiver() *Archiver {
+	return &Archiver{Untar: Untar}
+}
+
+const (
+	Uncompressed = compression.None  // Deprecated: use [compression.None] instead.
+	Bzip2        = compression.Bzip2 // Deprecated: use [compression.Bzip2] instead.
+	Gzip         = compression.Gzip  // Deprecated: use [compression.Gzip] instead.
+	Xz           = compression.Xz    // Deprecated: use [compression.Xz] instead.
+	Zstd         = compression.Zstd  // Deprecated: use [compression.Zstd] instead.
+)
+
+const (
+	AUFSWhiteoutFormat    = archive.AUFSWhiteoutFormat    // Deprecated: use [archive.AUFSWhiteoutFormat] instead.
+	OverlayWhiteoutFormat = archive.OverlayWhiteoutFormat // Deprecated: use [archive.OverlayWhiteoutFormat] instead.
+)
+
+// IsArchivePath checks if the (possibly compressed) file at the given path
+// starts with a tar file header.
+//
+// Deprecated: use [archive.IsArchivePath] instead.
+func IsArchivePath(path string) bool {
+	return archive.IsArchivePath(path)
+}
+
+// DetectCompression detects the compression algorithm of the source.
+//
+// Deprecated: use [compression.Detect] instead.
+func DetectCompression(source []byte) archive.Compression {
+	return compression.Detect(source)
+}
+
+// DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.
+//
+// Deprecated: use [compression.DecompressStream] instead.
+func DecompressStream(arch io.Reader) (io.ReadCloser, error) {
+	return compression.DecompressStream(arch)
+}
+
+// CompressStream compresses the dest with specified compression algorithm.
+//
+// Deprecated: use [compression.CompressStream] instead.
+func CompressStream(dest io.Writer, comp compression.Compression) (io.WriteCloser, error) {
+	return compression.CompressStream(dest, comp)
+}
+
+// TarModifierFunc is a function that can be passed to ReplaceFileTarWrapper.
+//
+// Deprecated: use [archive.TarModifierFunc] instead.
+type TarModifierFunc = archive.TarModifierFunc
+
+// ReplaceFileTarWrapper converts inputTarStream to a new tar stream.
+//
+// Deprecated: use [archive.ReplaceFileTarWrapper] instead.
+func ReplaceFileTarWrapper(inputTarStream io.ReadCloser, mods map[string]archive.TarModifierFunc) io.ReadCloser {
+	return archive.ReplaceFileTarWrapper(inputTarStream, mods)
+}
+
+// FileInfoHeaderNoLookups creates a partially-populated tar.Header from fi.
+//
+// Deprecated: use [tarheader.FileInfoHeaderNoLookups] instead.
+func FileInfoHeaderNoLookups(fi os.FileInfo, link string) (*tar.Header, error) {
+	return tarheader.FileInfoHeaderNoLookups(fi, link)
+}
+
+// FileInfoHeader creates a populated Header from fi.
+//
+// Deprecated: use [archive.FileInfoHeader] instead.
+func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, error) {
+	return archive.FileInfoHeader(name, fi, link)
+}
+
+// ReadSecurityXattrToTarHeader reads security.capability xattr from filesystem
+// to a tar header
+//
+// Deprecated: use [archive.ReadSecurityXattrToTarHeader] instead.
+func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
+	return archive.ReadSecurityXattrToTarHeader(path, hdr)
+}
+
+// Tar creates an archive from the directory at `path`, and returns it as a
+// stream of bytes.
+//
+// Deprecated: use [archive.Tar] instead.
+func Tar(path string, compression archive.Compression) (io.ReadCloser, error) {
+	return archive.TarWithOptions(path, &archive.TarOptions{Compression: compression})
+}
+
+// TarWithOptions creates an archive with the given options.
+//
+// Deprecated: use [archive.TarWithOptions] instead.
+func TarWithOptions(srcPath string, options *TarOptions) (io.ReadCloser, error) {
+	return archive.TarWithOptions(srcPath, toArchiveOpt(options))
+}
+
+// Tarballer is a lower-level interface to TarWithOptions.
+//
+// Deprecated: use [archive.Tarballer] instead.
+type Tarballer = archive.Tarballer
+
+// NewTarballer constructs a new tarballer using TarWithOptions.
+//
+// Deprecated: use [archive.Tarballer] instead.
+func NewTarballer(srcPath string, options *TarOptions) (*archive.Tarballer, error) {
+	return archive.NewTarballer(srcPath, toArchiveOpt(options))
+}
+
+// Unpack unpacks the decompressedArchive to dest with options.
+//
+// Deprecated: use [archive.Unpack] instead.
+func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) error {
+	return archive.Unpack(decompressedArchive, dest, toArchiveOpt(options))
+}
+
+// Untar reads a stream of bytes from `archive`, parses it as a tar archive,
+// and unpacks it into the directory at `dest`.
+//
+// Deprecated: use [archive.Untar] instead.
+func Untar(tarArchive io.Reader, dest string, options *TarOptions) error {
+	return archive.Untar(tarArchive, dest, toArchiveOpt(options))
+}
+
+// UntarUncompressed reads a stream of bytes from `tarArchive`, parses it as a tar archive,
+// and unpacks it into the directory at `dest`.
+// The archive must be an uncompressed stream.
+//
+// Deprecated: use [archive.UntarUncompressed] instead.
+func UntarUncompressed(tarArchive io.Reader, dest string, options *TarOptions) error {
+	return archive.UntarUncompressed(tarArchive, dest, toArchiveOpt(options))
+}
+
+// TarUntar is a convenience function which calls Tar and Untar, with the output of one piped into the other.
+// If either Tar or Untar fails, TarUntar aborts and returns the error.
+func (archiver *Archiver) TarUntar(src, dst string) error {
+	return (&archive.Archiver{
+		Untar: func(reader io.Reader, s string, options *archive.TarOptions) error {
+			return archiver.Untar(reader, s, &TarOptions{
+				IDMap: archiver.IDMapping,
+			})
+		},
+		IDMapping: idtools.ToUserIdentityMapping(archiver.IDMapping),
+	}).TarUntar(src, dst)
+}
+
+// UntarPath untar a file from path to a destination, src is the source tar file path.
+func (archiver *Archiver) UntarPath(src, dst string) error {
+	return (&archive.Archiver{
+		Untar: func(reader io.Reader, s string, options *archive.TarOptions) error {
+			return archiver.Untar(reader, s, &TarOptions{
+				IDMap: archiver.IDMapping,
+			})
+		},
+		IDMapping: idtools.ToUserIdentityMapping(archiver.IDMapping),
+	}).UntarPath(src, dst)
+}
+
+// CopyWithTar creates a tar archive of filesystem path `src`, and
+// unpacks it at filesystem path `dst`.
+// The archive is streamed directly with fixed buffering and no
+// intermediary disk IO.
+func (archiver *Archiver) CopyWithTar(src, dst string) error {
+	return (&archive.Archiver{
+		Untar: func(reader io.Reader, s string, options *archive.TarOptions) error {
+			return archiver.Untar(reader, s, nil)
+		},
+		IDMapping: idtools.ToUserIdentityMapping(archiver.IDMapping),
+	}).CopyWithTar(src, dst)
+}
+
+// CopyFileWithTar emulates the behavior of the 'cp' command-line
+// for a single file. It copies a regular file from path `src` to
+// path `dst`, and preserves all its metadata.
+func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
+	return (&archive.Archiver{
+		Untar: func(reader io.Reader, s string, options *archive.TarOptions) error {
+			return archiver.Untar(reader, s, nil)
+		},
+		IDMapping: idtools.ToUserIdentityMapping(archiver.IDMapping),
+	}).CopyFileWithTar(src, dst)
+}
+
+// IdentityMapping returns the IdentityMapping of the archiver.
+func (archiver *Archiver) IdentityMapping() idtools.IdentityMapping {
+	return archiver.IDMapping
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_deprecated.go b/vendor/github.com/docker/docker/pkg/archive/changes_deprecated.go
new file mode 100644
index 00000000..48c75235
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_deprecated.go
@@ -0,0 +1,56 @@
+package archive
+
+import (
+	"io"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive"
+)
+
+// ChangeType represents the change
+//
+// Deprecated: use [archive.ChangeType] instead.
+type ChangeType = archive.ChangeType
+
+const (
+	ChangeModify = archive.ChangeModify // Deprecated: use [archive.ChangeModify] instead.
+	ChangeAdd    = archive.ChangeAdd    // Deprecated: use [archive.ChangeAdd] instead.
+	ChangeDelete = archive.ChangeDelete // Deprecated: use [archive.ChangeDelete] instead.
+)
+
+// Change represents a change.
+//
+// Deprecated: use [archive.Change] instead.
+type Change = archive.Change
+
+// Changes walks the path rw and determines changes for the files in the path,
+// with respect to the parent layers
+//
+// Deprecated: use [archive.Changes] instead.
+func Changes(layers []string, rw string) ([]archive.Change, error) {
+	return archive.Changes(layers, rw)
+}
+
+// FileInfo describes the information of a file.
+//
+// Deprecated: use [archive.FileInfo] instead.
+type FileInfo = archive.FileInfo
+
+// ChangesDirs compares two directories and generates an array of Change objects describing the changes.
+//
+// Deprecated: use [archive.ChangesDirs] instead.
+func ChangesDirs(newDir, oldDir string) ([]archive.Change, error) {
+	return archive.ChangesDirs(newDir, oldDir)
+}
+
+// ChangesSize calculates the size in bytes of the provided changes, based on newDir.
+//
+// Deprecated: use [archive.ChangesSize] instead.
+func ChangesSize(newDir string, changes []archive.Change) int64 {
+	return archive.ChangesSize(newDir, changes)
+}
+
+// ExportChanges produces an Archive from the provided changes, relative to dir.
+func ExportChanges(dir string, changes []archive.Change, idMap idtools.IdentityMapping) (io.ReadCloser, error) {
+	return archive.ExportChanges(dir, changes, idtools.ToUserIdentityMapping(idMap))
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy_deprecated.go b/vendor/github.com/docker/docker/pkg/archive/copy_deprecated.go
new file mode 100644
index 00000000..1901e55c
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/copy_deprecated.go
@@ -0,0 +1,130 @@
+package archive
+
+import (
+	"io"
+
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/compression"
+)
+
+var (
+	ErrNotDirectory      = archive.ErrNotDirectory      // Deprecated: use [archive.ErrNotDirectory] instead.
+	ErrDirNotExists      = archive.ErrDirNotExists      // Deprecated: use [archive.ErrDirNotExists] instead.
+	ErrCannotCopyDir     = archive.ErrCannotCopyDir     // Deprecated: use [archive.ErrCannotCopyDir] instead.
+	ErrInvalidCopySource = archive.ErrInvalidCopySource // Deprecated: use [archive.ErrInvalidCopySource] instead.
+)
+
+// PreserveTrailingDotOrSeparator returns the given cleaned path.
+//
+// Deprecated: use [archive.PreserveTrailingDotOrSeparator] instead.
+func PreserveTrailingDotOrSeparator(cleanedPath string, originalPath string) string {
+	return archive.PreserveTrailingDotOrSeparator(cleanedPath, originalPath)
+}
+
+// SplitPathDirEntry splits the given path between its directory name and its
+// basename.
+//
+// Deprecated: use [archive.SplitPathDirEntry] instead.
+func SplitPathDirEntry(path string) (dir, base string) {
+	return archive.SplitPathDirEntry(path)
+}
+
+// TarResource archives the resource described by the given CopyInfo to a Tar
+// archive.
+//
+// Deprecated: use [archive.TarResource] instead.
+func TarResource(sourceInfo archive.CopyInfo) (content io.ReadCloser, err error) {
+	return archive.TarResource(sourceInfo)
+}
+
+// TarResourceRebase is like TarResource but renames the first path element of
+// items in the resulting tar archive to match the given rebaseName if not "".
+//
+// Deprecated: use [archive.TarResourceRebase] instead.
+func TarResourceRebase(sourcePath, rebaseName string) (content io.ReadCloser, _ error) {
+	return archive.TarResourceRebase(sourcePath, rebaseName)
+}
+
+// TarResourceRebaseOpts does not preform the Tar, but instead just creates the rebase
+// parameters to be sent to TarWithOptions.
+//
+// Deprecated: use [archive.TarResourceRebaseOpts] instead.
+func TarResourceRebaseOpts(sourceBase string, rebaseName string) *TarOptions {
+	filter := []string{sourceBase}
+	return &TarOptions{
+		Compression:      compression.None,
+		IncludeFiles:     filter,
+		IncludeSourceDir: true,
+		RebaseNames: map[string]string{
+			sourceBase: rebaseName,
+		},
+	}
+}
+
+// CopyInfo holds basic info about the source or destination path of a copy operation.
+//
+// Deprecated: use [archive.CopyInfo] instead.
+type CopyInfo = archive.CopyInfo
+
+// CopyInfoSourcePath stats the given path to create a CopyInfo struct.
+// struct representing that resource for the source of an archive copy
+// operation.
+//
+// Deprecated: use [archive.CopyInfoSourcePath] instead.
+func CopyInfoSourcePath(path string, followLink bool) (archive.CopyInfo, error) {
+	return archive.CopyInfoSourcePath(path, followLink)
+}
+
+// CopyInfoDestinationPath stats the given path to create a CopyInfo
+// struct representing that resource for the destination of an archive copy
+// operation.
+//
+// Deprecated: use [archive.CopyInfoDestinationPath] instead.
+func CopyInfoDestinationPath(path string) (info archive.CopyInfo, err error) {
+	return archive.CopyInfoDestinationPath(path)
+}
+
+// PrepareArchiveCopy prepares the given srcContent archive.
+//
+// Deprecated: use [archive.PrepareArchiveCopy] instead.
+func PrepareArchiveCopy(srcContent io.Reader, srcInfo, dstInfo archive.CopyInfo) (dstDir string, content io.ReadCloser, err error) {
+	return archive.PrepareArchiveCopy(srcContent, srcInfo, dstInfo)
+}
+
+// RebaseArchiveEntries rewrites the given srcContent archive replacing
+// an occurrence of oldBase with newBase at the beginning of entry names.
+//
+// Deprecated: use [archive.RebaseArchiveEntries] instead.
+func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.ReadCloser {
+	return archive.RebaseArchiveEntries(srcContent, oldBase, newBase)
+}
+
+// CopyResource performs an archive copy from the given source path to the
+// given destination path.
+//
+// Deprecated: use [archive.CopyResource] instead.
+func CopyResource(srcPath, dstPath string, followLink bool) error {
+	return archive.CopyResource(srcPath, dstPath, followLink)
+}
+
+// CopyTo handles extracting the given content whose
+// entries should be sourced from srcInfo to dstPath.
+//
+// Deprecated: use [archive.CopyTo] instead.
+func CopyTo(content io.Reader, srcInfo archive.CopyInfo, dstPath string) error {
+	return archive.CopyTo(content, srcInfo, dstPath)
+}
+
+// ResolveHostSourcePath decides real path need to be copied.
+//
+// Deprecated: use [archive.ResolveHostSourcePath] instead.
+func ResolveHostSourcePath(path string, followLink bool) (resolvedPath, rebaseName string, _ error) {
+	return archive.ResolveHostSourcePath(path, followLink)
+}
+
+// GetRebaseName normalizes and compares path and resolvedPath.
+//
+// Deprecated: use [archive.GetRebaseName] instead.
+func GetRebaseName(path, resolvedPath string) (string, string) {
+	return archive.GetRebaseName(path, resolvedPath)
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go b/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go
deleted file mode 100644
index aa8e2915..00000000
--- a/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go
+++ /dev/null
@@ -1,7 +0,0 @@
-//go:build freebsd
-
-package archive
-
-import "golang.org/x/sys/unix"
-
-var mknod = unix.Mknod
diff --git a/vendor/github.com/docker/docker/pkg/archive/diff_deprecated.go b/vendor/github.com/docker/docker/pkg/archive/diff_deprecated.go
new file mode 100644
index 00000000..dd5e0d5e
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/diff_deprecated.go
@@ -0,0 +1,37 @@
+package archive
+
+import (
+	"io"
+
+	"github.com/moby/go-archive"
+)
+
+// UnpackLayer unpack `layer` to a `dest`.
+//
+// Deprecated: use [archive.UnpackLayer] instead.
+func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64, err error) {
+	return archive.UnpackLayer(dest, layer, toArchiveOpt(options))
+}
+
+// ApplyLayer parses a diff in the standard layer format from `layer`,
+// and applies it to the directory `dest`.
+//
+// Deprecated: use [archive.ApplyLayer] instead.
+func ApplyLayer(dest string, layer io.Reader) (int64, error) {
+	return archive.ApplyLayer(dest, layer)
+}
+
+// ApplyUncompressedLayer parses a diff in the standard layer format from
+// `layer`, and applies it to the directory `dest`.
+//
+// Deprecated: use [archive.ApplyUncompressedLayer] instead.
+func ApplyUncompressedLayer(dest string, layer io.Reader, options *TarOptions) (int64, error) {
+	return archive.ApplyUncompressedLayer(dest, layer, toArchiveOpt(options))
+}
+
+// IsEmpty checks if the tar archive is empty (doesn't contain any entries).
+//
+// Deprecated: use [archive.IsEmpty] instead.
+func IsEmpty(rd io.Reader) (bool, error) {
+	return archive.IsEmpty(rd)
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/path_deprecated.go b/vendor/github.com/docker/docker/pkg/archive/path_deprecated.go
new file mode 100644
index 00000000..0fa74de6
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/path_deprecated.go
@@ -0,0 +1,10 @@
+package archive
+
+import "github.com/moby/go-archive"
+
+// CheckSystemDriveAndRemoveDriveLetter verifies that a path is the system drive.
+//
+// Deprecated: use [archive.CheckSystemDriveAndRemoveDriveLetter] instead.
+func CheckSystemDriveAndRemoveDriveLetter(path string) (string, error) {
+	return archive.CheckSystemDriveAndRemoveDriveLetter(path)
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/utils.go b/vendor/github.com/docker/docker/pkg/archive/utils.go
new file mode 100644
index 00000000..692cf160
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/utils.go
@@ -0,0 +1,42 @@
+package archive
+
+import (
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/go-archive"
+)
+
+// ToArchiveOpt converts an [TarOptions] to a [archive.TarOptions].
+//
+// Deprecated: use [archive.TarOptions] instead, this utility is for internal use to transition to the [github.com/moby/go-archive] module.
+func ToArchiveOpt(options *TarOptions) *archive.TarOptions {
+	return toArchiveOpt(options)
+}
+
+func toArchiveOpt(options *TarOptions) *archive.TarOptions {
+	if options == nil {
+		return nil
+	}
+
+	var chownOpts *archive.ChownOpts
+	if options.ChownOpts != nil {
+		chownOpts = &archive.ChownOpts{
+			UID: options.ChownOpts.UID,
+			GID: options.ChownOpts.GID,
+		}
+	}
+
+	return &archive.TarOptions{
+		IncludeFiles:         options.IncludeFiles,
+		ExcludePatterns:      options.ExcludePatterns,
+		Compression:          options.Compression,
+		NoLchown:             options.NoLchown,
+		IDMap:                idtools.ToUserIdentityMapping(options.IDMap),
+		ChownOpts:            chownOpts,
+		IncludeSourceDir:     options.IncludeSourceDir,
+		WhiteoutFormat:       options.WhiteoutFormat,
+		NoOverwriteDirNonDir: options.NoOverwriteDirNonDir,
+		RebaseNames:          options.RebaseNames,
+		InUserNS:             options.InUserNS,
+		BestEffortXattrs:     options.BestEffortXattrs,
+	}
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/whiteouts_deprecated.go b/vendor/github.com/docker/docker/pkg/archive/whiteouts_deprecated.go
new file mode 100644
index 00000000..0ab8590b
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/whiteouts_deprecated.go
@@ -0,0 +1,10 @@
+package archive
+
+import "github.com/moby/go-archive"
+
+const (
+	WhiteoutPrefix     = archive.WhiteoutPrefix     // Deprecated: use [archive.WhiteoutPrefix] instead.
+	WhiteoutMetaPrefix = archive.WhiteoutMetaPrefix // Deprecated: use [archive.WhiteoutMetaPrefix] instead.
+	WhiteoutLinkDir    = archive.WhiteoutLinkDir    // Deprecated: use [archive.WhiteoutLinkDir] instead.
+	WhiteoutOpaqueDir  = archive.WhiteoutOpaqueDir  // Deprecated: use [archive.WhiteoutOpaqueDir] instead.
+)
diff --git a/vendor/github.com/docker/docker/pkg/archive/wrap_deprecated.go b/vendor/github.com/docker/docker/pkg/archive/wrap_deprecated.go
new file mode 100644
index 00000000..e5d3fa9a
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/wrap_deprecated.go
@@ -0,0 +1,14 @@
+package archive
+
+import (
+	"io"
+
+	"github.com/moby/go-archive"
+)
+
+// Generate generates a new archive from the content provided as input.
+//
+// Deprecated: use [archive.Generate] instead.
+func Generate(input ...string) (io.Reader, error) {
+	return archive.Generate(input...)
+}
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
index ded1c7c8..469395f1 100644
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
+++ b/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
@@ -1,4 +1,4 @@
-package homedir // import "github.com/docker/docker/pkg/homedir"
+package homedir
 
 import (
 	"errors"
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go
index 4eeb26b5..1e41e6aa 100644
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go
+++ b/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go
@@ -1,6 +1,6 @@
 //go:build !linux
 
-package homedir // import "github.com/docker/docker/pkg/homedir"
+package homedir
 
 import (
 	"errors"
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools.go b/vendor/github.com/docker/docker/pkg/idtools/idtools.go
index d2fbd943..982f81d4 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools.go
@@ -3,11 +3,15 @@ package idtools
 import (
 	"fmt"
 	"os"
+
+	"github.com/moby/sys/user"
 )
 
 // IDMap contains a single entry for user namespace range remapping. An array
 // of IDMap entries represents the structure that will be provided to the Linux
 // kernel for creating a user namespace.
+//
+// Deprecated: use [user.IDMap] instead.
 type IDMap struct {
 	ContainerID int `json:"container_id"`
 	HostID      int `json:"host_id"`
@@ -17,28 +21,42 @@ type IDMap struct {
 // MkdirAllAndChown creates a directory (include any along the path) and then modifies
 // ownership to the requested uid/gid.  If the directory already exists, this
 // function will still change ownership and permissions.
+//
+// Deprecated: use [user.MkdirAllAndChown] instead.
 func MkdirAllAndChown(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, true, true)
+	return user.MkdirAllAndChown(path, mode, owner.UID, owner.GID)
 }
 
 // MkdirAndChown creates a directory and then modifies ownership to the requested uid/gid.
 // If the directory already exists, this function still changes ownership and permissions.
 // Note that unlike os.Mkdir(), this function does not return IsExist error
 // in case path already exists.
+//
+// Deprecated: use [user.MkdirAndChown] instead.
 func MkdirAndChown(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, false, true)
+	return user.MkdirAndChown(path, mode, owner.UID, owner.GID)
 }
 
 // MkdirAllAndChownNew creates a directory (include any along the path) and then modifies
 // ownership ONLY of newly created directories to the requested uid/gid. If the
 // directories along the path exist, no change of ownership or permissions will be performed
+//
+// Deprecated: use [user.MkdirAllAndChown] with the [user.WithOnlyNew] option instead.
 func MkdirAllAndChownNew(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, true, false)
+	return user.MkdirAllAndChown(path, mode, owner.UID, owner.GID, user.WithOnlyNew)
 }
 
 // GetRootUIDGID retrieves the remapped root uid/gid pair from the set of maps.
 // If the maps are empty, then the root uid/gid will default to "real" 0/0
+//
+// Deprecated: use [(user.IdentityMapping).RootPair] instead.
 func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+	return getRootUIDGID(uidMap, gidMap)
+}
+
+// getRootUIDGID retrieves the remapped root uid/gid pair from the set of maps.
+// If the maps are empty, then the root uid/gid will default to "real" 0/0
+func getRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
 	uid, err := toHost(0, uidMap)
 	if err != nil {
 		return -1, -1, err
@@ -90,22 +108,76 @@ type Identity struct {
 }
 
 // Chown changes the numeric uid and gid of the named file to id.UID and id.GID.
+//
+// Deprecated: this method is deprecated and will be removed in the next release.
 func (id Identity) Chown(name string) error {
 	return os.Chown(name, id.UID, id.GID)
 }
 
 // IdentityMapping contains a mappings of UIDs and GIDs.
 // The zero value represents an empty mapping.
+//
+// Deprecated: this type is deprecated and will be removed in the next release.
 type IdentityMapping struct {
 	UIDMaps []IDMap `json:"UIDMaps"`
 	GIDMaps []IDMap `json:"GIDMaps"`
 }
 
+// FromUserIdentityMapping converts a [user.IdentityMapping] to an [idtools.IdentityMapping].
+//
+// Deprecated: use [user.IdentityMapping] directly, this is transitioning to user package.
+func FromUserIdentityMapping(u user.IdentityMapping) IdentityMapping {
+	return IdentityMapping{
+		UIDMaps: fromUserIDMap(u.UIDMaps),
+		GIDMaps: fromUserIDMap(u.GIDMaps),
+	}
+}
+
+func fromUserIDMap(u []user.IDMap) []IDMap {
+	if u == nil {
+		return nil
+	}
+	m := make([]IDMap, len(u))
+	for i := range u {
+		m[i] = IDMap{
+			ContainerID: int(u[i].ID),
+			HostID:      int(u[i].ParentID),
+			Size:        int(u[i].Count),
+		}
+	}
+	return m
+}
+
+// ToUserIdentityMapping converts an [idtools.IdentityMapping] to a [user.IdentityMapping].
+//
+// Deprecated: use [user.IdentityMapping] directly, this is transitioning to user package.
+func ToUserIdentityMapping(u IdentityMapping) user.IdentityMapping {
+	return user.IdentityMapping{
+		UIDMaps: toUserIDMap(u.UIDMaps),
+		GIDMaps: toUserIDMap(u.GIDMaps),
+	}
+}
+
+func toUserIDMap(u []IDMap) []user.IDMap {
+	if u == nil {
+		return nil
+	}
+	m := make([]user.IDMap, len(u))
+	for i := range u {
+		m[i] = user.IDMap{
+			ID:       int64(u[i].ContainerID),
+			ParentID: int64(u[i].HostID),
+			Count:    int64(u[i].Size),
+		}
+	}
+	return m
+}
+
 // RootPair returns a uid and gid pair for the root user. The error is ignored
 // because a root user always exists, and the defaults are correct when the uid
 // and gid maps are empty.
 func (i IdentityMapping) RootPair() Identity {
-	uid, gid, _ := GetRootUIDGID(i.UIDMaps, i.GIDMaps)
+	uid, gid, _ := getRootUIDGID(i.UIDMaps, i.GIDMaps)
 	return Identity{UID: uid, GID: gid}
 }
 
@@ -144,6 +216,8 @@ func (i IdentityMapping) Empty() bool {
 }
 
 // CurrentIdentity returns the identity of the current process
+//
+// Deprecated: use [os.Getuid] and [os.Getegid] instead.
 func CurrentIdentity() Identity {
 	return Identity{UID: os.Getuid(), GID: os.Getegid()}
 }
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go b/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
index a12b1404..f83f59f3 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
@@ -1,9 +1,5 @@
 package idtools
 
-import (
-	"os"
-)
-
 const (
 	SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
 )
@@ -14,11 +10,3 @@ const (
 
 	ContainerUserSidString = "S-1-5-93-2-2"
 )
-
-// This is currently a wrapper around [os.MkdirAll] since currently
-// permissions aren't set through this path, the identity isn't utilized.
-// Ownership is handled elsewhere, but in the future could be support here
-// too.
-func mkdirAs(path string, _ os.FileMode, _ Identity, _, _ bool) error {
-	return os.MkdirAll(path, 0)
-}
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/fswriters_deprecated.go b/vendor/github.com/docker/docker/pkg/ioutils/fswriters_deprecated.go
index c3cee16d..f34e0691 100644
--- a/vendor/github.com/docker/docker/pkg/ioutils/fswriters_deprecated.go
+++ b/vendor/github.com/docker/docker/pkg/ioutils/fswriters_deprecated.go
@@ -4,7 +4,7 @@ import (
 	"io"
 	"os"
 
-	"github.com/docker/docker/pkg/atomicwriter"
+	"github.com/moby/sys/atomicwriter"
 )
 
 // NewAtomicFileWriter returns WriteCloser so that writing to it writes to a
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/readers.go b/vendor/github.com/docker/docker/pkg/ioutils/readers.go
index 9ddba246..21c7a2f6 100644
--- a/vendor/github.com/docker/docker/pkg/ioutils/readers.go
+++ b/vendor/github.com/docker/docker/pkg/ioutils/readers.go
@@ -1,4 +1,4 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
+package ioutils
 
 import (
 	"context"
@@ -88,14 +88,14 @@ func NewCancelReadCloser(ctx context.Context, in io.ReadCloser) io.ReadCloser {
 
 // Read wraps the Read method of the pipe that provides data from the wrapped
 // ReadCloser.
-func (p *cancelReadCloser) Read(buf []byte) (n int, err error) {
+func (p *cancelReadCloser) Read(buf []byte) (int, error) {
 	return p.pR.Read(buf)
 }
 
 // closeWithError closes the wrapper and its underlying reader. It will
 // cause future calls to Read to return err.
 func (p *cancelReadCloser) closeWithError(err error) {
-	p.pW.CloseWithError(err)
+	_ = p.pW.CloseWithError(err)
 	p.cancel()
 }
 
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/writeflusher.go b/vendor/github.com/docker/docker/pkg/ioutils/writeflusher.go
index 010db59f..8d60ef2f 100644
--- a/vendor/github.com/docker/docker/pkg/ioutils/writeflusher.go
+++ b/vendor/github.com/docker/docker/pkg/ioutils/writeflusher.go
@@ -1,4 +1,4 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
+package ioutils
 
 import (
 	"io"
@@ -21,14 +21,14 @@ type flusher interface {
 	Flush()
 }
 
-func (wf *WriteFlusher) Write(b []byte) (n int, err error) {
+func (wf *WriteFlusher) Write(b []byte) (int, error) {
 	select {
 	case <-wf.closed:
 		return 0, io.EOF
 	default:
 	}
 
-	n, err = wf.w.Write(b)
+	n, err := wf.w.Write(b)
 	wf.Flush() // every write is a flush.
 	return n, err
 }
diff --git a/vendor/github.com/docker/docker/pkg/ioutils/writers.go b/vendor/github.com/docker/docker/pkg/ioutils/writers.go
index 9c2d5d3b..4cf2d4de 100644
--- a/vendor/github.com/docker/docker/pkg/ioutils/writers.go
+++ b/vendor/github.com/docker/docker/pkg/ioutils/writers.go
@@ -1,4 +1,4 @@
-package ioutils // import "github.com/docker/docker/pkg/ioutils"
+package ioutils
 
 import (
 	"io"
diff --git a/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go b/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
index 1a05de4d..3d072808 100644
--- a/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
+++ b/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
@@ -1,4 +1,4 @@
-package jsonmessage // import "github.com/docker/docker/pkg/jsonmessage"
+package jsonmessage
 
 import (
 	"encoding/json"
diff --git a/vendor/github.com/docker/docker/pkg/progress/progress.go b/vendor/github.com/docker/docker/pkg/progress/progress.go
index 32300914..3f9887c5 100644
--- a/vendor/github.com/docker/docker/pkg/progress/progress.go
+++ b/vendor/github.com/docker/docker/pkg/progress/progress.go
@@ -1,4 +1,4 @@
-package progress // import "github.com/docker/docker/pkg/progress"
+package progress
 
 import (
 	"fmt"
diff --git a/vendor/github.com/docker/docker/pkg/progress/progressreader.go b/vendor/github.com/docker/docker/pkg/progress/progressreader.go
index 07450a2d..7a2954ec 100644
--- a/vendor/github.com/docker/docker/pkg/progress/progressreader.go
+++ b/vendor/github.com/docker/docker/pkg/progress/progressreader.go
@@ -1,4 +1,4 @@
-package progress // import "github.com/docker/docker/pkg/progress"
+package progress
 
 import (
 	"io"
@@ -31,7 +31,7 @@ func NewProgressReader(in io.ReadCloser, out Output, size int64, id, action stri
 	}
 }
 
-func (p *Reader) Read(buf []byte) (n int, err error) {
+func (p *Reader) Read(buf []byte) (int, error) {
 	read, err := p.in.Read(buf)
 	p.current += int64(read)
 	updateEvery := int64(1024 * 512) // 512kB
diff --git a/vendor/github.com/docker/docker/pkg/stdcopy/stdcopy.go b/vendor/github.com/docker/docker/pkg/stdcopy/stdcopy.go
index 8f6e0a73..611432a6 100644
--- a/vendor/github.com/docker/docker/pkg/stdcopy/stdcopy.go
+++ b/vendor/github.com/docker/docker/pkg/stdcopy/stdcopy.go
@@ -1,4 +1,4 @@
-package stdcopy // import "github.com/docker/docker/pkg/stdcopy"
+package stdcopy
 
 import (
 	"bytes"
@@ -43,9 +43,9 @@ type stdWriter struct {
 // It inserts the prefix header before the buffer,
 // so stdcopy.StdCopy knows where to multiplex the output.
 // It makes stdWriter to implement io.Writer.
-func (w *stdWriter) Write(p []byte) (n int, err error) {
+func (w *stdWriter) Write(p []byte) (int, error) {
 	if w == nil || w.Writer == nil {
-		return 0, errors.New("Writer not instantiated")
+		return 0, errors.New("writer not instantiated")
 	}
 	if p == nil {
 		return 0, nil
@@ -57,7 +57,7 @@ func (w *stdWriter) Write(p []byte) (n int, err error) {
 	buf.Write(header[:])
 	buf.Write(p)
 
-	n, err = w.Writer.Write(buf.Bytes())
+	n, err := w.Writer.Write(buf.Bytes())
 	n -= stdWriterPrefixLen
 	if n < 0 {
 		n = 0
@@ -65,7 +65,7 @@ func (w *stdWriter) Write(p []byte) (n int, err error) {
 
 	buf.Reset()
 	bufPool.Put(buf)
-	return
+	return n, err
 }
 
 // NewStdWriter instantiates a new Writer.
@@ -91,12 +91,12 @@ func NewStdWriter(w io.Writer, t StdType) io.Writer {
 // In other words: if `err` is non nil, it indicates a real underlying error.
 //
 // `written` will hold the total number of bytes written to `dstout` and `dsterr`.
-func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, err error) {
+func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, _ error) {
 	var (
 		buf       = make([]byte, startingBufLen)
 		bufLen    = len(buf)
 		nr, nw    int
-		er, ew    error
+		err       error
 		out       io.Writer
 		frameSize int
 	)
@@ -105,16 +105,16 @@ func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, err error)
 		// Make sure we have at least a full header
 		for nr < stdWriterPrefixLen {
 			var nr2 int
-			nr2, er = src.Read(buf[nr:])
+			nr2, err = src.Read(buf[nr:])
 			nr += nr2
-			if er == io.EOF {
+			if errors.Is(err, io.EOF) {
 				if nr < stdWriterPrefixLen {
 					return written, nil
 				}
 				break
 			}
-			if er != nil {
-				return 0, er
+			if err != nil {
+				return 0, err
 			}
 		}
 
@@ -151,16 +151,16 @@ func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, err error)
 		// While the amount of bytes read is less than the size of the frame + header, we keep reading
 		for nr < frameSize+stdWriterPrefixLen {
 			var nr2 int
-			nr2, er = src.Read(buf[nr:])
+			nr2, err = src.Read(buf[nr:])
 			nr += nr2
-			if er == io.EOF {
+			if errors.Is(err, io.EOF) {
 				if nr < frameSize+stdWriterPrefixLen {
 					return written, nil
 				}
 				break
 			}
-			if er != nil {
-				return 0, er
+			if err != nil {
+				return 0, err
 			}
 		}
 
@@ -171,9 +171,9 @@ func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, err error)
 		}
 
 		// Write the retrieved frame (without header)
-		nw, ew = out.Write(buf[stdWriterPrefixLen : frameSize+stdWriterPrefixLen])
-		if ew != nil {
-			return 0, ew
+		nw, err = out.Write(buf[stdWriterPrefixLen : frameSize+stdWriterPrefixLen])
+		if err != nil {
+			return 0, err
 		}
 
 		// If the frame has not been fully written: error
diff --git a/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go b/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go
index 098df6b5..24e1b45f 100644
--- a/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go
+++ b/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go
@@ -1,5 +1,5 @@
 // Package streamformatter provides helper functions to format a stream.
-package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+package streamformatter
 
 import (
 	"encoding/json"
diff --git a/vendor/github.com/docker/docker/pkg/streamformatter/streamwriter.go b/vendor/github.com/docker/docker/pkg/streamformatter/streamwriter.go
index 1473ed97..141d12e2 100644
--- a/vendor/github.com/docker/docker/pkg/streamformatter/streamwriter.go
+++ b/vendor/github.com/docker/docker/pkg/streamformatter/streamwriter.go
@@ -1,4 +1,4 @@
-package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+package streamformatter
 
 import (
 	"encoding/json"
diff --git a/vendor/github.com/docker/docker/pkg/stringid/stringid.go b/vendor/github.com/docker/docker/pkg/stringid/stringid.go
deleted file mode 100644
index a79c9672..00000000
--- a/vendor/github.com/docker/docker/pkg/stringid/stringid.go
+++ /dev/null
@@ -1,63 +0,0 @@
-// Package stringid provides helper functions for dealing with string identifiers
-package stringid // import "github.com/docker/docker/pkg/stringid"
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-	"strings"
-)
-
-const (
-	shortLen = 12
-	fullLen  = 64
-)
-
-// TruncateID returns a shorthand version of a string identifier for convenience.
-// A collision with other shorthands is very unlikely, but possible.
-// In case of a collision a lookup with TruncIndex.Get() will fail, and the caller
-// will need to use a longer prefix, or the full-length Id.
-func TruncateID(id string) string {
-	if i := strings.IndexRune(id, ':'); i >= 0 {
-		id = id[i+1:]
-	}
-	if len(id) > shortLen {
-		id = id[:shortLen]
-	}
-	return id
-}
-
-// GenerateRandomID returns a unique, 64-character ID consisting of a-z, 0-9.
-// It guarantees that the ID, when truncated ([TruncateID]) does not consist
-// of numbers only, so that the truncated ID can be used as hostname for
-// containers.
-func GenerateRandomID() string {
-	b := make([]byte, 32)
-	for {
-		if _, err := rand.Read(b); err != nil {
-			panic(err) // This shouldn't happen
-		}
-		id := hex.EncodeToString(b)
-
-		// make sure that the truncated ID does not consist of only numeric
-		// characters, as it's used as default hostname for containers.
-		//
-		// See:
-		// - https://github.com/moby/moby/issues/3869
-		// - https://bugzilla.redhat.com/show_bug.cgi?id=1059122
-		if allNum(id[:shortLen]) {
-			// all numbers; try again
-			continue
-		}
-		return id
-	}
-}
-
-// allNum checks whether id consists of only numbers (0-9).
-func allNum(id string) bool {
-	for _, c := range []byte(id) {
-		if c > '9' || c < '0' {
-			return false
-		}
-	}
-	return true
-}
diff --git a/vendor/github.com/docker/docker/registry/auth.go b/vendor/github.com/docker/docker/registry/auth.go
deleted file mode 100644
index 8c62b83c..00000000
--- a/vendor/github.com/docker/docker/registry/auth.go
+++ /dev/null
@@ -1,202 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"context"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
-
-	"github.com/containerd/log"
-	"github.com/docker/distribution/registry/client/auth"
-	"github.com/docker/distribution/registry/client/auth/challenge"
-	"github.com/docker/distribution/registry/client/transport"
-	"github.com/docker/docker/api/types/registry"
-	"github.com/pkg/errors"
-)
-
-// AuthClientID is used the ClientID used for the token server
-const AuthClientID = "docker"
-
-type loginCredentialStore struct {
-	authConfig *registry.AuthConfig
-}
-
-func (lcs loginCredentialStore) Basic(*url.URL) (string, string) {
-	return lcs.authConfig.Username, lcs.authConfig.Password
-}
-
-func (lcs loginCredentialStore) RefreshToken(*url.URL, string) string {
-	return lcs.authConfig.IdentityToken
-}
-
-func (lcs loginCredentialStore) SetRefreshToken(u *url.URL, service, token string) {
-	lcs.authConfig.IdentityToken = token
-}
-
-type staticCredentialStore struct {
-	auth *registry.AuthConfig
-}
-
-// NewStaticCredentialStore returns a credential store
-// which always returns the same credential values.
-func NewStaticCredentialStore(auth *registry.AuthConfig) auth.CredentialStore {
-	return staticCredentialStore{
-		auth: auth,
-	}
-}
-
-func (scs staticCredentialStore) Basic(*url.URL) (string, string) {
-	if scs.auth == nil {
-		return "", ""
-	}
-	return scs.auth.Username, scs.auth.Password
-}
-
-func (scs staticCredentialStore) RefreshToken(*url.URL, string) string {
-	if scs.auth == nil {
-		return ""
-	}
-	return scs.auth.IdentityToken
-}
-
-func (scs staticCredentialStore) SetRefreshToken(*url.URL, string, string) {
-}
-
-// loginV2 tries to login to the v2 registry server. The given registry
-// endpoint will be pinged to get authorization challenges. These challenges
-// will be used to authenticate against the registry to validate credentials.
-func loginV2(authConfig *registry.AuthConfig, endpoint APIEndpoint, userAgent string) (status string, token string, _ error) {
-	endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/"
-	log.G(context.TODO()).Debugf("attempting v2 login to registry endpoint %s", endpointStr)
-
-	req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
-	if err != nil {
-		return "", "", err
-	}
-
-	var (
-		modifiers            = Headers(userAgent, nil)
-		authTrans            = transport.NewTransport(newTransport(endpoint.TLSConfig), modifiers...)
-		credentialAuthConfig = *authConfig
-		creds                = loginCredentialStore{authConfig: &credentialAuthConfig}
-	)
-
-	loginClient, err := v2AuthHTTPClient(endpoint.URL, authTrans, modifiers, creds, nil)
-	if err != nil {
-		return "", "", err
-	}
-
-	resp, err := loginClient.Do(req)
-	if err != nil {
-		err = translateV2AuthError(err)
-		return "", "", err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode == http.StatusOK {
-		return "Login Succeeded", credentialAuthConfig.IdentityToken, nil
-	}
-
-	// TODO(dmcgowan): Attempt to further interpret result, status code and error code string
-	return "", "", errors.Errorf("login attempt to %s failed with status: %d %s", endpointStr, resp.StatusCode, http.StatusText(resp.StatusCode))
-}
-
-func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifiers []transport.RequestModifier, creds auth.CredentialStore, scopes []auth.Scope) (*http.Client, error) {
-	challengeManager, err := PingV2Registry(endpoint, authTransport)
-	if err != nil {
-		return nil, err
-	}
-
-	authHandlers := []auth.AuthenticationHandler{
-		auth.NewTokenHandlerWithOptions(auth.TokenHandlerOptions{
-			Transport:     authTransport,
-			Credentials:   creds,
-			OfflineAccess: true,
-			ClientID:      AuthClientID,
-			Scopes:        scopes,
-		}),
-		auth.NewBasicHandler(creds),
-	}
-
-	modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, authHandlers...))
-
-	return &http.Client{
-		Transport: transport.NewTransport(authTransport, modifiers...),
-		Timeout:   15 * time.Second,
-	}, nil
-}
-
-// ConvertToHostname normalizes a registry URL which has http|https prepended
-// to just its hostname. It is used to match credentials, which may be either
-// stored as hostname or as hostname including scheme (in legacy configuration
-// files).
-func ConvertToHostname(url string) string {
-	stripped := url
-	if strings.HasPrefix(stripped, "http://") {
-		stripped = strings.TrimPrefix(stripped, "http://")
-	} else if strings.HasPrefix(stripped, "https://") {
-		stripped = strings.TrimPrefix(stripped, "https://")
-	}
-	stripped, _, _ = strings.Cut(stripped, "/")
-	return stripped
-}
-
-// ResolveAuthConfig matches an auth configuration to a server address or a URL
-func ResolveAuthConfig(authConfigs map[string]registry.AuthConfig, index *registry.IndexInfo) registry.AuthConfig {
-	configKey := GetAuthConfigKey(index)
-	// First try the happy case
-	if c, found := authConfigs[configKey]; found || index.Official {
-		return c
-	}
-
-	// Maybe they have a legacy config file, we will iterate the keys converting
-	// them to the new format and testing
-	for registryURL, ac := range authConfigs {
-		if configKey == ConvertToHostname(registryURL) {
-			return ac
-		}
-	}
-
-	// When all else fails, return an empty auth config
-	return registry.AuthConfig{}
-}
-
-// PingResponseError is used when the response from a ping
-// was received but invalid.
-type PingResponseError struct {
-	Err error
-}
-
-func (err PingResponseError) Error() string {
-	return err.Err.Error()
-}
-
-// PingV2Registry attempts to ping a v2 registry and on success return a
-// challenge manager for the supported authentication types.
-// If a response is received but cannot be interpreted, a PingResponseError will be returned.
-func PingV2Registry(endpoint *url.URL, transport http.RoundTripper) (challenge.Manager, error) {
-	pingClient := &http.Client{
-		Transport: transport,
-		Timeout:   15 * time.Second,
-	}
-	endpointStr := strings.TrimRight(endpoint.String(), "/") + "/v2/"
-	req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := pingClient.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	challengeManager := challenge.NewSimpleManager()
-	if err := challengeManager.AddResponse(resp); err != nil {
-		return nil, PingResponseError{
-			Err: err,
-		}
-	}
-
-	return challengeManager, nil
-}
diff --git a/vendor/github.com/docker/docker/registry/config.go b/vendor/github.com/docker/docker/registry/config.go
deleted file mode 100644
index f8d94ce8..00000000
--- a/vendor/github.com/docker/docker/registry/config.go
+++ /dev/null
@@ -1,381 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"context"
-	"net"
-	"net/url"
-	"strconv"
-	"strings"
-
-	"github.com/containerd/log"
-	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/internal/lazyregexp"
-)
-
-// ServiceOptions holds command line options.
-type ServiceOptions struct {
-	AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"` // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
-
-	Mirrors            []string `json:"registry-mirrors,omitempty"`
-	InsecureRegistries []string `json:"insecure-registries,omitempty"`
-}
-
-// serviceConfig holds daemon configuration for the registry service.
-type serviceConfig registry.ServiceConfig
-
-// TODO(thaJeztah) both the "index.docker.io" and "registry-1.docker.io" domains
-// are here for historic reasons and backward-compatibility. These domains
-// are still supported by Docker Hub (and will continue to be supported), but
-// there are new domains already in use, and plans to consolidate all legacy
-// domains to new "canonical" domains. Once those domains are decided on, we
-// should update these consts (but making sure to preserve compatibility with
-// existing installs, clients, and user configuration).
-const (
-	// DefaultNamespace is the default namespace
-	DefaultNamespace = "docker.io"
-	// DefaultRegistryHost is the hostname for the default (Docker Hub) registry
-	// used for pushing and pulling images. This hostname is hard-coded to handle
-	// the conversion from image references without registry name (e.g. "ubuntu",
-	// or "ubuntu:latest"), as well as references using the "docker.io" domain
-	// name, which is used as canonical reference for images on Docker Hub, but
-	// does not match the domain-name of Docker Hub's registry.
-	DefaultRegistryHost = "registry-1.docker.io"
-	// IndexHostname is the index hostname, used for authentication and image search.
-	IndexHostname = "index.docker.io"
-	// IndexServer is used for user auth and image search
-	IndexServer = "https://" + IndexHostname + "/v1/"
-	// IndexName is the name of the index
-	IndexName = "docker.io"
-)
-
-var (
-	// DefaultV2Registry is the URI of the default (Docker Hub) registry.
-	DefaultV2Registry = &url.URL{
-		Scheme: "https",
-		Host:   DefaultRegistryHost,
-	}
-
-	emptyServiceConfig, _ = newServiceConfig(ServiceOptions{})
-	validHostPortRegex    = lazyregexp.New(`^` + reference.DomainRegexp.String() + `$`)
-
-	// certsDir is used to override defaultCertsDir.
-	certsDir string
-)
-
-// SetCertsDir allows the default certs directory to be changed. This function
-// is used at daemon startup to set the correct location when running in
-// rootless mode.
-func SetCertsDir(path string) {
-	certsDir = path
-}
-
-// CertsDir is the directory where certificates are stored.
-func CertsDir() string {
-	if certsDir != "" {
-		return certsDir
-	}
-	return defaultCertsDir
-}
-
-// newServiceConfig returns a new instance of ServiceConfig
-func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
-	config := &serviceConfig{}
-	if err := config.loadMirrors(options.Mirrors); err != nil {
-		return nil, err
-	}
-	if err := config.loadInsecureRegistries(options.InsecureRegistries); err != nil {
-		return nil, err
-	}
-
-	return config, nil
-}
-
-// copy constructs a new ServiceConfig with a copy of the configuration in config.
-func (config *serviceConfig) copy() *registry.ServiceConfig {
-	ic := make(map[string]*registry.IndexInfo)
-	for key, value := range config.IndexConfigs {
-		ic[key] = value
-	}
-	return &registry.ServiceConfig{
-		InsecureRegistryCIDRs: append([]*registry.NetIPNet(nil), config.InsecureRegistryCIDRs...),
-		IndexConfigs:          ic,
-		Mirrors:               append([]string(nil), config.Mirrors...),
-	}
-}
-
-// loadMirrors loads mirrors to config, after removing duplicates.
-// Returns an error if mirrors contains an invalid mirror.
-func (config *serviceConfig) loadMirrors(mirrors []string) error {
-	mMap := map[string]struct{}{}
-	unique := []string{}
-
-	for _, mirror := range mirrors {
-		m, err := ValidateMirror(mirror)
-		if err != nil {
-			return err
-		}
-		if _, exist := mMap[m]; !exist {
-			mMap[m] = struct{}{}
-			unique = append(unique, m)
-		}
-	}
-
-	config.Mirrors = unique
-
-	// Configure public registry since mirrors may have changed.
-	config.IndexConfigs = map[string]*registry.IndexInfo{
-		IndexName: {
-			Name:     IndexName,
-			Mirrors:  unique,
-			Secure:   true,
-			Official: true,
-		},
-	}
-
-	return nil
-}
-
-// loadInsecureRegistries loads insecure registries to config
-func (config *serviceConfig) loadInsecureRegistries(registries []string) error {
-	// Localhost is by default considered as an insecure registry. This is a
-	// stop-gap for people who are running a private registry on localhost.
-	registries = append(registries, "::1/128", "127.0.0.0/8")
-
-	var (
-		insecureRegistryCIDRs = make([]*registry.NetIPNet, 0)
-		indexConfigs          = make(map[string]*registry.IndexInfo)
-	)
-
-skip:
-	for _, r := range registries {
-		// validate insecure registry
-		if _, err := ValidateIndexName(r); err != nil {
-			return err
-		}
-		if strings.HasPrefix(strings.ToLower(r), "http://") {
-			log.G(context.TODO()).Warnf("insecure registry %s should not contain 'http://' and 'http://' has been removed from the insecure registry config", r)
-			r = r[7:]
-		} else if strings.HasPrefix(strings.ToLower(r), "https://") {
-			log.G(context.TODO()).Warnf("insecure registry %s should not contain 'https://' and 'https://' has been removed from the insecure registry config", r)
-			r = r[8:]
-		} else if hasScheme(r) {
-			return invalidParamf("insecure registry %s should not contain '://'", r)
-		}
-		// Check if CIDR was passed to --insecure-registry
-		_, ipnet, err := net.ParseCIDR(r)
-		if err == nil {
-			// Valid CIDR. If ipnet is already in config.InsecureRegistryCIDRs, skip.
-			data := (*registry.NetIPNet)(ipnet)
-			for _, value := range insecureRegistryCIDRs {
-				if value.IP.String() == data.IP.String() && value.Mask.String() == data.Mask.String() {
-					continue skip
-				}
-			}
-			// ipnet is not found, add it in config.InsecureRegistryCIDRs
-			insecureRegistryCIDRs = append(insecureRegistryCIDRs, data)
-		} else {
-			if err := validateHostPort(r); err != nil {
-				return invalidParamWrapf(err, "insecure registry %s is not valid", r)
-			}
-			// Assume `host:port` if not CIDR.
-			indexConfigs[r] = &registry.IndexInfo{
-				Name:     r,
-				Mirrors:  make([]string, 0),
-				Secure:   false,
-				Official: false,
-			}
-		}
-	}
-
-	// Configure public registry.
-	indexConfigs[IndexName] = &registry.IndexInfo{
-		Name:     IndexName,
-		Mirrors:  config.Mirrors,
-		Secure:   true,
-		Official: true,
-	}
-	config.InsecureRegistryCIDRs = insecureRegistryCIDRs
-	config.IndexConfigs = indexConfigs
-
-	return nil
-}
-
-// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
-// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
-//
-// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
-// If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
-// insecure.
-//
-// indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
-// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
-// in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
-// of insecureRegistries.
-func (config *serviceConfig) isSecureIndex(indexName string) bool {
-	// Check for configured index, first.  This is needed in case isSecureIndex
-	// is called from anything besides newIndexInfo, in order to honor per-index configurations.
-	if index, ok := config.IndexConfigs[indexName]; ok {
-		return index.Secure
-	}
-
-	return !isCIDRMatch(config.InsecureRegistryCIDRs, indexName)
-}
-
-// for mocking in unit tests.
-var lookupIP = net.LookupIP
-
-// isCIDRMatch returns true if URLHost matches an element of cidrs. URLHost is a URL.Host (`host:port` or `host`)
-// where the `host` part can be either a domain name or an IP address. If it is a domain name, then it will be
-// resolved to IP addresses for matching. If resolution fails, false is returned.
-func isCIDRMatch(cidrs []*registry.NetIPNet, URLHost string) bool {
-	if len(cidrs) == 0 {
-		return false
-	}
-
-	host, _, err := net.SplitHostPort(URLHost)
-	if err != nil {
-		// Assume URLHost is a host without port and go on.
-		host = URLHost
-	}
-
-	var addresses []net.IP
-	if ip := net.ParseIP(host); ip != nil {
-		// Host is an IP-address.
-		addresses = append(addresses, ip)
-	} else {
-		// Try to resolve the host's IP-address.
-		addresses, err = lookupIP(host)
-		if err != nil {
-			// We failed to resolve the host; assume there's no match.
-			return false
-		}
-	}
-
-	for _, addr := range addresses {
-		for _, ipnet := range cidrs {
-			// check if the addr falls in the subnet
-			if (*net.IPNet)(ipnet).Contains(addr) {
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
-// ValidateMirror validates an HTTP(S) registry mirror. It is used by the daemon
-// to validate the daemon configuration.
-func ValidateMirror(val string) (string, error) {
-	uri, err := url.Parse(val)
-	if err != nil {
-		return "", invalidParamWrapf(err, "invalid mirror: %q is not a valid URI", val)
-	}
-	if uri.Scheme != "http" && uri.Scheme != "https" {
-		return "", invalidParamf("invalid mirror: unsupported scheme %q in %q", uri.Scheme, uri)
-	}
-	if uri.RawQuery != "" || uri.Fragment != "" {
-		return "", invalidParamf("invalid mirror: query or fragment at end of the URI %q", uri)
-	}
-	if uri.User != nil {
-		// strip password from output
-		uri.User = url.UserPassword(uri.User.Username(), "xxxxx")
-		return "", invalidParamf("invalid mirror: username/password not allowed in URI %q", uri)
-	}
-	return strings.TrimSuffix(val, "/") + "/", nil
-}
-
-// ValidateIndexName validates an index name. It is used by the daemon to
-// validate the daemon configuration.
-func ValidateIndexName(val string) (string, error) {
-	// TODO: upstream this to check to reference package
-	if val == "index.docker.io" {
-		val = "docker.io"
-	}
-	if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") {
-		return "", invalidParamf("invalid index name (%s). Cannot begin or end with a hyphen", val)
-	}
-	return val, nil
-}
-
-func hasScheme(reposName string) bool {
-	return strings.Contains(reposName, "://")
-}
-
-func validateHostPort(s string) error {
-	// Split host and port, and in case s can not be split, assume host only
-	host, port, err := net.SplitHostPort(s)
-	if err != nil {
-		host = s
-		port = ""
-	}
-	// If match against the `host:port` pattern fails,
-	// it might be `IPv6:port`, which will be captured by net.ParseIP(host)
-	if !validHostPortRegex.MatchString(s) && net.ParseIP(host) == nil {
-		return invalidParamf("invalid host %q", host)
-	}
-	if port != "" {
-		v, err := strconv.Atoi(port)
-		if err != nil {
-			return err
-		}
-		if v < 0 || v > 65535 {
-			return invalidParamf("invalid port %q", port)
-		}
-	}
-	return nil
-}
-
-// newIndexInfo returns IndexInfo configuration from indexName
-func newIndexInfo(config *serviceConfig, indexName string) (*registry.IndexInfo, error) {
-	var err error
-	indexName, err = ValidateIndexName(indexName)
-	if err != nil {
-		return nil, err
-	}
-
-	// Return any configured index info, first.
-	if index, ok := config.IndexConfigs[indexName]; ok {
-		return index, nil
-	}
-
-	// Construct a non-configured index info.
-	return &registry.IndexInfo{
-		Name:     indexName,
-		Mirrors:  make([]string, 0),
-		Secure:   config.isSecureIndex(indexName),
-		Official: false,
-	}, nil
-}
-
-// GetAuthConfigKey special-cases using the full index address of the official
-// index as the AuthConfig key, and uses the (host)name[:port] for private indexes.
-func GetAuthConfigKey(index *registry.IndexInfo) string {
-	if index.Official {
-		return IndexServer
-	}
-	return index.Name
-}
-
-// newRepositoryInfo validates and breaks down a repository name into a RepositoryInfo
-func newRepositoryInfo(config *serviceConfig, name reference.Named) (*RepositoryInfo, error) {
-	index, err := newIndexInfo(config, reference.Domain(name))
-	if err != nil {
-		return nil, err
-	}
-	official := !strings.ContainsRune(reference.FamiliarName(name), '/')
-
-	return &RepositoryInfo{
-		Name:     reference.TrimNamed(name),
-		Index:    index,
-		Official: official,
-	}, nil
-}
-
-// ParseRepositoryInfo performs the breakdown of a repository name into a
-// [RepositoryInfo], but lacks registry configuration.
-//
-// It is used by the Docker cli to interact with registry-related endpoints.
-func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) {
-	return newRepositoryInfo(emptyServiceConfig, reposName)
-}
diff --git a/vendor/github.com/docker/docker/registry/config_unix.go b/vendor/github.com/docker/docker/registry/config_unix.go
deleted file mode 100644
index 21420493..00000000
--- a/vendor/github.com/docker/docker/registry/config_unix.go
+++ /dev/null
@@ -1,16 +0,0 @@
-//go:build !windows
-
-package registry // import "github.com/docker/docker/registry"
-
-// defaultCertsDir is the platform-specific default directory where certificates
-// are stored. On Linux, it may be overridden through certsDir, for example, when
-// running in rootless mode.
-const defaultCertsDir = "/etc/docker/certs.d"
-
-// cleanPath is used to ensure that a directory name is valid on the target
-// platform. It will be passed in something *similar* to a URL such as
-// https:/index.docker.io/v1. Not all platforms support directory names
-// which contain those characters (such as : on Windows)
-func cleanPath(s string) string {
-	return s
-}
diff --git a/vendor/github.com/docker/docker/registry/config_windows.go b/vendor/github.com/docker/docker/registry/config_windows.go
deleted file mode 100644
index 2674f281..00000000
--- a/vendor/github.com/docker/docker/registry/config_windows.go
+++ /dev/null
@@ -1,20 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-// defaultCertsDir is the platform-specific default directory where certificates
-// are stored. On Linux, it may be overridden through certsDir, for example, when
-// running in rootless mode.
-var defaultCertsDir = os.Getenv("programdata") + `\docker\certs.d`
-
-// cleanPath is used to ensure that a directory name is valid on the target
-// platform. It will be passed in something *similar* to a URL such as
-// https:\index.docker.io\v1. Not all platforms support directory names
-// which contain those characters (such as : on Windows)
-func cleanPath(s string) string {
-	return filepath.FromSlash(strings.ReplaceAll(s, ":", ""))
-}
diff --git a/vendor/github.com/docker/docker/registry/errors.go b/vendor/github.com/docker/docker/registry/errors.go
deleted file mode 100644
index 7dc20ad8..00000000
--- a/vendor/github.com/docker/docker/registry/errors.go
+++ /dev/null
@@ -1,36 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"net/url"
-
-	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
-)
-
-func translateV2AuthError(err error) error {
-	switch e := err.(type) {
-	case *url.Error:
-		switch e2 := e.Err.(type) {
-		case errcode.Error:
-			switch e2.Code {
-			case errcode.ErrorCodeUnauthorized:
-				return errdefs.Unauthorized(err)
-			}
-		}
-	}
-
-	return err
-}
-
-func invalidParam(err error) error {
-	return errdefs.InvalidParameter(err)
-}
-
-func invalidParamf(format string, args ...interface{}) error {
-	return errdefs.InvalidParameter(errors.Errorf(format, args...))
-}
-
-func invalidParamWrapf(err error, format string, args ...interface{}) error {
-	return errdefs.InvalidParameter(errors.Wrapf(err, format, args...))
-}
diff --git a/vendor/github.com/docker/docker/registry/registry.go b/vendor/github.com/docker/docker/registry/registry.go
deleted file mode 100644
index 6b079199..00000000
--- a/vendor/github.com/docker/docker/registry/registry.go
+++ /dev/null
@@ -1,139 +0,0 @@
-// Package registry contains client primitives to interact with a remote Docker registry.
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/containerd/log"
-	"github.com/docker/distribution/registry/client/transport"
-	"github.com/docker/go-connections/tlsconfig"
-	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
-)
-
-// HostCertsDir returns the config directory for a specific host.
-func HostCertsDir(hostname string) string {
-	return filepath.Join(CertsDir(), cleanPath(hostname))
-}
-
-// newTLSConfig constructs a client TLS configuration based on server defaults
-func newTLSConfig(hostname string, isSecure bool) (*tls.Config, error) {
-	// PreferredServerCipherSuites should have no effect
-	tlsConfig := tlsconfig.ServerDefault()
-
-	tlsConfig.InsecureSkipVerify = !isSecure
-
-	if isSecure && CertsDir() != "" {
-		hostDir := HostCertsDir(hostname)
-		log.G(context.TODO()).Debugf("hostDir: %s", hostDir)
-		if err := ReadCertsDirectory(tlsConfig, hostDir); err != nil {
-			return nil, err
-		}
-	}
-
-	return tlsConfig, nil
-}
-
-func hasFile(files []os.DirEntry, name string) bool {
-	for _, f := range files {
-		if f.Name() == name {
-			return true
-		}
-	}
-	return false
-}
-
-// ReadCertsDirectory reads the directory for TLS certificates
-// including roots and certificate pairs and updates the
-// provided TLS configuration.
-func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {
-	fs, err := os.ReadDir(directory)
-	if err != nil && !os.IsNotExist(err) {
-		return invalidParam(err)
-	}
-
-	for _, f := range fs {
-		if strings.HasSuffix(f.Name(), ".crt") {
-			if tlsConfig.RootCAs == nil {
-				systemPool, err := tlsconfig.SystemCertPool()
-				if err != nil {
-					return invalidParamWrapf(err, "unable to get system cert pool")
-				}
-				tlsConfig.RootCAs = systemPool
-			}
-			log.G(context.TODO()).Debugf("crt: %s", filepath.Join(directory, f.Name()))
-			data, err := os.ReadFile(filepath.Join(directory, f.Name()))
-			if err != nil {
-				return err
-			}
-			tlsConfig.RootCAs.AppendCertsFromPEM(data)
-		}
-		if strings.HasSuffix(f.Name(), ".cert") {
-			certName := f.Name()
-			keyName := certName[:len(certName)-5] + ".key"
-			log.G(context.TODO()).Debugf("cert: %s", filepath.Join(directory, f.Name()))
-			if !hasFile(fs, keyName) {
-				return invalidParamf("missing key %s for client certificate %s. CA certificates must use the extension .crt", keyName, certName)
-			}
-			cert, err := tls.LoadX509KeyPair(filepath.Join(directory, certName), filepath.Join(directory, keyName))
-			if err != nil {
-				return err
-			}
-			tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
-		}
-		if strings.HasSuffix(f.Name(), ".key") {
-			keyName := f.Name()
-			certName := keyName[:len(keyName)-4] + ".cert"
-			log.G(context.TODO()).Debugf("key: %s", filepath.Join(directory, f.Name()))
-			if !hasFile(fs, certName) {
-				return invalidParamf("missing client certificate %s for key %s", certName, keyName)
-			}
-		}
-	}
-
-	return nil
-}
-
-// Headers returns request modifiers with a User-Agent and metaHeaders
-func Headers(userAgent string, metaHeaders http.Header) []transport.RequestModifier {
-	modifiers := []transport.RequestModifier{}
-	if userAgent != "" {
-		modifiers = append(modifiers, transport.NewHeaderRequestModifier(http.Header{
-			"User-Agent": []string{userAgent},
-		}))
-	}
-	if metaHeaders != nil {
-		modifiers = append(modifiers, transport.NewHeaderRequestModifier(metaHeaders))
-	}
-	return modifiers
-}
-
-// newTransport returns a new HTTP transport. If tlsConfig is nil, it uses the
-// default TLS configuration.
-func newTransport(tlsConfig *tls.Config) http.RoundTripper {
-	if tlsConfig == nil {
-		tlsConfig = tlsconfig.ServerDefault()
-	}
-
-	direct := &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
-	}
-
-	return otelhttp.NewTransport(
-		&http.Transport{
-			Proxy:               http.ProxyFromEnvironment,
-			DialContext:         direct.DialContext,
-			TLSHandshakeTimeout: 10 * time.Second,
-			TLSClientConfig:     tlsConfig,
-			// TODO(dmcgowan): Call close idle connections when complete and use keep alive
-			DisableKeepAlives: true,
-		},
-	)
-}
diff --git a/vendor/github.com/docker/docker/registry/search.go b/vendor/github.com/docker/docker/registry/search.go
deleted file mode 100644
index 4ce90f55..00000000
--- a/vendor/github.com/docker/docker/registry/search.go
+++ /dev/null
@@ -1,162 +0,0 @@
-package registry
-
-import (
-	"context"
-	"net/http"
-	"strconv"
-	"strings"
-
-	"github.com/containerd/log"
-	"github.com/docker/distribution/registry/client/auth"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
-)
-
-var acceptedSearchFilterTags = map[string]bool{
-	"is-automated": true, // Deprecated: the "is_automated" field is deprecated and will always be false in the future.
-	"is-official":  true,
-	"stars":        true,
-}
-
-// Search queries the public registry for repositories matching the specified
-// search term and filters.
-func (s *Service) Search(ctx context.Context, searchFilters filters.Args, term string, limit int, authConfig *registry.AuthConfig, headers map[string][]string) ([]registry.SearchResult, error) {
-	if err := searchFilters.Validate(acceptedSearchFilterTags); err != nil {
-		return nil, err
-	}
-
-	isAutomated, err := searchFilters.GetBoolOrDefault("is-automated", false)
-	if err != nil {
-		return nil, err
-	}
-
-	// "is-automated" is deprecated and filtering for `true` will yield no results.
-	if isAutomated {
-		return []registry.SearchResult{}, nil
-	}
-
-	isOfficial, err := searchFilters.GetBoolOrDefault("is-official", false)
-	if err != nil {
-		return nil, err
-	}
-
-	hasStarFilter := 0
-	if searchFilters.Contains("stars") {
-		hasStars := searchFilters.Get("stars")
-		for _, hasStar := range hasStars {
-			iHasStar, err := strconv.Atoi(hasStar)
-			if err != nil {
-				return nil, errdefs.InvalidParameter(errors.Wrapf(err, "invalid filter 'stars=%s'", hasStar))
-			}
-			if iHasStar > hasStarFilter {
-				hasStarFilter = iHasStar
-			}
-		}
-	}
-
-	unfilteredResult, err := s.searchUnfiltered(ctx, term, limit, authConfig, headers)
-	if err != nil {
-		return nil, err
-	}
-
-	filteredResults := []registry.SearchResult{}
-	for _, result := range unfilteredResult.Results {
-		if searchFilters.Contains("is-official") {
-			if isOfficial != result.IsOfficial {
-				continue
-			}
-		}
-		if searchFilters.Contains("stars") {
-			if result.StarCount < hasStarFilter {
-				continue
-			}
-		}
-		// "is-automated" is deprecated and the value in Docker Hub search
-		// results is untrustworthy. Force it to false so as to not mislead our
-		// clients.
-		result.IsAutomated = false //nolint:staticcheck  // ignore SA1019 (field is deprecated)
-		filteredResults = append(filteredResults, result)
-	}
-
-	return filteredResults, nil
-}
-
-func (s *Service) searchUnfiltered(ctx context.Context, term string, limit int, authConfig *registry.AuthConfig, headers http.Header) (*registry.SearchResults, error) {
-	// TODO Use ctx when searching for repositories
-	if hasScheme(term) {
-		return nil, invalidParamf("invalid repository name: repository name (%s) should not have a scheme", term)
-	}
-
-	indexName, remoteName := splitReposSearchTerm(term)
-
-	// Search is a long-running operation, just lock s.config to avoid block others.
-	s.mu.RLock()
-	index, err := newIndexInfo(s.config, indexName)
-	s.mu.RUnlock()
-
-	if err != nil {
-		return nil, err
-	}
-	if index.Official {
-		// If pull "library/foo", it's stored locally under "foo"
-		remoteName = strings.TrimPrefix(remoteName, "library/")
-	}
-
-	endpoint, err := newV1Endpoint(index, headers)
-	if err != nil {
-		return nil, err
-	}
-
-	var client *http.Client
-	if authConfig != nil && authConfig.IdentityToken != "" && authConfig.Username != "" {
-		creds := NewStaticCredentialStore(authConfig)
-
-		// TODO(thaJeztah); is there a reason not to include other headers here? (originally added in 19d48f0b8ba59eea9f2cac4ad1c7977712a6b7ac)
-		modifiers := Headers(headers.Get("User-Agent"), nil)
-		v2Client, err := v2AuthHTTPClient(endpoint.URL, endpoint.client.Transport, modifiers, creds, []auth.Scope{
-			auth.RegistryScope{Name: "catalog", Actions: []string{"search"}},
-		})
-		if err != nil {
-			return nil, err
-		}
-		// Copy non transport http client features
-		v2Client.Timeout = endpoint.client.Timeout
-		v2Client.CheckRedirect = endpoint.client.CheckRedirect
-		v2Client.Jar = endpoint.client.Jar
-
-		log.G(ctx).Debugf("using v2 client for search to %s", endpoint.URL)
-		client = v2Client
-	} else {
-		client = endpoint.client
-		if err := authorizeClient(client, authConfig, endpoint); err != nil {
-			return nil, err
-		}
-	}
-
-	return newSession(client, endpoint).searchRepositories(remoteName, limit)
-}
-
-// splitReposSearchTerm breaks a search term into an index name and remote name
-func splitReposSearchTerm(reposName string) (string, string) {
-	nameParts := strings.SplitN(reposName, "/", 2)
-	if len(nameParts) == 1 || (!strings.Contains(nameParts[0], ".") &&
-		!strings.Contains(nameParts[0], ":") && nameParts[0] != "localhost") {
-		// This is a Docker Hub repository (ex: samalba/hipache or ubuntu),
-		// use the default Docker Hub registry (docker.io)
-		return IndexName, reposName
-	}
-	return nameParts[0], nameParts[1]
-}
-
-// ParseSearchIndexInfo will use repository name to get back an indexInfo.
-//
-// TODO(thaJeztah) this function is only used by the CLI, and used to get
-// information of the registry (to provide credentials if needed). We should
-// move this function (or equivalent) to the CLI, as it's doing too much just
-// for that.
-func ParseSearchIndexInfo(reposName string) (*registry.IndexInfo, error) {
-	indexName, _ := splitReposSearchTerm(reposName)
-	return newIndexInfo(emptyServiceConfig, indexName)
-}
diff --git a/vendor/github.com/docker/docker/registry/search_endpoint_v1.go b/vendor/github.com/docker/docker/registry/search_endpoint_v1.go
deleted file mode 100644
index f6c369a9..00000000
--- a/vendor/github.com/docker/docker/registry/search_endpoint_v1.go
+++ /dev/null
@@ -1,200 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"net/http"
-	"net/url"
-	"strings"
-
-	"github.com/containerd/log"
-	"github.com/docker/distribution/registry/client/transport"
-	"github.com/docker/docker/api/types/registry"
-)
-
-// v1PingResult contains the information returned when pinging a registry. It
-// indicates whether the registry claims to be a standalone registry.
-type v1PingResult struct {
-	// Standalone is set to true if the registry indicates it is a
-	// standalone registry in the X-Docker-Registry-Standalone
-	// header
-	Standalone bool `json:"standalone"`
-}
-
-// v1Endpoint stores basic information about a V1 registry endpoint.
-type v1Endpoint struct {
-	client   *http.Client
-	URL      *url.URL
-	IsSecure bool
-}
-
-// newV1Endpoint parses the given address to return a registry endpoint.
-// TODO: remove. This is only used by search.
-func newV1Endpoint(index *registry.IndexInfo, headers http.Header) (*v1Endpoint, error) {
-	tlsConfig, err := newTLSConfig(index.Name, index.Secure)
-	if err != nil {
-		return nil, err
-	}
-
-	endpoint, err := newV1EndpointFromStr(GetAuthConfigKey(index), tlsConfig, headers)
-	if err != nil {
-		return nil, err
-	}
-
-	if endpoint.String() == IndexServer {
-		// Skip the check, we know this one is valid
-		// (and we never want to fall back to http in case of error)
-		return endpoint, nil
-	}
-
-	// Try HTTPS ping to registry
-	endpoint.URL.Scheme = "https"
-	if _, err := endpoint.ping(); err != nil {
-		if endpoint.IsSecure {
-			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
-			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fall back to HTTP.
-			return nil, invalidParamf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
-		}
-
-		// registry is insecure and HTTPS failed, fallback to HTTP.
-		log.G(context.TODO()).WithError(err).Debugf("error from registry %q marked as insecure - insecurely falling back to HTTP", endpoint)
-		endpoint.URL.Scheme = "http"
-		if _, err2 := endpoint.ping(); err2 != nil {
-			return nil, invalidParamf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
-		}
-	}
-
-	return endpoint, nil
-}
-
-// trimV1Address trims the "v1" version suffix off the address and returns
-// the trimmed address. It returns an error on "v2" endpoints.
-func trimV1Address(address string) (string, error) {
-	trimmed := strings.TrimSuffix(address, "/")
-	if strings.HasSuffix(trimmed, "/v2") {
-		return "", invalidParamf("search is not supported on v2 endpoints: %s", address)
-	}
-	return strings.TrimSuffix(trimmed, "/v1"), nil
-}
-
-func newV1EndpointFromStr(address string, tlsConfig *tls.Config, headers http.Header) (*v1Endpoint, error) {
-	if !strings.HasPrefix(address, "http://") && !strings.HasPrefix(address, "https://") {
-		address = "https://" + address
-	}
-
-	address, err := trimV1Address(address)
-	if err != nil {
-		return nil, err
-	}
-
-	uri, err := url.Parse(address)
-	if err != nil {
-		return nil, invalidParam(err)
-	}
-
-	// TODO(tiborvass): make sure a ConnectTimeout transport is used
-	tr := newTransport(tlsConfig)
-
-	return &v1Endpoint{
-		IsSecure: tlsConfig == nil || !tlsConfig.InsecureSkipVerify,
-		URL:      uri,
-		client:   httpClient(transport.NewTransport(tr, Headers("", headers)...)),
-	}, nil
-}
-
-// Get the formatted URL for the root of this registry Endpoint
-func (e *v1Endpoint) String() string {
-	return e.URL.String() + "/v1/"
-}
-
-// ping returns a v1PingResult which indicates whether the registry is standalone or not.
-func (e *v1Endpoint) ping() (v1PingResult, error) {
-	if e.String() == IndexServer {
-		// Skip the check, we know this one is valid
-		// (and we never want to fallback to http in case of error)
-		return v1PingResult{}, nil
-	}
-
-	pingURL := e.String() + "_ping"
-	log.G(context.TODO()).WithField("url", pingURL).Debug("attempting v1 ping for registry endpoint")
-	req, err := http.NewRequest(http.MethodGet, pingURL, nil)
-	if err != nil {
-		return v1PingResult{}, invalidParam(err)
-	}
-
-	resp, err := e.client.Do(req)
-	if err != nil {
-		return v1PingResult{}, invalidParam(err)
-	}
-
-	defer resp.Body.Close()
-
-	if v := resp.Header.Get("X-Docker-Registry-Standalone"); v != "" {
-		info := v1PingResult{}
-		// Accepted values are "1", and "true" (case-insensitive).
-		if v == "1" || strings.EqualFold(v, "true") {
-			info.Standalone = true
-		}
-		log.G(context.TODO()).Debugf("v1PingResult.Standalone (from X-Docker-Registry-Standalone header): %t", info.Standalone)
-		return info, nil
-	}
-
-	// If the header is absent, we assume true for compatibility with earlier
-	// versions of the registry. default to true
-	info := v1PingResult{
-		Standalone: true,
-	}
-	if err := json.NewDecoder(resp.Body).Decode(&info); err != nil {
-		log.G(context.TODO()).WithError(err).Debug("error unmarshaling _ping response")
-		// don't stop here. Just assume sane defaults
-	}
-
-	log.G(context.TODO()).Debugf("v1PingResult.Standalone: %t", info.Standalone)
-	return info, nil
-}
-
-// httpClient returns an HTTP client structure which uses the given transport
-// and contains the necessary headers for redirected requests
-func httpClient(transport http.RoundTripper) *http.Client {
-	return &http.Client{
-		Transport:     transport,
-		CheckRedirect: addRequiredHeadersToRedirectedRequests,
-	}
-}
-
-func trustedLocation(req *http.Request) bool {
-	var (
-		trusteds = []string{"docker.com", "docker.io"}
-		hostname = strings.SplitN(req.Host, ":", 2)[0]
-	)
-	if req.URL.Scheme != "https" {
-		return false
-	}
-
-	for _, trusted := range trusteds {
-		if hostname == trusted || strings.HasSuffix(hostname, "."+trusted) {
-			return true
-		}
-	}
-	return false
-}
-
-// addRequiredHeadersToRedirectedRequests adds the necessary redirection headers
-// for redirected requests
-func addRequiredHeadersToRedirectedRequests(req *http.Request, via []*http.Request) error {
-	if len(via) != 0 && via[0] != nil {
-		if trustedLocation(req) && trustedLocation(via[0]) {
-			req.Header = via[0].Header
-			return nil
-		}
-		for k, v := range via[0].Header {
-			if k != "Authorization" {
-				for _, vv := range v {
-					req.Header.Add(k, vv)
-				}
-			}
-		}
-	}
-	return nil
-}
diff --git a/vendor/github.com/docker/docker/registry/search_session.go b/vendor/github.com/docker/docker/registry/search_session.go
deleted file mode 100644
index a0d25c80..00000000
--- a/vendor/github.com/docker/docker/registry/search_session.go
+++ /dev/null
@@ -1,247 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	// this is required for some certificates
-	"context"
-	_ "crypto/sha512"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"net/http/cookiejar"
-	"net/url"
-	"strings"
-	"sync"
-
-	"github.com/containerd/log"
-	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/errdefs"
-	"github.com/pkg/errors"
-)
-
-// A session is used to communicate with a V1 registry
-type session struct {
-	indexEndpoint *v1Endpoint
-	client        *http.Client
-}
-
-type authTransport struct {
-	http.RoundTripper
-	*registry.AuthConfig
-
-	alwaysSetBasicAuth bool
-	token              []string
-
-	mu     sync.Mutex                      // guards modReq
-	modReq map[*http.Request]*http.Request // original -> modified
-}
-
-// newAuthTransport handles the auth layer when communicating with a v1 registry (private or official)
-//
-// For private v1 registries, set alwaysSetBasicAuth to true.
-//
-// For the official v1 registry, if there isn't already an Authorization header in the request,
-// but there is an X-Docker-Token header set to true, then Basic Auth will be used to set the Authorization header.
-// After sending the request with the provided base http.RoundTripper, if an X-Docker-Token header, representing
-// a token, is present in the response, then it gets cached and sent in the Authorization header of all subsequent
-// requests.
-//
-// If the server sends a token without the client having requested it, it is ignored.
-//
-// This RoundTripper also has a CancelRequest method important for correct timeout handling.
-func newAuthTransport(base http.RoundTripper, authConfig *registry.AuthConfig, alwaysSetBasicAuth bool) *authTransport {
-	if base == nil {
-		base = http.DefaultTransport
-	}
-	return &authTransport{
-		RoundTripper:       base,
-		AuthConfig:         authConfig,
-		alwaysSetBasicAuth: alwaysSetBasicAuth,
-		modReq:             make(map[*http.Request]*http.Request),
-	}
-}
-
-// cloneRequest returns a clone of the provided *http.Request.
-// The clone is a shallow copy of the struct and its Header map.
-func cloneRequest(r *http.Request) *http.Request {
-	// shallow copy of the struct
-	r2 := new(http.Request)
-	*r2 = *r
-	// deep copy of the Header
-	r2.Header = make(http.Header, len(r.Header))
-	for k, s := range r.Header {
-		r2.Header[k] = append([]string(nil), s...)
-	}
-
-	return r2
-}
-
-// onEOFReader wraps an io.ReadCloser and a function
-// the function will run at the end of file or close the file.
-type onEOFReader struct {
-	Rc io.ReadCloser
-	Fn func()
-}
-
-func (r *onEOFReader) Read(p []byte) (n int, err error) {
-	n, err = r.Rc.Read(p)
-	if err == io.EOF {
-		r.runFunc()
-	}
-	return
-}
-
-// Close closes the file and run the function.
-func (r *onEOFReader) Close() error {
-	err := r.Rc.Close()
-	r.runFunc()
-	return err
-}
-
-func (r *onEOFReader) runFunc() {
-	if fn := r.Fn; fn != nil {
-		fn()
-		r.Fn = nil
-	}
-}
-
-// RoundTrip changes an HTTP request's headers to add the necessary
-// authentication-related headers
-func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
-	// Authorization should not be set on 302 redirect for untrusted locations.
-	// This logic mirrors the behavior in addRequiredHeadersToRedirectedRequests.
-	// As the authorization logic is currently implemented in RoundTrip,
-	// a 302 redirect is detected by looking at the Referrer header as go http package adds said header.
-	// This is safe as Docker doesn't set Referrer in other scenarios.
-	if orig.Header.Get("Referer") != "" && !trustedLocation(orig) {
-		return tr.RoundTripper.RoundTrip(orig)
-	}
-
-	req := cloneRequest(orig)
-	tr.mu.Lock()
-	tr.modReq[orig] = req
-	tr.mu.Unlock()
-
-	if tr.alwaysSetBasicAuth {
-		if tr.AuthConfig == nil {
-			return nil, errors.New("unexpected error: empty auth config")
-		}
-		req.SetBasicAuth(tr.Username, tr.Password)
-		return tr.RoundTripper.RoundTrip(req)
-	}
-
-	// Don't override
-	if req.Header.Get("Authorization") == "" {
-		if req.Header.Get("X-Docker-Token") == "true" && tr.AuthConfig != nil && len(tr.Username) > 0 {
-			req.SetBasicAuth(tr.Username, tr.Password)
-		} else if len(tr.token) > 0 {
-			req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ","))
-		}
-	}
-	resp, err := tr.RoundTripper.RoundTrip(req)
-	if err != nil {
-		tr.mu.Lock()
-		delete(tr.modReq, orig)
-		tr.mu.Unlock()
-		return nil, err
-	}
-	if len(resp.Header["X-Docker-Token"]) > 0 {
-		tr.token = resp.Header["X-Docker-Token"]
-	}
-	resp.Body = &onEOFReader{
-		Rc: resp.Body,
-		Fn: func() {
-			tr.mu.Lock()
-			delete(tr.modReq, orig)
-			tr.mu.Unlock()
-		},
-	}
-	return resp, nil
-}
-
-// CancelRequest cancels an in-flight request by closing its connection.
-func (tr *authTransport) CancelRequest(req *http.Request) {
-	type canceler interface {
-		CancelRequest(*http.Request)
-	}
-	if cr, ok := tr.RoundTripper.(canceler); ok {
-		tr.mu.Lock()
-		modReq := tr.modReq[req]
-		delete(tr.modReq, req)
-		tr.mu.Unlock()
-		cr.CancelRequest(modReq)
-	}
-}
-
-func authorizeClient(client *http.Client, authConfig *registry.AuthConfig, endpoint *v1Endpoint) error {
-	var alwaysSetBasicAuth bool
-
-	// If we're working with a standalone private registry over HTTPS, send Basic Auth headers
-	// alongside all our requests.
-	if endpoint.String() != IndexServer && endpoint.URL.Scheme == "https" {
-		info, err := endpoint.ping()
-		if err != nil {
-			return err
-		}
-		if info.Standalone && authConfig != nil {
-			log.G(context.TODO()).Debugf("Endpoint %s is eligible for private registry. Enabling decorator.", endpoint.String())
-			alwaysSetBasicAuth = true
-		}
-	}
-
-	// Annotate the transport unconditionally so that v2 can
-	// properly fallback on v1 when an image is not found.
-	client.Transport = newAuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
-
-	jar, err := cookiejar.New(nil)
-	if err != nil {
-		return errdefs.System(errors.New("cookiejar.New is not supposed to return an error"))
-	}
-	client.Jar = jar
-
-	return nil
-}
-
-func newSession(client *http.Client, endpoint *v1Endpoint) *session {
-	return &session{
-		client:        client,
-		indexEndpoint: endpoint,
-	}
-}
-
-// defaultSearchLimit is the default value for maximum number of returned search results.
-const defaultSearchLimit = 25
-
-// searchRepositories performs a search against the remote repository
-func (r *session) searchRepositories(term string, limit int) (*registry.SearchResults, error) {
-	if limit == 0 {
-		limit = defaultSearchLimit
-	}
-	if limit < 1 || limit > 100 {
-		return nil, invalidParamf("limit %d is outside the range of [1, 100]", limit)
-	}
-	u := r.indexEndpoint.String() + "search?q=" + url.QueryEscape(term) + "&n=" + url.QueryEscape(fmt.Sprintf("%d", limit))
-	log.G(context.TODO()).WithField("url", u).Debug("searchRepositories")
-
-	req, err := http.NewRequest(http.MethodGet, u, nil)
-	if err != nil {
-		return nil, invalidParamWrapf(err, "error building request")
-	}
-	// Have the AuthTransport send authentication, when logged in.
-	req.Header.Set("X-Docker-Token", "true")
-	res, err := r.client.Do(req)
-	if err != nil {
-		return nil, errdefs.System(err)
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		// TODO(thaJeztah): return upstream response body for errors (see https://github.com/moby/moby/issues/27286).
-		return nil, errdefs.Unknown(fmt.Errorf("Unexpected status code %d", res.StatusCode))
-	}
-	result := &registry.SearchResults{}
-	err = json.NewDecoder(res.Body).Decode(result)
-	if err != nil {
-		return nil, errdefs.System(errors.Wrap(err, "error decoding registry search results"))
-	}
-	return result, nil
-}
diff --git a/vendor/github.com/docker/docker/registry/service.go b/vendor/github.com/docker/docker/registry/service.go
deleted file mode 100644
index 4d66523c..00000000
--- a/vendor/github.com/docker/docker/registry/service.go
+++ /dev/null
@@ -1,137 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"context"
-	"crypto/tls"
-	"net/url"
-	"strings"
-	"sync"
-
-	"github.com/containerd/log"
-	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types/registry"
-	"github.com/docker/docker/errdefs"
-)
-
-// Service is a registry service. It tracks configuration data such as a list
-// of mirrors.
-type Service struct {
-	config *serviceConfig
-	mu     sync.RWMutex
-}
-
-// NewService returns a new instance of [Service] ready to be installed into
-// an engine.
-func NewService(options ServiceOptions) (*Service, error) {
-	config, err := newServiceConfig(options)
-
-	return &Service{config: config}, err
-}
-
-// ServiceConfig returns a copy of the public registry service's configuration.
-func (s *Service) ServiceConfig() *registry.ServiceConfig {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	return s.config.copy()
-}
-
-// ReplaceConfig prepares a transaction which will atomically replace the
-// registry service's configuration when the returned commit function is called.
-func (s *Service) ReplaceConfig(options ServiceOptions) (commit func(), err error) {
-	config, err := newServiceConfig(options)
-	if err != nil {
-		return nil, err
-	}
-	return func() {
-		s.mu.Lock()
-		defer s.mu.Unlock()
-		s.config = config
-	}, nil
-}
-
-// Auth contacts the public registry with the provided credentials,
-// and returns OK if authentication was successful.
-// It can be used to verify the validity of a client's credentials.
-func (s *Service) Auth(ctx context.Context, authConfig *registry.AuthConfig, userAgent string) (status, token string, err error) {
-	// TODO Use ctx when searching for repositories
-	registryHostName := IndexHostname
-
-	if authConfig.ServerAddress != "" {
-		serverAddress := authConfig.ServerAddress
-		if !strings.HasPrefix(serverAddress, "https://") && !strings.HasPrefix(serverAddress, "http://") {
-			serverAddress = "https://" + serverAddress
-		}
-		u, err := url.Parse(serverAddress)
-		if err != nil {
-			return "", "", invalidParamWrapf(err, "unable to parse server address")
-		}
-		registryHostName = u.Host
-	}
-
-	// Lookup endpoints for authentication but exclude mirrors to prevent
-	// sending credentials of the upstream registry to a mirror.
-	s.mu.RLock()
-	endpoints, err := s.lookupV2Endpoints(registryHostName, false)
-	s.mu.RUnlock()
-	if err != nil {
-		return "", "", invalidParam(err)
-	}
-
-	for _, endpoint := range endpoints {
-		status, token, err = loginV2(authConfig, endpoint, userAgent)
-		if err == nil {
-			return
-		}
-		if errdefs.IsUnauthorized(err) {
-			// Failed to authenticate; don't continue with (non-TLS) endpoints.
-			return status, token, err
-		}
-		log.G(ctx).WithError(err).Infof("Error logging in to endpoint, trying next endpoint")
-	}
-
-	return "", "", err
-}
-
-// ResolveRepository splits a repository name into its components
-// and configuration of the associated registry.
-func (s *Service) ResolveRepository(name reference.Named) (*RepositoryInfo, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	return newRepositoryInfo(s.config, name)
-}
-
-// APIEndpoint represents a remote API endpoint
-type APIEndpoint struct {
-	Mirror                         bool
-	URL                            *url.URL
-	AllowNondistributableArtifacts bool // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
-	Official                       bool
-	TrimHostname                   bool // Deprecated: hostname is now trimmed unconditionally for remote names. This field will be removed in the next release.
-	TLSConfig                      *tls.Config
-}
-
-// LookupPullEndpoints creates a list of v2 endpoints to try to pull from, in order of preference.
-// It gives preference to mirrors over the actual registry, and HTTPS over plain HTTP.
-func (s *Service) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	return s.lookupV2Endpoints(hostname, true)
-}
-
-// LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference.
-// It gives preference to HTTPS over plain HTTP. Mirrors are not included.
-func (s *Service) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	return s.lookupV2Endpoints(hostname, false)
-}
-
-// IsInsecureRegistry returns true if the registry at given host is configured as
-// insecure registry.
-func (s *Service) IsInsecureRegistry(host string) bool {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	return !s.config.isSecureIndex(host)
-}
diff --git a/vendor/github.com/docker/docker/registry/service_v2.go b/vendor/github.com/docker/docker/registry/service_v2.go
deleted file mode 100644
index 43754527..00000000
--- a/vendor/github.com/docker/docker/registry/service_v2.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"net/url"
-	"strings"
-
-	"github.com/docker/go-connections/tlsconfig"
-)
-
-func (s *Service) lookupV2Endpoints(hostname string, includeMirrors bool) ([]APIEndpoint, error) {
-	var endpoints []APIEndpoint
-	if hostname == DefaultNamespace || hostname == IndexHostname {
-		if includeMirrors {
-			for _, mirror := range s.config.Mirrors {
-				if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
-					mirror = "https://" + mirror
-				}
-				mirrorURL, err := url.Parse(mirror)
-				if err != nil {
-					return nil, invalidParam(err)
-				}
-				mirrorTLSConfig, err := newTLSConfig(mirrorURL.Host, s.config.isSecureIndex(mirrorURL.Host))
-				if err != nil {
-					return nil, err
-				}
-				endpoints = append(endpoints, APIEndpoint{
-					URL:       mirrorURL,
-					Mirror:    true,
-					TLSConfig: mirrorTLSConfig,
-				})
-			}
-		}
-		endpoints = append(endpoints, APIEndpoint{
-			URL:       DefaultV2Registry,
-			Official:  true,
-			TLSConfig: tlsconfig.ServerDefault(),
-		})
-
-		return endpoints, nil
-	}
-
-	tlsConfig, err := newTLSConfig(hostname, s.config.isSecureIndex(hostname))
-	if err != nil {
-		return nil, err
-	}
-
-	endpoints = []APIEndpoint{
-		{
-			URL: &url.URL{
-				Scheme: "https",
-				Host:   hostname,
-			},
-			TLSConfig: tlsConfig,
-		},
-	}
-
-	if tlsConfig.InsecureSkipVerify {
-		endpoints = append(endpoints, APIEndpoint{
-			URL: &url.URL{
-				Scheme: "http",
-				Host:   hostname,
-			},
-			// used to check if supposed to be secure via InsecureSkipVerify
-			TLSConfig: tlsConfig,
-		})
-	}
-
-	return endpoints, nil
-}
diff --git a/vendor/github.com/docker/docker/registry/types.go b/vendor/github.com/docker/docker/registry/types.go
deleted file mode 100644
index 02d7f4f3..00000000
--- a/vendor/github.com/docker/docker/registry/types.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package registry // import "github.com/docker/docker/registry"
-
-import (
-	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types/registry"
-)
-
-// RepositoryInfo describes a repository
-type RepositoryInfo struct {
-	Name reference.Named
-	// Index points to registry information
-	Index *registry.IndexInfo
-	// Official indicates whether the repository is considered official.
-	// If the registry is official, and the normalized name does not
-	// contain a '/' (e.g. "foo"), then it is considered an official repo.
-	Official bool
-	// Class represents the class of the repository, such as "plugin"
-	// or "image".
-	//
-	// Deprecated: this field is no longer used, and will be removed in the next release.
-	Class string
-}
diff --git a/vendor/github.com/docker/go-connections/nat/nat.go b/vendor/github.com/docker/go-connections/nat/nat.go
index 4049d780..1ffe0355 100644
--- a/vendor/github.com/docker/go-connections/nat/nat.go
+++ b/vendor/github.com/docker/go-connections/nat/nat.go
@@ -2,6 +2,7 @@
 package nat
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"strconv"
@@ -43,19 +44,19 @@ func NewPort(proto, port string) (Port, error) {
 
 // ParsePort parses the port number string and returns an int
 func ParsePort(rawPort string) (int, error) {
-	if len(rawPort) == 0 {
+	if rawPort == "" {
 		return 0, nil
 	}
 	port, err := strconv.ParseUint(rawPort, 10, 16)
 	if err != nil {
-		return 0, err
+		return 0, fmt.Errorf("invalid port '%s': %w", rawPort, errors.Unwrap(err))
 	}
 	return int(port), nil
 }
 
 // ParsePortRangeToInt parses the port range string and returns start/end ints
 func ParsePortRangeToInt(rawPort string) (int, int, error) {
-	if len(rawPort) == 0 {
+	if rawPort == "" {
 		return 0, 0, nil
 	}
 	start, end, err := ParsePortRange(rawPort)
@@ -91,29 +92,31 @@ func (p Port) Range() (int, int, error) {
 	return ParsePortRangeToInt(p.Port())
 }
 
-// SplitProtoPort splits a port in the format of proto/port
-func SplitProtoPort(rawPort string) (string, string) {
-	parts := strings.Split(rawPort, "/")
-	l := len(parts)
-	if len(rawPort) == 0 || l == 0 || len(parts[0]) == 0 {
+// SplitProtoPort splits a port(range) and protocol, formatted as "<portnum>/[<proto>]"
+// "<startport-endport>/[<proto>]". It returns an empty string for both if
+// no port(range) is provided. If a port(range) is provided, but no protocol,
+// the default ("tcp") protocol is returned.
+//
+// SplitProtoPort does not validate or normalize the returned values.
+func SplitProtoPort(rawPort string) (proto string, port string) {
+	port, proto, _ = strings.Cut(rawPort, "/")
+	if port == "" {
 		return "", ""
 	}
-	if l == 1 {
-		return "tcp", rawPort
+	if proto == "" {
+		proto = "tcp"
 	}
-	if len(parts[1]) == 0 {
-		return "tcp", parts[0]
-	}
-	return parts[1], parts[0]
+	return proto, port
 }
 
-func validateProto(proto string) bool {
-	for _, availableProto := range []string{"tcp", "udp", "sctp"} {
-		if availableProto == proto {
-			return true
-		}
+func validateProto(proto string) error {
+	switch proto {
+	case "tcp", "udp", "sctp":
+		// All good
+		return nil
+	default:
+		return errors.New("invalid proto: " + proto)
 	}
-	return false
 }
 
 // ParsePortSpecs receives port specs in the format of ip:public:private/proto and parses
@@ -123,22 +126,18 @@ func ParsePortSpecs(ports []string) (map[Port]struct{}, map[Port][]PortBinding,
 		exposedPorts = make(map[Port]struct{}, len(ports))
 		bindings     = make(map[Port][]PortBinding)
 	)
-	for _, rawPort := range ports {
-		portMappings, err := ParsePortSpec(rawPort)
+	for _, p := range ports {
+		portMappings, err := ParsePortSpec(p)
 		if err != nil {
 			return nil, nil, err
 		}
 
-		for _, portMapping := range portMappings {
-			port := portMapping.Port
-			if _, exists := exposedPorts[port]; !exists {
+		for _, pm := range portMappings {
+			port := pm.Port
+			if _, ok := exposedPorts[port]; !ok {
 				exposedPorts[port] = struct{}{}
 			}
-			bslice, exists := bindings[port]
-			if !exists {
-				bslice = []PortBinding{}
-			}
-			bindings[port] = append(bslice, portMapping.Binding)
+			bindings[port] = append(bindings[port], pm.Binding)
 		}
 	}
 	return exposedPorts, bindings, nil
@@ -150,28 +149,34 @@ type PortMapping struct {
 	Binding PortBinding
 }
 
-func splitParts(rawport string) (string, string, string) {
-	parts := strings.Split(rawport, ":")
-	n := len(parts)
-	containerPort := parts[n-1]
+func (p *PortMapping) String() string {
+	return net.JoinHostPort(p.Binding.HostIP, p.Binding.HostPort+":"+string(p.Port))
+}
 
-	switch n {
+func splitParts(rawport string) (hostIP, hostPort, containerPort string) {
+	parts := strings.Split(rawport, ":")
+
+	switch len(parts) {
 	case 1:
-		return "", "", containerPort
+		return "", "", parts[0]
 	case 2:
-		return "", parts[0], containerPort
+		return "", parts[0], parts[1]
 	case 3:
-		return parts[0], parts[1], containerPort
+		return parts[0], parts[1], parts[2]
 	default:
-		return strings.Join(parts[:n-2], ":"), parts[n-2], containerPort
+		n := len(parts)
+		return strings.Join(parts[:n-2], ":"), parts[n-2], parts[n-1]
 	}
 }
 
 // ParsePortSpec parses a port specification string into a slice of PortMappings
 func ParsePortSpec(rawPort string) ([]PortMapping, error) {
-	var proto string
 	ip, hostPort, containerPort := splitParts(rawPort)
-	proto, containerPort = SplitProtoPort(containerPort)
+	proto, containerPort := SplitProtoPort(containerPort)
+	proto = strings.ToLower(proto)
+	if err := validateProto(proto); err != nil {
+		return nil, err
+	}
 
 	if ip != "" && ip[0] == '[' {
 		// Strip [] from IPV6 addresses
@@ -182,7 +187,7 @@ func ParsePortSpec(rawPort string) ([]PortMapping, error) {
 		ip = rawIP
 	}
 	if ip != "" && net.ParseIP(ip) == nil {
-		return nil, fmt.Errorf("invalid IP address: %s", ip)
+		return nil, errors.New("invalid IP address: " + ip)
 	}
 	if containerPort == "" {
 		return nil, fmt.Errorf("no port specified: %s<empty>", rawPort)
@@ -190,51 +195,43 @@ func ParsePortSpec(rawPort string) ([]PortMapping, error) {
 
 	startPort, endPort, err := ParsePortRange(containerPort)
 	if err != nil {
-		return nil, fmt.Errorf("invalid containerPort: %s", containerPort)
+		return nil, errors.New("invalid containerPort: " + containerPort)
 	}
 
-	var startHostPort, endHostPort uint64 = 0, 0
-	if len(hostPort) > 0 {
+	var startHostPort, endHostPort uint64
+	if hostPort != "" {
 		startHostPort, endHostPort, err = ParsePortRange(hostPort)
 		if err != nil {
-			return nil, fmt.Errorf("invalid hostPort: %s", hostPort)
+			return nil, errors.New("invalid hostPort: " + hostPort)
+		}
+		if (endPort - startPort) != (endHostPort - startHostPort) {
+			// Allow host port range iff containerPort is not a range.
+			// In this case, use the host port range as the dynamic
+			// host port range to allocate into.
+			if endPort != startPort {
+				return nil, fmt.Errorf("invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)
+			}
 		}
 	}
 
-	if hostPort != "" && (endPort-startPort) != (endHostPort-startHostPort) {
-		// Allow host port range iff containerPort is not a range.
-		// In this case, use the host port range as the dynamic
-		// host port range to allocate into.
-		if endPort != startPort {
-			return nil, fmt.Errorf("invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)
-		}
-	}
+	count := endPort - startPort + 1
+	ports := make([]PortMapping, 0, count)
 
-	if !validateProto(strings.ToLower(proto)) {
-		return nil, fmt.Errorf("invalid proto: %s", proto)
-	}
-
-	ports := []PortMapping{}
-	for i := uint64(0); i <= (endPort - startPort); i++ {
-		containerPort = strconv.FormatUint(startPort+i, 10)
-		if len(hostPort) > 0 {
-			hostPort = strconv.FormatUint(startHostPort+i, 10)
+	for i := uint64(0); i < count; i++ {
+		cPort := Port(strconv.FormatUint(startPort+i, 10) + "/" + proto)
+		hPort := ""
+		if hostPort != "" {
+			hPort = strconv.FormatUint(startHostPort+i, 10)
+			// Set hostPort to a range only if there is a single container port
+			// and a dynamic host port.
+			if count == 1 && startHostPort != endHostPort {
+				hPort += "-" + strconv.FormatUint(endHostPort, 10)
+			}
 		}
-		// Set hostPort to a range only if there is a single container port
-		// and a dynamic host port.
-		if startPort == endPort && startHostPort != endHostPort {
-			hostPort = fmt.Sprintf("%s-%s", hostPort, strconv.FormatUint(endHostPort, 10))
-		}
-		port, err := NewPort(strings.ToLower(proto), containerPort)
-		if err != nil {
-			return nil, err
-		}
-
-		binding := PortBinding{
-			HostIP:   ip,
-			HostPort: hostPort,
-		}
-		ports = append(ports, PortMapping{Port: port, Binding: binding})
+		ports = append(ports, PortMapping{
+			Port:    cPort,
+			Binding: PortBinding{HostIP: ip, HostPort: hPort},
+		})
 	}
 	return ports, nil
 }
diff --git a/vendor/github.com/docker/go-connections/nat/parse.go b/vendor/github.com/docker/go-connections/nat/parse.go
index e4b53e8a..64affa2a 100644
--- a/vendor/github.com/docker/go-connections/nat/parse.go
+++ b/vendor/github.com/docker/go-connections/nat/parse.go
@@ -1,7 +1,7 @@
 package nat
 
 import (
-	"fmt"
+	"errors"
 	"strconv"
 	"strings"
 )
@@ -9,7 +9,7 @@ import (
 // ParsePortRange parses and validates the specified string as a port-range (8000-9000)
 func ParsePortRange(ports string) (uint64, uint64, error) {
 	if ports == "" {
-		return 0, 0, fmt.Errorf("empty string specified for ports")
+		return 0, 0, errors.New("empty string specified for ports")
 	}
 	if !strings.Contains(ports, "-") {
 		start, err := strconv.ParseUint(ports, 10, 16)
@@ -27,7 +27,7 @@ func ParsePortRange(ports string) (uint64, uint64, error) {
 		return 0, 0, err
 	}
 	if end < start {
-		return 0, 0, fmt.Errorf("invalid range specified for port: %s", ports)
+		return 0, 0, errors.New("invalid range specified for port: " + ports)
 	}
 	return start, end, nil
 }
diff --git a/vendor/github.com/docker/go-connections/sockets/README.md b/vendor/github.com/docker/go-connections/sockets/README.md
deleted file mode 100644
index e69de29b..00000000
diff --git a/vendor/github.com/docker/go-connections/sockets/proxy.go b/vendor/github.com/docker/go-connections/sockets/proxy.go
index c897cb02..f04980e4 100644
--- a/vendor/github.com/docker/go-connections/sockets/proxy.go
+++ b/vendor/github.com/docker/go-connections/sockets/proxy.go
@@ -9,6 +9,8 @@ import (
 // GetProxyEnv allows access to the uppercase and the lowercase forms of
 // proxy-related variables.  See the Go specification for details on these
 // variables. https://golang.org/pkg/net/http/
+//
+// Deprecated: this function was used as helper for [DialerFromEnvironment] and is no longer used. It will be removed in the next release.
 func GetProxyEnv(key string) string {
 	proxyValue := os.Getenv(strings.ToUpper(key))
 	if proxyValue == "" {
@@ -19,10 +21,11 @@ func GetProxyEnv(key string) string {
 
 // DialerFromEnvironment was previously used to configure a net.Dialer to route
 // connections through a SOCKS proxy.
-// DEPRECATED: SOCKS proxies are now supported by configuring only
+//
+// Deprecated: SOCKS proxies are now supported by configuring only
 // http.Transport.Proxy, and no longer require changing http.Transport.Dial.
-// Therefore, only sockets.ConfigureTransport() needs to be called, and any
-// sockets.DialerFromEnvironment() calls can be dropped.
+// Therefore, only [sockets.ConfigureTransport] needs to be called, and any
+// [sockets.DialerFromEnvironment] calls can be dropped.
 func DialerFromEnvironment(direct *net.Dialer) (*net.Dialer, error) {
 	return direct, nil
 }
diff --git a/vendor/github.com/docker/go-connections/sockets/sockets.go b/vendor/github.com/docker/go-connections/sockets/sockets.go
index b0eae239..61172978 100644
--- a/vendor/github.com/docker/go-connections/sockets/sockets.go
+++ b/vendor/github.com/docker/go-connections/sockets/sockets.go
@@ -2,13 +2,19 @@
 package sockets
 
 import (
+	"context"
 	"errors"
+	"fmt"
 	"net"
 	"net/http"
+	"syscall"
 	"time"
 )
 
-const defaultTimeout = 10 * time.Second
+const (
+	defaultTimeout        = 10 * time.Second
+	maxUnixSocketPathSize = len(syscall.RawSockaddrUnix{}.Path)
+)
 
 // ErrProtocolNotAvailable is returned when a given transport protocol is not provided by the operating system.
 var ErrProtocolNotAvailable = errors.New("protocol not available")
@@ -35,3 +41,26 @@ func ConfigureTransport(tr *http.Transport, proto, addr string) error {
 	}
 	return nil
 }
+
+// DialPipe connects to a Windows named pipe. It is not supported on
+// non-Windows platforms.
+//
+// Deprecated: use [github.com/Microsoft/go-winio.DialPipe] or [github.com/Microsoft/go-winio.DialPipeContext].
+func DialPipe(addr string, timeout time.Duration) (net.Conn, error) {
+	return dialPipe(addr, timeout)
+}
+
+func configureUnixTransport(tr *http.Transport, proto, addr string) error {
+	if len(addr) > maxUnixSocketPathSize {
+		return fmt.Errorf("unix socket path %q is too long", addr)
+	}
+	// No need for compression in local communications.
+	tr.DisableCompression = true
+	dialer := &net.Dialer{
+		Timeout: defaultTimeout,
+	}
+	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
+		return dialer.DialContext(ctx, proto, addr)
+	}
+	return nil
+}
diff --git a/vendor/github.com/docker/go-connections/sockets/sockets_unix.go b/vendor/github.com/docker/go-connections/sockets/sockets_unix.go
index 78a34a98..913d2f00 100644
--- a/vendor/github.com/docker/go-connections/sockets/sockets_unix.go
+++ b/vendor/github.com/docker/go-connections/sockets/sockets_unix.go
@@ -3,37 +3,16 @@
 package sockets
 
 import (
-	"context"
-	"fmt"
 	"net"
 	"net/http"
 	"syscall"
 	"time"
 )
 
-const maxUnixSocketPathSize = len(syscall.RawSockaddrUnix{}.Path)
-
-func configureUnixTransport(tr *http.Transport, proto, addr string) error {
-	if len(addr) > maxUnixSocketPathSize {
-		return fmt.Errorf("unix socket path %q is too long", addr)
-	}
-	// No need for compression in local communications.
-	tr.DisableCompression = true
-	dialer := &net.Dialer{
-		Timeout: defaultTimeout,
-	}
-	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
-		return dialer.DialContext(ctx, proto, addr)
-	}
-	return nil
-}
-
 func configureNpipeTransport(tr *http.Transport, proto, addr string) error {
 	return ErrProtocolNotAvailable
 }
 
-// DialPipe connects to a Windows named pipe.
-// This is not supported on other OSes.
-func DialPipe(_ string, _ time.Duration) (net.Conn, error) {
+func dialPipe(_ string, _ time.Duration) (net.Conn, error) {
 	return nil, syscall.EAFNOSUPPORT
 }
diff --git a/vendor/github.com/docker/go-connections/sockets/sockets_windows.go b/vendor/github.com/docker/go-connections/sockets/sockets_windows.go
index 7acafc5a..6d6beb38 100644
--- a/vendor/github.com/docker/go-connections/sockets/sockets_windows.go
+++ b/vendor/github.com/docker/go-connections/sockets/sockets_windows.go
@@ -9,10 +9,6 @@ import (
 	"github.com/Microsoft/go-winio"
 )
 
-func configureUnixTransport(tr *http.Transport, proto, addr string) error {
-	return ErrProtocolNotAvailable
-}
-
 func configureNpipeTransport(tr *http.Transport, proto, addr string) error {
 	// No need for compression in local communications.
 	tr.DisableCompression = true
@@ -22,7 +18,6 @@ func configureNpipeTransport(tr *http.Transport, proto, addr string) error {
 	return nil
 }
 
-// DialPipe connects to a Windows named pipe.
-func DialPipe(addr string, timeout time.Duration) (net.Conn, error) {
+func dialPipe(addr string, timeout time.Duration) (net.Conn, error) {
 	return winio.DialPipe(addr, &timeout)
 }
diff --git a/vendor/github.com/docker/go-connections/sockets/unix_socket.go b/vendor/github.com/docker/go-connections/sockets/unix_socket.go
index b9233521..e736f71d 100644
--- a/vendor/github.com/docker/go-connections/sockets/unix_socket.go
+++ b/vendor/github.com/docker/go-connections/sockets/unix_socket.go
@@ -1,5 +1,3 @@
-//go:build !windows
-
 /*
 Package sockets is a simple unix domain socket wrapper.
 
@@ -57,26 +55,6 @@ import (
 // SockOption sets up socket file's creating option
 type SockOption func(string) error
 
-// WithChown modifies the socket file's uid and gid
-func WithChown(uid, gid int) SockOption {
-	return func(path string) error {
-		if err := os.Chown(path, uid, gid); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-// WithChmod modifies socket file's access mode.
-func WithChmod(mask os.FileMode) SockOption {
-	return func(path string) error {
-		if err := os.Chmod(path, mask); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
 // NewUnixSocketWithOpts creates a unix socket with the specified options.
 // By default, socket permissions are 0000 (i.e.: no access for anyone); pass
 // WithChmod() and WithChown() to set the desired ownership and permissions.
@@ -90,22 +68,7 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error
 		return nil, err
 	}
 
-	// net.Listen does not allow for permissions to be set. As a result, when
-	// specifying custom permissions ("WithChmod()"), there is a short time
-	// between creating the socket and applying the permissions, during which
-	// the socket permissions are Less restrictive than desired.
-	//
-	// To work around this limitation of net.Listen(), we temporarily set the
-	// umask to 0777, which forces the socket to be created with 000 permissions
-	// (i.e.: no access for anyone). After that, WithChmod() must be used to set
-	// the desired permissions.
-	//
-	// We don't use "defer" here, to reset the umask to its original value as soon
-	// as possible. Ideally we'd be able to detect if WithChmod() was passed as
-	// an option, and skip changing umask if default permissions are used.
-	origUmask := syscall.Umask(0o777)
-	l, err := net.Listen("unix", path)
-	syscall.Umask(origUmask)
+	l, err := listenUnix(path)
 	if err != nil {
 		return nil, err
 	}
@@ -119,8 +82,3 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error
 
 	return l, nil
 }
-
-// NewUnixSocket creates a unix socket with the specified path and group.
-func NewUnixSocket(path string, gid int) (net.Listener, error) {
-	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0o660))
-}
diff --git a/vendor/github.com/docker/go-connections/sockets/unix_socket_unix.go b/vendor/github.com/docker/go-connections/sockets/unix_socket_unix.go
new file mode 100644
index 00000000..a41a7165
--- /dev/null
+++ b/vendor/github.com/docker/go-connections/sockets/unix_socket_unix.go
@@ -0,0 +1,54 @@
+//go:build !windows
+
+package sockets
+
+import (
+	"net"
+	"os"
+	"syscall"
+)
+
+// WithChown modifies the socket file's uid and gid
+func WithChown(uid, gid int) SockOption {
+	return func(path string) error {
+		if err := os.Chown(path, uid, gid); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// WithChmod modifies socket file's access mode.
+func WithChmod(mask os.FileMode) SockOption {
+	return func(path string) error {
+		if err := os.Chmod(path, mask); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// NewUnixSocket creates a unix socket with the specified path and group.
+func NewUnixSocket(path string, gid int) (net.Listener, error) {
+	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0o660))
+}
+
+func listenUnix(path string) (net.Listener, error) {
+	// net.Listen does not allow for permissions to be set. As a result, when
+	// specifying custom permissions ("WithChmod()"), there is a short time
+	// between creating the socket and applying the permissions, during which
+	// the socket permissions are Less restrictive than desired.
+	//
+	// To work around this limitation of net.Listen(), we temporarily set the
+	// umask to 0777, which forces the socket to be created with 000 permissions
+	// (i.e.: no access for anyone). After that, WithChmod() must be used to set
+	// the desired permissions.
+	//
+	// We don't use "defer" here, to reset the umask to its original value as soon
+	// as possible. Ideally we'd be able to detect if WithChmod() was passed as
+	// an option, and skip changing umask if default permissions are used.
+	origUmask := syscall.Umask(0o777)
+	l, err := net.Listen("unix", path)
+	syscall.Umask(origUmask)
+	return l, err
+}
diff --git a/vendor/github.com/docker/go-connections/sockets/unix_socket_windows.go b/vendor/github.com/docker/go-connections/sockets/unix_socket_windows.go
new file mode 100644
index 00000000..5ec29e05
--- /dev/null
+++ b/vendor/github.com/docker/go-connections/sockets/unix_socket_windows.go
@@ -0,0 +1,7 @@
+package sockets
+
+import "net"
+
+func listenUnix(path string) (net.Listener, error) {
+	return net.Listen("unix", path)
+}
diff --git a/vendor/github.com/docker/go-connections/tlsconfig/config.go b/vendor/github.com/docker/go-connections/tlsconfig/config.go
index 606c98a3..8b0264f6 100644
--- a/vendor/github.com/docker/go-connections/tlsconfig/config.go
+++ b/vendor/github.com/docker/go-connections/tlsconfig/config.go
@@ -34,51 +34,37 @@ type Options struct {
 	// the system pool will be used.
 	ExclusiveRootPools bool
 	MinVersion         uint16
-	// If Passphrase is set, it will be used to decrypt a TLS private key
-	// if the key is encrypted.
-	//
-	// Deprecated: Use of encrypted TLS private keys has been deprecated, and
-	// will be removed in a future release. Golang has deprecated support for
-	// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
-	// design (see https://go-review.googlesource.com/c/go/+/264159).
-	Passphrase string
-}
-
-// Extra (server-side) accepted CBC cipher suites - will phase out in the future
-var acceptedCBCCiphers = []uint16{
-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 }
 
 // DefaultServerAcceptedCiphers should be uses by code which already has a crypto/tls
 // options struct but wants to use a commonly accepted set of TLS cipher suites, with
 // known weak algorithms removed.
-var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)
+var DefaultServerAcceptedCiphers = defaultCipherSuites
+
+// defaultCipherSuites is shared by both client and server as the default set.
+var defaultCipherSuites = []uint16{
+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+}
 
 // ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.
 func ServerDefault(ops ...func(*tls.Config)) *tls.Config {
-	tlsConfig := &tls.Config{
-		// Avoid fallback by default to SSL protocols < TLS1.2
-		MinVersion:               tls.VersionTLS12,
-		PreferServerCipherSuites: true,
-		CipherSuites:             DefaultServerAcceptedCiphers,
-	}
-
-	for _, op := range ops {
-		op(tlsConfig)
-	}
-
-	return tlsConfig
+	return defaultConfig(ops...)
 }
 
 // ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.
 func ClientDefault(ops ...func(*tls.Config)) *tls.Config {
+	return defaultConfig(ops...)
+}
+
+// defaultConfig is the default config used by both client and server TLS configuration.
+func defaultConfig(ops ...func(*tls.Config)) *tls.Config {
 	tlsConfig := &tls.Config{
-		// Prefer TLS1.2 as the client minimum
+		// Avoid fallback by default to SSL protocols < TLS1.2
 		MinVersion:   tls.VersionTLS12,
-		CipherSuites: clientCipherSuites,
+		CipherSuites: defaultCipherSuites,
 	}
 
 	for _, op := range ops {
@@ -92,13 +78,13 @@ func ClientDefault(ops ...func(*tls.Config)) *tls.Config {
 func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	// If we should verify the server, we need to load a trusted ca
 	var (
-		certPool *x509.CertPool
-		err      error
+		pool *x509.CertPool
+		err  error
 	)
 	if exclusivePool {
-		certPool = x509.NewCertPool()
+		pool = x509.NewCertPool()
 	} else {
-		certPool, err = SystemCertPool()
+		pool, err = SystemCertPool()
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
@@ -107,10 +93,10 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	if err != nil {
 		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
 	}
-	if !certPool.AppendCertsFromPEM(pemData) {
+	if !pool.AppendCertsFromPEM(pemData) {
 		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
 	}
-	return certPool, nil
+	return pool, nil
 }
 
 // allTLSVersions lists all the TLS versions and is used by the code that validates
@@ -144,34 +130,32 @@ func adjustMinVersion(options Options, config *tls.Config) error {
 	return nil
 }
 
-// IsErrEncryptedKey returns true if the 'err' is an error of incorrect
-// password when trying to decrypt a TLS private key.
+// errEncryptedKeyDeprecated is produced when we encounter an encrypted
+// (password-protected) key. From https://go-review.googlesource.com/c/go/+/264159;
 //
-// Deprecated: Use of encrypted TLS private keys has been deprecated, and
-// will be removed in a future release. Golang has deprecated support for
-// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
-// design (see https://go-review.googlesource.com/c/go/+/264159).
-func IsErrEncryptedKey(err error) bool {
-	return errors.Is(err, x509.IncorrectPasswordError)
-}
+// > Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
+// > it does not authenticate the ciphertext, it is vulnerable to padding oracle
+// > attacks that can let an attacker recover the plaintext
+// >
+// > It's unfortunate that we don't implement PKCS#8 encryption so we can't
+// > recommend an alternative but PEM encryption is so broken that it's worth
+// > deprecating outright.
+//
+// Also see https://docs.docker.com/go/deprecated/
+var errEncryptedKeyDeprecated = errors.New("private key is encrypted; encrypted private keys are obsolete, and not supported")
 
 // getPrivateKey returns the private key in 'keyBytes', in PEM-encoded format.
-// If the private key is encrypted, 'passphrase' is used to decrypted the
-// private key.
-func getPrivateKey(keyBytes []byte, passphrase string) ([]byte, error) {
+// It returns an error if the file could not be decoded or was protected by
+// a passphrase.
+func getPrivateKey(keyBytes []byte) ([]byte, error) {
 	// this section makes some small changes to code from notary/tuf/utils/x509.go
 	pemBlock, _ := pem.Decode(keyBytes)
 	if pemBlock == nil {
 		return nil, fmt.Errorf("no valid private key found")
 	}
 
-	var err error
 	if x509.IsEncryptedPEMBlock(pemBlock) { //nolint:staticcheck // Ignore SA1019 (IsEncryptedPEMBlock is deprecated)
-		keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(passphrase)) //nolint:staticcheck // Ignore SA1019 (DecryptPEMBlock is deprecated)
-		if err != nil {
-			return nil, fmt.Errorf("private key is encrypted, but could not decrypt it: %w", err)
-		}
-		keyBytes = pem.EncodeToMemory(&pem.Block{Type: pemBlock.Type, Bytes: keyBytes})
+		return nil, errEncryptedKeyDeprecated
 	}
 
 	return keyBytes, nil
@@ -195,7 +179,7 @@ func getCert(options Options) ([]tls.Certificate, error) {
 		return nil, err
 	}
 
-	prKeyBytes, err = getPrivateKey(prKeyBytes, options.Passphrase)
+	prKeyBytes, err = getPrivateKey(prKeyBytes)
 	if err != nil {
 		return nil, err
 	}
@@ -210,7 +194,7 @@ func getCert(options Options) ([]tls.Certificate, error) {
 
 // Client returns a TLS configuration meant to be used by a client.
 func Client(options Options) (*tls.Config, error) {
-	tlsConfig := ClientDefault()
+	tlsConfig := defaultConfig()
 	tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify
 	if !options.InsecureSkipVerify && options.CAFile != "" {
 		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)
@@ -235,7 +219,7 @@ func Client(options Options) (*tls.Config, error) {
 
 // Server returns a TLS configuration meant to be used by a server.
 func Server(options Options) (*tls.Config, error) {
-	tlsConfig := ServerDefault()
+	tlsConfig := defaultConfig()
 	tlsConfig.ClientAuth = options.ClientAuth
 	tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)
 	if err != nil {
diff --git a/vendor/github.com/docker/go-connections/tlsconfig/config_client_ciphers.go b/vendor/github.com/docker/go-connections/tlsconfig/config_client_ciphers.go
deleted file mode 100644
index a82f9fa5..00000000
--- a/vendor/github.com/docker/go-connections/tlsconfig/config_client_ciphers.go
+++ /dev/null
@@ -1,14 +0,0 @@
-// Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
-package tlsconfig
-
-import (
-	"crypto/tls"
-)
-
-// Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)
-var clientCipherSuites = []uint16{
-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-}
diff --git a/vendor/github.com/docker/go/LICENSE b/vendor/github.com/docker/go/LICENSE
deleted file mode 100644
index 74487567..00000000
--- a/vendor/github.com/docker/go/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright (c) 2012 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/docker/go/canonical/json/decode.go b/vendor/github.com/docker/go/canonical/json/decode.go
deleted file mode 100644
index 72b981c5..00000000
--- a/vendor/github.com/docker/go/canonical/json/decode.go
+++ /dev/null
@@ -1,1168 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Represents JSON data structure using native Go types: booleans, floats,
-// strings, arrays, and maps.
-
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"reflect"
-	"runtime"
-	"strconv"
-	"unicode"
-	"unicode/utf16"
-	"unicode/utf8"
-)
-
-// Unmarshal parses the JSON-encoded data and stores the result
-// in the value pointed to by v.
-//
-// Unmarshal uses the inverse of the encodings that
-// Marshal uses, allocating maps, slices, and pointers as necessary,
-// with the following additional rules:
-//
-// To unmarshal JSON into a pointer, Unmarshal first handles the case of
-// the JSON being the JSON literal null.  In that case, Unmarshal sets
-// the pointer to nil.  Otherwise, Unmarshal unmarshals the JSON into
-// the value pointed at by the pointer.  If the pointer is nil, Unmarshal
-// allocates a new value for it to point to.
-//
-// To unmarshal JSON into a struct, Unmarshal matches incoming object
-// keys to the keys used by Marshal (either the struct field name or its tag),
-// preferring an exact match but also accepting a case-insensitive match.
-// Unmarshal will only set exported fields of the struct.
-//
-// To unmarshal JSON into an interface value,
-// Unmarshal stores one of these in the interface value:
-//
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	string, for JSON strings
-//	[]interface{}, for JSON arrays
-//	map[string]interface{}, for JSON objects
-//	nil for JSON null
-//
-// To unmarshal a JSON array into a slice, Unmarshal resets the slice length
-// to zero and then appends each element to the slice.
-// As a special case, to unmarshal an empty JSON array into a slice,
-// Unmarshal replaces the slice with a new empty slice.
-//
-// To unmarshal a JSON array into a Go array, Unmarshal decodes
-// JSON array elements into corresponding Go array elements.
-// If the Go array is smaller than the JSON array,
-// the additional JSON array elements are discarded.
-// If the JSON array is smaller than the Go array,
-// the additional Go array elements are set to zero values.
-//
-// To unmarshal a JSON object into a string-keyed map, Unmarshal first
-// establishes a map to use, If the map is nil, Unmarshal allocates a new map.
-// Otherwise Unmarshal reuses the existing map, keeping existing entries.
-// Unmarshal then stores key-value pairs from the JSON object into the map.
-//
-// If a JSON value is not appropriate for a given target type,
-// or if a JSON number overflows the target type, Unmarshal
-// skips that field and completes the unmarshaling as best it can.
-// If no more serious errors are encountered, Unmarshal returns
-// an UnmarshalTypeError describing the earliest such error.
-//
-// The JSON null value unmarshals into an interface, map, pointer, or slice
-// by setting that Go value to nil. Because null is often used in JSON to mean
-// ``not present,'' unmarshaling a JSON null into any other Go type has no effect
-// on the value and produces no error.
-//
-// When unmarshaling quoted strings, invalid UTF-8 or
-// invalid UTF-16 surrogate pairs are not treated as an error.
-// Instead, they are replaced by the Unicode replacement
-// character U+FFFD.
-//
-func Unmarshal(data []byte, v interface{}) error {
-	// Check for well-formedness.
-	// Avoids filling out half a data structure
-	// before discovering a JSON syntax error.
-	var d decodeState
-	err := checkValid(data, &d.scan)
-	if err != nil {
-		return err
-	}
-
-	d.init(data)
-	return d.unmarshal(v)
-}
-
-// Unmarshaler is the interface implemented by objects
-// that can unmarshal a JSON description of themselves.
-// The input can be assumed to be a valid encoding of
-// a JSON value. UnmarshalJSON must copy the JSON data
-// if it wishes to retain the data after returning.
-type Unmarshaler interface {
-	UnmarshalJSON([]byte) error
-}
-
-// An UnmarshalTypeError describes a JSON value that was
-// not appropriate for a value of a specific Go type.
-type UnmarshalTypeError struct {
-	Value  string       // description of JSON value - "bool", "array", "number -5"
-	Type   reflect.Type // type of Go value it could not be assigned to
-	Offset int64        // error occurred after reading Offset bytes
-}
-
-func (e *UnmarshalTypeError) Error() string {
-	return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String()
-}
-
-// An UnmarshalFieldError describes a JSON object key that
-// led to an unexported (and therefore unwritable) struct field.
-// (No longer used; kept for compatibility.)
-type UnmarshalFieldError struct {
-	Key   string
-	Type  reflect.Type
-	Field reflect.StructField
-}
-
-func (e *UnmarshalFieldError) Error() string {
-	return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String()
-}
-
-// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.
-// (The argument to Unmarshal must be a non-nil pointer.)
-type InvalidUnmarshalError struct {
-	Type reflect.Type
-}
-
-func (e *InvalidUnmarshalError) Error() string {
-	if e.Type == nil {
-		return "json: Unmarshal(nil)"
-	}
-
-	if e.Type.Kind() != reflect.Ptr {
-		return "json: Unmarshal(non-pointer " + e.Type.String() + ")"
-	}
-	return "json: Unmarshal(nil " + e.Type.String() + ")"
-}
-
-func (d *decodeState) unmarshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			err = r.(error)
-		}
-	}()
-
-	rv := reflect.ValueOf(v)
-	if rv.Kind() != reflect.Ptr || rv.IsNil() {
-		return &InvalidUnmarshalError{reflect.TypeOf(v)}
-	}
-
-	d.scan.reset()
-	// We decode rv not rv.Elem because the Unmarshaler interface
-	// test must be applied at the top level of the value.
-	d.value(rv)
-	return d.savedError
-}
-
-// A Number represents a JSON number literal.
-type Number string
-
-// String returns the literal text of the number.
-func (n Number) String() string { return string(n) }
-
-// Float64 returns the number as a float64.
-func (n Number) Float64() (float64, error) {
-	return strconv.ParseFloat(string(n), 64)
-}
-
-// Int64 returns the number as an int64.
-func (n Number) Int64() (int64, error) {
-	return strconv.ParseInt(string(n), 10, 64)
-}
-
-// isValidNumber reports whether s is a valid JSON number literal.
-func isValidNumber(s string) bool {
-	// This function implements the JSON numbers grammar.
-	// See https://tools.ietf.org/html/rfc7159#section-6
-	// and http://json.org/number.gif
-
-	if s == "" {
-		return false
-	}
-
-	// Optional -
-	if s[0] == '-' {
-		s = s[1:]
-		if s == "" {
-			return false
-		}
-	}
-
-	// Digits
-	switch {
-	default:
-		return false
-
-	case s[0] == '0':
-		s = s[1:]
-
-	case '1' <= s[0] && s[0] <= '9':
-		s = s[1:]
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// . followed by 1 or more digits.
-	if len(s) >= 2 && s[0] == '.' && '0' <= s[1] && s[1] <= '9' {
-		s = s[2:]
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// e or E followed by an optional - or + and
-	// 1 or more digits.
-	if len(s) >= 2 && (s[0] == 'e' || s[0] == 'E') {
-		s = s[1:]
-		if s[0] == '+' || s[0] == '-' {
-			s = s[1:]
-			if s == "" {
-				return false
-			}
-		}
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// Make sure we are at the end.
-	return s == ""
-}
-
-// decodeState represents the state while decoding a JSON value.
-type decodeState struct {
-	data       []byte
-	off        int // read offset in data
-	scan       scanner
-	nextscan   scanner // for calls to nextValue
-	savedError error
-	useNumber  bool
-	canonical  bool
-}
-
-// errPhase is used for errors that should not happen unless
-// there is a bug in the JSON decoder or something is editing
-// the data slice while the decoder executes.
-var errPhase = errors.New("JSON decoder out of sync - data changing underfoot?")
-
-func (d *decodeState) init(data []byte) *decodeState {
-	d.data = data
-	d.off = 0
-	d.savedError = nil
-	return d
-}
-
-// error aborts the decoding by panicking with err.
-func (d *decodeState) error(err error) {
-	panic(err)
-}
-
-// saveError saves the first err it is called with,
-// for reporting at the end of the unmarshal.
-func (d *decodeState) saveError(err error) {
-	if d.savedError == nil {
-		d.savedError = err
-	}
-}
-
-// next cuts off and returns the next full JSON value in d.data[d.off:].
-// The next value is known to be an object or array, not a literal.
-func (d *decodeState) next() []byte {
-	c := d.data[d.off]
-	item, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-	if err != nil {
-		d.error(err)
-	}
-	d.off = len(d.data) - len(rest)
-
-	// Our scanner has seen the opening brace/bracket
-	// and thinks we're still in the middle of the object.
-	// invent a closing brace/bracket to get it out.
-	if c == '{' {
-		d.scan.step(&d.scan, '}')
-	} else {
-		d.scan.step(&d.scan, ']')
-	}
-
-	return item
-}
-
-// scanWhile processes bytes in d.data[d.off:] until it
-// receives a scan code not equal to op.
-// It updates d.off and returns the new scan code.
-func (d *decodeState) scanWhile(op int) int {
-	var newOp int
-	for {
-		if d.off >= len(d.data) {
-			newOp = d.scan.eof()
-			d.off = len(d.data) + 1 // mark processed EOF with len+1
-		} else {
-			c := d.data[d.off]
-			d.off++
-			newOp = d.scan.step(&d.scan, c)
-		}
-		if newOp != op {
-			break
-		}
-	}
-	return newOp
-}
-
-// value decodes a JSON value from d.data[d.off:] into the value.
-// it updates d.off to point past the decoded value.
-func (d *decodeState) value(v reflect.Value) {
-	if !v.IsValid() {
-		_, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-		if err != nil {
-			d.error(err)
-		}
-		d.off = len(d.data) - len(rest)
-
-		// d.scan thinks we're still at the beginning of the item.
-		// Feed in an empty string - the shortest, simplest value -
-		// so that it knows we got to the end of the value.
-		if d.scan.redo {
-			// rewind.
-			d.scan.redo = false
-			d.scan.step = stateBeginValue
-		}
-		d.scan.step(&d.scan, '"')
-		d.scan.step(&d.scan, '"')
-
-		n := len(d.scan.parseState)
-		if n > 0 && d.scan.parseState[n-1] == parseObjectKey {
-			// d.scan thinks we just read an object key; finish the object
-			d.scan.step(&d.scan, ':')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '}')
-		}
-
-		return
-	}
-
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(v)
-
-	case scanBeginObject:
-		d.object(v)
-
-	case scanBeginLiteral:
-		d.literal(v)
-	}
-}
-
-type unquotedValue struct{}
-
-// valueQuoted is like value but decodes a
-// quoted string literal or literal null into an interface value.
-// If it finds anything other than a quoted string literal or null,
-// valueQuoted returns unquotedValue{}.
-func (d *decodeState) valueQuoted() interface{} {
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(reflect.Value{})
-
-	case scanBeginObject:
-		d.object(reflect.Value{})
-
-	case scanBeginLiteral:
-		switch v := d.literalInterface().(type) {
-		case nil, string:
-			return v
-		}
-	}
-	return unquotedValue{}
-}
-
-// indirect walks down v allocating pointers as needed,
-// until it gets to a non-pointer.
-// if it encounters an Unmarshaler, indirect stops and returns that.
-// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.
-func (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {
-	// If v is a named type and is addressable,
-	// start with its address, so that if the type has pointer methods,
-	// we find them.
-	if v.Kind() != reflect.Ptr && v.Type().Name() != "" && v.CanAddr() {
-		v = v.Addr()
-	}
-	for {
-		// Load value from interface, but only if the result will be
-		// usefully addressable.
-		if v.Kind() == reflect.Interface && !v.IsNil() {
-			e := v.Elem()
-			if e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {
-				v = e
-				continue
-			}
-		}
-
-		if v.Kind() != reflect.Ptr {
-			break
-		}
-
-		if v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {
-			break
-		}
-		if v.IsNil() {
-			v.Set(reflect.New(v.Type().Elem()))
-		}
-		if v.Type().NumMethod() > 0 {
-			if u, ok := v.Interface().(Unmarshaler); ok {
-				return u, nil, reflect.Value{}
-			}
-			if u, ok := v.Interface().(encoding.TextUnmarshaler); ok {
-				return nil, u, reflect.Value{}
-			}
-		}
-		v = v.Elem()
-	}
-	return nil, nil, v
-}
-
-// array consumes an array from d.data[d.off-1:], decoding into the value v.
-// the first byte of the array ('[') has been read already.
-func (d *decodeState) array(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	}
-
-	v = pv
-
-	// Check type of target.
-	switch v.Kind() {
-	case reflect.Interface:
-		if v.NumMethod() == 0 {
-			// Decoding into nil interface?  Switch to non-reflect code.
-			v.Set(reflect.ValueOf(d.arrayInterface()))
-			return
-		}
-		// Otherwise it's invalid.
-		fallthrough
-	default:
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	case reflect.Array:
-	case reflect.Slice:
-		break
-	}
-
-	i := 0
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		// Get element of array, growing if necessary.
-		if v.Kind() == reflect.Slice {
-			// Grow slice if necessary
-			if i >= v.Cap() {
-				newcap := v.Cap() + v.Cap()/2
-				if newcap < 4 {
-					newcap = 4
-				}
-				newv := reflect.MakeSlice(v.Type(), v.Len(), newcap)
-				reflect.Copy(newv, v)
-				v.Set(newv)
-			}
-			if i >= v.Len() {
-				v.SetLen(i + 1)
-			}
-		}
-
-		if i < v.Len() {
-			// Decode into element.
-			d.value(v.Index(i))
-		} else {
-			// Ran out of fixed array: skip.
-			d.value(reflect.Value{})
-		}
-		i++
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-
-	if i < v.Len() {
-		if v.Kind() == reflect.Array {
-			// Array.  Zero the rest.
-			z := reflect.Zero(v.Type().Elem())
-			for ; i < v.Len(); i++ {
-				v.Index(i).Set(z)
-			}
-		} else {
-			v.SetLen(i)
-		}
-	}
-	if i == 0 && v.Kind() == reflect.Slice {
-		v.Set(reflect.MakeSlice(v.Type(), 0, 0))
-	}
-}
-
-var nullLiteral = []byte("null")
-
-// object consumes an object from d.data[d.off-1:], decoding into the value v.
-// the first byte ('{') of the object has been read already.
-func (d *decodeState) object(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-	v = pv
-
-	// Decoding into nil interface?  Switch to non-reflect code.
-	if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
-		v.Set(reflect.ValueOf(d.objectInterface()))
-		return
-	}
-
-	// Check type of target: struct or map[string]T
-	switch v.Kind() {
-	case reflect.Map:
-		// map must have string kind
-		t := v.Type()
-		if t.Key().Kind() != reflect.String {
-			d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-			d.off--
-			d.next() // skip over { } in input
-			return
-		}
-		if v.IsNil() {
-			v.Set(reflect.MakeMap(t))
-		}
-	case reflect.Struct:
-
-	default:
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-
-	var mapElem reflect.Value
-
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquoteBytes(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Figure out field corresponding to key.
-		var subv reflect.Value
-		destring := false // whether the value is wrapped in a string to be decoded first
-
-		if v.Kind() == reflect.Map {
-			elemType := v.Type().Elem()
-			if !mapElem.IsValid() {
-				mapElem = reflect.New(elemType).Elem()
-			} else {
-				mapElem.Set(reflect.Zero(elemType))
-			}
-			subv = mapElem
-		} else {
-			var f *field
-			fields := cachedTypeFields(v.Type(), false)
-			for i := range fields {
-				ff := &fields[i]
-				if bytes.Equal(ff.nameBytes, key) {
-					f = ff
-					break
-				}
-				if f == nil && ff.equalFold(ff.nameBytes, key) {
-					f = ff
-				}
-			}
-			if f != nil {
-				subv = v
-				destring = f.quoted
-				for _, i := range f.index {
-					if subv.Kind() == reflect.Ptr {
-						if subv.IsNil() {
-							subv.Set(reflect.New(subv.Type().Elem()))
-						}
-						subv = subv.Elem()
-					}
-					subv = subv.Field(i)
-				}
-			}
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		if destring {
-			switch qv := d.valueQuoted().(type) {
-			case nil:
-				d.literalStore(nullLiteral, subv, false)
-			case string:
-				d.literalStore([]byte(qv), subv, true)
-			default:
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
-			}
-		} else {
-			d.value(subv)
-		}
-
-		// Write value back to map;
-		// if using struct, subv points into struct already.
-		if v.Kind() == reflect.Map {
-			kv := reflect.ValueOf(key).Convert(v.Type().Key())
-			v.SetMapIndex(kv, subv)
-		}
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-}
-
-// literal consumes a literal from d.data[d.off-1:], decoding into the value v.
-// The first byte of the literal has been read already
-// (that's how the caller knows it's a literal).
-func (d *decodeState) literal(v reflect.Value) {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-
-	d.literalStore(d.data[start:d.off], v, false)
-}
-
-// convertNumber converts the number literal s to a float64 or a Number
-// depending on the setting of d.useNumber.
-func (d *decodeState) convertNumber(s string) (interface{}, error) {
-	if d.useNumber {
-		return Number(s), nil
-	}
-	f, err := strconv.ParseFloat(s, 64)
-	if err != nil {
-		return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
-	}
-	return f, nil
-}
-
-var numberType = reflect.TypeOf(Number(""))
-
-// literalStore decodes a literal stored in item into v.
-//
-// fromQuoted indicates whether this literal came from unwrapping a
-// string from the ",string" struct tag option. this is used only to
-// produce more helpful error messages.
-func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
-	// Check for unmarshaler.
-	if len(item) == 0 {
-		//Empty string given
-		d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-		return
-	}
-	wantptr := item[0] == 'n' // null
-	u, ut, pv := d.indirect(v, wantptr)
-	if u != nil {
-		err := u.UnmarshalJSON(item)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		if item[0] != '"' {
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-			return
-		}
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		err := ut.UnmarshalText(s)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-
-	v = pv
-
-	switch c := item[0]; c {
-	case 'n': // null
-		switch v.Kind() {
-		case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
-			v.Set(reflect.Zero(v.Type()))
-			// otherwise, ignore null for primitives/string
-		}
-	case 't', 'f': // true, false
-		value := c == 't'
-		switch v.Kind() {
-		default:
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		case reflect.Bool:
-			v.SetBool(value)
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(value))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		}
-
-	case '"': // string
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		switch v.Kind() {
-		default:
-			d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-		case reflect.Slice:
-			if v.Type().Elem().Kind() != reflect.Uint8 {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-				break
-			}
-			b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
-			n, err := base64.StdEncoding.Decode(b, s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			v.SetBytes(b[:n])
-		case reflect.String:
-			v.SetString(string(s))
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(string(s)))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-		}
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		s := string(item)
-		switch v.Kind() {
-		default:
-			if v.Kind() == reflect.String && v.Type() == numberType {
-				v.SetString(s)
-				if !isValidNumber(s) {
-					d.error(fmt.Errorf("json: invalid number literal, trying to unmarshal %q into Number", item))
-				}
-				break
-			}
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-			}
-		case reflect.Interface:
-			n, err := d.convertNumber(s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			if v.NumMethod() != 0 {
-				d.saveError(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-				break
-			}
-			v.Set(reflect.ValueOf(n))
-
-		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-			n, err := strconv.ParseInt(s, 10, 64)
-			if err != nil || v.OverflowInt(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetInt(n)
-
-		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-			n, err := strconv.ParseUint(s, 10, 64)
-			if err != nil || v.OverflowUint(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetUint(n)
-
-		case reflect.Float32, reflect.Float64:
-			n, err := strconv.ParseFloat(s, v.Type().Bits())
-			if err != nil || v.OverflowFloat(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetFloat(n)
-		}
-	}
-}
-
-// The xxxInterface routines build up a value to be stored
-// in an empty interface.  They are not strictly necessary,
-// but they avoid the weight of reflection in this common case.
-
-// valueInterface is like value but returns interface{}
-func (d *decodeState) valueInterface() interface{} {
-	switch d.scanWhile(scanSkipSpace) {
-	default:
-		d.error(errPhase)
-		panic("unreachable")
-	case scanBeginArray:
-		return d.arrayInterface()
-	case scanBeginObject:
-		return d.objectInterface()
-	case scanBeginLiteral:
-		return d.literalInterface()
-	}
-}
-
-// arrayInterface is like array but returns []interface{}.
-func (d *decodeState) arrayInterface() []interface{} {
-	var v = make([]interface{}, 0)
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		v = append(v, d.valueInterface())
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-	return v
-}
-
-// objectInterface is like object but returns map[string]interface{}.
-func (d *decodeState) objectInterface() map[string]interface{} {
-	m := make(map[string]interface{})
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read string key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		m[key] = d.valueInterface()
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-	return m
-}
-
-// literalInterface is like literal but returns an interface value.
-func (d *decodeState) literalInterface() interface{} {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-	item := d.data[start:d.off]
-
-	switch c := item[0]; c {
-	case 'n': // null
-		return nil
-
-	case 't', 'f': // true, false
-		return c == 't'
-
-	case '"': // string
-		s, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-		return s
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			d.error(errPhase)
-		}
-		n, err := d.convertNumber(string(item))
-		if err != nil {
-			d.saveError(err)
-		}
-		return n
-	}
-}
-
-// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
-// or it returns -1.
-func getu4(s []byte) rune {
-	if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
-		return -1
-	}
-	r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
-	if err != nil {
-		return -1
-	}
-	return rune(r)
-}
-
-// unquote converts a quoted JSON string literal s into an actual string t.
-// The rules are different than for Go, so cannot use strconv.Unquote.
-func unquote(s []byte) (t string, ok bool) {
-	s, ok = unquoteBytes(s)
-	t = string(s)
-	return
-}
-
-func unquoteBytes(s []byte) (t []byte, ok bool) {
-	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
-		return
-	}
-	s = s[1 : len(s)-1]
-
-	// Check for unusual characters. If there are none,
-	// then no unquoting is needed, so return a slice of the
-	// original bytes.
-	r := 0
-	for r < len(s) {
-		c := s[r]
-		if c == '\\' || c == '"' || c < ' ' {
-			break
-		}
-		if c < utf8.RuneSelf {
-			r++
-			continue
-		}
-		rr, size := utf8.DecodeRune(s[r:])
-		if rr == utf8.RuneError && size == 1 {
-			break
-		}
-		r += size
-	}
-	if r == len(s) {
-		return s, true
-	}
-
-	b := make([]byte, len(s)+2*utf8.UTFMax)
-	w := copy(b, s[0:r])
-	for r < len(s) {
-		// Out of room?  Can only happen if s is full of
-		// malformed UTF-8 and we're replacing each
-		// byte with RuneError.
-		if w >= len(b)-2*utf8.UTFMax {
-			nb := make([]byte, (len(b)+utf8.UTFMax)*2)
-			copy(nb, b[0:w])
-			b = nb
-		}
-		switch c := s[r]; {
-		case c == '\\':
-			r++
-			if r >= len(s) {
-				return
-			}
-			switch s[r] {
-			default:
-				return
-			case '"', '\\', '/', '\'':
-				b[w] = s[r]
-				r++
-				w++
-			case 'b':
-				b[w] = '\b'
-				r++
-				w++
-			case 'f':
-				b[w] = '\f'
-				r++
-				w++
-			case 'n':
-				b[w] = '\n'
-				r++
-				w++
-			case 'r':
-				b[w] = '\r'
-				r++
-				w++
-			case 't':
-				b[w] = '\t'
-				r++
-				w++
-			case 'u':
-				r--
-				rr := getu4(s[r:])
-				if rr < 0 {
-					return
-				}
-				r += 6
-				if utf16.IsSurrogate(rr) {
-					rr1 := getu4(s[r:])
-					if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
-						// A valid pair; consume.
-						r += 6
-						w += utf8.EncodeRune(b[w:], dec)
-						break
-					}
-					// Invalid surrogate; fall back to replacement rune.
-					rr = unicode.ReplacementChar
-				}
-				w += utf8.EncodeRune(b[w:], rr)
-			}
-
-		// Quote, control characters are invalid.
-		case c == '"', c < ' ':
-			return
-
-		// ASCII
-		case c < utf8.RuneSelf:
-			b[w] = c
-			r++
-			w++
-
-		// Coerce to well-formed UTF-8.
-		default:
-			rr, size := utf8.DecodeRune(s[r:])
-			r += size
-			w += utf8.EncodeRune(b[w:], rr)
-		}
-	}
-	return b[0:w], true
-}
diff --git a/vendor/github.com/docker/go/canonical/json/encode.go b/vendor/github.com/docker/go/canonical/json/encode.go
deleted file mode 100644
index f3491b16..00000000
--- a/vendor/github.com/docker/go/canonical/json/encode.go
+++ /dev/null
@@ -1,1250 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package json implements encoding and decoding of JSON objects as defined in
-// RFC 4627. The mapping between JSON objects and Go values is described
-// in the documentation for the Marshal and Unmarshal functions.
-//
-// See "JSON and Go" for an introduction to this package:
-// https://golang.org/doc/articles/json_and_go.html
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"fmt"
-	"math"
-	"reflect"
-	"runtime"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"unicode"
-	"unicode/utf8"
-)
-
-// Marshal returns the JSON encoding of v.
-//
-// Marshal traverses the value v recursively.
-// If an encountered value implements the Marshaler interface
-// and is not a nil pointer, Marshal calls its MarshalJSON method
-// to produce JSON. If no MarshalJSON method is present but the
-// value implements encoding.TextMarshaler instead, Marshal calls
-// its MarshalText method.
-// The nil pointer exception is not strictly necessary
-// but mimics a similar, necessary exception in the behavior of
-// UnmarshalJSON.
-//
-// Otherwise, Marshal uses the following type-dependent default encodings:
-//
-// Boolean values encode as JSON booleans.
-//
-// Floating point, integer, and Number values encode as JSON numbers.
-//
-// String values encode as JSON strings coerced to valid UTF-8,
-// replacing invalid bytes with the Unicode replacement rune.
-// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
-// to keep some browsers from misinterpreting JSON output as HTML.
-// Ampersand "&" is also escaped to "\u0026" for the same reason.
-//
-// Array and slice values encode as JSON arrays, except that
-// []byte encodes as a base64-encoded string, and a nil slice
-// encodes as the null JSON object.
-//
-// Struct values encode as JSON objects. Each exported struct field
-// becomes a member of the object unless
-//   - the field's tag is "-", or
-//   - the field is empty and its tag specifies the "omitempty" option.
-// The empty values are false, 0, any
-// nil pointer or interface value, and any array, slice, map, or string of
-// length zero. The object's default key string is the struct field name
-// but can be specified in the struct field's tag value. The "json" key in
-// the struct field's tag value is the key name, followed by an optional comma
-// and options. Examples:
-//
-//   // Field is ignored by this package.
-//   Field int `json:"-"`
-//
-//   // Field appears in JSON as key "myName".
-//   Field int `json:"myName"`
-//
-//   // Field appears in JSON as key "myName" and
-//   // the field is omitted from the object if its value is empty,
-//   // as defined above.
-//   Field int `json:"myName,omitempty"`
-//
-//   // Field appears in JSON as key "Field" (the default), but
-//   // the field is skipped if empty.
-//   // Note the leading comma.
-//   Field int `json:",omitempty"`
-//
-// The "string" option signals that a field is stored as JSON inside a
-// JSON-encoded string. It applies only to fields of string, floating point,
-// integer, or boolean types. This extra level of encoding is sometimes used
-// when communicating with JavaScript programs:
-//
-//    Int64String int64 `json:",string"`
-//
-// The key name will be used if it's a non-empty string consisting of
-// only Unicode letters, digits, dollar signs, percent signs, hyphens,
-// underscores and slashes.
-//
-// Anonymous struct fields are usually marshaled as if their inner exported fields
-// were fields in the outer struct, subject to the usual Go visibility rules amended
-// as described in the next paragraph.
-// An anonymous struct field with a name given in its JSON tag is treated as
-// having that name, rather than being anonymous.
-// An anonymous struct field of interface type is treated the same as having
-// that type as its name, rather than being anonymous.
-//
-// The Go visibility rules for struct fields are amended for JSON when
-// deciding which field to marshal or unmarshal. If there are
-// multiple fields at the same level, and that level is the least
-// nested (and would therefore be the nesting level selected by the
-// usual Go rules), the following extra rules apply:
-//
-// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,
-// even if there are multiple untagged fields that would otherwise conflict.
-// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.
-// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.
-//
-// Handling of anonymous struct fields is new in Go 1.1.
-// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of
-// an anonymous struct field in both current and earlier versions, give the field
-// a JSON tag of "-".
-//
-// Map values encode as JSON objects.
-// The map's key type must be string; the map keys are used as JSON object
-// keys, subject to the UTF-8 coercion described for string values above.
-//
-// Pointer values encode as the value pointed to.
-// A nil pointer encodes as the null JSON object.
-//
-// Interface values encode as the value contained in the interface.
-// A nil interface value encodes as the null JSON object.
-//
-// Channel, complex, and function values cannot be encoded in JSON.
-// Attempting to encode such a value causes Marshal to return
-// an UnsupportedTypeError.
-//
-// JSON cannot represent cyclic data structures and Marshal does not
-// handle them.  Passing cyclic structures to Marshal will result in
-// an infinite recursion.
-//
-func Marshal(v interface{}) ([]byte, error) {
-	return marshal(v, false)
-}
-
-// MarshalIndent is like Marshal but applies Indent to format the output.
-func MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {
-	b, err := Marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	var buf bytes.Buffer
-	err = Indent(&buf, b, prefix, indent)
-	if err != nil {
-		return nil, err
-	}
-	return buf.Bytes(), nil
-}
-
-// MarshalCanonical is like Marshal but encodes into Canonical JSON.
-// Read more at: http://wiki.laptop.org/go/Canonical_JSON
-func MarshalCanonical(v interface{}) ([]byte, error) {
-	return marshal(v, true)
-}
-
-func marshal(v interface{}, canonical bool) ([]byte, error) {
-	e := &encodeState{canonical: canonical}
-	err := e.marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	return e.Bytes(), nil
-}
-
-// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
-// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
-// so that the JSON will be safe to embed inside HTML <script> tags.
-// For historical reasons, web browsers don't honor standard HTML
-// escaping within <script> tags, so an alternative JSON encoding must
-// be used.
-func HTMLEscape(dst *bytes.Buffer, src []byte) {
-	// The characters can only appear in string literals,
-	// so just scan the string one byte at a time.
-	start := 0
-	for i, c := range src {
-		if c == '<' || c == '>' || c == '&' {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-}
-
-// Marshaler is the interface implemented by objects that
-// can marshal themselves into valid JSON.
-type Marshaler interface {
-	MarshalJSON() ([]byte, error)
-}
-
-// An UnsupportedTypeError is returned by Marshal when attempting
-// to encode an unsupported value type.
-type UnsupportedTypeError struct {
-	Type reflect.Type
-}
-
-func (e *UnsupportedTypeError) Error() string {
-	return "json: unsupported type: " + e.Type.String()
-}
-
-type UnsupportedValueError struct {
-	Value reflect.Value
-	Str   string
-}
-
-func (e *UnsupportedValueError) Error() string {
-	return "json: unsupported value: " + e.Str
-}
-
-// Before Go 1.2, an InvalidUTF8Error was returned by Marshal when
-// attempting to encode a string value with invalid UTF-8 sequences.
-// As of Go 1.2, Marshal instead coerces the string to valid UTF-8 by
-// replacing invalid bytes with the Unicode replacement rune U+FFFD.
-// This error is no longer generated but is kept for backwards compatibility
-// with programs that might mention it.
-type InvalidUTF8Error struct {
-	S string // the whole string value that caused the error
-}
-
-func (e *InvalidUTF8Error) Error() string {
-	return "json: invalid UTF-8 in string: " + strconv.Quote(e.S)
-}
-
-type MarshalerError struct {
-	Type reflect.Type
-	Err  error
-}
-
-func (e *MarshalerError) Error() string {
-	return "json: error calling MarshalJSON for type " + e.Type.String() + ": " + e.Err.Error()
-}
-
-var hex = "0123456789abcdef"
-
-// An encodeState encodes JSON into a bytes.Buffer.
-type encodeState struct {
-	bytes.Buffer // accumulated output
-	scratch      [64]byte
-	canonical    bool
-}
-
-var encodeStatePool sync.Pool
-
-func newEncodeState(canonical bool) *encodeState {
-	if v := encodeStatePool.Get(); v != nil {
-		e := v.(*encodeState)
-		e.Reset()
-		e.canonical = canonical
-		return e
-	}
-	return &encodeState{canonical: canonical}
-}
-
-func (e *encodeState) marshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			if s, ok := r.(string); ok {
-				panic(s)
-			}
-			err = r.(error)
-		}
-	}()
-	e.reflectValue(reflect.ValueOf(v))
-	return nil
-}
-
-func (e *encodeState) error(err error) {
-	panic(err)
-}
-
-func isEmptyValue(v reflect.Value) bool {
-	switch v.Kind() {
-	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
-		return v.Len() == 0
-	case reflect.Bool:
-		return !v.Bool()
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return v.Int() == 0
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return v.Uint() == 0
-	case reflect.Float32, reflect.Float64:
-		return v.Float() == 0
-	case reflect.Interface, reflect.Ptr:
-		return v.IsNil()
-	}
-	return false
-}
-
-func (e *encodeState) reflectValue(v reflect.Value) {
-	e.valueEncoder(v)(e, v, false)
-}
-
-type encoderFunc func(e *encodeState, v reflect.Value, quoted bool)
-
-var encoderCache struct {
-	sync.RWMutex
-	m map[reflect.Type]encoderFunc
-}
-
-func (e *encodeState) valueEncoder(v reflect.Value) encoderFunc {
-	if !v.IsValid() {
-		return invalidValueEncoder
-	}
-	return e.typeEncoder(v.Type())
-}
-
-func (e *encodeState) typeEncoder(t reflect.Type) encoderFunc {
-	encoderCache.RLock()
-	f := encoderCache.m[t]
-	encoderCache.RUnlock()
-	if f != nil {
-		return f
-	}
-
-	// To deal with recursive types, populate the map with an
-	// indirect func before we build it. This type waits on the
-	// real func (f) to be ready and then calls it.  This indirect
-	// func is only used for recursive types.
-	encoderCache.Lock()
-	if encoderCache.m == nil {
-		encoderCache.m = make(map[reflect.Type]encoderFunc)
-	}
-	var wg sync.WaitGroup
-	wg.Add(1)
-	encoderCache.m[t] = func(e *encodeState, v reflect.Value, quoted bool) {
-		wg.Wait()
-		f(e, v, quoted)
-	}
-	encoderCache.Unlock()
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = e.newTypeEncoder(t, true)
-	wg.Done()
-	encoderCache.Lock()
-	encoderCache.m[t] = f
-	encoderCache.Unlock()
-	return f
-}
-
-var (
-	marshalerType     = reflect.TypeOf(new(Marshaler)).Elem()
-	textMarshalerType = reflect.TypeOf(new(encoding.TextMarshaler)).Elem()
-)
-
-// newTypeEncoder constructs an encoderFunc for a type.
-// The returned encoder only checks CanAddr when allowAddr is true.
-func (e *encodeState) newTypeEncoder(t reflect.Type, allowAddr bool) encoderFunc {
-	if t.Implements(marshalerType) {
-		return marshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(marshalerType) {
-			return newCondAddrEncoder(addrMarshalerEncoder, e.newTypeEncoder(t, false))
-		}
-	}
-
-	if t.Implements(textMarshalerType) {
-		return textMarshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(textMarshalerType) {
-			return newCondAddrEncoder(addrTextMarshalerEncoder, e.newTypeEncoder(t, false))
-		}
-	}
-
-	switch t.Kind() {
-	case reflect.Bool:
-		return boolEncoder
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return intEncoder
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return uintEncoder
-	case reflect.Float32:
-		return float32Encoder
-	case reflect.Float64:
-		return float64Encoder
-	case reflect.String:
-		return stringEncoder
-	case reflect.Interface:
-		return interfaceEncoder
-	case reflect.Struct:
-		return e.newStructEncoder(t)
-	case reflect.Map:
-		return e.newMapEncoder(t)
-	case reflect.Slice:
-		return e.newSliceEncoder(t)
-	case reflect.Array:
-		return e.newArrayEncoder(t)
-	case reflect.Ptr:
-		return e.newPtrEncoder(t)
-	default:
-		return unsupportedTypeEncoder
-	}
-}
-
-func invalidValueEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteString("null")
-}
-
-func marshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func addrMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func textMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-	e.stringBytes(b)
-}
-
-func addrTextMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-	e.stringBytes(b)
-}
-
-func boolEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if quoted {
-		e.WriteByte('"')
-	}
-	if v.Bool() {
-		e.WriteString("true")
-	} else {
-		e.WriteString("false")
-	}
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func intEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendInt(e.scratch[:0], v.Int(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func uintEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendUint(e.scratch[:0], v.Uint(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-type floatEncoder int // number of bits
-
-func (bits floatEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	f := v.Float()
-	if math.IsInf(f, 0) || math.IsNaN(f) || (e.canonical && math.Floor(f) != f) {
-		e.error(&UnsupportedValueError{v, strconv.FormatFloat(f, 'g', -1, int(bits))})
-	}
-
-	var b []byte
-	if e.canonical {
-		b = strconv.AppendInt(e.scratch[:0], int64(f), 10)
-	} else {
-		b = strconv.AppendFloat(e.scratch[:0], f, 'g', -1, int(bits))
-	}
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-var (
-	float32Encoder = (floatEncoder(32)).encode
-	float64Encoder = (floatEncoder(64)).encode
-)
-
-func stringEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Type() == numberType {
-		numStr := v.String()
-		// In Go1.5 the empty string encodes to "0", while this is not a valid number literal
-		// we keep compatibility so check validity after this.
-		if numStr == "" {
-			numStr = "0" // Number's zero-val
-		}
-		if !isValidNumber(numStr) {
-			e.error(fmt.Errorf("json: invalid number literal %q", numStr))
-		}
-		e.WriteString(numStr)
-		return
-	}
-	if quoted {
-		sb, err := Marshal(v.String())
-		if err != nil {
-			e.error(err)
-		}
-		e.string(string(sb))
-	} else {
-		e.string(v.String())
-	}
-}
-
-func interfaceEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.reflectValue(v.Elem())
-}
-
-func unsupportedTypeEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.error(&UnsupportedTypeError{v.Type()})
-}
-
-type structEncoder struct {
-	fields    []field
-	fieldEncs []encoderFunc
-}
-
-func (se *structEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteByte('{')
-	first := true
-	for i, f := range se.fields {
-		fv := fieldByIndex(v, f.index)
-		if !fv.IsValid() || f.omitEmpty && isEmptyValue(fv) {
-			continue
-		}
-		if first {
-			first = false
-		} else {
-			e.WriteByte(',')
-		}
-		e.string(f.name)
-		e.WriteByte(':')
-		se.fieldEncs[i](e, fv, f.quoted)
-	}
-	e.WriteByte('}')
-}
-
-func (e *encodeState) newStructEncoder(t reflect.Type) encoderFunc {
-	fields := cachedTypeFields(t, e.canonical)
-	se := &structEncoder{
-		fields:    fields,
-		fieldEncs: make([]encoderFunc, len(fields)),
-	}
-	for i, f := range fields {
-		se.fieldEncs[i] = e.typeEncoder(typeByIndex(t, f.index))
-	}
-	return se.encode
-}
-
-type mapEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (me *mapEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.WriteByte('{')
-	var sv stringValues = v.MapKeys()
-	sort.Sort(sv)
-	for i, k := range sv {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		e.string(k.String())
-		e.WriteByte(':')
-		me.elemEnc(e, v.MapIndex(k), false)
-	}
-	e.WriteByte('}')
-}
-
-func (e *encodeState) newMapEncoder(t reflect.Type) encoderFunc {
-	if t.Key().Kind() != reflect.String {
-		return unsupportedTypeEncoder
-	}
-	me := &mapEncoder{e.typeEncoder(t.Elem())}
-	return me.encode
-}
-
-func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	s := v.Bytes()
-	e.WriteByte('"')
-	if len(s) < 1024 {
-		// for small buffers, using Encode directly is much faster.
-		dst := make([]byte, base64.StdEncoding.EncodedLen(len(s)))
-		base64.StdEncoding.Encode(dst, s)
-		e.Write(dst)
-	} else {
-		// for large buffers, avoid unnecessary extra temporary
-		// buffer space.
-		enc := base64.NewEncoder(base64.StdEncoding, e)
-		enc.Write(s)
-		enc.Close()
-	}
-	e.WriteByte('"')
-}
-
-// sliceEncoder just wraps an arrayEncoder, checking to make sure the value isn't nil.
-type sliceEncoder struct {
-	arrayEnc encoderFunc
-}
-
-func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	se.arrayEnc(e, v, false)
-}
-
-func (e *encodeState) newSliceEncoder(t reflect.Type) encoderFunc {
-	// Byte slices get special treatment; arrays don't.
-	if t.Elem().Kind() == reflect.Uint8 {
-		return encodeByteSlice
-	}
-	enc := &sliceEncoder{e.newArrayEncoder(t)}
-	return enc.encode
-}
-
-type arrayEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	e.WriteByte('[')
-	n := v.Len()
-	for i := 0; i < n; i++ {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		ae.elemEnc(e, v.Index(i), false)
-	}
-	e.WriteByte(']')
-}
-
-func (e *encodeState) newArrayEncoder(t reflect.Type) encoderFunc {
-	enc := &arrayEncoder{e.typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type ptrEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (pe *ptrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	pe.elemEnc(e, v.Elem(), quoted)
-}
-
-func (e *encodeState) newPtrEncoder(t reflect.Type) encoderFunc {
-	enc := &ptrEncoder{e.typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type condAddrEncoder struct {
-	canAddrEnc, elseEnc encoderFunc
-}
-
-func (ce *condAddrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.CanAddr() {
-		ce.canAddrEnc(e, v, quoted)
-	} else {
-		ce.elseEnc(e, v, quoted)
-	}
-}
-
-// newCondAddrEncoder returns an encoder that checks whether its value
-// CanAddr and delegates to canAddrEnc if so, else to elseEnc.
-func newCondAddrEncoder(canAddrEnc, elseEnc encoderFunc) encoderFunc {
-	enc := &condAddrEncoder{canAddrEnc: canAddrEnc, elseEnc: elseEnc}
-	return enc.encode
-}
-
-func isValidTag(s string) bool {
-	if s == "" {
-		return false
-	}
-	for _, c := range s {
-		switch {
-		case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~ ", c):
-			// Backslash and quote chars are reserved, but
-			// otherwise any punctuation chars are allowed
-			// in a tag name.
-		default:
-			if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
-				return false
-			}
-		}
-	}
-	return true
-}
-
-func fieldByIndex(v reflect.Value, index []int) reflect.Value {
-	for _, i := range index {
-		if v.Kind() == reflect.Ptr {
-			if v.IsNil() {
-				return reflect.Value{}
-			}
-			v = v.Elem()
-		}
-		v = v.Field(i)
-	}
-	return v
-}
-
-func typeByIndex(t reflect.Type, index []int) reflect.Type {
-	for _, i := range index {
-		if t.Kind() == reflect.Ptr {
-			t = t.Elem()
-		}
-		t = t.Field(i).Type
-	}
-	return t
-}
-
-// stringValues is a slice of reflect.Value holding *reflect.StringValue.
-// It implements the methods to sort by string.
-type stringValues []reflect.Value
-
-func (sv stringValues) Len() int           { return len(sv) }
-func (sv stringValues) Swap(i, j int)      { sv[i], sv[j] = sv[j], sv[i] }
-func (sv stringValues) Less(i, j int) bool { return sv.get(i) < sv.get(j) }
-func (sv stringValues) get(i int) string   { return sv[i].String() }
-
-// NOTE: keep in sync with stringBytes below.
-func (e *encodeState) string(s string) int {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if b != '\\' && b != '"' {
-				if e.canonical || (0x20 <= b && b != '<' && b != '>' && b != '&') {
-					i++
-					continue
-				}
-			}
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, > and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		if e.canonical {
-			i++
-			continue
-		}
-		c, size := utf8.DecodeRuneInString(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.WriteString(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0
-}
-
-// NOTE: keep in sync with string above.
-func (e *encodeState) stringBytes(s []byte) int {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if b != '\\' && b != '"' {
-				if e.canonical || (0x20 <= b && b != '<' && b != '>' && b != '&') {
-					i++
-					continue
-				}
-			}
-			if start < i {
-				e.Write(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, >, and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		if e.canonical {
-			i++
-			continue
-		}
-		c, size := utf8.DecodeRune(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.Write(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0
-}
-
-// A field represents a single field found in a struct.
-type field struct {
-	name      string
-	nameBytes []byte                 // []byte(name)
-	equalFold func(s, t []byte) bool // bytes.EqualFold or equivalent
-
-	tag       bool
-	index     []int
-	typ       reflect.Type
-	omitEmpty bool
-	quoted    bool
-}
-
-func fillField(f field) field {
-	f.nameBytes = []byte(f.name)
-	f.equalFold = foldFunc(f.nameBytes)
-	return f
-}
-
-// byName sorts field by name, breaking ties with depth,
-// then breaking ties with "name came from json tag", then
-// breaking ties with index sequence.
-type byName []field
-
-func (x byName) Len() int { return len(x) }
-
-func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byName) Less(i, j int) bool {
-	if x[i].name != x[j].name {
-		return x[i].name < x[j].name
-	}
-	if len(x[i].index) != len(x[j].index) {
-		return len(x[i].index) < len(x[j].index)
-	}
-	if x[i].tag != x[j].tag {
-		return x[i].tag
-	}
-	return byIndex(x).Less(i, j)
-}
-
-// byIndex sorts field by index sequence.
-type byIndex []field
-
-func (x byIndex) Len() int { return len(x) }
-
-func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byIndex) Less(i, j int) bool {
-	for k, xik := range x[i].index {
-		if k >= len(x[j].index) {
-			return false
-		}
-		if xik != x[j].index[k] {
-			return xik < x[j].index[k]
-		}
-	}
-	return len(x[i].index) < len(x[j].index)
-}
-
-// typeFields returns a list of fields that JSON should recognize for the given type.
-// The algorithm is breadth-first search over the set of structs to include - the top struct
-// and then any reachable anonymous structs.
-func typeFields(t reflect.Type) []field {
-	// Anonymous fields to explore at the current level and the next.
-	current := []field{}
-	next := []field{{typ: t}}
-
-	// Count of queued names for current level and the next.
-	count := map[reflect.Type]int{}
-	nextCount := map[reflect.Type]int{}
-
-	// Types already visited at an earlier level.
-	visited := map[reflect.Type]bool{}
-
-	// Fields found.
-	var fields []field
-
-	for len(next) > 0 {
-		current, next = next, current[:0]
-		count, nextCount = nextCount, map[reflect.Type]int{}
-
-		for _, f := range current {
-			if visited[f.typ] {
-				continue
-			}
-			visited[f.typ] = true
-
-			// Scan f.typ for fields to include.
-			for i := 0; i < f.typ.NumField(); i++ {
-				sf := f.typ.Field(i)
-				if sf.PkgPath != "" && !sf.Anonymous { // unexported
-					continue
-				}
-				tag := sf.Tag.Get("json")
-				if tag == "-" {
-					continue
-				}
-				name, opts := parseTag(tag)
-				if !isValidTag(name) {
-					name = ""
-				}
-				index := make([]int, len(f.index)+1)
-				copy(index, f.index)
-				index[len(f.index)] = i
-
-				ft := sf.Type
-				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
-					// Follow pointer.
-					ft = ft.Elem()
-				}
-
-				// Only strings, floats, integers, and booleans can be quoted.
-				quoted := false
-				if opts.Contains("string") {
-					switch ft.Kind() {
-					case reflect.Bool,
-						reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
-						reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
-						reflect.Float32, reflect.Float64,
-						reflect.String:
-						quoted = true
-					}
-				}
-
-				// Record found field and index sequence.
-				if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
-					tagged := name != ""
-					if name == "" {
-						name = sf.Name
-					}
-					fields = append(fields, fillField(field{
-						name:      name,
-						tag:       tagged,
-						index:     index,
-						typ:       ft,
-						omitEmpty: opts.Contains("omitempty"),
-						quoted:    quoted,
-					}))
-					if count[f.typ] > 1 {
-						// If there were multiple instances, add a second,
-						// so that the annihilation code will see a duplicate.
-						// It only cares about the distinction between 1 or 2,
-						// so don't bother generating any more copies.
-						fields = append(fields, fields[len(fields)-1])
-					}
-					continue
-				}
-
-				// Record new anonymous struct to explore in next round.
-				nextCount[ft]++
-				if nextCount[ft] == 1 {
-					next = append(next, fillField(field{name: ft.Name(), index: index, typ: ft}))
-				}
-			}
-		}
-	}
-
-	sort.Sort(byName(fields))
-
-	// Delete all fields that are hidden by the Go rules for embedded fields,
-	// except that fields with JSON tags are promoted.
-
-	// The fields are sorted in primary order of name, secondary order
-	// of field index length. Loop over names; for each name, delete
-	// hidden fields by choosing the one dominant field that survives.
-	out := fields[:0]
-	for advance, i := 0, 0; i < len(fields); i += advance {
-		// One iteration per name.
-		// Find the sequence of fields with the name of this first field.
-		fi := fields[i]
-		name := fi.name
-		for advance = 1; i+advance < len(fields); advance++ {
-			fj := fields[i+advance]
-			if fj.name != name {
-				break
-			}
-		}
-		if advance == 1 { // Only one field with this name
-			out = append(out, fi)
-			continue
-		}
-		dominant, ok := dominantField(fields[i : i+advance])
-		if ok {
-			out = append(out, dominant)
-		}
-	}
-
-	return out
-}
-
-// dominantField looks through the fields, all of which are known to
-// have the same name, to find the single field that dominates the
-// others using Go's embedding rules, modified by the presence of
-// JSON tags. If there are multiple top-level fields, the boolean
-// will be false: This condition is an error in Go and we skip all
-// the fields.
-func dominantField(fields []field) (field, bool) {
-	// The fields are sorted in increasing index-length order. The winner
-	// must therefore be one with the shortest index length. Drop all
-	// longer entries, which is easy: just truncate the slice.
-	length := len(fields[0].index)
-	tagged := -1 // Index of first tagged field.
-	for i, f := range fields {
-		if len(f.index) > length {
-			fields = fields[:i]
-			break
-		}
-		if f.tag {
-			if tagged >= 0 {
-				// Multiple tagged fields at the same level: conflict.
-				// Return no field.
-				return field{}, false
-			}
-			tagged = i
-		}
-	}
-	if tagged >= 0 {
-		return fields[tagged], true
-	}
-	// All remaining fields have the same length. If there's more than one,
-	// we have a conflict (two fields named "X" at the same level) and we
-	// return no field.
-	if len(fields) > 1 {
-		return field{}, false
-	}
-	return fields[0], true
-}
-
-type fields struct {
-	byName  []field
-	byIndex []field
-}
-
-var fieldCache struct {
-	sync.RWMutex
-	m map[reflect.Type]*fields
-}
-
-// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
-func cachedTypeFields(t reflect.Type, canonical bool) []field {
-	fieldCache.RLock()
-	x := fieldCache.m[t]
-	fieldCache.RUnlock()
-
-	var f []field
-	if x != nil {
-		if canonical {
-			f = x.byName
-		}
-		f = x.byIndex
-	}
-	if f != nil {
-		return f
-	}
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = typeFields(t)
-	if f == nil {
-		f = []field{}
-	}
-	if !canonical {
-		sort.Sort(byIndex(f))
-	}
-
-	fieldCache.Lock()
-	if fieldCache.m == nil {
-		fieldCache.m = map[reflect.Type]*fields{}
-	}
-	x = fieldCache.m[t]
-	fieldCache.Unlock()
-	if x == nil {
-		x = new(fields)
-	}
-	if canonical {
-		x.byName = f
-	} else {
-		x.byIndex = f
-	}
-	return f
-}
diff --git a/vendor/github.com/docker/go/canonical/json/fold.go b/vendor/github.com/docker/go/canonical/json/fold.go
deleted file mode 100644
index 9e170127..00000000
--- a/vendor/github.com/docker/go/canonical/json/fold.go
+++ /dev/null
@@ -1,143 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"unicode/utf8"
-)
-
-const (
-	caseMask     = ^byte(0x20) // Mask to ignore case in ASCII.
-	kelvin       = '\u212a'
-	smallLongEss = '\u017f'
-)
-
-// foldFunc returns one of four different case folding equivalence
-// functions, from most general (and slow) to fastest:
-//
-// 1) bytes.EqualFold, if the key s contains any non-ASCII UTF-8
-// 2) equalFoldRight, if s contains special folding ASCII ('k', 'K', 's', 'S')
-// 3) asciiEqualFold, no special, but includes non-letters (including _)
-// 4) simpleLetterEqualFold, no specials, no non-letters.
-//
-// The letters S and K are special because they map to 3 runes, not just 2:
-//  * S maps to s and to U+017F 'ſ' Latin small letter long s
-//  * k maps to K and to U+212A 'K' Kelvin sign
-// See https://play.golang.org/p/tTxjOc0OGo
-//
-// The returned function is specialized for matching against s and
-// should only be given s. It's not curried for performance reasons.
-func foldFunc(s []byte) func(s, t []byte) bool {
-	nonLetter := false
-	special := false // special letter
-	for _, b := range s {
-		if b >= utf8.RuneSelf {
-			return bytes.EqualFold
-		}
-		upper := b & caseMask
-		if upper < 'A' || upper > 'Z' {
-			nonLetter = true
-		} else if upper == 'K' || upper == 'S' {
-			// See above for why these letters are special.
-			special = true
-		}
-	}
-	if special {
-		return equalFoldRight
-	}
-	if nonLetter {
-		return asciiEqualFold
-	}
-	return simpleLetterEqualFold
-}
-
-// equalFoldRight is a specialization of bytes.EqualFold when s is
-// known to be all ASCII (including punctuation), but contains an 's',
-// 'S', 'k', or 'K', requiring a Unicode fold on the bytes in t.
-// See comments on foldFunc.
-func equalFoldRight(s, t []byte) bool {
-	for _, sb := range s {
-		if len(t) == 0 {
-			return false
-		}
-		tb := t[0]
-		if tb < utf8.RuneSelf {
-			if sb != tb {
-				sbUpper := sb & caseMask
-				if 'A' <= sbUpper && sbUpper <= 'Z' {
-					if sbUpper != tb&caseMask {
-						return false
-					}
-				} else {
-					return false
-				}
-			}
-			t = t[1:]
-			continue
-		}
-		// sb is ASCII and t is not. t must be either kelvin
-		// sign or long s; sb must be s, S, k, or K.
-		tr, size := utf8.DecodeRune(t)
-		switch sb {
-		case 's', 'S':
-			if tr != smallLongEss {
-				return false
-			}
-		case 'k', 'K':
-			if tr != kelvin {
-				return false
-			}
-		default:
-			return false
-		}
-		t = t[size:]
-
-	}
-	if len(t) > 0 {
-		return false
-	}
-	return true
-}
-
-// asciiEqualFold is a specialization of bytes.EqualFold for use when
-// s is all ASCII (but may contain non-letters) and contains no
-// special-folding letters.
-// See comments on foldFunc.
-func asciiEqualFold(s, t []byte) bool {
-	if len(s) != len(t) {
-		return false
-	}
-	for i, sb := range s {
-		tb := t[i]
-		if sb == tb {
-			continue
-		}
-		if ('a' <= sb && sb <= 'z') || ('A' <= sb && sb <= 'Z') {
-			if sb&caseMask != tb&caseMask {
-				return false
-			}
-		} else {
-			return false
-		}
-	}
-	return true
-}
-
-// simpleLetterEqualFold is a specialization of bytes.EqualFold for
-// use when s is all ASCII letters (no underscores, etc) and also
-// doesn't contain 'k', 'K', 's', or 'S'.
-// See comments on foldFunc.
-func simpleLetterEqualFold(s, t []byte) bool {
-	if len(s) != len(t) {
-		return false
-	}
-	for i, b := range s {
-		if b&caseMask != t[i]&caseMask {
-			return false
-		}
-	}
-	return true
-}
diff --git a/vendor/github.com/docker/go/canonical/json/indent.go b/vendor/github.com/docker/go/canonical/json/indent.go
deleted file mode 100644
index 7cd9f4db..00000000
--- a/vendor/github.com/docker/go/canonical/json/indent.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "bytes"
-
-// Compact appends to dst the JSON-encoded src with
-// insignificant space characters elided.
-func Compact(dst *bytes.Buffer, src []byte) error {
-	return compact(dst, src, false)
-}
-
-func compact(dst *bytes.Buffer, src []byte, escape bool) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	start := 0
-	for i, c := range src {
-		if escape && (c == '<' || c == '>' || c == '&') {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-		v := scan.step(&scan, c)
-		if v >= scanSkipSpace {
-			if v == scanError {
-				break
-			}
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			start = i + 1
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-	return nil
-}
-
-func newline(dst *bytes.Buffer, prefix, indent string, depth int) {
-	dst.WriteByte('\n')
-	dst.WriteString(prefix)
-	for i := 0; i < depth; i++ {
-		dst.WriteString(indent)
-	}
-}
-
-// Indent appends to dst an indented form of the JSON-encoded src.
-// Each element in a JSON object or array begins on a new,
-// indented line beginning with prefix followed by one or more
-// copies of indent according to the indentation nesting.
-// The data appended to dst does not begin with the prefix nor
-// any indentation, to make it easier to embed inside other formatted JSON data.
-// Although leading space characters (space, tab, carriage return, newline)
-// at the beginning of src are dropped, trailing space characters
-// at the end of src are preserved and copied to dst.
-// For example, if src has no trailing spaces, neither will dst;
-// if src ends in a trailing newline, so will dst.
-func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	needIndent := false
-	depth := 0
-	for _, c := range src {
-		scan.bytes++
-		v := scan.step(&scan, c)
-		if v == scanSkipSpace {
-			continue
-		}
-		if v == scanError {
-			break
-		}
-		if needIndent && v != scanEndObject && v != scanEndArray {
-			needIndent = false
-			depth++
-			newline(dst, prefix, indent, depth)
-		}
-
-		// Emit semantically uninteresting bytes
-		// (in particular, punctuation in strings) unmodified.
-		if v == scanContinue {
-			dst.WriteByte(c)
-			continue
-		}
-
-		// Add spacing around real punctuation.
-		switch c {
-		case '{', '[':
-			// delay indent so that empty object and array are formatted as {} and [].
-			needIndent = true
-			dst.WriteByte(c)
-
-		case ',':
-			dst.WriteByte(c)
-			newline(dst, prefix, indent, depth)
-
-		case ':':
-			dst.WriteByte(c)
-			dst.WriteByte(' ')
-
-		case '}', ']':
-			if needIndent {
-				// suppress indent in empty object/array
-				needIndent = false
-			} else {
-				depth--
-				newline(dst, prefix, indent, depth)
-			}
-			dst.WriteByte(c)
-
-		default:
-			dst.WriteByte(c)
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	return nil
-}
diff --git a/vendor/github.com/docker/go/canonical/json/scanner.go b/vendor/github.com/docker/go/canonical/json/scanner.go
deleted file mode 100644
index ee6622e8..00000000
--- a/vendor/github.com/docker/go/canonical/json/scanner.go
+++ /dev/null
@@ -1,623 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-// JSON value parser state machine.
-// Just about at the limit of what is reasonable to write by hand.
-// Some parts are a bit tedious, but overall it nicely factors out the
-// otherwise common code from the multiple scanning functions
-// in this package (Compact, Indent, checkValid, nextValue, etc).
-//
-// This file starts with two simple examples using the scanner
-// before diving into the scanner itself.
-
-import "strconv"
-
-// checkValid verifies that data is valid JSON-encoded data.
-// scan is passed in for use by checkValid to avoid an allocation.
-func checkValid(data []byte, scan *scanner) error {
-	scan.reset()
-	for _, c := range data {
-		scan.bytes++
-		if scan.step(scan, c) == scanError {
-			return scan.err
-		}
-	}
-	if scan.eof() == scanError {
-		return scan.err
-	}
-	return nil
-}
-
-// nextValue splits data after the next whole JSON value,
-// returning that value and the bytes that follow it as separate slices.
-// scan is passed in for use by nextValue to avoid an allocation.
-func nextValue(data []byte, scan *scanner) (value, rest []byte, err error) {
-	scan.reset()
-	for i, c := range data {
-		v := scan.step(scan, c)
-		if v >= scanEndObject {
-			switch v {
-			// probe the scanner with a space to determine whether we will
-			// get scanEnd on the next character. Otherwise, if the next character
-			// is not a space, scanEndTop allocates a needless error.
-			case scanEndObject, scanEndArray:
-				if scan.step(scan, ' ') == scanEnd {
-					return data[:i+1], data[i+1:], nil
-				}
-			case scanError:
-				return nil, nil, scan.err
-			case scanEnd:
-				return data[:i], data[i:], nil
-			}
-		}
-	}
-	if scan.eof() == scanError {
-		return nil, nil, scan.err
-	}
-	return data, nil, nil
-}
-
-// A SyntaxError is a description of a JSON syntax error.
-type SyntaxError struct {
-	msg    string // description of error
-	Offset int64  // error occurred after reading Offset bytes
-}
-
-func (e *SyntaxError) Error() string { return e.msg }
-
-// A scanner is a JSON scanning state machine.
-// Callers call scan.reset() and then pass bytes in one at a time
-// by calling scan.step(&scan, c) for each byte.
-// The return value, referred to as an opcode, tells the
-// caller about significant parsing events like beginning
-// and ending literals, objects, and arrays, so that the
-// caller can follow along if it wishes.
-// The return value scanEnd indicates that a single top-level
-// JSON value has been completed, *before* the byte that
-// just got passed in.  (The indication must be delayed in order
-// to recognize the end of numbers: is 123 a whole value or
-// the beginning of 12345e+6?).
-type scanner struct {
-	// The step is a func to be called to execute the next transition.
-	// Also tried using an integer constant and a single func
-	// with a switch, but using the func directly was 10% faster
-	// on a 64-bit Mac Mini, and it's nicer to read.
-	step func(*scanner, byte) int
-
-	// Reached end of top-level value.
-	endTop bool
-
-	// Stack of what we're in the middle of - array values, object keys, object values.
-	parseState []int
-
-	// Error that happened, if any.
-	err error
-
-	// 1-byte redo (see undo method)
-	redo      bool
-	redoCode  int
-	redoState func(*scanner, byte) int
-
-	// total bytes consumed, updated by decoder.Decode
-	bytes int64
-}
-
-// These values are returned by the state transition functions
-// assigned to scanner.state and the method scanner.eof.
-// They give details about the current state of the scan that
-// callers might be interested to know about.
-// It is okay to ignore the return value of any particular
-// call to scanner.state: if one call returns scanError,
-// every subsequent call will return scanError too.
-const (
-	// Continue.
-	scanContinue     = iota // uninteresting byte
-	scanBeginLiteral        // end implied by next result != scanContinue
-	scanBeginObject         // begin object
-	scanObjectKey           // just finished object key (string)
-	scanObjectValue         // just finished non-last object value
-	scanEndObject           // end object (implies scanObjectValue if possible)
-	scanBeginArray          // begin array
-	scanArrayValue          // just finished array value
-	scanEndArray            // end array (implies scanArrayValue if possible)
-	scanSkipSpace           // space byte; can skip; known to be last "continue" result
-
-	// Stop.
-	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
-	scanError // hit an error, scanner.err.
-)
-
-// These values are stored in the parseState stack.
-// They give the current state of a composite value
-// being scanned.  If the parser is inside a nested value
-// the parseState describes the nested state, outermost at entry 0.
-const (
-	parseObjectKey   = iota // parsing object key (before colon)
-	parseObjectValue        // parsing object value (after colon)
-	parseArrayValue         // parsing array value
-)
-
-// reset prepares the scanner for use.
-// It must be called before calling s.step.
-func (s *scanner) reset() {
-	s.step = stateBeginValue
-	s.parseState = s.parseState[0:0]
-	s.err = nil
-	s.redo = false
-	s.endTop = false
-}
-
-// eof tells the scanner that the end of input has been reached.
-// It returns a scan status just as s.step does.
-func (s *scanner) eof() int {
-	if s.err != nil {
-		return scanError
-	}
-	if s.endTop {
-		return scanEnd
-	}
-	s.step(s, ' ')
-	if s.endTop {
-		return scanEnd
-	}
-	if s.err == nil {
-		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
-	}
-	return scanError
-}
-
-// pushParseState pushes a new parse state p onto the parse stack.
-func (s *scanner) pushParseState(p int) {
-	s.parseState = append(s.parseState, p)
-}
-
-// popParseState pops a parse state (already obtained) off the stack
-// and updates s.step accordingly.
-func (s *scanner) popParseState() {
-	n := len(s.parseState) - 1
-	s.parseState = s.parseState[0:n]
-	s.redo = false
-	if n == 0 {
-		s.step = stateEndTop
-		s.endTop = true
-	} else {
-		s.step = stateEndValue
-	}
-}
-
-func isSpace(c byte) bool {
-	return c == ' ' || c == '\t' || c == '\r' || c == '\n'
-}
-
-// stateBeginValueOrEmpty is the state after reading `[`.
-func stateBeginValueOrEmpty(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == ']' {
-		return stateEndValue(s, c)
-	}
-	return stateBeginValue(s, c)
-}
-
-// stateBeginValue is the state at the beginning of the input.
-func stateBeginValue(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	switch c {
-	case '{':
-		s.step = stateBeginStringOrEmpty
-		s.pushParseState(parseObjectKey)
-		return scanBeginObject
-	case '[':
-		s.step = stateBeginValueOrEmpty
-		s.pushParseState(parseArrayValue)
-		return scanBeginArray
-	case '"':
-		s.step = stateInString
-		return scanBeginLiteral
-	case '-':
-		s.step = stateNeg
-		return scanBeginLiteral
-	case '0': // beginning of 0.123
-		s.step = state0
-		return scanBeginLiteral
-	case 't': // beginning of true
-		s.step = stateT
-		return scanBeginLiteral
-	case 'f': // beginning of false
-		s.step = stateF
-		return scanBeginLiteral
-	case 'n': // beginning of null
-		s.step = stateN
-		return scanBeginLiteral
-	}
-	if '1' <= c && c <= '9' { // beginning of 1234.5
-		s.step = state1
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of value")
-}
-
-// stateBeginStringOrEmpty is the state after reading `{`.
-func stateBeginStringOrEmpty(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '}' {
-		n := len(s.parseState)
-		s.parseState[n-1] = parseObjectValue
-		return stateEndValue(s, c)
-	}
-	return stateBeginString(s, c)
-}
-
-// stateBeginString is the state after reading `{"key": value,`.
-func stateBeginString(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '"' {
-		s.step = stateInString
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of object key string")
-}
-
-// stateEndValue is the state after completing a value,
-// such as after reading `{}` or `true` or `["x"`.
-func stateEndValue(s *scanner, c byte) int {
-	n := len(s.parseState)
-	if n == 0 {
-		// Completed top-level before the current byte.
-		s.step = stateEndTop
-		s.endTop = true
-		return stateEndTop(s, c)
-	}
-	if c <= ' ' && isSpace(c) {
-		s.step = stateEndValue
-		return scanSkipSpace
-	}
-	ps := s.parseState[n-1]
-	switch ps {
-	case parseObjectKey:
-		if c == ':' {
-			s.parseState[n-1] = parseObjectValue
-			s.step = stateBeginValue
-			return scanObjectKey
-		}
-		return s.error(c, "after object key")
-	case parseObjectValue:
-		if c == ',' {
-			s.parseState[n-1] = parseObjectKey
-			s.step = stateBeginString
-			return scanObjectValue
-		}
-		if c == '}' {
-			s.popParseState()
-			return scanEndObject
-		}
-		return s.error(c, "after object key:value pair")
-	case parseArrayValue:
-		if c == ',' {
-			s.step = stateBeginValue
-			return scanArrayValue
-		}
-		if c == ']' {
-			s.popParseState()
-			return scanEndArray
-		}
-		return s.error(c, "after array element")
-	}
-	return s.error(c, "")
-}
-
-// stateEndTop is the state after finishing the top-level value,
-// such as after reading `{}` or `[1,2,3]`.
-// Only space characters should be seen now.
-func stateEndTop(s *scanner, c byte) int {
-	if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
-		// Complain about non-space byte on next call.
-		s.error(c, "after top-level value")
-	}
-	return scanEnd
-}
-
-// stateInString is the state after reading `"`.
-func stateInString(s *scanner, c byte) int {
-	if c == '"' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	if c == '\\' {
-		s.step = stateInStringEsc
-		return scanContinue
-	}
-	if c < 0x20 {
-		return s.error(c, "in string literal")
-	}
-	return scanContinue
-}
-
-// stateInStringEsc is the state after reading `"\` during a quoted string.
-func stateInStringEsc(s *scanner, c byte) int {
-	switch c {
-	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
-		s.step = stateInString
-		return scanContinue
-	case 'u':
-		s.step = stateInStringEscU
-		return scanContinue
-	}
-	return s.error(c, "in string escape code")
-}
-
-// stateInStringEscU is the state after reading `"\u` during a quoted string.
-func stateInStringEscU(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU1
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
-func stateInStringEscU1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU12
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
-func stateInStringEscU12(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU123
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
-func stateInStringEscU123(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInString
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateNeg is the state after reading `-` during a number.
-func stateNeg(s *scanner, c byte) int {
-	if c == '0' {
-		s.step = state0
-		return scanContinue
-	}
-	if '1' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return s.error(c, "in numeric literal")
-}
-
-// state1 is the state after reading a non-zero integer during a number,
-// such as after reading `1` or `100` but not `0`.
-func state1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return state0(s, c)
-}
-
-// state0 is the state after reading `0` during a number.
-func state0(s *scanner, c byte) int {
-	if c == '.' {
-		s.step = stateDot
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateDot is the state after reading the integer and decimal point in a number,
-// such as after reading `1.`.
-func stateDot(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateDot0
-		return scanContinue
-	}
-	return s.error(c, "after decimal point in numeric literal")
-}
-
-// stateDot0 is the state after reading the integer, decimal point, and subsequent
-// digits of a number, such as after reading `3.14`.
-func stateDot0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateE is the state after reading the mantissa and e in a number,
-// such as after reading `314e` or `0.314e`.
-func stateE(s *scanner, c byte) int {
-	if c == '+' || c == '-' {
-		s.step = stateESign
-		return scanContinue
-	}
-	return stateESign(s, c)
-}
-
-// stateESign is the state after reading the mantissa, e, and sign in a number,
-// such as after reading `314e-` or `0.314e+`.
-func stateESign(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateE0
-		return scanContinue
-	}
-	return s.error(c, "in exponent of numeric literal")
-}
-
-// stateE0 is the state after reading the mantissa, e, optional sign,
-// and at least one digit of the exponent in a number,
-// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
-func stateE0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateT is the state after reading `t`.
-func stateT(s *scanner, c byte) int {
-	if c == 'r' {
-		s.step = stateTr
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'r')")
-}
-
-// stateTr is the state after reading `tr`.
-func stateTr(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateTru
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'u')")
-}
-
-// stateTru is the state after reading `tru`.
-func stateTru(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'e')")
-}
-
-// stateF is the state after reading `f`.
-func stateF(s *scanner, c byte) int {
-	if c == 'a' {
-		s.step = stateFa
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'a')")
-}
-
-// stateFa is the state after reading `fa`.
-func stateFa(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateFal
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'l')")
-}
-
-// stateFal is the state after reading `fal`.
-func stateFal(s *scanner, c byte) int {
-	if c == 's' {
-		s.step = stateFals
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 's')")
-}
-
-// stateFals is the state after reading `fals`.
-func stateFals(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'e')")
-}
-
-// stateN is the state after reading `n`.
-func stateN(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateNu
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'u')")
-}
-
-// stateNu is the state after reading `nu`.
-func stateNu(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateNul
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateNul is the state after reading `nul`.
-func stateNul(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateError is the state after reaching a syntax error,
-// such as after reading `[1}` or `5.1.2`.
-func stateError(s *scanner, c byte) int {
-	return scanError
-}
-
-// error records an error and switches to the error state.
-func (s *scanner) error(c byte, context string) int {
-	s.step = stateError
-	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
-	return scanError
-}
-
-// quoteChar formats c as a quoted character literal
-func quoteChar(c byte) string {
-	// special cases - different from quoted strings
-	if c == '\'' {
-		return `'\''`
-	}
-	if c == '"' {
-		return `'"'`
-	}
-
-	// use quoted string with different quotation marks
-	s := strconv.Quote(string(c))
-	return "'" + s[1:len(s)-1] + "'"
-}
-
-// undo causes the scanner to return scanCode from the next state transition.
-// This gives callers a simple 1-byte undo mechanism.
-func (s *scanner) undo(scanCode int) {
-	if s.redo {
-		panic("json: invalid use of scanner")
-	}
-	s.redoCode = scanCode
-	s.redoState = s.step
-	s.step = stateRedo
-	s.redo = true
-}
-
-// stateRedo helps implement the scanner's 1-byte undo.
-func stateRedo(s *scanner, c byte) int {
-	s.redo = false
-	s.step = s.redoState
-	return s.redoCode
-}
diff --git a/vendor/github.com/docker/go/canonical/json/stream.go b/vendor/github.com/docker/go/canonical/json/stream.go
deleted file mode 100644
index dc0f28e3..00000000
--- a/vendor/github.com/docker/go/canonical/json/stream.go
+++ /dev/null
@@ -1,487 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"errors"
-	"io"
-)
-
-// A Decoder reads and decodes JSON objects from an input stream.
-type Decoder struct {
-	r     io.Reader
-	buf   []byte
-	d     decodeState
-	scanp int // start of unread data in buf
-	scan  scanner
-	err   error
-
-	tokenState int
-	tokenStack []int
-}
-
-// NewDecoder returns a new decoder that reads from r.
-//
-// The decoder introduces its own buffering and may
-// read data from r beyond the JSON values requested.
-func NewDecoder(r io.Reader) *Decoder {
-	return &Decoder{r: r}
-}
-
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
-
-// Decode reads the next JSON-encoded value from its
-// input and stores it in the value pointed to by v.
-//
-// See the documentation for Unmarshal for details about
-// the conversion of JSON into a Go value.
-func (dec *Decoder) Decode(v interface{}) error {
-	if dec.err != nil {
-		return dec.err
-	}
-
-	if err := dec.tokenPrepareForDecode(); err != nil {
-		return err
-	}
-
-	if !dec.tokenValueAllowed() {
-		return &SyntaxError{msg: "not at beginning of value"}
-	}
-
-	// Read whole value into buffer.
-	n, err := dec.readValue()
-	if err != nil {
-		return err
-	}
-	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
-	dec.scanp += n
-
-	// Don't save err from unmarshal into dec.err:
-	// the connection is still usable since we read a complete JSON
-	// object from it before the error happened.
-	err = dec.d.unmarshal(v)
-
-	// fixup token streaming state
-	dec.tokenValueEnd()
-
-	return err
-}
-
-// Buffered returns a reader of the data remaining in the Decoder's
-// buffer. The reader is valid until the next call to Decode.
-func (dec *Decoder) Buffered() io.Reader {
-	return bytes.NewReader(dec.buf[dec.scanp:])
-}
-
-// readValue reads a JSON value into dec.buf.
-// It returns the length of the encoding.
-func (dec *Decoder) readValue() (int, error) {
-	dec.scan.reset()
-
-	scanp := dec.scanp
-	var err error
-Input:
-	for {
-		// Look in the buffer for a new value.
-		for i, c := range dec.buf[scanp:] {
-			dec.scan.bytes++
-			v := dec.scan.step(&dec.scan, c)
-			if v == scanEnd {
-				scanp += i
-				break Input
-			}
-			// scanEnd is delayed one byte.
-			// We might block trying to get that byte from src,
-			// so instead invent a space byte.
-			if (v == scanEndObject || v == scanEndArray) && dec.scan.step(&dec.scan, ' ') == scanEnd {
-				scanp += i + 1
-				break Input
-			}
-			if v == scanError {
-				dec.err = dec.scan.err
-				return 0, dec.scan.err
-			}
-		}
-		scanp = len(dec.buf)
-
-		// Did the last read have an error?
-		// Delayed until now to allow buffer scan.
-		if err != nil {
-			if err == io.EOF {
-				if dec.scan.step(&dec.scan, ' ') == scanEnd {
-					break Input
-				}
-				if nonSpace(dec.buf) {
-					err = io.ErrUnexpectedEOF
-				}
-			}
-			dec.err = err
-			return 0, err
-		}
-
-		n := scanp - dec.scanp
-		err = dec.refill()
-		scanp = dec.scanp + n
-	}
-	return scanp - dec.scanp, nil
-}
-
-func (dec *Decoder) refill() error {
-	// Make room to read more into the buffer.
-	// First slide down data already consumed.
-	if dec.scanp > 0 {
-		n := copy(dec.buf, dec.buf[dec.scanp:])
-		dec.buf = dec.buf[:n]
-		dec.scanp = 0
-	}
-
-	// Grow buffer if not large enough.
-	const minRead = 512
-	if cap(dec.buf)-len(dec.buf) < minRead {
-		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
-		copy(newBuf, dec.buf)
-		dec.buf = newBuf
-	}
-
-	// Read.  Delay error for next iteration (after scan).
-	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
-	dec.buf = dec.buf[0 : len(dec.buf)+n]
-
-	return err
-}
-
-func nonSpace(b []byte) bool {
-	for _, c := range b {
-		if !isSpace(c) {
-			return true
-		}
-	}
-	return false
-}
-
-// An Encoder writes JSON objects to an output stream.
-type Encoder struct {
-	w         io.Writer
-	err       error
-	canonical bool
-}
-
-// NewEncoder returns a new encoder that writes to w.
-func NewEncoder(w io.Writer) *Encoder {
-	return &Encoder{w: w}
-}
-
-// Canonical causes the encoder to switch to Canonical JSON mode.
-// Read more at: http://wiki.laptop.org/go/Canonical_JSON
-func (enc *Encoder) Canonical() { enc.canonical = true }
-
-// Encode writes the JSON encoding of v to the stream,
-// followed by a newline character.
-//
-// See the documentation for Marshal for details about the
-// conversion of Go values to JSON.
-func (enc *Encoder) Encode(v interface{}) error {
-	if enc.err != nil {
-		return enc.err
-	}
-	e := newEncodeState(enc.canonical)
-	err := e.marshal(v)
-	if err != nil {
-		return err
-	}
-
-	if !enc.canonical {
-		// Terminate each value with a newline.
-		// This makes the output look a little nicer
-		// when debugging, and some kind of space
-		// is required if the encoded value was a number,
-		// so that the reader knows there aren't more
-		// digits coming.
-		e.WriteByte('\n')
-	}
-
-	if _, err = enc.w.Write(e.Bytes()); err != nil {
-		enc.err = err
-	}
-	encodeStatePool.Put(e)
-	return err
-}
-
-// RawMessage is a raw encoded JSON object.
-// It implements Marshaler and Unmarshaler and can
-// be used to delay JSON decoding or precompute a JSON encoding.
-type RawMessage []byte
-
-// MarshalJSON returns *m as the JSON encoding of m.
-func (m *RawMessage) MarshalJSON() ([]byte, error) {
-	return *m, nil
-}
-
-// UnmarshalJSON sets *m to a copy of data.
-func (m *RawMessage) UnmarshalJSON(data []byte) error {
-	if m == nil {
-		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
-	}
-	*m = append((*m)[0:0], data...)
-	return nil
-}
-
-var _ Marshaler = (*RawMessage)(nil)
-var _ Unmarshaler = (*RawMessage)(nil)
-
-// A Token holds a value of one of these types:
-//
-//	Delim, for the four JSON delimiters [ ] { }
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	Number, for JSON numbers
-//	string, for JSON string literals
-//	nil, for JSON null
-//
-type Token interface{}
-
-const (
-	tokenTopValue = iota
-	tokenArrayStart
-	tokenArrayValue
-	tokenArrayComma
-	tokenObjectStart
-	tokenObjectKey
-	tokenObjectColon
-	tokenObjectValue
-	tokenObjectComma
-)
-
-// advance tokenstate from a separator state to a value state
-func (dec *Decoder) tokenPrepareForDecode() error {
-	// Note: Not calling peek before switch, to avoid
-	// putting peek into the standard Decode path.
-	// peek is only called when using the Token API.
-	switch dec.tokenState {
-	case tokenArrayComma:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ',' {
-			return &SyntaxError{"expected comma after array element", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenArrayValue
-	case tokenObjectColon:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ':' {
-			return &SyntaxError{"expected colon after object key", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenObjectValue
-	}
-	return nil
-}
-
-func (dec *Decoder) tokenValueAllowed() bool {
-	switch dec.tokenState {
-	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		return true
-	}
-	return false
-}
-
-func (dec *Decoder) tokenValueEnd() {
-	switch dec.tokenState {
-	case tokenArrayStart, tokenArrayValue:
-		dec.tokenState = tokenArrayComma
-	case tokenObjectValue:
-		dec.tokenState = tokenObjectComma
-	}
-}
-
-// A Delim is a JSON array or object delimiter, one of [ ] { or }.
-type Delim rune
-
-func (d Delim) String() string {
-	return string(d)
-}
-
-// Token returns the next JSON token in the input stream.
-// At the end of the input stream, Token returns nil, io.EOF.
-//
-// Token guarantees that the delimiters [ ] { } it returns are
-// properly nested and matched: if Token encounters an unexpected
-// delimiter in the input, it will return an error.
-//
-// The input stream consists of basic JSON values—bool, string,
-// number, and null—along with delimiters [ ] { } of type Delim
-// to mark the start and end of arrays and objects.
-// Commas and colons are elided.
-func (dec *Decoder) Token() (Token, error) {
-	for {
-		c, err := dec.peek()
-		if err != nil {
-			return nil, err
-		}
-		switch c {
-		case '[':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenArrayStart
-			return Delim('['), nil
-
-		case ']':
-			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim(']'), nil
-
-		case '{':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenObjectStart
-			return Delim('{'), nil
-
-		case '}':
-			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim('}'), nil
-
-		case ':':
-			if dec.tokenState != tokenObjectColon {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = tokenObjectValue
-			continue
-
-		case ',':
-			if dec.tokenState == tokenArrayComma {
-				dec.scanp++
-				dec.tokenState = tokenArrayValue
-				continue
-			}
-			if dec.tokenState == tokenObjectComma {
-				dec.scanp++
-				dec.tokenState = tokenObjectKey
-				continue
-			}
-			return dec.tokenError(c)
-
-		case '"':
-			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
-				var x string
-				old := dec.tokenState
-				dec.tokenState = tokenTopValue
-				err := dec.Decode(&x)
-				dec.tokenState = old
-				if err != nil {
-					clearOffset(err)
-					return nil, err
-				}
-				dec.tokenState = tokenObjectColon
-				return x, nil
-			}
-			fallthrough
-
-		default:
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			var x interface{}
-			if err := dec.Decode(&x); err != nil {
-				clearOffset(err)
-				return nil, err
-			}
-			return x, nil
-		}
-	}
-}
-
-func clearOffset(err error) {
-	if s, ok := err.(*SyntaxError); ok {
-		s.Offset = 0
-	}
-}
-
-func (dec *Decoder) tokenError(c byte) (Token, error) {
-	var context string
-	switch dec.tokenState {
-	case tokenTopValue:
-		context = " looking for beginning of value"
-	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		context = " looking for beginning of value"
-	case tokenArrayComma:
-		context = " after array element"
-	case tokenObjectKey:
-		context = " looking for beginning of object key string"
-	case tokenObjectColon:
-		context = " after object key"
-	case tokenObjectComma:
-		context = " after object key:value pair"
-	}
-	return nil, &SyntaxError{"invalid character " + quoteChar(c) + " " + context, 0}
-}
-
-// More reports whether there is another element in the
-// current array or object being parsed.
-func (dec *Decoder) More() bool {
-	c, err := dec.peek()
-	return err == nil && c != ']' && c != '}'
-}
-
-func (dec *Decoder) peek() (byte, error) {
-	var err error
-	for {
-		for i := dec.scanp; i < len(dec.buf); i++ {
-			c := dec.buf[i]
-			if isSpace(c) {
-				continue
-			}
-			dec.scanp = i
-			return c, nil
-		}
-		// buffer has been scanned, now report any error
-		if err != nil {
-			return 0, err
-		}
-		err = dec.refill()
-	}
-}
-
-/*
-TODO
-
-// EncodeToken writes the given JSON token to the stream.
-// It returns an error if the delimiters [ ] { } are not properly used.
-//
-// EncodeToken does not call Flush, because usually it is part of
-// a larger operation such as Encode, and those will call Flush when finished.
-// Callers that create an Encoder and then invoke EncodeToken directly,
-// without using Encode, need to call Flush when finished to ensure that
-// the JSON is written to the underlying writer.
-func (e *Encoder) EncodeToken(t Token) error  {
-	...
-}
-
-*/
diff --git a/vendor/github.com/docker/go/canonical/json/tags.go b/vendor/github.com/docker/go/canonical/json/tags.go
deleted file mode 100644
index c38fd510..00000000
--- a/vendor/github.com/docker/go/canonical/json/tags.go
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"strings"
-)
-
-// tagOptions is the string following a comma in a struct field's "json"
-// tag, or the empty string. It does not include the leading comma.
-type tagOptions string
-
-// parseTag splits a struct field's json tag into its name and
-// comma-separated options.
-func parseTag(tag string) (string, tagOptions) {
-	if idx := strings.Index(tag, ","); idx != -1 {
-		return tag[:idx], tagOptions(tag[idx+1:])
-	}
-	return tag, tagOptions("")
-}
-
-// Contains reports whether a comma-separated list of options
-// contains a particular substr flag. substr must be surrounded by a
-// string boundary or commas.
-func (o tagOptions) Contains(optionName string) bool {
-	if len(o) == 0 {
-		return false
-	}
-	s := string(o)
-	for s != "" {
-		var next string
-		i := strings.Index(s, ",")
-		if i >= 0 {
-			s, next = s[:i], s[i+1:]
-		}
-		if s == optionName {
-			return true
-		}
-		s = next
-	}
-	return false
-}
diff --git a/vendor/github.com/go-git/go-git/v5/options.go b/vendor/github.com/go-git/go-git/v5/options.go
index 3cd0f952..e2c77edc 100644
--- a/vendor/github.com/go-git/go-git/v5/options.go
+++ b/vendor/github.com/go-git/go-git/v5/options.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/ProtonMail/go-crypto/openpgp"
+
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
 	formatcfg "github.com/go-git/go-git/v5/plumbing/format/config"
@@ -72,9 +73,16 @@ type CloneOptions struct {
 	// Tags describe how the tags will be fetched from the remote repository,
 	// by default is AllTags.
 	Tags TagMode
-	// InsecureSkipTLS skips ssl verify if protocol is https
+	// InsecureSkipTLS skips SSL verification if protocol is HTTPS.
 	InsecureSkipTLS bool
-	// CABundle specify additional ca bundle with system cert pool
+	// ClientCert is the client certificate to use for mutual TLS authentication
+	// over the HTTPS protocol.
+	ClientCert []byte
+	// ClientKey is the client key to use for mutual TLS authentication over
+	// the HTTPS protocol.
+	ClientKey []byte
+	// CABundle specifies an additional CA bundle to use together with the
+	// system cert pool.
 	CABundle []byte
 	// ProxyOptions provides info required for connecting to a proxy.
 	ProxyOptions transport.ProxyOptions
@@ -153,9 +161,16 @@ type PullOptions struct {
 	// Force allows the pull to update a local branch even when the remote
 	// branch does not descend from it.
 	Force bool
-	// InsecureSkipTLS skips ssl verify if protocol is https
+	// InsecureSkipTLS skips SSL verification if protocol is HTTPS.
 	InsecureSkipTLS bool
-	// CABundle specify additional ca bundle with system cert pool
+	// ClientCert is the client certificate to use for mutual TLS authentication
+	// over the HTTPS protocol.
+	ClientCert []byte
+	// ClientKey is the client key to use for mutual TLS authentication over
+	// the HTTPS protocol.
+	ClientKey []byte
+	// CABundle specifies an additional CA bundle to use together with the
+	// system cert pool.
 	CABundle []byte
 	// ProxyOptions provides info required for connecting to a proxy.
 	ProxyOptions transport.ProxyOptions
@@ -211,9 +226,16 @@ type FetchOptions struct {
 	// Force allows the fetch to update a local branch even when the remote
 	// branch does not descend from it.
 	Force bool
-	// InsecureSkipTLS skips ssl verify if protocol is https
+	// InsecureSkipTLS skips SSL verification if protocol is HTTPS.
 	InsecureSkipTLS bool
-	// CABundle specify additional ca bundle with system cert pool
+	// ClientCert is the client certificate to use for mutual TLS authentication
+	// over the HTTPS protocol.
+	ClientCert []byte
+	// ClientKey is the client key to use for mutual TLS authentication over
+	// the HTTPS protocol.
+	ClientKey []byte
+	// CABundle specifies an additional CA bundle to use together with the
+	// system cert pool.
 	CABundle []byte
 	// ProxyOptions provides info required for connecting to a proxy.
 	ProxyOptions transport.ProxyOptions
@@ -267,9 +289,16 @@ type PushOptions struct {
 	// Force allows the push to update a remote branch even when the local
 	// branch does not descend from it.
 	Force bool
-	// InsecureSkipTLS skips ssl verify if protocol is https
+	// InsecureSkipTLS skips SSL verification if protocol is HTTPS.
 	InsecureSkipTLS bool
-	// CABundle specify additional ca bundle with system cert pool
+	// ClientCert is the client certificate to use for mutual TLS authentication
+	// over the HTTPS protocol.
+	ClientCert []byte
+	// ClientKey is the client key to use for mutual TLS authentication over
+	// the HTTPS protocol.
+	ClientKey []byte
+	// CABundle specifies an additional CA bundle to use together with the
+	// system cert pool.
 	CABundle []byte
 	// RequireRemoteRefs only allows a remote ref to be updated if its current
 	// value is the one specified here.
@@ -693,9 +722,16 @@ func (o *CreateTagOptions) loadConfigTagger(r *Repository) error {
 type ListOptions struct {
 	// Auth credentials, if required, to use with the remote repository.
 	Auth transport.AuthMethod
-	// InsecureSkipTLS skips ssl verify if protocol is https
+	// InsecureSkipTLS skips SSL verification if protocol is HTTPS.
 	InsecureSkipTLS bool
-	// CABundle specify additional ca bundle with system cert pool
+	// ClientCert is the client certificate to use for mutual TLS authentication
+	// over the HTTPS protocol.
+	ClientCert []byte
+	// ClientKey is the client key to use for mutual TLS authentication over
+	// the HTTPS protocol.
+	ClientKey []byte
+	// CABundle specifies an additional CA bundle to use together with the
+	// system cert pool.
 	CABundle []byte
 	// PeelingOption defines how peeled objects are handled during a
 	// remote list.
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/common.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/common.go
index fae1aa98..b4c5e98b 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/common.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/common.go
@@ -113,9 +113,17 @@ type Endpoint struct {
 	Port int
 	// Path is the repository path.
 	Path string
-	// InsecureSkipTLS skips ssl verify if protocol is https
+	// InsecureSkipTLS skips SSL verification if Protocol is HTTPS.
 	InsecureSkipTLS bool
-	// CaBundle specify additional ca bundle with system cert pool
+	// ClientCert specifies an optional client certificate to use for mutual
+	// TLS authentication if Protocol is HTTPS.
+	ClientCert []byte
+	// ClientKey specifies an optional client key to use for mutual TLS
+	// authentication if Protocol is HTTPS.
+	ClientKey []byte
+	// CaBundle specifies an optional CA bundle to use for SSL verification
+	// if Protocol is HTTPS. The bundle is added in addition to the system
+	// CA bundle.
 	CaBundle []byte
 	// Proxy provides info required for connecting to a proxy.
 	Proxy ProxyOptions
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go
index df01890b..5dd2e311 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go
@@ -15,12 +15,13 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/golang/groupcache/lru"
+
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/protocol/packp"
 	"github.com/go-git/go-git/v5/plumbing/protocol/packp/capability"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/utils/ioutil"
-	"github.com/golang/groupcache/lru"
 )
 
 // it requires a bytes.Buffer, because we need to know the length
@@ -185,6 +186,18 @@ func transportWithInsecureTLS(transport *http.Transport) {
 	transport.TLSClientConfig.InsecureSkipVerify = true
 }
 
+func transportWithClientCert(transport *http.Transport, cert, key []byte) error {
+	keyPair, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		return err
+	}
+	if transport.TLSClientConfig == nil {
+		transport.TLSClientConfig = &tls.Config{}
+	}
+	transport.TLSClientConfig.Certificates = []tls.Certificate{keyPair}
+	return nil
+}
+
 func transportWithCABundle(transport *http.Transport, caBundle []byte) error {
 	rootCAs, err := x509.SystemCertPool()
 	if err != nil {
@@ -206,6 +219,11 @@ func transportWithProxy(transport *http.Transport, proxyURL *url.URL) {
 }
 
 func configureTransport(transport *http.Transport, ep *transport.Endpoint) error {
+	if len(ep.ClientCert) > 0 && len(ep.ClientKey) > 0 {
+		if err := transportWithClientCert(transport, ep.ClientCert, ep.ClientKey); err != nil {
+			return err
+		}
+	}
 	if len(ep.CaBundle) > 0 {
 		if err := transportWithCABundle(transport, ep.CaBundle); err != nil {
 			return err
@@ -230,7 +248,7 @@ func newSession(c *client, ep *transport.Endpoint, auth transport.AuthMethod) (*
 
 	// We need to configure the http transport if there are transport specific
 	// options present in the endpoint.
-	if len(ep.CaBundle) > 0 || ep.InsecureSkipTLS || ep.Proxy.URL != "" {
+	if len(ep.ClientKey) > 0 || len(ep.ClientCert) > 0 || len(ep.CaBundle) > 0 || ep.InsecureSkipTLS || ep.Proxy.URL != "" {
 		var transport *http.Transport
 		// if the client wasn't configured to have a cache for transports then just configure
 		// the transport and use it directly, otherwise try to use the cache.
@@ -242,9 +260,13 @@ func newSession(c *client, ep *transport.Endpoint, auth transport.AuthMethod) (*
 			}
 
 			transport = tr.Clone()
-			configureTransport(transport, ep)
+			if err := configureTransport(transport, ep); err != nil {
+				return nil, err
+			}
 		} else {
 			transportOpts := transportOptions{
+				clientCert:      string(ep.ClientCert),
+				clientKey:       string(ep.ClientKey),
 				caBundle:        string(ep.CaBundle),
 				insecureSkipTLS: ep.InsecureSkipTLS,
 			}
@@ -260,7 +282,9 @@ func newSession(c *client, ep *transport.Endpoint, auth transport.AuthMethod) (*
 
 			if !found {
 				transport = c.client.Transport.(*http.Transport).Clone()
-				configureTransport(transport, ep)
+				if err := configureTransport(transport, ep); err != nil {
+					return nil, err
+				}
 				c.addTransport(transportOpts, transport)
 			}
 		}
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/transport.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/transport.go
index c8db3892..1991d051 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/transport.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/transport.go
@@ -9,8 +9,10 @@ import (
 type transportOptions struct {
 	insecureSkipTLS bool
 	// []byte is not comparable.
-	caBundle string
-	proxyURL url.URL
+	clientCert string
+	clientKey  string
+	caBundle   string
+	proxyURL   url.URL
 }
 
 func (c *client) addTransport(opts transportOptions, transport *http.Transport) {
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go
index ac4e3583..a6161060 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go
@@ -54,7 +54,7 @@ func (a *KeyboardInteractive) String() string {
 }
 
 func (a *KeyboardInteractive) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{
 			a.Challenge,
@@ -78,7 +78,7 @@ func (a *Password) String() string {
 }
 
 func (a *Password) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.Password(a.Password)},
 	})
@@ -101,7 +101,7 @@ func (a *PasswordCallback) String() string {
 }
 
 func (a *PasswordCallback) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.PasswordCallback(a.Callback)},
 	})
@@ -150,7 +150,7 @@ func (a *PublicKeys) String() string {
 }
 
 func (a *PublicKeys) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.PublicKeys(a.Signer)},
 	})
@@ -211,7 +211,7 @@ func (a *PublicKeysCallback) String() string {
 }
 
 func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.PublicKeysCallback(a.Callback)},
 	})
@@ -230,11 +230,26 @@ func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
 //	~/.ssh/known_hosts
 //	/etc/ssh/ssh_known_hosts
 func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) {
-	kh, err := newKnownHosts(files...)
-	return ssh.HostKeyCallback(kh), err
+	kh, err := NewKnownHostsDb(files...)
+	if err != nil {
+		return nil, err
+	}
+	return kh.HostKeyCallback(), nil
 }
 
-func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
+// NewKnownHostsDb returns knownhosts.HostKeyDB based on a file based on a
+// known_hosts file. http://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT
+//
+// If list of files is empty, then it will be read from the SSH_KNOWN_HOSTS
+// environment variable, example:
+//
+//	/home/foo/custom_known_hosts_file:/etc/custom_known/hosts_file
+//
+// If SSH_KNOWN_HOSTS is not set the following file locations will be used:
+//
+//	~/.ssh/known_hosts
+//	/etc/ssh/ssh_known_hosts
+func NewKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) {
 	var err error
 
 	if len(files) == 0 {
@@ -247,7 +262,7 @@ func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
 		return nil, err
 	}
 
-	return knownhosts.New(files...)
+	return knownhosts.NewDB(files...)
 }
 
 func getDefaultKnownHostsFiles() ([]string, error) {
@@ -289,25 +304,50 @@ func filterKnownHostsFiles(files ...string) ([]string, error) {
 }
 
 // HostKeyCallbackHelper is a helper that provides common functionality to
-// configure HostKeyCallback into a ssh.ClientConfig.
+// configure HostKeyCallback and HostKeyAlgorithms into a ssh.ClientConfig.
 type HostKeyCallbackHelper struct {
 	// HostKeyCallback is the function type used for verifying server keys.
-	// If nil default callback will be create using NewKnownHostsCallback
+	// If nil, a default callback will be created using NewKnownHostsDb
 	// without argument.
 	HostKeyCallback ssh.HostKeyCallback
+
+	// HostKeyAlgorithms is a list of supported host key algorithms that will
+	// be used for host key verification.
+	HostKeyAlgorithms []string
+
+	// fallback allows for injecting the fallback call, which is called
+	// when a HostKeyCallback is not set.
+	fallback func(files ...string) (ssh.HostKeyCallback, error)
 }
 
-// SetHostKeyCallback sets the field HostKeyCallback in the given cfg. If
-// HostKeyCallback is empty a default callback is created using
-// NewKnownHostsCallback.
-func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
-	var err error
+// SetHostKeyCallbackAndAlgorithms sets the field HostKeyCallback and HostKeyAlgorithms in the given cfg.
+// If the host key callback or algorithms is empty it is left empty. It will be handled by the dial method,
+// falling back to knownhosts.
+func (m *HostKeyCallbackHelper) SetHostKeyCallbackAndAlgorithms(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
+	if cfg == nil {
+		cfg = &ssh.ClientConfig{}
+	}
+
 	if m.HostKeyCallback == nil {
-		if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil {
-			return cfg, err
+		if m.fallback == nil {
+			m.fallback = NewKnownHostsCallback
 		}
+
+		hkcb, err := m.fallback()
+		if err != nil {
+			return nil, fmt.Errorf("cannot create known hosts callback: %w", err)
+		}
+
+		cfg.HostKeyCallback = hkcb
+		cfg.HostKeyAlgorithms = m.HostKeyAlgorithms
+		return cfg, err
 	}
 
 	cfg.HostKeyCallback = m.HostKeyCallback
+	cfg.HostKeyAlgorithms = m.HostKeyAlgorithms
 	return cfg, nil
 }
+
+func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
+	return m.SetHostKeyCallbackAndAlgorithms(cfg)
+}
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go
index 05dea448..ae6f2174 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/internal/common"
-	"github.com/skeema/knownhosts"
 
 	"github.com/kevinburke/ssh_config"
 	"golang.org/x/crypto/ssh"
@@ -127,17 +126,17 @@ func (c *command) connect() error {
 	}
 	hostWithPort := c.getHostWithPort()
 	if config.HostKeyCallback == nil {
-		kh, err := newKnownHosts()
+		db, err := NewKnownHostsDb()
 		if err != nil {
 			return err
 		}
-		config.HostKeyCallback = kh.HostKeyCallback()
-		config.HostKeyAlgorithms = kh.HostKeyAlgorithms(hostWithPort)
-	} else if len(config.HostKeyAlgorithms) == 0 {
-		// Set the HostKeyAlgorithms based on HostKeyCallback.
-		// For background see https://github.com/go-git/go-git/issues/411 as well as
-		// https://github.com/golang/go/issues/29286 for root cause.
-		config.HostKeyAlgorithms = knownhosts.HostKeyAlgorithms(config.HostKeyCallback, hostWithPort)
+		config.HostKeyCallback = db.HostKeyCallback()
+		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
+	} else {
+		// If the user gave a custom HostKeyCallback, we do not try to detect host key algorithms
+		// based on knownhosts functionality, as the user may be requesting a FixedKey or using a
+		// different key approval strategy. In that case, the user is responsible for populating
+		// HostKeyAlgorithms appropriately
 	}
 
 	overrideConfig(c.config, config)
diff --git a/vendor/github.com/go-git/go-git/v5/remote.go b/vendor/github.com/go-git/go-git/v5/remote.go
index e2c734e7..73081279 100644
--- a/vendor/github.com/go-git/go-git/v5/remote.go
+++ b/vendor/github.com/go-git/go-git/v5/remote.go
@@ -114,7 +114,7 @@ func (r *Remote) PushContext(ctx context.Context, o *PushOptions) (err error) {
 		o.RemoteURL = r.c.URLs[len(r.c.URLs)-1]
 	}
 
-	s, err := newSendPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.CABundle, o.ProxyOptions)
+	s, err := newSendPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.ClientCert, o.ClientKey, o.CABundle, o.ProxyOptions)
 	if err != nil {
 		return err
 	}
@@ -416,7 +416,7 @@ func (r *Remote) fetch(ctx context.Context, o *FetchOptions) (sto storer.Referen
 		o.RemoteURL = r.c.URLs[0]
 	}
 
-	s, err := newUploadPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.CABundle, o.ProxyOptions)
+	s, err := newUploadPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.ClientCert, o.ClientKey, o.CABundle, o.ProxyOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -532,8 +532,8 @@ func depthChanged(before []plumbing.Hash, s storage.Storer) (bool, error) {
 	return false, nil
 }
 
-func newUploadPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte, proxyOpts transport.ProxyOptions) (transport.UploadPackSession, error) {
-	c, ep, err := newClient(url, insecure, cabundle, proxyOpts)
+func newUploadPackSession(url string, auth transport.AuthMethod, insecure bool, clientCert, clientKey, caBundle []byte, proxyOpts transport.ProxyOptions) (transport.UploadPackSession, error) {
+	c, ep, err := newClient(url, insecure, clientCert, clientKey, caBundle, proxyOpts)
 	if err != nil {
 		return nil, err
 	}
@@ -541,8 +541,8 @@ func newUploadPackSession(url string, auth transport.AuthMethod, insecure bool,
 	return c.NewUploadPackSession(ep, auth)
 }
 
-func newSendPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte, proxyOpts transport.ProxyOptions) (transport.ReceivePackSession, error) {
-	c, ep, err := newClient(url, insecure, cabundle, proxyOpts)
+func newSendPackSession(url string, auth transport.AuthMethod, insecure bool, clientCert, clientKey, caBundle []byte, proxyOpts transport.ProxyOptions) (transport.ReceivePackSession, error) {
+	c, ep, err := newClient(url, insecure, clientCert, clientKey, caBundle, proxyOpts)
 	if err != nil {
 		return nil, err
 	}
@@ -550,13 +550,15 @@ func newSendPackSession(url string, auth transport.AuthMethod, insecure bool, ca
 	return c.NewReceivePackSession(ep, auth)
 }
 
-func newClient(url string, insecure bool, cabundle []byte, proxyOpts transport.ProxyOptions) (transport.Transport, *transport.Endpoint, error) {
+func newClient(url string, insecure bool, clientCert, clientKey, caBundle []byte, proxyOpts transport.ProxyOptions) (transport.Transport, *transport.Endpoint, error) {
 	ep, err := transport.NewEndpoint(url)
 	if err != nil {
 		return nil, nil, err
 	}
 	ep.InsecureSkipTLS = insecure
-	ep.CaBundle = cabundle
+	ep.ClientCert = clientCert
+	ep.ClientKey = clientKey
+	ep.CaBundle = caBundle
 	ep.Proxy = proxyOpts
 
 	c, err := client.NewClient(ep)
@@ -1356,7 +1358,7 @@ func (r *Remote) list(ctx context.Context, o *ListOptions) (rfs []*plumbing.Refe
 		return nil, ErrEmptyUrls
 	}
 
-	s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle, o.ProxyOptions)
+	s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.ClientCert, o.ClientKey, o.CABundle, o.ProxyOptions)
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/go-git/go-git/v5/repository.go b/vendor/github.com/go-git/go-git/v5/repository.go
index 200098e7..40159054 100644
--- a/vendor/github.com/go-git/go-git/v5/repository.go
+++ b/vendor/github.com/go-git/go-git/v5/repository.go
@@ -19,6 +19,7 @@ import (
 	"github.com/go-git/go-billy/v5"
 	"github.com/go-git/go-billy/v5/osfs"
 	"github.com/go-git/go-billy/v5/util"
+
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/internal/path_util"
 	"github.com/go-git/go-git/v5/internal/revision"
@@ -930,6 +931,8 @@ func (r *Repository) clone(ctx context.Context, o *CloneOptions) error {
 		Tags:            o.Tags,
 		RemoteName:      o.RemoteName,
 		InsecureSkipTLS: o.InsecureSkipTLS,
+		ClientCert:      o.ClientCert,
+		ClientKey:       o.ClientKey,
 		CABundle:        o.CABundle,
 		ProxyOptions:    o.ProxyOptions,
 	}, o.ReferenceName)
diff --git a/vendor/github.com/go-git/go-git/v5/utils/merkletrie/change.go b/vendor/github.com/go-git/go-git/v5/utils/merkletrie/change.go
index 450feb4b..d32b5a7d 100644
--- a/vendor/github.com/go-git/go-git/v5/utils/merkletrie/change.go
+++ b/vendor/github.com/go-git/go-git/v5/utils/merkletrie/change.go
@@ -131,7 +131,9 @@ func (l *Changes) addRecursive(root noder.Path, ctor noderToChangeFn) error {
 	}
 
 	if !root.IsDir() {
-		l.Add(ctor(root))
+		if !root.Skip() {
+			l.Add(ctor(root))
+		}
 		return nil
 	}
 
@@ -148,7 +150,7 @@ func (l *Changes) addRecursive(root noder.Path, ctor noderToChangeFn) error {
 			}
 			return err
 		}
-		if current.IsDir() {
+		if current.IsDir() || current.Skip() {
 			continue
 		}
 		l.Add(ctor(current))
diff --git a/vendor/github.com/go-git/go-git/v5/utils/merkletrie/difftree.go b/vendor/github.com/go-git/go-git/v5/utils/merkletrie/difftree.go
index 4ef2d990..7fc8d02d 100644
--- a/vendor/github.com/go-git/go-git/v5/utils/merkletrie/difftree.go
+++ b/vendor/github.com/go-git/go-git/v5/utils/merkletrie/difftree.go
@@ -297,18 +297,16 @@ func DiffTreeContext(ctx context.Context, fromTree, toTree noder.Noder,
 		case noMoreNoders:
 			return ret, nil
 		case onlyFromRemains:
-			if err = ret.AddRecursiveDelete(from); err != nil {
-				return nil, err
+			if !from.Skip() {
+				if err = ret.AddRecursiveDelete(from); err != nil {
+					return nil, err
+				}
 			}
 			if err = ii.nextFrom(); err != nil {
 				return nil, err
 			}
 		case onlyToRemains:
-			if to.Skip() {
-				if err = ret.AddRecursiveDelete(to); err != nil {
-					return nil, err
-				}
-			} else {
+			if !to.Skip() {
 				if err = ret.AddRecursiveInsert(to); err != nil {
 					return nil, err
 				}
@@ -317,26 +315,25 @@ func DiffTreeContext(ctx context.Context, fromTree, toTree noder.Noder,
 				return nil, err
 			}
 		case bothHaveNodes:
-			if from.Skip() {
-				if err = ret.AddRecursiveDelete(from); err != nil {
-					return nil, err
+			var err error
+			switch {
+			case from.Skip():
+				if from.Name() == to.Name() {
+					err = ii.nextBoth()
+				} else {
+					err = ii.nextFrom()
 				}
-				if err := ii.nextBoth(); err != nil {
-					return nil, err
+			case to.Skip():
+				if from.Name() == to.Name() {
+					err = ii.nextBoth()
+				} else {
+					err = ii.nextTo()
 				}
-				break
-			}
-			if to.Skip() {
-				if err = ret.AddRecursiveDelete(to); err != nil {
-					return nil, err
-				}
-				if err := ii.nextBoth(); err != nil {
-					return nil, err
-				}
-				break
+			default:
+				err = diffNodes(&ret, ii)
 			}
 
-			if err = diffNodes(&ret, ii); err != nil {
+			if err != nil {
 				return nil, err
 			}
 		default:
diff --git a/vendor/github.com/go-git/go-git/v5/utils/merkletrie/index/node.go b/vendor/github.com/go-git/go-git/v5/utils/merkletrie/index/node.go
index c1809f7e..5bc63f8b 100644
--- a/vendor/github.com/go-git/go-git/v5/utils/merkletrie/index/node.go
+++ b/vendor/github.com/go-git/go-git/v5/utils/merkletrie/index/node.go
@@ -36,7 +36,15 @@ func NewRootNode(idx *index.Index) noder.Noder {
 			parent := fullpath
 			fullpath = path.Join(fullpath, part)
 
-			if _, ok := m[fullpath]; ok {
+			// It's possible that the first occurrence of subdirectory is skipped.
+			// The parent node can be created with SkipWorktree set to true, but
+			// if any future children do not skip their subtree, the entire lineage
+			// of the tree needs to have this value set to false so that subdirectories
+			// are not ignored.
+			if parentNode, ok := m[fullpath]; ok {
+				if e.SkipWorktree == false {
+					parentNode.skip = false
+				}
 				continue
 			}
 
diff --git a/vendor/github.com/go-git/go-git/v5/worktree.go b/vendor/github.com/go-git/go-git/v5/worktree.go
index dded08e9..479904e0 100644
--- a/vendor/github.com/go-git/go-git/v5/worktree.go
+++ b/vendor/github.com/go-git/go-git/v5/worktree.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/go-git/go-billy/v5"
 	"github.com/go-git/go-billy/v5/util"
+
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/filemode"
@@ -79,6 +80,8 @@ func (w *Worktree) PullContext(ctx context.Context, o *PullOptions) error {
 		Progress:        o.Progress,
 		Force:           o.Force,
 		InsecureSkipTLS: o.InsecureSkipTLS,
+		ClientCert:      o.ClientCert,
+		ClientKey:       o.ClientKey,
 		CABundle:        o.CABundle,
 		ProxyOptions:    o.ProxyOptions,
 	})
diff --git a/vendor/github.com/go-logr/logr/.golangci.yaml b/vendor/github.com/go-logr/logr/.golangci.yaml
index 0cffafa7..0ed62c1a 100644
--- a/vendor/github.com/go-logr/logr/.golangci.yaml
+++ b/vendor/github.com/go-logr/logr/.golangci.yaml
@@ -1,26 +1,28 @@
+version: "2"
+
 run:
   timeout: 1m
   tests: true
 
 linters:
-  disable-all: true
-  enable:
+  default: none
+  enable: # please keep this alphabetized
+    - asasalint
     - asciicheck
+    - copyloopvar
+    - dupl
     - errcheck
     - forcetypeassert
+    - goconst
     - gocritic
-    - gofmt
-    - goimports
-    - gosimple
     - govet
     - ineffassign
     - misspell
+    - musttag
     - revive
     - staticcheck
-    - typecheck
     - unused
 
 issues:
-  exclude-use-default: false
   max-issues-per-linter: 0
   max-same-issues: 10
diff --git a/vendor/github.com/go-logr/logr/funcr/funcr.go b/vendor/github.com/go-logr/logr/funcr/funcr.go
index 30568e76..b22c57d7 100644
--- a/vendor/github.com/go-logr/logr/funcr/funcr.go
+++ b/vendor/github.com/go-logr/logr/funcr/funcr.go
@@ -77,7 +77,7 @@ func newSink(fn func(prefix, args string), formatter Formatter) logr.LogSink {
 		write:     fn,
 	}
 	// For skipping fnlogger.Info and fnlogger.Error.
-	l.Formatter.AddCallDepth(1)
+	l.AddCallDepth(1) // via Formatter
 	return l
 }
 
@@ -164,17 +164,17 @@ type fnlogger struct {
 }
 
 func (l fnlogger) WithName(name string) logr.LogSink {
-	l.Formatter.AddName(name)
+	l.AddName(name) // via Formatter
 	return &l
 }
 
 func (l fnlogger) WithValues(kvList ...any) logr.LogSink {
-	l.Formatter.AddValues(kvList)
+	l.AddValues(kvList) // via Formatter
 	return &l
 }
 
 func (l fnlogger) WithCallDepth(depth int) logr.LogSink {
-	l.Formatter.AddCallDepth(depth)
+	l.AddCallDepth(depth) // via Formatter
 	return &l
 }
 
diff --git a/vendor/github.com/go-viper/mapstructure/v2/.editorconfig b/vendor/github.com/go-viper/mapstructure/v2/.editorconfig
index 1f664d13..faef0c91 100644
--- a/vendor/github.com/go-viper/mapstructure/v2/.editorconfig
+++ b/vendor/github.com/go-viper/mapstructure/v2/.editorconfig
@@ -16,3 +16,6 @@ indent_style = tab
 
 [*.nix]
 indent_size = 2
+
+[.golangci.yaml]
+indent_size = 2
diff --git a/vendor/github.com/go-viper/mapstructure/v2/.golangci.yaml b/vendor/github.com/go-viper/mapstructure/v2/.golangci.yaml
index 763143aa..bda96256 100644
--- a/vendor/github.com/go-viper/mapstructure/v2/.golangci.yaml
+++ b/vendor/github.com/go-viper/mapstructure/v2/.golangci.yaml
@@ -1,23 +1,48 @@
-run:
-  timeout: 5m
+version: "2"
 
-linters-settings:
-  gci:
-    sections:
-      - standard
-      - default
-      - prefix(github.com/go-viper/mapstructure)
-  golint:
-    min-confidence: 0
-  goimports:
-    local-prefixes: github.com/go-viper/maptstructure
+run:
+  timeout: 10m
 
 linters:
-  disable-all: true
+  enable:
+    - govet
+    - ineffassign
+    # - misspell
+    - nolintlint
+    # - revive
+
+  disable:
+    - errcheck
+    - staticcheck
+    - unused
+
+  settings:
+    misspell:
+      locale: US
+    nolintlint:
+      allow-unused: false # report any unused nolint directives
+      require-specific: false # don't require nolint directives to be specific about which linter is being skipped
+
+formatters:
   enable:
     - gci
     - gofmt
     - gofumpt
     - goimports
-    - staticcheck
-    # - stylecheck
+    # - golines
+
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - localmodule
+    gofmt:
+      simplify: true
+      rewrite-rules:
+        - pattern: interface{}
+          replacement: any
+
+  exclusions:
+    paths:
+      - internal/
diff --git a/vendor/github.com/go-viper/mapstructure/v2/README.md b/vendor/github.com/go-viper/mapstructure/v2/README.md
index dd5ec69d..45db7197 100644
--- a/vendor/github.com/go-viper/mapstructure/v2/README.md
+++ b/vendor/github.com/go-viper/mapstructure/v2/README.md
@@ -1,8 +1,9 @@
 # mapstructure
 
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/go-viper/mapstructure/ci.yaml?branch=main&style=flat-square)](https://github.com/go-viper/mapstructure/actions?query=workflow%3ACI)
+[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/go-viper/mapstructure/ci.yaml?style=flat-square)](https://github.com/go-viper/mapstructure/actions/workflows/ci.yaml)
 [![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/mod/github.com/go-viper/mapstructure/v2)
-![Go Version](https://img.shields.io/badge/go%20version-%3E=1.18-61CFDD.svg?style=flat-square)
+![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/go-viper/mapstructure?style=flat-square&color=61CFDD)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/go-viper/mapstructure/badge?style=flat-square)](https://deps.dev/go/github.com%252Fgo-viper%252Fmapstructure%252Fv2)
 
 mapstructure is a Go library for decoding generic map values to structures
 and vice versa, while providing helpful error handling.
@@ -29,7 +30,7 @@ The API is the same, so you don't need to change anything else.
 Here is a script that can help you with the migration:
 
 ```shell
-sed -i 's/github.com\/mitchellh\/mapstructure/github.com\/go-viper\/mapstructure\/v2/g' $(find . -type f -name '*.go')
+sed -i 's|github.com/mitchellh/mapstructure|github.com/go-viper/mapstructure/v2|g' $(find . -type f -name '*.go')
 ```
 
 If you need more time to migrate your code, that is absolutely fine.
diff --git a/vendor/github.com/go-viper/mapstructure/v2/decode_hooks.go b/vendor/github.com/go-viper/mapstructure/v2/decode_hooks.go
index 1f3c69d4..a852a0a0 100644
--- a/vendor/github.com/go-viper/mapstructure/v2/decode_hooks.go
+++ b/vendor/github.com/go-viper/mapstructure/v2/decode_hooks.go
@@ -13,7 +13,7 @@ import (
 	"time"
 )
 
-// typedDecodeHook takes a raw DecodeHookFunc (an interface{}) and turns
+// typedDecodeHook takes a raw DecodeHookFunc (an any) and turns
 // it into the proper DecodeHookFunc type, such as DecodeHookFuncType.
 func typedDecodeHook(h DecodeHookFunc) DecodeHookFunc {
 	// Create variables here so we can reference them with the reflect pkg
@@ -23,7 +23,7 @@ func typedDecodeHook(h DecodeHookFunc) DecodeHookFunc {
 
 	// Fill in the variables into this interface and the rest is done
 	// automatically using the reflect package.
-	potential := []interface{}{f1, f2, f3}
+	potential := []any{f1, f2, f3}
 
 	v := reflect.ValueOf(h)
 	vt := v.Type()
@@ -37,25 +37,25 @@ func typedDecodeHook(h DecodeHookFunc) DecodeHookFunc {
 	return nil
 }
 
-// cachedDecodeHook takes a raw DecodeHookFunc (an interface{}) and turns
+// cachedDecodeHook takes a raw DecodeHookFunc (an any) and turns
 // it into a closure to be used directly
 // if the type fails to convert we return a closure always erroring to keep the previous behaviour
-func cachedDecodeHook(raw DecodeHookFunc) func(from reflect.Value, to reflect.Value) (interface{}, error) {
+func cachedDecodeHook(raw DecodeHookFunc) func(from reflect.Value, to reflect.Value) (any, error) {
 	switch f := typedDecodeHook(raw).(type) {
 	case DecodeHookFuncType:
-		return func(from reflect.Value, to reflect.Value) (interface{}, error) {
+		return func(from reflect.Value, to reflect.Value) (any, error) {
 			return f(from.Type(), to.Type(), from.Interface())
 		}
 	case DecodeHookFuncKind:
-		return func(from reflect.Value, to reflect.Value) (interface{}, error) {
+		return func(from reflect.Value, to reflect.Value) (any, error) {
 			return f(from.Kind(), to.Kind(), from.Interface())
 		}
 	case DecodeHookFuncValue:
-		return func(from reflect.Value, to reflect.Value) (interface{}, error) {
+		return func(from reflect.Value, to reflect.Value) (any, error) {
 			return f(from, to)
 		}
 	default:
-		return func(from reflect.Value, to reflect.Value) (interface{}, error) {
+		return func(from reflect.Value, to reflect.Value) (any, error) {
 			return nil, errors.New("invalid decode hook signature")
 		}
 	}
@@ -67,7 +67,7 @@ func cachedDecodeHook(raw DecodeHookFunc) func(from reflect.Value, to reflect.Va
 func DecodeHookExec(
 	raw DecodeHookFunc,
 	from reflect.Value, to reflect.Value,
-) (interface{}, error) {
+) (any, error) {
 	switch f := typedDecodeHook(raw).(type) {
 	case DecodeHookFuncType:
 		return f(from.Type(), to.Type(), from.Interface())
@@ -86,11 +86,11 @@ func DecodeHookExec(
 // The composed funcs are called in order, with the result of the
 // previous transformation.
 func ComposeDecodeHookFunc(fs ...DecodeHookFunc) DecodeHookFunc {
-	cached := make([]func(from reflect.Value, to reflect.Value) (interface{}, error), 0, len(fs))
+	cached := make([]func(from reflect.Value, to reflect.Value) (any, error), 0, len(fs))
 	for _, f := range fs {
 		cached = append(cached, cachedDecodeHook(f))
 	}
-	return func(f reflect.Value, t reflect.Value) (interface{}, error) {
+	return func(f reflect.Value, t reflect.Value) (any, error) {
 		var err error
 		data := f.Interface()
 
@@ -100,7 +100,11 @@ func ComposeDecodeHookFunc(fs ...DecodeHookFunc) DecodeHookFunc {
 			if err != nil {
 				return nil, err
 			}
-			newFrom = reflect.ValueOf(data)
+			if v, ok := data.(reflect.Value); ok {
+				newFrom = v
+			} else {
+				newFrom = reflect.ValueOf(data)
+			}
 		}
 
 		return data, nil
@@ -110,13 +114,13 @@ func ComposeDecodeHookFunc(fs ...DecodeHookFunc) DecodeHookFunc {
 // OrComposeDecodeHookFunc executes all input hook functions until one of them returns no error. In that case its value is returned.
 // If all hooks return an error, OrComposeDecodeHookFunc returns an error concatenating all error messages.
 func OrComposeDecodeHookFunc(ff ...DecodeHookFunc) DecodeHookFunc {
-	cached := make([]func(from reflect.Value, to reflect.Value) (interface{}, error), 0, len(ff))
+	cached := make([]func(from reflect.Value, to reflect.Value) (any, error), 0, len(ff))
 	for _, f := range ff {
 		cached = append(cached, cachedDecodeHook(f))
 	}
-	return func(a, b reflect.Value) (interface{}, error) {
+	return func(a, b reflect.Value) (any, error) {
 		var allErrs string
-		var out interface{}
+		var out any
 		var err error
 
 		for _, c := range cached {
@@ -139,8 +143,8 @@ func StringToSliceHookFunc(sep string) DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -157,14 +161,37 @@ func StringToSliceHookFunc(sep string) DecodeHookFunc {
 	}
 }
 
+// StringToWeakSliceHookFunc brings back the old (pre-v2) behavior of [StringToSliceHookFunc].
+//
+// As of mapstructure v2.0.0 [StringToSliceHookFunc] checks if the return type is a string slice.
+// This function removes that check.
+func StringToWeakSliceHookFunc(sep string) DecodeHookFunc {
+	return func(
+		f reflect.Type,
+		t reflect.Type,
+		data any,
+	) (any, error) {
+		if f.Kind() != reflect.String || t.Kind() != reflect.Slice {
+			return data, nil
+		}
+
+		raw := data.(string)
+		if raw == "" {
+			return []string{}, nil
+		}
+
+		return strings.Split(raw, sep), nil
+	}
+}
+
 // StringToTimeDurationHookFunc returns a DecodeHookFunc that converts
 // strings to time.Duration.
 func StringToTimeDurationHookFunc() DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -173,7 +200,29 @@ func StringToTimeDurationHookFunc() DecodeHookFunc {
 		}
 
 		// Convert it by parsing
-		return time.ParseDuration(data.(string))
+		d, err := time.ParseDuration(data.(string))
+
+		return d, wrapTimeParseDurationError(err)
+	}
+}
+
+// StringToTimeLocationHookFunc returns a DecodeHookFunc that converts
+// strings to *time.Location.
+func StringToTimeLocationHookFunc() DecodeHookFunc {
+	return func(
+		f reflect.Type,
+		t reflect.Type,
+		data any,
+	) (any, error) {
+		if f.Kind() != reflect.String {
+			return data, nil
+		}
+		if t != reflect.TypeOf(time.Local) {
+			return data, nil
+		}
+		d, err := time.LoadLocation(data.(string))
+
+		return d, wrapTimeParseLocationError(err)
 	}
 }
 
@@ -183,8 +232,8 @@ func StringToURLHookFunc() DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -193,7 +242,9 @@ func StringToURLHookFunc() DecodeHookFunc {
 		}
 
 		// Convert it by parsing
-		return url.Parse(data.(string))
+		u, err := url.Parse(data.(string))
+
+		return u, wrapUrlError(err)
 	}
 }
 
@@ -203,8 +254,8 @@ func StringToIPHookFunc() DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -215,7 +266,7 @@ func StringToIPHookFunc() DecodeHookFunc {
 		// Convert it by parsing
 		ip := net.ParseIP(data.(string))
 		if ip == nil {
-			return net.IP{}, fmt.Errorf("failed parsing ip %v", data)
+			return net.IP{}, fmt.Errorf("failed parsing ip")
 		}
 
 		return ip, nil
@@ -228,8 +279,8 @@ func StringToIPNetHookFunc() DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -239,7 +290,7 @@ func StringToIPNetHookFunc() DecodeHookFunc {
 
 		// Convert it by parsing
 		_, net, err := net.ParseCIDR(data.(string))
-		return net, err
+		return net, wrapNetParseError(err)
 	}
 }
 
@@ -249,8 +300,8 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -259,7 +310,9 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc {
 		}
 
 		// Convert it by parsing
-		return time.Parse(layout, data.(string))
+		ti, err := time.Parse(layout, data.(string))
+
+		return ti, wrapTimeParseError(err)
 	}
 }
 
@@ -271,8 +324,8 @@ func StringToTimeHookFunc(layout string) DecodeHookFunc {
 func WeaklyTypedHook(
 	f reflect.Kind,
 	t reflect.Kind,
-	data interface{},
-) (interface{}, error) {
+	data any,
+) (any, error) {
 	dataVal := reflect.ValueOf(data)
 	switch t {
 	case reflect.String:
@@ -301,17 +354,17 @@ func WeaklyTypedHook(
 }
 
 func RecursiveStructToMapHookFunc() DecodeHookFunc {
-	return func(f reflect.Value, t reflect.Value) (interface{}, error) {
+	return func(f reflect.Value, t reflect.Value) (any, error) {
 		if f.Kind() != reflect.Struct {
 			return f.Interface(), nil
 		}
 
-		var i interface{} = struct{}{}
+		var i any = struct{}{}
 		if t.Type() != reflect.TypeOf(&i).Elem() {
 			return f.Interface(), nil
 		}
 
-		m := make(map[string]interface{})
+		m := make(map[string]any)
 		t.Set(reflect.ValueOf(m))
 
 		return f.Interface(), nil
@@ -325,8 +378,8 @@ func TextUnmarshallerHookFunc() DecodeHookFuncType {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -352,8 +405,8 @@ func StringToNetIPAddrHookFunc() DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -362,7 +415,9 @@ func StringToNetIPAddrHookFunc() DecodeHookFunc {
 		}
 
 		// Convert it by parsing
-		return netip.ParseAddr(data.(string))
+		addr, err := netip.ParseAddr(data.(string))
+
+		return addr, wrapNetIPParseAddrError(err)
 	}
 }
 
@@ -372,8 +427,8 @@ func StringToNetIPAddrPortHookFunc() DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{},
-	) (interface{}, error) {
+		data any,
+	) (any, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -382,7 +437,31 @@ func StringToNetIPAddrPortHookFunc() DecodeHookFunc {
 		}
 
 		// Convert it by parsing
-		return netip.ParseAddrPort(data.(string))
+		addrPort, err := netip.ParseAddrPort(data.(string))
+
+		return addrPort, wrapNetIPParseAddrPortError(err)
+	}
+}
+
+// StringToNetIPPrefixHookFunc returns a DecodeHookFunc that converts
+// strings to netip.Prefix.
+func StringToNetIPPrefixHookFunc() DecodeHookFunc {
+	return func(
+		f reflect.Type,
+		t reflect.Type,
+		data any,
+	) (any, error) {
+		if f.Kind() != reflect.String {
+			return data, nil
+		}
+		if t != reflect.TypeOf(netip.Prefix{}) {
+			return data, nil
+		}
+
+		// Convert it by parsing
+		prefix, err := netip.ParsePrefix(data.(string))
+
+		return prefix, wrapNetIPParsePrefixError(err)
 	}
 }
 
@@ -415,178 +494,182 @@ func StringToBasicTypeHookFunc() DecodeHookFunc {
 // StringToInt8HookFunc returns a DecodeHookFunc that converts
 // strings to int8.
 func StringToInt8HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Int8 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		i64, err := strconv.ParseInt(data.(string), 0, 8)
-		return int8(i64), err
+		return int8(i64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToUint8HookFunc returns a DecodeHookFunc that converts
 // strings to uint8.
 func StringToUint8HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Uint8 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		u64, err := strconv.ParseUint(data.(string), 0, 8)
-		return uint8(u64), err
+		return uint8(u64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToInt16HookFunc returns a DecodeHookFunc that converts
 // strings to int16.
 func StringToInt16HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Int16 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		i64, err := strconv.ParseInt(data.(string), 0, 16)
-		return int16(i64), err
+		return int16(i64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToUint16HookFunc returns a DecodeHookFunc that converts
 // strings to uint16.
 func StringToUint16HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Uint16 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		u64, err := strconv.ParseUint(data.(string), 0, 16)
-		return uint16(u64), err
+		return uint16(u64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToInt32HookFunc returns a DecodeHookFunc that converts
 // strings to int32.
 func StringToInt32HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Int32 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		i64, err := strconv.ParseInt(data.(string), 0, 32)
-		return int32(i64), err
+		return int32(i64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToUint32HookFunc returns a DecodeHookFunc that converts
 // strings to uint32.
 func StringToUint32HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Uint32 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		u64, err := strconv.ParseUint(data.(string), 0, 32)
-		return uint32(u64), err
+		return uint32(u64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToInt64HookFunc returns a DecodeHookFunc that converts
 // strings to int64.
 func StringToInt64HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Int64 {
 			return data, nil
 		}
 
 		// Convert it by parsing
-		return strconv.ParseInt(data.(string), 0, 64)
+		i64, err := strconv.ParseInt(data.(string), 0, 64)
+		return int64(i64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToUint64HookFunc returns a DecodeHookFunc that converts
 // strings to uint64.
 func StringToUint64HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Uint64 {
 			return data, nil
 		}
 
 		// Convert it by parsing
-		return strconv.ParseUint(data.(string), 0, 64)
+		u64, err := strconv.ParseUint(data.(string), 0, 64)
+		return uint64(u64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToIntHookFunc returns a DecodeHookFunc that converts
 // strings to int.
 func StringToIntHookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Int {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		i64, err := strconv.ParseInt(data.(string), 0, 0)
-		return int(i64), err
+		return int(i64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToUintHookFunc returns a DecodeHookFunc that converts
 // strings to uint.
 func StringToUintHookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Uint {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		u64, err := strconv.ParseUint(data.(string), 0, 0)
-		return uint(u64), err
+		return uint(u64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToFloat32HookFunc returns a DecodeHookFunc that converts
 // strings to float32.
 func StringToFloat32HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Float32 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		f64, err := strconv.ParseFloat(data.(string), 32)
-		return float32(f64), err
+		return float32(f64), wrapStrconvNumError(err)
 	}
 }
 
 // StringToFloat64HookFunc returns a DecodeHookFunc that converts
 // strings to float64.
 func StringToFloat64HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Float64 {
 			return data, nil
 		}
 
 		// Convert it by parsing
-		return strconv.ParseFloat(data.(string), 64)
+		f64, err := strconv.ParseFloat(data.(string), 64)
+		return f64, wrapStrconvNumError(err)
 	}
 }
 
 // StringToBoolHookFunc returns a DecodeHookFunc that converts
 // strings to bool.
 func StringToBoolHookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Bool {
 			return data, nil
 		}
 
 		// Convert it by parsing
-		return strconv.ParseBool(data.(string))
+		b, err := strconv.ParseBool(data.(string))
+		return b, wrapStrconvNumError(err)
 	}
 }
 
@@ -605,26 +688,27 @@ func StringToRuneHookFunc() DecodeHookFunc {
 // StringToComplex64HookFunc returns a DecodeHookFunc that converts
 // strings to complex64.
 func StringToComplex64HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Complex64 {
 			return data, nil
 		}
 
 		// Convert it by parsing
 		c128, err := strconv.ParseComplex(data.(string), 64)
-		return complex64(c128), err
+		return complex64(c128), wrapStrconvNumError(err)
 	}
 }
 
 // StringToComplex128HookFunc returns a DecodeHookFunc that converts
 // strings to complex128.
 func StringToComplex128HookFunc() DecodeHookFunc {
-	return func(f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) {
+	return func(f reflect.Type, t reflect.Type, data any) (any, error) {
 		if f.Kind() != reflect.String || t.Kind() != reflect.Complex128 {
 			return data, nil
 		}
 
 		// Convert it by parsing
-		return strconv.ParseComplex(data.(string), 128)
+		c128, err := strconv.ParseComplex(data.(string), 128)
+		return c128, wrapStrconvNumError(err)
 	}
 }
diff --git a/vendor/github.com/go-viper/mapstructure/v2/errors.go b/vendor/github.com/go-viper/mapstructure/v2/errors.go
new file mode 100644
index 00000000..07d31c22
--- /dev/null
+++ b/vendor/github.com/go-viper/mapstructure/v2/errors.go
@@ -0,0 +1,244 @@
+package mapstructure
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// Error interface is implemented by all errors emitted by mapstructure.
+//
+// Use [errors.As] to check if an error implements this interface.
+type Error interface {
+	error
+
+	mapstructure()
+}
+
+// DecodeError is a generic error type that holds information about
+// a decoding error together with the name of the field that caused the error.
+type DecodeError struct {
+	name string
+	err  error
+}
+
+func newDecodeError(name string, err error) *DecodeError {
+	return &DecodeError{
+		name: name,
+		err:  err,
+	}
+}
+
+func (e *DecodeError) Name() string {
+	return e.name
+}
+
+func (e *DecodeError) Unwrap() error {
+	return e.err
+}
+
+func (e *DecodeError) Error() string {
+	return fmt.Sprintf("'%s' %s", e.name, e.err)
+}
+
+func (*DecodeError) mapstructure() {}
+
+// ParseError is an error type that indicates a value could not be parsed
+// into the expected type.
+type ParseError struct {
+	Expected reflect.Value
+	Value    any
+	Err      error
+}
+
+func (e *ParseError) Error() string {
+	return fmt.Sprintf("cannot parse value as '%s': %s", e.Expected.Type(), e.Err)
+}
+
+func (*ParseError) mapstructure() {}
+
+// UnconvertibleTypeError is an error type that indicates a value could not be
+// converted to the expected type.
+type UnconvertibleTypeError struct {
+	Expected reflect.Value
+	Value    any
+}
+
+func (e *UnconvertibleTypeError) Error() string {
+	return fmt.Sprintf(
+		"expected type '%s', got unconvertible type '%s'",
+		e.Expected.Type(),
+		reflect.TypeOf(e.Value),
+	)
+}
+
+func (*UnconvertibleTypeError) mapstructure() {}
+
+func wrapStrconvNumError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if err, ok := err.(*strconv.NumError); ok {
+		return &strconvNumError{Err: err}
+	}
+
+	return err
+}
+
+type strconvNumError struct {
+	Err *strconv.NumError
+}
+
+func (e *strconvNumError) Error() string {
+	return "strconv." + e.Err.Func + ": " + e.Err.Err.Error()
+}
+
+func (e *strconvNumError) Unwrap() error { return e.Err }
+
+func wrapUrlError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if err, ok := err.(*url.Error); ok {
+		return &urlError{Err: err}
+	}
+
+	return err
+}
+
+type urlError struct {
+	Err *url.Error
+}
+
+func (e *urlError) Error() string {
+	return fmt.Sprintf("%s", e.Err.Err)
+}
+
+func (e *urlError) Unwrap() error { return e.Err }
+
+func wrapNetParseError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if err, ok := err.(*net.ParseError); ok {
+		return &netParseError{Err: err}
+	}
+
+	return err
+}
+
+type netParseError struct {
+	Err *net.ParseError
+}
+
+func (e *netParseError) Error() string {
+	return "invalid " + e.Err.Type
+}
+
+func (e *netParseError) Unwrap() error { return e.Err }
+
+func wrapTimeParseError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if err, ok := err.(*time.ParseError); ok {
+		return &timeParseError{Err: err}
+	}
+
+	return err
+}
+
+type timeParseError struct {
+	Err *time.ParseError
+}
+
+func (e *timeParseError) Error() string {
+	if e.Err.Message == "" {
+		return fmt.Sprintf("parsing time as %q: cannot parse as %q", e.Err.Layout, e.Err.LayoutElem)
+	}
+
+	return "parsing time " + e.Err.Message
+}
+
+func (e *timeParseError) Unwrap() error { return e.Err }
+
+func wrapNetIPParseAddrError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if errMsg := err.Error(); strings.HasPrefix(errMsg, "ParseAddr") {
+		errPieces := strings.Split(errMsg, ": ")
+
+		return fmt.Errorf("ParseAddr: %s", errPieces[len(errPieces)-1])
+	}
+
+	return err
+}
+
+func wrapNetIPParseAddrPortError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	errMsg := err.Error()
+	if strings.HasPrefix(errMsg, "invalid port ") {
+		return errors.New("invalid port")
+	} else if strings.HasPrefix(errMsg, "invalid ip:port ") {
+		return errors.New("invalid ip:port")
+	}
+
+	return err
+}
+
+func wrapNetIPParsePrefixError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if errMsg := err.Error(); strings.HasPrefix(errMsg, "netip.ParsePrefix") {
+		errPieces := strings.Split(errMsg, ": ")
+
+		return fmt.Errorf("netip.ParsePrefix: %s", errPieces[len(errPieces)-1])
+	}
+
+	return err
+}
+
+func wrapTimeParseDurationError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	errMsg := err.Error()
+	if strings.HasPrefix(errMsg, "time: unknown unit ") {
+		return errors.New("time: unknown unit")
+	} else if strings.HasPrefix(errMsg, "time: ") {
+		idx := strings.LastIndex(errMsg, " ")
+
+		return errors.New(errMsg[:idx])
+	}
+
+	return err
+}
+
+func wrapTimeParseLocationError(err error) error {
+	if err == nil {
+		return nil
+	}
+	errMsg := err.Error()
+	if strings.Contains(errMsg, "unknown time zone") || strings.HasPrefix(errMsg, "time: unknown format") {
+		return fmt.Errorf("invalid time zone format: %w", err)
+	}
+
+	return err
+}
diff --git a/vendor/github.com/go-viper/mapstructure/v2/flake.lock b/vendor/github.com/go-viper/mapstructure/v2/flake.lock
index 4bea8154..5e67bdd6 100644
--- a/vendor/github.com/go-viper/mapstructure/v2/flake.lock
+++ b/vendor/github.com/go-viper/mapstructure/v2/flake.lock
@@ -2,30 +2,28 @@
   "nodes": {
     "cachix": {
       "inputs": {
-        "devenv": "devenv_2",
+        "devenv": [
+          "devenv"
+        ],
         "flake-compat": [
-          "devenv",
-          "flake-compat"
+          "devenv"
         ],
-        "nixpkgs": [
-          "devenv",
-          "nixpkgs"
+        "git-hooks": [
+          "devenv"
         ],
-        "pre-commit-hooks": [
-          "devenv",
-          "pre-commit-hooks"
-        ]
+        "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1712055811,
-        "narHash": "sha256-7FcfMm5A/f02yyzuavJe06zLa9hcMHsagE28ADcmQvk=",
+        "lastModified": 1742042642,
+        "narHash": "sha256-D0gP8srrX0qj+wNYNPdtVJsQuFzIng3q43thnHXQ/es=",
         "owner": "cachix",
         "repo": "cachix",
-        "rev": "02e38da89851ec7fec3356a5c04bc8349cae0e30",
+        "rev": "a624d3eaf4b1d225f918de8543ed739f2f574203",
         "type": "github"
       },
       "original": {
         "owner": "cachix",
+        "ref": "latest",
         "repo": "cachix",
         "type": "github"
       }
@@ -33,52 +31,21 @@
     "devenv": {
       "inputs": {
         "cachix": "cachix",
-        "flake-compat": "flake-compat_2",
-        "nix": "nix_2",
-        "nixpkgs": "nixpkgs_2",
-        "pre-commit-hooks": "pre-commit-hooks"
-      },
-      "locked": {
-        "lastModified": 1717245169,
-        "narHash": "sha256-+mW3rTBjGU8p1THJN0lX/Dd/8FbnF+3dB+mJuSaxewE=",
-        "owner": "cachix",
-        "repo": "devenv",
-        "rev": "c3f9f053c077c6f88a3de5276d9178c62baa3fc3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "devenv",
-        "type": "github"
-      }
-    },
-    "devenv_2": {
-      "inputs": {
-        "flake-compat": [
-          "devenv",
-          "cachix",
-          "flake-compat"
-        ],
+        "flake-compat": "flake-compat",
+        "git-hooks": "git-hooks",
         "nix": "nix",
-        "nixpkgs": "nixpkgs",
-        "poetry2nix": "poetry2nix",
-        "pre-commit-hooks": [
-          "devenv",
-          "cachix",
-          "pre-commit-hooks"
-        ]
+        "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1708704632,
-        "narHash": "sha256-w+dOIW60FKMaHI1q5714CSibk99JfYxm0CzTinYWr+Q=",
+        "lastModified": 1744876578,
+        "narHash": "sha256-8MTBj2REB8t29sIBLpxbR0+AEGJ7f+RkzZPAGsFd40c=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "2ee4450b0f4b95a1b90f2eb5ffea98b90e48c196",
+        "rev": "7ff7c351bba20d0615be25ecdcbcf79b57b85fe1",
         "type": "github"
       },
       "original": {
         "owner": "cachix",
-        "ref": "python-rewrite",
         "repo": "devenv",
         "type": "github"
       }
@@ -86,27 +53,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
         "type": "github"
       },
       "original": {
@@ -116,15 +67,37 @@
       }
     },
     "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "devenv",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712014858,
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1717285511,
-        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
         "type": "github"
       },
       "original": {
@@ -133,39 +106,28 @@
         "type": "github"
       }
     },
-    "flake-utils": {
+    "git-hooks": {
       "inputs": {
-        "systems": "systems"
+        "flake-compat": [
+          "devenv"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "devenv",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "lastModified": 1742649964,
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_2"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
         "type": "github"
       }
     },
@@ -173,7 +135,7 @@
       "inputs": {
         "nixpkgs": [
           "devenv",
-          "pre-commit-hooks",
+          "git-hooks",
           "nixpkgs"
         ]
       },
@@ -191,166 +153,109 @@
         "type": "github"
       }
     },
-    "nix": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": [
-          "devenv",
-          "cachix",
-          "devenv",
-          "nixpkgs"
-        ],
-        "nixpkgs-regression": "nixpkgs-regression"
-      },
+    "libgit2": {
+      "flake": false,
       "locked": {
-        "lastModified": 1712911606,
-        "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=",
-        "owner": "domenkozar",
-        "repo": "nix",
-        "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12",
+        "lastModified": 1697646580,
+        "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
+        "owner": "libgit2",
+        "repo": "libgit2",
+        "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
         "type": "github"
       },
       "original": {
-        "owner": "domenkozar",
-        "ref": "devenv-2.21",
-        "repo": "nix",
+        "owner": "libgit2",
+        "repo": "libgit2",
         "type": "github"
       }
     },
-    "nix-github-actions": {
+    "nix": {
       "inputs": {
-        "nixpkgs": [
-          "devenv",
-          "cachix",
-          "devenv",
-          "poetry2nix",
-          "nixpkgs"
+        "flake-compat": [
+          "devenv"
+        ],
+        "flake-parts": "flake-parts",
+        "libgit2": "libgit2",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-23-11": [
+          "devenv"
+        ],
+        "nixpkgs-regression": [
+          "devenv"
+        ],
+        "pre-commit-hooks": [
+          "devenv"
         ]
       },
       "locked": {
-        "lastModified": 1688870561,
-        "narHash": "sha256-4UYkifnPEw1nAzqqPOTL2MvWtm3sNGw1UTYTalkTcGY=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "165b1650b753316aa7f1787f3005a8d2da0f5301",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
-    "nix_2": {
-      "inputs": {
-        "flake-compat": [
-          "devenv",
-          "flake-compat"
-        ],
-        "nixpkgs": [
-          "devenv",
-          "nixpkgs"
-        ],
-        "nixpkgs-regression": "nixpkgs-regression_2"
-      },
-      "locked": {
-        "lastModified": 1712911606,
-        "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=",
+        "lastModified": 1741798497,
+        "narHash": "sha256-E3j+3MoY8Y96mG1dUIiLFm2tZmNbRvSiyN7CrSKuAVg=",
         "owner": "domenkozar",
         "repo": "nix",
-        "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12",
+        "rev": "f3f44b2baaf6c4c6e179de8cbb1cc6db031083cd",
         "type": "github"
       },
       "original": {
         "owner": "domenkozar",
-        "ref": "devenv-2.21",
+        "ref": "devenv-2.24",
         "repo": "nix",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1692808169,
-        "narHash": "sha256-x9Opq06rIiwdwGeK2Ykj69dNc2IvUH1fY55Wm7atwrE=",
+        "lastModified": 1733212471,
+        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9201b5ff357e781bf014d0330d18555695df7ba8",
+        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1717284937,
-        "narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
-      }
-    },
-    "nixpkgs-regression": {
-      "locked": {
-        "lastModified": 1643052045,
-        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "lastModified": 1743296961,
+        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
-        "type": "github"
-      }
-    },
-    "nixpkgs-regression_2": {
-      "locked": {
-        "lastModified": 1643052045,
-        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1710695816,
-        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.11",
-        "repo": "nixpkgs",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
         "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1713361204,
-        "narHash": "sha256-TA6EDunWTkc5FvDCqU3W2T3SFn0gRZqh6D/hJnM02MM=",
+        "lastModified": 1717432640,
+        "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1733477122,
+        "narHash": "sha256-qamMCz5mNpQmgBwc8SB5tVMlD5sbwVIToVZtSxMph9s=",
         "owner": "cachix",
         "repo": "devenv-nixpkgs",
-        "rev": "285676e87ad9f0ca23d8714a6ab61e7e027020c6",
+        "rev": "7bd9e84d0452f6d2e63b6e6da29fe73fac951857",
         "type": "github"
       },
       "original": {
@@ -360,13 +265,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
       "locked": {
-        "lastModified": 1717112898,
-        "narHash": "sha256-7R2ZvOnvd9h8fDd65p0JnB7wXfUvreox3xFdYWd1BnY=",
+        "lastModified": 1744536153,
+        "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6132b0f6e344ce2fe34fc051b72fb46e34f668e0",
+        "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11",
         "type": "github"
       },
       "original": {
@@ -376,94 +281,11 @@
         "type": "github"
       }
     },
-    "poetry2nix": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": [
-          "devenv",
-          "cachix",
-          "devenv",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1692876271,
-        "narHash": "sha256-IXfZEkI0Mal5y1jr6IRWMqK8GW2/f28xJenZIPQqkY0=",
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "rev": "d5006be9c2c2417dafb2e2e5034d83fabd207ee3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "type": "github"
-      }
-    },
-    "pre-commit-hooks": {
-      "inputs": {
-        "flake-compat": [
-          "devenv",
-          "flake-compat"
-        ],
-        "flake-utils": "flake-utils_2",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "devenv",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1713775815,
-        "narHash": "sha256-Wu9cdYTnGQQwtT20QQMg7jzkANKQjwBD9iccfGKkfls=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "2ac4dcbf55ed43f3be0bae15e181f08a57af24a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "devenv": "devenv",
-        "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs_3"
-      }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": "nixpkgs_4"
       }
     }
   },
diff --git a/vendor/github.com/go-viper/mapstructure/v2/flake.nix b/vendor/github.com/go-viper/mapstructure/v2/flake.nix
index 4ed0f533..3b116f42 100644
--- a/vendor/github.com/go-viper/mapstructure/v2/flake.nix
+++ b/vendor/github.com/go-viper/mapstructure/v2/flake.nix
@@ -5,35 +5,42 @@
     devenv.url = "github:cachix/devenv";
   };
 
-  outputs = inputs@{ flake-parts, ... }:
+  outputs =
+    inputs@{ flake-parts, ... }:
     flake-parts.lib.mkFlake { inherit inputs; } {
       imports = [
         inputs.devenv.flakeModule
       ];
 
-      systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-darwin" ];
+      systems = [
+        "x86_64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
 
-      perSystem = { config, self', inputs', pkgs, system, ... }: rec {
-        devenv.shells = {
-          default = {
-            languages = {
-              go.enable = true;
+      perSystem =
+        { pkgs, ... }:
+        rec {
+          devenv.shells = {
+            default = {
+              languages = {
+                go.enable = true;
+              };
+
+              pre-commit.hooks = {
+                nixpkgs-fmt.enable = true;
+              };
+
+              packages = with pkgs; [
+                golangci-lint
+              ];
+
+              # https://github.com/cachix/devenv/issues/528#issuecomment-1556108767
+              containers = pkgs.lib.mkForce { };
             };
 
-            pre-commit.hooks = {
-              nixpkgs-fmt.enable = true;
-            };
-
-            packages = with pkgs; [
-              golangci-lint
-            ];
-
-            # https://github.com/cachix/devenv/issues/528#issuecomment-1556108767
-            containers = pkgs.lib.mkForce { };
+            ci = devenv.shells.default;
           };
-
-          ci = devenv.shells.default;
         };
-      };
     };
 }
diff --git a/vendor/github.com/go-viper/mapstructure/v2/mapstructure.go b/vendor/github.com/go-viper/mapstructure/v2/mapstructure.go
index e77e63ba..7c35bce0 100644
--- a/vendor/github.com/go-viper/mapstructure/v2/mapstructure.go
+++ b/vendor/github.com/go-viper/mapstructure/v2/mapstructure.go
@@ -1,5 +1,5 @@
 // Package mapstructure exposes functionality to convert one arbitrary
-// Go type into another, typically to convert a map[string]interface{}
+// Go type into another, typically to convert a map[string]any
 // into a native Go structure.
 //
 // The Go structure can be arbitrarily complex, containing slices,
@@ -54,8 +54,8 @@
 //
 // This would require an input that looks like below:
 //
-//	map[string]interface{}{
-//	    "person": map[string]interface{}{"name": "alice"},
+//	map[string]any{
+//	    "person": map[string]any{"name": "alice"},
 //	}
 //
 // If your "person" value is NOT nested, then you can append ",squash" to
@@ -68,7 +68,7 @@
 //
 // Now the following input would be accepted:
 //
-//	map[string]interface{}{
+//	map[string]any{
 //	    "name": "alice",
 //	}
 //
@@ -79,7 +79,7 @@
 //
 // Will be decoded into a map:
 //
-//	map[string]interface{}{
+//	map[string]any{
 //	    "name": "alice",
 //	}
 //
@@ -95,18 +95,18 @@
 //
 // You can also use the ",remain" suffix on your tag to collect all unused
 // values in a map. The field with this tag MUST be a map type and should
-// probably be a "map[string]interface{}" or "map[interface{}]interface{}".
+// probably be a "map[string]any" or "map[any]any".
 // See example below:
 //
 //	type Friend struct {
 //	    Name  string
-//	    Other map[string]interface{} `mapstructure:",remain"`
+//	    Other map[string]any `mapstructure:",remain"`
 //	}
 //
 // Given the input below, Other would be populated with the other
 // values that weren't used (everything but "name"):
 //
-//	map[string]interface{}{
+//	map[string]any{
 //	    "name":    "bob",
 //	    "address": "123 Maple St.",
 //	}
@@ -115,15 +115,36 @@
 //
 // When decoding from a struct to any other value, you may use the
 // ",omitempty" suffix on your tag to omit that value if it equates to
-// the zero value. The zero value of all types is specified in the Go
-// specification.
+// the zero value, or a zero-length element. The zero value of all types is
+// specified in the Go specification.
 //
 // For example, the zero type of a numeric type is zero ("0"). If the struct
 // field value is zero and a numeric type, the field is empty, and it won't
-// be encoded into the destination type.
+// be encoded into the destination type. And likewise for the URLs field, if the
+// slice is nil or empty, it won't be encoded into the destination type.
 //
 //	type Source struct {
-//	    Age int `mapstructure:",omitempty"`
+//	    Age  int      `mapstructure:",omitempty"`
+//	    URLs []string `mapstructure:",omitempty"`
+//	}
+//
+// # Omit Zero Values
+//
+// When decoding from a struct to any other value, you may use the
+// ",omitzero" suffix on your tag to omit that value if it equates to the zero
+// value. The zero value of all types is specified in the Go specification.
+//
+// For example, the zero type of a numeric type is zero ("0"). If the struct
+// field value is zero and a numeric type, the field is empty, and it won't
+// be encoded into the destination type. And likewise for the URLs field, if the
+// slice is nil, it won't be encoded into the destination type.
+//
+// Note that if the field is a slice, and it is empty but not nil, it will
+// still be encoded into the destination type.
+//
+//	type Source struct {
+//	    Age  int      `mapstructure:",omitzero"`
+//	    URLs []string `mapstructure:",omitzero"`
 //	}
 //
 // # Unexported fields
@@ -140,7 +161,7 @@
 //
 // Using this map as input:
 //
-//	map[string]interface{}{
+//	map[string]any{
 //	    "private": "I will be ignored",
 //	    "Public":  "I made it through!",
 //	}
@@ -183,19 +204,19 @@ import (
 // we started with Kinds and then realized Types were the better solution,
 // but have a promise to not break backwards compat so we now support
 // both.
-type DecodeHookFunc interface{}
+type DecodeHookFunc any
 
 // DecodeHookFuncType is a DecodeHookFunc which has complete information about
 // the source and target types.
-type DecodeHookFuncType func(reflect.Type, reflect.Type, interface{}) (interface{}, error)
+type DecodeHookFuncType func(reflect.Type, reflect.Type, any) (any, error)
 
 // DecodeHookFuncKind is a DecodeHookFunc which knows only the Kinds of the
 // source and target types.
-type DecodeHookFuncKind func(reflect.Kind, reflect.Kind, interface{}) (interface{}, error)
+type DecodeHookFuncKind func(reflect.Kind, reflect.Kind, any) (any, error)
 
 // DecodeHookFuncValue is a DecodeHookFunc which has complete access to both the source and target
 // values.
-type DecodeHookFuncValue func(from reflect.Value, to reflect.Value) (interface{}, error)
+type DecodeHookFuncValue func(from reflect.Value, to reflect.Value) (any, error)
 
 // DecoderConfig is the configuration that is used to create a new decoder
 // and allows customization of various aspects of decoding.
@@ -222,6 +243,12 @@ type DecoderConfig struct {
 	// will affect all nested structs as well.
 	ErrorUnset bool
 
+	// AllowUnsetPointer, if set to true, will prevent fields with pointer types
+	// from being reported as unset, even if ErrorUnset is true and the field was
+	// not present in the input data. This allows pointer fields to be optional
+	// without triggering an error when they are missing.
+	AllowUnsetPointer bool
+
 	// ZeroFields, if set to true, will zero fields before writing them.
 	// For example, a map will be emptied before decoded values are put in
 	// it. If this is false, a map will be merged.
@@ -260,7 +287,7 @@ type DecoderConfig struct {
 
 	// Result is a pointer to the struct that will contain the decoded
 	// value.
-	Result interface{}
+	Result any
 
 	// The tag name that mapstructure reads for field names. This
 	// defaults to "mapstructure"
@@ -292,7 +319,7 @@ type DecoderConfig struct {
 // up the most basic Decoder.
 type Decoder struct {
 	config           *DecoderConfig
-	cachedDecodeHook func(from reflect.Value, to reflect.Value) (interface{}, error)
+	cachedDecodeHook func(from reflect.Value, to reflect.Value) (any, error)
 }
 
 // Metadata contains information about decoding a structure that
@@ -313,7 +340,7 @@ type Metadata struct {
 
 // Decode takes an input structure and uses reflection to translate it to
 // the output structure. output must be a pointer to a map or struct.
-func Decode(input interface{}, output interface{}) error {
+func Decode(input any, output any) error {
 	config := &DecoderConfig{
 		Metadata: nil,
 		Result:   output,
@@ -329,7 +356,7 @@ func Decode(input interface{}, output interface{}) error {
 
 // WeakDecode is the same as Decode but is shorthand to enable
 // WeaklyTypedInput. See DecoderConfig for more info.
-func WeakDecode(input, output interface{}) error {
+func WeakDecode(input, output any) error {
 	config := &DecoderConfig{
 		Metadata:         nil,
 		Result:           output,
@@ -346,7 +373,7 @@ func WeakDecode(input, output interface{}) error {
 
 // DecodeMetadata is the same as Decode, but is shorthand to
 // enable metadata collection. See DecoderConfig for more info.
-func DecodeMetadata(input interface{}, output interface{}, metadata *Metadata) error {
+func DecodeMetadata(input any, output any, metadata *Metadata) error {
 	config := &DecoderConfig{
 		Metadata: metadata,
 		Result:   output,
@@ -363,7 +390,7 @@ func DecodeMetadata(input interface{}, output interface{}, metadata *Metadata) e
 // WeakDecodeMetadata is the same as Decode, but is shorthand to
 // enable both WeaklyTypedInput and metadata collection. See
 // DecoderConfig for more info.
-func WeakDecodeMetadata(input interface{}, output interface{}, metadata *Metadata) error {
+func WeakDecodeMetadata(input any, output any, metadata *Metadata) error {
 	config := &DecoderConfig{
 		Metadata:         metadata,
 		Result:           output,
@@ -430,7 +457,7 @@ func NewDecoder(config *DecoderConfig) (*Decoder, error) {
 
 // Decode decodes the given raw interface to the target pointer specified
 // by the configuration.
-func (d *Decoder) Decode(input interface{}) error {
+func (d *Decoder) Decode(input any) error {
 	err := d.decode("", input, reflect.ValueOf(d.config.Result).Elem())
 
 	// Retain some of the original behavior when multiple errors ocurr
@@ -443,7 +470,7 @@ func (d *Decoder) Decode(input interface{}) error {
 }
 
 // isNil returns true if the input is nil or a typed nil pointer.
-func isNil(input interface{}) bool {
+func isNil(input any) bool {
 	if input == nil {
 		return true
 	}
@@ -452,7 +479,7 @@ func isNil(input interface{}) bool {
 }
 
 // Decodes an unknown data type into a specific reflection value.
-func (d *Decoder) decode(name string, input interface{}, outVal reflect.Value) error {
+func (d *Decoder) decode(name string, input any, outVal reflect.Value) error {
 	var (
 		inputVal   = reflect.ValueOf(input)
 		outputKind = getKind(outVal)
@@ -489,10 +516,10 @@ func (d *Decoder) decode(name string, input interface{}, outVal reflect.Value) e
 		// Hooks need a valid inputVal, so reset it to zero value of outVal type.
 		switch outputKind {
 		case reflect.Struct, reflect.Map:
-			var mapVal map[string]interface{}
+			var mapVal map[string]any
 			inputVal = reflect.ValueOf(mapVal) // create nil map pointer
 		case reflect.Slice, reflect.Array:
-			var sliceVal []interface{}
+			var sliceVal []any
 			inputVal = reflect.ValueOf(sliceVal) // create nil slice pointer
 		default:
 			inputVal = reflect.Zero(outVal.Type())
@@ -504,7 +531,7 @@ func (d *Decoder) decode(name string, input interface{}, outVal reflect.Value) e
 		var err error
 		input, err = d.cachedDecodeHook(inputVal, outVal)
 		if err != nil {
-			return fmt.Errorf("error decoding '%s': %w", name, err)
+			return newDecodeError(name, err)
 		}
 	}
 	if isNil(input) {
@@ -542,7 +569,7 @@ func (d *Decoder) decode(name string, input interface{}, outVal reflect.Value) e
 		err = d.decodeFunc(name, input, outVal)
 	default:
 		// If we reached this point then we weren't able to decode it
-		return fmt.Errorf("%s: unsupported type: %s", name, outputKind)
+		return newDecodeError(name, fmt.Errorf("unsupported type: %s", outputKind))
 	}
 
 	// If we reached here, then we successfully decoded SOMETHING, so
@@ -556,7 +583,7 @@ func (d *Decoder) decode(name string, input interface{}, outVal reflect.Value) e
 
 // This decodes a basic type (bool, int, string, etc.) and sets the
 // value to "data" of that type.
-func (d *Decoder) decodeBasic(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeBasic(name string, data any, val reflect.Value) error {
 	if val.IsValid() && val.Elem().IsValid() {
 		elem := val.Elem()
 
@@ -603,16 +630,17 @@ func (d *Decoder) decodeBasic(name string, data interface{}, val reflect.Value)
 
 	dataValType := dataVal.Type()
 	if !dataValType.AssignableTo(val.Type()) {
-		return fmt.Errorf(
-			"'%s' expected type '%s', got '%s'",
-			name, val.Type(), dataValType)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 
 	val.Set(dataVal)
 	return nil
 }
 
-func (d *Decoder) decodeString(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeString(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataKind := getKind(dataVal)
 
@@ -656,15 +684,16 @@ func (d *Decoder) decodeString(name string, data interface{}, val reflect.Value)
 	}
 
 	if !converted {
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
-			name, val.Type(), dataVal.Type(), data)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 
 	return nil
 }
 
-func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeInt(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataKind := getKind(dataVal)
 	dataType := dataVal.Type()
@@ -692,26 +721,34 @@ func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) er
 		if err == nil {
 			val.SetInt(i)
 		} else {
-			return fmt.Errorf("cannot parse '%s' as int: %s", name, err)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      wrapStrconvNumError(err),
+			})
 		}
 	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
 		jn := data.(json.Number)
 		i, err := jn.Int64()
 		if err != nil {
-			return fmt.Errorf(
-				"error decoding json.Number into %s: %s", name, err)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      err,
+			})
 		}
 		val.SetInt(i)
 	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
-			name, val.Type(), dataVal.Type(), data)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 
 	return nil
 }
 
-func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeUint(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataKind := getKind(dataVal)
 	dataType := dataVal.Type()
@@ -720,8 +757,11 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e
 	case dataKind == reflect.Int:
 		i := dataVal.Int()
 		if i < 0 && !d.config.WeaklyTypedInput {
-			return fmt.Errorf("cannot parse '%s', %d overflows uint",
-				name, i)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      fmt.Errorf("%d overflows uint", i),
+			})
 		}
 		val.SetUint(uint64(i))
 	case dataKind == reflect.Uint:
@@ -729,8 +769,11 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e
 	case dataKind == reflect.Float32:
 		f := dataVal.Float()
 		if f < 0 && !d.config.WeaklyTypedInput {
-			return fmt.Errorf("cannot parse '%s', %f overflows uint",
-				name, f)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      fmt.Errorf("%f overflows uint", f),
+			})
 		}
 		val.SetUint(uint64(f))
 	case dataKind == reflect.Bool && d.config.WeaklyTypedInput:
@@ -749,26 +792,34 @@ func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) e
 		if err == nil {
 			val.SetUint(i)
 		} else {
-			return fmt.Errorf("cannot parse '%s' as uint: %s", name, err)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      wrapStrconvNumError(err),
+			})
 		}
 	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
 		jn := data.(json.Number)
 		i, err := strconv.ParseUint(string(jn), 0, 64)
 		if err != nil {
-			return fmt.Errorf(
-				"error decoding json.Number into %s: %s", name, err)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      wrapStrconvNumError(err),
+			})
 		}
 		val.SetUint(i)
 	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
-			name, val.Type(), dataVal.Type(), data)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 
 	return nil
 }
 
-func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeBool(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataKind := getKind(dataVal)
 
@@ -788,18 +839,23 @@ func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) e
 		} else if dataVal.String() == "" {
 			val.SetBool(false)
 		} else {
-			return fmt.Errorf("cannot parse '%s' as bool: %s", name, err)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      wrapStrconvNumError(err),
+			})
 		}
 	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%#v', value: '%#v'",
-			name, val, dataVal, data)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 
 	return nil
 }
 
-func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeFloat(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataKind := getKind(dataVal)
 	dataType := dataVal.Type()
@@ -827,26 +883,34 @@ func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value)
 		if err == nil {
 			val.SetFloat(f)
 		} else {
-			return fmt.Errorf("cannot parse '%s' as float: %s", name, err)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      wrapStrconvNumError(err),
+			})
 		}
 	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
 		jn := data.(json.Number)
 		i, err := jn.Float64()
 		if err != nil {
-			return fmt.Errorf(
-				"error decoding json.Number into %s: %s", name, err)
+			return newDecodeError(name, &ParseError{
+				Expected: val,
+				Value:    data,
+				Err:      err,
+			})
 		}
 		val.SetFloat(i)
 	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
-			name, val.Type(), dataVal.Type(), data)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 
 	return nil
 }
 
-func (d *Decoder) decodeComplex(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeComplex(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataKind := getKind(dataVal)
 
@@ -854,15 +918,16 @@ func (d *Decoder) decodeComplex(name string, data interface{}, val reflect.Value
 	case dataKind == reflect.Complex64:
 		val.SetComplex(dataVal.Complex())
 	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
-			name, val.Type(), dataVal.Type(), data)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 
 	return nil
 }
 
-func (d *Decoder) decodeMap(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeMap(name string, data any, val reflect.Value) error {
 	valType := val.Type()
 	valKeyType := valType.Key()
 	valElemType := valType.Elem()
@@ -900,7 +965,10 @@ func (d *Decoder) decodeMap(name string, data interface{}, val reflect.Value) er
 		fallthrough
 
 	default:
-		return fmt.Errorf("'%s' expected a map, got '%s'", name, dataVal.Kind())
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 }
 
@@ -986,7 +1054,10 @@ func (d *Decoder) decodeMapFromStruct(name string, dataVal reflect.Value, val re
 		// to the map value.
 		v := dataVal.Field(i)
 		if !v.Type().AssignableTo(valMap.Type().Elem()) {
-			return fmt.Errorf("cannot assign type '%s' to map value field of type '%s'", v.Type(), valMap.Type().Elem())
+			return newDecodeError(
+				name+"."+f.Name,
+				fmt.Errorf("cannot assign type %q to map value field of type %q", v.Type(), valMap.Type().Elem()),
+			)
 		}
 
 		tagValue := f.Tag.Get(d.config.TagName)
@@ -1011,6 +1082,11 @@ func (d *Decoder) decodeMapFromStruct(name string, dataVal reflect.Value, val re
 				continue
 			}
 
+			// If "omitzero" is specified in the tag, it ignores zero values.
+			if strings.Index(tagValue[index+1:], "omitzero") != -1 && v.IsZero() {
+				continue
+			}
+
 			// If "squash" is specified in the tag, we squash the field down.
 			squash = squash || strings.Contains(tagValue[index+1:], d.config.SquashTagOption)
 			if squash {
@@ -1021,12 +1097,18 @@ func (d *Decoder) decodeMapFromStruct(name string, dataVal reflect.Value, val re
 
 				// The final type must be a struct
 				if v.Kind() != reflect.Struct {
-					return fmt.Errorf("cannot squash non-struct type '%s'", v.Type())
+					return newDecodeError(
+						name+"."+f.Name,
+						fmt.Errorf("cannot squash non-struct type %q", v.Type()),
+					)
 				}
 			} else {
 				if strings.Index(tagValue[index+1:], "remain") != -1 {
 					if v.Kind() != reflect.Map {
-						return fmt.Errorf("error remain-tag field with invalid type: '%s'", v.Type())
+						return newDecodeError(
+							name+"."+f.Name,
+							fmt.Errorf("error remain-tag field with invalid type: %q", v.Type()),
+						)
 					}
 
 					ptr := v.MapRange()
@@ -1094,7 +1176,7 @@ func (d *Decoder) decodeMapFromStruct(name string, dataVal reflect.Value, val re
 	return nil
 }
 
-func (d *Decoder) decodePtr(name string, data interface{}, val reflect.Value) (bool, error) {
+func (d *Decoder) decodePtr(name string, data any, val reflect.Value) (bool, error) {
 	// If the input data is nil, then we want to just set the output
 	// pointer to be nil as well.
 	isNil := data == nil
@@ -1141,20 +1223,21 @@ func (d *Decoder) decodePtr(name string, data interface{}, val reflect.Value) (b
 	return false, nil
 }
 
-func (d *Decoder) decodeFunc(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeFunc(name string, data any, val reflect.Value) error {
 	// Create an element of the concrete (non pointer) type and decode
 	// into that. Then set the value of the pointer to this type.
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	if val.Type() != dataVal.Type() {
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
-			name, val.Type(), dataVal.Type(), data)
+		return newDecodeError(name, &UnconvertibleTypeError{
+			Expected: val,
+			Value:    data,
+		})
 	}
 	val.Set(dataVal)
 	return nil
 }
 
-func (d *Decoder) decodeSlice(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeSlice(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataValKind := dataVal.Kind()
 	valType := val.Type()
@@ -1176,7 +1259,7 @@ func (d *Decoder) decodeSlice(name string, data interface{}, val reflect.Value)
 					return nil
 				}
 				// Create slice of maps of other sizes
-				return d.decodeSlice(name, []interface{}{data}, val)
+				return d.decodeSlice(name, []any{data}, val)
 
 			case dataValKind == reflect.String && valElemType.Kind() == reflect.Uint8:
 				return d.decodeSlice(name, []byte(dataVal.String()), val)
@@ -1185,12 +1268,12 @@ func (d *Decoder) decodeSlice(name string, data interface{}, val reflect.Value)
 			// and "lift" it into it. i.e. a string becomes a string slice.
 			default:
 				// Just re-try this function with data as a slice.
-				return d.decodeSlice(name, []interface{}{data}, val)
+				return d.decodeSlice(name, []any{data}, val)
 			}
 		}
 
-		return fmt.Errorf(
-			"'%s': source data must be an array or slice, got %s", name, dataValKind)
+		return newDecodeError(name,
+			fmt.Errorf("source data must be an array or slice, got %s", dataValKind))
 	}
 
 	// If the input value is nil, then don't allocate since empty != nil
@@ -1228,7 +1311,7 @@ func (d *Decoder) decodeSlice(name string, data interface{}, val reflect.Value)
 	return errors.Join(errs...)
 }
 
-func (d *Decoder) decodeArray(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeArray(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 	dataValKind := dataVal.Kind()
 	valType := val.Type()
@@ -1253,17 +1336,17 @@ func (d *Decoder) decodeArray(name string, data interface{}, val reflect.Value)
 				// and "lift" it into it. i.e. a string becomes a string array.
 				default:
 					// Just re-try this function with data as a slice.
-					return d.decodeArray(name, []interface{}{data}, val)
+					return d.decodeArray(name, []any{data}, val)
 				}
 			}
 
-			return fmt.Errorf(
-				"'%s': source data must be an array or slice, got %s", name, dataValKind)
+			return newDecodeError(name,
+				fmt.Errorf("source data must be an array or slice, got %s", dataValKind))
 
 		}
 		if dataVal.Len() > arrayType.Len() {
-			return fmt.Errorf(
-				"'%s': expected source data to have length less or equal to %d, got %d", name, arrayType.Len(), dataVal.Len())
+			return newDecodeError(name,
+				fmt.Errorf("expected source data to have length less or equal to %d, got %d", arrayType.Len(), dataVal.Len()))
 		}
 
 		// Make a new array to hold our result, same size as the original data.
@@ -1289,7 +1372,7 @@ func (d *Decoder) decodeArray(name string, data interface{}, val reflect.Value)
 	return errors.Join(errs...)
 }
 
-func (d *Decoder) decodeStruct(name string, data interface{}, val reflect.Value) error {
+func (d *Decoder) decodeStruct(name string, data any, val reflect.Value) error {
 	dataVal := reflect.Indirect(reflect.ValueOf(data))
 
 	// If the type of the value to write to and the data match directly,
@@ -1310,7 +1393,7 @@ func (d *Decoder) decodeStruct(name string, data interface{}, val reflect.Value)
 		// as an intermediary.
 
 		// Make a new map to hold our result
-		mapType := reflect.TypeOf((map[string]interface{})(nil))
+		mapType := reflect.TypeOf((map[string]any)(nil))
 		mval := reflect.MakeMap(mapType)
 
 		// Creating a pointer to a map so that other methods can completely
@@ -1328,26 +1411,26 @@ func (d *Decoder) decodeStruct(name string, data interface{}, val reflect.Value)
 		return result
 
 	default:
-		return fmt.Errorf("'%s' expected a map, got '%s'", name, dataVal.Kind())
+		return newDecodeError(name,
+			fmt.Errorf("expected a map or struct, got %q", dataValKind))
 	}
 }
 
 func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) error {
 	dataValType := dataVal.Type()
 	if kind := dataValType.Key().Kind(); kind != reflect.String && kind != reflect.Interface {
-		return fmt.Errorf(
-			"'%s' needs a map with string keys, has '%s' keys",
-			name, dataValType.Key().Kind())
+		return newDecodeError(name,
+			fmt.Errorf("needs a map with string keys, has %q keys", kind))
 	}
 
 	dataValKeys := make(map[reflect.Value]struct{})
-	dataValKeysUnused := make(map[interface{}]struct{})
+	dataValKeysUnused := make(map[any]struct{})
 	for _, dataValKey := range dataVal.MapKeys() {
 		dataValKeys[dataValKey] = struct{}{}
 		dataValKeysUnused[dataValKey.Interface()] = struct{}{}
 	}
 
-	targetValKeysUnused := make(map[interface{}]struct{})
+	targetValKeysUnused := make(map[any]struct{})
 
 	var errs []error
 
@@ -1410,7 +1493,10 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 						structs = append(structs, fieldVal.Elem().Elem())
 					}
 				default:
-					errs = append(errs, fmt.Errorf("%s: unsupported type for squash: %s", fieldType.Name, fieldVal.Kind()))
+					errs = append(errs, newDecodeError(
+						name+"."+fieldType.Name,
+						fmt.Errorf("unsupported type for squash: %s", fieldVal.Kind()),
+					))
 				}
 				continue
 			}
@@ -1461,7 +1547,9 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 			if !rawMapVal.IsValid() {
 				// There was no matching key in the map for the value in
 				// the struct. Remember it for potential errors and metadata.
-				targetValKeysUnused[fieldName] = struct{}{}
+				if !(d.config.AllowUnsetPointer && fieldValue.Kind() == reflect.Ptr) {
+					targetValKeysUnused[fieldName] = struct{}{}
+				}
 				continue
 			}
 		}
@@ -1495,7 +1583,7 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 	// we put the unused keys directly into the remain field.
 	if remainField != nil && len(dataValKeysUnused) > 0 {
 		// Build a map of only the unused values
-		remain := map[interface{}]interface{}{}
+		remain := map[any]any{}
 		for key := range dataValKeysUnused {
 			remain[key] = dataVal.MapIndex(reflect.ValueOf(key)).Interface()
 		}
@@ -1517,8 +1605,10 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		}
 		sort.Strings(keys)
 
-		err := fmt.Errorf("'%s' has invalid keys: %s", name, strings.Join(keys, ", "))
-		errs = append(errs, err)
+		errs = append(errs, newDecodeError(
+			name,
+			fmt.Errorf("has invalid keys: %s", strings.Join(keys, ", ")),
+		))
 	}
 
 	if d.config.ErrorUnset && len(targetValKeysUnused) > 0 {
@@ -1528,8 +1618,10 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		}
 		sort.Strings(keys)
 
-		err := fmt.Errorf("'%s' has unset fields: %s", name, strings.Join(keys, ", "))
-		errs = append(errs, err)
+		errs = append(errs, newDecodeError(
+			name,
+			fmt.Errorf("has unset fields: %s", strings.Join(keys, ", ")),
+		))
 	}
 
 	if err := errors.Join(errs...); err != nil {
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/.go-version b/vendor/github.com/hashicorp/go-retryablehttp/.go-version
index 6fee2fed..a1b6e17d 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/.go-version
+++ b/vendor/github.com/hashicorp/go-retryablehttp/.go-version
@@ -1 +1 @@
-1.22.2
+1.23
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/.golangci.yml b/vendor/github.com/hashicorp/go-retryablehttp/.golangci.yml
new file mode 100644
index 00000000..4ff1a93b
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-retryablehttp/.golangci.yml
@@ -0,0 +1,11 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+linters:
+  disable-all: true
+  enable:
+    - errcheck
+    - staticcheck
+    - gosimple
+    - govet
+output_format: colored-line-number
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS b/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS
index d6dd78a2..85b44a12 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS
+++ b/vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS
@@ -1 +1,13 @@
-* @hashicorp/go-retryablehttp-maintainers
+# Each line is a file pattern followed by one or more owners.
+# More on CODEOWNERS files: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
+
+# Default owner
+* @hashicorp/team-ip-compliance @hashicorp/go-retryablehttp-maintainers
+
+# Add override rules below. Each line is a file/folder pattern followed by one or more owners.
+# Being an owner means those groups or individuals will be added as reviewers to PRs affecting
+# those areas of the code.
+# Examples:
+# /docs/  @docs-team
+# *.js    @js-team
+# *.go    @go-team
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/Makefile b/vendor/github.com/hashicorp/go-retryablehttp/Makefile
index 52552419..07b85a13 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/Makefile
+++ b/vendor/github.com/hashicorp/go-retryablehttp/Makefile
@@ -2,7 +2,7 @@ default: test
 
 test:
 	go vet ./...
-	go test -v -race ./...
+	go test -v -race ./... -coverprofile=coverage.out
 
 updatedeps:
 	go get -f -t -u ./...
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
index efee53c4..91059f7d 100644
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
@@ -638,6 +638,23 @@ func LinearJitterBackoff(min, max time.Duration, attemptNum int, resp *http.Resp
 	return time.Duration(jitterMin * int64(attemptNum))
 }
 
+// RateLimitLinearJitterBackoff wraps the retryablehttp.LinearJitterBackoff.
+// It first checks if the response status code is http.StatusTooManyRequests
+// (HTTP Code 429) or http.StatusServiceUnavailable (HTTP Code 503). If it is
+// and the response contains a Retry-After response header, it will wait the
+// amount of time specified by the header. Otherwise, this calls
+// LinearJitterBackoff.
+func RateLimitLinearJitterBackoff(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration {
+	if resp != nil {
+		if resp.StatusCode == http.StatusTooManyRequests || resp.StatusCode == http.StatusServiceUnavailable {
+			if sleep, ok := parseRetryAfterHeader(resp.Header["Retry-After"]); ok {
+				return sleep
+			}
+		}
+	}
+	return LinearJitterBackoff(min, max, attemptNum, resp)
+}
+
 // PassthroughErrorHandler is an ErrorHandler that directly passes through the
 // values from the net/http library for the final request. The body is not
 // closed.
@@ -870,11 +887,13 @@ func (c *Client) Head(url string) (*http.Response, error) {
 }
 
 // Post is a shortcut for doing a POST request without making a new client.
+// The bodyType parameter sets the "Content-Type" header of the request.
 func Post(url, bodyType string, body interface{}) (*http.Response, error) {
 	return defaultClient.Post(url, bodyType, body)
 }
 
 // Post is a convenience method for doing simple POST requests.
+// The bodyType parameter sets the "Content-Type" header of the request.
 func (c *Client) Post(url, bodyType string, body interface{}) (*http.Response, error) {
 	req, err := NewRequest("POST", url, body)
 	if err != nil {
diff --git a/vendor/github.com/miekg/pkcs11/.gitignore b/vendor/github.com/miekg/pkcs11/.gitignore
deleted file mode 100644
index 5fde17f9..00000000
--- a/vendor/github.com/miekg/pkcs11/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-tags
-test_db/*/generation
-test_db/*/*.lock
diff --git a/vendor/github.com/miekg/pkcs11/Makefile.release b/vendor/github.com/miekg/pkcs11/Makefile.release
deleted file mode 100644
index 4f58165f..00000000
--- a/vendor/github.com/miekg/pkcs11/Makefile.release
+++ /dev/null
@@ -1,57 +0,0 @@
-# Makefile for releasing.
-#
-# The release is controlled from version.go. The version found there is
-# used to tag the git repo, we're not building any artifects so there is nothing
-# to upload to github.
-#
-# * Up the version in version.go
-# * Run: make -f Makefile.release release
-#   * will *commit* your change with 'Release $VERSION'
-#   * push to github
-#
-
-define GO
-//+build ignore
-
-package main
-
-import (
-	"fmt"
-
-	"github.com/miekg/pkcs11"
-)
-
-func main() {
-	fmt.Println(pkcs11.Release.String())
-}
-endef
-
-$(file > version_release.go,$(GO))
-VERSION:=$(shell go run -tags release version_release.go)
-TAG="v$(VERSION)"
-
-all:
-	rm -f version_release.go
-	@echo Use the \'release\' target to start a release $(VERSION)
-
-.PHONY: run
-run:
-	rm -f version_release.go
-	@echo $(VERSION)
-
-.PHONY: release
-release: commit push
-	@echo Released $(VERSION)
-
-.PHONY: commit
-commit:
-	rm -f version_release.go
-	@echo Committing release $(VERSION)
-	git commit -am"Release $(VERSION)"
-	git tag $(TAG)
-
-.PHONY: push
-push:
-	@echo Pushing release $(VERSION) to master
-	git push --tags
-	git push
diff --git a/vendor/github.com/miekg/pkcs11/README.md b/vendor/github.com/miekg/pkcs11/README.md
deleted file mode 100644
index 18a361a9..00000000
--- a/vendor/github.com/miekg/pkcs11/README.md
+++ /dev/null
@@ -1,68 +0,0 @@
-# PKCS#11
-
-This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom where
-it makes sense. It has been tested with SoftHSM.
-
-## SoftHSM
-
- *  Make it use a custom configuration file `export SOFTHSM_CONF=$PWD/softhsm.conf`
-
- *  Then use `softhsm` to init it
-
-    ~~~
-    softhsm --init-token --slot 0 --label test --pin 1234
-    ~~~
-
- *  Then use `libsofthsm2.so` as the pkcs11 module:
-
-    ~~~ go
-    p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
-    ~~~
-
-## Examples
-
-A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
-
-~~~ go
-p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
-err := p.Initialize()
-if err != nil {
-    panic(err)
-}
-
-defer p.Destroy()
-defer p.Finalize()
-
-slots, err := p.GetSlotList(true)
-if err != nil {
-    panic(err)
-}
-
-session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
-if err != nil {
-    panic(err)
-}
-defer p.CloseSession(session)
-
-err = p.Login(session, pkcs11.CKU_USER, "1234")
-if err != nil {
-    panic(err)
-}
-defer p.Logout(session)
-
-p.DigestInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_SHA_1, nil)})
-hash, err := p.Digest(session, []byte("this is a string"))
-if err != nil {
-    panic(err)
-}
-
-for _, d := range hash {
-        fmt.Printf("%x", d)
-}
-fmt.Println()
-~~~
-
-Further examples are included in the tests.
-
-To expose PKCS#11 keys using the [crypto.Signer interface](https://golang.org/pkg/crypto/#Signer),
-please see [github.com/thalesignite/crypto11](https://github.com/thalesignite/crypto11).
diff --git a/vendor/github.com/miekg/pkcs11/error.go b/vendor/github.com/miekg/pkcs11/error.go
deleted file mode 100644
index 7df0e93a..00000000
--- a/vendor/github.com/miekg/pkcs11/error.go
+++ /dev/null
@@ -1,98 +0,0 @@
-// Copyright 2013 Miek Gieben. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs11
-
-// awk '/#define CKR_/{ print $3":\""$2"\"," }' pkcs11t.h
-
-var strerror = map[uint]string{
-	0x00000000: "CKR_OK",
-	0x00000001: "CKR_CANCEL",
-	0x00000002: "CKR_HOST_MEMORY",
-	0x00000003: "CKR_SLOT_ID_INVALID",
-	0x00000005: "CKR_GENERAL_ERROR",
-	0x00000006: "CKR_FUNCTION_FAILED",
-	0x00000007: "CKR_ARGUMENTS_BAD",
-	0x00000008: "CKR_NO_EVENT",
-	0x00000009: "CKR_NEED_TO_CREATE_THREADS",
-	0x0000000A: "CKR_CANT_LOCK",
-	0x00000010: "CKR_ATTRIBUTE_READ_ONLY",
-	0x00000011: "CKR_ATTRIBUTE_SENSITIVE",
-	0x00000012: "CKR_ATTRIBUTE_TYPE_INVALID",
-	0x00000013: "CKR_ATTRIBUTE_VALUE_INVALID",
-	0x00000020: "CKR_DATA_INVALID",
-	0x00000021: "CKR_DATA_LEN_RANGE",
-	0x00000030: "CKR_DEVICE_ERROR",
-	0x00000031: "CKR_DEVICE_MEMORY",
-	0x00000032: "CKR_DEVICE_REMOVED",
-	0x00000040: "CKR_ENCRYPTED_DATA_INVALID",
-	0x00000041: "CKR_ENCRYPTED_DATA_LEN_RANGE",
-	0x00000050: "CKR_FUNCTION_CANCELED",
-	0x00000051: "CKR_FUNCTION_NOT_PARALLEL",
-	0x00000054: "CKR_FUNCTION_NOT_SUPPORTED",
-	0x00000060: "CKR_KEY_HANDLE_INVALID",
-	0x00000062: "CKR_KEY_SIZE_RANGE",
-	0x00000063: "CKR_KEY_TYPE_INCONSISTENT",
-	0x00000064: "CKR_KEY_NOT_NEEDED",
-	0x00000065: "CKR_KEY_CHANGED",
-	0x00000066: "CKR_KEY_NEEDED",
-	0x00000067: "CKR_KEY_INDIGESTIBLE",
-	0x00000068: "CKR_KEY_FUNCTION_NOT_PERMITTED",
-	0x00000069: "CKR_KEY_NOT_WRAPPABLE",
-	0x0000006A: "CKR_KEY_UNEXTRACTABLE",
-	0x00000070: "CKR_MECHANISM_INVALID",
-	0x00000071: "CKR_MECHANISM_PARAM_INVALID",
-	0x00000082: "CKR_OBJECT_HANDLE_INVALID",
-	0x00000090: "CKR_OPERATION_ACTIVE",
-	0x00000091: "CKR_OPERATION_NOT_INITIALIZED",
-	0x000000A0: "CKR_PIN_INCORRECT",
-	0x000000A1: "CKR_PIN_INVALID",
-	0x000000A2: "CKR_PIN_LEN_RANGE",
-	0x000000A3: "CKR_PIN_EXPIRED",
-	0x000000A4: "CKR_PIN_LOCKED",
-	0x000000B0: "CKR_SESSION_CLOSED",
-	0x000000B1: "CKR_SESSION_COUNT",
-	0x000000B3: "CKR_SESSION_HANDLE_INVALID",
-	0x000000B4: "CKR_SESSION_PARALLEL_NOT_SUPPORTED",
-	0x000000B5: "CKR_SESSION_READ_ONLY",
-	0x000000B6: "CKR_SESSION_EXISTS",
-	0x000000B7: "CKR_SESSION_READ_ONLY_EXISTS",
-	0x000000B8: "CKR_SESSION_READ_WRITE_SO_EXISTS",
-	0x000000C0: "CKR_SIGNATURE_INVALID",
-	0x000000C1: "CKR_SIGNATURE_LEN_RANGE",
-	0x000000D0: "CKR_TEMPLATE_INCOMPLETE",
-	0x000000D1: "CKR_TEMPLATE_INCONSISTENT",
-	0x000000E0: "CKR_TOKEN_NOT_PRESENT",
-	0x000000E1: "CKR_TOKEN_NOT_RECOGNIZED",
-	0x000000E2: "CKR_TOKEN_WRITE_PROTECTED",
-	0x000000F0: "CKR_UNWRAPPING_KEY_HANDLE_INVALID",
-	0x000000F1: "CKR_UNWRAPPING_KEY_SIZE_RANGE",
-	0x000000F2: "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT",
-	0x00000100: "CKR_USER_ALREADY_LOGGED_IN",
-	0x00000101: "CKR_USER_NOT_LOGGED_IN",
-	0x00000102: "CKR_USER_PIN_NOT_INITIALIZED",
-	0x00000103: "CKR_USER_TYPE_INVALID",
-	0x00000104: "CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
-	0x00000105: "CKR_USER_TOO_MANY_TYPES",
-	0x00000110: "CKR_WRAPPED_KEY_INVALID",
-	0x00000112: "CKR_WRAPPED_KEY_LEN_RANGE",
-	0x00000113: "CKR_WRAPPING_KEY_HANDLE_INVALID",
-	0x00000114: "CKR_WRAPPING_KEY_SIZE_RANGE",
-	0x00000115: "CKR_WRAPPING_KEY_TYPE_INCONSISTENT",
-	0x00000120: "CKR_RANDOM_SEED_NOT_SUPPORTED",
-	0x00000121: "CKR_RANDOM_NO_RNG",
-	0x00000130: "CKR_DOMAIN_PARAMS_INVALID",
-	0x00000150: "CKR_BUFFER_TOO_SMALL",
-	0x00000160: "CKR_SAVED_STATE_INVALID",
-	0x00000170: "CKR_INFORMATION_SENSITIVE",
-	0x00000180: "CKR_STATE_UNSAVEABLE",
-	0x00000190: "CKR_CRYPTOKI_NOT_INITIALIZED",
-	0x00000191: "CKR_CRYPTOKI_ALREADY_INITIALIZED",
-	0x000001A0: "CKR_MUTEX_BAD",
-	0x000001A1: "CKR_MUTEX_NOT_LOCKED",
-	0x000001B0: "CKR_NEW_PIN_MODE",
-	0x000001B1: "CKR_NEXT_OTP",
-	0x00000200: "CKR_FUNCTION_REJECTED",
-	0x80000000: "CKR_VENDOR_DEFINED",
-}
diff --git a/vendor/github.com/miekg/pkcs11/hsm.db b/vendor/github.com/miekg/pkcs11/hsm.db
deleted file mode 100644
index eb3f10da..00000000
Binary files a/vendor/github.com/miekg/pkcs11/hsm.db and /dev/null differ
diff --git a/vendor/github.com/miekg/pkcs11/params.go b/vendor/github.com/miekg/pkcs11/params.go
deleted file mode 100644
index 6d9ce96a..00000000
--- a/vendor/github.com/miekg/pkcs11/params.go
+++ /dev/null
@@ -1,190 +0,0 @@
-// Copyright 2013 Miek Gieben. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs11
-
-/*
-#include <stdlib.h>
-#include <string.h>
-#include "pkcs11go.h"
-
-static inline void putOAEPParams(CK_RSA_PKCS_OAEP_PARAMS_PTR params, CK_VOID_PTR pSourceData, CK_ULONG ulSourceDataLen)
-{
-	params->pSourceData = pSourceData;
-	params->ulSourceDataLen = ulSourceDataLen;
-}
-
-static inline void putECDH1SharedParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pSharedData, CK_ULONG ulSharedDataLen)
-{
-	params->pSharedData = pSharedData;
-	params->ulSharedDataLen = ulSharedDataLen;
-}
-
-static inline void putECDH1PublicParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pPublicData, CK_ULONG ulPublicDataLen)
-{
-	params->pPublicData = pPublicData;
-	params->ulPublicDataLen = ulPublicDataLen;
-}
-*/
-import "C"
-import "unsafe"
-
-// GCMParams represents the parameters for the AES-GCM mechanism.
-type GCMParams struct {
-	arena
-	params  *C.CK_GCM_PARAMS
-	iv      []byte
-	aad     []byte
-	tagSize int
-}
-
-// NewGCMParams returns a pointer to AES-GCM parameters that can be used with the CKM_AES_GCM mechanism.
-// The Free() method must be called after the operation is complete.
-//
-// Note that some HSMs, like CloudHSM, will ignore the IV you pass in and write their
-// own. As a result, to support all libraries, memory is not freed
-// automatically, so that after the EncryptInit/Encrypt operation the HSM's IV
-// can be read back out. It is up to the caller to ensure that Free() is called
-// on the GCMParams object at an appropriate time, which is after
-//
-// Encrypt/Decrypt. As an example:
-//
-//    gcmParams := pkcs11.NewGCMParams(make([]byte, 12), nil, 128)
-//    p.ctx.EncryptInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_AES_GCM, gcmParams)},
-//			aesObjHandle)
-//    ct, _ := p.ctx.Encrypt(session, pt)
-//    iv := gcmParams.IV()
-//    gcmParams.Free()
-//
-func NewGCMParams(iv, aad []byte, tagSize int) *GCMParams {
-	return &GCMParams{
-		iv:      iv,
-		aad:     aad,
-		tagSize: tagSize,
-	}
-}
-
-func cGCMParams(p *GCMParams) []byte {
-	params := C.CK_GCM_PARAMS{
-		ulTagBits: C.CK_ULONG(p.tagSize),
-	}
-	var arena arena
-	if len(p.iv) > 0 {
-		iv, ivLen := arena.Allocate(p.iv)
-		params.pIv = C.CK_BYTE_PTR(iv)
-		params.ulIvLen = ivLen
-		params.ulIvBits = ivLen * 8
-	}
-	if len(p.aad) > 0 {
-		aad, aadLen := arena.Allocate(p.aad)
-		params.pAAD = C.CK_BYTE_PTR(aad)
-		params.ulAADLen = aadLen
-	}
-	p.Free()
-	p.arena = arena
-	p.params = &params
-	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params)))
-}
-
-// IV returns a copy of the actual IV used for the operation.
-//
-// Some HSMs may ignore the user-specified IV and write their own at the end of
-// the encryption operation; this method allows you to retrieve it.
-func (p *GCMParams) IV() []byte {
-	if p == nil || p.params == nil {
-		return nil
-	}
-	newIv := C.GoBytes(unsafe.Pointer(p.params.pIv), C.int(p.params.ulIvLen))
-	iv := make([]byte, len(newIv))
-	copy(iv, newIv)
-	return iv
-}
-
-// Free deallocates the memory reserved for the HSM to write back the actual IV.
-//
-// This must be called after the entire operation is complete, i.e. after
-// Encrypt or EncryptFinal. It is safe to call Free multiple times.
-func (p *GCMParams) Free() {
-	if p == nil || p.arena == nil {
-		return
-	}
-	p.arena.Free()
-	p.params = nil
-	p.arena = nil
-}
-
-// NewPSSParams creates a CK_RSA_PKCS_PSS_PARAMS structure and returns it as a byte array for use with the CKM_RSA_PKCS_PSS mechanism.
-func NewPSSParams(hashAlg, mgf, saltLength uint) []byte {
-	p := C.CK_RSA_PKCS_PSS_PARAMS{
-		hashAlg: C.CK_MECHANISM_TYPE(hashAlg),
-		mgf:     C.CK_RSA_PKCS_MGF_TYPE(mgf),
-		sLen:    C.CK_ULONG(saltLength),
-	}
-	return C.GoBytes(unsafe.Pointer(&p), C.int(unsafe.Sizeof(p)))
-}
-
-// OAEPParams can be passed to NewMechanism to implement CKM_RSA_PKCS_OAEP.
-type OAEPParams struct {
-	HashAlg    uint
-	MGF        uint
-	SourceType uint
-	SourceData []byte
-}
-
-// NewOAEPParams creates a CK_RSA_PKCS_OAEP_PARAMS structure suitable for use with the CKM_RSA_PKCS_OAEP mechanism.
-func NewOAEPParams(hashAlg, mgf, sourceType uint, sourceData []byte) *OAEPParams {
-	return &OAEPParams{
-		HashAlg:    hashAlg,
-		MGF:        mgf,
-		SourceType: sourceType,
-		SourceData: sourceData,
-	}
-}
-
-func cOAEPParams(p *OAEPParams, arena arena) ([]byte, arena) {
-	params := C.CK_RSA_PKCS_OAEP_PARAMS{
-		hashAlg: C.CK_MECHANISM_TYPE(p.HashAlg),
-		mgf:     C.CK_RSA_PKCS_MGF_TYPE(p.MGF),
-		source:  C.CK_RSA_PKCS_OAEP_SOURCE_TYPE(p.SourceType),
-	}
-	if len(p.SourceData) != 0 {
-		buf, len := arena.Allocate(p.SourceData)
-		// field is unaligned on windows so this has to call into C
-		C.putOAEPParams(&params, buf, len)
-	}
-	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
-}
-
-// ECDH1DeriveParams can be passed to NewMechanism to implement CK_ECDH1_DERIVE_PARAMS.
-type ECDH1DeriveParams struct {
-	KDF           uint
-	SharedData    []byte
-	PublicKeyData []byte
-}
-
-// NewECDH1DeriveParams creates a CK_ECDH1_DERIVE_PARAMS structure suitable for use with the CKM_ECDH1_DERIVE mechanism.
-func NewECDH1DeriveParams(kdf uint, sharedData []byte, publicKeyData []byte) *ECDH1DeriveParams {
-	return &ECDH1DeriveParams{
-		KDF:           kdf,
-		SharedData:    sharedData,
-		PublicKeyData: publicKeyData,
-	}
-}
-
-func cECDH1DeriveParams(p *ECDH1DeriveParams, arena arena) ([]byte, arena) {
-	params := C.CK_ECDH1_DERIVE_PARAMS{
-		kdf: C.CK_EC_KDF_TYPE(p.KDF),
-	}
-
-	// SharedData MUST be null if key derivation function (KDF) is CKD_NULL
-	if len(p.SharedData) != 0 {
-		sharedData, sharedDataLen := arena.Allocate(p.SharedData)
-		C.putECDH1SharedParams(&params, sharedData, sharedDataLen)
-	}
-
-	publicKeyData, publicKeyDataLen := arena.Allocate(p.PublicKeyData)
-	C.putECDH1PublicParams(&params, publicKeyData, publicKeyDataLen)
-
-	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
-}
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11.go b/vendor/github.com/miekg/pkcs11/pkcs11.go
deleted file mode 100644
index e1b5824e..00000000
--- a/vendor/github.com/miekg/pkcs11/pkcs11.go
+++ /dev/null
@@ -1,1609 +0,0 @@
-// Copyright 2013 Miek Gieben. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:generate go run const_generate.go
-
-// Package pkcs11 is a wrapper around the PKCS#11 cryptographic library.
-package pkcs11
-
-// It is *assumed*, that:
-//
-// * Go's uint size == PKCS11's CK_ULONG size
-// * CK_ULONG never overflows an Go int
-
-/*
-#cgo windows CFLAGS: -DPACKED_STRUCTURES
-#cgo linux LDFLAGS: -ldl
-#cgo darwin LDFLAGS: -ldl
-#cgo openbsd LDFLAGS:
-#cgo freebsd LDFLAGS: -ldl
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "pkcs11go.h"
-
-#ifdef _WIN32
-#include <windows.h>
-
-struct ctx {
-	HMODULE handle;
-	CK_FUNCTION_LIST_PTR sym;
-};
-
-// New initializes a ctx and fills the symbol table.
-struct ctx *New(const char *module)
-{
-	CK_C_GetFunctionList list;
-	struct ctx *c = calloc(1, sizeof(struct ctx));
-	c->handle = LoadLibrary(module);
-	if (c->handle == NULL) {
-		free(c);
-		return NULL;
-	}
-	list = (CK_C_GetFunctionList) GetProcAddress(c->handle, "C_GetFunctionList");
-	if (list == NULL) {
-		free(c);
-		return NULL;
-	}
-	list(&c->sym);
-	return c;
-}
-
-// Destroy cleans up a ctx.
-void Destroy(struct ctx *c)
-{
-	if (!c) {
-		return;
-	}
-	free(c);
-}
-#else
-#include <dlfcn.h>
-
-struct ctx {
-	void *handle;
-	CK_FUNCTION_LIST_PTR sym;
-};
-
-// New initializes a ctx and fills the symbol table.
-struct ctx *New(const char *module)
-{
-	CK_C_GetFunctionList list;
-	struct ctx *c = calloc(1, sizeof(struct ctx));
-	c->handle = dlopen(module, RTLD_LAZY);
-	if (c->handle == NULL) {
-		free(c);
-		return NULL;
-	}
-	list = (CK_C_GetFunctionList) dlsym(c->handle, "C_GetFunctionList");
-	if (list == NULL) {
-		free(c);
-		return NULL;
-	}
-	list(&c->sym);
-	return c;
-}
-
-// Destroy cleans up a ctx.
-void Destroy(struct ctx *c)
-{
-	if (!c) {
-		return;
-	}
-	if (c->handle == NULL) {
-		return;
-	}
-	if (dlclose(c->handle) < 0) {
-		return;
-	}
-	free(c);
-}
-#endif
-
-CK_RV Initialize(struct ctx * c)
-{
-	CK_C_INITIALIZE_ARGS args;
-	memset(&args, 0, sizeof(args));
-	args.flags = CKF_OS_LOCKING_OK;
-	return c->sym->C_Initialize(&args);
-}
-
-CK_RV Finalize(struct ctx * c)
-{
-	return c->sym->C_Finalize(NULL);
-}
-
-CK_RV GetInfo(struct ctx * c, ckInfoPtr info)
-{
-	CK_INFO p;
-	CK_RV e = c->sym->C_GetInfo(&p);
-	if (e != CKR_OK) {
-		return e;
-	}
-	info->cryptokiVersion = p.cryptokiVersion;
-	memcpy(info->manufacturerID, p.manufacturerID, sizeof(p.manufacturerID));
-	info->flags = p.flags;
-	memcpy(info->libraryDescription, p.libraryDescription, sizeof(p.libraryDescription));
-	info->libraryVersion = p.libraryVersion;
-	return e;
-}
-
-CK_RV GetSlotList(struct ctx * c, CK_BBOOL tokenPresent,
-		  CK_ULONG_PTR * slotList, CK_ULONG_PTR ulCount)
-{
-	CK_RV e = c->sym->C_GetSlotList(tokenPresent, NULL, ulCount);
-	if (e != CKR_OK) {
-		return e;
-	}
-	*slotList = calloc(*ulCount, sizeof(CK_SLOT_ID));
-	e = c->sym->C_GetSlotList(tokenPresent, *slotList, ulCount);
-	return e;
-}
-
-CK_RV GetSlotInfo(struct ctx * c, CK_ULONG slotID, CK_SLOT_INFO_PTR info)
-{
-	CK_RV e = c->sym->C_GetSlotInfo((CK_SLOT_ID) slotID, info);
-	return e;
-}
-
-CK_RV GetTokenInfo(struct ctx * c, CK_ULONG slotID, CK_TOKEN_INFO_PTR info)
-{
-	CK_RV e = c->sym->C_GetTokenInfo((CK_SLOT_ID) slotID, info);
-	return e;
-}
-
-CK_RV GetMechanismList(struct ctx * c, CK_ULONG slotID,
-		       CK_ULONG_PTR * mech, CK_ULONG_PTR mechlen)
-{
-	CK_RV e =
-	    c->sym->C_GetMechanismList((CK_SLOT_ID) slotID, NULL, mechlen);
-	// Gemaltos PKCS11 implementation returns CKR_BUFFER_TOO_SMALL on a NULL ptr instad of CKR_OK as the spec states.
-	if (e != CKR_OK && e != CKR_BUFFER_TOO_SMALL) {
-		return e;
-	}
-	*mech = calloc(*mechlen, sizeof(CK_MECHANISM_TYPE));
-	e = c->sym->C_GetMechanismList((CK_SLOT_ID) slotID,
-				       (CK_MECHANISM_TYPE_PTR) * mech, mechlen);
-	return e;
-}
-
-CK_RV GetMechanismInfo(struct ctx * c, CK_ULONG slotID, CK_MECHANISM_TYPE mech,
-		       CK_MECHANISM_INFO_PTR info)
-{
-	CK_RV e = c->sym->C_GetMechanismInfo((CK_SLOT_ID) slotID, mech, info);
-	return e;
-}
-
-CK_RV InitToken(struct ctx * c, CK_ULONG slotID, char *pin, CK_ULONG pinlen,
-		char *label)
-{
-	CK_RV e =
-	    c->sym->C_InitToken((CK_SLOT_ID) slotID, (CK_UTF8CHAR_PTR) pin,
-				pinlen, (CK_UTF8CHAR_PTR) label);
-	return e;
-}
-
-CK_RV InitPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *pin, CK_ULONG pinlen)
-{
-	CK_RV e = c->sym->C_InitPIN(sh, (CK_UTF8CHAR_PTR) pin, pinlen);
-	return e;
-}
-
-CK_RV SetPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *oldpin,
-	     CK_ULONG oldpinlen, char *newpin, CK_ULONG newpinlen)
-{
-	CK_RV e = c->sym->C_SetPIN(sh, (CK_UTF8CHAR_PTR) oldpin, oldpinlen,
-				   (CK_UTF8CHAR_PTR) newpin, newpinlen);
-	return e;
-}
-
-CK_RV OpenSession(struct ctx * c, CK_ULONG slotID, CK_ULONG flags,
-		  CK_SESSION_HANDLE_PTR session)
-{
-	CK_RV e =
-	    c->sym->C_OpenSession((CK_SLOT_ID) slotID, (CK_FLAGS) flags, NULL,
-				  NULL, session);
-	return e;
-}
-
-CK_RV CloseSession(struct ctx * c, CK_SESSION_HANDLE session)
-{
-	CK_RV e = c->sym->C_CloseSession(session);
-	return e;
-}
-
-CK_RV CloseAllSessions(struct ctx * c, CK_ULONG slotID)
-{
-	CK_RV e = c->sym->C_CloseAllSessions(slotID);
-	return e;
-}
-
-CK_RV GetSessionInfo(struct ctx * c, CK_SESSION_HANDLE session,
-		     CK_SESSION_INFO_PTR info)
-{
-	CK_RV e = c->sym->C_GetSessionInfo(session, info);
-	return e;
-}
-
-CK_RV GetOperationState(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_BYTE_PTR * state, CK_ULONG_PTR statelen)
-{
-	CK_RV rv = c->sym->C_GetOperationState(session, NULL, statelen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*state = calloc(*statelen, sizeof(CK_BYTE));
-	if (*state == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_GetOperationState(session, *state, statelen);
-	return rv;
-}
-
-CK_RV SetOperationState(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_BYTE_PTR state, CK_ULONG statelen,
-			CK_OBJECT_HANDLE encryptkey, CK_OBJECT_HANDLE authkey)
-{
-	return c->sym->C_SetOperationState(session, state, statelen, encryptkey,
-					   authkey);
-}
-
-CK_RV Login(struct ctx *c, CK_SESSION_HANDLE session, CK_USER_TYPE userType,
-	    char *pin, CK_ULONG pinLen)
-{
-	if (pinLen == 0) {
-		pin = NULL;
-	}
-	CK_RV e =
-	    c->sym->C_Login(session, userType, (CK_UTF8CHAR_PTR) pin, pinLen);
-	return e;
-}
-
-CK_RV Logout(struct ctx * c, CK_SESSION_HANDLE session)
-{
-	CK_RV e = c->sym->C_Logout(session);
-	return e;
-}
-
-CK_RV CreateObject(struct ctx * c, CK_SESSION_HANDLE session,
-		   CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
-		   CK_OBJECT_HANDLE_PTR obj)
-{
-	return c->sym->C_CreateObject(session, temp, tempCount, obj);
-}
-
-CK_RV CopyObject(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o,
-		 CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
-		 CK_OBJECT_HANDLE_PTR obj)
-{
-	return c->sym->C_CopyObject(session, o, temp, tempCount, obj);
-}
-
-CK_RV DestroyObject(struct ctx * c, CK_SESSION_HANDLE session,
-		    CK_OBJECT_HANDLE object)
-{
-	CK_RV e = c->sym->C_DestroyObject(session, object);
-	return e;
-}
-
-CK_RV GetObjectSize(struct ctx * c, CK_SESSION_HANDLE session,
-		    CK_OBJECT_HANDLE object, CK_ULONG_PTR size)
-{
-	CK_RV e = c->sym->C_GetObjectSize(session, object, size);
-	return e;
-}
-
-CK_RV GetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
-			CK_ULONG templen)
-{
-	// Call for the first time, check the returned ulValue in the attributes, then
-	// allocate enough space and try again.
-	CK_RV e = c->sym->C_GetAttributeValue(session, object, temp, templen);
-	if (e != CKR_OK) {
-		return e;
-	}
-	CK_ULONG i;
-	for (i = 0; i < templen; i++) {
-		if ((CK_LONG) temp[i].ulValueLen == -1) {
-			// either access denied or no such object
-			continue;
-		}
-		temp[i].pValue = calloc(temp[i].ulValueLen, sizeof(CK_BYTE));
-	}
-	return c->sym->C_GetAttributeValue(session, object, temp, templen);
-}
-
-CK_RV SetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
-			CK_ULONG templen)
-{
-	return c->sym->C_SetAttributeValue(session, object, temp, templen);
-}
-
-CK_RV FindObjectsInit(struct ctx * c, CK_SESSION_HANDLE session,
-		      CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount)
-{
-	return c->sym->C_FindObjectsInit(session, temp, tempCount);
-}
-
-CK_RV FindObjects(struct ctx * c, CK_SESSION_HANDLE session,
-		  CK_OBJECT_HANDLE_PTR * obj, CK_ULONG max,
-		  CK_ULONG_PTR objCount)
-{
-	*obj = calloc(max, sizeof(CK_OBJECT_HANDLE));
-	CK_RV e = c->sym->C_FindObjects(session, *obj, max, objCount);
-	return e;
-}
-
-CK_RV FindObjectsFinal(struct ctx * c, CK_SESSION_HANDLE session)
-{
-	CK_RV e = c->sym->C_FindObjectsFinal(session);
-	return e;
-}
-
-CK_RV EncryptInit(struct ctx * c, CK_SESSION_HANDLE session,
-		  CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
-{
-	return c->sym->C_EncryptInit(session, mechanism, key);
-}
-
-CK_RV Encrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
-	      CK_ULONG mlen, CK_BYTE_PTR * enc, CK_ULONG_PTR enclen)
-{
-	CK_RV rv = c->sym->C_Encrypt(session, message, mlen, NULL, enclen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*enc = calloc(*enclen, sizeof(CK_BYTE));
-	if (*enc == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_Encrypt(session, message, mlen, *enc, enclen);
-	return rv;
-}
-
-CK_RV EncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-		    CK_BYTE_PTR plain, CK_ULONG plainlen, CK_BYTE_PTR * cipher,
-		    CK_ULONG_PTR cipherlen)
-{
-	CK_RV rv =
-	    c->sym->C_EncryptUpdate(session, plain, plainlen, NULL, cipherlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*cipher = calloc(*cipherlen, sizeof(CK_BYTE));
-	if (*cipher == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_EncryptUpdate(session, plain, plainlen, *cipher,
-				     cipherlen);
-	return rv;
-}
-
-CK_RV EncryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
-		   CK_BYTE_PTR * cipher, CK_ULONG_PTR cipherlen)
-{
-	CK_RV rv = c->sym->C_EncryptFinal(session, NULL, cipherlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*cipher = calloc(*cipherlen, sizeof(CK_BYTE));
-	if (*cipher == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_EncryptFinal(session, *cipher, cipherlen);
-	return rv;
-}
-
-CK_RV DecryptInit(struct ctx * c, CK_SESSION_HANDLE session,
-		  CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
-{
-	return c->sym->C_DecryptInit(session, mechanism, key);
-}
-
-CK_RV Decrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher,
-	      CK_ULONG clen, CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen)
-{
-	CK_RV e = c->sym->C_Decrypt(session, cipher, clen, NULL, plainlen);
-	if (e != CKR_OK) {
-		return e;
-	}
-	*plain = calloc(*plainlen, sizeof(CK_BYTE));
-	if (*plain == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	e = c->sym->C_Decrypt(session, cipher, clen, *plain, plainlen);
-	return e;
-}
-
-CK_RV DecryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-		    CK_BYTE_PTR cipher, CK_ULONG cipherlen, CK_BYTE_PTR * part,
-		    CK_ULONG_PTR partlen)
-{
-	CK_RV rv =
-	    c->sym->C_DecryptUpdate(session, cipher, cipherlen, NULL, partlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*part = calloc(*partlen, sizeof(CK_BYTE));
-	if (*part == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_DecryptUpdate(session, cipher, cipherlen, *part,
-				     partlen);
-	return rv;
-}
-
-CK_RV DecryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
-		   CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen)
-{
-	CK_RV rv = c->sym->C_DecryptFinal(session, NULL, plainlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*plain = calloc(*plainlen, sizeof(CK_BYTE));
-	if (*plain == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_DecryptFinal(session, *plain, plainlen);
-	return rv;
-}
-
-CK_RV DigestInit(struct ctx * c, CK_SESSION_HANDLE session,
-		 CK_MECHANISM_PTR mechanism)
-{
-	return c->sym->C_DigestInit(session, mechanism);
-}
-
-CK_RV Digest(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
-	     CK_ULONG mlen, CK_BYTE_PTR * hash, CK_ULONG_PTR hashlen)
-{
-	CK_RV rv = c->sym->C_Digest(session, message, mlen, NULL, hashlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*hash = calloc(*hashlen, sizeof(CK_BYTE));
-	if (*hash == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_Digest(session, message, mlen, *hash, hashlen);
-	return rv;
-}
-
-CK_RV DigestUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-		   CK_BYTE_PTR message, CK_ULONG mlen)
-{
-	CK_RV rv = c->sym->C_DigestUpdate(session, message, mlen);
-	return rv;
-}
-
-CK_RV DigestKey(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key)
-{
-	CK_RV rv = c->sym->C_DigestKey(session, key);
-	return rv;
-}
-
-CK_RV DigestFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * hash,
-		  CK_ULONG_PTR hashlen)
-{
-	CK_RV rv = c->sym->C_DigestFinal(session, NULL, hashlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*hash = calloc(*hashlen, sizeof(CK_BYTE));
-	if (*hash == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_DigestFinal(session, *hash, hashlen);
-	return rv;
-}
-
-CK_RV SignInit(struct ctx * c, CK_SESSION_HANDLE session,
-	       CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
-{
-	return c->sym->C_SignInit(session, mechanism, key);
-}
-
-CK_RV Sign(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
-	   CK_ULONG mlen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen)
-{
-	CK_RV rv = c->sym->C_Sign(session, message, mlen, NULL, siglen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*sig = calloc(*siglen, sizeof(CK_BYTE));
-	if (*sig == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_Sign(session, message, mlen, *sig, siglen);
-	return rv;
-}
-
-CK_RV SignUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-		 CK_BYTE_PTR message, CK_ULONG mlen)
-{
-	CK_RV rv = c->sym->C_SignUpdate(session, message, mlen);
-	return rv;
-}
-
-CK_RV SignFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * sig,
-		CK_ULONG_PTR siglen)
-{
-	CK_RV rv = c->sym->C_SignFinal(session, NULL, siglen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*sig = calloc(*siglen, sizeof(CK_BYTE));
-	if (*sig == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_SignFinal(session, *sig, siglen);
-	return rv;
-}
-
-CK_RV SignRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
-		      CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
-{
-	return c->sym->C_SignRecoverInit(session, mechanism, key);
-}
-
-CK_RV SignRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR data,
-		  CK_ULONG datalen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen)
-{
-	CK_RV rv = c->sym->C_SignRecover(session, data, datalen, NULL, siglen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*sig = calloc(*siglen, sizeof(CK_BYTE));
-	if (*sig == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_SignRecover(session, data, datalen, *sig, siglen);
-	return rv;
-}
-
-CK_RV VerifyInit(struct ctx * c, CK_SESSION_HANDLE session,
-		 CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
-{
-	return c->sym->C_VerifyInit(session, mechanism, key);
-}
-
-CK_RV Verify(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
-	     CK_ULONG mesglen, CK_BYTE_PTR sig, CK_ULONG siglen)
-{
-	CK_RV rv = c->sym->C_Verify(session, message, mesglen, sig, siglen);
-	return rv;
-}
-
-CK_RV VerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-		   CK_BYTE_PTR part, CK_ULONG partlen)
-{
-	CK_RV rv = c->sym->C_VerifyUpdate(session, part, partlen);
-	return rv;
-}
-
-CK_RV VerifyFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
-		  CK_ULONG siglen)
-{
-	CK_RV rv = c->sym->C_VerifyFinal(session, sig, siglen);
-	return rv;
-}
-
-CK_RV VerifyRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
-{
-	return c->sym->C_VerifyRecoverInit(session, mechanism, key);
-}
-
-CK_RV VerifyRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
-		    CK_ULONG siglen, CK_BYTE_PTR * data, CK_ULONG_PTR datalen)
-{
-	CK_RV rv = c->sym->C_VerifyRecover(session, sig, siglen, NULL, datalen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*data = calloc(*datalen, sizeof(CK_BYTE));
-	if (*data == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_VerifyRecover(session, sig, siglen, *data, datalen);
-	return rv;
-}
-
-CK_RV DigestEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-			  CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc,
-			  CK_ULONG_PTR enclen)
-{
-	CK_RV rv =
-	    c->sym->C_DigestEncryptUpdate(session, part, partlen, NULL, enclen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*enc = calloc(*enclen, sizeof(CK_BYTE));
-	if (*enc == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_DigestEncryptUpdate(session, part, partlen, *enc,
-					   enclen);
-	return rv;
-}
-
-CK_RV DecryptDigestUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-			  CK_BYTE_PTR cipher, CK_ULONG cipherlen,
-			  CK_BYTE_PTR * part, CK_ULONG_PTR partlen)
-{
-	CK_RV rv =
-	    c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, NULL,
-					  partlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*part = calloc(*partlen, sizeof(CK_BYTE));
-	if (*part == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, *part,
-					   partlen);
-	return rv;
-}
-
-CK_RV SignEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc,
-			CK_ULONG_PTR enclen)
-{
-	CK_RV rv =
-	    c->sym->C_SignEncryptUpdate(session, part, partlen, NULL, enclen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*enc = calloc(*enclen, sizeof(CK_BYTE));
-	if (*enc == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_SignEncryptUpdate(session, part, partlen, *enc, enclen);
-	return rv;
-}
-
-CK_RV DecryptVerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
-			  CK_BYTE_PTR cipher, CK_ULONG cipherlen,
-			  CK_BYTE_PTR * part, CK_ULONG_PTR partlen)
-{
-	CK_RV rv =
-	    c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, NULL,
-					  partlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*part = calloc(*partlen, sizeof(CK_BYTE));
-	if (*part == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, *part,
-					   partlen);
-	return rv;
-}
-
-CK_RV GenerateKey(struct ctx * c, CK_SESSION_HANDLE session,
-		  CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR temp,
-		  CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR key)
-{
-	return c->sym->C_GenerateKey(session, mechanism, temp, tempCount, key);
-}
-
-CK_RV GenerateKeyPair(struct ctx * c, CK_SESSION_HANDLE session,
-		      CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR pub,
-		      CK_ULONG pubCount, CK_ATTRIBUTE_PTR priv,
-		      CK_ULONG privCount, CK_OBJECT_HANDLE_PTR pubkey,
-		      CK_OBJECT_HANDLE_PTR privkey)
-{
-	return c->sym->C_GenerateKeyPair(session, mechanism, pub, pubCount,
-		priv, privCount, pubkey, privkey);
-}
-
-CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session,
-	      CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE wrappingkey,
-	      CK_OBJECT_HANDLE key, CK_BYTE_PTR * wrapped,
-	      CK_ULONG_PTR wrappedlen)
-{
-	CK_RV rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, NULL,
-				     wrappedlen);
-	if (rv != CKR_OK) {
-		return rv;
-	}
-	*wrapped = calloc(*wrappedlen, sizeof(CK_BYTE));
-	if (*wrapped == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, *wrapped,
-			       wrappedlen);
-	return rv;
-}
-
-CK_RV DeriveKey(struct ctx * c, CK_SESSION_HANDLE session,
-		CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE basekey,
-		CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
-{
-	return c->sym->C_DeriveKey(session, mechanism, basekey, a, alen, key);
-}
-
-CK_RV UnwrapKey(struct ctx * c, CK_SESSION_HANDLE session,
-		CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE unwrappingkey,
-		CK_BYTE_PTR wrappedkey, CK_ULONG wrappedkeylen,
-		CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
-{
-	return c->sym->C_UnwrapKey(session, mechanism, unwrappingkey, wrappedkey,
-				      wrappedkeylen, a, alen, key);
-}
-
-CK_RV SeedRandom(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR seed,
-		 CK_ULONG seedlen)
-{
-	CK_RV e = c->sym->C_SeedRandom(session, seed, seedlen);
-	return e;
-}
-
-CK_RV GenerateRandom(struct ctx * c, CK_SESSION_HANDLE session,
-		     CK_BYTE_PTR * rand, CK_ULONG length)
-{
-	*rand = calloc(length, sizeof(CK_BYTE));
-	if (*rand == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	CK_RV e = c->sym->C_GenerateRandom(session, *rand, length);
-	return e;
-}
-
-CK_RV WaitForSlotEvent(struct ctx * c, CK_FLAGS flags, CK_ULONG_PTR slot)
-{
-	CK_RV e =
-	    c->sym->C_WaitForSlotEvent(flags, (CK_SLOT_ID_PTR) slot, NULL);
-	return e;
-}
-
-static inline CK_VOID_PTR getAttributePval(CK_ATTRIBUTE_PTR a)
-{
-	return a->pValue;
-}
-
-*/
-import "C"
-import (
-	"strings"
-	"unsafe"
-)
-
-// Ctx contains the current pkcs11 context.
-type Ctx struct {
-	ctx *C.struct_ctx
-}
-
-// New creates a new context and initializes the module/library for use.
-func New(module string) *Ctx {
-	c := new(Ctx)
-	mod := C.CString(module)
-	defer C.free(unsafe.Pointer(mod))
-	c.ctx = C.New(mod)
-	if c.ctx == nil {
-		return nil
-	}
-	return c
-}
-
-// Destroy unloads the module/library and frees any remaining memory.
-func (c *Ctx) Destroy() {
-	if c == nil || c.ctx == nil {
-		return
-	}
-	C.Destroy(c.ctx)
-	c.ctx = nil
-}
-
-// Initialize initializes the Cryptoki library.
-func (c *Ctx) Initialize() error {
-	e := C.Initialize(c.ctx)
-	return toError(e)
-}
-
-// Finalize indicates that an application is done with the Cryptoki library.
-func (c *Ctx) Finalize() error {
-	if c.ctx == nil {
-		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
-	}
-	e := C.Finalize(c.ctx)
-	return toError(e)
-}
-
-// GetInfo returns general information about Cryptoki.
-func (c *Ctx) GetInfo() (Info, error) {
-	var p C.ckInfo
-	e := C.GetInfo(c.ctx, &p)
-	i := Info{
-		CryptokiVersion:    toVersion(p.cryptokiVersion),
-		ManufacturerID:     strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.manufacturerID[0]), 32)), " "),
-		Flags:              uint(p.flags),
-		LibraryDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.libraryDescription[0]), 32)), " "),
-		LibraryVersion:     toVersion(p.libraryVersion),
-	}
-	return i, toError(e)
-}
-
-// GetSlotList obtains a list of slots in the system.
-func (c *Ctx) GetSlotList(tokenPresent bool) ([]uint, error) {
-	var (
-		slotList C.CK_ULONG_PTR
-		ulCount  C.CK_ULONG
-	)
-	e := C.GetSlotList(c.ctx, cBBool(tokenPresent), &slotList, &ulCount)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	l := toList(slotList, ulCount)
-	return l, nil
-}
-
-// GetSlotInfo obtains information about a particular slot in the system.
-func (c *Ctx) GetSlotInfo(slotID uint) (SlotInfo, error) {
-	var csi C.CK_SLOT_INFO
-	e := C.GetSlotInfo(c.ctx, C.CK_ULONG(slotID), &csi)
-	s := SlotInfo{
-		SlotDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.slotDescription[0]), 64)), " "),
-		ManufacturerID:  strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.manufacturerID[0]), 32)), " "),
-		Flags:           uint(csi.flags),
-		HardwareVersion: toVersion(csi.hardwareVersion),
-		FirmwareVersion: toVersion(csi.firmwareVersion),
-	}
-	return s, toError(e)
-}
-
-// GetTokenInfo obtains information about a particular token
-// in the system.
-func (c *Ctx) GetTokenInfo(slotID uint) (TokenInfo, error) {
-	var cti C.CK_TOKEN_INFO
-	e := C.GetTokenInfo(c.ctx, C.CK_ULONG(slotID), &cti)
-	s := TokenInfo{
-		Label:              strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.label[0]), 32)), " "),
-		ManufacturerID:     strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.manufacturerID[0]), 32)), " "),
-		Model:              strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.model[0]), 16)), " "),
-		SerialNumber:       strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.serialNumber[0]), 16)), " "),
-		Flags:              uint(cti.flags),
-		MaxSessionCount:    uint(cti.ulMaxSessionCount),
-		SessionCount:       uint(cti.ulSessionCount),
-		MaxRwSessionCount:  uint(cti.ulMaxRwSessionCount),
-		RwSessionCount:     uint(cti.ulRwSessionCount),
-		MaxPinLen:          uint(cti.ulMaxPinLen),
-		MinPinLen:          uint(cti.ulMinPinLen),
-		TotalPublicMemory:  uint(cti.ulTotalPublicMemory),
-		FreePublicMemory:   uint(cti.ulFreePublicMemory),
-		TotalPrivateMemory: uint(cti.ulTotalPrivateMemory),
-		FreePrivateMemory:  uint(cti.ulFreePrivateMemory),
-		HardwareVersion:    toVersion(cti.hardwareVersion),
-		FirmwareVersion:    toVersion(cti.firmwareVersion),
-		UTCTime:            strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.utcTime[0]), 16)), " "),
-	}
-	return s, toError(e)
-}
-
-// GetMechanismList obtains a list of mechanism types supported by a token.
-func (c *Ctx) GetMechanismList(slotID uint) ([]*Mechanism, error) {
-	var (
-		mech    C.CK_ULONG_PTR // in pkcs#11 we're all CK_ULONGs \o/
-		mechlen C.CK_ULONG
-	)
-	e := C.GetMechanismList(c.ctx, C.CK_ULONG(slotID), &mech, &mechlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	// Although the function returns only type, cast them back into real
-	// attributes as this is used in other functions.
-	m := make([]*Mechanism, int(mechlen))
-	for i, typ := range toList(mech, mechlen) {
-		m[i] = NewMechanism(typ, nil)
-	}
-	return m, nil
-}
-
-// GetMechanismInfo obtains information about a particular
-// mechanism possibly supported by a token.
-func (c *Ctx) GetMechanismInfo(slotID uint, m []*Mechanism) (MechanismInfo, error) {
-	var cm C.CK_MECHANISM_INFO
-	e := C.GetMechanismInfo(c.ctx, C.CK_ULONG(slotID), C.CK_MECHANISM_TYPE(m[0].Mechanism),
-		C.CK_MECHANISM_INFO_PTR(&cm))
-	mi := MechanismInfo{
-		MinKeySize: uint(cm.ulMinKeySize),
-		MaxKeySize: uint(cm.ulMaxKeySize),
-		Flags:      uint(cm.flags),
-	}
-	return mi, toError(e)
-}
-
-// InitToken initializes a token. The label must be 32 characters
-// long, it is blank padded if it is not. If it is longer it is capped
-// to 32 characters.
-func (c *Ctx) InitToken(slotID uint, pin string, label string) error {
-	p := C.CString(pin)
-	defer C.free(unsafe.Pointer(p))
-	ll := len(label)
-	for ll < 32 {
-		label += " "
-		ll++
-	}
-	l := C.CString(label[:32])
-	defer C.free(unsafe.Pointer(l))
-	e := C.InitToken(c.ctx, C.CK_ULONG(slotID), p, C.CK_ULONG(len(pin)), l)
-	return toError(e)
-}
-
-// InitPIN initializes the normal user's PIN.
-func (c *Ctx) InitPIN(sh SessionHandle, pin string) error {
-	p := C.CString(pin)
-	defer C.free(unsafe.Pointer(p))
-	e := C.InitPIN(c.ctx, C.CK_SESSION_HANDLE(sh), p, C.CK_ULONG(len(pin)))
-	return toError(e)
-}
-
-// SetPIN modifies the PIN of the user who is logged in.
-func (c *Ctx) SetPIN(sh SessionHandle, oldpin string, newpin string) error {
-	old := C.CString(oldpin)
-	defer C.free(unsafe.Pointer(old))
-	new := C.CString(newpin)
-	defer C.free(unsafe.Pointer(new))
-	e := C.SetPIN(c.ctx, C.CK_SESSION_HANDLE(sh), old, C.CK_ULONG(len(oldpin)), new, C.CK_ULONG(len(newpin)))
-	return toError(e)
-}
-
-// OpenSession opens a session between an application and a token.
-func (c *Ctx) OpenSession(slotID uint, flags uint) (SessionHandle, error) {
-	var s C.CK_SESSION_HANDLE
-	e := C.OpenSession(c.ctx, C.CK_ULONG(slotID), C.CK_ULONG(flags), C.CK_SESSION_HANDLE_PTR(&s))
-	return SessionHandle(s), toError(e)
-}
-
-// CloseSession closes a session between an application and a token.
-func (c *Ctx) CloseSession(sh SessionHandle) error {
-	if c.ctx == nil {
-		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
-	}
-	e := C.CloseSession(c.ctx, C.CK_SESSION_HANDLE(sh))
-	return toError(e)
-}
-
-// CloseAllSessions closes all sessions with a token.
-func (c *Ctx) CloseAllSessions(slotID uint) error {
-	if c.ctx == nil {
-		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
-	}
-	e := C.CloseAllSessions(c.ctx, C.CK_ULONG(slotID))
-	return toError(e)
-}
-
-// GetSessionInfo obtains information about the session.
-func (c *Ctx) GetSessionInfo(sh SessionHandle) (SessionInfo, error) {
-	var csi C.CK_SESSION_INFO
-	e := C.GetSessionInfo(c.ctx, C.CK_SESSION_HANDLE(sh), &csi)
-	s := SessionInfo{SlotID: uint(csi.slotID),
-		State:       uint(csi.state),
-		Flags:       uint(csi.flags),
-		DeviceError: uint(csi.ulDeviceError),
-	}
-	return s, toError(e)
-}
-
-// GetOperationState obtains the state of the cryptographic operation in a session.
-func (c *Ctx) GetOperationState(sh SessionHandle) ([]byte, error) {
-	var (
-		state    C.CK_BYTE_PTR
-		statelen C.CK_ULONG
-	)
-	e := C.GetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), &state, &statelen)
-	defer C.free(unsafe.Pointer(state))
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	b := C.GoBytes(unsafe.Pointer(state), C.int(statelen))
-	return b, nil
-}
-
-// SetOperationState restores the state of the cryptographic operation in a session.
-func (c *Ctx) SetOperationState(sh SessionHandle, state []byte, encryptKey, authKey ObjectHandle) error {
-	e := C.SetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&state[0])),
-		C.CK_ULONG(len(state)), C.CK_OBJECT_HANDLE(encryptKey), C.CK_OBJECT_HANDLE(authKey))
-	return toError(e)
-}
-
-// Login logs a user into a token.
-func (c *Ctx) Login(sh SessionHandle, userType uint, pin string) error {
-	p := C.CString(pin)
-	defer C.free(unsafe.Pointer(p))
-	e := C.Login(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_USER_TYPE(userType), p, C.CK_ULONG(len(pin)))
-	return toError(e)
-}
-
-// Logout logs a user out from a token.
-func (c *Ctx) Logout(sh SessionHandle) error {
-	if c.ctx == nil {
-		return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
-	}
-	e := C.Logout(c.ctx, C.CK_SESSION_HANDLE(sh))
-	return toError(e)
-}
-
-// CreateObject creates a new object.
-func (c *Ctx) CreateObject(sh SessionHandle, temp []*Attribute) (ObjectHandle, error) {
-	var obj C.CK_OBJECT_HANDLE
-	arena, t, tcount := cAttributeList(temp)
-	defer arena.Free()
-	e := C.CreateObject(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj))
-	e1 := toError(e)
-	if e1 == nil {
-		return ObjectHandle(obj), nil
-	}
-	return 0, e1
-}
-
-// CopyObject copies an object, creating a new object for the copy.
-func (c *Ctx) CopyObject(sh SessionHandle, o ObjectHandle, temp []*Attribute) (ObjectHandle, error) {
-	var obj C.CK_OBJECT_HANDLE
-	arena, t, tcount := cAttributeList(temp)
-	defer arena.Free()
-
-	e := C.CopyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj))
-	e1 := toError(e)
-	if e1 == nil {
-		return ObjectHandle(obj), nil
-	}
-	return 0, e1
-}
-
-// DestroyObject destroys an object.
-func (c *Ctx) DestroyObject(sh SessionHandle, oh ObjectHandle) error {
-	e := C.DestroyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh))
-	return toError(e)
-}
-
-// GetObjectSize gets the size of an object in bytes.
-func (c *Ctx) GetObjectSize(sh SessionHandle, oh ObjectHandle) (uint, error) {
-	var size C.CK_ULONG
-	e := C.GetObjectSize(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh), &size)
-	return uint(size), toError(e)
-}
-
-// GetAttributeValue obtains the value of one or more object attributes.
-func (c *Ctx) GetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) ([]*Attribute, error) {
-	// copy the attribute list and make all the values nil, so that
-	// the C function can (allocate) fill them in
-	pa := make([]C.CK_ATTRIBUTE, len(a))
-	for i := 0; i < len(a); i++ {
-		pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type)
-	}
-	e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), &pa[0], C.CK_ULONG(len(a)))
-	if err := toError(e); err != nil {
-		return nil, err
-	}
-	a1 := make([]*Attribute, len(a))
-	for i, c := range pa {
-		x := new(Attribute)
-		x.Type = uint(c._type)
-		if int(c.ulValueLen) != -1 {
-			buf := unsafe.Pointer(C.getAttributePval(&c))
-			x.Value = C.GoBytes(buf, C.int(c.ulValueLen))
-			C.free(buf)
-		}
-		a1[i] = x
-	}
-	return a1, nil
-}
-
-// SetAttributeValue modifies the value of one or more object attributes
-func (c *Ctx) SetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) error {
-	arena, pa, palen := cAttributeList(a)
-	defer arena.Free()
-	e := C.SetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), pa, palen)
-	return toError(e)
-}
-
-// FindObjectsInit initializes a search for token and session
-// objects that match a template.
-func (c *Ctx) FindObjectsInit(sh SessionHandle, temp []*Attribute) error {
-	arena, t, tcount := cAttributeList(temp)
-	defer arena.Free()
-	e := C.FindObjectsInit(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount)
-	return toError(e)
-}
-
-// FindObjects continues a search for token and session
-// objects that match a template, obtaining additional object
-// handles. Calling the function repeatedly may yield additional results until
-// an empty slice is returned.
-//
-// The returned boolean value is deprecated and should be ignored.
-func (c *Ctx) FindObjects(sh SessionHandle, max int) ([]ObjectHandle, bool, error) {
-	var (
-		objectList C.CK_OBJECT_HANDLE_PTR
-		ulCount    C.CK_ULONG
-	)
-	e := C.FindObjects(c.ctx, C.CK_SESSION_HANDLE(sh), &objectList, C.CK_ULONG(max), &ulCount)
-	if toError(e) != nil {
-		return nil, false, toError(e)
-	}
-	l := toList(C.CK_ULONG_PTR(unsafe.Pointer(objectList)), ulCount)
-	// Make again a new list of the correct type.
-	// This is copying data, but this is not an often used function.
-	o := make([]ObjectHandle, len(l))
-	for i, v := range l {
-		o[i] = ObjectHandle(v)
-	}
-	return o, ulCount > C.CK_ULONG(max), nil
-}
-
-// FindObjectsFinal finishes a search for token and session objects.
-func (c *Ctx) FindObjectsFinal(sh SessionHandle) error {
-	e := C.FindObjectsFinal(c.ctx, C.CK_SESSION_HANDLE(sh))
-	return toError(e)
-}
-
-// EncryptInit initializes an encryption operation.
-func (c *Ctx) EncryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.EncryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
-	return toError(e)
-}
-
-// Encrypt encrypts single-part data.
-func (c *Ctx) Encrypt(sh SessionHandle, message []byte) ([]byte, error) {
-	var (
-		enc    C.CK_BYTE_PTR
-		enclen C.CK_ULONG
-	)
-	e := C.Encrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &enc, &enclen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	s := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
-	C.free(unsafe.Pointer(enc))
-	return s, nil
-}
-
-// EncryptUpdate continues a multiple-part encryption operation.
-func (c *Ctx) EncryptUpdate(sh SessionHandle, plain []byte) ([]byte, error) {
-	var (
-		part    C.CK_BYTE_PTR
-		partlen C.CK_ULONG
-	)
-	e := C.EncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(plain), C.CK_ULONG(len(plain)), &part, &partlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
-	C.free(unsafe.Pointer(part))
-	return h, nil
-}
-
-// EncryptFinal finishes a multiple-part encryption operation.
-func (c *Ctx) EncryptFinal(sh SessionHandle) ([]byte, error) {
-	var (
-		enc    C.CK_BYTE_PTR
-		enclen C.CK_ULONG
-	)
-	e := C.EncryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &enc, &enclen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
-	C.free(unsafe.Pointer(enc))
-	return h, nil
-}
-
-// DecryptInit initializes a decryption operation.
-func (c *Ctx) DecryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.DecryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
-	return toError(e)
-}
-
-// Decrypt decrypts encrypted data in a single part.
-func (c *Ctx) Decrypt(sh SessionHandle, cipher []byte) ([]byte, error) {
-	var (
-		plain    C.CK_BYTE_PTR
-		plainlen C.CK_ULONG
-	)
-	e := C.Decrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &plain, &plainlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	s := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen))
-	C.free(unsafe.Pointer(plain))
-	return s, nil
-}
-
-// DecryptUpdate continues a multiple-part decryption operation.
-func (c *Ctx) DecryptUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
-	var (
-		part    C.CK_BYTE_PTR
-		partlen C.CK_ULONG
-	)
-	e := C.DecryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
-	C.free(unsafe.Pointer(part))
-	return h, nil
-}
-
-// DecryptFinal finishes a multiple-part decryption operation.
-func (c *Ctx) DecryptFinal(sh SessionHandle) ([]byte, error) {
-	var (
-		plain    C.CK_BYTE_PTR
-		plainlen C.CK_ULONG
-	)
-	e := C.DecryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &plain, &plainlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen))
-	C.free(unsafe.Pointer(plain))
-	return h, nil
-}
-
-// DigestInit initializes a message-digesting operation.
-func (c *Ctx) DigestInit(sh SessionHandle, m []*Mechanism) error {
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.DigestInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech)
-	return toError(e)
-}
-
-// Digest digests message in a single part.
-func (c *Ctx) Digest(sh SessionHandle, message []byte) ([]byte, error) {
-	var (
-		hash    C.CK_BYTE_PTR
-		hashlen C.CK_ULONG
-	)
-	e := C.Digest(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &hash, &hashlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen))
-	C.free(unsafe.Pointer(hash))
-	return h, nil
-}
-
-// DigestUpdate continues a multiple-part message-digesting operation.
-func (c *Ctx) DigestUpdate(sh SessionHandle, message []byte) error {
-	e := C.DigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
-	if toError(e) != nil {
-		return toError(e)
-	}
-	return nil
-}
-
-// DigestKey continues a multi-part message-digesting
-// operation, by digesting the value of a secret key as part of
-// the data already digested.
-func (c *Ctx) DigestKey(sh SessionHandle, key ObjectHandle) error {
-	e := C.DigestKey(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(key))
-	if toError(e) != nil {
-		return toError(e)
-	}
-	return nil
-}
-
-// DigestFinal finishes a multiple-part message-digesting operation.
-func (c *Ctx) DigestFinal(sh SessionHandle) ([]byte, error) {
-	var (
-		hash    C.CK_BYTE_PTR
-		hashlen C.CK_ULONG
-	)
-	e := C.DigestFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &hash, &hashlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen))
-	C.free(unsafe.Pointer(hash))
-	return h, nil
-}
-
-// SignInit initializes a signature (private key encryption)
-// operation, where the signature is (will be) an appendix to
-// the data, and plaintext cannot be recovered from the signature.
-func (c *Ctx) SignInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.SignInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
-	return toError(e)
-}
-
-// Sign signs (encrypts with private key) data in a single part, where the signature
-// is (will be) an appendix to the data, and plaintext cannot be recovered from the signature.
-func (c *Ctx) Sign(sh SessionHandle, message []byte) ([]byte, error) {
-	var (
-		sig    C.CK_BYTE_PTR
-		siglen C.CK_ULONG
-	)
-	e := C.Sign(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &sig, &siglen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	s := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
-	C.free(unsafe.Pointer(sig))
-	return s, nil
-}
-
-// SignUpdate continues a multiple-part signature operation,
-// where the signature is (will be) an appendix to the data,
-// and plaintext cannot be recovered from the signature.
-func (c *Ctx) SignUpdate(sh SessionHandle, message []byte) error {
-	e := C.SignUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
-	return toError(e)
-}
-
-// SignFinal finishes a multiple-part signature operation returning the signature.
-func (c *Ctx) SignFinal(sh SessionHandle) ([]byte, error) {
-	var (
-		sig    C.CK_BYTE_PTR
-		siglen C.CK_ULONG
-	)
-	e := C.SignFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &sig, &siglen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
-	C.free(unsafe.Pointer(sig))
-	return h, nil
-}
-
-// SignRecoverInit initializes a signature operation, where the data can be recovered from the signature.
-func (c *Ctx) SignRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.SignRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
-	return toError(e)
-}
-
-// SignRecover signs data in a single operation, where the data can be recovered from the signature.
-func (c *Ctx) SignRecover(sh SessionHandle, data []byte) ([]byte, error) {
-	var (
-		sig    C.CK_BYTE_PTR
-		siglen C.CK_ULONG
-	)
-	e := C.SignRecover(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), &sig, &siglen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
-	C.free(unsafe.Pointer(sig))
-	return h, nil
-}
-
-// VerifyInit initializes a verification operation, where the
-// signature is an appendix to the data, and plaintext cannot
-// be recovered from the signature (e.g. DSA).
-func (c *Ctx) VerifyInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.VerifyInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
-	return toError(e)
-}
-
-// Verify verifies a signature in a single-part operation,
-// where the signature is an appendix to the data, and plaintext
-// cannot be recovered from the signature.
-func (c *Ctx) Verify(sh SessionHandle, data []byte, signature []byte) error {
-	e := C.Verify(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), cMessage(signature), C.CK_ULONG(len(signature)))
-	return toError(e)
-}
-
-// VerifyUpdate continues a multiple-part verification
-// operation, where the signature is an appendix to the data,
-// and plaintext cannot be recovered from the signature.
-func (c *Ctx) VerifyUpdate(sh SessionHandle, part []byte) error {
-	e := C.VerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)))
-	return toError(e)
-}
-
-// VerifyFinal finishes a multiple-part verification
-// operation, checking the signature.
-func (c *Ctx) VerifyFinal(sh SessionHandle, signature []byte) error {
-	e := C.VerifyFinal(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)))
-	return toError(e)
-}
-
-// VerifyRecoverInit initializes a signature verification
-// operation, where the data is recovered from the signature.
-func (c *Ctx) VerifyRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.VerifyRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
-	return toError(e)
-}
-
-// VerifyRecover verifies a signature in a single-part
-// operation, where the data is recovered from the signature.
-func (c *Ctx) VerifyRecover(sh SessionHandle, signature []byte) ([]byte, error) {
-	var (
-		data    C.CK_BYTE_PTR
-		datalen C.CK_ULONG
-	)
-	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)), &data, &datalen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(data), C.int(datalen))
-	C.free(unsafe.Pointer(data))
-	return h, nil
-}
-
-// DigestEncryptUpdate continues a multiple-part digesting and encryption operation.
-func (c *Ctx) DigestEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) {
-	var (
-		enc    C.CK_BYTE_PTR
-		enclen C.CK_ULONG
-	)
-	e := C.DigestEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
-	C.free(unsafe.Pointer(enc))
-	return h, nil
-}
-
-// DecryptDigestUpdate continues a multiple-part decryption and digesting operation.
-func (c *Ctx) DecryptDigestUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
-	var (
-		part    C.CK_BYTE_PTR
-		partlen C.CK_ULONG
-	)
-	e := C.DecryptDigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
-	C.free(unsafe.Pointer(part))
-	return h, nil
-}
-
-// SignEncryptUpdate continues a multiple-part signing and encryption operation.
-func (c *Ctx) SignEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) {
-	var (
-		enc    C.CK_BYTE_PTR
-		enclen C.CK_ULONG
-	)
-	e := C.SignEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
-	C.free(unsafe.Pointer(enc))
-	return h, nil
-}
-
-// DecryptVerifyUpdate continues a multiple-part decryption and verify operation.
-func (c *Ctx) DecryptVerifyUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
-	var (
-		part    C.CK_BYTE_PTR
-		partlen C.CK_ULONG
-	)
-	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
-	C.free(unsafe.Pointer(part))
-	return h, nil
-}
-
-// GenerateKey generates a secret key, creating a new key object.
-func (c *Ctx) GenerateKey(sh SessionHandle, m []*Mechanism, temp []*Attribute) (ObjectHandle, error) {
-	var key C.CK_OBJECT_HANDLE
-	attrarena, t, tcount := cAttributeList(temp)
-	defer attrarena.Free()
-	mecharena, mech := cMechanism(m)
-	defer mecharena.Free()
-	e := C.GenerateKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, t, tcount, C.CK_OBJECT_HANDLE_PTR(&key))
-	e1 := toError(e)
-	if e1 == nil {
-		return ObjectHandle(key), nil
-	}
-	return 0, e1
-}
-
-// GenerateKeyPair generates a public-key/private-key pair creating new key objects.
-func (c *Ctx) GenerateKeyPair(sh SessionHandle, m []*Mechanism, public, private []*Attribute) (ObjectHandle, ObjectHandle, error) {
-	var (
-		pubkey  C.CK_OBJECT_HANDLE
-		privkey C.CK_OBJECT_HANDLE
-	)
-	pubarena, pub, pubcount := cAttributeList(public)
-	defer pubarena.Free()
-	privarena, priv, privcount := cAttributeList(private)
-	defer privarena.Free()
-	mecharena, mech := cMechanism(m)
-	defer mecharena.Free()
-	e := C.GenerateKeyPair(c.ctx, C.CK_SESSION_HANDLE(sh), mech, pub, pubcount, priv, privcount, C.CK_OBJECT_HANDLE_PTR(&pubkey), C.CK_OBJECT_HANDLE_PTR(&privkey))
-	e1 := toError(e)
-	if e1 == nil {
-		return ObjectHandle(pubkey), ObjectHandle(privkey), nil
-	}
-	return 0, 0, e1
-}
-
-// WrapKey wraps (i.e., encrypts) a key.
-func (c *Ctx) WrapKey(sh SessionHandle, m []*Mechanism, wrappingkey, key ObjectHandle) ([]byte, error) {
-	var (
-		wrappedkey    C.CK_BYTE_PTR
-		wrappedkeylen C.CK_ULONG
-	)
-	arena, mech := cMechanism(m)
-	defer arena.Free()
-	e := C.WrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(wrappingkey), C.CK_OBJECT_HANDLE(key), &wrappedkey, &wrappedkeylen)
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(wrappedkey), C.int(wrappedkeylen))
-	C.free(unsafe.Pointer(wrappedkey))
-	return h, nil
-}
-
-// UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object.
-func (c *Ctx) UnwrapKey(sh SessionHandle, m []*Mechanism, unwrappingkey ObjectHandle, wrappedkey []byte, a []*Attribute) (ObjectHandle, error) {
-	var key C.CK_OBJECT_HANDLE
-	attrarena, ac, aclen := cAttributeList(a)
-	defer attrarena.Free()
-	mecharena, mech := cMechanism(m)
-	defer mecharena.Free()
-	e := C.UnwrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(unwrappingkey), C.CK_BYTE_PTR(unsafe.Pointer(&wrappedkey[0])), C.CK_ULONG(len(wrappedkey)), ac, aclen, &key)
-	return ObjectHandle(key), toError(e)
-}
-
-// DeriveKey derives a key from a base key, creating a new key object.
-func (c *Ctx) DeriveKey(sh SessionHandle, m []*Mechanism, basekey ObjectHandle, a []*Attribute) (ObjectHandle, error) {
-	var key C.CK_OBJECT_HANDLE
-	attrarena, ac, aclen := cAttributeList(a)
-	defer attrarena.Free()
-	mecharena, mech := cMechanism(m)
-	defer mecharena.Free()
-	e := C.DeriveKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(basekey), ac, aclen, &key)
-	return ObjectHandle(key), toError(e)
-}
-
-// SeedRandom mixes additional seed material into the token's
-// random number generator.
-func (c *Ctx) SeedRandom(sh SessionHandle, seed []byte) error {
-	e := C.SeedRandom(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&seed[0])), C.CK_ULONG(len(seed)))
-	return toError(e)
-}
-
-// GenerateRandom generates random data.
-func (c *Ctx) GenerateRandom(sh SessionHandle, length int) ([]byte, error) {
-	var rand C.CK_BYTE_PTR
-	e := C.GenerateRandom(c.ctx, C.CK_SESSION_HANDLE(sh), &rand, C.CK_ULONG(length))
-	if toError(e) != nil {
-		return nil, toError(e)
-	}
-	h := C.GoBytes(unsafe.Pointer(rand), C.int(length))
-	C.free(unsafe.Pointer(rand))
-	return h, nil
-}
-
-// WaitForSlotEvent returns a channel which returns a slot event
-// (token insertion, removal, etc.) when it occurs.
-func (c *Ctx) WaitForSlotEvent(flags uint) chan SlotEvent {
-	sl := make(chan SlotEvent, 1) // hold one element
-	go c.waitForSlotEventHelper(flags, sl)
-	return sl
-}
-
-func (c *Ctx) waitForSlotEventHelper(f uint, sl chan SlotEvent) {
-	var slotID C.CK_ULONG
-	C.WaitForSlotEvent(c.ctx, C.CK_FLAGS(f), &slotID)
-	sl <- SlotEvent{uint(slotID)}
-	close(sl) // TODO(miek): Sending and then closing ...?
-}
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11.h b/vendor/github.com/miekg/pkcs11/pkcs11.h
deleted file mode 100644
index 0d78dd71..00000000
--- a/vendor/github.com/miekg/pkcs11/pkcs11.h
+++ /dev/null
@@ -1,265 +0,0 @@
-/* Copyright (c) OASIS Open 2016. All Rights Reserved./
- * /Distributed under the terms of the OASIS IPR Policy,
- * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
- * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
- */
-        
-/* Latest version of the specification:
- * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
- */
-
-#ifndef _PKCS11_H_
-#define _PKCS11_H_ 1
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Before including this file (pkcs11.h) (or pkcs11t.h by
- * itself), 5 platform-specific macros must be defined.  These
- * macros are described below, and typical definitions for them
- * are also given.  Be advised that these definitions can depend
- * on both the platform and the compiler used (and possibly also
- * on whether a Cryptoki library is linked statically or
- * dynamically).
- *
- * In addition to defining these 5 macros, the packing convention
- * for Cryptoki structures should be set.  The Cryptoki
- * convention on packing is that structures should be 1-byte
- * aligned.
- *
- * If you're using Microsoft Developer Studio 5.0 to produce
- * Win32 stuff, this might be done by using the following
- * preprocessor directive before including pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(push, cryptoki, 1)
- *
- * and using the following preprocessor directive after including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(pop, cryptoki)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to produce Win16 stuff, this might be done by using
- * the following preprocessor directive before including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(1)
- *
- * In a UNIX environment, you're on your own for this.  You might
- * not need to do (or be able to do!) anything.
- *
- *
- * Now for the macros:
- *
- *
- * 1. CK_PTR: The indirection string for making a pointer to an
- * object.  It can be used like this:
- *
- * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
- *
- * If you're using Microsoft Developer Studio 5.0 to produce
- * Win32 stuff, it might be defined by:
- *
- * #define CK_PTR *
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to produce Win16 stuff, it might be defined by:
- *
- * #define CK_PTR far *
- *
- * In a typical UNIX environment, it might be defined by:
- *
- * #define CK_PTR *
- *
- *
- * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
- * an importable Cryptoki library function declaration out of a
- * return type and a function name.  It should be used in the
- * following fashion:
- *
- * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
- *   CK_VOID_PTR pReserved
- * );
- *
- * If you're using Microsoft Developer Studio 5.0 to declare a
- * function in a Win32 Cryptoki .dll, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __declspec(dllimport) name
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to declare a function in a Win16 Cryptoki .dll, it
- * might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType name
- *
- *
- * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
- * which makes a Cryptoki API function pointer declaration or
- * function pointer type declaration out of a return type and a
- * function name.  It should be used in the following fashion:
- *
- * // Define funcPtr to be a pointer to a Cryptoki API function
- * // taking arguments args and returning CK_RV.
- * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
- *
- * or
- *
- * // Define funcPtrType to be the type of a pointer to a
- * // Cryptoki API function taking arguments args and returning
- * // CK_RV, and then define funcPtr to be a variable of type
- * // funcPtrType.
- * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
- * funcPtrType funcPtr;
- *
- * If you're using Microsoft Developer Studio 5.0 to access
- * functions in a Win32 Cryptoki .dll, in might be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __declspec(dllimport) (* name)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to access functions in a Win16 Cryptoki .dll, it might
- * be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __export _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType (* name)
- *
- *
- * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
- * a function pointer type for an application callback out of
- * a return type for the callback and a name for the callback.
- * It should be used in the following fashion:
- *
- * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
- *
- * to declare a function pointer, myCallback, to a callback
- * which takes arguments args and returns a CK_RV.  It can also
- * be used like this:
- *
- * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
- * myCallbackType myCallback;
- *
- * If you're using Microsoft Developer Studio 5.0 to do Win32
- * Cryptoki development, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to do Win16 development, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- *
- * 5. NULL_PTR: This macro is the value of a NULL pointer.
- *
- * In any ANSI/ISO C environment (and in many others as well),
- * this should best be defined by
- *
- * #ifndef NULL_PTR
- * #define NULL_PTR 0
- * #endif
- */
-
-
-/* All the various Cryptoki types and #define'd values are in the
- * file pkcs11t.h.
- */
-#include "pkcs11t.h"
-
-#define __PASTE(x,y)      x##y
-
-
-/* ==============================================================
- * Define the "extern" form of all the entry points.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  extern CK_DECLARE_FUNCTION(CK_RV, name)
-
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes.
- */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define the typedef form of all the entry points.  That is, for
- * each Cryptoki function C_XXX, define a type CK_C_XXX which is
- * a pointer to that kind of function.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
-
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes.
- */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define structed vector of entry points.  A CK_FUNCTION_LIST
- * contains a CK_VERSION indicating a library's Cryptoki version
- * and then a whole slew of function pointers to the routines in
- * the library.  This type was declared, but not defined, in
- * pkcs11t.h.
- * ==============================================================
- */
-
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  __PASTE(CK_,name) name;
-
-struct CK_FUNCTION_LIST {
-
-  CK_VERSION    version;  /* Cryptoki version */
-
-/* Pile all the function pointers into the CK_FUNCTION_LIST. */
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes.
- */
-#include "pkcs11f.h"
-
-};
-
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-#undef __PASTE
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _PKCS11_H_ */
-
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11f.h b/vendor/github.com/miekg/pkcs11/pkcs11f.h
deleted file mode 100644
index ed90affc..00000000
--- a/vendor/github.com/miekg/pkcs11/pkcs11f.h
+++ /dev/null
@@ -1,939 +0,0 @@
-/* Copyright (c) OASIS Open 2016. All Rights Reserved./
- * /Distributed under the terms of the OASIS IPR Policy,
- * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
- * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
- */
-        
-/* Latest version of the specification:
- * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
- */
-
-/* This header file contains pretty much everything about all the
- * Cryptoki function prototypes.  Because this information is
- * used for more than just declaring function prototypes, the
- * order of the functions appearing herein is important, and
- * should not be altered.
- */
-
-/* General-purpose */
-
-/* C_Initialize initializes the Cryptoki library. */
-CK_PKCS11_FUNCTION_INFO(C_Initialize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
-                            * cast to CK_C_INITIALIZE_ARGS_PTR
-                            * and dereferenced
-                            */
-);
-#endif
-
-
-/* C_Finalize indicates that an application is done with the
- * Cryptoki library.
- */
-CK_PKCS11_FUNCTION_INFO(C_Finalize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
-);
-#endif
-
-
-/* C_GetInfo returns general information about Cryptoki. */
-CK_PKCS11_FUNCTION_INFO(C_GetInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_INFO_PTR   pInfo  /* location that receives information */
-);
-#endif
-
-
-/* C_GetFunctionList returns the function list. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
-                                            * function list
-                                            */
-);
-#endif
-
-
-
-/* Slot and token management */
-
-/* C_GetSlotList obtains a list of slots in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_BBOOL       tokenPresent,  /* only slots with tokens */
-  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
-  CK_ULONG_PTR   pulCount       /* receives number of slots */
-);
-#endif
-
-
-/* C_GetSlotInfo obtains information about a particular slot in
- * the system.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID       slotID,  /* the ID of the slot */
-  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
-);
-#endif
-
-
-/* C_GetTokenInfo obtains information about a particular token
- * in the system.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID        slotID,  /* ID of the token's slot */
-  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
-);
-#endif
-
-
-/* C_GetMechanismList obtains a list of mechanism types
- * supported by a token.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,          /* ID of token's slot */
-  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
-  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
-);
-#endif
-
-
-/* C_GetMechanismInfo obtains information about a particular
- * mechanism possibly supported by a token.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,  /* ID of the token's slot */
-  CK_MECHANISM_TYPE     type,    /* type of mechanism */
-  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
-);
-#endif
-
-
-/* C_InitToken initializes a token. */
-CK_PKCS11_FUNCTION_INFO(C_InitToken)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID      slotID,    /* ID of the token's slot */
-  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
-  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
-  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
-);
-#endif
-
-
-/* C_InitPIN initializes the normal user's PIN. */
-CK_PKCS11_FUNCTION_INFO(C_InitPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
-  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
-);
-#endif
-
-
-/* C_SetPIN modifies the PIN of the user who is logged in. */
-CK_PKCS11_FUNCTION_INFO(C_SetPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
-  CK_ULONG          ulOldLen,  /* length of the old PIN */
-  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
-  CK_ULONG          ulNewLen   /* length of the new PIN */
-);
-#endif
-
-
-
-/* Session management */
-
-/* C_OpenSession opens a session between an application and a
- * token.
- */
-CK_PKCS11_FUNCTION_INFO(C_OpenSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,        /* the slot's ID */
-  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
-  CK_VOID_PTR           pApplication,  /* passed to callback */
-  CK_NOTIFY             Notify,        /* callback function */
-  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
-);
-#endif
-
-
-/* C_CloseSession closes a session between an application and a
- * token.
- */
-CK_PKCS11_FUNCTION_INFO(C_CloseSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CloseAllSessions closes all sessions with a token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID     slotID  /* the token's slot */
-);
-#endif
-
-
-/* C_GetSessionInfo obtains information about the session. */
-CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE   hSession,  /* the session's handle */
-  CK_SESSION_INFO_PTR pInfo      /* receives session info */
-);
-#endif
-
-
-/* C_GetOperationState obtains the state of the cryptographic operation
- * in a session.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,             /* session's handle */
-  CK_BYTE_PTR       pOperationState,      /* gets state */
-  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
-);
-#endif
-
-
-/* C_SetOperationState restores the state of the cryptographic
- * operation in a session.
- */
-CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR      pOperationState,      /* holds state */
-  CK_ULONG         ulOperationStateLen,  /* holds state length */
-  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
-  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
-);
-#endif
-
-
-/* C_Login logs a user into a token. */
-CK_PKCS11_FUNCTION_INFO(C_Login)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_USER_TYPE      userType,  /* the user type */
-  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
-  CK_ULONG          ulPinLen   /* the length of the PIN */
-);
-#endif
-
-
-/* C_Logout logs a user out from a token. */
-CK_PKCS11_FUNCTION_INFO(C_Logout)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Object management */
-
-/* C_CreateObject creates a new object. */
-CK_PKCS11_FUNCTION_INFO(C_CreateObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
-  CK_ULONG          ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
-);
-#endif
-
-
-/* C_CopyObject copies an object, creating a new object for the
- * copy.
- */
-CK_PKCS11_FUNCTION_INFO(C_CopyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
-  CK_ULONG             ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
-);
-#endif
-
-
-/* C_DestroyObject destroys an object. */
-CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject    /* the object's handle */
-);
-#endif
-
-
-/* C_GetObjectSize gets the size of an object in bytes. */
-CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
-  CK_ULONG_PTR      pulSize    /* receives size of object */
-);
-#endif
-
-
-/* C_GetAttributeValue obtains the value of one or more object
- * attributes.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_SetAttributeValue modifies the value of one or more object
- * attributes.
- */
-CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_FindObjectsInit initializes a search for token and session
- * objects that match a template.
- */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
-  CK_ULONG          ulCount     /* attrs in search template */
-);
-#endif
-
-
-/* C_FindObjects continues a search for token and session
- * objects that match a template, obtaining additional object
- * handles.
- */
-CK_PKCS11_FUNCTION_INFO(C_FindObjects)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE    hSession,          /* session's handle */
- CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
- CK_ULONG             ulMaxObjectCount,  /* max handles to get */
- CK_ULONG_PTR         pulObjectCount     /* actual # returned */
-);
-#endif
-
-
-/* C_FindObjectsFinal finishes a search for token and session
- * objects.
- */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Encryption and decryption */
-
-/* C_EncryptInit initializes an encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
-);
-#endif
-
-
-/* C_Encrypt encrypts single-part data. */
-CK_PKCS11_FUNCTION_INFO(C_Encrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pData,               /* the plaintext data */
-  CK_ULONG          ulDataLen,           /* bytes of plaintext */
-  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptUpdate continues a multiple-part encryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pPart,              /* the plaintext data */
-  CK_ULONG          ulPartLen,          /* plaintext data len */
-  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptFinal finishes a multiple-part encryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,                /* session handle */
-  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
-  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
-);
-#endif
-
-
-/* C_DecryptInit initializes a decryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
-);
-#endif
-
-
-/* C_Decrypt decrypts encrypted data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Decrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
-  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
-  CK_BYTE_PTR       pData,              /* gets plaintext */
-  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
-);
-#endif
-
-
-/* C_DecryptUpdate continues a multiple-part decryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
-  CK_ULONG          ulEncryptedPartLen,  /* input length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* p-text size */
-);
-#endif
-
-
-/* C_DecryptFinal finishes a multiple-part decryption
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
-  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
-);
-#endif
-
-
-
-/* Message digesting */
-
-/* C_DigestInit initializes a message-digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
-);
-#endif
-
-
-/* C_Digest digests data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Digest)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pData,        /* data to be digested */
-  CK_ULONG          ulDataLen,    /* bytes of data to digest */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
-);
-#endif
-
-
-/* C_DigestUpdate continues a multiple-part message-digesting
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* data to be digested */
-  CK_ULONG          ulPartLen  /* bytes of data to be digested */
-);
-#endif
-
-
-/* C_DigestKey continues a multi-part message-digesting
- * operation, by digesting the value of a secret key as part of
- * the data already digested.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
-);
-#endif
-
-
-/* C_DigestFinal finishes a multiple-part message-digesting
- * operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
-);
-#endif
-
-
-
-/* Signing and MACing */
-
-/* C_SignInit initializes a signature (private key encryption)
- * operation, where the signature is (will be) an appendix to
- * the data, and plaintext cannot be recovered from the
- * signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
-);
-#endif
-
-
-/* C_Sign signs (encrypts with private key) data in a single
- * part, where the signature is (will be) an appendix to the
- * data, and plaintext cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_Sign)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* the data to sign */
-  CK_ULONG          ulPartLen  /* count of bytes to sign */
-);
-#endif
-
-
-/* C_SignFinal finishes a multiple-part signature operation,
- * returning the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignRecoverInit initializes a signature operation, where
- * the data can be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
-);
-#endif
-
-
-/* C_SignRecover signs data in a single operation, where the
- * data can be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-
-/* Verifying signatures and MACs */
-
-/* C_VerifyInit initializes a verification operation, where the
- * signature is an appendix to the data, and plaintext cannot
- * cannot be recovered from the signature (e.g. DSA).
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */
-);
-#endif
-
-
-/* C_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data, and plaintext
- * cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_Verify)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pData,          /* signed data */
-  CK_ULONG          ulDataLen,      /* length of signed data */
-  CK_BYTE_PTR       pSignature,     /* signature */
-  CK_ULONG          ulSignatureLen  /* signature length*/
-);
-#endif
-
-
-/* C_VerifyUpdate continues a multiple-part verification
- * operation, where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* signed data */
-  CK_ULONG          ulPartLen  /* length of signed data */
-);
-#endif
-
-
-/* C_VerifyFinal finishes a multiple-part verification
- * operation, checking the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pSignature,     /* signature to verify */
-  CK_ULONG          ulSignatureLen  /* signature length */
-);
-#endif
-
-
-/* C_VerifyRecoverInit initializes a signature verification
- * operation, where the data is recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */
-);
-#endif
-
-
-/* C_VerifyRecover verifies a signature in a single-part
- * operation, where the data is recovered from the signature.
- */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* signature to verify */
-  CK_ULONG          ulSignatureLen,  /* signature length */
-  CK_BYTE_PTR       pData,           /* gets signed data */
-  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
-);
-#endif
-
-
-
-/* Dual-function cryptographic operations */
-
-/* C_DigestEncryptUpdate continues a multiple-part digesting
- * and encryption operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
-);
-#endif
-
-
-/* C_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptVerifyUpdate continues a multiple-part decryption and
- * verify operation.
- */
-CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
-);
-#endif
-
-
-
-/* Key management */
-
-/* C_GenerateKey generates a secret key, creating a new key
- * object.
- */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
-  CK_ULONG             ulCount,     /* # of attrs in template */
-  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
-);
-#endif
-
-
-/* C_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects.
- */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,                    /* session handle */
-  CK_MECHANISM_PTR     pMechanism,                  /* key-gen mech. */
-  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template for pub. key */
-  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub. attrs. */
-  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template for priv. key */
-  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.  attrs. */
-  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub. key handle */
-  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets priv. key handle */
-);
-#endif
-
-
-/* C_WrapKey wraps (i.e., encrypts) a key. */
-CK_PKCS11_FUNCTION_INFO(C_WrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
-  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
-  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
-  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
-  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
-);
-#endif
-
-
-/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
- * key object.
- */
-CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
-  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
-  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
-  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-/* C_DeriveKey derives a key from a base key, creating a new key
- * object.
- */
-CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
-  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-
-/* Random number generation */
-
-/* C_SeedRandom mixes additional seed material into the token's
- * random number generator.
- */
-CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pSeed,     /* the seed material */
-  CK_ULONG          ulSeedLen  /* length of seed material */
-);
-#endif
-
-
-/* C_GenerateRandom generates random data. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_BYTE_PTR       RandomData,  /* receives the random data */
-  CK_ULONG          ulRandomLen  /* # of bytes to generate */
-);
-#endif
-
-
-
-/* Parallel function management */
-
-/* C_GetFunctionStatus is a legacy function; it obtains an
- * updated status of a function running in parallel with an
- * application.
- */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CancelFunction is a legacy function; it cancels a function
- * running in parallel.
- */
-CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_WaitForSlotEvent waits for a slot event (token insertion,
- * removal, etc.) to occur.
- */
-CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FLAGS flags,        /* blocking/nonblocking flag */
-  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
-  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
-);
-#endif
-
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11go.h b/vendor/github.com/miekg/pkcs11/pkcs11go.h
deleted file mode 100644
index 1b98bad2..00000000
--- a/vendor/github.com/miekg/pkcs11/pkcs11go.h
+++ /dev/null
@@ -1,33 +0,0 @@
-//
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-//
-
-#define CK_PTR *
-#ifndef NULL_PTR
-#define NULL_PTR 0
-#endif
-#define CK_DEFINE_FUNCTION(returnType, name) returnType name
-#define CK_DECLARE_FUNCTION(returnType, name) returnType name
-#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
-#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
-
-#include <unistd.h>
-#ifdef PACKED_STRUCTURES
-# pragma pack(push, 1)
-# include "pkcs11.h"
-# pragma pack(pop)
-#else
-# include "pkcs11.h"
-#endif
-
-// Copy of CK_INFO but with default alignment (not packed). Go hides unaligned
-// struct fields so copying to an aligned struct is necessary to read CK_INFO
-// from Go on Windows where packing is required.
-typedef struct ckInfo {
-	CK_VERSION cryptokiVersion;
-	CK_UTF8CHAR manufacturerID[32];
-	CK_FLAGS flags;
-	CK_UTF8CHAR libraryDescription[32];
-	CK_VERSION libraryVersion;
-} ckInfo, *ckInfoPtr;
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11t.h b/vendor/github.com/miekg/pkcs11/pkcs11t.h
deleted file mode 100644
index 321c3075..00000000
--- a/vendor/github.com/miekg/pkcs11/pkcs11t.h
+++ /dev/null
@@ -1,2047 +0,0 @@
-/* Copyright (c) OASIS Open 2016. All Rights Reserved./
- * /Distributed under the terms of the OASIS IPR Policy,
- * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
- * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
- */
-        
-/* Latest version of the specification:
- * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
- */
-
-/* See top of pkcs11.h for information about the macros that
- * must be defined and the structure-packing conventions that
- * must be set before including this file.
- */
-
-#ifndef _PKCS11T_H_
-#define _PKCS11T_H_ 1
-
-#define CRYPTOKI_VERSION_MAJOR          2
-#define CRYPTOKI_VERSION_MINOR          40
-#define CRYPTOKI_VERSION_AMENDMENT      0
-
-#define CK_TRUE         1
-#define CK_FALSE        0
-
-#ifndef CK_DISABLE_TRUE_FALSE
-#ifndef FALSE
-#define FALSE CK_FALSE
-#endif
-#ifndef TRUE
-#define TRUE CK_TRUE
-#endif
-#endif
-
-/* an unsigned 8-bit value */
-typedef unsigned char     CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE           CK_CHAR;
-
-/* an 8-bit UTF-8 character */
-typedef CK_BYTE           CK_UTF8CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE           CK_BBOOL;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-typedef long int          CK_LONG;
-
-/* at least 32 bits; each bit is a Boolean flag */
-typedef CK_ULONG          CK_FLAGS;
-
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION      (~0UL)
-#define CK_EFFECTIVELY_INFINITE         0UL
-
-
-typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
-typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
-typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
-typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
-typedef void        CK_PTR   CK_VOID_PTR;
-
-/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-
-
-/* The following value is always invalid if used as a session
- * handle or object handle
- */
-#define CK_INVALID_HANDLE       0UL
-
-
-typedef struct CK_VERSION {
-  CK_BYTE       major;  /* integer portion of version number */
-  CK_BYTE       minor;  /* 1/100ths portion of version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-
-
-typedef struct CK_INFO {
-  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_FLAGS      flags;               /* must be zero */
-  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
-  CK_VERSION    libraryVersion;          /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR    CK_INFO_PTR;
-
-
-/* CK_NOTIFICATION enumerates the types of notifications that
- * Cryptoki provides to an application
- */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER           0UL
-#define CKN_OTP_CHANGED         1UL
-
-typedef CK_ULONG          CK_SLOT_ID;
-
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot */
-typedef struct CK_SLOT_INFO {
-  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
-  CK_FLAGS      flags;
-
-  CK_VERSION    hardwareVersion;  /* version of hardware */
-  CK_VERSION    firmwareVersion;  /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag              Mask        Meaning
- */
-#define CKF_TOKEN_PRESENT     0x00000001UL  /* a token is there */
-#define CKF_REMOVABLE_DEVICE  0x00000002UL  /* removable devices*/
-#define CKF_HW_SLOT           0x00000004UL  /* hardware slot */
-
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token */
-typedef struct CK_TOKEN_INFO {
-  CK_UTF8CHAR   label[32];           /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_UTF8CHAR   model[16];           /* blank padded */
-  CK_CHAR       serialNumber[16];    /* blank padded */
-  CK_FLAGS      flags;               /* see below */
-
-  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
-  CK_ULONG      ulSessionCount;        /* sess. now open */
-  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
-  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
-  CK_ULONG      ulMaxPinLen;           /* in bytes */
-  CK_ULONG      ulMinPinLen;           /* in bytes */
-  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
-  CK_ULONG      ulFreePublicMemory;    /* in bytes */
-  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
-  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
-  CK_VERSION    hardwareVersion;       /* version of hardware */
-  CK_VERSION    firmwareVersion;       /* version of firmware */
-  CK_CHAR       utcTime[16];           /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- *      Bit Flag                    Mask        Meaning
- */
-#define CKF_RNG                     0x00000001UL  /* has random # generator */
-#define CKF_WRITE_PROTECTED         0x00000002UL  /* token is write-protected */
-#define CKF_LOGIN_REQUIRED          0x00000004UL  /* user must login */
-#define CKF_USER_PIN_INITIALIZED    0x00000008UL  /* normal user's PIN is set */
-
-/* CKF_RESTORE_KEY_NOT_NEEDED.  If it is set,
- * that means that *every* time the state of cryptographic
- * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state
- */
-#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020UL
-
-/* CKF_CLOCK_ON_TOKEN.  If it is set, that means
- * that the token has some sort of clock.  The time on that
- * clock is returned in the token info structure
- */
-#define CKF_CLOCK_ON_TOKEN          0x00000040UL
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH.  If it is
- * set, that means that there is some way for the user to login
- * without sending a PIN through the Cryptoki library itself
- */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
-
-/* CKF_DUAL_CRYPTO_OPERATIONS.  If it is true,
- * that means that a single session with the token can perform
- * dual simultaneous cryptographic operations (digest and
- * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign)
- */
-#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200UL
-
-/* CKF_TOKEN_INITIALIZED. If it is true, the
- * token has been initialized using C_InitializeToken or an
- * equivalent mechanism outside the scope of PKCS #11.
- * Calling C_InitializeToken when this flag is set will cause
- * the token to be reinitialized.
- */
-#define CKF_TOKEN_INITIALIZED       0x00000400UL
-
-/* CKF_SECONDARY_AUTHENTICATION. If it is
- * true, the token supports secondary authentication for
- * private key objects.
- */
-#define CKF_SECONDARY_AUTHENTICATION  0x00000800UL
-
-/* CKF_USER_PIN_COUNT_LOW. If it is true, an
- * incorrect user login PIN has been entered at least once
- * since the last successful authentication.
- */
-#define CKF_USER_PIN_COUNT_LOW       0x00010000UL
-
-/* CKF_USER_PIN_FINAL_TRY. If it is true,
- * supplying an incorrect user PIN will it to become locked.
- */
-#define CKF_USER_PIN_FINAL_TRY       0x00020000UL
-
-/* CKF_USER_PIN_LOCKED. If it is true, the
- * user PIN has been locked. User login to the token is not
- * possible.
- */
-#define CKF_USER_PIN_LOCKED          0x00040000UL
-
-/* CKF_USER_PIN_TO_BE_CHANGED. If it is true,
- * the user PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card.
- */
-#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000UL
-
-/* CKF_SO_PIN_COUNT_LOW. If it is true, an
- * incorrect SO login PIN has been entered at least once since
- * the last successful authentication.
- */
-#define CKF_SO_PIN_COUNT_LOW         0x00100000UL
-
-/* CKF_SO_PIN_FINAL_TRY. If it is true,
- * supplying an incorrect SO PIN will it to become locked.
- */
-#define CKF_SO_PIN_FINAL_TRY         0x00200000UL
-
-/* CKF_SO_PIN_LOCKED. If it is true, the SO
- * PIN has been locked. SO login to the token is not possible.
- */
-#define CKF_SO_PIN_LOCKED            0x00400000UL
-
-/* CKF_SO_PIN_TO_BE_CHANGED. If it is true,
- * the SO PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card.
- */
-#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000UL
-
-#define CKF_ERROR_STATE              0x01000000UL
-
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-
-/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
- * identifies a session
- */
-typedef CK_ULONG          CK_SESSION_HANDLE;
-
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of Cryptoki users */
-typedef CK_ULONG          CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO                  0UL
-/* Normal user */
-#define CKU_USER                1UL
-/* Context specific */
-#define CKU_CONTEXT_SPECIFIC    2UL
-
-/* CK_STATE enumerates the session states */
-typedef CK_ULONG          CK_STATE;
-#define CKS_RO_PUBLIC_SESSION   0UL
-#define CKS_RO_USER_FUNCTIONS   1UL
-#define CKS_RW_PUBLIC_SESSION   2UL
-#define CKS_RW_USER_FUNCTIONS   3UL
-#define CKS_RW_SO_FUNCTIONS     4UL
-
-/* CK_SESSION_INFO provides information about a session */
-typedef struct CK_SESSION_INFO {
-  CK_SLOT_ID    slotID;
-  CK_STATE      state;
-  CK_FLAGS      flags;          /* see below */
-  CK_ULONG      ulDeviceError;  /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table:
- *      Bit Flag                Mask        Meaning
- */
-#define CKF_RW_SESSION          0x00000002UL /* session is r/w */
-#define CKF_SERIAL_SESSION      0x00000004UL /* no parallel    */
-
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object
- */
-typedef CK_ULONG          CK_OBJECT_HANDLE;
-
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or
- * types) of objects that Cryptoki recognizes.  It is defined
- * as follows:
- */
-typedef CK_ULONG          CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-#define CKO_DATA              0x00000000UL
-#define CKO_CERTIFICATE       0x00000001UL
-#define CKO_PUBLIC_KEY        0x00000002UL
-#define CKO_PRIVATE_KEY       0x00000003UL
-#define CKO_SECRET_KEY        0x00000004UL
-#define CKO_HW_FEATURE        0x00000005UL
-#define CKO_DOMAIN_PARAMETERS 0x00000006UL
-#define CKO_MECHANISM         0x00000007UL
-#define CKO_OTP_KEY           0x00000008UL
-
-#define CKO_VENDOR_DEFINED    0x80000000UL
-
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type
- * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE.
- */
-typedef CK_ULONG          CK_HW_FEATURE_TYPE;
-
-/* The following hardware feature types are defined */
-#define CKH_MONOTONIC_COUNTER  0x00000001UL
-#define CKH_CLOCK              0x00000002UL
-#define CKH_USER_INTERFACE     0x00000003UL
-#define CKH_VENDOR_DEFINED     0x80000000UL
-
-/* CK_KEY_TYPE is a value that identifies a key type */
-typedef CK_ULONG          CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA                 0x00000000UL
-#define CKK_DSA                 0x00000001UL
-#define CKK_DH                  0x00000002UL
-#define CKK_ECDSA               0x00000003UL /* Deprecated */
-#define CKK_EC                  0x00000003UL
-#define CKK_X9_42_DH            0x00000004UL
-#define CKK_KEA                 0x00000005UL
-#define CKK_GENERIC_SECRET      0x00000010UL
-#define CKK_RC2                 0x00000011UL
-#define CKK_RC4                 0x00000012UL
-#define CKK_DES                 0x00000013UL
-#define CKK_DES2                0x00000014UL
-#define CKK_DES3                0x00000015UL
-#define CKK_CAST                0x00000016UL
-#define CKK_CAST3               0x00000017UL
-#define CKK_CAST5               0x00000018UL /* Deprecated */
-#define CKK_CAST128             0x00000018UL
-#define CKK_RC5                 0x00000019UL
-#define CKK_IDEA                0x0000001AUL
-#define CKK_SKIPJACK            0x0000001BUL
-#define CKK_BATON               0x0000001CUL
-#define CKK_JUNIPER             0x0000001DUL
-#define CKK_CDMF                0x0000001EUL
-#define CKK_AES                 0x0000001FUL
-#define CKK_BLOWFISH            0x00000020UL
-#define CKK_TWOFISH             0x00000021UL
-#define CKK_SECURID             0x00000022UL
-#define CKK_HOTP                0x00000023UL
-#define CKK_ACTI                0x00000024UL
-#define CKK_CAMELLIA            0x00000025UL
-#define CKK_ARIA                0x00000026UL
-
-#define CKK_MD5_HMAC            0x00000027UL
-#define CKK_SHA_1_HMAC          0x00000028UL
-#define CKK_RIPEMD128_HMAC      0x00000029UL
-#define CKK_RIPEMD160_HMAC      0x0000002AUL
-#define CKK_SHA256_HMAC         0x0000002BUL
-#define CKK_SHA384_HMAC         0x0000002CUL
-#define CKK_SHA512_HMAC         0x0000002DUL
-#define CKK_SHA224_HMAC         0x0000002EUL
-
-#define CKK_SEED                0x0000002FUL
-#define CKK_GOSTR3410           0x00000030UL
-#define CKK_GOSTR3411           0x00000031UL
-#define CKK_GOST28147           0x00000032UL
-
-#define CKK_SHA3_224_HMAC       0x00000033UL
-#define CKK_SHA3_256_HMAC       0x00000034UL
-#define CKK_SHA3_384_HMAC       0x00000035UL
-#define CKK_SHA3_512_HMAC       0x00000036UL
-
-
-
-#define CKK_VENDOR_DEFINED      0x80000000UL
-
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type
- */
-typedef CK_ULONG          CK_CERTIFICATE_TYPE;
-
-#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED     0UL
-#define CK_CERTIFICATE_CATEGORY_TOKEN_USER      1UL
-#define CK_CERTIFICATE_CATEGORY_AUTHORITY       2UL
-#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY    3UL
-
-#define CK_SECURITY_DOMAIN_UNSPECIFIED     0UL
-#define CK_SECURITY_DOMAIN_MANUFACTURER    1UL
-#define CK_SECURITY_DOMAIN_OPERATOR        2UL
-#define CK_SECURITY_DOMAIN_THIRD_PARTY     3UL
-
-
-/* The following certificate types are defined: */
-#define CKC_X_509               0x00000000UL
-#define CKC_X_509_ATTR_CERT     0x00000001UL
-#define CKC_WTLS                0x00000002UL
-#define CKC_VENDOR_DEFINED      0x80000000UL
-
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type
- */
-typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
-
-/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
- * consists of an array of values.
- */
-#define CKF_ARRAY_ATTRIBUTE     0x40000000UL
-
-/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */
-#define CK_OTP_FORMAT_DECIMAL           0UL
-#define CK_OTP_FORMAT_HEXADECIMAL       1UL
-#define CK_OTP_FORMAT_ALPHANUMERIC      2UL
-#define CK_OTP_FORMAT_BINARY            3UL
-
-/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT
- * attributes
- */
-#define CK_OTP_PARAM_IGNORED            0UL
-#define CK_OTP_PARAM_OPTIONAL           1UL
-#define CK_OTP_PARAM_MANDATORY          2UL
-
-/* The following attribute types are defined: */
-#define CKA_CLASS              0x00000000UL
-#define CKA_TOKEN              0x00000001UL
-#define CKA_PRIVATE            0x00000002UL
-#define CKA_LABEL              0x00000003UL
-#define CKA_APPLICATION        0x00000010UL
-#define CKA_VALUE              0x00000011UL
-#define CKA_OBJECT_ID          0x00000012UL
-#define CKA_CERTIFICATE_TYPE   0x00000080UL
-#define CKA_ISSUER             0x00000081UL
-#define CKA_SERIAL_NUMBER      0x00000082UL
-#define CKA_AC_ISSUER          0x00000083UL
-#define CKA_OWNER              0x00000084UL
-#define CKA_ATTR_TYPES         0x00000085UL
-#define CKA_TRUSTED            0x00000086UL
-#define CKA_CERTIFICATE_CATEGORY        0x00000087UL
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088UL
-#define CKA_URL                         0x00000089UL
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008AUL
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008BUL
-#define CKA_NAME_HASH_ALGORITHM         0x0000008CUL
-#define CKA_CHECK_VALUE                 0x00000090UL
-
-#define CKA_KEY_TYPE           0x00000100UL
-#define CKA_SUBJECT            0x00000101UL
-#define CKA_ID                 0x00000102UL
-#define CKA_SENSITIVE          0x00000103UL
-#define CKA_ENCRYPT            0x00000104UL
-#define CKA_DECRYPT            0x00000105UL
-#define CKA_WRAP               0x00000106UL
-#define CKA_UNWRAP             0x00000107UL
-#define CKA_SIGN               0x00000108UL
-#define CKA_SIGN_RECOVER       0x00000109UL
-#define CKA_VERIFY             0x0000010AUL
-#define CKA_VERIFY_RECOVER     0x0000010BUL
-#define CKA_DERIVE             0x0000010CUL
-#define CKA_START_DATE         0x00000110UL
-#define CKA_END_DATE           0x00000111UL
-#define CKA_MODULUS            0x00000120UL
-#define CKA_MODULUS_BITS       0x00000121UL
-#define CKA_PUBLIC_EXPONENT    0x00000122UL
-#define CKA_PRIVATE_EXPONENT   0x00000123UL
-#define CKA_PRIME_1            0x00000124UL
-#define CKA_PRIME_2            0x00000125UL
-#define CKA_EXPONENT_1         0x00000126UL
-#define CKA_EXPONENT_2         0x00000127UL
-#define CKA_COEFFICIENT        0x00000128UL
-#define CKA_PUBLIC_KEY_INFO    0x00000129UL
-#define CKA_PRIME              0x00000130UL
-#define CKA_SUBPRIME           0x00000131UL
-#define CKA_BASE               0x00000132UL
-
-#define CKA_PRIME_BITS         0x00000133UL
-#define CKA_SUBPRIME_BITS      0x00000134UL
-#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
-
-#define CKA_VALUE_BITS         0x00000160UL
-#define CKA_VALUE_LEN          0x00000161UL
-#define CKA_EXTRACTABLE        0x00000162UL
-#define CKA_LOCAL              0x00000163UL
-#define CKA_NEVER_EXTRACTABLE  0x00000164UL
-#define CKA_ALWAYS_SENSITIVE   0x00000165UL
-#define CKA_KEY_GEN_MECHANISM  0x00000166UL
-
-#define CKA_MODIFIABLE         0x00000170UL
-#define CKA_COPYABLE           0x00000171UL
-
-#define CKA_DESTROYABLE        0x00000172UL
-
-#define CKA_ECDSA_PARAMS       0x00000180UL /* Deprecated */
-#define CKA_EC_PARAMS          0x00000180UL
-
-#define CKA_EC_POINT           0x00000181UL
-
-#define CKA_SECONDARY_AUTH     0x00000200UL /* Deprecated */
-#define CKA_AUTH_PIN_FLAGS     0x00000201UL /* Deprecated */
-
-#define CKA_ALWAYS_AUTHENTICATE  0x00000202UL
-
-#define CKA_WRAP_WITH_TRUSTED    0x00000210UL
-#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
-#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212UL)
-#define CKA_DERIVE_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000213UL)
-
-#define CKA_OTP_FORMAT                0x00000220UL
-#define CKA_OTP_LENGTH                0x00000221UL
-#define CKA_OTP_TIME_INTERVAL         0x00000222UL
-#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223UL
-#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL
-#define CKA_OTP_TIME_REQUIREMENT      0x00000225UL
-#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226UL
-#define CKA_OTP_PIN_REQUIREMENT       0x00000227UL
-#define CKA_OTP_COUNTER               0x0000022EUL
-#define CKA_OTP_TIME                  0x0000022FUL
-#define CKA_OTP_USER_IDENTIFIER       0x0000022AUL
-#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022BUL
-#define CKA_OTP_SERVICE_LOGO          0x0000022CUL
-#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022DUL
-
-#define CKA_GOSTR3410_PARAMS            0x00000250UL
-#define CKA_GOSTR3411_PARAMS            0x00000251UL
-#define CKA_GOST28147_PARAMS            0x00000252UL
-
-#define CKA_HW_FEATURE_TYPE             0x00000300UL
-#define CKA_RESET_ON_INIT               0x00000301UL
-#define CKA_HAS_RESET                   0x00000302UL
-
-#define CKA_PIXEL_X                     0x00000400UL
-#define CKA_PIXEL_Y                     0x00000401UL
-#define CKA_RESOLUTION                  0x00000402UL
-#define CKA_CHAR_ROWS                   0x00000403UL
-#define CKA_CHAR_COLUMNS                0x00000404UL
-#define CKA_COLOR                       0x00000405UL
-#define CKA_BITS_PER_PIXEL              0x00000406UL
-#define CKA_CHAR_SETS                   0x00000480UL
-#define CKA_ENCODING_METHODS            0x00000481UL
-#define CKA_MIME_TYPES                  0x00000482UL
-#define CKA_MECHANISM_TYPE              0x00000500UL
-#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501UL
-#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502UL
-#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503UL
-#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600UL)
-
-#define CKA_VENDOR_DEFINED              0x80000000UL
-
-/* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute
- */
-typedef struct CK_ATTRIBUTE {
-  CK_ATTRIBUTE_TYPE type;
-  CK_VOID_PTR       pValue;
-  CK_ULONG          ulValueLen;  /* in bytes */
-} CK_ATTRIBUTE;
-
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-/* CK_DATE is a structure that defines a date */
-typedef struct CK_DATE{
-  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
-  CK_CHAR       month[2];  /* the month ("01" - "12") */
-  CK_CHAR       day[2];    /* the day   ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type
- */
-typedef CK_ULONG          CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000UL
-#define CKM_RSA_PKCS                   0x00000001UL
-#define CKM_RSA_9796                   0x00000002UL
-#define CKM_RSA_X_509                  0x00000003UL
-
-#define CKM_MD2_RSA_PKCS               0x00000004UL
-#define CKM_MD5_RSA_PKCS               0x00000005UL
-#define CKM_SHA1_RSA_PKCS              0x00000006UL
-
-#define CKM_RIPEMD128_RSA_PKCS         0x00000007UL
-#define CKM_RIPEMD160_RSA_PKCS         0x00000008UL
-#define CKM_RSA_PKCS_OAEP              0x00000009UL
-
-#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000AUL
-#define CKM_RSA_X9_31                  0x0000000BUL
-#define CKM_SHA1_RSA_X9_31             0x0000000CUL
-#define CKM_RSA_PKCS_PSS               0x0000000DUL
-#define CKM_SHA1_RSA_PKCS_PSS          0x0000000EUL
-
-#define CKM_DSA_KEY_PAIR_GEN           0x00000010UL
-#define CKM_DSA                        0x00000011UL
-#define CKM_DSA_SHA1                   0x00000012UL
-#define CKM_DSA_SHA224                 0x00000013UL
-#define CKM_DSA_SHA256                 0x00000014UL
-#define CKM_DSA_SHA384                 0x00000015UL
-#define CKM_DSA_SHA512                 0x00000016UL
-#define CKM_DSA_SHA3_224               0x00000018UL
-#define CKM_DSA_SHA3_256               0x00000019UL
-#define CKM_DSA_SHA3_384               0x0000001AUL
-#define CKM_DSA_SHA3_512               0x0000001BUL
-
-#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020UL
-#define CKM_DH_PKCS_DERIVE             0x00000021UL
-
-#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030UL
-#define CKM_X9_42_DH_DERIVE            0x00000031UL
-#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032UL
-#define CKM_X9_42_MQV_DERIVE           0x00000033UL
-
-#define CKM_SHA256_RSA_PKCS            0x00000040UL
-#define CKM_SHA384_RSA_PKCS            0x00000041UL
-#define CKM_SHA512_RSA_PKCS            0x00000042UL
-#define CKM_SHA256_RSA_PKCS_PSS        0x00000043UL
-#define CKM_SHA384_RSA_PKCS_PSS        0x00000044UL
-#define CKM_SHA512_RSA_PKCS_PSS        0x00000045UL
-
-#define CKM_SHA224_RSA_PKCS            0x00000046UL
-#define CKM_SHA224_RSA_PKCS_PSS        0x00000047UL
-
-#define CKM_SHA512_224                 0x00000048UL
-#define CKM_SHA512_224_HMAC            0x00000049UL
-#define CKM_SHA512_224_HMAC_GENERAL    0x0000004AUL
-#define CKM_SHA512_224_KEY_DERIVATION  0x0000004BUL
-#define CKM_SHA512_256                 0x0000004CUL
-#define CKM_SHA512_256_HMAC            0x0000004DUL
-#define CKM_SHA512_256_HMAC_GENERAL    0x0000004EUL
-#define CKM_SHA512_256_KEY_DERIVATION  0x0000004FUL
-
-#define CKM_SHA512_T                   0x00000050UL
-#define CKM_SHA512_T_HMAC              0x00000051UL
-#define CKM_SHA512_T_HMAC_GENERAL      0x00000052UL
-#define CKM_SHA512_T_KEY_DERIVATION    0x00000053UL
-
-#define CKM_SHA3_256_RSA_PKCS          0x00000060UL
-#define CKM_SHA3_384_RSA_PKCS          0x00000061UL
-#define CKM_SHA3_512_RSA_PKCS          0x00000062UL
-#define CKM_SHA3_256_RSA_PKCS_PSS      0x00000063UL
-#define CKM_SHA3_384_RSA_PKCS_PSS      0x00000064UL
-#define CKM_SHA3_512_RSA_PKCS_PSS      0x00000065UL
-#define CKM_SHA3_224_RSA_PKCS          0x00000066UL
-#define CKM_SHA3_224_RSA_PKCS_PSS      0x00000067UL
-
-#define CKM_RC2_KEY_GEN                0x00000100UL
-#define CKM_RC2_ECB                    0x00000101UL
-#define CKM_RC2_CBC                    0x00000102UL
-#define CKM_RC2_MAC                    0x00000103UL
-
-#define CKM_RC2_MAC_GENERAL            0x00000104UL
-#define CKM_RC2_CBC_PAD                0x00000105UL
-
-#define CKM_RC4_KEY_GEN                0x00000110UL
-#define CKM_RC4                        0x00000111UL
-#define CKM_DES_KEY_GEN                0x00000120UL
-#define CKM_DES_ECB                    0x00000121UL
-#define CKM_DES_CBC                    0x00000122UL
-#define CKM_DES_MAC                    0x00000123UL
-
-#define CKM_DES_MAC_GENERAL            0x00000124UL
-#define CKM_DES_CBC_PAD                0x00000125UL
-
-#define CKM_DES2_KEY_GEN               0x00000130UL
-#define CKM_DES3_KEY_GEN               0x00000131UL
-#define CKM_DES3_ECB                   0x00000132UL
-#define CKM_DES3_CBC                   0x00000133UL
-#define CKM_DES3_MAC                   0x00000134UL
-
-#define CKM_DES3_MAC_GENERAL           0x00000135UL
-#define CKM_DES3_CBC_PAD               0x00000136UL
-#define CKM_DES3_CMAC_GENERAL          0x00000137UL
-#define CKM_DES3_CMAC                  0x00000138UL
-#define CKM_CDMF_KEY_GEN               0x00000140UL
-#define CKM_CDMF_ECB                   0x00000141UL
-#define CKM_CDMF_CBC                   0x00000142UL
-#define CKM_CDMF_MAC                   0x00000143UL
-#define CKM_CDMF_MAC_GENERAL           0x00000144UL
-#define CKM_CDMF_CBC_PAD               0x00000145UL
-
-#define CKM_DES_OFB64                  0x00000150UL
-#define CKM_DES_OFB8                   0x00000151UL
-#define CKM_DES_CFB64                  0x00000152UL
-#define CKM_DES_CFB8                   0x00000153UL
-
-#define CKM_MD2                        0x00000200UL
-
-#define CKM_MD2_HMAC                   0x00000201UL
-#define CKM_MD2_HMAC_GENERAL           0x00000202UL
-
-#define CKM_MD5                        0x00000210UL
-
-#define CKM_MD5_HMAC                   0x00000211UL
-#define CKM_MD5_HMAC_GENERAL           0x00000212UL
-
-#define CKM_SHA_1                      0x00000220UL
-
-#define CKM_SHA_1_HMAC                 0x00000221UL
-#define CKM_SHA_1_HMAC_GENERAL         0x00000222UL
-
-#define CKM_RIPEMD128                  0x00000230UL
-#define CKM_RIPEMD128_HMAC             0x00000231UL
-#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232UL
-#define CKM_RIPEMD160                  0x00000240UL
-#define CKM_RIPEMD160_HMAC             0x00000241UL
-#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242UL
-
-#define CKM_SHA256                     0x00000250UL
-#define CKM_SHA256_HMAC                0x00000251UL
-#define CKM_SHA256_HMAC_GENERAL        0x00000252UL
-#define CKM_SHA224                     0x00000255UL
-#define CKM_SHA224_HMAC                0x00000256UL
-#define CKM_SHA224_HMAC_GENERAL        0x00000257UL
-#define CKM_SHA384                     0x00000260UL
-#define CKM_SHA384_HMAC                0x00000261UL
-#define CKM_SHA384_HMAC_GENERAL        0x00000262UL
-#define CKM_SHA512                     0x00000270UL
-#define CKM_SHA512_HMAC                0x00000271UL
-#define CKM_SHA512_HMAC_GENERAL        0x00000272UL
-#define CKM_SECURID_KEY_GEN            0x00000280UL
-#define CKM_SECURID                    0x00000282UL
-#define CKM_HOTP_KEY_GEN               0x00000290UL
-#define CKM_HOTP                       0x00000291UL
-#define CKM_ACTI                       0x000002A0UL
-#define CKM_ACTI_KEY_GEN               0x000002A1UL
-
-#define CKM_SHA3_256                   0x000002B0UL
-#define CKM_SHA3_256_HMAC              0x000002B1UL
-#define CKM_SHA3_256_HMAC_GENERAL      0x000002B2UL
-#define CKM_SHA3_256_KEY_GEN           0x000002B3UL
-#define CKM_SHA3_224                   0x000002B5UL
-#define CKM_SHA3_224_HMAC              0x000002B6UL
-#define CKM_SHA3_224_HMAC_GENERAL      0x000002B7UL
-#define CKM_SHA3_224_KEY_GEN           0x000002B8UL
-#define CKM_SHA3_384                   0x000002C0UL
-#define CKM_SHA3_384_HMAC              0x000002C1UL
-#define CKM_SHA3_384_HMAC_GENERAL      0x000002C2UL
-#define CKM_SHA3_384_KEY_GEN           0x000002C3UL
-#define CKM_SHA3_512                   0x000002D0UL
-#define CKM_SHA3_512_HMAC              0x000002D1UL
-#define CKM_SHA3_512_HMAC_GENERAL      0x000002D2UL
-#define CKM_SHA3_512_KEY_GEN           0x000002D3UL
-
-#define CKM_CAST_KEY_GEN               0x00000300UL
-#define CKM_CAST_ECB                   0x00000301UL
-#define CKM_CAST_CBC                   0x00000302UL
-#define CKM_CAST_MAC                   0x00000303UL
-#define CKM_CAST_MAC_GENERAL           0x00000304UL
-#define CKM_CAST_CBC_PAD               0x00000305UL
-#define CKM_CAST3_KEY_GEN              0x00000310UL
-#define CKM_CAST3_ECB                  0x00000311UL
-#define CKM_CAST3_CBC                  0x00000312UL
-#define CKM_CAST3_MAC                  0x00000313UL
-#define CKM_CAST3_MAC_GENERAL          0x00000314UL
-#define CKM_CAST3_CBC_PAD              0x00000315UL
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST5_KEY_GEN              0x00000320UL
-#define CKM_CAST128_KEY_GEN            0x00000320UL
-#define CKM_CAST5_ECB                  0x00000321UL
-#define CKM_CAST128_ECB                0x00000321UL
-#define CKM_CAST5_CBC                  0x00000322UL /* Deprecated */
-#define CKM_CAST128_CBC                0x00000322UL
-#define CKM_CAST5_MAC                  0x00000323UL /* Deprecated */
-#define CKM_CAST128_MAC                0x00000323UL
-#define CKM_CAST5_MAC_GENERAL          0x00000324UL /* Deprecated */
-#define CKM_CAST128_MAC_GENERAL        0x00000324UL
-#define CKM_CAST5_CBC_PAD              0x00000325UL /* Deprecated */
-#define CKM_CAST128_CBC_PAD            0x00000325UL
-#define CKM_RC5_KEY_GEN                0x00000330UL
-#define CKM_RC5_ECB                    0x00000331UL
-#define CKM_RC5_CBC                    0x00000332UL
-#define CKM_RC5_MAC                    0x00000333UL
-#define CKM_RC5_MAC_GENERAL            0x00000334UL
-#define CKM_RC5_CBC_PAD                0x00000335UL
-#define CKM_IDEA_KEY_GEN               0x00000340UL
-#define CKM_IDEA_ECB                   0x00000341UL
-#define CKM_IDEA_CBC                   0x00000342UL
-#define CKM_IDEA_MAC                   0x00000343UL
-#define CKM_IDEA_MAC_GENERAL           0x00000344UL
-#define CKM_IDEA_CBC_PAD               0x00000345UL
-#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350UL
-#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360UL
-#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362UL
-#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363UL
-#define CKM_XOR_BASE_AND_DATA          0x00000364UL
-#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365UL
-#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370UL
-#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371UL
-#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372UL
-
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373UL
-#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374UL
-#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375UL
-#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376UL
-#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377UL
-
-#define CKM_TLS_PRF                    0x00000378UL
-
-#define CKM_SSL3_MD5_MAC               0x00000380UL
-#define CKM_SSL3_SHA1_MAC              0x00000381UL
-#define CKM_MD5_KEY_DERIVATION         0x00000390UL
-#define CKM_MD2_KEY_DERIVATION         0x00000391UL
-#define CKM_SHA1_KEY_DERIVATION        0x00000392UL
-
-#define CKM_SHA256_KEY_DERIVATION      0x00000393UL
-#define CKM_SHA384_KEY_DERIVATION      0x00000394UL
-#define CKM_SHA512_KEY_DERIVATION      0x00000395UL
-#define CKM_SHA224_KEY_DERIVATION      0x00000396UL
-#define CKM_SHA3_256_KEY_DERIVE        0x00000397UL
-#define CKM_SHA3_224_KEY_DERIVE        0x00000398UL
-#define CKM_SHA3_384_KEY_DERIVE        0x00000399UL
-#define CKM_SHA3_512_KEY_DERIVE        0x0000039AUL
-#define CKM_SHAKE_128_KEY_DERIVE       0x0000039BUL
-#define CKM_SHAKE_256_KEY_DERIVE       0x0000039CUL
-
-#define CKM_PBE_MD2_DES_CBC            0x000003A0UL
-#define CKM_PBE_MD5_DES_CBC            0x000003A1UL
-#define CKM_PBE_MD5_CAST_CBC           0x000003A2UL
-#define CKM_PBE_MD5_CAST3_CBC          0x000003A3UL
-#define CKM_PBE_MD5_CAST5_CBC          0x000003A4UL /* Deprecated */
-#define CKM_PBE_MD5_CAST128_CBC        0x000003A4UL
-#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5UL /* Deprecated */
-#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5UL
-#define CKM_PBE_SHA1_RC4_128           0x000003A6UL
-#define CKM_PBE_SHA1_RC4_40            0x000003A7UL
-#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8UL
-#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9UL
-#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AAUL
-#define CKM_PBE_SHA1_RC2_40_CBC        0x000003ABUL
-
-#define CKM_PKCS5_PBKD2                0x000003B0UL
-
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0UL
-
-#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0UL
-#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1UL
-#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2UL
-#define CKM_WTLS_PRF                        0x000003D3UL
-#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4UL
-#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5UL
-
-#define CKM_TLS10_MAC_SERVER                0x000003D6UL
-#define CKM_TLS10_MAC_CLIENT                0x000003D7UL
-#define CKM_TLS12_MAC                       0x000003D8UL
-#define CKM_TLS12_KDF                       0x000003D9UL
-#define CKM_TLS12_MASTER_KEY_DERIVE         0x000003E0UL
-#define CKM_TLS12_KEY_AND_MAC_DERIVE        0x000003E1UL
-#define CKM_TLS12_MASTER_KEY_DERIVE_DH      0x000003E2UL
-#define CKM_TLS12_KEY_SAFE_DERIVE           0x000003E3UL
-#define CKM_TLS_MAC                         0x000003E4UL
-#define CKM_TLS_KDF                         0x000003E5UL
-
-#define CKM_KEY_WRAP_LYNKS             0x00000400UL
-#define CKM_KEY_WRAP_SET_OAEP          0x00000401UL
-
-#define CKM_CMS_SIG                    0x00000500UL
-#define CKM_KIP_DERIVE                 0x00000510UL
-#define CKM_KIP_WRAP                   0x00000511UL
-#define CKM_KIP_MAC                    0x00000512UL
-
-#define CKM_CAMELLIA_KEY_GEN           0x00000550UL
-#define CKM_CAMELLIA_ECB               0x00000551UL
-#define CKM_CAMELLIA_CBC               0x00000552UL
-#define CKM_CAMELLIA_MAC               0x00000553UL
-#define CKM_CAMELLIA_MAC_GENERAL       0x00000554UL
-#define CKM_CAMELLIA_CBC_PAD           0x00000555UL
-#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556UL
-#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557UL
-#define CKM_CAMELLIA_CTR               0x00000558UL
-
-#define CKM_ARIA_KEY_GEN               0x00000560UL
-#define CKM_ARIA_ECB                   0x00000561UL
-#define CKM_ARIA_CBC                   0x00000562UL
-#define CKM_ARIA_MAC                   0x00000563UL
-#define CKM_ARIA_MAC_GENERAL           0x00000564UL
-#define CKM_ARIA_CBC_PAD               0x00000565UL
-#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566UL
-#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567UL
-
-#define CKM_SEED_KEY_GEN               0x00000650UL
-#define CKM_SEED_ECB                   0x00000651UL
-#define CKM_SEED_CBC                   0x00000652UL
-#define CKM_SEED_MAC                   0x00000653UL
-#define CKM_SEED_MAC_GENERAL           0x00000654UL
-#define CKM_SEED_CBC_PAD               0x00000655UL
-#define CKM_SEED_ECB_ENCRYPT_DATA      0x00000656UL
-#define CKM_SEED_CBC_ENCRYPT_DATA      0x00000657UL
-
-#define CKM_SKIPJACK_KEY_GEN           0x00001000UL
-#define CKM_SKIPJACK_ECB64             0x00001001UL
-#define CKM_SKIPJACK_CBC64             0x00001002UL
-#define CKM_SKIPJACK_OFB64             0x00001003UL
-#define CKM_SKIPJACK_CFB64             0x00001004UL
-#define CKM_SKIPJACK_CFB32             0x00001005UL
-#define CKM_SKIPJACK_CFB16             0x00001006UL
-#define CKM_SKIPJACK_CFB8              0x00001007UL
-#define CKM_SKIPJACK_WRAP              0x00001008UL
-#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009UL
-#define CKM_SKIPJACK_RELAYX            0x0000100aUL
-#define CKM_KEA_KEY_PAIR_GEN           0x00001010UL
-#define CKM_KEA_KEY_DERIVE             0x00001011UL
-#define CKM_KEA_DERIVE                 0x00001012UL
-#define CKM_FORTEZZA_TIMESTAMP         0x00001020UL
-#define CKM_BATON_KEY_GEN              0x00001030UL
-#define CKM_BATON_ECB128               0x00001031UL
-#define CKM_BATON_ECB96                0x00001032UL
-#define CKM_BATON_CBC128               0x00001033UL
-#define CKM_BATON_COUNTER              0x00001034UL
-#define CKM_BATON_SHUFFLE              0x00001035UL
-#define CKM_BATON_WRAP                 0x00001036UL
-
-#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040UL /* Deprecated */
-#define CKM_EC_KEY_PAIR_GEN            0x00001040UL
-
-#define CKM_ECDSA                      0x00001041UL
-#define CKM_ECDSA_SHA1                 0x00001042UL
-#define CKM_ECDSA_SHA224               0x00001043UL
-#define CKM_ECDSA_SHA256               0x00001044UL
-#define CKM_ECDSA_SHA384               0x00001045UL
-#define CKM_ECDSA_SHA512               0x00001046UL
-
-#define CKM_ECDH1_DERIVE               0x00001050UL
-#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051UL
-#define CKM_ECMQV_DERIVE               0x00001052UL
-
-#define CKM_ECDH_AES_KEY_WRAP          0x00001053UL
-#define CKM_RSA_AES_KEY_WRAP           0x00001054UL
-
-#define CKM_JUNIPER_KEY_GEN            0x00001060UL
-#define CKM_JUNIPER_ECB128             0x00001061UL
-#define CKM_JUNIPER_CBC128             0x00001062UL
-#define CKM_JUNIPER_COUNTER            0x00001063UL
-#define CKM_JUNIPER_SHUFFLE            0x00001064UL
-#define CKM_JUNIPER_WRAP               0x00001065UL
-#define CKM_FASTHASH                   0x00001070UL
-
-#define CKM_AES_KEY_GEN                0x00001080UL
-#define CKM_AES_ECB                    0x00001081UL
-#define CKM_AES_CBC                    0x00001082UL
-#define CKM_AES_MAC                    0x00001083UL
-#define CKM_AES_MAC_GENERAL            0x00001084UL
-#define CKM_AES_CBC_PAD                0x00001085UL
-#define CKM_AES_CTR                    0x00001086UL
-#define CKM_AES_GCM                    0x00001087UL
-#define CKM_AES_CCM                    0x00001088UL
-#define CKM_AES_CTS                    0x00001089UL
-#define CKM_AES_CMAC                   0x0000108AUL
-#define CKM_AES_CMAC_GENERAL           0x0000108BUL
-
-#define CKM_AES_XCBC_MAC               0x0000108CUL
-#define CKM_AES_XCBC_MAC_96            0x0000108DUL
-#define CKM_AES_GMAC                   0x0000108EUL
-
-#define CKM_BLOWFISH_KEY_GEN           0x00001090UL
-#define CKM_BLOWFISH_CBC               0x00001091UL
-#define CKM_TWOFISH_KEY_GEN            0x00001092UL
-#define CKM_TWOFISH_CBC                0x00001093UL
-#define CKM_BLOWFISH_CBC_PAD           0x00001094UL
-#define CKM_TWOFISH_CBC_PAD            0x00001095UL
-
-#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100UL
-#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101UL
-#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102UL
-#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103UL
-#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104UL
-#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105UL
-
-#define CKM_GOSTR3410_KEY_PAIR_GEN     0x00001200UL
-#define CKM_GOSTR3410                  0x00001201UL
-#define CKM_GOSTR3410_WITH_GOSTR3411   0x00001202UL
-#define CKM_GOSTR3410_KEY_WRAP         0x00001203UL
-#define CKM_GOSTR3410_DERIVE           0x00001204UL
-#define CKM_GOSTR3411                  0x00001210UL
-#define CKM_GOSTR3411_HMAC             0x00001211UL
-#define CKM_GOST28147_KEY_GEN          0x00001220UL
-#define CKM_GOST28147_ECB              0x00001221UL
-#define CKM_GOST28147                  0x00001222UL
-#define CKM_GOST28147_MAC              0x00001223UL
-#define CKM_GOST28147_KEY_WRAP         0x00001224UL
-
-#define CKM_DSA_PARAMETER_GEN          0x00002000UL
-#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001UL
-#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002UL
-#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN    0x00002003UL
-#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN    0x00002004UL
-
-#define CKM_AES_OFB                    0x00002104UL
-#define CKM_AES_CFB64                  0x00002105UL
-#define CKM_AES_CFB8                   0x00002106UL
-#define CKM_AES_CFB128                 0x00002107UL
-
-#define CKM_AES_CFB1                   0x00002108UL
-#define CKM_AES_KEY_WRAP               0x00002109UL     /* WAS: 0x00001090 */
-#define CKM_AES_KEY_WRAP_PAD           0x0000210AUL     /* WAS: 0x00001091 */
-
-#define CKM_RSA_PKCS_TPM_1_1           0x00004001UL
-#define CKM_RSA_PKCS_OAEP_TPM_1_1      0x00004002UL
-
-#define CKM_VENDOR_DEFINED             0x80000000UL
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism
- */
-typedef struct CK_MECHANISM {
-  CK_MECHANISM_TYPE mechanism;
-  CK_VOID_PTR       pParameter;
-  CK_ULONG          ulParameterLen;  /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism
- */
-typedef struct CK_MECHANISM_INFO {
-    CK_ULONG    ulMinKeySize;
-    CK_ULONG    ulMaxKeySize;
-    CK_FLAGS    flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- *      Bit Flag               Mask          Meaning */
-#define CKF_HW                 0x00000001UL  /* performed by HW */
-
-/* Specify whether or not a mechanism can be used for a particular task */
-#define CKF_ENCRYPT            0x00000100UL
-#define CKF_DECRYPT            0x00000200UL
-#define CKF_DIGEST             0x00000400UL
-#define CKF_SIGN               0x00000800UL
-#define CKF_SIGN_RECOVER       0x00001000UL
-#define CKF_VERIFY             0x00002000UL
-#define CKF_VERIFY_RECOVER     0x00004000UL
-#define CKF_GENERATE           0x00008000UL
-#define CKF_GENERATE_KEY_PAIR  0x00010000UL
-#define CKF_WRAP               0x00020000UL
-#define CKF_UNWRAP             0x00040000UL
-#define CKF_DERIVE             0x00080000UL
-
-/* Describe a token's EC capabilities not available in mechanism
- * information.
- */
-#define CKF_EC_F_P             0x00100000UL
-#define CKF_EC_F_2M            0x00200000UL
-#define CKF_EC_ECPARAMETERS    0x00400000UL
-#define CKF_EC_NAMEDCURVE      0x00800000UL
-#define CKF_EC_UNCOMPRESS      0x01000000UL
-#define CKF_EC_COMPRESS        0x02000000UL
-
-#define CKF_EXTENSION          0x80000000UL
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-/* CK_RV is a value that identifies the return value of a
- * Cryptoki function
- */
-typedef CK_ULONG          CK_RV;
-
-#define CKR_OK                                0x00000000UL
-#define CKR_CANCEL                            0x00000001UL
-#define CKR_HOST_MEMORY                       0x00000002UL
-#define CKR_SLOT_ID_INVALID                   0x00000003UL
-
-#define CKR_GENERAL_ERROR                     0x00000005UL
-#define CKR_FUNCTION_FAILED                   0x00000006UL
-
-#define CKR_ARGUMENTS_BAD                     0x00000007UL
-#define CKR_NO_EVENT                          0x00000008UL
-#define CKR_NEED_TO_CREATE_THREADS            0x00000009UL
-#define CKR_CANT_LOCK                         0x0000000AUL
-
-#define CKR_ATTRIBUTE_READ_ONLY               0x00000010UL
-#define CKR_ATTRIBUTE_SENSITIVE               0x00000011UL
-#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012UL
-#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013UL
-
-#define CKR_ACTION_PROHIBITED                 0x0000001BUL
-
-#define CKR_DATA_INVALID                      0x00000020UL
-#define CKR_DATA_LEN_RANGE                    0x00000021UL
-#define CKR_DEVICE_ERROR                      0x00000030UL
-#define CKR_DEVICE_MEMORY                     0x00000031UL
-#define CKR_DEVICE_REMOVED                    0x00000032UL
-#define CKR_ENCRYPTED_DATA_INVALID            0x00000040UL
-#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041UL
-#define CKR_FUNCTION_CANCELED                 0x00000050UL
-#define CKR_FUNCTION_NOT_PARALLEL             0x00000051UL
-
-#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054UL
-
-#define CKR_KEY_HANDLE_INVALID                0x00000060UL
-
-#define CKR_KEY_SIZE_RANGE                    0x00000062UL
-#define CKR_KEY_TYPE_INCONSISTENT             0x00000063UL
-
-#define CKR_KEY_NOT_NEEDED                    0x00000064UL
-#define CKR_KEY_CHANGED                       0x00000065UL
-#define CKR_KEY_NEEDED                        0x00000066UL
-#define CKR_KEY_INDIGESTIBLE                  0x00000067UL
-#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068UL
-#define CKR_KEY_NOT_WRAPPABLE                 0x00000069UL
-#define CKR_KEY_UNEXTRACTABLE                 0x0000006AUL
-
-#define CKR_MECHANISM_INVALID                 0x00000070UL
-#define CKR_MECHANISM_PARAM_INVALID           0x00000071UL
-
-#define CKR_OBJECT_HANDLE_INVALID             0x00000082UL
-#define CKR_OPERATION_ACTIVE                  0x00000090UL
-#define CKR_OPERATION_NOT_INITIALIZED         0x00000091UL
-#define CKR_PIN_INCORRECT                     0x000000A0UL
-#define CKR_PIN_INVALID                       0x000000A1UL
-#define CKR_PIN_LEN_RANGE                     0x000000A2UL
-
-#define CKR_PIN_EXPIRED                       0x000000A3UL
-#define CKR_PIN_LOCKED                        0x000000A4UL
-
-#define CKR_SESSION_CLOSED                    0x000000B0UL
-#define CKR_SESSION_COUNT                     0x000000B1UL
-#define CKR_SESSION_HANDLE_INVALID            0x000000B3UL
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4UL
-#define CKR_SESSION_READ_ONLY                 0x000000B5UL
-#define CKR_SESSION_EXISTS                    0x000000B6UL
-
-#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7UL
-#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8UL
-
-#define CKR_SIGNATURE_INVALID                 0x000000C0UL
-#define CKR_SIGNATURE_LEN_RANGE               0x000000C1UL
-#define CKR_TEMPLATE_INCOMPLETE               0x000000D0UL
-#define CKR_TEMPLATE_INCONSISTENT             0x000000D1UL
-#define CKR_TOKEN_NOT_PRESENT                 0x000000E0UL
-#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1UL
-#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2UL
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0UL
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1UL
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2UL
-#define CKR_USER_ALREADY_LOGGED_IN            0x00000100UL
-#define CKR_USER_NOT_LOGGED_IN                0x00000101UL
-#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102UL
-#define CKR_USER_TYPE_INVALID                 0x00000103UL
-
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104UL
-#define CKR_USER_TOO_MANY_TYPES               0x00000105UL
-
-#define CKR_WRAPPED_KEY_INVALID               0x00000110UL
-#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112UL
-#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113UL
-#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114UL
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115UL
-#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120UL
-
-#define CKR_RANDOM_NO_RNG                     0x00000121UL
-
-#define CKR_DOMAIN_PARAMS_INVALID             0x00000130UL
-
-#define CKR_CURVE_NOT_SUPPORTED               0x00000140UL
-
-#define CKR_BUFFER_TOO_SMALL                  0x00000150UL
-#define CKR_SAVED_STATE_INVALID               0x00000160UL
-#define CKR_INFORMATION_SENSITIVE             0x00000170UL
-#define CKR_STATE_UNSAVEABLE                  0x00000180UL
-
-#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190UL
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191UL
-#define CKR_MUTEX_BAD                         0x000001A0UL
-#define CKR_MUTEX_NOT_LOCKED                  0x000001A1UL
-
-#define CKR_NEW_PIN_MODE                      0x000001B0UL
-#define CKR_NEXT_OTP                          0x000001B1UL
-
-#define CKR_EXCEEDED_MAX_ITERATIONS           0x000001B5UL
-#define CKR_FIPS_SELF_TEST_FAILED             0x000001B6UL
-#define CKR_LIBRARY_LOAD_FAILED               0x000001B7UL
-#define CKR_PIN_TOO_WEAK                      0x000001B8UL
-#define CKR_PUBLIC_KEY_INVALID                0x000001B9UL
-
-#define CKR_FUNCTION_REJECTED                 0x00000200UL
-
-#define CKR_VENDOR_DEFINED                    0x80000000UL
-
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_NOTIFICATION   event,
-  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
-);
-
-
-/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
- * version and pointers of appropriate types to all the
- * Cryptoki functions
- */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object
- */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
-  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object
- */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex
- */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize
- */
-typedef struct CK_C_INITIALIZE_ARGS {
-  CK_CREATEMUTEX CreateMutex;
-  CK_DESTROYMUTEX DestroyMutex;
-  CK_LOCKMUTEX LockMutex;
-  CK_UNLOCKMUTEX UnlockMutex;
-  CK_FLAGS flags;
-  CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag                           Mask       Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL
-#define CKF_OS_LOCKING_OK                  0x00000002UL
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK     1
-
-/* CK_RSA_PKCS_MGF_TYPE  is used to indicate the Message
- * Generation Function (MGF) applied to a message block when
- * formatting a message block for the PKCS #1 OAEP encryption
- * scheme.
- */
-typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
-
-typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
-
-/* The following MGFs are defined */
-#define CKG_MGF1_SHA1         0x00000001UL
-#define CKG_MGF1_SHA256       0x00000002UL
-#define CKG_MGF1_SHA384       0x00000003UL
-#define CKG_MGF1_SHA512       0x00000004UL
-#define CKG_MGF1_SHA224       0x00000005UL
-
-/* CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
- * of the encoding parameter when formatting a message block
- * for the PKCS #1 OAEP encryption scheme.
- */
-typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
-
-typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
-
-/* The following encoding parameter sources are defined */
-#define CKZ_DATA_SPECIFIED    0x00000001UL
-
-/* CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_OAEP mechanism.
- */
-typedef struct CK_RSA_PKCS_OAEP_PARAMS {
-        CK_MECHANISM_TYPE hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
-        CK_VOID_PTR pSourceData;
-        CK_ULONG ulSourceDataLen;
-} CK_RSA_PKCS_OAEP_PARAMS;
-
-typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
-
-/* CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_PSS mechanism(s).
- */
-typedef struct CK_RSA_PKCS_PSS_PARAMS {
-        CK_MECHANISM_TYPE    hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_ULONG             sLen;
-} CK_RSA_PKCS_PSS_PARAMS;
-
-typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
-
-typedef CK_ULONG CK_EC_KDF_TYPE;
-
-/* The following EC Key Derivation Functions are defined */
-#define CKD_NULL                 0x00000001UL
-#define CKD_SHA1_KDF             0x00000002UL
-
-/* The following X9.42 DH key derivation functions are defined */
-#define CKD_SHA1_KDF_ASN1        0x00000003UL
-#define CKD_SHA1_KDF_CONCATENATE 0x00000004UL
-#define CKD_SHA224_KDF           0x00000005UL
-#define CKD_SHA256_KDF           0x00000006UL
-#define CKD_SHA384_KDF           0x00000007UL
-#define CKD_SHA512_KDF           0x00000008UL
-#define CKD_CPDIVERSIFY_KDF      0x00000009UL
-#define CKD_SHA3_224_KDF         0x0000000AUL
-#define CKD_SHA3_256_KDF         0x0000000BUL
-#define CKD_SHA3_384_KDF         0x0000000CUL
-#define CKD_SHA3_512_KDF         0x0000000DUL
-
-/* CK_ECDH1_DERIVE_PARAMS provides the parameters to the
- * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
- * where each party contributes one key pair.
- */
-typedef struct CK_ECDH1_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_ECDH1_DERIVE_PARAMS;
-
-typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
-
-/*
- * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
- * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs.
- */
-typedef struct CK_ECDH2_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_ECDH2_DERIVE_PARAMS;
-
-typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_ECMQV_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_ECMQV_DERIVE_PARAMS;
-
-typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
-
-/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
- * CKM_X9_42_DH_PARAMETER_GEN mechanisms
- */
-typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
-typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
-
-/* CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
- * contributes one key pair
- */
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_X9_42_DH1_DERIVE_PARAMS;
-
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
-
-/* CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
- * mechanisms, where each party contributes two key pairs
- */
-typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_X9_42_DH2_DERIVE_PARAMS;
-
-typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_X9_42_MQV_DERIVE_PARAMS;
-
-typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism
- */
-typedef struct CK_KEA_DERIVE_PARAMS {
-  CK_BBOOL      isSender;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pRandomB;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
- * holds the effective keysize
- */
-typedef CK_ULONG          CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism
- */
-typedef struct CK_RC2_CBC_PARAMS {
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-  CK_BYTE       iv[8];            /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism
- */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms
- */
-typedef struct CK_RC5_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism
- */
-typedef struct CK_RC5_CBC_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-  CK_BYTE_PTR   pIv;         /* pointer to IV */
-  CK_ULONG      ulIvLen;     /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism
- */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulWordsize;   /* wordsize in bits */
-  CK_ULONG      ulRounds;     /* number of rounds */
-  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
- * the MAC
- */
-typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[8];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[16];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism
- */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
-  CK_ULONG      ulPasswordLen;
-  CK_BYTE_PTR   pPassword;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-  CK_ULONG      ulPAndGLen;
-  CK_ULONG      ulQLen;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pPrimeP;
-  CK_BYTE_PTR   pBaseG;
-  CK_BYTE_PTR   pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
-  CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism
- */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
-  CK_ULONG      ulOldWrappedXLen;
-  CK_BYTE_PTR   pOldWrappedX;
-  CK_ULONG      ulOldPasswordLen;
-  CK_BYTE_PTR   pOldPassword;
-  CK_ULONG      ulOldPublicDataLen;
-  CK_BYTE_PTR   pOldPublicData;
-  CK_ULONG      ulOldRandomLen;
-  CK_BYTE_PTR   pOldRandomA;
-  CK_ULONG      ulNewPasswordLen;
-  CK_BYTE_PTR   pNewPassword;
-  CK_ULONG      ulNewPublicDataLen;
-  CK_BYTE_PTR   pNewPublicData;
-  CK_ULONG      ulNewRandomLen;
-  CK_BYTE_PTR   pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
-  CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
-  CK_BYTE_PTR      pInitVector;
-  CK_UTF8CHAR_PTR  pPassword;
-  CK_ULONG         ulPasswordLen;
-  CK_BYTE_PTR      pSalt;
-  CK_ULONG         ulSaltLen;
-  CK_ULONG         ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism
- */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
-  CK_BYTE       bBC;     /* block contents byte */
-  CK_BYTE_PTR   pX;      /* extra data */
-  CK_ULONG      ulXLen;  /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-typedef struct CK_SSL3_RANDOM_DATA {
-  CK_BYTE_PTR  pClientRandom;
-  CK_ULONG     ulClientRandomLen;
-  CK_BYTE_PTR  pServerRandom;
-  CK_ULONG     ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
-  CK_SSL3_RANDOM_DATA RandomInfo;
-  CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hClientMacSecret;
-  CK_OBJECT_HANDLE hServerMacSecret;
-  CK_OBJECT_HANDLE hClientKey;
-  CK_OBJECT_HANDLE hServerKey;
-  CK_BYTE_PTR      pIVClient;
-  CK_BYTE_PTR      pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_BBOOL                bIsExport;
-  CK_SSL3_RANDOM_DATA     RandomInfo;
-  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-typedef struct CK_TLS_PRF_PARAMS {
-  CK_BYTE_PTR  pSeed;
-  CK_ULONG     ulSeedLen;
-  CK_BYTE_PTR  pLabel;
-  CK_ULONG     ulLabelLen;
-  CK_BYTE_PTR  pOutput;
-  CK_ULONG_PTR pulOutputLen;
-} CK_TLS_PRF_PARAMS;
-
-typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
-
-typedef struct CK_WTLS_RANDOM_DATA {
-  CK_BYTE_PTR pClientRandom;
-  CK_ULONG    ulClientRandomLen;
-  CK_BYTE_PTR pServerRandom;
-  CK_ULONG    ulServerRandomLen;
-} CK_WTLS_RANDOM_DATA;
-
-typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
-
-typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
-  CK_MECHANISM_TYPE   DigestMechanism;
-  CK_WTLS_RANDOM_DATA RandomInfo;
-  CK_BYTE_PTR         pVersion;
-} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
-
-typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_WTLS_PRF_PARAMS {
-  CK_MECHANISM_TYPE DigestMechanism;
-  CK_BYTE_PTR       pSeed;
-  CK_ULONG          ulSeedLen;
-  CK_BYTE_PTR       pLabel;
-  CK_ULONG          ulLabelLen;
-  CK_BYTE_PTR       pOutput;
-  CK_ULONG_PTR      pulOutputLen;
-} CK_WTLS_PRF_PARAMS;
-
-typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hMacSecret;
-  CK_OBJECT_HANDLE hKey;
-  CK_BYTE_PTR      pIV;
-} CK_WTLS_KEY_MAT_OUT;
-
-typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_PARAMS {
-  CK_MECHANISM_TYPE       DigestMechanism;
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_ULONG                ulSequenceNumber;
-  CK_BBOOL                bIsExport;
-  CK_WTLS_RANDOM_DATA     RandomInfo;
-  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_WTLS_KEY_MAT_PARAMS;
-
-typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
-
-typedef struct CK_CMS_SIG_PARAMS {
-  CK_OBJECT_HANDLE      certificateHandle;
-  CK_MECHANISM_PTR      pSigningMechanism;
-  CK_MECHANISM_PTR      pDigestMechanism;
-  CK_UTF8CHAR_PTR       pContentType;
-  CK_BYTE_PTR           pRequestedAttributes;
-  CK_ULONG              ulRequestedAttributesLen;
-  CK_BYTE_PTR           pRequiredAttributes;
-  CK_ULONG              ulRequiredAttributesLen;
-} CK_CMS_SIG_PARAMS;
-
-typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
-  CK_BYTE_PTR pData;
-  CK_ULONG    ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
-  CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key
- */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
- * indicate the Pseudo-Random Function (PRF) used to generate
- * key bits using PKCS #5 PBKDF2.
- */
-typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
-
-typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR \
-                        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
-
-#define CKP_PKCS5_PBKD2_HMAC_SHA1          0x00000001UL
-#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411     0x00000002UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA224        0x00000003UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA256        0x00000004UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA384        0x00000005UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA512        0x00000006UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA512_224    0x00000007UL
-#define CKP_PKCS5_PBKD2_HMAC_SHA512_256    0x00000008UL
-
-/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
- * source of the salt value when deriving a key using PKCS #5
- * PBKDF2.
- */
-typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
-
-typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR \
-                        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
-
-/* The following salt value sources are defined in PKCS #5 v2.0. */
-#define CKZ_SALT_SPECIFIED        0x00000001UL
-
-/* CK_PKCS5_PBKD2_PARAMS is a structure that provides the
- * parameters to the CKM_PKCS5_PBKD2 mechanism.
- */
-typedef struct CK_PKCS5_PBKD2_PARAMS {
-        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
-        CK_VOID_PTR                                pSaltSourceData;
-        CK_ULONG                                   ulSaltSourceDataLen;
-        CK_ULONG                                   iterations;
-        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-        CK_VOID_PTR                                pPrfData;
-        CK_ULONG                                   ulPrfDataLen;
-        CK_UTF8CHAR_PTR                            pPassword;
-        CK_ULONG_PTR                               ulPasswordLen;
-} CK_PKCS5_PBKD2_PARAMS;
-
-typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
-
-/* CK_PKCS5_PBKD2_PARAMS2 is a corrected version of the CK_PKCS5_PBKD2_PARAMS
- * structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism
- * noting that the ulPasswordLen field is a CK_ULONG and not a CK_ULONG_PTR.
- */
-typedef struct CK_PKCS5_PBKD2_PARAMS2 {
-        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-        CK_VOID_PTR pSaltSourceData;
-        CK_ULONG ulSaltSourceDataLen;
-        CK_ULONG iterations;
-        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-        CK_VOID_PTR pPrfData;
-        CK_ULONG ulPrfDataLen;
-        CK_UTF8CHAR_PTR pPassword;
-        CK_ULONG ulPasswordLen;
-} CK_PKCS5_PBKD2_PARAMS2;
-
-typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR;
-
-typedef CK_ULONG CK_OTP_PARAM_TYPE;
-typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* backward compatibility */
-
-typedef struct CK_OTP_PARAM {
-    CK_OTP_PARAM_TYPE type;
-    CK_VOID_PTR pValue;
-    CK_ULONG ulValueLen;
-} CK_OTP_PARAM;
-
-typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
-
-typedef struct CK_OTP_PARAMS {
-    CK_OTP_PARAM_PTR pParams;
-    CK_ULONG ulCount;
-} CK_OTP_PARAMS;
-
-typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
-
-typedef struct CK_OTP_SIGNATURE_INFO {
-    CK_OTP_PARAM_PTR pParams;
-    CK_ULONG ulCount;
-} CK_OTP_SIGNATURE_INFO;
-
-typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
-
-#define CK_OTP_VALUE          0UL
-#define CK_OTP_PIN            1UL
-#define CK_OTP_CHALLENGE      2UL
-#define CK_OTP_TIME           3UL
-#define CK_OTP_COUNTER        4UL
-#define CK_OTP_FLAGS          5UL
-#define CK_OTP_OUTPUT_LENGTH  6UL
-#define CK_OTP_OUTPUT_FORMAT  7UL
-
-#define CKF_NEXT_OTP          0x00000001UL
-#define CKF_EXCLUDE_TIME      0x00000002UL
-#define CKF_EXCLUDE_COUNTER   0x00000004UL
-#define CKF_EXCLUDE_CHALLENGE 0x00000008UL
-#define CKF_EXCLUDE_PIN       0x00000010UL
-#define CKF_USER_FRIENDLY_OTP 0x00000020UL
-
-typedef struct CK_KIP_PARAMS {
-    CK_MECHANISM_PTR  pMechanism;
-    CK_OBJECT_HANDLE  hKey;
-    CK_BYTE_PTR       pSeed;
-    CK_ULONG          ulSeedLen;
-} CK_KIP_PARAMS;
-
-typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
-
-typedef struct CK_AES_CTR_PARAMS {
-    CK_ULONG ulCounterBits;
-    CK_BYTE cb[16];
-} CK_AES_CTR_PARAMS;
-
-typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
-
-typedef struct CK_GCM_PARAMS {
-    CK_BYTE_PTR       pIv;
-    CK_ULONG          ulIvLen;
-    CK_ULONG          ulIvBits;
-    CK_BYTE_PTR       pAAD;
-    CK_ULONG          ulAADLen;
-    CK_ULONG          ulTagBits;
-} CK_GCM_PARAMS;
-
-typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR;
-
-typedef struct CK_CCM_PARAMS {
-    CK_ULONG          ulDataLen;
-    CK_BYTE_PTR       pNonce;
-    CK_ULONG          ulNonceLen;
-    CK_BYTE_PTR       pAAD;
-    CK_ULONG          ulAADLen;
-    CK_ULONG          ulMACLen;
-} CK_CCM_PARAMS;
-
-typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR;
-
-/* Deprecated. Use CK_GCM_PARAMS */
-typedef struct CK_AES_GCM_PARAMS {
-  CK_BYTE_PTR pIv;
-  CK_ULONG ulIvLen;
-  CK_ULONG ulIvBits;
-  CK_BYTE_PTR pAAD;
-  CK_ULONG ulAADLen;
-  CK_ULONG ulTagBits;
-} CK_AES_GCM_PARAMS;
-
-typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR;
-
-/* Deprecated. Use CK_CCM_PARAMS */
-typedef struct CK_AES_CCM_PARAMS {
-    CK_ULONG          ulDataLen;
-    CK_BYTE_PTR       pNonce;
-    CK_ULONG          ulNonceLen;
-    CK_BYTE_PTR       pAAD;
-    CK_ULONG          ulAADLen;
-    CK_ULONG          ulMACLen;
-} CK_AES_CCM_PARAMS;
-
-typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR;
-
-typedef struct CK_CAMELLIA_CTR_PARAMS {
-    CK_ULONG          ulCounterBits;
-    CK_BYTE           cb[16];
-} CK_CAMELLIA_CTR_PARAMS;
-
-typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
-
-typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE           iv[16];
-    CK_BYTE_PTR       pData;
-    CK_ULONG          length;
-} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
-                                CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE           iv[16];
-    CK_BYTE_PTR       pData;
-    CK_ULONG          length;
-} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
-                                CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_DSA_PARAMETER_GEN_PARAM {
-    CK_MECHANISM_TYPE  hash;
-    CK_BYTE_PTR        pSeed;
-    CK_ULONG           ulSeedLen;
-    CK_ULONG           ulIndex;
-} CK_DSA_PARAMETER_GEN_PARAM;
-
-typedef CK_DSA_PARAMETER_GEN_PARAM CK_PTR CK_DSA_PARAMETER_GEN_PARAM_PTR;
-
-typedef struct CK_ECDH_AES_KEY_WRAP_PARAMS {
-    CK_ULONG           ulAESKeyBits;
-    CK_EC_KDF_TYPE     kdf;
-    CK_ULONG           ulSharedDataLen;
-    CK_BYTE_PTR        pSharedData;
-} CK_ECDH_AES_KEY_WRAP_PARAMS;
-
-typedef CK_ECDH_AES_KEY_WRAP_PARAMS CK_PTR CK_ECDH_AES_KEY_WRAP_PARAMS_PTR;
-
-typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
-
-typedef CK_ULONG CK_CERTIFICATE_CATEGORY;
-
-typedef struct CK_RSA_AES_KEY_WRAP_PARAMS {
-    CK_ULONG                      ulAESKeyBits;
-    CK_RSA_PKCS_OAEP_PARAMS_PTR   pOAEPParams;
-} CK_RSA_AES_KEY_WRAP_PARAMS;
-
-typedef CK_RSA_AES_KEY_WRAP_PARAMS CK_PTR CK_RSA_AES_KEY_WRAP_PARAMS_PTR;
-
-typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS {
-    CK_SSL3_RANDOM_DATA       RandomInfo;
-    CK_VERSION_PTR            pVersion;
-    CK_MECHANISM_TYPE         prfHashMechanism;
-} CK_TLS12_MASTER_KEY_DERIVE_PARAMS;
-
-typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-                                CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_TLS12_KEY_MAT_PARAMS {
-    CK_ULONG                  ulMacSizeInBits;
-    CK_ULONG                  ulKeySizeInBits;
-    CK_ULONG                  ulIVSizeInBits;
-    CK_BBOOL                  bIsExport;
-    CK_SSL3_RANDOM_DATA       RandomInfo;
-    CK_SSL3_KEY_MAT_OUT_PTR   pReturnedKeyMaterial;
-    CK_MECHANISM_TYPE         prfHashMechanism;
-} CK_TLS12_KEY_MAT_PARAMS;
-
-typedef CK_TLS12_KEY_MAT_PARAMS CK_PTR CK_TLS12_KEY_MAT_PARAMS_PTR;
-
-typedef struct CK_TLS_KDF_PARAMS {
-    CK_MECHANISM_TYPE         prfMechanism;
-    CK_BYTE_PTR               pLabel;
-    CK_ULONG                  ulLabelLength;
-    CK_SSL3_RANDOM_DATA       RandomInfo;
-    CK_BYTE_PTR               pContextData;
-    CK_ULONG                  ulContextDataLength;
-} CK_TLS_KDF_PARAMS;
-
-typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR;
-
-typedef struct CK_TLS_MAC_PARAMS {
-    CK_MECHANISM_TYPE         prfHashMechanism;
-    CK_ULONG                  ulMacLength;
-    CK_ULONG                  ulServerOrClient;
-} CK_TLS_MAC_PARAMS;
-
-typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR;
-
-typedef struct CK_GOSTR3410_DERIVE_PARAMS {
-    CK_EC_KDF_TYPE            kdf;
-    CK_BYTE_PTR               pPublicData;
-    CK_ULONG                  ulPublicDataLen;
-    CK_BYTE_PTR               pUKM;
-    CK_ULONG                  ulUKMLen;
-} CK_GOSTR3410_DERIVE_PARAMS;
-
-typedef CK_GOSTR3410_DERIVE_PARAMS CK_PTR CK_GOSTR3410_DERIVE_PARAMS_PTR;
-
-typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS {
-    CK_BYTE_PTR               pWrapOID;
-    CK_ULONG                  ulWrapOIDLen;
-    CK_BYTE_PTR               pUKM;
-    CK_ULONG                  ulUKMLen;
-    CK_OBJECT_HANDLE          hKey;
-} CK_GOSTR3410_KEY_WRAP_PARAMS;
-
-typedef CK_GOSTR3410_KEY_WRAP_PARAMS CK_PTR CK_GOSTR3410_KEY_WRAP_PARAMS_PTR;
-
-typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE                   iv[16];
-    CK_BYTE_PTR               pData;
-    CK_ULONG                  length;
-} CK_SEED_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
-                                        CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-#endif /* _PKCS11T_H_ */
-
diff --git a/vendor/github.com/miekg/pkcs11/release.go b/vendor/github.com/miekg/pkcs11/release.go
deleted file mode 100644
index d8b99f14..00000000
--- a/vendor/github.com/miekg/pkcs11/release.go
+++ /dev/null
@@ -1,18 +0,0 @@
-//go:build release
-// +build release
-
-package pkcs11
-
-import "fmt"
-
-// Release is current version of the pkcs11 library.
-var Release = R{1, 1, 1}
-
-// R holds the version of this library.
-type R struct {
-	Major, Minor, Patch int
-}
-
-func (r R) String() string {
-	return fmt.Sprintf("%d.%d.%d", r.Major, r.Minor, r.Patch)
-}
diff --git a/vendor/github.com/miekg/pkcs11/softhsm.conf b/vendor/github.com/miekg/pkcs11/softhsm.conf
deleted file mode 100644
index f95862b1..00000000
--- a/vendor/github.com/miekg/pkcs11/softhsm.conf
+++ /dev/null
@@ -1 +0,0 @@
-0:hsm.db
diff --git a/vendor/github.com/miekg/pkcs11/softhsm2.conf b/vendor/github.com/miekg/pkcs11/softhsm2.conf
deleted file mode 100644
index 876990cd..00000000
--- a/vendor/github.com/miekg/pkcs11/softhsm2.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-log.level = INFO
-objectstore.backend = file
-directories.tokendir = test_data
-slots.removable = false
diff --git a/vendor/github.com/miekg/pkcs11/types.go b/vendor/github.com/miekg/pkcs11/types.go
deleted file mode 100644
index 60eadcb7..00000000
--- a/vendor/github.com/miekg/pkcs11/types.go
+++ /dev/null
@@ -1,315 +0,0 @@
-// Copyright 2013 Miek Gieben. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pkcs11
-
-/*
-#include <stdlib.h>
-#include <string.h>
-#include "pkcs11go.h"
-
-CK_ULONG Index(CK_ULONG_PTR array, CK_ULONG i)
-{
-	return array[i];
-}
-
-static inline void putAttributePval(CK_ATTRIBUTE_PTR a, CK_VOID_PTR pValue)
-{
-	a->pValue = pValue;
-}
-
-static inline void putMechanismParam(CK_MECHANISM_PTR m, CK_VOID_PTR pParameter)
-{
-	m->pParameter = pParameter;
-}
-*/
-import "C"
-
-import (
-	"fmt"
-	"time"
-	"unsafe"
-)
-
-type arena []unsafe.Pointer
-
-func (a *arena) Allocate(obj []byte) (C.CK_VOID_PTR, C.CK_ULONG) {
-	cobj := C.calloc(C.size_t(len(obj)), 1)
-	*a = append(*a, cobj)
-	C.memmove(cobj, unsafe.Pointer(&obj[0]), C.size_t(len(obj)))
-	return C.CK_VOID_PTR(cobj), C.CK_ULONG(len(obj))
-}
-
-func (a arena) Free() {
-	for _, p := range a {
-		C.free(p)
-	}
-}
-
-// toList converts from a C style array to a []uint.
-func toList(clist C.CK_ULONG_PTR, size C.CK_ULONG) []uint {
-	l := make([]uint, int(size))
-	for i := 0; i < len(l); i++ {
-		l[i] = uint(C.Index(clist, C.CK_ULONG(i)))
-	}
-	defer C.free(unsafe.Pointer(clist))
-	return l
-}
-
-// cBBool converts a bool to a CK_BBOOL.
-func cBBool(x bool) C.CK_BBOOL {
-	if x {
-		return C.CK_BBOOL(C.CK_TRUE)
-	}
-	return C.CK_BBOOL(C.CK_FALSE)
-}
-
-func uintToBytes(x uint64) []byte {
-	ul := C.CK_ULONG(x)
-	return C.GoBytes(unsafe.Pointer(&ul), C.int(unsafe.Sizeof(ul)))
-}
-
-// Error represents an PKCS#11 error.
-type Error uint
-
-func (e Error) Error() string {
-	return fmt.Sprintf("pkcs11: 0x%X: %s", uint(e), strerror[uint(e)])
-}
-
-func toError(e C.CK_RV) error {
-	if e == C.CKR_OK {
-		return nil
-	}
-	return Error(e)
-}
-
-// SessionHandle is a Cryptoki-assigned value that identifies a session.
-type SessionHandle uint
-
-// ObjectHandle is a token-specific identifier for an object.
-type ObjectHandle uint
-
-// Version represents any version information from the library.
-type Version struct {
-	Major byte
-	Minor byte
-}
-
-func toVersion(version C.CK_VERSION) Version {
-	return Version{byte(version.major), byte(version.minor)}
-}
-
-// SlotEvent holds the SlotID which for which an slot event (token insertion,
-// removal, etc.) occurred.
-type SlotEvent struct {
-	SlotID uint
-}
-
-// Info provides information about the library and hardware used.
-type Info struct {
-	CryptokiVersion    Version
-	ManufacturerID     string
-	Flags              uint
-	LibraryDescription string
-	LibraryVersion     Version
-}
-
-// SlotInfo provides information about a slot.
-type SlotInfo struct {
-	SlotDescription string // 64 bytes.
-	ManufacturerID  string // 32 bytes.
-	Flags           uint
-	HardwareVersion Version
-	FirmwareVersion Version
-}
-
-// TokenInfo provides information about a token.
-type TokenInfo struct {
-	Label              string
-	ManufacturerID     string
-	Model              string
-	SerialNumber       string
-	Flags              uint
-	MaxSessionCount    uint
-	SessionCount       uint
-	MaxRwSessionCount  uint
-	RwSessionCount     uint
-	MaxPinLen          uint
-	MinPinLen          uint
-	TotalPublicMemory  uint
-	FreePublicMemory   uint
-	TotalPrivateMemory uint
-	FreePrivateMemory  uint
-	HardwareVersion    Version
-	FirmwareVersion    Version
-	UTCTime            string
-}
-
-// SessionInfo provides information about a session.
-type SessionInfo struct {
-	SlotID      uint
-	State       uint
-	Flags       uint
-	DeviceError uint
-}
-
-// Attribute holds an attribute type/value combination.
-type Attribute struct {
-	Type  uint
-	Value []byte
-}
-
-// NewAttribute allocates a Attribute and returns a pointer to it.
-// Note that this is merely a convenience function, as values returned
-// from the HSM are not converted back to Go values, those are just raw
-// byte slices.
-func NewAttribute(typ uint, x interface{}) *Attribute {
-	// This function nicely transforms *to* an attribute, but there is
-	// no corresponding function that transform back *from* an attribute,
-	// which in PKCS#11 is just an byte array.
-	a := new(Attribute)
-	a.Type = typ
-	if x == nil {
-		return a
-	}
-	switch v := x.(type) {
-	case bool:
-		if v {
-			a.Value = []byte{1}
-		} else {
-			a.Value = []byte{0}
-		}
-	case int:
-		a.Value = uintToBytes(uint64(v))
-	case int16:
-		a.Value = uintToBytes(uint64(v))
-	case int32:
-		a.Value = uintToBytes(uint64(v))
-	case int64:
-		a.Value = uintToBytes(uint64(v))
-	case uint:
-		a.Value = uintToBytes(uint64(v))
-	case uint16:
-		a.Value = uintToBytes(uint64(v))
-	case uint32:
-		a.Value = uintToBytes(uint64(v))
-	case uint64:
-		a.Value = uintToBytes(uint64(v))
-	case string:
-		a.Value = []byte(v)
-	case []byte:
-		a.Value = v
-	case time.Time: // for CKA_DATE
-		a.Value = cDate(v)
-	default:
-		panic("pkcs11: unhandled attribute type")
-	}
-	return a
-}
-
-// cAttribute returns the start address and the length of an attribute list.
-func cAttributeList(a []*Attribute) (arena, C.CK_ATTRIBUTE_PTR, C.CK_ULONG) {
-	var arena arena
-	if len(a) == 0 {
-		return nil, nil, 0
-	}
-	pa := make([]C.CK_ATTRIBUTE, len(a))
-	for i, attr := range a {
-		pa[i]._type = C.CK_ATTRIBUTE_TYPE(attr.Type)
-		if len(attr.Value) != 0 {
-			buf, len := arena.Allocate(attr.Value)
-			// field is unaligned on windows so this has to call into C
-			C.putAttributePval(&pa[i], buf)
-			pa[i].ulValueLen = len
-		}
-	}
-	return arena, &pa[0], C.CK_ULONG(len(a))
-}
-
-func cDate(t time.Time) []byte {
-	b := make([]byte, 8)
-	year, month, day := t.Date()
-	y := fmt.Sprintf("%4d", year)
-	m := fmt.Sprintf("%02d", month)
-	d1 := fmt.Sprintf("%02d", day)
-	b[0], b[1], b[2], b[3] = y[0], y[1], y[2], y[3]
-	b[4], b[5] = m[0], m[1]
-	b[6], b[7] = d1[0], d1[1]
-	return b
-}
-
-// Mechanism holds an mechanism type/value combination.
-type Mechanism struct {
-	Mechanism uint
-	Parameter []byte
-	generator interface{}
-}
-
-// NewMechanism returns a pointer to an initialized Mechanism.
-func NewMechanism(mech uint, x interface{}) *Mechanism {
-	m := new(Mechanism)
-	m.Mechanism = mech
-	if x == nil {
-		return m
-	}
-
-	switch p := x.(type) {
-	case *GCMParams, *OAEPParams, *ECDH1DeriveParams:
-		// contains pointers; defer serialization until cMechanism
-		m.generator = p
-	case []byte:
-		m.Parameter = p
-	default:
-		panic("parameter must be one of type: []byte, *GCMParams, *OAEPParams, *ECDH1DeriveParams")
-	}
-
-	return m
-}
-
-func cMechanism(mechList []*Mechanism) (arena, *C.CK_MECHANISM) {
-	if len(mechList) != 1 {
-		panic("expected exactly one mechanism")
-	}
-	mech := mechList[0]
-	cmech := &C.CK_MECHANISM{mechanism: C.CK_MECHANISM_TYPE(mech.Mechanism)}
-	// params that contain pointers are allocated here
-	param := mech.Parameter
-	var arena arena
-	switch p := mech.generator.(type) {
-	case *GCMParams:
-		// uses its own arena because it has to outlive this function call (yuck)
-		param = cGCMParams(p)
-	case *OAEPParams:
-		param, arena = cOAEPParams(p, arena)
-	case *ECDH1DeriveParams:
-		param, arena = cECDH1DeriveParams(p, arena)
-	}
-	if len(param) != 0 {
-		buf, len := arena.Allocate(param)
-		// field is unaligned on windows so this has to call into C
-		C.putMechanismParam(cmech, buf)
-		cmech.ulParameterLen = len
-	}
-	return arena, cmech
-}
-
-// MechanismInfo provides information about a particular mechanism.
-type MechanismInfo struct {
-	MinKeySize uint
-	MaxKeySize uint
-	Flags      uint
-}
-
-// stubData is a persistent nonempty byte array used by cMessage.
-var stubData = []byte{0}
-
-// cMessage returns the pointer/length pair corresponding to data.
-func cMessage(data []byte) (dataPtr C.CK_BYTE_PTR) {
-	l := len(data)
-	if l == 0 {
-		// &data[0] is forbidden in this case, so use a nontrivial array instead.
-		data = stubData
-	}
-	return C.CK_BYTE_PTR(unsafe.Pointer(&data[0]))
-}
diff --git a/vendor/github.com/miekg/pkcs11/vendor.go b/vendor/github.com/miekg/pkcs11/vendor.go
deleted file mode 100644
index 83188e50..00000000
--- a/vendor/github.com/miekg/pkcs11/vendor.go
+++ /dev/null
@@ -1,127 +0,0 @@
-package pkcs11
-
-// Vendor specific range for Ncipher network HSM.
-const (
-	NFCK_VENDOR_NCIPHER = 0xde436972
-	CKA_NCIPHER         = NFCK_VENDOR_NCIPHER
-	CKM_NCIPHER         = NFCK_VENDOR_NCIPHER
-	CKK_NCIPHER         = NFCK_VENDOR_NCIPHER
-)
-
-// Vendor specific mechanisms for HMAC on Ncipher HSMs where Ncipher does not allow use of generic_secret keys.
-const (
-	CKM_NC_SHA_1_HMAC_KEY_GEN  = CKM_NCIPHER + 0x3  /* no params */
-	CKM_NC_MD5_HMAC_KEY_GEN    = CKM_NCIPHER + 0x6  /* no params */
-	CKM_NC_SHA224_HMAC_KEY_GEN = CKM_NCIPHER + 0x24 /* no params */
-	CKM_NC_SHA256_HMAC_KEY_GEN = CKM_NCIPHER + 0x25 /* no params */
-	CKM_NC_SHA384_HMAC_KEY_GEN = CKM_NCIPHER + 0x26 /* no params */
-	CKM_NC_SHA512_HMAC_KEY_GEN = CKM_NCIPHER + 0x27 /* no params */
-)
-
-// Vendor specific range for Mozilla NSS.
-const (
-	NSSCK_VENDOR_NSS   = 0x4E534350
-	CKO_NSS            = CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS
-	CKK_NSS            = CKK_VENDOR_DEFINED | NSSCK_VENDOR_NSS
-	CKC_NSS            = CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS
-	CKA_NSS            = CKA_VENDOR_DEFINED | NSSCK_VENDOR_NSS
-	CKA_TRUST          = CKA_NSS + 0x2000
-	CKM_NSS            = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
-	CKR_NSS            = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
-	CKT_VENDOR_DEFINED = 0x80000000
-	CKT_NSS            = CKT_VENDOR_DEFINED | NSSCK_VENDOR_NSS
-)
-
-// Vendor specific values for Mozilla NSS.
-const (
-	CKO_NSS_CRL                               = CKO_NSS + 1
-	CKO_NSS_SMIME                             = CKO_NSS + 2
-	CKO_NSS_TRUST                             = CKO_NSS + 3
-	CKO_NSS_BUILTIN_ROOT_LIST                 = CKO_NSS + 4
-	CKO_NSS_NEWSLOT                           = CKO_NSS + 5
-	CKO_NSS_DELSLOT                           = CKO_NSS + 6
-	CKK_NSS_PKCS8                             = CKK_NSS + 1
-	CKK_NSS_JPAKE_ROUND1                      = CKK_NSS + 2
-	CKK_NSS_JPAKE_ROUND2                      = CKK_NSS + 3
-	CKK_NSS_CHACHA20                          = CKK_NSS + 4
-	CKA_NSS_URL                               = CKA_NSS + 1
-	CKA_NSS_EMAIL                             = CKA_NSS + 2
-	CKA_NSS_SMIME_INFO                        = CKA_NSS + 3
-	CKA_NSS_SMIME_TIMESTAMP                   = CKA_NSS + 4
-	CKA_NSS_PKCS8_SALT                        = CKA_NSS + 5
-	CKA_NSS_PASSWORD_CHECK                    = CKA_NSS + 6
-	CKA_NSS_EXPIRES                           = CKA_NSS + 7
-	CKA_NSS_KRL                               = CKA_NSS + 8
-	CKA_NSS_PQG_COUNTER                       = CKA_NSS + 20
-	CKA_NSS_PQG_SEED                          = CKA_NSS + 21
-	CKA_NSS_PQG_H                             = CKA_NSS + 22
-	CKA_NSS_PQG_SEED_BITS                     = CKA_NSS + 23
-	CKA_NSS_MODULE_SPEC                       = CKA_NSS + 24
-	CKA_NSS_OVERRIDE_EXTENSIONS               = CKA_NSS + 25
-	CKA_NSS_JPAKE_SIGNERID                    = CKA_NSS + 26
-	CKA_NSS_JPAKE_PEERID                      = CKA_NSS + 27
-	CKA_NSS_JPAKE_GX1                         = CKA_NSS + 28
-	CKA_NSS_JPAKE_GX2                         = CKA_NSS + 29
-	CKA_NSS_JPAKE_GX3                         = CKA_NSS + 30
-	CKA_NSS_JPAKE_GX4                         = CKA_NSS + 31
-	CKA_NSS_JPAKE_X2                          = CKA_NSS + 32
-	CKA_NSS_JPAKE_X2S                         = CKA_NSS + 33
-	CKA_NSS_MOZILLA_CA_POLICY                 = CKA_NSS + 34
-	CKA_TRUST_DIGITAL_SIGNATURE               = CKA_TRUST + 1
-	CKA_TRUST_NON_REPUDIATION                 = CKA_TRUST + 2
-	CKA_TRUST_KEY_ENCIPHERMENT                = CKA_TRUST + 3
-	CKA_TRUST_DATA_ENCIPHERMENT               = CKA_TRUST + 4
-	CKA_TRUST_KEY_AGREEMENT                   = CKA_TRUST + 5
-	CKA_TRUST_KEY_CERT_SIGN                   = CKA_TRUST + 6
-	CKA_TRUST_CRL_SIGN                        = CKA_TRUST + 7
-	CKA_TRUST_SERVER_AUTH                     = CKA_TRUST + 8
-	CKA_TRUST_CLIENT_AUTH                     = CKA_TRUST + 9
-	CKA_TRUST_CODE_SIGNING                    = CKA_TRUST + 10
-	CKA_TRUST_EMAIL_PROTECTION                = CKA_TRUST + 11
-	CKA_TRUST_IPSEC_END_SYSTEM                = CKA_TRUST + 12
-	CKA_TRUST_IPSEC_TUNNEL                    = CKA_TRUST + 13
-	CKA_TRUST_IPSEC_USER                      = CKA_TRUST + 14
-	CKA_TRUST_TIME_STAMPING                   = CKA_TRUST + 15
-	CKA_TRUST_STEP_UP_APPROVED                = CKA_TRUST + 16
-	CKA_CERT_SHA1_HASH                        = CKA_TRUST + 100
-	CKA_CERT_MD5_HASH                         = CKA_TRUST + 101
-	CKM_NSS_AES_KEY_WRAP                      = CKM_NSS + 1
-	CKM_NSS_AES_KEY_WRAP_PAD                  = CKM_NSS + 2
-	CKM_NSS_HKDF_SHA1                         = CKM_NSS + 3
-	CKM_NSS_HKDF_SHA256                       = CKM_NSS + 4
-	CKM_NSS_HKDF_SHA384                       = CKM_NSS + 5
-	CKM_NSS_HKDF_SHA512                       = CKM_NSS + 6
-	CKM_NSS_JPAKE_ROUND1_SHA1                 = CKM_NSS + 7
-	CKM_NSS_JPAKE_ROUND1_SHA256               = CKM_NSS + 8
-	CKM_NSS_JPAKE_ROUND1_SHA384               = CKM_NSS + 9
-	CKM_NSS_JPAKE_ROUND1_SHA512               = CKM_NSS + 10
-	CKM_NSS_JPAKE_ROUND2_SHA1                 = CKM_NSS + 11
-	CKM_NSS_JPAKE_ROUND2_SHA256               = CKM_NSS + 12
-	CKM_NSS_JPAKE_ROUND2_SHA384               = CKM_NSS + 13
-	CKM_NSS_JPAKE_ROUND2_SHA512               = CKM_NSS + 14
-	CKM_NSS_JPAKE_FINAL_SHA1                  = CKM_NSS + 15
-	CKM_NSS_JPAKE_FINAL_SHA256                = CKM_NSS + 16
-	CKM_NSS_JPAKE_FINAL_SHA384                = CKM_NSS + 17
-	CKM_NSS_JPAKE_FINAL_SHA512                = CKM_NSS + 18
-	CKM_NSS_HMAC_CONSTANT_TIME                = CKM_NSS + 19
-	CKM_NSS_SSL3_MAC_CONSTANT_TIME            = CKM_NSS + 20
-	CKM_NSS_TLS_PRF_GENERAL_SHA256            = CKM_NSS + 21
-	CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256      = CKM_NSS + 22
-	CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256     = CKM_NSS + 23
-	CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256   = CKM_NSS + 24
-	CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE    = CKM_NSS + 25
-	CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH = CKM_NSS + 26
-	CKM_NSS_CHACHA20_KEY_GEN                  = CKM_NSS + 27
-	CKM_NSS_CHACHA20_POLY1305                 = CKM_NSS + 28
-	CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN    = CKM_NSS + 29
-	CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN    = CKM_NSS + 30
-	CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN    = CKM_NSS + 31
-	CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN    = CKM_NSS + 32
-	CKR_NSS_CERTDB_FAILED                     = CKR_NSS + 1
-	CKR_NSS_KEYDB_FAILED                      = CKR_NSS + 2
-	CKT_NSS_TRUSTED                           = CKT_NSS + 1
-	CKT_NSS_TRUSTED_DELEGATOR                 = CKT_NSS + 2
-	CKT_NSS_MUST_VERIFY_TRUST                 = CKT_NSS + 3
-	CKT_NSS_NOT_TRUSTED                       = CKT_NSS + 10
-	CKT_NSS_TRUST_UNKNOWN                     = CKT_NSS + 5
-)
diff --git a/vendor/github.com/miekg/pkcs11/zconst.go b/vendor/github.com/miekg/pkcs11/zconst.go
deleted file mode 100644
index 41df5cfc..00000000
--- a/vendor/github.com/miekg/pkcs11/zconst.go
+++ /dev/null
@@ -1,766 +0,0 @@
-// Copyright 2013 Miek Gieben. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by "go run const_generate.go"; DO NOT EDIT.
-
-package pkcs11
-
-const (
-	CK_TRUE                              = 1
-	CK_FALSE                             = 0
-	CK_UNAVAILABLE_INFORMATION           = ^uint(0)
-	CK_EFFECTIVELY_INFINITE              = 0
-	CK_INVALID_HANDLE                    = 0
-	CKN_SURRENDER                        = 0
-	CKN_OTP_CHANGED                      = 1
-	CKF_TOKEN_PRESENT                    = 0x00000001
-	CKF_REMOVABLE_DEVICE                 = 0x00000002
-	CKF_HW_SLOT                          = 0x00000004
-	CKF_RNG                              = 0x00000001
-	CKF_WRITE_PROTECTED                  = 0x00000002
-	CKF_LOGIN_REQUIRED                   = 0x00000004
-	CKF_USER_PIN_INITIALIZED             = 0x00000008
-	CKF_RESTORE_KEY_NOT_NEEDED           = 0x00000020
-	CKF_CLOCK_ON_TOKEN                   = 0x00000040
-	CKF_PROTECTED_AUTHENTICATION_PATH    = 0x00000100
-	CKF_DUAL_CRYPTO_OPERATIONS           = 0x00000200
-	CKF_TOKEN_INITIALIZED                = 0x00000400
-	CKF_SECONDARY_AUTHENTICATION         = 0x00000800
-	CKF_USER_PIN_COUNT_LOW               = 0x00010000
-	CKF_USER_PIN_FINAL_TRY               = 0x00020000
-	CKF_USER_PIN_LOCKED                  = 0x00040000
-	CKF_USER_PIN_TO_BE_CHANGED           = 0x00080000
-	CKF_SO_PIN_COUNT_LOW                 = 0x00100000
-	CKF_SO_PIN_FINAL_TRY                 = 0x00200000
-	CKF_SO_PIN_LOCKED                    = 0x00400000
-	CKF_SO_PIN_TO_BE_CHANGED             = 0x00800000
-	CKF_ERROR_STATE                      = 0x01000000
-	CKU_SO                               = 0
-	CKU_USER                             = 1
-	CKU_CONTEXT_SPECIFIC                 = 2
-	CKS_RO_PUBLIC_SESSION                = 0
-	CKS_RO_USER_FUNCTIONS                = 1
-	CKS_RW_PUBLIC_SESSION                = 2
-	CKS_RW_USER_FUNCTIONS                = 3
-	CKS_RW_SO_FUNCTIONS                  = 4
-	CKF_RW_SESSION                       = 0x00000002
-	CKF_SERIAL_SESSION                   = 0x00000004
-	CKO_DATA                             = 0x00000000
-	CKO_CERTIFICATE                      = 0x00000001
-	CKO_PUBLIC_KEY                       = 0x00000002
-	CKO_PRIVATE_KEY                      = 0x00000003
-	CKO_SECRET_KEY                       = 0x00000004
-	CKO_HW_FEATURE                       = 0x00000005
-	CKO_DOMAIN_PARAMETERS                = 0x00000006
-	CKO_MECHANISM                        = 0x00000007
-	CKO_OTP_KEY                          = 0x00000008
-	CKO_VENDOR_DEFINED                   = 0x80000000
-	CKH_MONOTONIC_COUNTER                = 0x00000001
-	CKH_CLOCK                            = 0x00000002
-	CKH_USER_INTERFACE                   = 0x00000003
-	CKH_VENDOR_DEFINED                   = 0x80000000
-	CKK_RSA                              = 0x00000000
-	CKK_DSA                              = 0x00000001
-	CKK_DH                               = 0x00000002
-	CKK_ECDSA                            = 0x00000003 // Deprecated
-	CKK_EC                               = 0x00000003
-	CKK_X9_42_DH                         = 0x00000004
-	CKK_KEA                              = 0x00000005
-	CKK_GENERIC_SECRET                   = 0x00000010
-	CKK_RC2                              = 0x00000011
-	CKK_RC4                              = 0x00000012
-	CKK_DES                              = 0x00000013
-	CKK_DES2                             = 0x00000014
-	CKK_DES3                             = 0x00000015
-	CKK_CAST                             = 0x00000016
-	CKK_CAST3                            = 0x00000017
-	CKK_CAST5                            = 0x00000018 // Deprecated
-	CKK_CAST128                          = 0x00000018
-	CKK_RC5                              = 0x00000019
-	CKK_IDEA                             = 0x0000001A
-	CKK_SKIPJACK                         = 0x0000001B
-	CKK_BATON                            = 0x0000001C
-	CKK_JUNIPER                          = 0x0000001D
-	CKK_CDMF                             = 0x0000001E
-	CKK_AES                              = 0x0000001F
-	CKK_BLOWFISH                         = 0x00000020
-	CKK_TWOFISH                          = 0x00000021
-	CKK_SECURID                          = 0x00000022
-	CKK_HOTP                             = 0x00000023
-	CKK_ACTI                             = 0x00000024
-	CKK_CAMELLIA                         = 0x00000025
-	CKK_ARIA                             = 0x00000026
-	CKK_MD5_HMAC                         = 0x00000027
-	CKK_SHA_1_HMAC                       = 0x00000028
-	CKK_RIPEMD128_HMAC                   = 0x00000029
-	CKK_RIPEMD160_HMAC                   = 0x0000002A
-	CKK_SHA256_HMAC                      = 0x0000002B
-	CKK_SHA384_HMAC                      = 0x0000002C
-	CKK_SHA512_HMAC                      = 0x0000002D
-	CKK_SHA224_HMAC                      = 0x0000002E
-	CKK_SEED                             = 0x0000002F
-	CKK_GOSTR3410                        = 0x00000030
-	CKK_GOSTR3411                        = 0x00000031
-	CKK_GOST28147                        = 0x00000032
-	CKK_SHA3_224_HMAC                    = 0x00000033
-	CKK_SHA3_256_HMAC                    = 0x00000034
-	CKK_SHA3_384_HMAC                    = 0x00000035
-	CKK_SHA3_512_HMAC                    = 0x00000036
-	CKK_VENDOR_DEFINED                   = 0x80000000
-	CK_CERTIFICATE_CATEGORY_UNSPECIFIED  = 0
-	CK_CERTIFICATE_CATEGORY_TOKEN_USER   = 1
-	CK_CERTIFICATE_CATEGORY_AUTHORITY    = 2
-	CK_CERTIFICATE_CATEGORY_OTHER_ENTITY = 3
-	CK_SECURITY_DOMAIN_UNSPECIFIED       = 0
-	CK_SECURITY_DOMAIN_MANUFACTURER      = 1
-	CK_SECURITY_DOMAIN_OPERATOR          = 2
-	CK_SECURITY_DOMAIN_THIRD_PARTY       = 3
-	CKC_X_509                            = 0x00000000
-	CKC_X_509_ATTR_CERT                  = 0x00000001
-	CKC_WTLS                             = 0x00000002
-	CKC_VENDOR_DEFINED                   = 0x80000000
-	CKF_ARRAY_ATTRIBUTE                  = 0x40000000
-	CK_OTP_FORMAT_DECIMAL                = 0
-	CK_OTP_FORMAT_HEXADECIMAL            = 1
-	CK_OTP_FORMAT_ALPHANUMERIC           = 2
-	CK_OTP_FORMAT_BINARY                 = 3
-	CK_OTP_PARAM_IGNORED                 = 0
-	CK_OTP_PARAM_OPTIONAL                = 1
-	CK_OTP_PARAM_MANDATORY               = 2
-	CKA_CLASS                            = 0x00000000
-	CKA_TOKEN                            = 0x00000001
-	CKA_PRIVATE                          = 0x00000002
-	CKA_LABEL                            = 0x00000003
-	CKA_APPLICATION                      = 0x00000010
-	CKA_VALUE                            = 0x00000011
-	CKA_OBJECT_ID                        = 0x00000012
-	CKA_CERTIFICATE_TYPE                 = 0x00000080
-	CKA_ISSUER                           = 0x00000081
-	CKA_SERIAL_NUMBER                    = 0x00000082
-	CKA_AC_ISSUER                        = 0x00000083
-	CKA_OWNER                            = 0x00000084
-	CKA_ATTR_TYPES                       = 0x00000085
-	CKA_TRUSTED                          = 0x00000086
-	CKA_CERTIFICATE_CATEGORY             = 0x00000087
-	CKA_JAVA_MIDP_SECURITY_DOMAIN        = 0x00000088
-	CKA_URL                              = 0x00000089
-	CKA_HASH_OF_SUBJECT_PUBLIC_KEY       = 0x0000008A
-	CKA_HASH_OF_ISSUER_PUBLIC_KEY        = 0x0000008B
-	CKA_NAME_HASH_ALGORITHM              = 0x0000008C
-	CKA_CHECK_VALUE                      = 0x00000090
-	CKA_KEY_TYPE                         = 0x00000100
-	CKA_SUBJECT                          = 0x00000101
-	CKA_ID                               = 0x00000102
-	CKA_SENSITIVE                        = 0x00000103
-	CKA_ENCRYPT                          = 0x00000104
-	CKA_DECRYPT                          = 0x00000105
-	CKA_WRAP                             = 0x00000106
-	CKA_UNWRAP                           = 0x00000107
-	CKA_SIGN                             = 0x00000108
-	CKA_SIGN_RECOVER                     = 0x00000109
-	CKA_VERIFY                           = 0x0000010A
-	CKA_VERIFY_RECOVER                   = 0x0000010B
-	CKA_DERIVE                           = 0x0000010C
-	CKA_START_DATE                       = 0x00000110
-	CKA_END_DATE                         = 0x00000111
-	CKA_MODULUS                          = 0x00000120
-	CKA_MODULUS_BITS                     = 0x00000121
-	CKA_PUBLIC_EXPONENT                  = 0x00000122
-	CKA_PRIVATE_EXPONENT                 = 0x00000123
-	CKA_PRIME_1                          = 0x00000124
-	CKA_PRIME_2                          = 0x00000125
-	CKA_EXPONENT_1                       = 0x00000126
-	CKA_EXPONENT_2                       = 0x00000127
-	CKA_COEFFICIENT                      = 0x00000128
-	CKA_PUBLIC_KEY_INFO                  = 0x00000129
-	CKA_PRIME                            = 0x00000130
-	CKA_SUBPRIME                         = 0x00000131
-	CKA_BASE                             = 0x00000132
-	CKA_PRIME_BITS                       = 0x00000133
-	CKA_SUBPRIME_BITS                    = 0x00000134
-	CKA_SUB_PRIME_BITS                   = CKA_SUBPRIME_BITS
-	CKA_VALUE_BITS                       = 0x00000160
-	CKA_VALUE_LEN                        = 0x00000161
-	CKA_EXTRACTABLE                      = 0x00000162
-	CKA_LOCAL                            = 0x00000163
-	CKA_NEVER_EXTRACTABLE                = 0x00000164
-	CKA_ALWAYS_SENSITIVE                 = 0x00000165
-	CKA_KEY_GEN_MECHANISM                = 0x00000166
-	CKA_MODIFIABLE                       = 0x00000170
-	CKA_COPYABLE                         = 0x00000171
-	CKA_DESTROYABLE                      = 0x00000172
-	CKA_ECDSA_PARAMS                     = 0x00000180 // Deprecated
-	CKA_EC_PARAMS                        = 0x00000180
-	CKA_EC_POINT                         = 0x00000181
-	CKA_SECONDARY_AUTH                   = 0x00000200 // Deprecated
-	CKA_AUTH_PIN_FLAGS                   = 0x00000201 // Deprecated
-	CKA_ALWAYS_AUTHENTICATE              = 0x00000202
-	CKA_WRAP_WITH_TRUSTED                = 0x00000210
-	CKA_WRAP_TEMPLATE                    = (CKF_ARRAY_ATTRIBUTE | 0x00000211)
-	CKA_UNWRAP_TEMPLATE                  = (CKF_ARRAY_ATTRIBUTE | 0x00000212)
-	CKA_DERIVE_TEMPLATE                  = (CKF_ARRAY_ATTRIBUTE | 0x00000213)
-	CKA_OTP_FORMAT                       = 0x00000220
-	CKA_OTP_LENGTH                       = 0x00000221
-	CKA_OTP_TIME_INTERVAL                = 0x00000222
-	CKA_OTP_USER_FRIENDLY_MODE           = 0x00000223
-	CKA_OTP_CHALLENGE_REQUIREMENT        = 0x00000224
-	CKA_OTP_TIME_REQUIREMENT             = 0x00000225
-	CKA_OTP_COUNTER_REQUIREMENT          = 0x00000226
-	CKA_OTP_PIN_REQUIREMENT              = 0x00000227
-	CKA_OTP_COUNTER                      = 0x0000022E
-	CKA_OTP_TIME                         = 0x0000022F
-	CKA_OTP_USER_IDENTIFIER              = 0x0000022A
-	CKA_OTP_SERVICE_IDENTIFIER           = 0x0000022B
-	CKA_OTP_SERVICE_LOGO                 = 0x0000022C
-	CKA_OTP_SERVICE_LOGO_TYPE            = 0x0000022D
-	CKA_GOSTR3410_PARAMS                 = 0x00000250
-	CKA_GOSTR3411_PARAMS                 = 0x00000251
-	CKA_GOST28147_PARAMS                 = 0x00000252
-	CKA_HW_FEATURE_TYPE                  = 0x00000300
-	CKA_RESET_ON_INIT                    = 0x00000301
-	CKA_HAS_RESET                        = 0x00000302
-	CKA_PIXEL_X                          = 0x00000400
-	CKA_PIXEL_Y                          = 0x00000401
-	CKA_RESOLUTION                       = 0x00000402
-	CKA_CHAR_ROWS                        = 0x00000403
-	CKA_CHAR_COLUMNS                     = 0x00000404
-	CKA_COLOR                            = 0x00000405
-	CKA_BITS_PER_PIXEL                   = 0x00000406
-	CKA_CHAR_SETS                        = 0x00000480
-	CKA_ENCODING_METHODS                 = 0x00000481
-	CKA_MIME_TYPES                       = 0x00000482
-	CKA_MECHANISM_TYPE                   = 0x00000500
-	CKA_REQUIRED_CMS_ATTRIBUTES          = 0x00000501
-	CKA_DEFAULT_CMS_ATTRIBUTES           = 0x00000502
-	CKA_SUPPORTED_CMS_ATTRIBUTES         = 0x00000503
-	CKA_ALLOWED_MECHANISMS               = (CKF_ARRAY_ATTRIBUTE | 0x00000600)
-	CKA_VENDOR_DEFINED                   = 0x80000000
-	CKM_RSA_PKCS_KEY_PAIR_GEN            = 0x00000000
-	CKM_RSA_PKCS                         = 0x00000001
-	CKM_RSA_9796                         = 0x00000002
-	CKM_RSA_X_509                        = 0x00000003
-	CKM_MD2_RSA_PKCS                     = 0x00000004
-	CKM_MD5_RSA_PKCS                     = 0x00000005
-	CKM_SHA1_RSA_PKCS                    = 0x00000006
-	CKM_RIPEMD128_RSA_PKCS               = 0x00000007
-	CKM_RIPEMD160_RSA_PKCS               = 0x00000008
-	CKM_RSA_PKCS_OAEP                    = 0x00000009
-	CKM_RSA_X9_31_KEY_PAIR_GEN           = 0x0000000A
-	CKM_RSA_X9_31                        = 0x0000000B
-	CKM_SHA1_RSA_X9_31                   = 0x0000000C
-	CKM_RSA_PKCS_PSS                     = 0x0000000D
-	CKM_SHA1_RSA_PKCS_PSS                = 0x0000000E
-	CKM_DSA_KEY_PAIR_GEN                 = 0x00000010
-	CKM_DSA                              = 0x00000011
-	CKM_DSA_SHA1                         = 0x00000012
-	CKM_DSA_SHA224                       = 0x00000013
-	CKM_DSA_SHA256                       = 0x00000014
-	CKM_DSA_SHA384                       = 0x00000015
-	CKM_DSA_SHA512                       = 0x00000016
-	CKM_DSA_SHA3_224                     = 0x00000018
-	CKM_DSA_SHA3_256                     = 0x00000019
-	CKM_DSA_SHA3_384                     = 0x0000001A
-	CKM_DSA_SHA3_512                     = 0x0000001B
-	CKM_DH_PKCS_KEY_PAIR_GEN             = 0x00000020
-	CKM_DH_PKCS_DERIVE                   = 0x00000021
-	CKM_X9_42_DH_KEY_PAIR_GEN            = 0x00000030
-	CKM_X9_42_DH_DERIVE                  = 0x00000031
-	CKM_X9_42_DH_HYBRID_DERIVE           = 0x00000032
-	CKM_X9_42_MQV_DERIVE                 = 0x00000033
-	CKM_SHA256_RSA_PKCS                  = 0x00000040
-	CKM_SHA384_RSA_PKCS                  = 0x00000041
-	CKM_SHA512_RSA_PKCS                  = 0x00000042
-	CKM_SHA256_RSA_PKCS_PSS              = 0x00000043
-	CKM_SHA384_RSA_PKCS_PSS              = 0x00000044
-	CKM_SHA512_RSA_PKCS_PSS              = 0x00000045
-	CKM_SHA224_RSA_PKCS                  = 0x00000046
-	CKM_SHA224_RSA_PKCS_PSS              = 0x00000047
-	CKM_SHA512_224                       = 0x00000048
-	CKM_SHA512_224_HMAC                  = 0x00000049
-	CKM_SHA512_224_HMAC_GENERAL          = 0x0000004A
-	CKM_SHA512_224_KEY_DERIVATION        = 0x0000004B
-	CKM_SHA512_256                       = 0x0000004C
-	CKM_SHA512_256_HMAC                  = 0x0000004D
-	CKM_SHA512_256_HMAC_GENERAL          = 0x0000004E
-	CKM_SHA512_256_KEY_DERIVATION        = 0x0000004F
-	CKM_SHA512_T                         = 0x00000050
-	CKM_SHA512_T_HMAC                    = 0x00000051
-	CKM_SHA512_T_HMAC_GENERAL            = 0x00000052
-	CKM_SHA512_T_KEY_DERIVATION          = 0x00000053
-	CKM_SHA3_256_RSA_PKCS                = 0x00000060
-	CKM_SHA3_384_RSA_PKCS                = 0x00000061
-	CKM_SHA3_512_RSA_PKCS                = 0x00000062
-	CKM_SHA3_256_RSA_PKCS_PSS            = 0x00000063
-	CKM_SHA3_384_RSA_PKCS_PSS            = 0x00000064
-	CKM_SHA3_512_RSA_PKCS_PSS            = 0x00000065
-	CKM_SHA3_224_RSA_PKCS                = 0x00000066
-	CKM_SHA3_224_RSA_PKCS_PSS            = 0x00000067
-	CKM_RC2_KEY_GEN                      = 0x00000100
-	CKM_RC2_ECB                          = 0x00000101
-	CKM_RC2_CBC                          = 0x00000102
-	CKM_RC2_MAC                          = 0x00000103
-	CKM_RC2_MAC_GENERAL                  = 0x00000104
-	CKM_RC2_CBC_PAD                      = 0x00000105
-	CKM_RC4_KEY_GEN                      = 0x00000110
-	CKM_RC4                              = 0x00000111
-	CKM_DES_KEY_GEN                      = 0x00000120
-	CKM_DES_ECB                          = 0x00000121
-	CKM_DES_CBC                          = 0x00000122
-	CKM_DES_MAC                          = 0x00000123
-	CKM_DES_MAC_GENERAL                  = 0x00000124
-	CKM_DES_CBC_PAD                      = 0x00000125
-	CKM_DES2_KEY_GEN                     = 0x00000130
-	CKM_DES3_KEY_GEN                     = 0x00000131
-	CKM_DES3_ECB                         = 0x00000132
-	CKM_DES3_CBC                         = 0x00000133
-	CKM_DES3_MAC                         = 0x00000134
-	CKM_DES3_MAC_GENERAL                 = 0x00000135
-	CKM_DES3_CBC_PAD                     = 0x00000136
-	CKM_DES3_CMAC_GENERAL                = 0x00000137
-	CKM_DES3_CMAC                        = 0x00000138
-	CKM_CDMF_KEY_GEN                     = 0x00000140
-	CKM_CDMF_ECB                         = 0x00000141
-	CKM_CDMF_CBC                         = 0x00000142
-	CKM_CDMF_MAC                         = 0x00000143
-	CKM_CDMF_MAC_GENERAL                 = 0x00000144
-	CKM_CDMF_CBC_PAD                     = 0x00000145
-	CKM_DES_OFB64                        = 0x00000150
-	CKM_DES_OFB8                         = 0x00000151
-	CKM_DES_CFB64                        = 0x00000152
-	CKM_DES_CFB8                         = 0x00000153
-	CKM_MD2                              = 0x00000200
-	CKM_MD2_HMAC                         = 0x00000201
-	CKM_MD2_HMAC_GENERAL                 = 0x00000202
-	CKM_MD5                              = 0x00000210
-	CKM_MD5_HMAC                         = 0x00000211
-	CKM_MD5_HMAC_GENERAL                 = 0x00000212
-	CKM_SHA_1                            = 0x00000220
-	CKM_SHA_1_HMAC                       = 0x00000221
-	CKM_SHA_1_HMAC_GENERAL               = 0x00000222
-	CKM_RIPEMD128                        = 0x00000230
-	CKM_RIPEMD128_HMAC                   = 0x00000231
-	CKM_RIPEMD128_HMAC_GENERAL           = 0x00000232
-	CKM_RIPEMD160                        = 0x00000240
-	CKM_RIPEMD160_HMAC                   = 0x00000241
-	CKM_RIPEMD160_HMAC_GENERAL           = 0x00000242
-	CKM_SHA256                           = 0x00000250
-	CKM_SHA256_HMAC                      = 0x00000251
-	CKM_SHA256_HMAC_GENERAL              = 0x00000252
-	CKM_SHA224                           = 0x00000255
-	CKM_SHA224_HMAC                      = 0x00000256
-	CKM_SHA224_HMAC_GENERAL              = 0x00000257
-	CKM_SHA384                           = 0x00000260
-	CKM_SHA384_HMAC                      = 0x00000261
-	CKM_SHA384_HMAC_GENERAL              = 0x00000262
-	CKM_SHA512                           = 0x00000270
-	CKM_SHA512_HMAC                      = 0x00000271
-	CKM_SHA512_HMAC_GENERAL              = 0x00000272
-	CKM_SECURID_KEY_GEN                  = 0x00000280
-	CKM_SECURID                          = 0x00000282
-	CKM_HOTP_KEY_GEN                     = 0x00000290
-	CKM_HOTP                             = 0x00000291
-	CKM_ACTI                             = 0x000002A0
-	CKM_ACTI_KEY_GEN                     = 0x000002A1
-	CKM_SHA3_256                         = 0x000002B0
-	CKM_SHA3_256_HMAC                    = 0x000002B1
-	CKM_SHA3_256_HMAC_GENERAL            = 0x000002B2
-	CKM_SHA3_256_KEY_GEN                 = 0x000002B3
-	CKM_SHA3_224                         = 0x000002B5
-	CKM_SHA3_224_HMAC                    = 0x000002B6
-	CKM_SHA3_224_HMAC_GENERAL            = 0x000002B7
-	CKM_SHA3_224_KEY_GEN                 = 0x000002B8
-	CKM_SHA3_384                         = 0x000002C0
-	CKM_SHA3_384_HMAC                    = 0x000002C1
-	CKM_SHA3_384_HMAC_GENERAL            = 0x000002C2
-	CKM_SHA3_384_KEY_GEN                 = 0x000002C3
-	CKM_SHA3_512                         = 0x000002D0
-	CKM_SHA3_512_HMAC                    = 0x000002D1
-	CKM_SHA3_512_HMAC_GENERAL            = 0x000002D2
-	CKM_SHA3_512_KEY_GEN                 = 0x000002D3
-	CKM_CAST_KEY_GEN                     = 0x00000300
-	CKM_CAST_ECB                         = 0x00000301
-	CKM_CAST_CBC                         = 0x00000302
-	CKM_CAST_MAC                         = 0x00000303
-	CKM_CAST_MAC_GENERAL                 = 0x00000304
-	CKM_CAST_CBC_PAD                     = 0x00000305
-	CKM_CAST3_KEY_GEN                    = 0x00000310
-	CKM_CAST3_ECB                        = 0x00000311
-	CKM_CAST3_CBC                        = 0x00000312
-	CKM_CAST3_MAC                        = 0x00000313
-	CKM_CAST3_MAC_GENERAL                = 0x00000314
-	CKM_CAST3_CBC_PAD                    = 0x00000315
-	CKM_CAST5_KEY_GEN                    = 0x00000320
-	CKM_CAST128_KEY_GEN                  = 0x00000320
-	CKM_CAST5_ECB                        = 0x00000321
-	CKM_CAST128_ECB                      = 0x00000321
-	CKM_CAST5_CBC                        = 0x00000322 // Deprecated
-	CKM_CAST128_CBC                      = 0x00000322
-	CKM_CAST5_MAC                        = 0x00000323 // Deprecated
-	CKM_CAST128_MAC                      = 0x00000323
-	CKM_CAST5_MAC_GENERAL                = 0x00000324 // Deprecated
-	CKM_CAST128_MAC_GENERAL              = 0x00000324
-	CKM_CAST5_CBC_PAD                    = 0x00000325 // Deprecated
-	CKM_CAST128_CBC_PAD                  = 0x00000325
-	CKM_RC5_KEY_GEN                      = 0x00000330
-	CKM_RC5_ECB                          = 0x00000331
-	CKM_RC5_CBC                          = 0x00000332
-	CKM_RC5_MAC                          = 0x00000333
-	CKM_RC5_MAC_GENERAL                  = 0x00000334
-	CKM_RC5_CBC_PAD                      = 0x00000335
-	CKM_IDEA_KEY_GEN                     = 0x00000340
-	CKM_IDEA_ECB                         = 0x00000341
-	CKM_IDEA_CBC                         = 0x00000342
-	CKM_IDEA_MAC                         = 0x00000343
-	CKM_IDEA_MAC_GENERAL                 = 0x00000344
-	CKM_IDEA_CBC_PAD                     = 0x00000345
-	CKM_GENERIC_SECRET_KEY_GEN           = 0x00000350
-	CKM_CONCATENATE_BASE_AND_KEY         = 0x00000360
-	CKM_CONCATENATE_BASE_AND_DATA        = 0x00000362
-	CKM_CONCATENATE_DATA_AND_BASE        = 0x00000363
-	CKM_XOR_BASE_AND_DATA                = 0x00000364
-	CKM_EXTRACT_KEY_FROM_KEY             = 0x00000365
-	CKM_SSL3_PRE_MASTER_KEY_GEN          = 0x00000370
-	CKM_SSL3_MASTER_KEY_DERIVE           = 0x00000371
-	CKM_SSL3_KEY_AND_MAC_DERIVE          = 0x00000372
-	CKM_SSL3_MASTER_KEY_DERIVE_DH        = 0x00000373
-	CKM_TLS_PRE_MASTER_KEY_GEN           = 0x00000374
-	CKM_TLS_MASTER_KEY_DERIVE            = 0x00000375
-	CKM_TLS_KEY_AND_MAC_DERIVE           = 0x00000376
-	CKM_TLS_MASTER_KEY_DERIVE_DH         = 0x00000377
-	CKM_TLS_PRF                          = 0x00000378
-	CKM_SSL3_MD5_MAC                     = 0x00000380
-	CKM_SSL3_SHA1_MAC                    = 0x00000381
-	CKM_MD5_KEY_DERIVATION               = 0x00000390
-	CKM_MD2_KEY_DERIVATION               = 0x00000391
-	CKM_SHA1_KEY_DERIVATION              = 0x00000392
-	CKM_SHA256_KEY_DERIVATION            = 0x00000393
-	CKM_SHA384_KEY_DERIVATION            = 0x00000394
-	CKM_SHA512_KEY_DERIVATION            = 0x00000395
-	CKM_SHA224_KEY_DERIVATION            = 0x00000396
-	CKM_SHA3_256_KEY_DERIVE              = 0x00000397
-	CKM_SHA3_224_KEY_DERIVE              = 0x00000398
-	CKM_SHA3_384_KEY_DERIVE              = 0x00000399
-	CKM_SHA3_512_KEY_DERIVE              = 0x0000039A
-	CKM_SHAKE_128_KEY_DERIVE             = 0x0000039B
-	CKM_SHAKE_256_KEY_DERIVE             = 0x0000039C
-	CKM_PBE_MD2_DES_CBC                  = 0x000003A0
-	CKM_PBE_MD5_DES_CBC                  = 0x000003A1
-	CKM_PBE_MD5_CAST_CBC                 = 0x000003A2
-	CKM_PBE_MD5_CAST3_CBC                = 0x000003A3
-	CKM_PBE_MD5_CAST5_CBC                = 0x000003A4 // Deprecated
-	CKM_PBE_MD5_CAST128_CBC              = 0x000003A4
-	CKM_PBE_SHA1_CAST5_CBC               = 0x000003A5 // Deprecated
-	CKM_PBE_SHA1_CAST128_CBC             = 0x000003A5
-	CKM_PBE_SHA1_RC4_128                 = 0x000003A6
-	CKM_PBE_SHA1_RC4_40                  = 0x000003A7
-	CKM_PBE_SHA1_DES3_EDE_CBC            = 0x000003A8
-	CKM_PBE_SHA1_DES2_EDE_CBC            = 0x000003A9
-	CKM_PBE_SHA1_RC2_128_CBC             = 0x000003AA
-	CKM_PBE_SHA1_RC2_40_CBC              = 0x000003AB
-	CKM_PKCS5_PBKD2                      = 0x000003B0
-	CKM_PBA_SHA1_WITH_SHA1_HMAC          = 0x000003C0
-	CKM_WTLS_PRE_MASTER_KEY_GEN          = 0x000003D0
-	CKM_WTLS_MASTER_KEY_DERIVE           = 0x000003D1
-	CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC    = 0x000003D2
-	CKM_WTLS_PRF                         = 0x000003D3
-	CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE   = 0x000003D4
-	CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE   = 0x000003D5
-	CKM_TLS10_MAC_SERVER                 = 0x000003D6
-	CKM_TLS10_MAC_CLIENT                 = 0x000003D7
-	CKM_TLS12_MAC                        = 0x000003D8
-	CKM_TLS12_KDF                        = 0x000003D9
-	CKM_TLS12_MASTER_KEY_DERIVE          = 0x000003E0
-	CKM_TLS12_KEY_AND_MAC_DERIVE         = 0x000003E1
-	CKM_TLS12_MASTER_KEY_DERIVE_DH       = 0x000003E2
-	CKM_TLS12_KEY_SAFE_DERIVE            = 0x000003E3
-	CKM_TLS_MAC                          = 0x000003E4
-	CKM_TLS_KDF                          = 0x000003E5
-	CKM_KEY_WRAP_LYNKS                   = 0x00000400
-	CKM_KEY_WRAP_SET_OAEP                = 0x00000401
-	CKM_CMS_SIG                          = 0x00000500
-	CKM_KIP_DERIVE                       = 0x00000510
-	CKM_KIP_WRAP                         = 0x00000511
-	CKM_KIP_MAC                          = 0x00000512
-	CKM_CAMELLIA_KEY_GEN                 = 0x00000550
-	CKM_CAMELLIA_ECB                     = 0x00000551
-	CKM_CAMELLIA_CBC                     = 0x00000552
-	CKM_CAMELLIA_MAC                     = 0x00000553
-	CKM_CAMELLIA_MAC_GENERAL             = 0x00000554
-	CKM_CAMELLIA_CBC_PAD                 = 0x00000555
-	CKM_CAMELLIA_ECB_ENCRYPT_DATA        = 0x00000556
-	CKM_CAMELLIA_CBC_ENCRYPT_DATA        = 0x00000557
-	CKM_CAMELLIA_CTR                     = 0x00000558
-	CKM_ARIA_KEY_GEN                     = 0x00000560
-	CKM_ARIA_ECB                         = 0x00000561
-	CKM_ARIA_CBC                         = 0x00000562
-	CKM_ARIA_MAC                         = 0x00000563
-	CKM_ARIA_MAC_GENERAL                 = 0x00000564
-	CKM_ARIA_CBC_PAD                     = 0x00000565
-	CKM_ARIA_ECB_ENCRYPT_DATA            = 0x00000566
-	CKM_ARIA_CBC_ENCRYPT_DATA            = 0x00000567
-	CKM_SEED_KEY_GEN                     = 0x00000650
-	CKM_SEED_ECB                         = 0x00000651
-	CKM_SEED_CBC                         = 0x00000652
-	CKM_SEED_MAC                         = 0x00000653
-	CKM_SEED_MAC_GENERAL                 = 0x00000654
-	CKM_SEED_CBC_PAD                     = 0x00000655
-	CKM_SEED_ECB_ENCRYPT_DATA            = 0x00000656
-	CKM_SEED_CBC_ENCRYPT_DATA            = 0x00000657
-	CKM_SKIPJACK_KEY_GEN                 = 0x00001000
-	CKM_SKIPJACK_ECB64                   = 0x00001001
-	CKM_SKIPJACK_CBC64                   = 0x00001002
-	CKM_SKIPJACK_OFB64                   = 0x00001003
-	CKM_SKIPJACK_CFB64                   = 0x00001004
-	CKM_SKIPJACK_CFB32                   = 0x00001005
-	CKM_SKIPJACK_CFB16                   = 0x00001006
-	CKM_SKIPJACK_CFB8                    = 0x00001007
-	CKM_SKIPJACK_WRAP                    = 0x00001008
-	CKM_SKIPJACK_PRIVATE_WRAP            = 0x00001009
-	CKM_SKIPJACK_RELAYX                  = 0x0000100a
-	CKM_KEA_KEY_PAIR_GEN                 = 0x00001010
-	CKM_KEA_KEY_DERIVE                   = 0x00001011
-	CKM_KEA_DERIVE                       = 0x00001012
-	CKM_FORTEZZA_TIMESTAMP               = 0x00001020
-	CKM_BATON_KEY_GEN                    = 0x00001030
-	CKM_BATON_ECB128                     = 0x00001031
-	CKM_BATON_ECB96                      = 0x00001032
-	CKM_BATON_CBC128                     = 0x00001033
-	CKM_BATON_COUNTER                    = 0x00001034
-	CKM_BATON_SHUFFLE                    = 0x00001035
-	CKM_BATON_WRAP                       = 0x00001036
-	CKM_ECDSA_KEY_PAIR_GEN               = 0x00001040 // Deprecated
-	CKM_EC_KEY_PAIR_GEN                  = 0x00001040
-	CKM_ECDSA                            = 0x00001041
-	CKM_ECDSA_SHA1                       = 0x00001042
-	CKM_ECDSA_SHA224                     = 0x00001043
-	CKM_ECDSA_SHA256                     = 0x00001044
-	CKM_ECDSA_SHA384                     = 0x00001045
-	CKM_ECDSA_SHA512                     = 0x00001046
-	CKM_ECDH1_DERIVE                     = 0x00001050
-	CKM_ECDH1_COFACTOR_DERIVE            = 0x00001051
-	CKM_ECMQV_DERIVE                     = 0x00001052
-	CKM_ECDH_AES_KEY_WRAP                = 0x00001053
-	CKM_RSA_AES_KEY_WRAP                 = 0x00001054
-	CKM_JUNIPER_KEY_GEN                  = 0x00001060
-	CKM_JUNIPER_ECB128                   = 0x00001061
-	CKM_JUNIPER_CBC128                   = 0x00001062
-	CKM_JUNIPER_COUNTER                  = 0x00001063
-	CKM_JUNIPER_SHUFFLE                  = 0x00001064
-	CKM_JUNIPER_WRAP                     = 0x00001065
-	CKM_FASTHASH                         = 0x00001070
-	CKM_AES_KEY_GEN                      = 0x00001080
-	CKM_AES_ECB                          = 0x00001081
-	CKM_AES_CBC                          = 0x00001082
-	CKM_AES_MAC                          = 0x00001083
-	CKM_AES_MAC_GENERAL                  = 0x00001084
-	CKM_AES_CBC_PAD                      = 0x00001085
-	CKM_AES_CTR                          = 0x00001086
-	CKM_AES_GCM                          = 0x00001087
-	CKM_AES_CCM                          = 0x00001088
-	CKM_AES_CTS                          = 0x00001089
-	CKM_AES_CMAC                         = 0x0000108A
-	CKM_AES_CMAC_GENERAL                 = 0x0000108B
-	CKM_AES_XCBC_MAC                     = 0x0000108C
-	CKM_AES_XCBC_MAC_96                  = 0x0000108D
-	CKM_AES_GMAC                         = 0x0000108E
-	CKM_BLOWFISH_KEY_GEN                 = 0x00001090
-	CKM_BLOWFISH_CBC                     = 0x00001091
-	CKM_TWOFISH_KEY_GEN                  = 0x00001092
-	CKM_TWOFISH_CBC                      = 0x00001093
-	CKM_BLOWFISH_CBC_PAD                 = 0x00001094
-	CKM_TWOFISH_CBC_PAD                  = 0x00001095
-	CKM_DES_ECB_ENCRYPT_DATA             = 0x00001100
-	CKM_DES_CBC_ENCRYPT_DATA             = 0x00001101
-	CKM_DES3_ECB_ENCRYPT_DATA            = 0x00001102
-	CKM_DES3_CBC_ENCRYPT_DATA            = 0x00001103
-	CKM_AES_ECB_ENCRYPT_DATA             = 0x00001104
-	CKM_AES_CBC_ENCRYPT_DATA             = 0x00001105
-	CKM_GOSTR3410_KEY_PAIR_GEN           = 0x00001200
-	CKM_GOSTR3410                        = 0x00001201
-	CKM_GOSTR3410_WITH_GOSTR3411         = 0x00001202
-	CKM_GOSTR3410_KEY_WRAP               = 0x00001203
-	CKM_GOSTR3410_DERIVE                 = 0x00001204
-	CKM_GOSTR3411                        = 0x00001210
-	CKM_GOSTR3411_HMAC                   = 0x00001211
-	CKM_GOST28147_KEY_GEN                = 0x00001220
-	CKM_GOST28147_ECB                    = 0x00001221
-	CKM_GOST28147                        = 0x00001222
-	CKM_GOST28147_MAC                    = 0x00001223
-	CKM_GOST28147_KEY_WRAP               = 0x00001224
-	CKM_DSA_PARAMETER_GEN                = 0x00002000
-	CKM_DH_PKCS_PARAMETER_GEN            = 0x00002001
-	CKM_X9_42_DH_PARAMETER_GEN           = 0x00002002
-	CKM_DSA_PROBABLISTIC_PARAMETER_GEN   = 0x00002003
-	CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN   = 0x00002004
-	CKM_AES_OFB                          = 0x00002104
-	CKM_AES_CFB64                        = 0x00002105
-	CKM_AES_CFB8                         = 0x00002106
-	CKM_AES_CFB128                       = 0x00002107
-	CKM_AES_CFB1                         = 0x00002108
-	CKM_AES_KEY_WRAP                     = 0x00002109
-	CKM_AES_KEY_WRAP_PAD                 = 0x0000210A
-	CKM_RSA_PKCS_TPM_1_1                 = 0x00004001
-	CKM_RSA_PKCS_OAEP_TPM_1_1            = 0x00004002
-	CKM_VENDOR_DEFINED                   = 0x80000000
-	CKF_HW                               = 0x00000001
-	CKF_ENCRYPT                          = 0x00000100
-	CKF_DECRYPT                          = 0x00000200
-	CKF_DIGEST                           = 0x00000400
-	CKF_SIGN                             = 0x00000800
-	CKF_SIGN_RECOVER                     = 0x00001000
-	CKF_VERIFY                           = 0x00002000
-	CKF_VERIFY_RECOVER                   = 0x00004000
-	CKF_GENERATE                         = 0x00008000
-	CKF_GENERATE_KEY_PAIR                = 0x00010000
-	CKF_WRAP                             = 0x00020000
-	CKF_UNWRAP                           = 0x00040000
-	CKF_DERIVE                           = 0x00080000
-	CKF_EC_F_P                           = 0x00100000
-	CKF_EC_F_2M                          = 0x00200000
-	CKF_EC_ECPARAMETERS                  = 0x00400000
-	CKF_EC_NAMEDCURVE                    = 0x00800000
-	CKF_EC_UNCOMPRESS                    = 0x01000000
-	CKF_EC_COMPRESS                      = 0x02000000
-	CKF_EXTENSION                        = 0x80000000
-	CKR_OK                               = 0x00000000
-	CKR_CANCEL                           = 0x00000001
-	CKR_HOST_MEMORY                      = 0x00000002
-	CKR_SLOT_ID_INVALID                  = 0x00000003
-	CKR_GENERAL_ERROR                    = 0x00000005
-	CKR_FUNCTION_FAILED                  = 0x00000006
-	CKR_ARGUMENTS_BAD                    = 0x00000007
-	CKR_NO_EVENT                         = 0x00000008
-	CKR_NEED_TO_CREATE_THREADS           = 0x00000009
-	CKR_CANT_LOCK                        = 0x0000000A
-	CKR_ATTRIBUTE_READ_ONLY              = 0x00000010
-	CKR_ATTRIBUTE_SENSITIVE              = 0x00000011
-	CKR_ATTRIBUTE_TYPE_INVALID           = 0x00000012
-	CKR_ATTRIBUTE_VALUE_INVALID          = 0x00000013
-	CKR_ACTION_PROHIBITED                = 0x0000001B
-	CKR_DATA_INVALID                     = 0x00000020
-	CKR_DATA_LEN_RANGE                   = 0x00000021
-	CKR_DEVICE_ERROR                     = 0x00000030
-	CKR_DEVICE_MEMORY                    = 0x00000031
-	CKR_DEVICE_REMOVED                   = 0x00000032
-	CKR_ENCRYPTED_DATA_INVALID           = 0x00000040
-	CKR_ENCRYPTED_DATA_LEN_RANGE         = 0x00000041
-	CKR_FUNCTION_CANCELED                = 0x00000050
-	CKR_FUNCTION_NOT_PARALLEL            = 0x00000051
-	CKR_FUNCTION_NOT_SUPPORTED           = 0x00000054
-	CKR_KEY_HANDLE_INVALID               = 0x00000060
-	CKR_KEY_SIZE_RANGE                   = 0x00000062
-	CKR_KEY_TYPE_INCONSISTENT            = 0x00000063
-	CKR_KEY_NOT_NEEDED                   = 0x00000064
-	CKR_KEY_CHANGED                      = 0x00000065
-	CKR_KEY_NEEDED                       = 0x00000066
-	CKR_KEY_INDIGESTIBLE                 = 0x00000067
-	CKR_KEY_FUNCTION_NOT_PERMITTED       = 0x00000068
-	CKR_KEY_NOT_WRAPPABLE                = 0x00000069
-	CKR_KEY_UNEXTRACTABLE                = 0x0000006A
-	CKR_MECHANISM_INVALID                = 0x00000070
-	CKR_MECHANISM_PARAM_INVALID          = 0x00000071
-	CKR_OBJECT_HANDLE_INVALID            = 0x00000082
-	CKR_OPERATION_ACTIVE                 = 0x00000090
-	CKR_OPERATION_NOT_INITIALIZED        = 0x00000091
-	CKR_PIN_INCORRECT                    = 0x000000A0
-	CKR_PIN_INVALID                      = 0x000000A1
-	CKR_PIN_LEN_RANGE                    = 0x000000A2
-	CKR_PIN_EXPIRED                      = 0x000000A3
-	CKR_PIN_LOCKED                       = 0x000000A4
-	CKR_SESSION_CLOSED                   = 0x000000B0
-	CKR_SESSION_COUNT                    = 0x000000B1
-	CKR_SESSION_HANDLE_INVALID           = 0x000000B3
-	CKR_SESSION_PARALLEL_NOT_SUPPORTED   = 0x000000B4
-	CKR_SESSION_READ_ONLY                = 0x000000B5
-	CKR_SESSION_EXISTS                   = 0x000000B6
-	CKR_SESSION_READ_ONLY_EXISTS         = 0x000000B7
-	CKR_SESSION_READ_WRITE_SO_EXISTS     = 0x000000B8
-	CKR_SIGNATURE_INVALID                = 0x000000C0
-	CKR_SIGNATURE_LEN_RANGE              = 0x000000C1
-	CKR_TEMPLATE_INCOMPLETE              = 0x000000D0
-	CKR_TEMPLATE_INCONSISTENT            = 0x000000D1
-	CKR_TOKEN_NOT_PRESENT                = 0x000000E0
-	CKR_TOKEN_NOT_RECOGNIZED             = 0x000000E1
-	CKR_TOKEN_WRITE_PROTECTED            = 0x000000E2
-	CKR_UNWRAPPING_KEY_HANDLE_INVALID    = 0x000000F0
-	CKR_UNWRAPPING_KEY_SIZE_RANGE        = 0x000000F1
-	CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x000000F2
-	CKR_USER_ALREADY_LOGGED_IN           = 0x00000100
-	CKR_USER_NOT_LOGGED_IN               = 0x00000101
-	CKR_USER_PIN_NOT_INITIALIZED         = 0x00000102
-	CKR_USER_TYPE_INVALID                = 0x00000103
-	CKR_USER_ANOTHER_ALREADY_LOGGED_IN   = 0x00000104
-	CKR_USER_TOO_MANY_TYPES              = 0x00000105
-	CKR_WRAPPED_KEY_INVALID              = 0x00000110
-	CKR_WRAPPED_KEY_LEN_RANGE            = 0x00000112
-	CKR_WRAPPING_KEY_HANDLE_INVALID      = 0x00000113
-	CKR_WRAPPING_KEY_SIZE_RANGE          = 0x00000114
-	CKR_WRAPPING_KEY_TYPE_INCONSISTENT   = 0x00000115
-	CKR_RANDOM_SEED_NOT_SUPPORTED        = 0x00000120
-	CKR_RANDOM_NO_RNG                    = 0x00000121
-	CKR_DOMAIN_PARAMS_INVALID            = 0x00000130
-	CKR_CURVE_NOT_SUPPORTED              = 0x00000140
-	CKR_BUFFER_TOO_SMALL                 = 0x00000150
-	CKR_SAVED_STATE_INVALID              = 0x00000160
-	CKR_INFORMATION_SENSITIVE            = 0x00000170
-	CKR_STATE_UNSAVEABLE                 = 0x00000180
-	CKR_CRYPTOKI_NOT_INITIALIZED         = 0x00000190
-	CKR_CRYPTOKI_ALREADY_INITIALIZED     = 0x00000191
-	CKR_MUTEX_BAD                        = 0x000001A0
-	CKR_MUTEX_NOT_LOCKED                 = 0x000001A1
-	CKR_NEW_PIN_MODE                     = 0x000001B0
-	CKR_NEXT_OTP                         = 0x000001B1
-	CKR_EXCEEDED_MAX_ITERATIONS          = 0x000001B5
-	CKR_FIPS_SELF_TEST_FAILED            = 0x000001B6
-	CKR_LIBRARY_LOAD_FAILED              = 0x000001B7
-	CKR_PIN_TOO_WEAK                     = 0x000001B8
-	CKR_PUBLIC_KEY_INVALID               = 0x000001B9
-	CKR_FUNCTION_REJECTED                = 0x00000200
-	CKR_VENDOR_DEFINED                   = 0x80000000
-	CKF_LIBRARY_CANT_CREATE_OS_THREADS   = 0x00000001
-	CKF_OS_LOCKING_OK                    = 0x00000002
-	CKF_DONT_BLOCK                       = 1
-	CKG_MGF1_SHA1                        = 0x00000001
-	CKG_MGF1_SHA256                      = 0x00000002
-	CKG_MGF1_SHA384                      = 0x00000003
-	CKG_MGF1_SHA512                      = 0x00000004
-	CKG_MGF1_SHA224                      = 0x00000005
-	CKZ_DATA_SPECIFIED                   = 0x00000001
-	CKD_NULL                             = 0x00000001
-	CKD_SHA1_KDF                         = 0x00000002
-	CKD_SHA1_KDF_ASN1                    = 0x00000003
-	CKD_SHA1_KDF_CONCATENATE             = 0x00000004
-	CKD_SHA224_KDF                       = 0x00000005
-	CKD_SHA256_KDF                       = 0x00000006
-	CKD_SHA384_KDF                       = 0x00000007
-	CKD_SHA512_KDF                       = 0x00000008
-	CKD_CPDIVERSIFY_KDF                  = 0x00000009
-	CKD_SHA3_224_KDF                     = 0x0000000A
-	CKD_SHA3_256_KDF                     = 0x0000000B
-	CKD_SHA3_384_KDF                     = 0x0000000C
-	CKD_SHA3_512_KDF                     = 0x0000000D
-	CKP_PKCS5_PBKD2_HMAC_SHA1            = 0x00000001
-	CKP_PKCS5_PBKD2_HMAC_GOSTR3411       = 0x00000002
-	CKP_PKCS5_PBKD2_HMAC_SHA224          = 0x00000003
-	CKP_PKCS5_PBKD2_HMAC_SHA256          = 0x00000004
-	CKP_PKCS5_PBKD2_HMAC_SHA384          = 0x00000005
-	CKP_PKCS5_PBKD2_HMAC_SHA512          = 0x00000006
-	CKP_PKCS5_PBKD2_HMAC_SHA512_224      = 0x00000007
-	CKP_PKCS5_PBKD2_HMAC_SHA512_256      = 0x00000008
-	CKZ_SALT_SPECIFIED                   = 0x00000001
-	CK_OTP_VALUE                         = 0
-	CK_OTP_PIN                           = 1
-	CK_OTP_CHALLENGE                     = 2
-	CK_OTP_TIME                          = 3
-	CK_OTP_COUNTER                       = 4
-	CK_OTP_FLAGS                         = 5
-	CK_OTP_OUTPUT_LENGTH                 = 6
-	CK_OTP_OUTPUT_FORMAT                 = 7
-	CKF_NEXT_OTP                         = 0x00000001
-	CKF_EXCLUDE_TIME                     = 0x00000002
-	CKF_EXCLUDE_COUNTER                  = 0x00000004
-	CKF_EXCLUDE_CHALLENGE                = 0x00000008
-	CKF_EXCLUDE_PIN                      = 0x00000010
-	CKF_USER_FRIENDLY_OTP                = 0x00000020
-)
diff --git a/vendor/github.com/moby/go-archive/.gitattributes b/vendor/github.com/moby/go-archive/.gitattributes
new file mode 100644
index 00000000..4bb139d9
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/.gitattributes
@@ -0,0 +1,2 @@
+*.go -text diff=golang
+*.go text eol=lf
diff --git a/vendor/github.com/moby/go-archive/.gitignore b/vendor/github.com/moby/go-archive/.gitignore
new file mode 100644
index 00000000..3f2bc474
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/.gitignore
@@ -0,0 +1 @@
+/coverage.txt
diff --git a/vendor/github.com/moby/go-archive/.golangci.yml b/vendor/github.com/moby/go-archive/.golangci.yml
new file mode 100644
index 00000000..21439e5c
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/.golangci.yml
@@ -0,0 +1,33 @@
+version: "2"
+
+issues:
+  # Disable maximum issues count per one linter.
+  max-issues-per-linter: 0
+  # Disable maximum count of issues with the same text.
+  max-same-issues: 0
+
+linters:
+  enable:
+    - errorlint
+    - unconvert
+    - unparam
+  exclusions:
+    generated: disable
+    presets:
+      - comments
+      - std-error-handling
+  settings:
+    staticcheck:
+      # Enable all options, with some exceptions.
+      # For defaults, see https://golangci-lint.run/usage/linters/#staticcheck
+      checks:
+        - all
+        - -QF1008     # Omit embedded fields from selector expression; https://staticcheck.dev/docs/checks/#QF1008
+        - -ST1003     # Poorly chosen identifier; https://staticcheck.dev/docs/checks/#ST1003
+
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: disable
diff --git a/vendor/github.com/theupdateframework/notary/LICENSE b/vendor/github.com/moby/go-archive/LICENSE
similarity index 99%
rename from vendor/github.com/theupdateframework/notary/LICENSE
rename to vendor/github.com/moby/go-archive/LICENSE
index ad950095..d6456956 100644
--- a/vendor/github.com/theupdateframework/notary/LICENSE
+++ b/vendor/github.com/moby/go-archive/LICENSE
@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -178,7 +179,7 @@
    APPENDIX: How to apply the Apache License to your work.
 
       To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
+      boilerplate notice, with the fields enclosed by brackets "[]"
       replaced with your own identifying information. (Don't include
       the brackets!)  The text should be enclosed in the appropriate
       comment syntax for the file format. We also recommend that a
@@ -186,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2015 Docker, Inc.
+   Copyright [yyyy] [name of copyright owner]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive.go b/vendor/github.com/moby/go-archive/archive.go
similarity index 72%
rename from vendor/github.com/docker/docker/pkg/archive/archive.go
rename to vendor/github.com/moby/go-archive/archive.go
index b0578040..7a105aef 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive.go
+++ b/vendor/github.com/moby/go-archive/archive.go
@@ -3,32 +3,24 @@ package archive
 
 import (
 	"archive/tar"
-	"bufio"
-	"bytes"
-	"compress/bzip2"
-	"compress/gzip"
 	"context"
-	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
-	"runtime/debug"
-	"strconv"
 	"strings"
-	"sync"
-	"sync/atomic"
 	"syscall"
 	"time"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/idtools"
-	"github.com/klauspost/compress/zstd"
 	"github.com/moby/patternmatcher"
 	"github.com/moby/sys/sequential"
+	"github.com/moby/sys/user"
+
+	"github.com/moby/go-archive/compression"
+	"github.com/moby/go-archive/tarheader"
 )
 
 // ImpliedDirectoryMode represents the mode (Unix permissions) applied to directories that are implied by files in a
@@ -45,18 +37,25 @@ const ImpliedDirectoryMode = 0o755
 
 type (
 	// Compression is the state represents if compressed or not.
-	Compression int
+	//
+	// Deprecated: use [compression.Compression].
+	Compression = compression.Compression
 	// WhiteoutFormat is the format of whiteouts unpacked
 	WhiteoutFormat int
 
+	ChownOpts struct {
+		UID int
+		GID int
+	}
+
 	// TarOptions wraps the tar options.
 	TarOptions struct {
 		IncludeFiles     []string
 		ExcludePatterns  []string
-		Compression      Compression
+		Compression      compression.Compression
 		NoLchown         bool
-		IDMap            idtools.IdentityMapping
-		ChownOpts        *idtools.Identity
+		IDMap            user.IdentityMapping
+		ChownOpts        *ChownOpts
 		IncludeSourceDir bool
 		// WhiteoutFormat is the expected on disk format for whiteout files.
 		// This format will be converted to the standard format on pack
@@ -83,7 +82,7 @@ type (
 // mappings for untar, an Archiver can be created with maps which will then be passed to Untar operations.
 type Archiver struct {
 	Untar     func(io.Reader, string, *TarOptions) error
-	IDMapping idtools.IdentityMapping
+	IDMapping user.IdentityMapping
 }
 
 // NewDefaultArchiver returns a new Archiver without any IdentityMapping
@@ -97,11 +96,11 @@ func NewDefaultArchiver() *Archiver {
 type breakoutError error
 
 const (
-	Uncompressed Compression = 0 // Uncompressed represents the uncompressed.
-	Bzip2        Compression = 1 // Bzip2 is bzip2 compression algorithm.
-	Gzip         Compression = 2 // Gzip is gzip compression algorithm.
-	Xz           Compression = 3 // Xz is xz compression algorithm.
-	Zstd         Compression = 4 // Zstd is zstd compression algorithm.
+	Uncompressed = compression.None  // Deprecated: use [compression.None].
+	Bzip2        = compression.Bzip2 // Deprecated: use [compression.Bzip2].
+	Gzip         = compression.Gzip  // Deprecated: use [compression.Gzip].
+	Xz           = compression.Xz    // Deprecated: use [compression.Xz].
+	Zstd         = compression.Zstd  // Deprecated: use [compression.Zstd].
 )
 
 const (
@@ -117,7 +116,7 @@ func IsArchivePath(path string) bool {
 		return false
 	}
 	defer file.Close()
-	rdr, err := DecompressStream(file)
+	rdr, err := compression.DecompressStream(file)
 	if err != nil {
 		return false
 	}
@@ -127,244 +126,25 @@ func IsArchivePath(path string) bool {
 	return err == nil
 }
 
-const (
-	zstdMagicSkippableStart = 0x184D2A50
-	zstdMagicSkippableMask  = 0xFFFFFFF0
-)
-
-var (
-	bzip2Magic = []byte{0x42, 0x5A, 0x68}
-	gzipMagic  = []byte{0x1F, 0x8B, 0x08}
-	xzMagic    = []byte{0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00}
-	zstdMagic  = []byte{0x28, 0xb5, 0x2f, 0xfd}
-)
-
-type matcher = func([]byte) bool
-
-func magicNumberMatcher(m []byte) matcher {
-	return func(source []byte) bool {
-		return bytes.HasPrefix(source, m)
-	}
-}
-
-// zstdMatcher detects zstd compression algorithm.
-// Zstandard compressed data is made of one or more frames.
-// There are two frame formats defined by Zstandard: Zstandard frames and Skippable frames.
-// See https://datatracker.ietf.org/doc/html/rfc8878#section-3 for more details.
-func zstdMatcher() matcher {
-	return func(source []byte) bool {
-		if bytes.HasPrefix(source, zstdMagic) {
-			// Zstandard frame
-			return true
-		}
-		// skippable frame
-		if len(source) < 8 {
-			return false
-		}
-		// magic number from 0x184D2A50 to 0x184D2A5F.
-		if binary.LittleEndian.Uint32(source[:4])&zstdMagicSkippableMask == zstdMagicSkippableStart {
-			return true
-		}
-		return false
-	}
-}
-
 // DetectCompression detects the compression algorithm of the source.
-func DetectCompression(source []byte) Compression {
-	compressionMap := map[Compression]matcher{
-		Bzip2: magicNumberMatcher(bzip2Magic),
-		Gzip:  magicNumberMatcher(gzipMagic),
-		Xz:    magicNumberMatcher(xzMagic),
-		Zstd:  zstdMatcher(),
-	}
-	for _, compression := range []Compression{Bzip2, Gzip, Xz, Zstd} {
-		fn := compressionMap[compression]
-		if fn(source) {
-			return compression
-		}
-	}
-	return Uncompressed
-}
-
-func xzDecompress(ctx context.Context, archive io.Reader) (io.ReadCloser, error) {
-	args := []string{"xz", "-d", "-c", "-q"}
-
-	return cmdStream(exec.CommandContext(ctx, args[0], args[1:]...), archive)
-}
-
-func gzDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) {
-	if noPigzEnv := os.Getenv("MOBY_DISABLE_PIGZ"); noPigzEnv != "" {
-		noPigz, err := strconv.ParseBool(noPigzEnv)
-		if err != nil {
-			log.G(ctx).WithError(err).Warn("invalid value in MOBY_DISABLE_PIGZ env var")
-		}
-		if noPigz {
-			log.G(ctx).Debugf("Use of pigz is disabled due to MOBY_DISABLE_PIGZ=%s", noPigzEnv)
-			return gzip.NewReader(buf)
-		}
-	}
-
-	unpigzPath, err := exec.LookPath("unpigz")
-	if err != nil {
-		log.G(ctx).Debugf("unpigz binary not found, falling back to go gzip library")
-		return gzip.NewReader(buf)
-	}
-
-	log.G(ctx).Debugf("Using %s to decompress", unpigzPath)
-
-	return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf)
-}
-
-type readCloserWrapper struct {
-	io.Reader
-	closer func() error
-	closed atomic.Bool
-}
-
-func (r *readCloserWrapper) Close() error {
-	if !r.closed.CompareAndSwap(false, true) {
-		log.G(context.TODO()).Error("subsequent attempt to close readCloserWrapper")
-		if log.GetLevel() >= log.DebugLevel {
-			log.G(context.TODO()).Errorf("stack trace: %s", string(debug.Stack()))
-		}
-
-		return nil
-	}
-	if r.closer != nil {
-		return r.closer()
-	}
-	return nil
-}
-
-var (
-	bufioReader32KPool = &sync.Pool{
-		New: func() interface{} { return bufio.NewReaderSize(nil, 32*1024) },
-	}
-)
-
-type bufferedReader struct {
-	buf *bufio.Reader
-}
-
-func newBufferedReader(r io.Reader) *bufferedReader {
-	buf := bufioReader32KPool.Get().(*bufio.Reader)
-	buf.Reset(r)
-	return &bufferedReader{buf}
-}
-
-func (r *bufferedReader) Read(p []byte) (n int, err error) {
-	if r.buf == nil {
-		return 0, io.EOF
-	}
-	n, err = r.buf.Read(p)
-	if err == io.EOF {
-		r.buf.Reset(nil)
-		bufioReader32KPool.Put(r.buf)
-		r.buf = nil
-	}
-	return
-}
-
-func (r *bufferedReader) Peek(n int) ([]byte, error) {
-	if r.buf == nil {
-		return nil, io.EOF
-	}
-	return r.buf.Peek(n)
+//
+// Deprecated: use [compression.Detect].
+func DetectCompression(source []byte) compression.Compression {
+	return compression.Detect(source)
 }
 
 // DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.
+//
+// Deprecated: use [compression.DecompressStream].
 func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
-	buf := newBufferedReader(archive)
-	bs, err := buf.Peek(10)
-	if err != nil && err != io.EOF {
-		// Note: we'll ignore any io.EOF error because there are some odd
-		// cases where the layer.tar file will be empty (zero bytes) and
-		// that results in an io.EOF from the Peek() call. So, in those
-		// cases we'll just treat it as a non-compressed stream and
-		// that means just create an empty layer.
-		// See Issue 18170
-		return nil, err
-	}
-
-	compression := DetectCompression(bs)
-	switch compression {
-	case Uncompressed:
-		return &readCloserWrapper{
-			Reader: buf,
-		}, nil
-	case Gzip:
-		ctx, cancel := context.WithCancel(context.Background())
-
-		gzReader, err := gzDecompress(ctx, buf)
-		if err != nil {
-			cancel()
-			return nil, err
-		}
-		return &readCloserWrapper{
-			Reader: gzReader,
-			closer: func() error {
-				cancel()
-				return gzReader.Close()
-			},
-		}, nil
-	case Bzip2:
-		bz2Reader := bzip2.NewReader(buf)
-		return &readCloserWrapper{
-			Reader: bz2Reader,
-		}, nil
-	case Xz:
-		ctx, cancel := context.WithCancel(context.Background())
-
-		xzReader, err := xzDecompress(ctx, buf)
-		if err != nil {
-			cancel()
-			return nil, err
-		}
-
-		return &readCloserWrapper{
-			Reader: xzReader,
-			closer: func() error {
-				cancel()
-				return xzReader.Close()
-			},
-		}, nil
-	case Zstd:
-		zstdReader, err := zstd.NewReader(buf)
-		if err != nil {
-			return nil, err
-		}
-		return &readCloserWrapper{
-			Reader: zstdReader,
-			closer: func() error {
-				zstdReader.Close()
-				return nil
-			},
-		}, nil
-	default:
-		return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
-	}
+	return compression.DecompressStream(archive)
 }
 
-type nopWriteCloser struct {
-	io.Writer
-}
-
-func (nopWriteCloser) Close() error { return nil }
-
 // CompressStream compresses the dest with specified compression algorithm.
-func CompressStream(dest io.Writer, compression Compression) (io.WriteCloser, error) {
-	switch compression {
-	case Uncompressed:
-		return nopWriteCloser{dest}, nil
-	case Gzip:
-		return gzip.NewWriter(dest), nil
-	case Bzip2, Xz:
-		// archive/bzip2 does not support writing, and there is no xz support at all
-		// However, this is not a problem as docker only currently generates gzipped tars
-		return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
-	default:
-		return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
-	}
+//
+// Deprecated: use [compression.CompressStream].
+func CompressStream(dest io.Writer, comp compression.Compression) (io.WriteCloser, error) {
+	return compression.CompressStream(dest, comp)
 }
 
 // TarModifierFunc is a function that can be passed to ReplaceFileTarWrapper to
@@ -413,7 +193,7 @@ func ReplaceFileTarWrapper(inputTarStream io.ReadCloser, mods map[string]TarModi
 		var originalHeader *tar.Header
 		for {
 			originalHeader, err = tarReader.Next()
-			if err == io.EOF {
+			if errors.Is(err, io.EOF) {
 				break
 			}
 			if err != nil {
@@ -428,7 +208,7 @@ func ReplaceFileTarWrapper(inputTarStream io.ReadCloser, mods map[string]TarModi
 					pipeWriter.CloseWithError(err)
 					return
 				}
-				if _, err := copyWithBuffer(tarWriter, tarReader); err != nil {
+				if err := copyWithBuffer(tarWriter, tarReader); err != nil {
 					pipeWriter.CloseWithError(err)
 					return
 				}
@@ -455,90 +235,11 @@ func ReplaceFileTarWrapper(inputTarStream io.ReadCloser, mods map[string]TarModi
 	return pipeReader
 }
 
-// Extension returns the extension of a file that uses the specified compression algorithm.
-func (compression *Compression) Extension() string {
-	switch *compression {
-	case Uncompressed:
-		return "tar"
-	case Bzip2:
-		return "tar.bz2"
-	case Gzip:
-		return "tar.gz"
-	case Xz:
-		return "tar.xz"
-	case Zstd:
-		return "tar.zst"
-	}
-	return ""
-}
-
-// assert that we implement [tar.FileInfoNames].
-//
-// TODO(thaJeztah): disabled to allow compiling on < go1.23. un-comment once we drop support for older versions of go.
-// var _ tar.FileInfoNames = (*nosysFileInfo)(nil)
-
-// nosysFileInfo hides the system-dependent info of the wrapped FileInfo to
-// prevent tar.FileInfoHeader from introspecting it and potentially calling into
-// glibc.
-//
-// It implements [tar.FileInfoNames] to further prevent [tar.FileInfoHeader]
-// from performing any lookups on go1.23 and up. see https://go.dev/issue/50102
-type nosysFileInfo struct {
-	os.FileInfo
-}
-
-// Uname stubs out looking up username. It implements [tar.FileInfoNames]
-// to prevent [tar.FileInfoHeader] from loading libraries to perform
-// username lookups.
-func (fi nosysFileInfo) Uname() (string, error) {
-	return "", nil
-}
-
-// Gname stubs out looking up group-name. It implements [tar.FileInfoNames]
-// to prevent [tar.FileInfoHeader] from loading libraries to perform
-// username lookups.
-func (fi nosysFileInfo) Gname() (string, error) {
-	return "", nil
-}
-
-func (fi nosysFileInfo) Sys() interface{} {
-	// A Sys value of type *tar.Header is safe as it is system-independent.
-	// The tar.FileInfoHeader function copies the fields into the returned
-	// header without performing any OS lookups.
-	if sys, ok := fi.FileInfo.Sys().(*tar.Header); ok {
-		return sys
-	}
-	return nil
-}
-
-// sysStat, if non-nil, populates hdr from system-dependent fields of fi.
-var sysStat func(fi os.FileInfo, hdr *tar.Header) error
-
 // FileInfoHeaderNoLookups creates a partially-populated tar.Header from fi.
 //
-// Compared to the archive/tar.FileInfoHeader function, this function is safe to
-// call from a chrooted process as it does not populate fields which would
-// require operating system lookups. It behaves identically to
-// tar.FileInfoHeader when fi is a FileInfo value returned from
-// tar.Header.FileInfo().
-//
-// When fi is a FileInfo for a native file, such as returned from os.Stat() and
-// os.Lstat(), the returned Header value differs from one returned from
-// tar.FileInfoHeader in the following ways. The Uname and Gname fields are not
-// set as OS lookups would be required to populate them. The AccessTime and
-// ChangeTime fields are not currently set (not yet implemented) although that
-// is subject to change. Callers which require the AccessTime or ChangeTime
-// fields to be zeroed should explicitly zero them out in the returned Header
-// value to avoid any compatibility issues in the future.
+// Deprecated: use [tarheader.FileInfoHeaderNoLookups].
 func FileInfoHeaderNoLookups(fi os.FileInfo, link string) (*tar.Header, error) {
-	hdr, err := tar.FileInfoHeader(nosysFileInfo{fi}, link)
-	if err != nil {
-		return nil, err
-	}
-	if sysStat != nil {
-		return hdr, sysStat(fi, hdr)
-	}
-	return hdr, nil
+	return tarheader.FileInfoHeaderNoLookups(fi, link)
 }
 
 // FileInfoHeader creates a populated Header from fi.
@@ -549,7 +250,7 @@ func FileInfoHeaderNoLookups(fi os.FileInfo, link string) (*tar.Header, error) {
 // precision, and the Uname and Gname fields are only set when fi is a FileInfo
 // value returned from tar.Header.FileInfo().
 func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, error) {
-	hdr, err := FileInfoHeaderNoLookups(fi, link)
+	hdr, err := tarheader.FileInfoHeaderNoLookups(fi, link)
 	if err != nil {
 		return nil, err
 	}
@@ -600,8 +301,8 @@ type tarAppender struct {
 
 	// for hardlink mapping
 	SeenFiles       map[uint64]string
-	IdentityMapping idtools.IdentityMapping
-	ChownOpts       *idtools.Identity
+	IdentityMapping user.IdentityMapping
+	ChownOpts       *ChownOpts
 
 	// For packing and unpacking whiteout files in the
 	// non standard format. The whiteout files defined
@@ -610,7 +311,7 @@ type tarAppender struct {
 	WhiteoutConverter tarWhiteoutConverter
 }
 
-func newTarAppender(idMapping idtools.IdentityMapping, writer io.Writer, chownOpts *idtools.Identity) *tarAppender {
+func newTarAppender(idMapping user.IdentityMapping, writer io.Writer, chownOpts *ChownOpts) *tarAppender {
 	return &tarAppender{
 		SeenFiles:       make(map[uint64]string),
 		TarWriter:       tar.NewWriter(writer),
@@ -681,11 +382,11 @@ func (ta *tarAppender) addTarFile(path, name string) error {
 	// writing tar headers/files. We skip whiteout files because they were written
 	// by the kernel and already have proper ownership relative to the host
 	if !isOverlayWhiteout && !strings.HasPrefix(filepath.Base(hdr.Name), WhiteoutPrefix) && !ta.IdentityMapping.Empty() {
-		fileIDPair, err := getFileUIDGID(fi.Sys())
+		uid, gid, err := getFileUIDGID(fi.Sys())
 		if err != nil {
 			return err
 		}
-		hdr.Uid, hdr.Gid, err = ta.IdentityMapping.ToContainer(fileIDPair)
+		hdr.Uid, hdr.Gid, err = ta.IdentityMapping.ToContainer(uid, gid)
 		if err != nil {
 			return err
 		}
@@ -731,7 +432,7 @@ func (ta *tarAppender) addTarFile(path, name string) error {
 			return err
 		}
 
-		_, err = copyWithBuffer(ta.TarWriter, file)
+		err = copyWithBuffer(ta.TarWriter, file)
 		file.Close()
 		if err != nil {
 			return err
@@ -745,7 +446,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 	var (
 		Lchown                     = true
 		inUserns, bestEffortXattrs bool
-		chownOpts                  *idtools.Identity
+		chownOpts                  *ChownOpts
 	)
 
 	// TODO(thaJeztah): make opts a required argument.
@@ -765,7 +466,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 	case tar.TypeDir:
 		// Create directory unless it exists as a directory already.
 		// In that case we just want to merge the two
-		if fi, err := os.Lstat(path); !(err == nil && fi.IsDir()) {
+		if fi, err := os.Lstat(path); err != nil || !fi.IsDir() {
 			if err := os.Mkdir(path, hdrInfo.Mode()); err != nil {
 				return err
 			}
@@ -778,11 +479,11 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 		if err != nil {
 			return err
 		}
-		if _, err := copyWithBuffer(file, reader); err != nil {
-			file.Close()
+		if err := copyWithBuffer(file, reader); err != nil {
+			_ = file.Close()
 			return err
 		}
-		file.Close()
+		_ = file.Close()
 
 	case tar.TypeBlock, tar.TypeChar:
 		if inUserns { // cannot create devices in a userns
@@ -841,7 +542,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 	// Lchown is not supported on Windows.
 	if Lchown && runtime.GOOS != "windows" {
 		if chownOpts == nil {
-			chownOpts = &idtools.Identity{UID: hdr.Uid, GID: hdr.Gid}
+			chownOpts = &ChownOpts{UID: hdr.Uid, GID: hdr.Gid}
 		}
 		if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
 			var msg string
@@ -905,8 +606,8 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 
 // Tar creates an archive from the directory at `path`, and returns it as a
 // stream of bytes.
-func Tar(path string, compression Compression) (io.ReadCloser, error) {
-	return TarWithOptions(path, &TarOptions{Compression: compression})
+func Tar(path string, comp compression.Compression) (io.ReadCloser, error) {
+	return TarWithOptions(path, &TarOptions{Compression: comp})
 }
 
 // TarWithOptions creates an archive from the directory at `path`, only including files whose relative
@@ -942,7 +643,7 @@ func NewTarballer(srcPath string, options *TarOptions) (*Tarballer, error) {
 
 	pipeReader, pipeWriter := io.Pipe()
 
-	compressWriter, err := CompressStream(pipeWriter, options.Compression)
+	compressWriter, err := compression.CompressStream(pipeWriter, options.Compression)
 	if err != nil {
 		return nil, err
 	}
@@ -1028,7 +729,8 @@ func (t *Tarballer) Do() {
 		)
 
 		walkRoot := getWalkRoot(t.srcPath, include)
-		filepath.WalkDir(walkRoot, func(filePath string, f os.DirEntry, err error) error {
+		// TODO(thaJeztah): should this error be handled?
+		_ = filepath.WalkDir(walkRoot, func(filePath string, f os.DirEntry, err error) error {
 			if err != nil {
 				log.G(context.TODO()).Errorf("Tar: Can't stat file %s to tar: %s", t.srcPath, err)
 				return nil
@@ -1132,7 +834,7 @@ func (t *Tarballer) Do() {
 			if err := ta.addTarFile(filePath, relFilePath); err != nil {
 				log.G(context.TODO()).Errorf("Can't add file %s to tar: %s", filePath, err)
 				// if pipe is broken, stop writing tar stream to it
-				if err == io.ErrClosedPipe {
+				if errors.Is(err, io.ErrClosedPipe) {
 					return err
 				}
 			}
@@ -1152,7 +854,7 @@ func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) err
 loop:
 	for {
 		hdr, err := tr.Next()
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			// end of tar archive
 			break
 		}
@@ -1214,7 +916,7 @@ loop:
 				continue
 			}
 
-			if !(fi.IsDir() && hdr.Typeflag == tar.TypeDir) {
+			if !fi.IsDir() || hdr.Typeflag != tar.TypeDir {
 				if err := os.RemoveAll(path); err != nil {
 					return err
 				}
@@ -1274,9 +976,9 @@ func createImpliedDirectories(dest string, hdr *tar.Header, options *TarOptions)
 			// RootPair() is confined inside this loop as most cases will not require a call, so we can spend some
 			// unneeded function calls in the uncommon case to encapsulate logic -- implied directories are a niche
 			// usage that reduces the portability of an image.
-			rootIDs := options.IDMap.RootPair()
+			uid, gid := options.IDMap.RootPair()
 
-			err = idtools.MkdirAllAndChownNew(parentPath, ImpliedDirectoryMode, rootIDs)
+			err = user.MkdirAllAndChown(parentPath, ImpliedDirectoryMode, uid, gid, user.WithOnlyNew)
 			if err != nil {
 				return err
 			}
@@ -1306,7 +1008,7 @@ func UntarUncompressed(tarArchive io.Reader, dest string, options *TarOptions) e
 // Handler for teasing out the automatic decompression
 func untarHandler(tarArchive io.Reader, dest string, options *TarOptions, decompress bool) error {
 	if tarArchive == nil {
-		return fmt.Errorf("Empty archive")
+		return errors.New("empty archive")
 	}
 	dest = filepath.Clean(dest)
 	if options == nil {
@@ -1318,7 +1020,7 @@ func untarHandler(tarArchive io.Reader, dest string, options *TarOptions, decomp
 
 	r := tarArchive
 	if decompress {
-		decompressedArchive, err := DecompressStream(tarArchive)
+		decompressedArchive, err := compression.DecompressStream(tarArchive)
 		if err != nil {
 			return err
 		}
@@ -1332,15 +1034,14 @@ func untarHandler(tarArchive io.Reader, dest string, options *TarOptions, decomp
 // TarUntar is a convenience function which calls Tar and Untar, with the output of one piped into the other.
 // If either Tar or Untar fails, TarUntar aborts and returns the error.
 func (archiver *Archiver) TarUntar(src, dst string) error {
-	archive, err := TarWithOptions(src, &TarOptions{Compression: Uncompressed})
+	archive, err := Tar(src, compression.None)
 	if err != nil {
 		return err
 	}
 	defer archive.Close()
-	options := &TarOptions{
+	return archiver.Untar(archive, dst, &TarOptions{
 		IDMap: archiver.IDMapping,
-	}
-	return archiver.Untar(archive, dst, options)
+	})
 }
 
 // UntarPath untar a file from path to a destination, src is the source tar file path.
@@ -1350,10 +1051,9 @@ func (archiver *Archiver) UntarPath(src, dst string) error {
 		return err
 	}
 	defer archive.Close()
-	options := &TarOptions{
+	return archiver.Untar(archive, dst, &TarOptions{
 		IDMap: archiver.IDMapping,
-	}
-	return archiver.Untar(archive, dst, options)
+	})
 }
 
 // CopyWithTar creates a tar archive of filesystem path `src`, and
@@ -1372,9 +1072,9 @@ func (archiver *Archiver) CopyWithTar(src, dst string) error {
 	// if this Archiver is set up with ID mapping we need to create
 	// the new destination directory with the remapped root UID/GID pair
 	// as owner
-	rootIDs := archiver.IDMapping.RootPair()
+	uid, gid := archiver.IDMapping.RootPair()
 	// Create dst, copy src's content into it
-	if err := idtools.MkdirAllAndChownNew(dst, 0o755, rootIDs); err != nil {
+	if err := user.MkdirAllAndChown(dst, 0o755, uid, gid, user.WithOnlyNew); err != nil {
 		return err
 	}
 	return archiver.TarUntar(src, dst)
@@ -1390,7 +1090,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 	}
 
 	if srcSt.IsDir() {
-		return fmt.Errorf("Can't copy a directory")
+		return errors.New("can't copy a directory")
 	}
 
 	// Clean up the trailing slash. This must be done in an operating
@@ -1418,7 +1118,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 			}
 			defer srcF.Close()
 
-			hdr, err := FileInfoHeaderNoLookups(srcSt, "")
+			hdr, err := tarheader.FileInfoHeaderNoLookups(srcSt, "")
 			if err != nil {
 				return err
 			}
@@ -1438,7 +1138,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 			if err := tw.WriteHeader(hdr); err != nil {
 				return err
 			}
-			if _, err := copyWithBuffer(tw, srcF); err != nil {
+			if err := copyWithBuffer(tw, srcF); err != nil {
 				return err
 			}
 			return nil
@@ -1458,52 +1158,12 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 }
 
 // IdentityMapping returns the IdentityMapping of the archiver.
-func (archiver *Archiver) IdentityMapping() idtools.IdentityMapping {
+func (archiver *Archiver) IdentityMapping() user.IdentityMapping {
 	return archiver.IDMapping
 }
 
-func remapIDs(idMapping idtools.IdentityMapping, hdr *tar.Header) error {
-	ids, err := idMapping.ToHost(idtools.Identity{UID: hdr.Uid, GID: hdr.Gid})
-	hdr.Uid, hdr.Gid = ids.UID, ids.GID
+func remapIDs(idMapping user.IdentityMapping, hdr *tar.Header) error {
+	uid, gid, err := idMapping.ToHost(hdr.Uid, hdr.Gid)
+	hdr.Uid, hdr.Gid = uid, gid
 	return err
 }
-
-// cmdStream executes a command, and returns its stdout as a stream.
-// If the command fails to run or doesn't complete successfully, an error
-// will be returned, including anything written on stderr.
-func cmdStream(cmd *exec.Cmd, input io.Reader) (io.ReadCloser, error) {
-	cmd.Stdin = input
-	pipeR, pipeW := io.Pipe()
-	cmd.Stdout = pipeW
-	var errBuf bytes.Buffer
-	cmd.Stderr = &errBuf
-
-	// Run the command and return the pipe
-	if err := cmd.Start(); err != nil {
-		return nil, err
-	}
-
-	// Ensure the command has exited before we clean anything up
-	done := make(chan struct{})
-
-	// Copy stdout to the returned pipe
-	go func() {
-		if err := cmd.Wait(); err != nil {
-			pipeW.CloseWithError(fmt.Errorf("%s: %s", err, errBuf.String()))
-		} else {
-			pipeW.Close()
-		}
-		close(done)
-	}()
-
-	return &readCloserWrapper{
-		Reader: pipeR,
-		closer: func() error {
-			// Close pipeR, and then wait for the command to complete before returning. We have to close pipeR first, as
-			// cmd.Wait waits for any non-file stdout/stderr/stdin to close.
-			err := pipeR.Close()
-			<-done
-			return err
-		},
-	}, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go b/vendor/github.com/moby/go-archive/archive_linux.go
similarity index 62%
rename from vendor/github.com/docker/docker/pkg/archive/archive_linux.go
rename to vendor/github.com/moby/go-archive/archive_linux.go
index 631d2e3c..7b6c3e02 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
+++ b/vendor/github.com/moby/go-archive/archive_linux.go
@@ -20,7 +20,7 @@ func getWhiteoutConverter(format WhiteoutFormat) tarWhiteoutConverter {
 
 type overlayWhiteoutConverter struct{}
 
-func (overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi os.FileInfo) (wo *tar.Header, err error) {
+func (overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi os.FileInfo) (wo *tar.Header, _ error) {
 	// convert whiteouts to AUFS format
 	if fi.Mode()&os.ModeCharDevice != 0 && hdr.Devmajor == 0 && hdr.Devminor == 0 {
 		// we just rename the file and make it normal
@@ -31,38 +31,41 @@ func (overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi os
 		hdr.Size = 0
 	}
 
-	if fi.Mode()&os.ModeDir != 0 {
-		opaqueXattrName := "trusted.overlay.opaque"
-		if userns.RunningInUserNS() {
-			opaqueXattrName = "user.overlay.opaque"
-		}
-
-		// convert opaque dirs to AUFS format by writing an empty file with the prefix
-		opaque, err := lgetxattr(path, opaqueXattrName)
-		if err != nil {
-			return nil, err
-		}
-		if len(opaque) == 1 && opaque[0] == 'y' {
-			delete(hdr.PAXRecords, paxSchilyXattr+opaqueXattrName)
-
-			// create a header for the whiteout file
-			// it should inherit some properties from the parent, but be a regular file
-			wo = &tar.Header{
-				Typeflag:   tar.TypeReg,
-				Mode:       hdr.Mode & int64(os.ModePerm),
-				Name:       filepath.Join(hdr.Name, WhiteoutOpaqueDir), // #nosec G305 -- An archive is being created, not extracted.
-				Size:       0,
-				Uid:        hdr.Uid,
-				Uname:      hdr.Uname,
-				Gid:        hdr.Gid,
-				Gname:      hdr.Gname,
-				AccessTime: hdr.AccessTime,
-				ChangeTime: hdr.ChangeTime,
-			}
-		}
+	if fi.Mode()&os.ModeDir == 0 {
+		// FIXME(thaJeztah): return a sentinel error instead of nil, nil
+		return nil, nil
 	}
 
-	return
+	opaqueXattrName := "trusted.overlay.opaque"
+	if userns.RunningInUserNS() {
+		opaqueXattrName = "user.overlay.opaque"
+	}
+
+	// convert opaque dirs to AUFS format by writing an empty file with the prefix
+	opaque, err := lgetxattr(path, opaqueXattrName)
+	if err != nil {
+		return nil, err
+	}
+	if len(opaque) != 1 || opaque[0] != 'y' {
+		// FIXME(thaJeztah): return a sentinel error instead of nil, nil
+		return nil, nil
+	}
+	delete(hdr.PAXRecords, paxSchilyXattr+opaqueXattrName)
+
+	// create a header for the whiteout file
+	// it should inherit some properties from the parent, but be a regular file
+	return &tar.Header{
+		Typeflag:   tar.TypeReg,
+		Mode:       hdr.Mode & int64(os.ModePerm),
+		Name:       filepath.Join(hdr.Name, WhiteoutOpaqueDir), // #nosec G305 -- An archive is being created, not extracted.
+		Size:       0,
+		Uid:        hdr.Uid,
+		Uname:      hdr.Uname,
+		Gid:        hdr.Gid,
+		Gname:      hdr.Gname,
+		AccessTime: hdr.AccessTime,
+		ChangeTime: hdr.ChangeTime,
+	}, nil
 }
 
 func (c overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (bool, error) {
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_other.go b/vendor/github.com/moby/go-archive/archive_other.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/archive_other.go
rename to vendor/github.com/moby/go-archive/archive_other.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_unix.go b/vendor/github.com/moby/go-archive/archive_unix.go
similarity index 57%
rename from vendor/github.com/docker/docker/pkg/archive/archive_unix.go
rename to vendor/github.com/moby/go-archive/archive_unix.go
index 9c70d178..3a9f5b0b 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_unix.go
+++ b/vendor/github.com/moby/go-archive/archive_unix.go
@@ -7,18 +7,12 @@ import (
 	"errors"
 	"os"
 	"path/filepath"
-	"runtime"
 	"strings"
 	"syscall"
 
-	"github.com/docker/docker/pkg/idtools"
 	"golang.org/x/sys/unix"
 )
 
-func init() {
-	sysStat = statUnix
-}
-
 // addLongPathPrefix adds the Windows long path prefix to the path provided if
 // it does not already have it. It is a no-op on platforms other than Windows.
 func addLongPathPrefix(srcPath string) string {
@@ -39,57 +33,22 @@ func chmodTarEntry(perm os.FileMode) os.FileMode {
 	return perm // noop for unix as golang APIs provide perm bits correctly
 }
 
-// statUnix populates hdr from system-dependent fields of fi without performing
-// any OS lookups.
-func statUnix(fi os.FileInfo, hdr *tar.Header) error {
-	// Devmajor and Devminor are only needed for special devices.
-
-	// In FreeBSD, RDev for regular files is -1 (unless overridden by FS):
-	// https://cgit.freebsd.org/src/tree/sys/kern/vfs_default.c?h=stable/13#n1531
-	// (NODEV is -1: https://cgit.freebsd.org/src/tree/sys/sys/param.h?h=stable/13#n241).
-
-	// ZFS in particular does not override the default:
-	// https://cgit.freebsd.org/src/tree/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c?h=stable/13#n2027
-
-	// Since `Stat_t.Rdev` is uint64, the cast turns -1 into (2^64 - 1).
-	// Such large values cannot be encoded in a tar header.
-	if runtime.GOOS == "freebsd" && hdr.Typeflag != tar.TypeBlock && hdr.Typeflag != tar.TypeChar {
-		return nil
-	}
-	s, ok := fi.Sys().(*syscall.Stat_t)
-	if !ok {
-		return nil
-	}
-
-	hdr.Uid = int(s.Uid)
-	hdr.Gid = int(s.Gid)
-
-	if s.Mode&unix.S_IFBLK != 0 ||
-		s.Mode&unix.S_IFCHR != 0 {
-		hdr.Devmajor = int64(unix.Major(uint64(s.Rdev))) //nolint: unconvert
-		hdr.Devminor = int64(unix.Minor(uint64(s.Rdev))) //nolint: unconvert
-	}
-
-	return nil
-}
-
-func getInodeFromStat(stat interface{}) (inode uint64, err error) {
+func getInodeFromStat(stat interface{}) (uint64, error) {
 	s, ok := stat.(*syscall.Stat_t)
-
-	if ok {
-		inode = s.Ino
+	if !ok {
+		// FIXME(thaJeztah): this should likely return an error; see https://github.com/moby/moby/pull/49493#discussion_r1979152897
+		return 0, nil
 	}
-
-	return
+	return s.Ino, nil
 }
 
-func getFileUIDGID(stat interface{}) (idtools.Identity, error) {
+func getFileUIDGID(stat interface{}) (int, int, error) {
 	s, ok := stat.(*syscall.Stat_t)
 
 	if !ok {
-		return idtools.Identity{}, errors.New("cannot convert stat value to syscall.Stat_t")
+		return 0, 0, errors.New("cannot convert stat value to syscall.Stat_t")
 	}
-	return idtools.Identity{UID: int(s.Uid), GID: int(s.Gid)}, nil
+	return int(s.Uid), int(s.Gid), nil
 }
 
 // handleTarTypeBlockCharFifo is an OS-specific helper function used by
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_windows.go b/vendor/github.com/moby/go-archive/archive_windows.go
similarity index 81%
rename from vendor/github.com/docker/docker/pkg/archive/archive_windows.go
rename to vendor/github.com/moby/go-archive/archive_windows.go
index 03160816..0e3e316a 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_windows.go
+++ b/vendor/github.com/moby/go-archive/archive_windows.go
@@ -5,8 +5,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-
-	"github.com/docker/docker/pkg/idtools"
 )
 
 // longPathPrefix is the longpath prefix for Windows file paths.
@@ -43,14 +41,9 @@ func chmodTarEntry(perm os.FileMode) os.FileMode {
 	return perm | 0o111
 }
 
-func setHeaderForSpecialDevice(hdr *tar.Header, name string, stat interface{}) (err error) {
-	// do nothing. no notion of Rdev, Nlink in stat on Windows
-	return
-}
-
-func getInodeFromStat(stat interface{}) (inode uint64, err error) {
+func getInodeFromStat(stat interface{}) (uint64, error) {
 	// do nothing. no notion of Inode in stat on Windows
-	return
+	return 0, nil
 }
 
 // handleTarTypeBlockCharFifo is an OS-specific helper function used by
@@ -63,7 +56,7 @@ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
 	return nil
 }
 
-func getFileUIDGID(stat interface{}) (idtools.Identity, error) {
+func getFileUIDGID(stat interface{}) (int, int, error) {
 	// no notion of file ownership mapping yet on Windows
-	return idtools.Identity{UID: 0, GID: 0}, nil
+	return 0, 0, nil
 }
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes.go b/vendor/github.com/moby/go-archive/changes.go
similarity index 97%
rename from vendor/github.com/docker/docker/pkg/archive/changes.go
rename to vendor/github.com/moby/go-archive/changes.go
index 79c810a6..02a0372c 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes.go
+++ b/vendor/github.com/moby/go-archive/changes.go
@@ -14,7 +14,7 @@ import (
 	"time"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/sys/user"
 )
 
 // ChangeType represents the change type.
@@ -75,7 +75,7 @@ func sameFsTime(a, b time.Time) bool {
 // Changes walks the path rw and determines changes for the files in the path,
 // with respect to the parent layers
 func Changes(layers []string, rw string) ([]Change, error) {
-	return changes(layers, rw, aufsDeletedFile, aufsMetadataSkip)
+	return collectChanges(layers, rw, aufsDeletedFile, aufsMetadataSkip)
 }
 
 func aufsMetadataSkip(path string) (skip bool, err error) {
@@ -83,7 +83,7 @@ func aufsMetadataSkip(path string) (skip bool, err error) {
 	if err != nil {
 		skip = true
 	}
-	return
+	return skip, err
 }
 
 func aufsDeletedFile(root, path string, fi os.FileInfo) (string, error) {
@@ -103,7 +103,7 @@ type (
 	deleteChange func(string, string, os.FileInfo) (string, error)
 )
 
-func changes(layers []string, rw string, dc deleteChange, sc skipChange) ([]Change, error) {
+func collectChanges(layers []string, rw string, dc deleteChange, sc skipChange) ([]Change, error) {
 	var (
 		changes     []Change
 		changedDirs = make(map[string]struct{})
@@ -383,7 +383,7 @@ func ChangesSize(newDir string, changes []Change) int64 {
 }
 
 // ExportChanges produces an Archive from the provided changes, relative to dir.
-func ExportChanges(dir string, changes []Change, idMap idtools.IdentityMapping) (io.ReadCloser, error) {
+func ExportChanges(dir string, changes []Change, idMap user.IdentityMapping) (io.ReadCloser, error) {
 	reader, writer := io.Pipe()
 	go func() {
 		ta := newTarAppender(idMap, writer, nil)
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_linux.go b/vendor/github.com/moby/go-archive/changes_linux.go
similarity index 98%
rename from vendor/github.com/docker/docker/pkg/archive/changes_linux.go
rename to vendor/github.com/moby/go-archive/changes_linux.go
index 9a041b09..8289fe17 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_linux.go
+++ b/vendor/github.com/moby/go-archive/changes_linux.go
@@ -132,14 +132,7 @@ func (w *walker) walk(path string, i1, i2 os.FileInfo) (err error) {
 	ix1 := 0
 	ix2 := 0
 
-	for {
-		if ix1 >= len(names1) {
-			break
-		}
-		if ix2 >= len(names2) {
-			break
-		}
-
+	for ix1 < len(names1) && ix2 < len(names2) {
 		ni1 := names1[ix1]
 		ni2 := names2[ix2]
 
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_other.go b/vendor/github.com/moby/go-archive/changes_other.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/changes_other.go
rename to vendor/github.com/moby/go-archive/changes_other.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_unix.go b/vendor/github.com/moby/go-archive/changes_unix.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/changes_unix.go
rename to vendor/github.com/moby/go-archive/changes_unix.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_windows.go b/vendor/github.com/moby/go-archive/changes_windows.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/changes_windows.go
rename to vendor/github.com/moby/go-archive/changes_windows.go
diff --git a/vendor/github.com/moby/go-archive/compression/compression.go b/vendor/github.com/moby/go-archive/compression/compression.go
new file mode 100644
index 00000000..e298cefb
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/compression/compression.go
@@ -0,0 +1,263 @@
+package compression
+
+import (
+	"bufio"
+	"bytes"
+	"compress/bzip2"
+	"compress/gzip"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"strconv"
+	"sync"
+
+	"github.com/containerd/log"
+	"github.com/klauspost/compress/zstd"
+)
+
+// Compression is the state represents if compressed or not.
+type Compression int
+
+const (
+	None  Compression = 0 // None represents the uncompressed.
+	Bzip2 Compression = 1 // Bzip2 is bzip2 compression algorithm.
+	Gzip  Compression = 2 // Gzip is gzip compression algorithm.
+	Xz    Compression = 3 // Xz is xz compression algorithm.
+	Zstd  Compression = 4 // Zstd is zstd compression algorithm.
+)
+
+// Extension returns the extension of a file that uses the specified compression algorithm.
+func (c *Compression) Extension() string {
+	switch *c {
+	case None:
+		return "tar"
+	case Bzip2:
+		return "tar.bz2"
+	case Gzip:
+		return "tar.gz"
+	case Xz:
+		return "tar.xz"
+	case Zstd:
+		return "tar.zst"
+	default:
+		return ""
+	}
+}
+
+type readCloserWrapper struct {
+	io.Reader
+	closer func() error
+}
+
+func (r *readCloserWrapper) Close() error {
+	if r.closer != nil {
+		return r.closer()
+	}
+	return nil
+}
+
+type nopWriteCloser struct {
+	io.Writer
+}
+
+func (nopWriteCloser) Close() error { return nil }
+
+var bufioReader32KPool = &sync.Pool{
+	New: func() interface{} { return bufio.NewReaderSize(nil, 32*1024) },
+}
+
+type bufferedReader struct {
+	buf *bufio.Reader
+}
+
+func newBufferedReader(r io.Reader) *bufferedReader {
+	buf := bufioReader32KPool.Get().(*bufio.Reader)
+	buf.Reset(r)
+	return &bufferedReader{buf}
+}
+
+func (r *bufferedReader) Read(p []byte) (int, error) {
+	if r.buf == nil {
+		return 0, io.EOF
+	}
+	n, err := r.buf.Read(p)
+	if errors.Is(err, io.EOF) {
+		r.buf.Reset(nil)
+		bufioReader32KPool.Put(r.buf)
+		r.buf = nil
+	}
+	return n, err
+}
+
+func (r *bufferedReader) Peek(n int) ([]byte, error) {
+	if r.buf == nil {
+		return nil, io.EOF
+	}
+	return r.buf.Peek(n)
+}
+
+// DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.
+func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
+	buf := newBufferedReader(archive)
+	bs, err := buf.Peek(10)
+	if err != nil && !errors.Is(err, io.EOF) {
+		// Note: we'll ignore any io.EOF error because there are some odd
+		// cases where the layer.tar file will be empty (zero bytes) and
+		// that results in an io.EOF from the Peek() call. So, in those
+		// cases we'll just treat it as a non-compressed stream and
+		// that means just create an empty layer.
+		// See Issue 18170
+		return nil, err
+	}
+
+	switch compression := Detect(bs); compression {
+	case None:
+		return &readCloserWrapper{
+			Reader: buf,
+		}, nil
+	case Gzip:
+		ctx, cancel := context.WithCancel(context.Background())
+		gzReader, err := gzipDecompress(ctx, buf)
+		if err != nil {
+			cancel()
+			return nil, err
+		}
+
+		return &readCloserWrapper{
+			Reader: gzReader,
+			closer: func() error {
+				cancel()
+				return gzReader.Close()
+			},
+		}, nil
+	case Bzip2:
+		bz2Reader := bzip2.NewReader(buf)
+		return &readCloserWrapper{
+			Reader: bz2Reader,
+		}, nil
+	case Xz:
+		ctx, cancel := context.WithCancel(context.Background())
+
+		xzReader, err := xzDecompress(ctx, buf)
+		if err != nil {
+			cancel()
+			return nil, err
+		}
+
+		return &readCloserWrapper{
+			Reader: xzReader,
+			closer: func() error {
+				cancel()
+				return xzReader.Close()
+			},
+		}, nil
+	case Zstd:
+		zstdReader, err := zstd.NewReader(buf)
+		if err != nil {
+			return nil, err
+		}
+		return &readCloserWrapper{
+			Reader: zstdReader,
+			closer: func() error {
+				zstdReader.Close()
+				return nil
+			},
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported compression format (%d)", compression)
+	}
+}
+
+// CompressStream compresses the dest with specified compression algorithm.
+func CompressStream(dest io.Writer, compression Compression) (io.WriteCloser, error) {
+	switch compression {
+	case None:
+		return nopWriteCloser{dest}, nil
+	case Gzip:
+		return gzip.NewWriter(dest), nil
+	case Bzip2:
+		// archive/bzip2 does not support writing.
+		return nil, errors.New("unsupported compression format: tar.bz2")
+	case Xz:
+		// there is no xz support at all
+		// However, this is not a problem as docker only currently generates gzipped tars
+		return nil, errors.New("unsupported compression format: tar.xz")
+	default:
+		return nil, fmt.Errorf("unsupported compression format (%d)", compression)
+	}
+}
+
+func xzDecompress(ctx context.Context, archive io.Reader) (io.ReadCloser, error) {
+	args := []string{"xz", "-d", "-c", "-q"}
+
+	return cmdStream(exec.CommandContext(ctx, args[0], args[1:]...), archive)
+}
+
+func gzipDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) {
+	if noPigzEnv := os.Getenv("MOBY_DISABLE_PIGZ"); noPigzEnv != "" {
+		noPigz, err := strconv.ParseBool(noPigzEnv)
+		if err != nil {
+			log.G(ctx).WithError(err).Warn("invalid value in MOBY_DISABLE_PIGZ env var")
+		}
+		if noPigz {
+			log.G(ctx).Debugf("Use of pigz is disabled due to MOBY_DISABLE_PIGZ=%s", noPigzEnv)
+			return gzip.NewReader(buf)
+		}
+	}
+
+	unpigzPath, err := exec.LookPath("unpigz")
+	if err != nil {
+		log.G(ctx).Debugf("unpigz binary not found, falling back to go gzip library")
+		return gzip.NewReader(buf)
+	}
+
+	log.G(ctx).Debugf("Using %s to decompress", unpigzPath)
+
+	return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf)
+}
+
+// cmdStream executes a command, and returns its stdout as a stream.
+// If the command fails to run or doesn't complete successfully, an error
+// will be returned, including anything written on stderr.
+func cmdStream(cmd *exec.Cmd, in io.Reader) (io.ReadCloser, error) {
+	reader, writer := io.Pipe()
+
+	cmd.Stdin = in
+	cmd.Stdout = writer
+
+	var errBuf bytes.Buffer
+	cmd.Stderr = &errBuf
+
+	// Run the command and return the pipe
+	if err := cmd.Start(); err != nil {
+		return nil, err
+	}
+
+	// Ensure the command has exited before we clean anything up
+	done := make(chan struct{})
+
+	// Copy stdout to the returned pipe
+	go func() {
+		if err := cmd.Wait(); err != nil {
+			_ = writer.CloseWithError(fmt.Errorf("%w: %s", err, errBuf.String()))
+		} else {
+			_ = writer.Close()
+		}
+		close(done)
+	}()
+
+	return &readCloserWrapper{
+		Reader: reader,
+		closer: func() error {
+			// Close pipeR, and then wait for the command to complete before returning. We have to close pipeR first, as
+			// cmd.Wait waits for any non-file stdout/stderr/stdin to close.
+			err := reader.Close()
+			<-done
+			return err
+		},
+	}, nil
+}
diff --git a/vendor/github.com/moby/go-archive/compression/compression_detect.go b/vendor/github.com/moby/go-archive/compression/compression_detect.go
new file mode 100644
index 00000000..85eda927
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/compression/compression_detect.go
@@ -0,0 +1,65 @@
+package compression
+
+import (
+	"bytes"
+	"encoding/binary"
+)
+
+const (
+	zstdMagicSkippableStart = 0x184D2A50
+	zstdMagicSkippableMask  = 0xFFFFFFF0
+)
+
+var (
+	bzip2Magic = []byte{0x42, 0x5A, 0x68}
+	gzipMagic  = []byte{0x1F, 0x8B, 0x08}
+	xzMagic    = []byte{0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00}
+	zstdMagic  = []byte{0x28, 0xb5, 0x2f, 0xfd}
+)
+
+type matcher = func([]byte) bool
+
+// Detect detects the compression algorithm of the source.
+func Detect(source []byte) Compression {
+	compressionMap := map[Compression]matcher{
+		Bzip2: magicNumberMatcher(bzip2Magic),
+		Gzip:  magicNumberMatcher(gzipMagic),
+		Xz:    magicNumberMatcher(xzMagic),
+		Zstd:  zstdMatcher(),
+	}
+	for _, compression := range []Compression{Bzip2, Gzip, Xz, Zstd} {
+		fn := compressionMap[compression]
+		if fn(source) {
+			return compression
+		}
+	}
+	return None
+}
+
+func magicNumberMatcher(m []byte) matcher {
+	return func(source []byte) bool {
+		return bytes.HasPrefix(source, m)
+	}
+}
+
+// zstdMatcher detects zstd compression algorithm.
+// Zstandard compressed data is made of one or more frames.
+// There are two frame formats defined by Zstandard: Zstandard frames and Skippable frames.
+// See https://datatracker.ietf.org/doc/html/rfc8878#section-3 for more details.
+func zstdMatcher() matcher {
+	return func(source []byte) bool {
+		if bytes.HasPrefix(source, zstdMagic) {
+			// Zstandard frame
+			return true
+		}
+		// skippable frame
+		if len(source) < 8 {
+			return false
+		}
+		// magic number from 0x184D2A50 to 0x184D2A5F.
+		if binary.LittleEndian.Uint32(source[:4])&zstdMagicSkippableMask == zstdMagicSkippableStart {
+			return true
+		}
+		return false
+	}
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy.go b/vendor/github.com/moby/go-archive/copy.go
similarity index 97%
rename from vendor/github.com/docker/docker/pkg/archive/copy.go
rename to vendor/github.com/moby/go-archive/copy.go
index cddf18ec..77d038c4 100644
--- a/vendor/github.com/docker/docker/pkg/archive/copy.go
+++ b/vendor/github.com/moby/go-archive/copy.go
@@ -25,11 +25,11 @@ var copyPool = sync.Pool{
 	New: func() interface{} { s := make([]byte, 32*1024); return &s },
 }
 
-func copyWithBuffer(dst io.Writer, src io.Reader) (written int64, err error) {
+func copyWithBuffer(dst io.Writer, src io.Reader) error {
 	buf := copyPool.Get().(*[]byte)
-	written, err = io.CopyBuffer(dst, src, *buf)
+	_, err := io.CopyBuffer(dst, src, *buf)
 	copyPool.Put(buf)
-	return
+	return err
 }
 
 // PreserveTrailingDotOrSeparator returns the given cleaned path (after
@@ -105,13 +105,13 @@ func TarResource(sourceInfo CopyInfo) (content io.ReadCloser, err error) {
 
 // TarResourceRebase is like TarResource but renames the first path element of
 // items in the resulting tar archive to match the given rebaseName if not "".
-func TarResourceRebase(sourcePath, rebaseName string) (content io.ReadCloser, err error) {
+func TarResourceRebase(sourcePath, rebaseName string) (content io.ReadCloser, _ error) {
 	sourcePath = normalizePath(sourcePath)
-	if _, err = os.Lstat(sourcePath); err != nil {
+	if _, err := os.Lstat(sourcePath); err != nil {
 		// Catches the case where the source does not exist or is not a
 		// directory if asserted to be a directory, as this also causes an
 		// error.
-		return
+		return nil, err
 	}
 
 	// Separate the source path between its directory and
@@ -128,7 +128,6 @@ func TarResourceRebase(sourcePath, rebaseName string) (content io.ReadCloser, er
 func TarResourceRebaseOpts(sourceBase string, rebaseName string) *TarOptions {
 	filter := []string{sourceBase}
 	return &TarOptions{
-		Compression:      Uncompressed,
 		IncludeFiles:     filter,
 		IncludeSourceDir: true,
 		RebaseNames: map[string]string{
@@ -335,7 +334,7 @@ func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.Read
 
 		for {
 			hdr, err := srcTar.Next()
-			if err == io.EOF {
+			if errors.Is(err, io.EOF) {
 				// Signals end of archive.
 				rebasedTar.Close()
 				w.Close()
@@ -442,11 +441,12 @@ func CopyTo(content io.Reader, srcInfo CopyInfo, dstPath string) error {
 // whether to follow symbol link or not, if followLink is true, resolvedPath will return
 // link target of any symbol link file, else it will only resolve symlink of directory
 // but return symbol link file itself without resolving.
-func ResolveHostSourcePath(path string, followLink bool) (resolvedPath, rebaseName string, err error) {
+func ResolveHostSourcePath(path string, followLink bool) (resolvedPath, rebaseName string, _ error) {
 	if followLink {
+		var err error
 		resolvedPath, err = filepath.EvalSymlinks(path)
 		if err != nil {
-			return
+			return "", "", err
 		}
 
 		resolvedPath, rebaseName = GetRebaseName(path, resolvedPath)
@@ -454,10 +454,9 @@ func ResolveHostSourcePath(path string, followLink bool) (resolvedPath, rebaseNa
 		dirPath, basePath := filepath.Split(path)
 
 		// if not follow symbol link, then resolve symbol link of parent dir
-		var resolvedDirPath string
-		resolvedDirPath, err = filepath.EvalSymlinks(dirPath)
+		resolvedDirPath, err := filepath.EvalSymlinks(dirPath)
 		if err != nil {
-			return
+			return "", "", err
 		}
 		// resolvedDirPath will have been cleaned (no trailing path separators) so
 		// we can manually join it with the base path element.
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy_unix.go b/vendor/github.com/moby/go-archive/copy_unix.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/copy_unix.go
rename to vendor/github.com/moby/go-archive/copy_unix.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy_windows.go b/vendor/github.com/moby/go-archive/copy_windows.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/copy_windows.go
rename to vendor/github.com/moby/go-archive/copy_windows.go
diff --git a/vendor/github.com/moby/go-archive/dev_freebsd.go b/vendor/github.com/moby/go-archive/dev_freebsd.go
new file mode 100644
index 00000000..b3068fce
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/dev_freebsd.go
@@ -0,0 +1,9 @@
+//go:build freebsd
+
+package archive
+
+import "golang.org/x/sys/unix"
+
+func mknod(path string, mode uint32, dev uint64) error {
+	return unix.Mknod(path, mode, dev)
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/dev_unix.go b/vendor/github.com/moby/go-archive/dev_unix.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/dev_unix.go
rename to vendor/github.com/moby/go-archive/dev_unix.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/diff.go b/vendor/github.com/moby/go-archive/diff.go
similarity index 94%
rename from vendor/github.com/docker/docker/pkg/archive/diff.go
rename to vendor/github.com/moby/go-archive/diff.go
index d5a394cd..96db972d 100644
--- a/vendor/github.com/docker/docker/pkg/archive/diff.go
+++ b/vendor/github.com/moby/go-archive/diff.go
@@ -3,6 +3,7 @@ package archive
 import (
 	"archive/tar"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -11,6 +12,8 @@ import (
 	"strings"
 
 	"github.com/containerd/log"
+
+	"github.com/moby/go-archive/compression"
 )
 
 // UnpackLayer unpack `layer` to a `dest`. The stream `layer` can be
@@ -35,7 +38,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
 	// Iterate through the files in the archive.
 	for {
 		hdr, err := tr.Next()
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			// end of tar archive
 			break
 		}
@@ -149,7 +152,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
 			// the layer is also a directory. Then we want to merge them (i.e.
 			// just apply the metadata from the layer).
 			if fi, err := os.Lstat(path); err == nil {
-				if !(fi.IsDir() && hdr.Typeflag == tar.TypeDir) {
+				if !fi.IsDir() || hdr.Typeflag != tar.TypeDir {
 					if err := os.RemoveAll(path); err != nil {
 						return 0, err
 					}
@@ -165,7 +168,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
 				linkBasename := filepath.Base(hdr.Linkname)
 				srcHdr = aufsHardlinks[linkBasename]
 				if srcHdr == nil {
-					return 0, fmt.Errorf("Invalid aufs hardlink")
+					return 0, errors.New("invalid aufs hardlink")
 				}
 				tmpFile, err := os.Open(filepath.Join(aufsTempdir, linkBasename))
 				if err != nil {
@@ -221,18 +224,18 @@ func ApplyUncompressedLayer(dest string, layer io.Reader, options *TarOptions) (
 
 // IsEmpty checks if the tar archive is empty (doesn't contain any entries).
 func IsEmpty(rd io.Reader) (bool, error) {
-	decompRd, err := DecompressStream(rd)
+	decompRd, err := compression.DecompressStream(rd)
 	if err != nil {
-		return true, fmt.Errorf("failed to decompress archive: %v", err)
+		return true, fmt.Errorf("failed to decompress archive: %w", err)
 	}
 	defer decompRd.Close()
 
 	tarReader := tar.NewReader(decompRd)
 	if _, err := tarReader.Next(); err != nil {
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			return true, nil
 		}
-		return false, fmt.Errorf("failed to read next archive header: %v", err)
+		return false, fmt.Errorf("failed to read next archive header: %w", err)
 	}
 
 	return false, nil
@@ -247,7 +250,7 @@ func applyLayerHandler(dest string, layer io.Reader, options *TarOptions, decomp
 	defer restore()
 
 	if decompress {
-		decompLayer, err := DecompressStream(layer)
+		decompLayer, err := compression.DecompressStream(layer)
 		if err != nil {
 			return 0, err
 		}
diff --git a/vendor/github.com/docker/docker/pkg/archive/diff_unix.go b/vendor/github.com/moby/go-archive/diff_unix.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/diff_unix.go
rename to vendor/github.com/moby/go-archive/diff_unix.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/diff_windows.go b/vendor/github.com/moby/go-archive/diff_windows.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/diff_windows.go
rename to vendor/github.com/moby/go-archive/diff_windows.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/path.go b/vendor/github.com/moby/go-archive/path.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/path.go
rename to vendor/github.com/moby/go-archive/path.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/path_unix.go b/vendor/github.com/moby/go-archive/path_unix.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/path_unix.go
rename to vendor/github.com/moby/go-archive/path_unix.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/path_windows.go b/vendor/github.com/moby/go-archive/path_windows.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/path_windows.go
rename to vendor/github.com/moby/go-archive/path_windows.go
diff --git a/vendor/github.com/moby/go-archive/tarheader/tarheader.go b/vendor/github.com/moby/go-archive/tarheader/tarheader.go
new file mode 100644
index 00000000..03732a4f
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/tarheader/tarheader.go
@@ -0,0 +1,67 @@
+package tarheader
+
+import (
+	"archive/tar"
+	"os"
+)
+
+// assert that we implement [tar.FileInfoNames].
+var _ tar.FileInfoNames = (*nosysFileInfo)(nil)
+
+// nosysFileInfo hides the system-dependent info of the wrapped FileInfo to
+// prevent tar.FileInfoHeader from introspecting it and potentially calling into
+// glibc.
+//
+// It implements [tar.FileInfoNames] to further prevent [tar.FileInfoHeader]
+// from performing any lookups on go1.23 and up. see https://go.dev/issue/50102
+type nosysFileInfo struct {
+	os.FileInfo
+}
+
+// Uname stubs out looking up username. It implements [tar.FileInfoNames]
+// to prevent [tar.FileInfoHeader] from loading libraries to perform
+// username lookups.
+func (fi nosysFileInfo) Uname() (string, error) {
+	return "", nil
+}
+
+// Gname stubs out looking up group-name. It implements [tar.FileInfoNames]
+// to prevent [tar.FileInfoHeader] from loading libraries to perform
+// username lookups.
+func (fi nosysFileInfo) Gname() (string, error) {
+	return "", nil
+}
+
+func (fi nosysFileInfo) Sys() interface{} {
+	// A Sys value of type *tar.Header is safe as it is system-independent.
+	// The tar.FileInfoHeader function copies the fields into the returned
+	// header without performing any OS lookups.
+	if sys, ok := fi.FileInfo.Sys().(*tar.Header); ok {
+		return sys
+	}
+	return nil
+}
+
+// FileInfoHeaderNoLookups creates a partially-populated tar.Header from fi.
+//
+// Compared to the archive/tar.FileInfoHeader function, this function is safe to
+// call from a chrooted process as it does not populate fields which would
+// require operating system lookups. It behaves identically to
+// tar.FileInfoHeader when fi is a FileInfo value returned from
+// tar.Header.FileInfo().
+//
+// When fi is a FileInfo for a native file, such as returned from os.Stat() and
+// os.Lstat(), the returned Header value differs from one returned from
+// tar.FileInfoHeader in the following ways. The Uname and Gname fields are not
+// set as OS lookups would be required to populate them. The AccessTime and
+// ChangeTime fields are not currently set (not yet implemented) although that
+// is subject to change. Callers which require the AccessTime or ChangeTime
+// fields to be zeroed should explicitly zero them out in the returned Header
+// value to avoid any compatibility issues in the future.
+func FileInfoHeaderNoLookups(fi os.FileInfo, link string) (*tar.Header, error) {
+	hdr, err := tar.FileInfoHeader(nosysFileInfo{fi}, link)
+	if err != nil {
+		return nil, err
+	}
+	return hdr, sysStat(fi, hdr)
+}
diff --git a/vendor/github.com/moby/go-archive/tarheader/tarheader_unix.go b/vendor/github.com/moby/go-archive/tarheader/tarheader_unix.go
new file mode 100644
index 00000000..9c3311c6
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/tarheader/tarheader_unix.go
@@ -0,0 +1,46 @@
+//go:build !windows
+
+package tarheader
+
+import (
+	"archive/tar"
+	"os"
+	"runtime"
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// sysStat populates hdr from system-dependent fields of fi without performing
+// any OS lookups.
+func sysStat(fi os.FileInfo, hdr *tar.Header) error {
+	// Devmajor and Devminor are only needed for special devices.
+
+	// In FreeBSD, RDev for regular files is -1 (unless overridden by FS):
+	// https://cgit.freebsd.org/src/tree/sys/kern/vfs_default.c?h=stable/13#n1531
+	// (NODEV is -1: https://cgit.freebsd.org/src/tree/sys/sys/param.h?h=stable/13#n241).
+
+	// ZFS in particular does not override the default:
+	// https://cgit.freebsd.org/src/tree/sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vnops_os.c?h=stable/13#n2027
+
+	// Since `Stat_t.Rdev` is uint64, the cast turns -1 into (2^64 - 1).
+	// Such large values cannot be encoded in a tar header.
+	if runtime.GOOS == "freebsd" && hdr.Typeflag != tar.TypeBlock && hdr.Typeflag != tar.TypeChar {
+		return nil
+	}
+	s, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return nil
+	}
+
+	hdr.Uid = int(s.Uid)
+	hdr.Gid = int(s.Gid)
+
+	if s.Mode&unix.S_IFBLK != 0 ||
+		s.Mode&unix.S_IFCHR != 0 {
+		hdr.Devmajor = int64(unix.Major(uint64(s.Rdev))) //nolint: unconvert
+		hdr.Devminor = int64(unix.Minor(uint64(s.Rdev))) //nolint: unconvert
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/moby/go-archive/tarheader/tarheader_windows.go b/vendor/github.com/moby/go-archive/tarheader/tarheader_windows.go
new file mode 100644
index 00000000..5d4483ce
--- /dev/null
+++ b/vendor/github.com/moby/go-archive/tarheader/tarheader_windows.go
@@ -0,0 +1,12 @@
+package tarheader
+
+import (
+	"archive/tar"
+	"os"
+)
+
+// sysStat populates hdr from system-dependent fields of fi without performing
+// any OS lookups. It is a no-op on Windows.
+func sysStat(os.FileInfo, *tar.Header) error {
+	return nil
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time.go b/vendor/github.com/moby/go-archive/time.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/time.go
rename to vendor/github.com/moby/go-archive/time.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go b/vendor/github.com/moby/go-archive/time_nonwindows.go
similarity index 88%
rename from vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go
rename to vendor/github.com/moby/go-archive/time_nonwindows.go
index 8ce83bd0..5bfdfa2f 100644
--- a/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go
+++ b/vendor/github.com/moby/go-archive/time_nonwindows.go
@@ -17,12 +17,13 @@ func chtimes(name string, atime time.Time, mtime time.Time) error {
 	return os.Chtimes(name, atime, mtime)
 }
 
-func timeToTimespec(time time.Time) (ts unix.Timespec) {
+func timeToTimespec(time time.Time) unix.Timespec {
 	if time.IsZero() {
 		// Return UTIME_OMIT special value
-		ts.Sec = 0
-		ts.Nsec = (1 << 30) - 2
-		return
+		return unix.Timespec{
+			Sec:  0,
+			Nsec: (1 << 30) - 2,
+		}
 	}
 	return unix.NsecToTimespec(time.UnixNano())
 }
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_windows.go b/vendor/github.com/moby/go-archive/time_windows.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/time_windows.go
rename to vendor/github.com/moby/go-archive/time_windows.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/whiteouts.go b/vendor/github.com/moby/go-archive/whiteouts.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/whiteouts.go
rename to vendor/github.com/moby/go-archive/whiteouts.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/wrap.go b/vendor/github.com/moby/go-archive/wrap.go
similarity index 91%
rename from vendor/github.com/docker/docker/pkg/archive/wrap.go
rename to vendor/github.com/moby/go-archive/wrap.go
index 903befd7..f8a97254 100644
--- a/vendor/github.com/docker/docker/pkg/archive/wrap.go
+++ b/vendor/github.com/moby/go-archive/wrap.go
@@ -45,8 +45,8 @@ func Generate(input ...string) (io.Reader, error) {
 	return buf, nil
 }
 
-func parseStringPairs(input ...string) (output [][2]string) {
-	output = make([][2]string, 0, len(input)/2+1)
+func parseStringPairs(input ...string) [][2]string {
+	output := make([][2]string, 0, len(input)/2+1)
 	for i := 0; i < len(input); i += 2 {
 		var pair [2]string
 		pair[0] = input[i]
@@ -55,5 +55,5 @@ func parseStringPairs(input ...string) (output [][2]string) {
 		}
 		output = append(output, pair)
 	}
-	return
+	return output
 }
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported.go b/vendor/github.com/moby/go-archive/xattr_supported.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/xattr_supported.go
rename to vendor/github.com/moby/go-archive/xattr_supported.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go b/vendor/github.com/moby/go-archive/xattr_supported_linux.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go
rename to vendor/github.com/moby/go-archive/xattr_supported_linux.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go b/vendor/github.com/moby/go-archive/xattr_supported_unix.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go
rename to vendor/github.com/moby/go-archive/xattr_supported_unix.go
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go b/vendor/github.com/moby/go-archive/xattr_unsupported.go
similarity index 100%
rename from vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go
rename to vendor/github.com/moby/go-archive/xattr_unsupported.go
diff --git a/vendor/github.com/moby/sys/atomicwriter/LICENSE b/vendor/github.com/moby/sys/atomicwriter/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/vendor/github.com/moby/sys/atomicwriter/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/docker/docker/pkg/atomicwriter/atomicwriter.go b/vendor/github.com/moby/sys/atomicwriter/atomicwriter.go
similarity index 51%
rename from vendor/github.com/docker/docker/pkg/atomicwriter/atomicwriter.go
rename to vendor/github.com/moby/sys/atomicwriter/atomicwriter.go
index cbbe835b..d0d3be88 100644
--- a/vendor/github.com/docker/docker/pkg/atomicwriter/atomicwriter.go
+++ b/vendor/github.com/moby/sys/atomicwriter/atomicwriter.go
@@ -1,22 +1,90 @@
+// Package atomicwriter provides utilities to perform atomic writes to a
+// file or set of files.
 package atomicwriter
 
 import (
+	"errors"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
+	"syscall"
+
+	"github.com/moby/sys/sequential"
 )
 
+func validateDestination(fileName string) error {
+	if fileName == "" {
+		return errors.New("file name is empty")
+	}
+	if dir := filepath.Dir(fileName); dir != "" && dir != "." && dir != ".." {
+		di, err := os.Stat(dir)
+		if err != nil {
+			return fmt.Errorf("invalid output path: %w", err)
+		}
+		if !di.IsDir() {
+			return fmt.Errorf("invalid output path: %w", &os.PathError{Op: "stat", Path: dir, Err: syscall.ENOTDIR})
+		}
+	}
+
+	// Deliberately using Lstat here to match the behavior of [os.Rename],
+	// which is used when completing the write and does not resolve symlinks.
+	fi, err := os.Lstat(fileName)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return fmt.Errorf("failed to stat output path: %w", err)
+	}
+
+	switch mode := fi.Mode(); {
+	case mode.IsRegular():
+		return nil // Regular file
+	case mode&os.ModeDir != 0:
+		return errors.New("cannot write to a directory")
+	case mode&os.ModeSymlink != 0:
+		return errors.New("cannot write to a symbolic link directly")
+	case mode&os.ModeNamedPipe != 0:
+		return errors.New("cannot write to a named pipe (FIFO)")
+	case mode&os.ModeSocket != 0:
+		return errors.New("cannot write to a socket")
+	case mode&os.ModeDevice != 0:
+		if mode&os.ModeCharDevice != 0 {
+			return errors.New("cannot write to a character device file")
+		}
+		return errors.New("cannot write to a block device file")
+	case mode&os.ModeSetuid != 0:
+		return errors.New("cannot write to a setuid file")
+	case mode&os.ModeSetgid != 0:
+		return errors.New("cannot write to a setgid file")
+	case mode&os.ModeSticky != 0:
+		return errors.New("cannot write to a sticky bit file")
+	default:
+		return fmt.Errorf("unknown file mode: %[1]s (%#[1]o)", mode)
+	}
+}
+
 // New returns a WriteCloser so that writing to it writes to a
 // temporary file and closing it atomically changes the temporary file to
 // destination path. Writing and closing concurrently is not allowed.
 // NOTE: umask is not considered for the file's permissions.
+//
+// New uses [sequential.CreateTemp] to use sequential file access on Windows,
+// avoiding depleting the standby list un-necessarily. On Linux, this equates to
+// a regular [os.CreateTemp]. Refer to the [Win32 API documentation] for details
+// on sequential file access.
+//
+// [Win32 API documentation]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
 func New(filename string, perm os.FileMode) (io.WriteCloser, error) {
-	f, err := os.CreateTemp(filepath.Dir(filename), ".tmp-"+filepath.Base(filename))
+	if err := validateDestination(filename); err != nil {
+		return nil, err
+	}
+	abspath, err := filepath.Abs(filename)
 	if err != nil {
 		return nil, err
 	}
 
-	abspath, err := filepath.Abs(filename)
+	f, err := sequential.CreateTemp(filepath.Dir(abspath), ".tmp-"+filepath.Base(filename))
 	if err != nil {
 		return nil, err
 	}
@@ -27,7 +95,12 @@ func New(filename string, perm os.FileMode) (io.WriteCloser, error) {
 	}, nil
 }
 
-// WriteFile atomically writes data to a file named by filename and with the specified permission bits.
+// WriteFile atomically writes data to a file named by filename and with the
+// specified permission bits. The given filename is created if it does not exist,
+// but the destination directory must exist. It can be used as a drop-in replacement
+// for [os.WriteFile], but currently does not allow the destination path to be
+// a symlink. WriteFile is implemented using [New] for its implementation.
+//
 // NOTE: umask is not considered for the file's permissions.
 func WriteFile(filename string, data []byte, perm os.FileMode) error {
 	f, err := New(filename, perm)
@@ -49,10 +122,12 @@ type atomicFileWriter struct {
 	f        *os.File
 	fn       string
 	writeErr error
+	written  bool
 	perm     os.FileMode
 }
 
 func (w *atomicFileWriter) Write(dt []byte) (int, error) {
+	w.written = true
 	n, err := w.f.Write(dt)
 	if err != nil {
 		w.writeErr = err
@@ -62,12 +137,12 @@ func (w *atomicFileWriter) Write(dt []byte) (int, error) {
 
 func (w *atomicFileWriter) Close() (retErr error) {
 	defer func() {
-		if retErr != nil || w.writeErr != nil {
-			os.Remove(w.f.Name())
+		if err := os.Remove(w.f.Name()); !errors.Is(err, os.ErrNotExist) && retErr == nil {
+			retErr = err
 		}
 	}()
 	if err := w.f.Sync(); err != nil {
-		w.f.Close()
+		_ = w.f.Close()
 		return err
 	}
 	if err := w.f.Close(); err != nil {
@@ -76,7 +151,7 @@ func (w *atomicFileWriter) Close() (retErr error) {
 	if err := os.Chmod(w.f.Name(), w.perm); err != nil {
 		return err
 	}
-	if w.writeErr == nil {
+	if w.writeErr == nil && w.written {
 		return os.Rename(w.f.Name(), w.fn)
 	}
 	return nil
@@ -136,8 +211,15 @@ func (w syncFileCloser) Close() error {
 
 // FileWriter opens a file writer inside the set. The file
 // should be synced and closed before calling commit.
+//
+// FileWriter uses [sequential.OpenFile] to use sequential file access on Windows,
+// avoiding depleting the standby list un-necessarily. On Linux, this equates to
+// a regular [os.OpenFile]. Refer to the [Win32 API documentation] for details
+// on sequential file access.
+//
+// [Win32 API documentation]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
 func (ws *WriteSet) FileWriter(name string, flag int, perm os.FileMode) (io.WriteCloser, error) {
-	f, err := os.OpenFile(filepath.Join(ws.root, name), flag, perm)
+	f, err := sequential.OpenFile(filepath.Join(ws.root, name), flag, perm)
 	if err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/moby/sys/user/idtools.go b/vendor/github.com/moby/sys/user/idtools.go
new file mode 100644
index 00000000..595b7a92
--- /dev/null
+++ b/vendor/github.com/moby/sys/user/idtools.go
@@ -0,0 +1,141 @@
+package user
+
+import (
+	"fmt"
+	"os"
+)
+
+// MkdirOpt is a type for options to pass to Mkdir calls
+type MkdirOpt func(*mkdirOptions)
+
+type mkdirOptions struct {
+	onlyNew bool
+}
+
+// WithOnlyNew is an option for MkdirAllAndChown that will only change ownership and permissions
+// on newly created directories.  If the directory already exists, it will not be modified
+func WithOnlyNew(o *mkdirOptions) {
+	o.onlyNew = true
+}
+
+// MkdirAllAndChown creates a directory (include any along the path) and then modifies
+// ownership to the requested uid/gid.  By default, if the directory already exists, this
+// function will still change ownership and permissions. If WithOnlyNew is passed as an
+// option, then only the newly created directories will have ownership and permissions changed.
+func MkdirAllAndChown(path string, mode os.FileMode, uid, gid int, opts ...MkdirOpt) error {
+	var options mkdirOptions
+	for _, opt := range opts {
+		opt(&options)
+	}
+
+	return mkdirAs(path, mode, uid, gid, true, options.onlyNew)
+}
+
+// MkdirAndChown creates a directory and then modifies ownership to the requested uid/gid.
+// By default, if the directory already exists, this function still changes ownership and permissions.
+// If WithOnlyNew is passed as an option, then only the newly created directory will have ownership
+// and permissions changed.
+// Note that unlike os.Mkdir(), this function does not return IsExist error
+// in case path already exists.
+func MkdirAndChown(path string, mode os.FileMode, uid, gid int, opts ...MkdirOpt) error {
+	var options mkdirOptions
+	for _, opt := range opts {
+		opt(&options)
+	}
+	return mkdirAs(path, mode, uid, gid, false, options.onlyNew)
+}
+
+// getRootUIDGID retrieves the remapped root uid/gid pair from the set of maps.
+// If the maps are empty, then the root uid/gid will default to "real" 0/0
+func getRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+	uid, err := toHost(0, uidMap)
+	if err != nil {
+		return -1, -1, err
+	}
+	gid, err := toHost(0, gidMap)
+	if err != nil {
+		return -1, -1, err
+	}
+	return uid, gid, nil
+}
+
+// toContainer takes an id mapping, and uses it to translate a
+// host ID to the remapped ID. If no map is provided, then the translation
+// assumes a 1-to-1 mapping and returns the passed in id
+func toContainer(hostID int, idMap []IDMap) (int, error) {
+	if idMap == nil {
+		return hostID, nil
+	}
+	for _, m := range idMap {
+		if (int64(hostID) >= m.ParentID) && (int64(hostID) <= (m.ParentID + m.Count - 1)) {
+			contID := int(m.ID + (int64(hostID) - m.ParentID))
+			return contID, nil
+		}
+	}
+	return -1, fmt.Errorf("host ID %d cannot be mapped to a container ID", hostID)
+}
+
+// toHost takes an id mapping and a remapped ID, and translates the
+// ID to the mapped host ID. If no map is provided, then the translation
+// assumes a 1-to-1 mapping and returns the passed in id #
+func toHost(contID int, idMap []IDMap) (int, error) {
+	if idMap == nil {
+		return contID, nil
+	}
+	for _, m := range idMap {
+		if (int64(contID) >= m.ID) && (int64(contID) <= (m.ID + m.Count - 1)) {
+			hostID := int(m.ParentID + (int64(contID) - m.ID))
+			return hostID, nil
+		}
+	}
+	return -1, fmt.Errorf("container ID %d cannot be mapped to a host ID", contID)
+}
+
+// IdentityMapping contains a mappings of UIDs and GIDs.
+// The zero value represents an empty mapping.
+type IdentityMapping struct {
+	UIDMaps []IDMap `json:"UIDMaps"`
+	GIDMaps []IDMap `json:"GIDMaps"`
+}
+
+// RootPair returns a uid and gid pair for the root user. The error is ignored
+// because a root user always exists, and the defaults are correct when the uid
+// and gid maps are empty.
+func (i IdentityMapping) RootPair() (int, int) {
+	uid, gid, _ := getRootUIDGID(i.UIDMaps, i.GIDMaps)
+	return uid, gid
+}
+
+// ToHost returns the host UID and GID for the container uid, gid.
+// Remapping is only performed if the ids aren't already the remapped root ids
+func (i IdentityMapping) ToHost(uid, gid int) (int, int, error) {
+	var err error
+	ruid, rgid := i.RootPair()
+
+	if uid != ruid {
+		ruid, err = toHost(uid, i.UIDMaps)
+		if err != nil {
+			return ruid, rgid, err
+		}
+	}
+
+	if gid != rgid {
+		rgid, err = toHost(gid, i.GIDMaps)
+	}
+	return ruid, rgid, err
+}
+
+// ToContainer returns the container UID and GID for the host uid and gid
+func (i IdentityMapping) ToContainer(uid, gid int) (int, int, error) {
+	ruid, err := toContainer(uid, i.UIDMaps)
+	if err != nil {
+		return -1, -1, err
+	}
+	rgid, err := toContainer(gid, i.GIDMaps)
+	return ruid, rgid, err
+}
+
+// Empty returns true if there are no id mappings
+func (i IdentityMapping) Empty() bool {
+	return len(i.UIDMaps) == 0 && len(i.GIDMaps) == 0
+}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go b/vendor/github.com/moby/sys/user/idtools_unix.go
similarity index 62%
rename from vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
rename to vendor/github.com/moby/sys/user/idtools_unix.go
index 1f11fe47..4e39d244 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
+++ b/vendor/github.com/moby/sys/user/idtools_unix.go
@@ -1,6 +1,6 @@
 //go:build !windows
 
-package idtools
+package user
 
 import (
 	"fmt"
@@ -8,11 +8,9 @@ import (
 	"path/filepath"
 	"strconv"
 	"syscall"
-
-	"github.com/moby/sys/user"
 )
 
-func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
+func mkdirAs(path string, mode os.FileMode, uid, gid int, mkAll, onlyNew bool) error {
 	path, err := filepath.Abs(path)
 	if err != nil {
 		return err
@@ -23,21 +21,21 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
 		if !stat.IsDir() {
 			return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR}
 		}
-		if !chownExisting {
+		if onlyNew {
 			return nil
 		}
 
 		// short-circuit -- we were called with an existing directory and chown was requested
-		return setPermissions(path, mode, owner, stat)
+		return setPermissions(path, mode, uid, gid, stat)
 	}
 
 	// make an array containing the original path asked for, plus (for mkAll == true)
 	// all path components leading up to the complete path that don't exist before we MkdirAll
-	// so that we can chown all of them properly at the end.  If chownExisting is false, we won't
+	// so that we can chown all of them properly at the end.  If onlyNew is true, we won't
 	// chown the full directory path if it exists
 	var paths []string
 	if os.IsNotExist(err) {
-		paths = []string{path}
+		paths = append(paths, path)
 	}
 
 	if mkAll {
@@ -49,7 +47,7 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
 			if dirPath == "/" {
 				break
 			}
-			if _, err = os.Stat(dirPath); err != nil && os.IsNotExist(err) {
+			if _, err = os.Stat(dirPath); os.IsNotExist(err) {
 				paths = append(paths, dirPath)
 			}
 		}
@@ -62,39 +60,18 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
 	// even if it existed, we will chown the requested path + any subpaths that
 	// didn't exist when we called MkdirAll
 	for _, pathComponent := range paths {
-		if err = setPermissions(pathComponent, mode, owner, nil); err != nil {
+		if err = setPermissions(pathComponent, mode, uid, gid, nil); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 
-// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username
-//
-// Deprecated: use [user.LookupUser] instead
-func LookupUser(name string) (user.User, error) {
-	return user.LookupUser(name)
-}
-
-// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid
-//
-// Deprecated: use [user.LookupUid] instead
-func LookupUID(uid int) (user.User, error) {
-	return user.LookupUid(uid)
-}
-
-// LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
-//
-// Deprecated: use [user.LookupGroup] instead
-func LookupGroup(name string) (user.Group, error) {
-	return user.LookupGroup(name)
-}
-
 // setPermissions performs a chown/chmod only if the uid/gid don't match what's requested
 // Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
 // dir is on an NFS share, so don't call chown unless we absolutely must.
 // Likewise for setting permissions.
-func setPermissions(p string, mode os.FileMode, owner Identity, stat os.FileInfo) error {
+func setPermissions(p string, mode os.FileMode, uid, gid int, stat os.FileInfo) error {
 	if stat == nil {
 		var err error
 		stat, err = os.Stat(p)
@@ -108,10 +85,10 @@ func setPermissions(p string, mode os.FileMode, owner Identity, stat os.FileInfo
 		}
 	}
 	ssi := stat.Sys().(*syscall.Stat_t)
-	if ssi.Uid == uint32(owner.UID) && ssi.Gid == uint32(owner.GID) {
+	if ssi.Uid == uint32(uid) && ssi.Gid == uint32(gid) {
 		return nil
 	}
-	return os.Chown(p, owner.UID, owner.GID)
+	return os.Chown(p, uid, gid)
 }
 
 // LoadIdentityMapping takes a requested username and
@@ -119,9 +96,9 @@ func setPermissions(p string, mode os.FileMode, owner Identity, stat os.FileInfo
 // proper uid and gid remapping ranges for that user/group pair
 func LoadIdentityMapping(name string) (IdentityMapping, error) {
 	// TODO: Consider adding support for calling out to "getent"
-	usr, err := user.LookupUser(name)
+	usr, err := LookupUser(name)
 	if err != nil {
-		return IdentityMapping{}, fmt.Errorf("could not get user for username %s: %v", name, err)
+		return IdentityMapping{}, fmt.Errorf("could not get user for username %s: %w", name, err)
 	}
 
 	subuidRanges, err := lookupSubRangesFile("/etc/subuid", usr)
@@ -139,9 +116,9 @@ func LoadIdentityMapping(name string) (IdentityMapping, error) {
 	}, nil
 }
 
-func lookupSubRangesFile(path string, usr user.User) ([]IDMap, error) {
+func lookupSubRangesFile(path string, usr User) ([]IDMap, error) {
 	uidstr := strconv.Itoa(usr.Uid)
-	rangeList, err := user.ParseSubIDFileFilter(path, func(sid user.SubID) bool {
+	rangeList, err := ParseSubIDFileFilter(path, func(sid SubID) bool {
 		return sid.Name == usr.Name || sid.Name == uidstr
 	})
 	if err != nil {
@@ -153,14 +130,14 @@ func lookupSubRangesFile(path string, usr user.User) ([]IDMap, error) {
 
 	idMap := []IDMap{}
 
-	containerID := 0
+	var containerID int64
 	for _, idrange := range rangeList {
 		idMap = append(idMap, IDMap{
-			ContainerID: containerID,
-			HostID:      int(idrange.SubID),
-			Size:        int(idrange.Count),
+			ID:       containerID,
+			ParentID: idrange.SubID,
+			Count:    idrange.Count,
 		})
-		containerID = containerID + int(idrange.Count)
+		containerID = containerID + idrange.Count
 	}
 	return idMap, nil
 }
diff --git a/vendor/github.com/moby/sys/user/idtools_windows.go b/vendor/github.com/moby/sys/user/idtools_windows.go
new file mode 100644
index 00000000..9de730ca
--- /dev/null
+++ b/vendor/github.com/moby/sys/user/idtools_windows.go
@@ -0,0 +1,13 @@
+package user
+
+import (
+	"os"
+)
+
+// This is currently a wrapper around [os.MkdirAll] since currently
+// permissions aren't set through this path, the identity isn't utilized.
+// Ownership is handled elsewhere, but in the future could be support here
+// too.
+func mkdirAs(path string, _ os.FileMode, _, _ int, _, _ bool) error {
+	return os.MkdirAll(path, 0)
+}
diff --git a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm
index 4230fba0..f1199315 100644
--- a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm
+++ b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm
@@ -1,4 +1,4 @@
-FROM golang:1.23@sha256:51a6466e8dbf3e00e422eb0f7a97ac450b2d57b33617bbe8d2ee0bddcd9d0d37
+FROM golang:1.24@sha256:20a022e5112a144aa7b7aeb3f22ebf2cdaefcc4aac0d64e8deeee8cdc18b9c0f
 
 ENV GOOS=linux
 ENV GOARCH=arm
diff --git a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64 b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64
index 59928252..fa63a029 100644
--- a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64
+++ b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64
@@ -1,4 +1,4 @@
-FROM golang:1.23@sha256:51a6466e8dbf3e00e422eb0f7a97ac450b2d57b33617bbe8d2ee0bddcd9d0d37
+FROM golang:1.24@sha256:20a022e5112a144aa7b7aeb3f22ebf2cdaefcc4aac0d64e8deeee8cdc18b9c0f
 
 ENV GOOS=linux
 ENV GOARCH=arm64
diff --git a/vendor/github.com/pjbgf/sha1cd/Makefile b/vendor/github.com/pjbgf/sha1cd/Makefile
index 278a109d..a9a738b9 100644
--- a/vendor/github.com/pjbgf/sha1cd/Makefile
+++ b/vendor/github.com/pjbgf/sha1cd/Makefile
@@ -4,7 +4,7 @@ export CGO_ENABLED := 1
 
 .PHONY: test
 test:
-	go test ./...
+	go test -race -timeout 15s ./...
 
 .PHONY: bench
 bench:
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.go b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.go
index 95e08308..7ee0f20a 100644
--- a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.go
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.go
@@ -1,5 +1,5 @@
-//go:build !noasm && gc && amd64
-// +build !noasm,gc,amd64
+//go:build !noasm && gc && amd64 && !arm64
+// +build !noasm,gc,amd64,!arm64
 
 package sha1cd
 
@@ -10,12 +10,6 @@ import (
 	shared "github.com/pjbgf/sha1cd/internal"
 )
 
-type sliceHeader struct {
-	base uintptr
-	len  int
-	cap  int
-}
-
 // blockAMD64 hashes the message p into the current state in dig.
 // Both m1 and cs are used to store intermediate results which are used by the collision detection logic.
 //
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s
index e5e213a5..fa5022be 100644
--- a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s
@@ -1,17 +1,17 @@
 // Code generated by command: go run asm.go -out ../sha1cdblock_amd64.s -pkg sha1cd. DO NOT EDIT.
 
-//go:build !noasm && gc && amd64
+//go:build !noasm && gc && amd64 && !arm64
 
 #include "textflag.h"
 
 // func blockAMD64(dig *digest, p []byte, m1 []uint32, cs [][5]uint32)
 TEXT ·blockAMD64(SB), NOSPLIT, $64-80
 	MOVQ dig+0(FP), R8
-	MOVQ p_base+8(FP), DI
+	MOVQ p_base+8(FP), SI
 	MOVQ p_len+16(FP), DX
 	SHRQ $+6, DX
 	SHLQ $+6, DX
-	LEAQ (DI)(DX*1), SI
+	LEAQ (SI)(DX*1), DI
 
 	// Load h0, h1, h2, h3, h4.
 	MOVL (R8), AX
@@ -22,2252 +22,2251 @@ TEXT ·blockAMD64(SB), NOSPLIT, $64-80
 
 	// len(p) >= chunk
 	CMPQ DI, SI
-	JEQ  end
+	JBE  end
 
 loop:
 	// Initialize registers a, b, c, d, e.
-	MOVL AX, R10
-	MOVL BX, R11
-	MOVL CX, R12
-	MOVL DX, R13
-	MOVL BP, R14
+	MOVL AX, R9
+	MOVL BX, R10
+	MOVL CX, R11
+	MOVL DX, R12
+	MOVL BP, R13
 
 	// ROUND1 (steps 0-15)
 	// Load cs
 	MOVQ cs_base+56(FP), R8
-	MOVL R10, (R8)
-	MOVL R11, 4(R8)
-	MOVL R12, 8(R8)
-	MOVL R13, 12(R8)
-	MOVL R14, 16(R8)
+	MOVL R9, (R8)
+	MOVL R10, 4(R8)
+	MOVL R11, 8(R8)
+	MOVL R12, 12(R8)
+	MOVL R13, 16(R8)
 
 	// ROUND1(0)
 	// LOAD
-	MOVL   (DI), R9
-	BSWAPL R9
-	MOVL   R9, (SP)
+	MOVL   (SI), DI
+	BSWAPL DI
+	MOVL   DI, (SP)
 
 	// FUNC1
-	MOVL R13, R15
-	XORL R12, R15
-	ANDL R11, R15
-	XORL R13, R15
+	MOVL R12, R14
+	XORL R11, R14
+	ANDL R10, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1518500249(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL (SP), R9
-	MOVL R9, (R8)
+	MOVL (SP), DI
+	MOVL DI, (R8)
 
 	// ROUND1(1)
 	// LOAD
-	MOVL   4(DI), R9
-	BSWAPL R9
-	MOVL   R9, 4(SP)
+	MOVL   4(SI), DI
+	BSWAPL DI
+	MOVL   DI, 4(SP)
 
 	// FUNC1
-	MOVL R12, R15
-	XORL R11, R15
-	ANDL R10, R15
-	XORL R12, R15
+	MOVL R11, R14
+	XORL R10, R14
+	ANDL R9, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 1518500249(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 4(SP), R9
-	MOVL R9, 4(R8)
+	MOVL 4(SP), DI
+	MOVL DI, 4(R8)
 
 	// ROUND1(2)
 	// LOAD
-	MOVL   8(DI), R9
-	BSWAPL R9
-	MOVL   R9, 8(SP)
+	MOVL   8(SI), DI
+	BSWAPL DI
+	MOVL   DI, 8(SP)
 
 	// FUNC1
-	MOVL R11, R15
-	XORL R10, R15
-	ANDL R14, R15
-	XORL R11, R15
+	MOVL R10, R14
+	XORL R9, R14
+	ANDL R13, R14
+	XORL R10, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
+	ROLL $+30, R13
+	ADDL R14, R11
+	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R12)(R9*1), R12
-	ADDL R8, R12
+	LEAL 1518500249(R11)(DI*1), R11
+	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 8(SP), R9
-	MOVL R9, 8(R8)
+	MOVL 8(SP), DI
+	MOVL DI, 8(R8)
 
 	// ROUND1(3)
 	// LOAD
-	MOVL   12(DI), R9
-	BSWAPL R9
-	MOVL   R9, 12(SP)
+	MOVL   12(SI), DI
+	BSWAPL DI
+	MOVL   DI, 12(SP)
 
 	// FUNC1
-	MOVL R10, R15
-	XORL R14, R15
-	ANDL R13, R15
-	XORL R10, R15
+	MOVL R9, R14
+	XORL R13, R14
+	ANDL R12, R14
+	XORL R9, R14
 
 	// MIX
-	ROLL $+30, R13
-	ADDL R15, R11
-	MOVL R12, R8
+	ROLL $+30, R12
+	ADDL R14, R10
+	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R11)(R9*1), R11
-	ADDL R8, R11
+	LEAL 1518500249(R10)(DI*1), R10
+	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 12(SP), R9
-	MOVL R9, 12(R8)
+	MOVL 12(SP), DI
+	MOVL DI, 12(R8)
 
 	// ROUND1(4)
 	// LOAD
-	MOVL   16(DI), R9
-	BSWAPL R9
-	MOVL   R9, 16(SP)
+	MOVL   16(SI), DI
+	BSWAPL DI
+	MOVL   DI, 16(SP)
 
 	// FUNC1
-	MOVL R14, R15
-	XORL R13, R15
-	ANDL R12, R15
-	XORL R14, R15
+	MOVL R13, R14
+	XORL R12, R14
+	ANDL R11, R14
+	XORL R13, R14
 
 	// MIX
-	ROLL $+30, R12
-	ADDL R15, R10
-	MOVL R11, R8
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R10)(R9*1), R10
-	ADDL R8, R10
+	LEAL 1518500249(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 16(SP), R9
-	MOVL R9, 16(R8)
+	MOVL 16(SP), DI
+	MOVL DI, 16(R8)
 
 	// ROUND1(5)
 	// LOAD
-	MOVL   20(DI), R9
-	BSWAPL R9
-	MOVL   R9, 20(SP)
+	MOVL   20(SI), DI
+	BSWAPL DI
+	MOVL   DI, 20(SP)
 
 	// FUNC1
-	MOVL R13, R15
-	XORL R12, R15
-	ANDL R11, R15
-	XORL R13, R15
+	MOVL R12, R14
+	XORL R11, R14
+	ANDL R10, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1518500249(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 20(SP), R9
-	MOVL R9, 20(R8)
+	MOVL 20(SP), DI
+	MOVL DI, 20(R8)
 
 	// ROUND1(6)
 	// LOAD
-	MOVL   24(DI), R9
-	BSWAPL R9
-	MOVL   R9, 24(SP)
+	MOVL   24(SI), DI
+	BSWAPL DI
+	MOVL   DI, 24(SP)
 
 	// FUNC1
-	MOVL R12, R15
-	XORL R11, R15
-	ANDL R10, R15
-	XORL R12, R15
+	MOVL R11, R14
+	XORL R10, R14
+	ANDL R9, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 1518500249(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 24(SP), R9
-	MOVL R9, 24(R8)
+	MOVL 24(SP), DI
+	MOVL DI, 24(R8)
 
 	// ROUND1(7)
 	// LOAD
-	MOVL   28(DI), R9
-	BSWAPL R9
-	MOVL   R9, 28(SP)
+	MOVL   28(SI), DI
+	BSWAPL DI
+	MOVL   DI, 28(SP)
 
 	// FUNC1
-	MOVL R11, R15
-	XORL R10, R15
-	ANDL R14, R15
-	XORL R11, R15
-
-	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
-	ROLL $+5, R8
-	LEAL 1518500249(R12)(R9*1), R12
-	ADDL R8, R12
-
-	// Load m1
-	MOVQ m1_base+32(FP), R8
-	MOVL 28(SP), R9
-	MOVL R9, 28(R8)
-
-	// ROUND1(8)
-	// LOAD
-	MOVL   32(DI), R9
-	BSWAPL R9
-	MOVL   R9, 32(SP)
-
-	// FUNC1
-	MOVL R10, R15
-	XORL R14, R15
-	ANDL R13, R15
-	XORL R10, R15
+	MOVL R10, R14
+	XORL R9, R14
+	ANDL R13, R14
+	XORL R10, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R11)(R9*1), R11
+	LEAL 1518500249(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 32(SP), R9
-	MOVL R9, 32(R8)
+	MOVL 28(SP), DI
+	MOVL DI, 28(R8)
 
-	// ROUND1(9)
+	// ROUND1(8)
 	// LOAD
-	MOVL   36(DI), R9
-	BSWAPL R9
-	MOVL   R9, 36(SP)
+	MOVL   32(SI), DI
+	BSWAPL DI
+	MOVL   DI, 32(SP)
 
 	// FUNC1
-	MOVL R14, R15
-	XORL R13, R15
-	ANDL R12, R15
-	XORL R14, R15
+	MOVL R9, R14
+	XORL R13, R14
+	ANDL R12, R14
+	XORL R9, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R10)(R9*1), R10
+	LEAL 1518500249(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 36(SP), R9
-	MOVL R9, 36(R8)
+	MOVL 32(SP), DI
+	MOVL DI, 32(R8)
 
-	// ROUND1(10)
+	// ROUND1(9)
 	// LOAD
-	MOVL   40(DI), R9
-	BSWAPL R9
-	MOVL   R9, 40(SP)
+	MOVL   36(SI), DI
+	BSWAPL DI
+	MOVL   DI, 36(SP)
 
 	// FUNC1
-	MOVL R13, R15
-	XORL R12, R15
-	ANDL R11, R15
-	XORL R13, R15
+	MOVL R13, R14
+	XORL R12, R14
+	ANDL R11, R14
+	XORL R13, R14
 
 	// MIX
 	ROLL $+30, R11
-	ADDL R15, R14
+	ADDL R14, R9
 	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1518500249(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 40(SP), R9
-	MOVL R9, 40(R8)
+	MOVL 36(SP), DI
+	MOVL DI, 36(R8)
 
-	// ROUND1(11)
+	// ROUND1(10)
 	// LOAD
-	MOVL   44(DI), R9
-	BSWAPL R9
-	MOVL   R9, 44(SP)
+	MOVL   40(SI), DI
+	BSWAPL DI
+	MOVL   DI, 40(SP)
 
 	// FUNC1
-	MOVL R12, R15
-	XORL R11, R15
-	ANDL R10, R15
-	XORL R12, R15
+	MOVL R12, R14
+	XORL R11, R14
+	ANDL R10, R14
+	XORL R12, R14
 
 	// MIX
 	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R13)(R9*1), R13
+	LEAL 1518500249(R13)(DI*1), R13
 	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 44(SP), R9
-	MOVL R9, 44(R8)
+	MOVL 40(SP), DI
+	MOVL DI, 40(R8)
 
-	// ROUND1(12)
+	// ROUND1(11)
 	// LOAD
-	MOVL   48(DI), R9
-	BSWAPL R9
-	MOVL   R9, 48(SP)
+	MOVL   44(SI), DI
+	BSWAPL DI
+	MOVL   DI, 44(SP)
 
 	// FUNC1
-	MOVL R11, R15
-	XORL R10, R15
-	ANDL R14, R15
-	XORL R11, R15
+	MOVL R11, R14
+	XORL R10, R14
+	ANDL R9, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
+	ROLL $+30, R9
+	ADDL R14, R12
 	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R12)(R9*1), R12
+	LEAL 1518500249(R12)(DI*1), R12
 	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 48(SP), R9
-	MOVL R9, 48(R8)
+	MOVL 44(SP), DI
+	MOVL DI, 44(R8)
 
-	// ROUND1(13)
+	// ROUND1(12)
 	// LOAD
-	MOVL   52(DI), R9
-	BSWAPL R9
-	MOVL   R9, 52(SP)
+	MOVL   48(SI), DI
+	BSWAPL DI
+	MOVL   DI, 48(SP)
 
 	// FUNC1
-	MOVL R10, R15
-	XORL R14, R15
-	ANDL R13, R15
-	XORL R10, R15
+	MOVL R10, R14
+	XORL R9, R14
+	ANDL R13, R14
+	XORL R10, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R11)(R9*1), R11
+	LEAL 1518500249(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 52(SP), R9
-	MOVL R9, 52(R8)
+	MOVL 48(SP), DI
+	MOVL DI, 48(R8)
 
-	// ROUND1(14)
+	// ROUND1(13)
 	// LOAD
-	MOVL   56(DI), R9
-	BSWAPL R9
-	MOVL   R9, 56(SP)
+	MOVL   52(SI), DI
+	BSWAPL DI
+	MOVL   DI, 52(SP)
 
 	// FUNC1
-	MOVL R14, R15
-	XORL R13, R15
-	ANDL R12, R15
-	XORL R14, R15
+	MOVL R9, R14
+	XORL R13, R14
+	ANDL R12, R14
+	XORL R9, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R10)(R9*1), R10
+	LEAL 1518500249(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 56(SP), R9
-	MOVL R9, 56(R8)
+	MOVL 52(SP), DI
+	MOVL DI, 52(R8)
 
-	// ROUND1(15)
+	// ROUND1(14)
 	// LOAD
-	MOVL   60(DI), R9
-	BSWAPL R9
-	MOVL   R9, 60(SP)
+	MOVL   56(SI), DI
+	BSWAPL DI
+	MOVL   DI, 56(SP)
 
 	// FUNC1
-	MOVL R13, R15
-	XORL R12, R15
-	ANDL R11, R15
-	XORL R13, R15
+	MOVL R13, R14
+	XORL R12, R14
+	ANDL R11, R14
+	XORL R13, R14
 
 	// MIX
 	ROLL $+30, R11
-	ADDL R15, R14
+	ADDL R14, R9
 	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1518500249(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 60(SP), R9
-	MOVL R9, 60(R8)
+	MOVL 56(SP), DI
+	MOVL DI, 56(R8)
+
+	// ROUND1(15)
+	// LOAD
+	MOVL   60(SI), DI
+	BSWAPL DI
+	MOVL   DI, 60(SP)
+
+	// FUNC1
+	MOVL R12, R14
+	XORL R11, R14
+	ANDL R10, R14
+	XORL R12, R14
+
+	// MIX
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
+	ROLL $+5, R8
+	LEAL 1518500249(R13)(DI*1), R13
+	ADDL R8, R13
+
+	// Load m1
+	MOVQ m1_base+32(FP), R8
+	MOVL 60(SP), DI
+	MOVL DI, 60(R8)
 
 	// ROUND1x (steps 16-19) - same as ROUND1 but with no data load.
 	// ROUND1x(16)
 	// SHUFFLE
-	MOVL (SP), R9
-	XORL 52(SP), R9
-	XORL 32(SP), R9
-	XORL 8(SP), R9
-	ROLL $+1, R9
-	MOVL R9, (SP)
+	MOVL (SP), DI
+	XORL 52(SP), DI
+	XORL 32(SP), DI
+	XORL 8(SP), DI
+	ROLL $+1, DI
+	MOVL DI, (SP)
 
 	// FUNC1
-	MOVL R12, R15
-	XORL R11, R15
-	ANDL R10, R15
-	XORL R12, R15
+	MOVL R11, R14
+	XORL R10, R14
+	ANDL R9, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
-	ROLL $+5, R8
-	LEAL 1518500249(R13)(R9*1), R13
-	ADDL R8, R13
-
-	// Load m1
-	MOVQ m1_base+32(FP), R8
-	MOVL (SP), R9
-	MOVL R9, 64(R8)
-
-	// ROUND1x(17)
-	// SHUFFLE
-	MOVL 4(SP), R9
-	XORL 56(SP), R9
-	XORL 36(SP), R9
-	XORL 12(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 4(SP)
-
-	// FUNC1
-	MOVL R11, R15
-	XORL R10, R15
-	ANDL R14, R15
-	XORL R11, R15
-
-	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
+	ROLL $+30, R9
+	ADDL R14, R12
 	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R12)(R9*1), R12
+	LEAL 1518500249(R12)(DI*1), R12
 	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 4(SP), R9
-	MOVL R9, 68(R8)
+	MOVL (SP), DI
+	MOVL DI, 64(R8)
 
-	// ROUND1x(18)
+	// ROUND1x(17)
 	// SHUFFLE
-	MOVL 8(SP), R9
-	XORL 60(SP), R9
-	XORL 40(SP), R9
-	XORL 16(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 8(SP)
+	MOVL 4(SP), DI
+	XORL 56(SP), DI
+	XORL 36(SP), DI
+	XORL 12(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 4(SP)
 
 	// FUNC1
-	MOVL R10, R15
-	XORL R14, R15
-	ANDL R13, R15
-	XORL R10, R15
+	MOVL R10, R14
+	XORL R9, R14
+	ANDL R13, R14
+	XORL R10, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R11)(R9*1), R11
+	LEAL 1518500249(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 8(SP), R9
-	MOVL R9, 72(R8)
+	MOVL 4(SP), DI
+	MOVL DI, 68(R8)
 
-	// ROUND1x(19)
+	// ROUND1x(18)
 	// SHUFFLE
-	MOVL 12(SP), R9
-	XORL (SP), R9
-	XORL 44(SP), R9
-	XORL 20(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 12(SP)
+	MOVL 8(SP), DI
+	XORL 60(SP), DI
+	XORL 40(SP), DI
+	XORL 16(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 8(SP)
 
 	// FUNC1
-	MOVL R14, R15
-	XORL R13, R15
-	ANDL R12, R15
-	XORL R14, R15
+	MOVL R9, R14
+	XORL R13, R14
+	ANDL R12, R14
+	XORL R9, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1518500249(R10)(R9*1), R10
+	LEAL 1518500249(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 12(SP), R9
-	MOVL R9, 76(R8)
+	MOVL 8(SP), DI
+	MOVL DI, 72(R8)
+
+	// ROUND1x(19)
+	// SHUFFLE
+	MOVL 12(SP), DI
+	XORL (SP), DI
+	XORL 44(SP), DI
+	XORL 20(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 12(SP)
+
+	// FUNC1
+	MOVL R13, R14
+	XORL R12, R14
+	ANDL R11, R14
+	XORL R13, R14
+
+	// MIX
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
+	ROLL $+5, R8
+	LEAL 1518500249(R9)(DI*1), R9
+	ADDL R8, R9
+
+	// Load m1
+	MOVQ m1_base+32(FP), R8
+	MOVL 12(SP), DI
+	MOVL DI, 76(R8)
 
 	// ROUND2 (steps 20-39)
 	// ROUND2(20)
 	// SHUFFLE
-	MOVL 16(SP), R9
-	XORL 4(SP), R9
-	XORL 48(SP), R9
-	XORL 24(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 16(SP)
+	MOVL 16(SP), DI
+	XORL 4(SP), DI
+	XORL 48(SP), DI
+	XORL 24(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 16(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1859775393(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 16(SP), R9
-	MOVL R9, 80(R8)
+	MOVL 16(SP), DI
+	MOVL DI, 80(R8)
 
 	// ROUND2(21)
 	// SHUFFLE
-	MOVL 20(SP), R9
-	XORL 8(SP), R9
-	XORL 52(SP), R9
-	XORL 28(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 20(SP)
+	MOVL 20(SP), DI
+	XORL 8(SP), DI
+	XORL 52(SP), DI
+	XORL 28(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 20(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 1859775393(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 20(SP), R9
-	MOVL R9, 84(R8)
+	MOVL 20(SP), DI
+	MOVL DI, 84(R8)
 
 	// ROUND2(22)
 	// SHUFFLE
-	MOVL 24(SP), R9
-	XORL 12(SP), R9
-	XORL 56(SP), R9
-	XORL 32(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 24(SP)
+	MOVL 24(SP), DI
+	XORL 12(SP), DI
+	XORL 56(SP), DI
+	XORL 32(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 24(SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
+	ROLL $+30, R13
+	ADDL R14, R11
+	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R12)(R9*1), R12
-	ADDL R8, R12
+	LEAL 1859775393(R11)(DI*1), R11
+	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 24(SP), R9
-	MOVL R9, 88(R8)
+	MOVL 24(SP), DI
+	MOVL DI, 88(R8)
 
 	// ROUND2(23)
 	// SHUFFLE
-	MOVL 28(SP), R9
-	XORL 16(SP), R9
-	XORL 60(SP), R9
-	XORL 36(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 28(SP)
+	MOVL 28(SP), DI
+	XORL 16(SP), DI
+	XORL 60(SP), DI
+	XORL 36(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 28(SP)
 
 	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
-	ROLL $+30, R13
-	ADDL R15, R11
-	MOVL R12, R8
+	ROLL $+30, R12
+	ADDL R14, R10
+	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R11)(R9*1), R11
-	ADDL R8, R11
+	LEAL 1859775393(R10)(DI*1), R10
+	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 28(SP), R9
-	MOVL R9, 92(R8)
+	MOVL 28(SP), DI
+	MOVL DI, 92(R8)
 
 	// ROUND2(24)
 	// SHUFFLE
-	MOVL 32(SP), R9
-	XORL 20(SP), R9
-	XORL (SP), R9
-	XORL 40(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 32(SP)
+	MOVL 32(SP), DI
+	XORL 20(SP), DI
+	XORL (SP), DI
+	XORL 40(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 32(SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
 
 	// MIX
-	ROLL $+30, R12
-	ADDL R15, R10
-	MOVL R11, R8
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R10)(R9*1), R10
-	ADDL R8, R10
+	LEAL 1859775393(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 32(SP), R9
-	MOVL R9, 96(R8)
+	MOVL 32(SP), DI
+	MOVL DI, 96(R8)
 
 	// ROUND2(25)
 	// SHUFFLE
-	MOVL 36(SP), R9
-	XORL 24(SP), R9
-	XORL 4(SP), R9
-	XORL 44(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 36(SP)
+	MOVL 36(SP), DI
+	XORL 24(SP), DI
+	XORL 4(SP), DI
+	XORL 44(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 36(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1859775393(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 36(SP), R9
-	MOVL R9, 100(R8)
+	MOVL 36(SP), DI
+	MOVL DI, 100(R8)
 
 	// ROUND2(26)
 	// SHUFFLE
-	MOVL 40(SP), R9
-	XORL 28(SP), R9
-	XORL 8(SP), R9
-	XORL 48(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 40(SP)
+	MOVL 40(SP), DI
+	XORL 28(SP), DI
+	XORL 8(SP), DI
+	XORL 48(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 40(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 1859775393(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 40(SP), R9
-	MOVL R9, 104(R8)
+	MOVL 40(SP), DI
+	MOVL DI, 104(R8)
 
 	// ROUND2(27)
 	// SHUFFLE
-	MOVL 44(SP), R9
-	XORL 32(SP), R9
-	XORL 12(SP), R9
-	XORL 52(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 44(SP)
+	MOVL 44(SP), DI
+	XORL 32(SP), DI
+	XORL 12(SP), DI
+	XORL 52(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 44(SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
+	ROLL $+30, R13
+	ADDL R14, R11
+	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R12)(R9*1), R12
-	ADDL R8, R12
+	LEAL 1859775393(R11)(DI*1), R11
+	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 44(SP), R9
-	MOVL R9, 108(R8)
+	MOVL 44(SP), DI
+	MOVL DI, 108(R8)
 
 	// ROUND2(28)
 	// SHUFFLE
-	MOVL 48(SP), R9
-	XORL 36(SP), R9
-	XORL 16(SP), R9
-	XORL 56(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 48(SP)
+	MOVL 48(SP), DI
+	XORL 36(SP), DI
+	XORL 16(SP), DI
+	XORL 56(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 48(SP)
 
 	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
-	ROLL $+30, R13
-	ADDL R15, R11
-	MOVL R12, R8
+	ROLL $+30, R12
+	ADDL R14, R10
+	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R11)(R9*1), R11
-	ADDL R8, R11
+	LEAL 1859775393(R10)(DI*1), R10
+	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 48(SP), R9
-	MOVL R9, 112(R8)
+	MOVL 48(SP), DI
+	MOVL DI, 112(R8)
 
 	// ROUND2(29)
 	// SHUFFLE
-	MOVL 52(SP), R9
-	XORL 40(SP), R9
-	XORL 20(SP), R9
-	XORL 60(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 52(SP)
+	MOVL 52(SP), DI
+	XORL 40(SP), DI
+	XORL 20(SP), DI
+	XORL 60(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 52(SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
 
 	// MIX
-	ROLL $+30, R12
-	ADDL R15, R10
-	MOVL R11, R8
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R10)(R9*1), R10
-	ADDL R8, R10
+	LEAL 1859775393(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 52(SP), R9
-	MOVL R9, 116(R8)
+	MOVL 52(SP), DI
+	MOVL DI, 116(R8)
 
 	// ROUND2(30)
 	// SHUFFLE
-	MOVL 56(SP), R9
-	XORL 44(SP), R9
-	XORL 24(SP), R9
-	XORL (SP), R9
-	ROLL $+1, R9
-	MOVL R9, 56(SP)
+	MOVL 56(SP), DI
+	XORL 44(SP), DI
+	XORL 24(SP), DI
+	XORL (SP), DI
+	ROLL $+1, DI
+	MOVL DI, 56(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1859775393(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 56(SP), R9
-	MOVL R9, 120(R8)
+	MOVL 56(SP), DI
+	MOVL DI, 120(R8)
 
 	// ROUND2(31)
 	// SHUFFLE
-	MOVL 60(SP), R9
-	XORL 48(SP), R9
-	XORL 28(SP), R9
-	XORL 4(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 60(SP)
+	MOVL 60(SP), DI
+	XORL 48(SP), DI
+	XORL 28(SP), DI
+	XORL 4(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 60(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 1859775393(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 60(SP), R9
-	MOVL R9, 124(R8)
+	MOVL 60(SP), DI
+	MOVL DI, 124(R8)
 
 	// ROUND2(32)
 	// SHUFFLE
-	MOVL (SP), R9
-	XORL 52(SP), R9
-	XORL 32(SP), R9
-	XORL 8(SP), R9
-	ROLL $+1, R9
-	MOVL R9, (SP)
+	MOVL (SP), DI
+	XORL 52(SP), DI
+	XORL 32(SP), DI
+	XORL 8(SP), DI
+	ROLL $+1, DI
+	MOVL DI, (SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
-
-	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
-	ROLL $+5, R8
-	LEAL 1859775393(R12)(R9*1), R12
-	ADDL R8, R12
-
-	// Load m1
-	MOVQ m1_base+32(FP), R8
-	MOVL (SP), R9
-	MOVL R9, 128(R8)
-
-	// ROUND2(33)
-	// SHUFFLE
-	MOVL 4(SP), R9
-	XORL 56(SP), R9
-	XORL 36(SP), R9
-	XORL 12(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 4(SP)
-
-	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R11)(R9*1), R11
+	LEAL 1859775393(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 4(SP), R9
-	MOVL R9, 132(R8)
+	MOVL (SP), DI
+	MOVL DI, 128(R8)
 
-	// ROUND2(34)
+	// ROUND2(33)
 	// SHUFFLE
-	MOVL 8(SP), R9
-	XORL 60(SP), R9
-	XORL 40(SP), R9
-	XORL 16(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 8(SP)
+	MOVL 4(SP), DI
+	XORL 56(SP), DI
+	XORL 36(SP), DI
+	XORL 12(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 4(SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R10)(R9*1), R10
+	LEAL 1859775393(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 8(SP), R9
-	MOVL R9, 136(R8)
+	MOVL 4(SP), DI
+	MOVL DI, 132(R8)
 
-	// ROUND2(35)
+	// ROUND2(34)
 	// SHUFFLE
-	MOVL 12(SP), R9
-	XORL (SP), R9
-	XORL 44(SP), R9
-	XORL 20(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 12(SP)
+	MOVL 8(SP), DI
+	XORL 60(SP), DI
+	XORL 40(SP), DI
+	XORL 16(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 8(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
 
 	// MIX
 	ROLL $+30, R11
-	ADDL R15, R14
+	ADDL R14, R9
 	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 1859775393(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 12(SP), R9
-	MOVL R9, 140(R8)
+	MOVL 8(SP), DI
+	MOVL DI, 136(R8)
 
-	// ROUND2(36)
+	// ROUND2(35)
 	// SHUFFLE
-	MOVL 16(SP), R9
-	XORL 4(SP), R9
-	XORL 48(SP), R9
-	XORL 24(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 16(SP)
+	MOVL 12(SP), DI
+	XORL (SP), DI
+	XORL 44(SP), DI
+	XORL 20(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 12(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
 	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R13)(R9*1), R13
+	LEAL 1859775393(R13)(DI*1), R13
 	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 16(SP), R9
-	MOVL R9, 144(R8)
+	MOVL 12(SP), DI
+	MOVL DI, 140(R8)
 
-	// ROUND2(37)
+	// ROUND2(36)
 	// SHUFFLE
-	MOVL 20(SP), R9
-	XORL 8(SP), R9
-	XORL 52(SP), R9
-	XORL 28(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 20(SP)
+	MOVL 16(SP), DI
+	XORL 4(SP), DI
+	XORL 48(SP), DI
+	XORL 24(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 16(SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
+	ROLL $+30, R9
+	ADDL R14, R12
 	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R12)(R9*1), R12
+	LEAL 1859775393(R12)(DI*1), R12
 	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 20(SP), R9
-	MOVL R9, 148(R8)
+	MOVL 16(SP), DI
+	MOVL DI, 144(R8)
 
-	// ROUND2(38)
+	// ROUND2(37)
 	// SHUFFLE
-	MOVL 24(SP), R9
-	XORL 12(SP), R9
-	XORL 56(SP), R9
-	XORL 32(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 24(SP)
+	MOVL 20(SP), DI
+	XORL 8(SP), DI
+	XORL 52(SP), DI
+	XORL 28(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 20(SP)
 
 	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R11)(R9*1), R11
+	LEAL 1859775393(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 24(SP), R9
-	MOVL R9, 152(R8)
+	MOVL 20(SP), DI
+	MOVL DI, 148(R8)
 
-	// ROUND2(39)
+	// ROUND2(38)
 	// SHUFFLE
-	MOVL 28(SP), R9
-	XORL 16(SP), R9
-	XORL 60(SP), R9
-	XORL 36(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 28(SP)
+	MOVL 24(SP), DI
+	XORL 12(SP), DI
+	XORL 56(SP), DI
+	XORL 32(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 24(SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 1859775393(R10)(R9*1), R10
+	LEAL 1859775393(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 28(SP), R9
-	MOVL R9, 156(R8)
+	MOVL 24(SP), DI
+	MOVL DI, 152(R8)
+
+	// ROUND2(39)
+	// SHUFFLE
+	MOVL 28(SP), DI
+	XORL 16(SP), DI
+	XORL 60(SP), DI
+	XORL 36(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 28(SP)
+
+	// FUNC2
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
+
+	// MIX
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
+	ROLL $+5, R8
+	LEAL 1859775393(R9)(DI*1), R9
+	ADDL R8, R9
+
+	// Load m1
+	MOVQ m1_base+32(FP), R8
+	MOVL 28(SP), DI
+	MOVL DI, 156(R8)
 
 	// ROUND3 (steps 40-59)
 	// ROUND3(40)
 	// SHUFFLE
-	MOVL 32(SP), R9
-	XORL 20(SP), R9
-	XORL (SP), R9
-	XORL 40(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 32(SP)
+	MOVL 32(SP), DI
+	XORL 20(SP), DI
+	XORL (SP), DI
+	XORL 40(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 32(SP)
 
 	// FUNC3
-	MOVL R11, R8
-	ORL  R12, R8
-	ANDL R13, R8
-	MOVL R11, R15
-	ANDL R12, R15
-	ORL  R8, R15
+	MOVL R10, R8
+	ORL  R11, R8
+	ANDL R12, R8
+	MOVL R10, R14
+	ANDL R11, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 2400959708(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 32(SP), R9
-	MOVL R9, 160(R8)
+	MOVL 32(SP), DI
+	MOVL DI, 160(R8)
 
 	// ROUND3(41)
 	// SHUFFLE
-	MOVL 36(SP), R9
-	XORL 24(SP), R9
-	XORL 4(SP), R9
-	XORL 44(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 36(SP)
+	MOVL 36(SP), DI
+	XORL 24(SP), DI
+	XORL 4(SP), DI
+	XORL 44(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 36(SP)
 
 	// FUNC3
-	MOVL R10, R8
-	ORL  R11, R8
-	ANDL R12, R8
-	MOVL R10, R15
-	ANDL R11, R15
-	ORL  R8, R15
+	MOVL R9, R8
+	ORL  R10, R8
+	ANDL R11, R8
+	MOVL R9, R14
+	ANDL R10, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 2400959708(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 36(SP), R9
-	MOVL R9, 164(R8)
+	MOVL 36(SP), DI
+	MOVL DI, 164(R8)
 
 	// ROUND3(42)
 	// SHUFFLE
-	MOVL 40(SP), R9
-	XORL 28(SP), R9
-	XORL 8(SP), R9
-	XORL 48(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 40(SP)
+	MOVL 40(SP), DI
+	XORL 28(SP), DI
+	XORL 8(SP), DI
+	XORL 48(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 40(SP)
 
 	// FUNC3
-	MOVL R14, R8
-	ORL  R10, R8
-	ANDL R11, R8
-	MOVL R14, R15
-	ANDL R10, R15
-	ORL  R8, R15
+	MOVL R13, R8
+	ORL  R9, R8
+	ANDL R10, R8
+	MOVL R13, R14
+	ANDL R9, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
+	ROLL $+30, R13
+	ADDL R14, R11
+	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R12)(R9*1), R12
-	ADDL R8, R12
+	LEAL 2400959708(R11)(DI*1), R11
+	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 40(SP), R9
-	MOVL R9, 168(R8)
+	MOVL 40(SP), DI
+	MOVL DI, 168(R8)
 
 	// ROUND3(43)
 	// SHUFFLE
-	MOVL 44(SP), R9
-	XORL 32(SP), R9
-	XORL 12(SP), R9
-	XORL 52(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 44(SP)
+	MOVL 44(SP), DI
+	XORL 32(SP), DI
+	XORL 12(SP), DI
+	XORL 52(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 44(SP)
 
 	// FUNC3
-	MOVL R13, R8
-	ORL  R14, R8
-	ANDL R10, R8
-	MOVL R13, R15
-	ANDL R14, R15
-	ORL  R8, R15
+	MOVL R12, R8
+	ORL  R13, R8
+	ANDL R9, R8
+	MOVL R12, R14
+	ANDL R13, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R13
-	ADDL R15, R11
-	MOVL R12, R8
+	ROLL $+30, R12
+	ADDL R14, R10
+	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R11)(R9*1), R11
-	ADDL R8, R11
+	LEAL 2400959708(R10)(DI*1), R10
+	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 44(SP), R9
-	MOVL R9, 172(R8)
+	MOVL 44(SP), DI
+	MOVL DI, 172(R8)
 
 	// ROUND3(44)
 	// SHUFFLE
-	MOVL 48(SP), R9
-	XORL 36(SP), R9
-	XORL 16(SP), R9
-	XORL 56(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 48(SP)
+	MOVL 48(SP), DI
+	XORL 36(SP), DI
+	XORL 16(SP), DI
+	XORL 56(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 48(SP)
 
 	// FUNC3
-	MOVL R12, R8
-	ORL  R13, R8
-	ANDL R14, R8
-	MOVL R12, R15
-	ANDL R13, R15
-	ORL  R8, R15
+	MOVL R11, R8
+	ORL  R12, R8
+	ANDL R13, R8
+	MOVL R11, R14
+	ANDL R12, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R12
-	ADDL R15, R10
-	MOVL R11, R8
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R10)(R9*1), R10
-	ADDL R8, R10
+	LEAL 2400959708(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 48(SP), R9
-	MOVL R9, 176(R8)
+	MOVL 48(SP), DI
+	MOVL DI, 176(R8)
 
 	// ROUND3(45)
 	// SHUFFLE
-	MOVL 52(SP), R9
-	XORL 40(SP), R9
-	XORL 20(SP), R9
-	XORL 60(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 52(SP)
+	MOVL 52(SP), DI
+	XORL 40(SP), DI
+	XORL 20(SP), DI
+	XORL 60(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 52(SP)
 
 	// FUNC3
-	MOVL R11, R8
-	ORL  R12, R8
-	ANDL R13, R8
-	MOVL R11, R15
-	ANDL R12, R15
-	ORL  R8, R15
+	MOVL R10, R8
+	ORL  R11, R8
+	ANDL R12, R8
+	MOVL R10, R14
+	ANDL R11, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 2400959708(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 52(SP), R9
-	MOVL R9, 180(R8)
+	MOVL 52(SP), DI
+	MOVL DI, 180(R8)
 
 	// ROUND3(46)
 	// SHUFFLE
-	MOVL 56(SP), R9
-	XORL 44(SP), R9
-	XORL 24(SP), R9
-	XORL (SP), R9
-	ROLL $+1, R9
-	MOVL R9, 56(SP)
+	MOVL 56(SP), DI
+	XORL 44(SP), DI
+	XORL 24(SP), DI
+	XORL (SP), DI
+	ROLL $+1, DI
+	MOVL DI, 56(SP)
 
 	// FUNC3
-	MOVL R10, R8
-	ORL  R11, R8
-	ANDL R12, R8
-	MOVL R10, R15
-	ANDL R11, R15
-	ORL  R8, R15
+	MOVL R9, R8
+	ORL  R10, R8
+	ANDL R11, R8
+	MOVL R9, R14
+	ANDL R10, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 2400959708(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 56(SP), R9
-	MOVL R9, 184(R8)
+	MOVL 56(SP), DI
+	MOVL DI, 184(R8)
 
 	// ROUND3(47)
 	// SHUFFLE
-	MOVL 60(SP), R9
-	XORL 48(SP), R9
-	XORL 28(SP), R9
-	XORL 4(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 60(SP)
+	MOVL 60(SP), DI
+	XORL 48(SP), DI
+	XORL 28(SP), DI
+	XORL 4(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 60(SP)
 
 	// FUNC3
-	MOVL R14, R8
-	ORL  R10, R8
-	ANDL R11, R8
-	MOVL R14, R15
-	ANDL R10, R15
-	ORL  R8, R15
+	MOVL R13, R8
+	ORL  R9, R8
+	ANDL R10, R8
+	MOVL R13, R14
+	ANDL R9, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
+	ROLL $+30, R13
+	ADDL R14, R11
+	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R12)(R9*1), R12
-	ADDL R8, R12
+	LEAL 2400959708(R11)(DI*1), R11
+	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 60(SP), R9
-	MOVL R9, 188(R8)
+	MOVL 60(SP), DI
+	MOVL DI, 188(R8)
 
 	// ROUND3(48)
 	// SHUFFLE
-	MOVL (SP), R9
-	XORL 52(SP), R9
-	XORL 32(SP), R9
-	XORL 8(SP), R9
-	ROLL $+1, R9
-	MOVL R9, (SP)
+	MOVL (SP), DI
+	XORL 52(SP), DI
+	XORL 32(SP), DI
+	XORL 8(SP), DI
+	ROLL $+1, DI
+	MOVL DI, (SP)
 
 	// FUNC3
-	MOVL R13, R8
-	ORL  R14, R8
-	ANDL R10, R8
-	MOVL R13, R15
-	ANDL R14, R15
-	ORL  R8, R15
+	MOVL R12, R8
+	ORL  R13, R8
+	ANDL R9, R8
+	MOVL R12, R14
+	ANDL R13, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R13
-	ADDL R15, R11
-	MOVL R12, R8
+	ROLL $+30, R12
+	ADDL R14, R10
+	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R11)(R9*1), R11
-	ADDL R8, R11
+	LEAL 2400959708(R10)(DI*1), R10
+	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL (SP), R9
-	MOVL R9, 192(R8)
+	MOVL (SP), DI
+	MOVL DI, 192(R8)
 
 	// ROUND3(49)
 	// SHUFFLE
-	MOVL 4(SP), R9
-	XORL 56(SP), R9
-	XORL 36(SP), R9
-	XORL 12(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 4(SP)
+	MOVL 4(SP), DI
+	XORL 56(SP), DI
+	XORL 36(SP), DI
+	XORL 12(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 4(SP)
 
 	// FUNC3
-	MOVL R12, R8
-	ORL  R13, R8
-	ANDL R14, R8
-	MOVL R12, R15
-	ANDL R13, R15
-	ORL  R8, R15
+	MOVL R11, R8
+	ORL  R12, R8
+	ANDL R13, R8
+	MOVL R11, R14
+	ANDL R12, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R12
-	ADDL R15, R10
-	MOVL R11, R8
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R10)(R9*1), R10
-	ADDL R8, R10
+	LEAL 2400959708(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 4(SP), R9
-	MOVL R9, 196(R8)
+	MOVL 4(SP), DI
+	MOVL DI, 196(R8)
 
 	// ROUND3(50)
 	// SHUFFLE
-	MOVL 8(SP), R9
-	XORL 60(SP), R9
-	XORL 40(SP), R9
-	XORL 16(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 8(SP)
+	MOVL 8(SP), DI
+	XORL 60(SP), DI
+	XORL 40(SP), DI
+	XORL 16(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 8(SP)
 
 	// FUNC3
-	MOVL R11, R8
-	ORL  R12, R8
-	ANDL R13, R8
-	MOVL R11, R15
-	ANDL R12, R15
-	ORL  R8, R15
+	MOVL R10, R8
+	ORL  R11, R8
+	ANDL R12, R8
+	MOVL R10, R14
+	ANDL R11, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 2400959708(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 8(SP), R9
-	MOVL R9, 200(R8)
+	MOVL 8(SP), DI
+	MOVL DI, 200(R8)
 
 	// ROUND3(51)
 	// SHUFFLE
-	MOVL 12(SP), R9
-	XORL (SP), R9
-	XORL 44(SP), R9
-	XORL 20(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 12(SP)
+	MOVL 12(SP), DI
+	XORL (SP), DI
+	XORL 44(SP), DI
+	XORL 20(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 12(SP)
 
 	// FUNC3
-	MOVL R10, R8
-	ORL  R11, R8
-	ANDL R12, R8
-	MOVL R10, R15
-	ANDL R11, R15
-	ORL  R8, R15
-
-	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
-	ROLL $+5, R8
-	LEAL 2400959708(R13)(R9*1), R13
-	ADDL R8, R13
-
-	// Load m1
-	MOVQ m1_base+32(FP), R8
-	MOVL 12(SP), R9
-	MOVL R9, 204(R8)
-
-	// ROUND3(52)
-	// SHUFFLE
-	MOVL 16(SP), R9
-	XORL 4(SP), R9
-	XORL 48(SP), R9
-	XORL 24(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 16(SP)
-
-	// FUNC3
-	MOVL R14, R8
+	MOVL R9, R8
 	ORL  R10, R8
 	ANDL R11, R8
-	MOVL R14, R15
-	ANDL R10, R15
-	ORL  R8, R15
+	MOVL R9, R14
+	ANDL R10, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
+	ROLL $+30, R9
+	ADDL R14, R12
 	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R12)(R9*1), R12
+	LEAL 2400959708(R12)(DI*1), R12
 	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 16(SP), R9
-	MOVL R9, 208(R8)
+	MOVL 12(SP), DI
+	MOVL DI, 204(R8)
 
-	// ROUND3(53)
+	// ROUND3(52)
 	// SHUFFLE
-	MOVL 20(SP), R9
-	XORL 8(SP), R9
-	XORL 52(SP), R9
-	XORL 28(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 20(SP)
+	MOVL 16(SP), DI
+	XORL 4(SP), DI
+	XORL 48(SP), DI
+	XORL 24(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 16(SP)
 
 	// FUNC3
 	MOVL R13, R8
-	ORL  R14, R8
+	ORL  R9, R8
 	ANDL R10, R8
-	MOVL R13, R15
-	ANDL R14, R15
-	ORL  R8, R15
+	MOVL R13, R14
+	ANDL R9, R14
+	ORL  R8, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R11)(R9*1), R11
+	LEAL 2400959708(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 20(SP), R9
-	MOVL R9, 212(R8)
+	MOVL 16(SP), DI
+	MOVL DI, 208(R8)
 
-	// ROUND3(54)
+	// ROUND3(53)
 	// SHUFFLE
-	MOVL 24(SP), R9
-	XORL 12(SP), R9
-	XORL 56(SP), R9
-	XORL 32(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 24(SP)
+	MOVL 20(SP), DI
+	XORL 8(SP), DI
+	XORL 52(SP), DI
+	XORL 28(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 20(SP)
 
 	// FUNC3
 	MOVL R12, R8
 	ORL  R13, R8
-	ANDL R14, R8
-	MOVL R12, R15
-	ANDL R13, R15
-	ORL  R8, R15
+	ANDL R9, R8
+	MOVL R12, R14
+	ANDL R13, R14
+	ORL  R8, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R10)(R9*1), R10
+	LEAL 2400959708(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 24(SP), R9
-	MOVL R9, 216(R8)
+	MOVL 20(SP), DI
+	MOVL DI, 212(R8)
 
-	// ROUND3(55)
+	// ROUND3(54)
 	// SHUFFLE
-	MOVL 28(SP), R9
-	XORL 16(SP), R9
-	XORL 60(SP), R9
-	XORL 36(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 28(SP)
+	MOVL 24(SP), DI
+	XORL 12(SP), DI
+	XORL 56(SP), DI
+	XORL 32(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 24(SP)
 
 	// FUNC3
 	MOVL R11, R8
 	ORL  R12, R8
 	ANDL R13, R8
-	MOVL R11, R15
-	ANDL R12, R15
-	ORL  R8, R15
+	MOVL R11, R14
+	ANDL R12, R14
+	ORL  R8, R14
 
 	// MIX
 	ROLL $+30, R11
-	ADDL R15, R14
+	ADDL R14, R9
 	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 2400959708(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 28(SP), R9
-	MOVL R9, 220(R8)
+	MOVL 24(SP), DI
+	MOVL DI, 216(R8)
 
-	// ROUND3(56)
+	// ROUND3(55)
 	// SHUFFLE
-	MOVL 32(SP), R9
-	XORL 20(SP), R9
-	XORL (SP), R9
-	XORL 40(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 32(SP)
+	MOVL 28(SP), DI
+	XORL 16(SP), DI
+	XORL 60(SP), DI
+	XORL 36(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 28(SP)
 
 	// FUNC3
 	MOVL R10, R8
 	ORL  R11, R8
 	ANDL R12, R8
-	MOVL R10, R15
-	ANDL R11, R15
-	ORL  R8, R15
+	MOVL R10, R14
+	ANDL R11, R14
+	ORL  R8, R14
 
 	// MIX
 	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R13)(R9*1), R13
+	LEAL 2400959708(R13)(DI*1), R13
 	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 32(SP), R9
-	MOVL R9, 224(R8)
+	MOVL 28(SP), DI
+	MOVL DI, 220(R8)
 
-	// ROUND3(57)
+	// ROUND3(56)
 	// SHUFFLE
-	MOVL 36(SP), R9
-	XORL 24(SP), R9
-	XORL 4(SP), R9
-	XORL 44(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 36(SP)
+	MOVL 32(SP), DI
+	XORL 20(SP), DI
+	XORL (SP), DI
+	XORL 40(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 32(SP)
 
 	// FUNC3
-	MOVL R14, R8
+	MOVL R9, R8
 	ORL  R10, R8
 	ANDL R11, R8
-	MOVL R14, R15
-	ANDL R10, R15
-	ORL  R8, R15
+	MOVL R9, R14
+	ANDL R10, R14
+	ORL  R8, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
+	ROLL $+30, R9
+	ADDL R14, R12
 	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R12)(R9*1), R12
+	LEAL 2400959708(R12)(DI*1), R12
 	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 36(SP), R9
-	MOVL R9, 228(R8)
+	MOVL 32(SP), DI
+	MOVL DI, 224(R8)
 
-	// Load cs
-	MOVQ cs_base+56(FP), R8
-	MOVL R12, 20(R8)
-	MOVL R13, 24(R8)
-	MOVL R14, 28(R8)
-	MOVL R10, 32(R8)
-	MOVL R11, 36(R8)
-
-	// ROUND3(58)
+	// ROUND3(57)
 	// SHUFFLE
-	MOVL 40(SP), R9
-	XORL 28(SP), R9
-	XORL 8(SP), R9
-	XORL 48(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 40(SP)
+	MOVL 36(SP), DI
+	XORL 24(SP), DI
+	XORL 4(SP), DI
+	XORL 44(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 36(SP)
 
 	// FUNC3
 	MOVL R13, R8
-	ORL  R14, R8
+	ORL  R9, R8
 	ANDL R10, R8
-	MOVL R13, R15
-	ANDL R14, R15
-	ORL  R8, R15
+	MOVL R13, R14
+	ANDL R9, R14
+	ORL  R8, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R11)(R9*1), R11
+	LEAL 2400959708(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 40(SP), R9
-	MOVL R9, 232(R8)
+	MOVL 36(SP), DI
+	MOVL DI, 228(R8)
 
-	// ROUND3(59)
+	// Load cs
+	MOVQ cs_base+56(FP), R8
+	MOVL R11, 20(R8)
+	MOVL R12, 24(R8)
+	MOVL R13, 28(R8)
+	MOVL R9, 32(R8)
+	MOVL R10, 36(R8)
+
+	// ROUND3(58)
 	// SHUFFLE
-	MOVL 44(SP), R9
-	XORL 32(SP), R9
-	XORL 12(SP), R9
-	XORL 52(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 44(SP)
+	MOVL 40(SP), DI
+	XORL 28(SP), DI
+	XORL 8(SP), DI
+	XORL 48(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 40(SP)
 
 	// FUNC3
 	MOVL R12, R8
 	ORL  R13, R8
-	ANDL R14, R8
-	MOVL R12, R15
-	ANDL R13, R15
-	ORL  R8, R15
+	ANDL R9, R8
+	MOVL R12, R14
+	ANDL R13, R14
+	ORL  R8, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 2400959708(R10)(R9*1), R10
+	LEAL 2400959708(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 44(SP), R9
-	MOVL R9, 236(R8)
+	MOVL 40(SP), DI
+	MOVL DI, 232(R8)
+
+	// ROUND3(59)
+	// SHUFFLE
+	MOVL 44(SP), DI
+	XORL 32(SP), DI
+	XORL 12(SP), DI
+	XORL 52(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 44(SP)
+
+	// FUNC3
+	MOVL R11, R8
+	ORL  R12, R8
+	ANDL R13, R8
+	MOVL R11, R14
+	ANDL R12, R14
+	ORL  R8, R14
+
+	// MIX
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
+	ROLL $+5, R8
+	LEAL 2400959708(R9)(DI*1), R9
+	ADDL R8, R9
+
+	// Load m1
+	MOVQ m1_base+32(FP), R8
+	MOVL 44(SP), DI
+	MOVL DI, 236(R8)
 
 	// ROUND4 (steps 60-79)
 	// ROUND4(60)
 	// SHUFFLE
-	MOVL 48(SP), R9
-	XORL 36(SP), R9
-	XORL 16(SP), R9
-	XORL 56(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 48(SP)
+	MOVL 48(SP), DI
+	XORL 36(SP), DI
+	XORL 16(SP), DI
+	XORL 56(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 48(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 3395469782(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 48(SP), R9
-	MOVL R9, 240(R8)
+	MOVL 48(SP), DI
+	MOVL DI, 240(R8)
 
 	// ROUND4(61)
 	// SHUFFLE
-	MOVL 52(SP), R9
-	XORL 40(SP), R9
-	XORL 20(SP), R9
-	XORL 60(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 52(SP)
+	MOVL 52(SP), DI
+	XORL 40(SP), DI
+	XORL 20(SP), DI
+	XORL 60(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 52(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 3395469782(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 52(SP), R9
-	MOVL R9, 244(R8)
+	MOVL 52(SP), DI
+	MOVL DI, 244(R8)
 
 	// ROUND4(62)
 	// SHUFFLE
-	MOVL 56(SP), R9
-	XORL 44(SP), R9
-	XORL 24(SP), R9
-	XORL (SP), R9
-	ROLL $+1, R9
-	MOVL R9, 56(SP)
+	MOVL 56(SP), DI
+	XORL 44(SP), DI
+	XORL 24(SP), DI
+	XORL (SP), DI
+	ROLL $+1, DI
+	MOVL DI, 56(SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
+	ROLL $+30, R13
+	ADDL R14, R11
+	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R12)(R9*1), R12
-	ADDL R8, R12
+	LEAL 3395469782(R11)(DI*1), R11
+	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 56(SP), R9
-	MOVL R9, 248(R8)
+	MOVL 56(SP), DI
+	MOVL DI, 248(R8)
 
 	// ROUND4(63)
 	// SHUFFLE
-	MOVL 60(SP), R9
-	XORL 48(SP), R9
-	XORL 28(SP), R9
-	XORL 4(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 60(SP)
+	MOVL 60(SP), DI
+	XORL 48(SP), DI
+	XORL 28(SP), DI
+	XORL 4(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 60(SP)
 
 	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
-	ROLL $+30, R13
-	ADDL R15, R11
-	MOVL R12, R8
+	ROLL $+30, R12
+	ADDL R14, R10
+	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R11)(R9*1), R11
-	ADDL R8, R11
+	LEAL 3395469782(R10)(DI*1), R10
+	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 60(SP), R9
-	MOVL R9, 252(R8)
+	MOVL 60(SP), DI
+	MOVL DI, 252(R8)
 
 	// ROUND4(64)
 	// SHUFFLE
-	MOVL (SP), R9
-	XORL 52(SP), R9
-	XORL 32(SP), R9
-	XORL 8(SP), R9
-	ROLL $+1, R9
-	MOVL R9, (SP)
+	MOVL (SP), DI
+	XORL 52(SP), DI
+	XORL 32(SP), DI
+	XORL 8(SP), DI
+	ROLL $+1, DI
+	MOVL DI, (SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
 
 	// MIX
-	ROLL $+30, R12
-	ADDL R15, R10
-	MOVL R11, R8
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R10)(R9*1), R10
-	ADDL R8, R10
+	LEAL 3395469782(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL (SP), R9
-	MOVL R9, 256(R8)
+	MOVL (SP), DI
+	MOVL DI, 256(R8)
 
 	// Load cs
 	MOVQ cs_base+56(FP), R8
-	MOVL R10, 40(R8)
-	MOVL R11, 44(R8)
-	MOVL R12, 48(R8)
-	MOVL R13, 52(R8)
-	MOVL R14, 56(R8)
+	MOVL R9, 40(R8)
+	MOVL R10, 44(R8)
+	MOVL R11, 48(R8)
+	MOVL R12, 52(R8)
+	MOVL R13, 56(R8)
 
 	// ROUND4(65)
 	// SHUFFLE
-	MOVL 4(SP), R9
-	XORL 56(SP), R9
-	XORL 36(SP), R9
-	XORL 12(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 4(SP)
+	MOVL 4(SP), DI
+	XORL 56(SP), DI
+	XORL 36(SP), DI
+	XORL 12(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 4(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 3395469782(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 4(SP), R9
-	MOVL R9, 260(R8)
+	MOVL 4(SP), DI
+	MOVL DI, 260(R8)
 
 	// ROUND4(66)
 	// SHUFFLE
-	MOVL 8(SP), R9
-	XORL 60(SP), R9
-	XORL 40(SP), R9
-	XORL 16(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 8(SP)
+	MOVL 8(SP), DI
+	XORL 60(SP), DI
+	XORL 40(SP), DI
+	XORL 16(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 8(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 3395469782(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 8(SP), R9
-	MOVL R9, 264(R8)
+	MOVL 8(SP), DI
+	MOVL DI, 264(R8)
 
 	// ROUND4(67)
 	// SHUFFLE
-	MOVL 12(SP), R9
-	XORL (SP), R9
-	XORL 44(SP), R9
-	XORL 20(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 12(SP)
+	MOVL 12(SP), DI
+	XORL (SP), DI
+	XORL 44(SP), DI
+	XORL 20(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 12(SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
+	ROLL $+30, R13
+	ADDL R14, R11
+	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R12)(R9*1), R12
-	ADDL R8, R12
+	LEAL 3395469782(R11)(DI*1), R11
+	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 12(SP), R9
-	MOVL R9, 268(R8)
+	MOVL 12(SP), DI
+	MOVL DI, 268(R8)
 
 	// ROUND4(68)
 	// SHUFFLE
-	MOVL 16(SP), R9
-	XORL 4(SP), R9
-	XORL 48(SP), R9
-	XORL 24(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 16(SP)
+	MOVL 16(SP), DI
+	XORL 4(SP), DI
+	XORL 48(SP), DI
+	XORL 24(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 16(SP)
 
 	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
-	ROLL $+30, R13
-	ADDL R15, R11
-	MOVL R12, R8
+	ROLL $+30, R12
+	ADDL R14, R10
+	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R11)(R9*1), R11
-	ADDL R8, R11
+	LEAL 3395469782(R10)(DI*1), R10
+	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 16(SP), R9
-	MOVL R9, 272(R8)
+	MOVL 16(SP), DI
+	MOVL DI, 272(R8)
 
 	// ROUND4(69)
 	// SHUFFLE
-	MOVL 20(SP), R9
-	XORL 8(SP), R9
-	XORL 52(SP), R9
-	XORL 28(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 20(SP)
+	MOVL 20(SP), DI
+	XORL 8(SP), DI
+	XORL 52(SP), DI
+	XORL 28(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 20(SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
 
 	// MIX
-	ROLL $+30, R12
-	ADDL R15, R10
-	MOVL R11, R8
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R10)(R9*1), R10
-	ADDL R8, R10
+	LEAL 3395469782(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 20(SP), R9
-	MOVL R9, 276(R8)
+	MOVL 20(SP), DI
+	MOVL DI, 276(R8)
 
 	// ROUND4(70)
 	// SHUFFLE
-	MOVL 24(SP), R9
-	XORL 12(SP), R9
-	XORL 56(SP), R9
-	XORL 32(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 24(SP)
+	MOVL 24(SP), DI
+	XORL 12(SP), DI
+	XORL 56(SP), DI
+	XORL 32(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 24(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
-	ROLL $+30, R11
-	ADDL R15, R14
-	MOVL R10, R8
+	ROLL $+30, R10
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 3395469782(R13)(DI*1), R13
+	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 24(SP), R9
-	MOVL R9, 280(R8)
+	MOVL 24(SP), DI
+	MOVL DI, 280(R8)
 
 	// ROUND4(71)
 	// SHUFFLE
-	MOVL 28(SP), R9
-	XORL 16(SP), R9
-	XORL 60(SP), R9
-	XORL 36(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 28(SP)
+	MOVL 28(SP), DI
+	XORL 16(SP), DI
+	XORL 60(SP), DI
+	XORL 36(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 28(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ROLL $+30, R9
+	ADDL R14, R12
+	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R13)(R9*1), R13
-	ADDL R8, R13
+	LEAL 3395469782(R12)(DI*1), R12
+	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 28(SP), R9
-	MOVL R9, 284(R8)
+	MOVL 28(SP), DI
+	MOVL DI, 284(R8)
 
 	// ROUND4(72)
 	// SHUFFLE
-	MOVL 32(SP), R9
-	XORL 20(SP), R9
-	XORL (SP), R9
-	XORL 40(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 32(SP)
+	MOVL 32(SP), DI
+	XORL 20(SP), DI
+	XORL (SP), DI
+	XORL 40(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 32(SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
-
-	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
-	MOVL R13, R8
-	ROLL $+5, R8
-	LEAL 3395469782(R12)(R9*1), R12
-	ADDL R8, R12
-
-	// Load m1
-	MOVQ m1_base+32(FP), R8
-	MOVL 32(SP), R9
-	MOVL R9, 288(R8)
-
-	// ROUND4(73)
-	// SHUFFLE
-	MOVL 36(SP), R9
-	XORL 24(SP), R9
-	XORL 4(SP), R9
-	XORL 44(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 36(SP)
-
-	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R11)(R9*1), R11
+	LEAL 3395469782(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 36(SP), R9
-	MOVL R9, 292(R8)
+	MOVL 32(SP), DI
+	MOVL DI, 288(R8)
 
-	// ROUND4(74)
+	// ROUND4(73)
 	// SHUFFLE
-	MOVL 40(SP), R9
-	XORL 28(SP), R9
-	XORL 8(SP), R9
-	XORL 48(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 40(SP)
+	MOVL 36(SP), DI
+	XORL 24(SP), DI
+	XORL 4(SP), DI
+	XORL 44(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 36(SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R10)(R9*1), R10
+	LEAL 3395469782(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 40(SP), R9
-	MOVL R9, 296(R8)
+	MOVL 36(SP), DI
+	MOVL DI, 292(R8)
 
-	// ROUND4(75)
+	// ROUND4(74)
 	// SHUFFLE
-	MOVL 44(SP), R9
-	XORL 32(SP), R9
-	XORL 12(SP), R9
-	XORL 52(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 44(SP)
+	MOVL 40(SP), DI
+	XORL 28(SP), DI
+	XORL 8(SP), DI
+	XORL 48(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 40(SP)
 
 	// FUNC2
-	MOVL R11, R15
-	XORL R12, R15
-	XORL R13, R15
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
 
 	// MIX
 	ROLL $+30, R11
-	ADDL R15, R14
+	ADDL R14, R9
 	MOVL R10, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R14)(R9*1), R14
-	ADDL R8, R14
+	LEAL 3395469782(R9)(DI*1), R9
+	ADDL R8, R9
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 44(SP), R9
-	MOVL R9, 300(R8)
+	MOVL 40(SP), DI
+	MOVL DI, 296(R8)
 
-	// ROUND4(76)
+	// ROUND4(75)
 	// SHUFFLE
-	MOVL 48(SP), R9
-	XORL 36(SP), R9
-	XORL 16(SP), R9
-	XORL 56(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 48(SP)
+	MOVL 44(SP), DI
+	XORL 32(SP), DI
+	XORL 12(SP), DI
+	XORL 52(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 44(SP)
 
 	// FUNC2
-	MOVL R10, R15
-	XORL R11, R15
-	XORL R12, R15
+	MOVL R10, R14
+	XORL R11, R14
+	XORL R12, R14
 
 	// MIX
 	ROLL $+30, R10
-	ADDL R15, R13
-	MOVL R14, R8
+	ADDL R14, R13
+	MOVL R9, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R13)(R9*1), R13
+	LEAL 3395469782(R13)(DI*1), R13
 	ADDL R8, R13
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 48(SP), R9
-	MOVL R9, 304(R8)
+	MOVL 44(SP), DI
+	MOVL DI, 300(R8)
 
-	// ROUND4(77)
+	// ROUND4(76)
 	// SHUFFLE
-	MOVL 52(SP), R9
-	XORL 40(SP), R9
-	XORL 20(SP), R9
-	XORL 60(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 52(SP)
+	MOVL 48(SP), DI
+	XORL 36(SP), DI
+	XORL 16(SP), DI
+	XORL 56(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 48(SP)
 
 	// FUNC2
-	MOVL R14, R15
-	XORL R10, R15
-	XORL R11, R15
+	MOVL R9, R14
+	XORL R10, R14
+	XORL R11, R14
 
 	// MIX
-	ROLL $+30, R14
-	ADDL R15, R12
+	ROLL $+30, R9
+	ADDL R14, R12
 	MOVL R13, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R12)(R9*1), R12
+	LEAL 3395469782(R12)(DI*1), R12
 	ADDL R8, R12
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 52(SP), R9
-	MOVL R9, 308(R8)
+	MOVL 48(SP), DI
+	MOVL DI, 304(R8)
 
-	// ROUND4(78)
+	// ROUND4(77)
 	// SHUFFLE
-	MOVL 56(SP), R9
-	XORL 44(SP), R9
-	XORL 24(SP), R9
-	XORL (SP), R9
-	ROLL $+1, R9
-	MOVL R9, 56(SP)
+	MOVL 52(SP), DI
+	XORL 40(SP), DI
+	XORL 20(SP), DI
+	XORL 60(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 52(SP)
 
 	// FUNC2
-	MOVL R13, R15
-	XORL R14, R15
-	XORL R10, R15
+	MOVL R13, R14
+	XORL R9, R14
+	XORL R10, R14
 
 	// MIX
 	ROLL $+30, R13
-	ADDL R15, R11
+	ADDL R14, R11
 	MOVL R12, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R11)(R9*1), R11
+	LEAL 3395469782(R11)(DI*1), R11
 	ADDL R8, R11
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 56(SP), R9
-	MOVL R9, 312(R8)
+	MOVL 52(SP), DI
+	MOVL DI, 308(R8)
 
-	// ROUND4(79)
+	// ROUND4(78)
 	// SHUFFLE
-	MOVL 60(SP), R9
-	XORL 48(SP), R9
-	XORL 28(SP), R9
-	XORL 4(SP), R9
-	ROLL $+1, R9
-	MOVL R9, 60(SP)
+	MOVL 56(SP), DI
+	XORL 44(SP), DI
+	XORL 24(SP), DI
+	XORL (SP), DI
+	ROLL $+1, DI
+	MOVL DI, 56(SP)
 
 	// FUNC2
-	MOVL R12, R15
-	XORL R13, R15
-	XORL R14, R15
+	MOVL R12, R14
+	XORL R13, R14
+	XORL R9, R14
 
 	// MIX
 	ROLL $+30, R12
-	ADDL R15, R10
+	ADDL R14, R10
 	MOVL R11, R8
 	ROLL $+5, R8
-	LEAL 3395469782(R10)(R9*1), R10
+	LEAL 3395469782(R10)(DI*1), R10
 	ADDL R8, R10
 
 	// Load m1
 	MOVQ m1_base+32(FP), R8
-	MOVL 60(SP), R9
-	MOVL R9, 316(R8)
+	MOVL 56(SP), DI
+	MOVL DI, 312(R8)
+
+	// ROUND4(79)
+	// SHUFFLE
+	MOVL 60(SP), DI
+	XORL 48(SP), DI
+	XORL 28(SP), DI
+	XORL 4(SP), DI
+	ROLL $+1, DI
+	MOVL DI, 60(SP)
+
+	// FUNC2
+	MOVL R11, R14
+	XORL R12, R14
+	XORL R13, R14
+
+	// MIX
+	ROLL $+30, R11
+	ADDL R14, R9
+	MOVL R10, R8
+	ROLL $+5, R8
+	LEAL 3395469782(R9)(DI*1), R9
+	ADDL R8, R9
+
+	// Load m1
+	MOVQ m1_base+32(FP), R8
+	MOVL 60(SP), DI
+	MOVL DI, 316(R8)
 
 	// Add registers to temp hash.
-	ADDL R10, AX
-	ADDL R11, BX
-	ADDL R12, CX
-	ADDL R13, DX
-	ADDL R14, BP
-	ADDQ $+64, DI
-	CMPQ DI, SI
+	ADDL R9, AX
+	ADDL R10, BX
+	ADDL R11, CX
+	ADDL R12, DX
+	ADDL R13, BP
+	ADDQ $+64, SI
 	JB   loop
 
 end:
-	MOVQ dig+0(FP), SI
-	MOVL AX, (SI)
-	MOVL BX, 4(SI)
-	MOVL CX, 8(SI)
-	MOVL DX, 12(SI)
-	MOVL BP, 16(SI)
+	MOVQ dig+0(FP), DI
+	MOVL AX, (DI)
+	MOVL BX, 4(DI)
+	MOVL CX, 8(DI)
+	MOVL DX, 12(DI)
+	MOVL BP, 16(DI)
 	RET
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_arm64.go b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_arm64.go
new file mode 100644
index 00000000..f1edca0b
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_arm64.go
@@ -0,0 +1,44 @@
+//go:build !noasm && gc && arm64 && !amd64
+// +build !noasm,gc,arm64,!amd64
+
+package sha1cd
+
+import (
+	"math"
+	"unsafe"
+
+	shared "github.com/pjbgf/sha1cd/internal"
+)
+
+// blockARM64 hashes the message p into the current state in dig.
+// Both m1 and cs are used to store intermediate results which are used by the collision detection logic.
+//
+//go:noescape
+func blockARM64(dig *digest, p sliceHeader, m1 []uint32, cs [][5]uint32)
+
+func block(dig *digest, p []byte) {
+	m1 := [shared.Rounds]uint32{}
+	cs := [shared.PreStepState][shared.WordBuffers]uint32{}
+
+	for len(p) >= shared.Chunk {
+		// Only send a block to be processed, as the collission detection
+		// works on a block by block basis.
+		ips := sliceHeader{
+			base: uintptr(unsafe.Pointer(&p[0])),
+			len:  int(math.Min(float64(len(p)), float64(shared.Chunk))),
+			cap:  shared.Chunk,
+		}
+
+		blockARM64(dig, ips, m1[:], cs[:])
+
+		col := checkCollision(m1, cs, dig.h)
+		if col {
+			dig.col = true
+
+			blockARM64(dig, ips, m1[:], cs[:])
+			blockARM64(dig, ips, m1[:], cs[:])
+		}
+
+		p = p[shared.Chunk:]
+	}
+}
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_arm64.s b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_arm64.s
new file mode 100644
index 00000000..680d46df
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_arm64.s
@@ -0,0 +1,244 @@
+//go:build !noasm && gc && arm64 && !amd64
+
+#include "textflag.h"
+
+#define RoundConst0 $1518500249 // 0x5A827999
+#define RoundConst1 $1859775393 // 0x6ED9EBA1
+#define RoundConst2 $2400959708 // 0x8F1BBCDC
+#define RoundConst3 $3395469782 // 0xCA62C1D6
+
+// FUNC1 f = (b & c) | ((~b) & d)
+#define FUNC1(b, c, d) \
+	MOVW d, R15; \
+	EORW c, R15; \
+	ANDW b, R15; \
+	EORW d, R15
+
+// FUNC2 f = b ^ c ^ d
+#define FUNC2(b, c, d) \
+	MOVW b, R15; \
+	EORW c, R15; \
+	EORW d, R15
+
+// FUNC3 f = (b & c) | (b & d) | (c & d)
+#define FUNC3(b, c, d) \
+	MOVW b, R27; \
+	ORR c, R27, R27; \
+	ANDW d, R27, R27; \
+	MOVW b, R15; \
+	ANDW c, R15, R15; \
+	ORR R27, R15, R15
+
+#define FUNC4(b, c, d) FUNC2(b, c, d)
+	
+#define MIX(a, b, c, d, e, k) \
+	RORW $2, b, b; \
+	ADDW R15, e, e; \
+	MOVW a, R27; \
+	RORW $27, R27, R27; \
+	MOVW k, R19; \
+	ADDW R19, e, e; \
+	ADDW R9, e, e; \
+	ADDW R27, e, e
+
+#define LOAD(index) \
+	MOVWU (index*4)(R16), R9; \
+	REVW R9, R9; \
+	MOVW R9, (index*4)(RSP)
+
+#define LOADCS(a, b, c, d, e, index) \
+	MOVD cs_base+56(FP), R27; \
+	MOVW a, ((index*20))(R27); \
+	MOVW b, ((index*20)+4)(R27); \
+	MOVW c, ((index*20)+8)(R27); \
+	MOVW d, ((index*20)+12)(R27); \
+	MOVW e, ((index*20)+16)(R27)
+
+#define SHUFFLE(index) \
+	MOVW ((index&0xf)*4)(RSP), R9; \
+	MOVW (((index-3)&0xf)*4)(RSP), R20; \
+	EORW R20, R9; \
+	MOVW (((index-8)&0xf)*4)(RSP), R20; \
+	EORW R20, R9; \
+	MOVW (((index-14)&0xf)*4)(RSP), R20; \
+	EORW R20, R9; \
+	RORW $31, R9, R9; \
+	MOVW R9, ((index&0xf)*4)(RSP)
+
+// LOADM1 stores message word to m1 array.
+#define LOADM1(index) \
+	MOVD m1_base+32(FP), R27; \
+	MOVW ((index&0xf)*4)(RSP), R9; \
+	MOVW R9, (index*4)(R27)
+
+#define ROUND1(a, b, c, d, e, index) \
+	LOAD(index); \
+	FUNC1(b, c, d); \
+	MIX(a, b, c, d, e, RoundConst0); \
+	LOADM1(index)
+
+#define ROUND1x(a, b, c, d, e, index) \
+	SHUFFLE(index); \
+	FUNC1(b, c, d); \
+	MIX(a, b, c, d, e, RoundConst0); \
+	LOADM1(index)
+
+#define ROUND2(a, b, c, d, e, index) \
+	SHUFFLE(index); \
+	FUNC2(b, c, d); \
+	MIX(a, b, c, d, e, RoundConst1); \
+	LOADM1(index)
+
+#define ROUND3(a, b, c, d, e, index) \
+	SHUFFLE(index); \
+	FUNC3(b, c, d); \
+	MIX(a, b, c, d, e, RoundConst2); \
+	LOADM1(index)
+
+#define ROUND4(a, b, c, d, e, index) \
+	SHUFFLE(index); \
+	FUNC4(b, c, d); \
+	MIX(a, b, c, d, e, RoundConst3); \
+	LOADM1(index)
+
+// func blockARM64(dig *digest, p []byte, m1 []uint32, cs [][5]uint32)
+TEXT ·blockARM64(SB), NOSPLIT, $64-80
+    MOVD    dig+0(FP), R8
+    MOVD    p_base+8(FP), R16
+    MOVD    p_len+16(FP), R10
+
+    LSR     $6, R10, R10
+    LSL     $6, R10, R10
+    ADD     R16, R10, R21
+
+    // Load h0-h4 into R1–R5.
+    MOVW    (R8), R1                   // R1 = h0
+    MOVW    4(R8), R2                  // R2 = h1
+    MOVW    8(R8), R3                  // R3 = h2
+    MOVW    12(R8), R4                 // R4 = h3
+    MOVW    16(R8), R5                 // R5 = h4
+
+loop:
+    // len(p) >= chunk
+    CMP     R16, R21
+    BLS     end
+
+	// Initialize registers a, b, c, d, e.
+	MOVW R1, R10
+	MOVW R2, R11
+	MOVW R3, R12
+	MOVW R4, R13
+	MOVW R5, R14
+
+	// ROUND1 (steps 0-15)
+	LOADCS(R10, R11, R12, R13, R14, 0)
+	ROUND1(R10, R11, R12, R13, R14, 0)
+	ROUND1(R14, R10, R11, R12, R13, 1)
+	ROUND1(R13, R14, R10, R11, R12, 2)
+	ROUND1(R12, R13, R14, R10, R11, 3)
+	ROUND1(R11, R12, R13, R14, R10, 4)
+	ROUND1(R10, R11, R12, R13, R14, 5)
+	ROUND1(R14, R10, R11, R12, R13, 6)
+	ROUND1(R13, R14, R10, R11, R12, 7)
+	ROUND1(R12, R13, R14, R10, R11, 8)
+	ROUND1(R11, R12, R13, R14, R10, 9)
+	ROUND1(R10, R11, R12, R13, R14, 10)
+	ROUND1(R14, R10, R11, R12, R13, 11)
+	ROUND1(R13, R14, R10, R11, R12, 12)
+	ROUND1(R12, R13, R14, R10, R11, 13)
+	ROUND1(R11, R12, R13, R14, R10, 14)
+	ROUND1(R10, R11, R12, R13, R14, 15)
+
+	// ROUND1x (steps 16-19) - same as ROUND1 but with no data load.
+	ROUND1x(R14, R10, R11, R12, R13, 16)
+	ROUND1x(R13, R14, R10, R11, R12, 17)
+	ROUND1x(R12, R13, R14, R10, R11, 18)
+	ROUND1x(R11, R12, R13, R14, R10, 19)
+
+	// ROUND2 (steps 20-39)
+	ROUND2(R10, R11, R12, R13, R14, 20)
+	ROUND2(R14, R10, R11, R12, R13, 21)
+	ROUND2(R13, R14, R10, R11, R12, 22)
+	ROUND2(R12, R13, R14, R10, R11, 23)
+	ROUND2(R11, R12, R13, R14, R10, 24)
+	ROUND2(R10, R11, R12, R13, R14, 25)
+	ROUND2(R14, R10, R11, R12, R13, 26)
+	ROUND2(R13, R14, R10, R11, R12, 27)
+	ROUND2(R12, R13, R14, R10, R11, 28)
+	ROUND2(R11, R12, R13, R14, R10, 29)
+	ROUND2(R10, R11, R12, R13, R14, 30)
+	ROUND2(R14, R10, R11, R12, R13, 31)
+	ROUND2(R13, R14, R10, R11, R12, 32)
+	ROUND2(R12, R13, R14, R10, R11, 33)
+	ROUND2(R11, R12, R13, R14, R10, 34)
+	ROUND2(R10, R11, R12, R13, R14, 35)
+	ROUND2(R14, R10, R11, R12, R13, 36)
+	ROUND2(R13, R14, R10, R11, R12, 37)
+	ROUND2(R12, R13, R14, R10, R11, 38)
+	ROUND2(R11, R12, R13, R14, R10, 39)
+
+	// ROUND3 (steps 40-59)
+	ROUND3(R10, R11, R12, R13, R14, 40)
+	ROUND3(R14, R10, R11, R12, R13, 41)
+	ROUND3(R13, R14, R10, R11, R12, 42)
+	ROUND3(R12, R13, R14, R10, R11, 43)
+	ROUND3(R11, R12, R13, R14, R10, 44)
+	ROUND3(R10, R11, R12, R13, R14, 45)
+	ROUND3(R14, R10, R11, R12, R13, 46)
+	ROUND3(R13, R14, R10, R11, R12, 47)
+	ROUND3(R12, R13, R14, R10, R11, 48)
+	ROUND3(R11, R12, R13, R14, R10, 49)
+	ROUND3(R10, R11, R12, R13, R14, 50)
+	ROUND3(R14, R10, R11, R12, R13, 51)
+	ROUND3(R13, R14, R10, R11, R12, 52)
+	ROUND3(R12, R13, R14, R10, R11, 53)
+	ROUND3(R11, R12, R13, R14, R10, 54)
+	ROUND3(R10, R11, R12, R13, R14, 55)
+	ROUND3(R14, R10, R11, R12, R13, 56)
+	ROUND3(R13, R14, R10, R11, R12, 57)
+
+	LOADCS(R12, R13, R14, R10, R11, 1)
+	ROUND3(R12, R13, R14, R10, R11, 58)
+	ROUND3(R11, R12, R13, R14, R10, 59)
+
+	// ROUND4 (steps 60-79)
+	ROUND4(R10, R11, R12, R13, R14, 60)
+	ROUND4(R14, R10, R11, R12, R13, 61)
+	ROUND4(R13, R14, R10, R11, R12, 62)
+	ROUND4(R12, R13, R14, R10, R11, 63)
+	ROUND4(R11, R12, R13, R14, R10, 64)
+
+	LOADCS(R10, R11, R12, R13, R14, 2)
+	ROUND4(R10, R11, R12, R13, R14, 65)
+	ROUND4(R14, R10, R11, R12, R13, 66)
+	ROUND4(R13, R14, R10, R11, R12, 67)
+	ROUND4(R12, R13, R14, R10, R11, 68)
+	ROUND4(R11, R12, R13, R14, R10, 69)
+	ROUND4(R10, R11, R12, R13, R14, 70)
+	ROUND4(R14, R10, R11, R12, R13, 71)
+	ROUND4(R13, R14, R10, R11, R12, 72)
+	ROUND4(R12, R13, R14, R10, R11, 73)
+	ROUND4(R11, R12, R13, R14, R10, 74)
+	ROUND4(R10, R11, R12, R13, R14, 75)
+	ROUND4(R14, R10, R11, R12, R13, 76)
+	ROUND4(R13, R14, R10, R11, R12, 77)
+	ROUND4(R12, R13, R14, R10, R11, 78)
+	ROUND4(R11, R12, R13, R14, R10, 79)
+
+	// Add registers to temp hash.
+	ADDW R10, R1, R1
+	ADDW R11, R2, R2
+	ADDW R12, R3, R3
+	ADDW R13, R4, R4
+	ADDW R14, R5, R5
+
+	ADD  $64, R16, R16
+	B  loop
+
+end:
+	MOVW R1, (R8)
+	MOVW R2, 4(R8)
+	MOVW R3, 8(R8)
+	MOVW R4, 12(R8)
+	MOVW R5, 16(R8)
+	RET
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_asm.go b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_asm.go
new file mode 100644
index 00000000..a4c7c062
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_asm.go
@@ -0,0 +1,11 @@
+//go:build (!amd64 || !arm64) && !noasm
+// +build !amd64 !arm64
+// +build !noasm
+
+package sha1cd
+
+type sliceHeader struct {
+	base uintptr
+	len  int
+	cap  int
+}
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_noasm.go b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_noasm.go
index 15bae5a7..98c14ef4 100644
--- a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_noasm.go
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_noasm.go
@@ -1,5 +1,5 @@
-//go:build !amd64 || noasm || !gc
-// +build !amd64 noasm !gc
+//go:build (!amd64 && !arm64) || noasm || !gc
+// +build !amd64,!arm64 noasm !gc
 
 package sha1cd
 
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go
index 09159bb5..2e088979 100644
--- a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go
@@ -1,5 +1,5 @@
-//go:build !noasm && gc && amd64
-// +build !noasm,gc,amd64
+//go:build !noasm && gc && amd64 && !arm64
+// +build !noasm,gc,amd64,!arm64
 
 package ubc
 
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s
index c77ea77e..f5260735 100644
--- a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s
@@ -1,6 +1,6 @@
 // Code generated by command: go run asm.go -out ../ubc_amd64.s -pkg ubc. DO NOT EDIT.
 
-//go:build !noasm && gc && amd64
+//go:build !noasm && gc && amd64 && !arm64
 
 #include "textflag.h"
 
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_arm64.go b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_arm64.go
new file mode 100644
index 00000000..47b79fb1
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_arm64.go
@@ -0,0 +1,13 @@
+//go:build !noasm && gc && arm64 && !amd64
+// +build !noasm,gc,arm64,!amd64
+
+package ubc
+
+func CalculateDvMaskARM64(W [80]uint32) uint32
+
+// Check takes as input an expanded message block and verifies the unavoidable
+// bitconditions for all listed DVs. It returns a dvmask where each bit belonging
+// to a DV is set if all unavoidable bitconditions for that DV have been met.
+func CalculateDvMask(W [80]uint32) uint32 {
+	return CalculateDvMaskARM64(W)
+}
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_arm64.s b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_arm64.s
new file mode 100644
index 00000000..68ee8fe5
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_arm64.s
@@ -0,0 +1,1851 @@
+//go:build !noasm && gc && arm64 && !amd64
+// +build !noasm,gc,arm64,!amd64
+
+#include "textflag.h"
+
+// func CalculateDvMaskARM64(W [80]uint32) uint32
+TEXT ·CalculateDvMaskARM64(SB), NOSPLIT, $0-324
+	MOVW $0xffffffff, R0
+
+	// (((((W[44] ^ W[45]) >> 29) & 1) - 1) | ^(DV_I_48_0_bit | DV_I_51_0_bit | DV_I_52_0_bit | DV_II_45_0_bit | DV_II_46_0_bit | DV_II_50_0_bit | DV_II_51_0_bit))
+	MOVW W_44+176(FP), R1
+	MOVW W_45+180(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xfd7c5f7f, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[49] ^ W[50]) >> 29) & 1) - 1) | ^(DV_I_46_0_bit | DV_II_45_0_bit | DV_II_50_0_bit | DV_II_51_0_bit | DV_II_55_0_bit | DV_II_56_0_bit))
+	MOVW W_49+196(FP), R1
+	MOVW W_50+200(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x3d7efff7, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[48] ^ W[49]) >> 29) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_52_0_bit | DV_II_49_0_bit | DV_II_50_0_bit | DV_II_54_0_bit | DV_II_55_0_bit))
+	MOVW W_48+192(FP), R1
+	MOVW W_49+196(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x9f5f7ffb, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[47] ^ (W[50] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_51_0_bit | DV_II_56_0_bit))
+	MOVW W_47+188(FP), R1
+	MOVW W_50+200(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0x7dfedddf, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[47] ^ W[48]) >> 29) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_51_0_bit | DV_II_48_0_bit | DV_II_49_0_bit | DV_II_53_0_bit | DV_II_54_0_bit))
+	MOVW W_47+188(FP), R1
+	MOVW W_48+192(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xcfcfdffd, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[46] >> 4) ^ (W[49] >> 29)) & 1) - 1) | ^(DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit | DV_II_50_0_bit | DV_II_55_0_bit))
+	MOVW W_46+184(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_49+196(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xbf7f7777, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[46] ^ W[47]) >> 29) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_50_0_bit | DV_II_47_0_bit | DV_II_48_0_bit | DV_II_52_0_bit | DV_II_53_0_bit))
+	MOVW W_46+184(FP), R1
+	MOVW W_47+188(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xe7e7f7fe, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[45] >> 4) ^ (W[48] >> 29)) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit | DV_II_49_0_bit | DV_II_54_0_bit))
+	MOVW W_45+180(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_48+192(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xdfdfdddb, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[45] ^ W[46]) >> 29) & 1) - 1) | ^(DV_I_49_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_47_0_bit | DV_II_51_0_bit | DV_II_52_0_bit))
+	MOVW W_45+180(FP), R1
+	MOVW W_46+184(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xf5f57dff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[44] >> 4) ^ (W[47] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit | DV_II_48_0_bit | DV_II_53_0_bit))
+	MOVW W_44+176(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_47+188(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xefeff775, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[43] >> 4) ^ (W[46] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit | DV_II_47_0_bit | DV_II_52_0_bit))
+	MOVW W_43+172(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_46+184(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xf7f7fdda, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[43] ^ W[44]) >> 29) & 1) - 1) | ^(DV_I_47_0_bit | DV_I_50_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_49_0_bit | DV_II_50_0_bit))
+	MOVW W_43+172(FP), R1
+	MOVW W_44+176(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xff5ed7df, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[42] >> 4) ^ (W[45] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_51_0_bit))
+	MOVW W_42+168(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_45+180(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xfdfd7f75, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[41] >> 4) ^ (W[44] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_50_0_bit))
+	MOVW W_41+164(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_44+176(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xff7edfda, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[40] ^ W[41]) >> 29) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_47_0_bit | DV_I_48_0_bit | DV_II_46_0_bit | DV_II_47_0_bit | DV_II_56_0_bit))
+	MOVW W_40+160(FP), R1
+	MOVW W_41+164(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x7ff5ff5d, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[54] ^ W[55]) >> 29) & 1) - 1) | ^(DV_I_51_0_bit | DV_II_47_0_bit | DV_II_50_0_bit | DV_II_55_0_bit | DV_II_56_0_bit))
+	MOVW W_54+216(FP), R1
+	MOVW W_55+220(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x3f77dfff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[53] ^ W[54]) >> 29) & 1) - 1) | ^(DV_I_50_0_bit | DV_II_46_0_bit | DV_II_49_0_bit | DV_II_54_0_bit | DV_II_55_0_bit))
+	MOVW W_53+212(FP), R1
+	MOVW W_54+216(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x9fddf7ff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[52] ^ W[53]) >> 29) & 1) - 1) | ^(DV_I_49_0_bit | DV_II_45_0_bit | DV_II_48_0_bit | DV_II_53_0_bit | DV_II_54_0_bit))
+	MOVW W_52+208(FP), R1
+	MOVW W_53+212(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xcfeefdff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[50] ^ (W[53] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_50_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_48_0_bit | DV_II_54_0_bit))
+	MOVW W_50+200(FP), R1
+	MOVW W_53+212(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xdfed77ff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[50] ^ W[51]) >> 29) & 1) - 1) | ^(DV_I_47_0_bit | DV_II_46_0_bit | DV_II_51_0_bit | DV_II_52_0_bit | DV_II_56_0_bit))
+	MOVW W_50+200(FP), R1
+	MOVW W_51+204(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x75fdffdf, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[49] ^ (W[52] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_47_0_bit | DV_II_53_0_bit))
+	MOVW W_49+196(FP), R1
+	MOVW W_52+208(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xeff6ddff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[48] ^ (W[51] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_52_0_bit))
+	MOVW W_48+192(FP), R1
+	MOVW W_51+204(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xf7fd777f, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[42] ^ W[43]) >> 29) & 1) - 1) | ^(DV_I_46_0_bit | DV_I_49_0_bit | DV_I_50_0_bit | DV_II_48_0_bit | DV_II_49_0_bit))
+	MOVW W_42+168(FP), R1
+	MOVW W_43+172(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xffcff5f7, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[41] ^ W[42]) >> 29) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_48_0_bit | DV_I_49_0_bit | DV_II_47_0_bit | DV_II_48_0_bit))
+	MOVW W_41+164(FP), R1
+	MOVW W_42+168(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xffe7fd7b, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[40] >> 4) ^ (W[43] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_50_0_bit | DV_II_49_0_bit | DV_II_56_0_bit))
+	MOVW W_40+160(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_43+172(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x7fdff7f5, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[39] >> 4) ^ (W[42] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_49_0_bit | DV_II_48_0_bit | DV_II_55_0_bit))
+	MOVW W_39+156(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xbfeffdfa, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_44_0_bit | DV_I_48_0_bit | DV_II_47_0_bit | DV_II_54_0_bit | DV_II_56_0_bit)) != 0 {
+	//   mask &= (((((W[38] >> 4) ^ (W[41] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_48_0_bit | DV_II_47_0_bit | DV_II_54_0_bit | DV_II_56_0_bit))
+	// }
+	TST  $0xa0080082, R0
+	BEQ  f1
+	MOVW W_38+152(FP), R1
+	MOVW W_41+164(FP), R2
+	LSR  $0x04, R1, R1
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x5ff7ff7d, R1, R1
+	AND  R1, R0, R0
+
+f1:
+	// mask &= (((((W[37] >> 4) ^ (W[40] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_47_0_bit | DV_II_46_0_bit | DV_II_53_0_bit | DV_II_55_0_bit))
+	MOVW W_37+148(FP), R1
+	MOVW W_40+160(FP), R2
+	LSR  $0x04, R1, R1
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xaffdffde, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_52_0_bit | DV_II_48_0_bit | DV_II_51_0_bit | DV_II_56_0_bit)) != 0 {
+	//   mask &= (((((W[55] ^ W[56]) >> 29) & 1) - 1) | ^(DV_I_52_0_bit | DV_II_48_0_bit | DV_II_51_0_bit | DV_II_56_0_bit))
+	// }
+	TST  $0x82108000, R0
+	BEQ  f2
+	MOVW W_55+220(FP), R1
+	MOVW W_56+224(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0x7def7fff, R1, R1
+	AND  R1, R0, R0
+
+f2:
+	// if (mask & (DV_I_52_0_bit | DV_II_48_0_bit | DV_II_50_0_bit | DV_II_56_0_bit)) != 0 {
+	//   mask &= ((((W[52] ^ (W[55] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_52_0_bit | DV_II_48_0_bit | DV_II_50_0_bit | DV_II_56_0_bit))
+	// }
+	TST  $0x80908000, R0
+	BEQ  f3
+	MOVW W_52+208(FP), R1
+	MOVW W_55+220(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0x7f6f7fff, R1, R1
+	AND  R1, R0, R0
+
+f3:
+	// if (mask & (DV_I_51_0_bit | DV_II_47_0_bit | DV_II_49_0_bit | DV_II_55_0_bit)) != 0 {
+	//   mask &= ((((W[51] ^ (W[54] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_51_0_bit | DV_II_47_0_bit | DV_II_49_0_bit | DV_II_55_0_bit))
+	// }
+	TST  $0x40282000, R0
+	BEQ  f4
+	MOVW W_51+204(FP), R1
+	MOVW W_54+216(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xbfd7dfff, R1, R1
+	AND  R1, R0, R0
+
+f4:
+	// if (mask & (DV_I_48_0_bit | DV_II_47_0_bit | DV_II_52_0_bit | DV_II_53_0_bit)) != 0 {
+	//   mask &= (((((W[51] ^ W[52]) >> 29) & 1) - 1) | ^(DV_I_48_0_bit | DV_II_47_0_bit | DV_II_52_0_bit | DV_II_53_0_bit))
+	// }
+	TST  $0x18080080, R0
+	BEQ  f5
+	MOVW W_51+204(FP), R1
+	MOVW W_52+208(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xe7f7ff7f, R1, R1
+	AND  R1, R0, R0
+
+f5:
+	// if (mask & (DV_I_46_0_bit | DV_I_49_0_bit | DV_II_45_0_bit | DV_II_48_0_bit)) != 0 {
+	//   mask &= (((((W[36] >> 4) ^ (W[40] >> 29)) & 1) - 1) | ^(DV_I_46_0_bit | DV_I_49_0_bit | DV_II_45_0_bit | DV_II_48_0_bit))
+	// }
+	TST  $0x00110208, R0
+	BEQ  f6
+	MOVW W_36+144(FP), R1
+	LSR  $0x04, R1, R1
+	MOVW W_40+160(FP), R2
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xffeefdf7, R1, R1
+	AND  R1, R0, R0
+
+f6:
+	// if (mask & (DV_I_52_0_bit | DV_II_48_0_bit | DV_II_49_0_bit)) != 0 {
+	//   mask &= ((0 - (((W[53] ^ W[56]) >> 29) & 1)) | ^(DV_I_52_0_bit | DV_II_48_0_bit | DV_II_49_0_bit))
+	// }
+	TST  $0x00308000, R0
+	BEQ  f7
+	MOVW W_53+212(FP), R1
+	MOVW W_56+224(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xffcf7fff, R1, R1
+	AND  R1, R0, R0
+
+f7:
+	// if (mask & (DV_I_50_0_bit | DV_II_46_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[51] ^ W[54]) >> 29) & 1)) | ^(DV_I_50_0_bit | DV_II_46_0_bit | DV_II_47_0_bit))
+	// }
+	TST  $0x000a0800, R0
+	BEQ  f8
+	MOVW W_51+204(FP), R1
+	MOVW W_54+216(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xfff5f7ff, R1, R1
+	AND  R1, R0, R0
+
+f8:
+	// if (mask & (DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[50] ^ W[52]) >> 29) & 1)) | ^(DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit))
+	// }
+	TST  $0x00012200, R0
+	BEQ  f9
+	MOVW W_50+200(FP), R1
+	MOVW W_52+208(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffeddff, R1, R1
+	AND  R1, R0, R0
+
+f9:
+	// if (mask & (DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[49] ^ W[51]) >> 29) & 1)) | ^(DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit))
+	// }
+	TST  $0x00008880, R0
+	BEQ  f10
+	MOVW W_49+196(FP), R1
+	MOVW W_51+204(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xffff777f, R1, R1
+	AND  R1, R0, R0
+
+f10:
+	// if (mask & (DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[48] ^ W[50]) >> 29) & 1)) | ^(DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit))
+	// }
+	TST  $0x00002220, R0
+	BEQ  f11
+	MOVW W_48+192(FP), R1
+	MOVW W_50+200(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xffffdddf, R1, R1
+	AND  R1, R0, R0
+
+f11:
+	// if (mask & (DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[47] ^ W[49]) >> 29) & 1)) | ^(DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit))
+	// }
+	TST  $0x00000888, R0
+	BEQ  f12
+	MOVW W_47+188(FP), R1
+	MOVW W_49+196(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffff777, R1, R1
+	AND  R1, R0, R0
+
+f12:
+	// if (mask & (DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[46] ^ W[48]) >> 29) & 1)) | ^(DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit))
+	// }
+	TST  $0x00000224, R0
+	BEQ  f13
+	MOVW W_46+184(FP), R1
+	MOVW W_48+192(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffffddb, R1, R1
+	AND  R1, R0, R0
+
+f13:
+	// mask &= ((((W[45] ^ W[47]) & (1 << 6)) - (1 << 6)) | ^(DV_I_47_2_bit | DV_I_49_2_bit | DV_I_51_2_bit))
+	MOVW W_45+180(FP), R1
+	MOVW W_47+188(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x00000040, R1, R1
+	SUB  $0x00000040, R1, R1
+	ORR  $0xffffbbbf, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[45] ^ W[47]) >> 29) & 1)) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit))
+	// }
+	TST  $0x0000008a, R0
+	BEQ  f14
+	MOVW W_45+180(FP), R1
+	MOVW W_47+188(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xffffff75, R1, R1
+	AND  R1, R0, R0
+
+f14:
+	// mask &= (((((W[44] ^ W[46]) >> 6) & 1) - 1) | ^(DV_I_46_2_bit | DV_I_48_2_bit | DV_I_50_2_bit))
+	MOVW W_44+176(FP), R1
+	MOVW W_46+184(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x06, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xffffeeef, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[44] ^ W[46]) >> 29) & 1)) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit))
+	// }
+	TST  $0x00000025, R0
+	BEQ  f15
+	MOVW W_44+176(FP), R1
+	MOVW W_46+184(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xffffffda, R1, R1
+	AND  R1, R0, R0
+
+f15:
+	// mask &= ((0 - ((W[41] ^ (W[42] >> 5)) & (1 << 1))) | ^(DV_I_48_2_bit | DV_II_46_2_bit | DV_II_51_2_bit))
+	MOVW W_41+164(FP), R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xfbfbfeff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((0 - ((W[40] ^ (W[41] >> 5)) & (1 << 1))) | ^(DV_I_47_2_bit | DV_I_51_2_bit | DV_II_50_2_bit))
+	MOVW W_40+160(FP), R1
+	MOVW W_41+164(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xfeffbfbf, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_44_0_bit | DV_I_46_0_bit | DV_II_56_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[40] ^ W[42]) >> 4) & 1)) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_II_56_0_bit))
+	// }
+	TST  $0x8000000a, R0
+	BEQ  f16
+	MOVW W_40+160(FP), R1
+	MOVW W_42+168(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x04, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0x7ffffff5, R1, R1
+	AND  R1, R0, R0
+
+f16:
+	// mask &= ((0 - ((W[39] ^ (W[40] >> 5)) & (1 << 1))) | ^(DV_I_46_2_bit | DV_I_50_2_bit | DV_II_49_2_bit))
+	MOVW W_39+156(FP), R1
+	MOVW W_40+160(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xffbfefef, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_43_0_bit | DV_I_45_0_bit | DV_II_55_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[39] ^ W[41]) >> 4) & 1)) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_II_55_0_bit))
+	// }
+	TST  $0x40000005, R0
+	BEQ  f17
+	MOVW W_39+156(FP), R1
+	MOVW W_41+164(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x04, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xbffffffa, R1, R1
+	AND  R1, R0, R0
+
+f17:
+	// if (mask & (DV_I_44_0_bit | DV_II_54_0_bit | DV_II_56_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[38] ^ W[40]) >> 4) & 1)) | ^(DV_I_44_0_bit | DV_II_54_0_bit | DV_II_56_0_bit))
+	// }
+	TST  $0xa0000002, R0
+	BEQ  f18
+	MOVW W_38+152(FP), R1
+	MOVW W_40+160(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x04, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0x5ffffffd, R1, R1
+	AND  R1, R0, R0
+
+f18:
+	// if (mask & (DV_I_43_0_bit | DV_II_53_0_bit | DV_II_55_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[37] ^ W[39]) >> 4) & 1)) | ^(DV_I_43_0_bit | DV_II_53_0_bit | DV_II_55_0_bit))
+	// }
+	TST  $0x50000001, R0
+	BEQ  f19
+	MOVW W_37+148(FP), R1
+	MOVW W_39+156(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x04, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xaffffffe, R1, R1
+	AND  R1, R0, R0
+
+f19:
+	// mask &= ((0 - ((W[36] ^ (W[37] >> 5)) & (1 << 1))) | ^(DV_I_47_2_bit | DV_I_50_2_bit | DV_II_46_2_bit))
+	MOVW W_36+144(FP), R1
+	MOVW W_37+148(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffbefbf, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_45_0_bit | DV_I_48_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= (((((W[35] >> 4) ^ (W[39] >> 29)) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_48_0_bit | DV_II_47_0_bit))
+	// }
+	TST  $0x00080084, R0
+	BEQ  f20
+	MOVW W_35+140(FP), R1
+	MOVW W_39+156(FP), R2
+	LSR  $0x04, R1, R1
+	LSR  $0x1d, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $0x00000001, R1, R1
+	ORR  $0xfff7ff7b, R1, R1
+	AND  R1, R0, R0
+
+f20:
+	// if (mask & (DV_I_48_0_bit | DV_II_48_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[63] ^ (W[64] >> 5)) & (1 << 0))) | ^(DV_I_48_0_bit | DV_II_48_0_bit))
+	// }
+	TST  $0x00100080, R0
+	BEQ  f21
+	MOVW W_63+252(FP), R1
+	MOVW W_64+256(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xffefff7f, R1, R1
+	AND  R1, R0, R0
+
+f21:
+	// if (mask & (DV_I_45_0_bit | DV_II_45_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[63] ^ (W[64] >> 5)) & (1 << 1))) | ^(DV_I_45_0_bit | DV_II_45_0_bit))
+	// }
+	TST  $0x00010004, R0
+	BEQ  f22
+	MOVW W_63+252(FP), R1
+	MOVW W_64+256(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffefffb, R1, R1
+	AND  R1, R0, R0
+
+f22:
+	// if (mask & (DV_I_47_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[62] ^ (W[63] >> 5)) & (1 << 0))) | ^(DV_I_47_0_bit | DV_II_47_0_bit))
+	// }
+	TST  $0x00080020, R0
+	BEQ  f23
+	MOVW W_62+248(FP), R1
+	MOVW W_63+252(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xfff7ffdf, R1, R1
+	AND  R1, R0, R0
+
+f23:
+	// if (mask & (DV_I_46_0_bit | DV_II_46_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[61] ^ (W[62] >> 5)) & (1 << 0))) | ^(DV_I_46_0_bit | DV_II_46_0_bit))
+	// }
+	TST  $0x00020008, R0
+	BEQ  f24
+	MOVW W_61+244(FP), R1
+	MOVW W_62+248(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffdfff7, R1, R1
+	AND  R1, R0, R0
+
+f24:
+	// mask &= ((0 - ((W[61] ^ (W[62] >> 5)) & (1 << 2))) | ^(DV_I_46_2_bit | DV_II_46_2_bit))
+	MOVW W_61+244(FP), R1
+	MOVW W_62+248(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000004, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffbffef, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_45_0_bit | DV_II_45_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[60] ^ (W[61] >> 5)) & (1 << 0))) | ^(DV_I_45_0_bit | DV_II_45_0_bit))
+	// }
+	TST  $0x00010004, R0
+	BEQ  f25
+	MOVW W_60+240(FP), R1
+	MOVW W_61+244(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffefffb, R1, R1
+	AND  R1, R0, R0
+
+f25:
+	// if (mask & (DV_II_51_0_bit | DV_II_54_0_bit)) != 0 {
+	// 	mask &= (((((W[58] ^ W[59]) >> 29) & 1) - 1) | ^(DV_II_51_0_bit | DV_II_54_0_bit))
+	// }
+	TST  $0x22000000, R0
+	BEQ  f26
+	MOVW W_58+232(FP), R1
+	MOVW W_59+236(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xddffffff, R1, R1
+	AND  R1, R0, R0
+
+f26:
+	// if (mask & (DV_II_50_0_bit | DV_II_53_0_bit)) != 0 {
+	// 	mask &= (((((W[57] ^ W[58]) >> 29) & 1) - 1) | ^(DV_II_50_0_bit | DV_II_53_0_bit))
+	// }
+	TST  $0x10800000, R0
+	BEQ  f27
+	MOVW W_57+228(FP), R1
+	MOVW W_58+232(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $0x00000001, R1, R1
+	ORR  $0xef7fffff, R1, R1
+	AND  R1, R0, R0
+
+f27:
+	// if (mask & (DV_II_52_0_bit | DV_II_54_0_bit)) != 0 {
+	// 	mask &= ((((W[56] ^ (W[59] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_52_0_bit | DV_II_54_0_bit))
+	// }
+	TST  $0x28000000, R0
+	BEQ  f28
+	MOVW W_56+224(FP), R1
+	MOVW W_59+236(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xd7ffffff, R1, R1
+	AND  R1, R0, R0
+
+f28:
+	// if (mask & (DV_II_51_0_bit | DV_II_52_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[56] ^ W[59]) >> 29) & 1)) | ^(DV_II_51_0_bit | DV_II_52_0_bit))
+	// }
+	TST  $0x0a000000, R0
+	BEQ  f29
+	MOVW W_56+224(FP), R1
+	MOVW W_59+236(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xf5ffffff, R1, R1
+	AND  R1, R0, R0
+
+f29:
+	// if (mask & (DV_II_49_0_bit | DV_II_52_0_bit)) != 0 {
+	// 	mask &= (((((W[56] ^ W[57]) >> 29) & 1) - 1) | ^(DV_II_49_0_bit | DV_II_52_0_bit))
+	// }
+	TST  $0x08200000, R0
+	BEQ  f30
+	MOVW W_56+224(FP), R1
+	MOVW W_57+228(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $0x00000001, R1, R1
+	ORR  $0xf7dfffff, R1, R1
+	AND  R1, R0, R0
+
+f30:
+	// if (mask & (DV_II_51_0_bit | DV_II_53_0_bit)) != 0 {
+	// 	mask &= ((((W[55] ^ (W[58] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_51_0_bit | DV_II_53_0_bit))
+	// }
+	TST  $0x12000000, R0
+	BEQ  f31
+	MOVW W_55+220(FP), R1
+	MOVW W_58+232(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xedffffff, R1, R1
+	AND  R1, R0, R0
+
+f31:
+	// if (mask & (DV_II_50_0_bit | DV_II_52_0_bit)) != 0 {
+	// 	mask &= ((((W[54] ^ (W[57] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_50_0_bit | DV_II_52_0_bit))
+	// }
+	TST  $0x08800000, R0
+	BEQ  f32
+	MOVW W_54+216(FP), R1
+	MOVW W_57+228(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xf77fffff, R1, R1
+	AND  R1, R0, R0
+
+f32:
+	// if (mask & (DV_II_49_0_bit | DV_II_51_0_bit)) != 0 {
+	// 	mask &= ((((W[53] ^ (W[56] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_49_0_bit | DV_II_51_0_bit))
+	// }
+	TST  $0x02200000, R0
+	BEQ  f33
+	MOVW W_53+212(FP), R1
+	MOVW W_56+224(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xfddfffff, R1, R1
+	AND  R1, R0, R0
+
+f33:
+	// mask &= ((((W[51] ^ (W[50] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_50_2_bit | DV_II_46_2_bit))
+	MOVW W_51+204(FP), R1
+	MOVW W_50+200(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	SUB  $0x00000002, R1, R1
+	ORR  $0xfffbefff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[48] ^ W[50]) & (1 << 6)) - (1 << 6)) | ^(DV_I_50_2_bit | DV_II_46_2_bit))
+	MOVW W_48+192(FP), R1
+	MOVW W_50+200(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x00000040, R1, R1
+	SUB  $0x00000040, R1, R1
+	ORR  $0xfffbefff, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_51_0_bit | DV_I_52_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[48] ^ W[55]) >> 29) & 1)) | ^(DV_I_51_0_bit | DV_I_52_0_bit))
+	// }
+	TST  $0x0000a000, R0
+	BEQ  f34
+	MOVW W_48+192(FP), R1
+	MOVW W_55+220(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x1d, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	ORR  $0xffff5fff, R1, R1
+	AND  R1, R0, R0
+
+f34:
+	// mask &= ((((W[47] ^ W[49]) & (1 << 6)) - (1 << 6)) | ^(DV_I_49_2_bit | DV_I_51_2_bit))
+	MOVW W_47+188(FP), R1
+	MOVW W_49+196(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x00000040, R1, R1
+	SUB  $0x00000040, R1, R1
+	ORR  $0xffffbbff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[48] ^ (W[47] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_47_2_bit | DV_II_51_2_bit))
+	MOVW W_48+192(FP), R1
+	MOVW W_47+188(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	SUB  $0x00000002, R1, R1
+	ORR  $0xfbffffbf, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[46] ^ W[48]) & (1 << 6)) - (1 << 6)) | ^(DV_I_48_2_bit | DV_I_50_2_bit))
+	MOVW W_46+184(FP), R1
+	MOVW W_48+192(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x00000040, R1, R1
+	SUB  $0x00000040, R1, R1
+	ORR  $0xffffeeff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[47] ^ (W[46] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_46_2_bit | DV_II_50_2_bit))
+	MOVW W_47+188(FP), R1
+	MOVW W_46+184(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	SUB  $0x00000002, R1, R1
+	ORR  $0xfeffffef, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((0 - ((W[44] ^ (W[45] >> 5)) & (1 << 1))) | ^(DV_I_51_2_bit | DV_II_49_2_bit))
+	MOVW W_44+176(FP), R1
+	MOVW W_45+180(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xffbfbfff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[43] ^ W[45]) & (1 << 6)) - (1 << 6)) | ^(DV_I_47_2_bit | DV_I_49_2_bit))
+	MOVW W_43+172(FP), R1
+	MOVW W_45+180(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x00000040, R1, R1
+	SUB  $0x00000040, R1, R1
+	ORR  $0xfffffbbf, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= (((((W[42] ^ W[44]) >> 6) & 1) - 1) | ^(DV_I_46_2_bit | DV_I_48_2_bit))
+	MOVW W_42+168(FP), R1
+	MOVW W_44+176(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x06, R1, R1
+	AND  $0x00000001, R1, R1
+	SUB  $1, R1, R1
+	ORR  $0xfffffeef, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[43] ^ (W[42] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_II_46_2_bit | DV_II_51_2_bit))
+	MOVW W_43+172(FP), R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	SUB  $0x00000002, R1, R1
+	ORR  $0xfbfbffff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[42] ^ (W[41] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_51_2_bit | DV_II_50_2_bit))
+	MOVW W_42+168(FP), R1
+	MOVW W_41+164(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	SUB  $0x00000002, R1, R1
+	ORR  $0xfeffbfff, R1, R1
+	AND  R1, R0, R0
+
+	// mask &= ((((W[41] ^ (W[40] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_50_2_bit | DV_II_49_2_bit))
+	MOVW W_41+164(FP), R1
+	MOVW W_40+160(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	SUB  $0x00000002, R1, R1
+	ORR  $0xffbfefff, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_52_0_bit | DV_II_51_0_bit)) != 0 {
+	// 	mask &= ((((W[39] ^ (W[43] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_52_0_bit | DV_II_51_0_bit))
+	// }
+	TST  $0x02008000, R0
+	BEQ  f35
+	MOVW W_39+156(FP), R1
+	MOVW W_43+172(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xfdff7fff, R1, R1
+	AND  R1, R0, R0
+
+f35:
+	// if (mask & (DV_I_51_0_bit | DV_II_50_0_bit)) != 0 {
+	// 	mask &= ((((W[38] ^ (W[42] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_51_0_bit | DV_II_50_0_bit))
+	// }
+	TST  $0x00802000, R0
+	BEQ  f36
+	MOVW W_38+152(FP), R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xff7fdfff, R1, R1
+	AND  R1, R0, R0
+
+f36:
+	// if (mask & (DV_I_48_2_bit | DV_I_51_2_bit)) != 0 {
+	// 	mask &= ((0 - ((W[37] ^ (W[38] >> 5)) & (1 << 1))) | ^(DV_I_48_2_bit | DV_I_51_2_bit))
+	// }
+	TST  $0x00004100, R0
+	BEQ  f37
+	MOVW W_37+148(FP), R1
+	MOVW W_38+152(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xffffbeff, R1, R1
+	AND  R1, R0, R0
+
+f37:
+	// if (mask & (DV_I_50_0_bit | DV_II_49_0_bit)) != 0 {
+	// 	mask &= ((((W[37] ^ (W[41] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_50_0_bit | DV_II_49_0_bit))
+	// }
+	TST  $0x00200800, R0
+	BEQ  f38
+	MOVW W_37+148(FP), R1
+	MOVW W_41+164(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	SUB  $0x00000010, R1, R1
+	ORR  $0xffdff7ff, R1, R1
+	AND  R1, R0, R0
+
+f38:
+	// if (mask & (DV_II_52_0_bit | DV_II_54_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[36] ^ W[38]) & (1 << 4))) | ^(DV_II_52_0_bit | DV_II_54_0_bit))
+	// }
+	TST  $0x28000000, R0
+	BEQ  f39
+	MOVW W_36+144(FP), R1
+	MOVW W_38+152(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	NEG  R1, R1
+	ORR  $0xd7ffffff, R1, R1
+	AND  R1, R0, R0
+
+f39:
+	// mask &= ((0 - ((W[35] ^ (W[36] >> 5)) & (1 << 1))) | ^(DV_I_46_2_bit | DV_I_49_2_bit))
+	MOVW W_35+140(FP), R1
+	MOVW W_36+144(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	ORR  $0xfffffbef, R1, R1
+	AND  R1, R0, R0
+
+	// if (mask & (DV_I_51_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= ((((W[35] ^ (W[39] >> 25)) & (1 << 3)) - (1 << 3)) | ^(DV_I_51_0_bit | DV_II_47_0_bit))
+	// }
+	TST  $0x00082000, R0
+	BEQ  f40
+	MOVW W_35+140(FP), R1
+	MOVW W_39+156(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000008, R1, R1
+	SUB  $0x00000008, R1, R1
+	ORR  $0xfff7dfff, R1, R1
+	AND  R1, R0, R0
+
+f40:
+	// if mask != 0
+	TST  $0x00000000, R0
+	BNE  end
+
+	// if (mask & DV_I_43_0_bit) != 0 {
+	// 	if not((W[61]^(W[62]>>5))&(1<<1)) != 0 ||
+	// 		not(not((W[59]^(W[63]>>25))&(1<<5))) != 0 ||
+	// 		not((W[58]^(W[63]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_I_43_0_bit
+	// 	}
+	// }
+	TBZ  $0, R0, f41_skip
+	MOVW W_61+244(FP), R1
+	MOVW W_62+248(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	CBZ R1, f41_in
+	MOVW W_59+236(FP), R1
+	MOVW W_63+252(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000020, R1, R1
+	CBNZ R1, f41_in
+	MOVW W_58+232(FP), R1
+	MOVW W_63+252(FP), R2
+	LSR  $0x1e, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	CBZ R1, f41_in
+	B    f41_skip
+
+f41_in:
+	AND  $0xfffffffe, R0, R0
+
+f41_skip:
+	// if (mask & DV_I_44_0_bit) != 0 {
+	// 	if not((W[62]^(W[63]>>5))&(1<<1)) != 0 ||
+	// 		not(not((W[60]^(W[64]>>25))&(1<<5))) != 0 ||
+	// 		not((W[59]^(W[64]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_I_44_0_bit
+	// 	}
+	// }
+	TBZ  $0x01, R0, f42_skip
+	MOVW W_62+248(FP), R1
+	MOVW W_63+252(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000002, R1, R1
+	NEG  R1, R1
+	CBZ  R1, f42_in
+	MOVW W_60+240(FP), R1
+	MOVW W_64+256(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000020, R1, R1
+	CBNZ R1, f42_in
+	MOVW W_59+236(FP), R1
+	MOVW W_64+256(FP), R2
+	LSR  $0x1e, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000001, R1, R1
+	NEG  R1, R1
+	CBZ  R1, f42_in
+	B    f42_skip
+
+f42_in:
+	AND  $0xfffffffd, R0, R0
+
+f42_skip:
+	// if (mask & DV_I_46_2_bit) != 0 {
+	// 	mask &= ((^((W[40] ^ W[42]) >> 2)) | ^DV_I_46_2_bit)
+	// }
+	TBZ  $0x04, R0, f43
+	MOVW W_40+160(FP), R1
+	MOVW W_42+168(FP), R2
+	EOR  R2, R1, R1
+	LSR  $0x02, R1, R1
+	MVN  R1, R1
+	ORR  $0xffffffef, R1, R1
+	AND  R1, R0, R0
+
+f43:
+	// if (mask & DV_I_47_2_bit) != 0 {
+	// 	if not((W[62]^(W[63]>>5))&(1<<2)) != 0 ||
+	// 		not(not((W[41]^W[43])&(1<<6))) != 0 {
+	// 		mask &= ^DV_I_47_2_bit
+	// 	}
+	// }
+	TBZ  $6, R0, f44_skip
+	MOVW W_62+248(FP), R1
+	MOVW W_63+252(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000004, R1, R1
+	NEG  R1, R1
+	CBZ  R1, f44_in
+	MOVW W_41+164(FP), R1
+	MOVW W_43+172(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x00000040, R1, R1
+	CBNZ R1, f44_in
+	B    f44_skip
+
+f44_in:
+	AND  $0xffffffbf, R0, R0
+
+f44_skip:
+	// if (mask & DV_I_48_2_bit) != 0 {
+	// 	if not((W[63]^(W[64]>>5))&(1<<2)) != 0 ||
+	// 		not(not((W[48]^(W[49]<<5))&(1<<6))) != 0 {
+	// 		mask &= ^DV_I_48_2_bit
+	// 	}
+	// }
+	TBZ  $0x08, R0, f45_skip
+	MOVW W_63+252(FP), R1
+	MOVW W_64+256(FP), R2
+	LSR  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000004, R1, R1
+	NEG  R1, R1
+	CBZ  R1, f45_in
+	MOVW W_48+192(FP), R1
+	MOVW W_49+196(FP), R2
+	LSL  $0x05, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000040, R1, R1
+	CBNZ R1, f45_in
+	B    f45_skip
+
+f45_in:
+	AND  $0xfffffeff, R0, R0
+
+f45_skip:
+	// if (mask & DV_I_49_2_bit) != 0 {
+	// 	if not(not((W[49]^(W[50]<<5))&(1<<6))) != 0 ||
+	// 		not((W[42]^W[50])&(1<<1)) != 0 ||
+	// 		not(not((W[39]^(W[40]<<5))&(1<<6))) != 0 ||
+	// 		not((W[38]^W[40])&(1<<1)) != 0 {
+	// 		mask &= ^DV_I_49_2_bit
+	// 	}
+	// }
+	TBZ   $0x0a, R0, f46_skip             // Test bit 10 of R0, skip if clear
+	MOVW  W_49+196(FP), R1              // R1 = W_49
+	MOVW  W_50+200(FP), R2              // R2 = W_50
+	LSL   $0x05, R2, R2                    // R2 = W_50 << 5
+	EOR   R2, R1, R1                    // R1 ^= R2
+	AND   $0x00000040, R1, R1           // R1 &= 0x40
+	CBNZ  R1, f46_in                    // If non-zero, jump to f46_in
+
+	MOVW  W_42+168(FP), R1
+	MOVW  W_50+200(FP), R2
+	EOR   R2, R1, R1
+	AND   $0x00000002, R1, R1
+	CBZ   R1, f46_in
+
+	MOVW  W_39+156(FP), R1
+	MOVW  W_40+160(FP), R2
+	LSL   $0x05, R2, R2
+	EOR   R2, R1, R1
+	AND   $0x00000040, R1, R1
+	CBNZ  R1, f46_in
+
+	MOVW  W_38+152(FP), R1
+	MOVW  W_40+160(FP), R2
+	EOR   R2, R1, R1
+	AND   $0x00000002, R1, R1
+	CBZ   R1, f46_in
+	B     f46_skip
+
+f46_in:
+	AND  $0xfffffbff, R0, R0
+
+f46_skip:
+    // if (mask & DV_I_50_0_bit) != 0 {
+    //     mask &= (((W[36] ^ W[37]) << 7) | ^DV_I_50_0_bit)
+    // }
+    TBZ   $0x0b, R0, f47                   // Test bit 11 (DV_I_50_0_bit)
+    MOVW  W_36+144(FP), R1
+    MOVW  W_37+148(FP), R2
+    EOR   R2, R1, R1                     // R1 = W[36] ^ W[37]
+    LSL   $0x07, R1, R1                     // R1 <<= 7
+    ORR   $0xfffff7ff, R1, R1            // R1 |= ~DV_I_50_0_bit
+    AND   R1, R0, R0                     // mask &= R1
+
+f47:
+    // if (mask & DV_I_50_2_bit) != 0 {
+    //     mask &= (((W[43] ^ W[51]) << 11) | ^DV_I_50_2_bit)
+    // }
+    TBZ   $0x0c, R0, f48                   // Test bit 12 (DV_I_50_2_bit)
+    MOVW  W_43+172(FP), R1
+    MOVW  W_51+204(FP), R2
+    EOR   R2, R1, R1                     // R1 = W[43] ^ W[51]
+    LSL   $0x0b, R1, R1                    // R1 <<= 11
+    ORR   $0xffffefff, R1, R1            // R1 |= ~DV_I_50_2_bit
+    AND   R1, R0, R0                     // mask &= R1
+
+f48:
+    // if (mask & DV_I_51_0_bit) != 0 {
+    //     mask &= (((W[37] ^ W[38]) << 9) | ^DV_I_51_0_bit)
+    // }
+    TBZ   $0x0d, R0, f49                   // Test bit 13 (DV_I_51_0_bit)
+    MOVW  W_37+148(FP), R1
+    MOVW  W_38+152(FP), R2
+    EOR   R2, R1, R1                     // R1 = W[37] ^ W[38]
+    LSL   $0x09, R1, R1                     // R1 <<= 9
+    ORR   $0xffffdfff, R1, R1            // R1 |= ~DV_I_51_0_bit
+    AND   R1, R0, R0                     // mask &= R1
+
+f49:
+    // if (mask & DV_I_51_2_bit) != 0 {
+    //     if not(not((W[51]^(W[52]<<5))&(1<<6))) != 0 ||
+    //         not(not((W[49]^W[51])&(1<<6))) != 0 ||
+    //         not(not((W[37]^(W[37]>>5))&(1<<1))) != 0 ||
+    //         not(not((W[35]^(W[39]>>25))&(1<<5))) != 0 {
+    //         mask &= ^DV_I_51_2_bit
+    //     }
+    // }
+    TBZ   $0x0e, R0, f50_skip                    // Test bit 14 (DV_I_51_2_bit)
+
+    MOVW  W_51+204(FP), R1
+    MOVW  W_52+208(FP), R2
+    LSL   $0x05, R2, R2
+    EOR   R2, R1, R1
+    AND   $0x00000040, R1, R1
+    CBNZ  R1, f50_in
+
+    MOVW  W_49+196(FP), R1
+    MOVW  W_51+204(FP), R2
+    EOR   R2, R1, R1
+    AND   $0x00000040, R1, R1
+    CBNZ  R1, f50_in
+
+    MOVW  W_37+148(FP), R1
+    MOVW  W_37+148(FP), R2
+    LSR   $0x05, R2, R2
+    EOR   R2, R1, R1
+    AND   $0x00000002, R1, R1
+    CBNZ  R1, f50_in
+
+    MOVW  W_35+140(FP), R1
+    MOVW  W_39+156(FP), R2
+    LSR   $0x19, R2, R2
+    EOR   R2, R1, R1
+    AND   $0x00000020, R1, R1
+    CBNZ  R1, f50_in
+
+    B     f50_skip
+
+f50_in:
+    AND   $0xffffbfff, R0, R0                  // mask &= ~DV_I_51_2_bit
+
+f50_skip:
+    // if (mask & DV_I_52_0_bit) != 0 {
+    //     mask &= (((W[38] ^ W[39]) << 11) | ^DV_I_52_0_bit)
+    // }
+    TBZ   $0x0f, R0, f51                         // Test bit 15 (DV_I_52_0_bit)
+    MOVW  W_38+152(FP), R1
+    MOVW  W_39+156(FP), R2
+    EOR   R2, R1, R1
+    LSL   $0x0b, R1, R1
+    ORR   $0xffff7fff, R1, R1
+    AND   R1, R0, R0
+
+f51:
+    // if (mask & DV_II_46_2_bit) != 0 {
+    //     mask &= (((W[47] ^ W[51]) << 17) | ^DV_II_46_2_bit)
+    // }
+	TST   $0x00040000, R0
+	TBZ   $0x12, R0, f52
+	MOVW  W_47+188(FP), R1
+	MOVW  W_51+204(FP), R2
+	EOR   R2, R1, R1
+	LSL   $0x11, R1, R1
+	ORR   $0xfffbffff, R1, R1
+	AND   R1, R0, R0
+
+f52:
+    // if (mask & DV_II_48_0_bit) != 0 {
+    //     if not(not((W[36]^(W[40]>>25))&(1<<3))) != 0 ||
+    //         not((W[35]^(W[40]<<2))&(1<<30)) != 0 {
+    //         mask &= ^DV_II_48_0_bit
+    //     }
+    // }
+    TBZ   $0x14, R0, f53_skip                  // Test bit 20 (DV_II_48_0_bit)
+
+    MOVW  W_36+144(FP), R1
+    MOVW  W_40+160(FP), R2
+    LSR   $0x19, R2, R2
+    EOR   R2, R1, R1
+    AND   $0x00000008, R1, R1
+    CBNZ  R1, f53_in
+
+    MOVW  W_35+140(FP), R1
+    MOVW  W_40+160(FP), R2
+    LSL   $0x02, R2, R2
+    EOR   R2, R1, R1
+    AND   $0x40000000, R1, R1
+    CBNZ  R1, f53_in
+
+    B     f53_skip
+
+f53_in:
+	AND  $0xffefffff, R0, R0
+
+f53_skip:
+	// if (mask & DV_II_49_0_bit) != 0 {
+	// 	if not(not((W[37]^(W[41]>>25))&(1<<3))) != 0 ||
+	// 		not((W[36]^(W[41]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_49_0_bit
+	// 	}
+	// }
+    TBZ   $0x15, R0, f54_skip                  // Test bit 21 (DV_II_49_0_bit)
+
+    MOVW  W_37+148(FP), R1
+    MOVW  W_41+164(FP), R2
+    LSR   $0x19, R2, R2
+    EOR   R2, R1, R1
+    AND   $0x00000008, R1, R1
+    CBNZ  R1, f54_in
+
+    MOVW  W_36+144(FP), R1
+    MOVW  W_41+164(FP), R2
+    LSL   $0x02, R2, R2
+    EOR   R2, R1, R1
+    AND   $0x40000000, R1, R1
+    CBNZ  R1, f54_in
+
+    B     f54_skip
+
+f54_in:
+    AND   $0xffdfffff, R0, R0               // mask &= ~DV_II_49_0_bit
+
+f54_skip:
+	// if (mask & DV_II_49_2_bit) != 0 {
+	// 	if not(not((W[53]^(W[54]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[51]^W[53])&(1<<6))) != 0 ||
+	// 		not((W[50]^W[54])&(1<<1)) != 0 ||
+	// 		not(not((W[45]^(W[46]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[37]^(W[41]>>25))&(1<<5))) != 0 ||
+	// 		not((W[36]^(W[41]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_II_49_2_bit
+	// 	}
+	// }
+	TBZ $0x16, R0, f55_skip
+
+	MOVW W_53+212(FP), R1
+	MOVW W_54+216(FP), R2
+	LSL  $0x05, R2
+	EOR  R2, R1
+	AND  $0x00000040, R1
+	CMP  $0x00000000, R1
+	BNE  f55_in
+	MOVW W_51+204(FP), R1
+	MOVW W_53+212(FP), R2
+	EOR  R2, R1
+	AND  $0x00000040, R1
+	CMP  $0x00000000, R1
+	BNE  f55_in
+	MOVW W_50+200(FP), R1
+	MOVW W_54+216(FP), R2
+	EOR  R2, R1
+	AND  $0x00000002, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f55_in
+	MOVW W_45+180(FP), R1
+	MOVW W_46+184(FP), R2
+	LSL  $0x05, R2
+	EOR  R2, R1
+	AND  $0x00000040, R1
+	CMP  $0x00000000, R1
+	BNE  f55_in
+	MOVW W_37+148(FP), R1
+	MOVW W_41+164(FP), R2
+	LSR  $0x19, R2
+	EOR  R2, R1
+	AND  $0x00000020, R1
+	CMP  $0x00000000, R1
+	BNE  f55_in
+	MOVW W_36+144(FP), R1
+	MOVW W_41+164(FP), R2
+	LSR  $0x1e, R2
+	EOR  R2, R1
+	AND  $0x00000001, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f55_in
+	JMP  f55_skip
+
+f55_in:
+	AND  $0xffbfffff, R0
+
+f55_skip:
+	// if (mask & DV_II_50_0_bit) != 0 {
+	// 	if not((W[55]^W[58])&(1<<29)) != 0 ||
+	// 		not(not((W[38]^(W[42]>>25))&(1<<3))) != 0 ||
+	// 		not((W[37]^(W[42]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_50_0_bit
+	// 	}
+	// }
+	TBZ $0x17, R0, f56_skip
+
+	MOVW W_55+220(FP), R1
+	MOVW W_58+232(FP), R2
+	EOR  R2, R1
+	AND  $0x20000000, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f56_in
+	MOVW W_38+152(FP), R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x19, R2
+	EOR  R2, R1
+	AND  $0x00000008, R1
+	CMP  $0x00000000, R1
+	BNE  f56_in
+	MOVW W_37+148(FP), R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x02, R2
+	EOR  R2, R1
+	AND  $0x40000000, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f56_in
+	JMP  f56_skip
+
+f56_in:
+	AND  $0xff7fffff, R0
+
+f56_skip:
+	// if (mask & DV_II_50_2_bit) != 0 {
+	// 	if not(not((W[54]^(W[55]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[52]^W[54])&(1<<6))) != 0 ||
+	// 		not((W[51]^W[55])&(1<<1)) != 0 ||
+	// 		not((W[45]^W[47])&(1<<1)) != 0 ||
+	// 		not(not((W[38]^(W[42]>>25))&(1<<5))) != 0 ||
+	// 		not((W[37]^(W[42]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_II_50_2_bit
+	// 	}
+	// }
+	TBZ $0x18, R0, f57_skip
+
+	MOVW W_54+216(FP), R1
+	MOVW W_55+220(FP), R2
+	LSL  $0x05, R2
+	EOR  R2, R1
+	AND  $0x00000040, R1
+	CMP  $0x00000000, R1
+	BNE  f57_in
+	MOVW W_52+208(FP), R1
+	MOVW W_54+216(FP), R2
+	EOR  R2, R1
+	AND  $0x00000040, R1
+	CMP  $0x00000000, R1
+	BNE  f57_in
+	MOVW W_51+204(FP), R1
+	MOVW W_55+220(FP), R2
+	EOR  R2, R1
+	AND  $0x00000002, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f57_in
+	MOVW W_45+180(FP), R1
+	MOVW W_47+188(FP), R2
+	EOR  R2, R1
+	AND  $0x00000002, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f57_in
+	MOVW W_38+152(FP), R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x19, R2
+	EOR  R2, R1
+	AND  $0x00000020, R1
+	CMP  $0x00000000, R1
+	BNE  f57_in
+	MOVW W_37+148(FP), R1
+	MOVW W_42+168(FP), R2
+	LSR  $0x1e, R2
+	EOR  R2, R1
+	AND  $0x00000001, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f57_in
+	JMP  f57_skip
+
+f57_in:
+	AND  $0xfeffffff, R0
+
+f57_skip:
+	// if (mask & DV_II_51_0_bit) != 0 {
+	// 	if not(not((W[39]^(W[43]>>25))&(1<<3))) != 0 ||
+	// 		not((W[38]^(W[43]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_51_0_bit
+	// 	}
+	// }
+	TBZ $0x19, R0, f58_skip
+
+	MOVW W_39+156(FP), R1
+	MOVW W_43+172(FP), R2
+	LSR  $0x19, R2
+	EOR  R2, R1
+	AND  $0x00000008, R1
+	CMP  $0x00000000, R1
+	BNE  f58_in
+	MOVW W_38+152(FP), R1
+	MOVW W_43+172(FP), R2
+	LSL  $0x02, R2
+	EOR  R2, R1
+	AND  $0x40000000, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f58_in
+	JMP  f58_skip
+
+f58_in:
+	AND  $0xfdffffff, R0
+
+f58_skip:
+	// if (mask & DV_II_51_2_bit) != 0 {
+	// 	if not(not((W[55]^(W[56]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[53]^W[55])&(1<<6))) != 0 ||
+	// 		not((W[52]^W[56])&(1<<1)) != 0 ||
+	// 		not((W[46]^W[48])&(1<<1)) != 0 ||
+	// 		not(not((W[39]^(W[43]>>25))&(1<<5))) != 0 ||
+	// 		not((W[38]^(W[43]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_II_51_2_bit
+	// 	}
+	// }	
+	TBZ $0x1a, R0, f59_skip
+
+	MOVW W_55+220(FP), R1
+	MOVW W_56+224(FP), R2
+	LSL  $0x05, R2
+	EOR  R2, R1
+	AND  $0x00000040, R1
+	CMP  $0x00000000, R1
+	BNE  f59_in
+	MOVW W_53+212(FP), R1
+	MOVW W_55+220(FP), R2
+	EOR  R2, R1
+	AND  $0x00000040, R1
+	CMP  $0x00000000, R1
+	BNE  f59_in
+	MOVW W_52+208(FP), R1
+	MOVW W_56+224(FP), R2
+	EOR  R2, R1
+	AND  $0x00000002, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f59_in
+	MOVW W_46+184(FP), R1
+	MOVW W_48+192(FP), R2
+	EOR  R2, R1
+	AND  $0x00000002, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f59_in
+	MOVW W_39+156(FP), R1
+	MOVW W_43+172(FP), R2
+	LSR  $0x19, R2
+	EOR  R2, R1
+	AND  $0x00000020, R1
+	CMP  $0x00000000, R1
+	BNE  f59_in
+	MOVW W_38+152(FP), R1
+	MOVW W_43+172(FP), R2
+	LSR  $0x1e, R2
+	EOR  R2, R1
+	AND  $0x00000001, R1
+	NEG  R1, R1
+	CMP  $0x00000000, R1
+	BEQ  f59_in
+	JMP  f59_skip
+
+f59_in:
+	AND  $0xfbffffff, R0
+
+f59_skip:
+	// if (mask & DV_II_52_0_bit) != 0 {
+	// 	if not(not((W[59]^W[60])&(1<<29))) != 0 ||
+	// 		not(not((W[40]^(W[44]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[40]^(W[44]>>25))&(1<<4))) != 0 ||
+	// 		not((W[39]^(W[44]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_52_0_bit
+	// 	}
+	// }
+	TBZ  $0x1b, R0, f60_skip
+	MOVW W_59+236(FP), R1
+	MOVW W_60+240(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x20000000, R1, R1
+	CBNZ R1, f60_in
+	MOVW W_40+160(FP), R1
+	MOVW W_44+176(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000008, R1, R1
+	CBNZ R1, f60_in
+	MOVW W_40+160(FP), R1
+	MOVW W_44+176(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f60_in
+	MOVW W_39+156(FP), R1
+	MOVW W_44+176(FP), R2
+	LSL  $0x02, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x40000000, R1, R1
+	NEG  R1, R1
+	CBZ R1, f60_in
+	B    f60_skip
+
+f60_in:
+	AND  $0xf7ffffff, R0, R0
+
+f60_skip:
+	// if (mask & DV_II_53_0_bit) != 0 {
+	// 	if not((W[58]^W[61])&(1<<29)) != 0 ||
+	// 		not(not((W[57]^(W[61]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[41]^(W[45]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[41]^(W[45]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_53_0_bit
+	// 	}
+	// }
+	TBZ  $0x1c, R0, f61_skip
+	MOVW W_58+232(FP), R1
+	MOVW W_61+244(FP), R2
+	EOR  R2, R1, R1
+	AND  $0x20000000, R1, R1
+	NEG  R1, R1
+	CBZ R1, f61_in
+	MOVW W_57+228(FP), R1
+	MOVW W_61+244(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f61_in
+	MOVW W_41+164(FP), R1
+	MOVW W_45+180(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000008, R1, R1
+	CBNZ R1, f61_in
+	MOVW W_41+164(FP), R1
+	MOVW W_45+180(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f61_in
+	B    f61_skip
+
+f61_in:
+	AND  $0xefffffff, R0, R0
+
+f61_skip:
+	// if (mask & DV_II_54_0_bit) != 0 {
+	// 	if not(not((W[58]^(W[62]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[42]^(W[46]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[42]^(W[46]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_54_0_bit
+	// 	}
+	// }
+	TBZ  $0x1d, R0, f62_skip
+	MOVW W_58+232(FP), R1
+	MOVW W_62+248(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f62_in
+	MOVW W_42+168(FP), R1
+	MOVW W_46+184(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000008, R1, R1
+	CBNZ R1, f62_in
+	MOVW W_42+168(FP), R1
+	MOVW W_46+184(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f62_in
+	B    f62_skip
+
+f62_in:
+	AND  $0xdfffffff, R0, R0
+
+f62_skip:
+	// if (mask & DV_II_55_0_bit) != 0 {
+	// 	if not(not((W[59]^(W[63]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[57]^(W[59]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[43]^(W[47]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[43]^(W[47]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_55_0_bit
+	// 	}
+	// }
+	TBZ  $0x1e, R0, f63_skip
+	MOVW W_59+236(FP), R1
+	MOVW W_63+252(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f63_in
+	MOVW W_57+228(FP), R1
+	MOVW W_59+236(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f63_in
+	MOVW W_43+172(FP), R1
+	MOVW W_47+188(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000008, R1, R1
+	CBNZ R1, f63_in
+	MOVW W_43+172(FP), R1
+	MOVW W_47+188(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f63_in
+	B    f63_skip
+
+f63_in:
+	AND  $0xbfffffff, R0, R0
+
+f63_skip:
+	// if (mask & DV_II_56_0_bit) != 0 {
+	// 	if not(not((W[60]^(W[64]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[44]^(W[48]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[44]^(W[48]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_56_0_bit
+	// 	}
+	// }
+	TBZ  $0x1f, R0, f64_skip
+	MOVW W_60+240(FP), R1
+	MOVW W_64+256(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f64_in
+	MOVW W_44+176(FP), R1
+	MOVW W_48+192(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000008, R1, R1
+	CBNZ R1, f64_in
+	MOVW W_44+176(FP), R1
+	MOVW W_48+192(FP), R2
+	LSR  $0x19, R2, R2
+	EOR  R2, R1, R1
+	AND  $0x00000010, R1, R1
+	CBNZ R1, f64_in
+	B    f64_skip
+
+f64_in:
+	AND $0x7fffffff, R0, R0
+
+f64_skip:
+end:
+	MOVW R0, ret+320(FP)
+	RET
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go
index 48d6dff1..b7cc826a 100644
--- a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go
@@ -1,5 +1,5 @@
-//go:build !amd64 || noasm || !gc
-// +build !amd64 noasm !gc
+//go:build (!amd64 && !arm64) || noasm || !gc
+// +build !amd64,!arm64 noasm !gc
 
 package ubc
 
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/collectorfunc.go b/vendor/github.com/prometheus/client_golang/prometheus/collectorfunc.go
new file mode 100644
index 00000000..9a71a15d
--- /dev/null
+++ b/vendor/github.com/prometheus/client_golang/prometheus/collectorfunc.go
@@ -0,0 +1,30 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package prometheus
+
+// CollectorFunc is a convenient way to implement a Prometheus Collector
+// without interface boilerplate.
+// This implementation is based on DescribeByCollect method.
+// familiarize yourself to it before using.
+type CollectorFunc func(chan<- Metric)
+
+// Collect calls the defined CollectorFunc function with the provided Metrics channel
+func (f CollectorFunc) Collect(ch chan<- Metric) {
+	f(ch)
+}
+
+// Describe sends the descriptor information using DescribeByCollect
+func (f CollectorFunc) Describe(ch chan<- *Desc) {
+	DescribeByCollect(f, ch)
+}
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go b/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go
index 8b016355..7bac0da3 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go
@@ -453,7 +453,7 @@ func (m *SequenceMatcher) GetGroupedOpCodes(n int) [][]OpCode {
 		}
 		group = append(group, OpCode{c.Tag, i1, i2, j1, j2})
 	}
-	if len(group) > 0 && !(len(group) == 1 && group[0].Tag == 'e') {
+	if len(group) > 0 && (len(group) != 1 || group[0].Tag != 'e') {
 		groups = append(groups, group)
 	}
 	return groups
@@ -568,7 +568,7 @@ func WriteUnifiedDiff(writer io.Writer, diff UnifiedDiff) error {
 	buf := bufio.NewWriter(writer)
 	defer buf.Flush()
 	wf := func(format string, args ...interface{}) error {
-		_, err := buf.WriteString(fmt.Sprintf(format, args...))
+		_, err := fmt.Fprintf(buf, format, args...)
 		return err
 	}
 	ws := func(s string) error {
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/metric.go b/vendor/github.com/prometheus/client_golang/prometheus/metric.go
index 592eec3e..76e59f12 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/metric.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/metric.go
@@ -186,21 +186,31 @@ func (m *withExemplarsMetric) Write(pb *dto.Metric) error {
 	case pb.Counter != nil:
 		pb.Counter.Exemplar = m.exemplars[len(m.exemplars)-1]
 	case pb.Histogram != nil:
+		h := pb.Histogram
 		for _, e := range m.exemplars {
-			// pb.Histogram.Bucket are sorted by UpperBound.
-			i := sort.Search(len(pb.Histogram.Bucket), func(i int) bool {
-				return pb.Histogram.Bucket[i].GetUpperBound() >= e.GetValue()
+			if (h.GetZeroThreshold() != 0 || h.GetZeroCount() != 0 ||
+				len(h.PositiveSpan) != 0 || len(h.NegativeSpan) != 0) &&
+				e.GetTimestamp() != nil {
+				h.Exemplars = append(h.Exemplars, e)
+				if len(h.Bucket) == 0 {
+					// Don't proceed to classic buckets if there are none.
+					continue
+				}
+			}
+			// h.Bucket are sorted by UpperBound.
+			i := sort.Search(len(h.Bucket), func(i int) bool {
+				return h.Bucket[i].GetUpperBound() >= e.GetValue()
 			})
-			if i < len(pb.Histogram.Bucket) {
-				pb.Histogram.Bucket[i].Exemplar = e
+			if i < len(h.Bucket) {
+				h.Bucket[i].Exemplar = e
 			} else {
 				// The +Inf bucket should be explicitly added if there is an exemplar for it, similar to non-const histogram logic in https://github.com/prometheus/client_golang/blob/main/prometheus/histogram.go#L357-L365.
 				b := &dto.Bucket{
-					CumulativeCount: proto.Uint64(pb.Histogram.GetSampleCount()),
+					CumulativeCount: proto.Uint64(h.GetSampleCount()),
 					UpperBound:      proto.Float64(math.Inf(1)),
 					Exemplar:        e,
 				}
-				pb.Histogram.Bucket = append(pb.Histogram.Bucket, b)
+				h.Bucket = append(h.Bucket, b)
 			}
 		}
 	default:
@@ -227,6 +237,7 @@ type Exemplar struct {
 // Only last applicable exemplar is injected from the list.
 // For example for Counter it means last exemplar is injected.
 // For Histogram, it means last applicable exemplar for each bucket is injected.
+// For a Native Histogram, all valid exemplars are injected.
 //
 // NewMetricWithExemplars works best with MustNewConstMetric and
 // MustNewConstHistogram, see example.
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go
index 0a61b984..b32c95fa 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go
@@ -25,9 +25,9 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-// notImplementedErr is returned by stub functions that replace cgo functions, when cgo
+// errNotImplemented is returned by stub functions that replace cgo functions, when cgo
 // isn't available.
-var notImplementedErr = errors.New("not implemented")
+var errNotImplemented = errors.New("not implemented")
 
 type memoryInfo struct {
 	vsize uint64 // Virtual memory size in bytes
@@ -101,7 +101,7 @@ func (c *processCollector) processCollect(ch chan<- Metric) {
 	if memInfo, err := getMemory(); err == nil {
 		ch <- MustNewConstMetric(c.rss, GaugeValue, float64(memInfo.rss))
 		ch <- MustNewConstMetric(c.vsize, GaugeValue, float64(memInfo.vsize))
-	} else if !errors.Is(err, notImplementedErr) {
+	} else if !errors.Is(err, errNotImplemented) {
 		// Don't report an error when support is not compiled in.
 		c.reportError(ch, c.rss, err)
 		c.reportError(ch, c.vsize, err)
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go
index 8ddb0995..37886512 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go
@@ -16,7 +16,7 @@
 package prometheus
 
 func getMemory() (*memoryInfo, error) {
-	return nil, notImplementedErr
+	return nil, errNotImplemented
 }
 
 // describe returns all descriptions of the collector for Darwin.
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go
index 9f4b130b..8074f70f 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go
@@ -66,11 +66,11 @@ func (c *processCollector) processCollect(ch chan<- Metric) {
 
 	if netstat, err := p.Netstat(); err == nil {
 		var inOctets, outOctets float64
-		if netstat.IpExt.InOctets != nil {
-			inOctets = *netstat.IpExt.InOctets
+		if netstat.InOctets != nil {
+			inOctets = *netstat.InOctets
 		}
-		if netstat.IpExt.OutOctets != nil {
-			outOctets = *netstat.IpExt.OutOctets
+		if netstat.OutOctets != nil {
+			outOctets = *netstat.OutOctets
 		}
 		ch <- MustNewConstMetric(c.inBytes, CounterValue, inOctets)
 		ch <- MustNewConstMetric(c.outBytes, CounterValue, outOctets)
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/http.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/http.go
index 28eed267..763d99e3 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/http.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/http.go
@@ -41,11 +41,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/klauspost/compress/zstd"
 	"github.com/prometheus/common/expfmt"
 
 	"github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil"
 	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp/internal"
 )
 
 const (
@@ -65,7 +65,13 @@ const (
 	Zstd     Compression = "zstd"
 )
 
-var defaultCompressionFormats = []Compression{Identity, Gzip, Zstd}
+func defaultCompressionFormats() []Compression {
+	if internal.NewZstdWriter != nil {
+		return []Compression{Identity, Gzip, Zstd}
+	} else {
+		return []Compression{Identity, Gzip}
+	}
+}
 
 var gzipPool = sync.Pool{
 	New: func() interface{} {
@@ -138,7 +144,7 @@ func HandlerForTransactional(reg prometheus.TransactionalGatherer, opts HandlerO
 	// Select compression formats to offer based on default or user choice.
 	var compressions []string
 	if !opts.DisableCompression {
-		offers := defaultCompressionFormats
+		offers := defaultCompressionFormats()
 		if len(opts.OfferedCompressions) > 0 {
 			offers = opts.OfferedCompressions
 		}
@@ -466,14 +472,12 @@ func negotiateEncodingWriter(r *http.Request, rw io.Writer, compressions []strin
 
 	switch selected {
 	case "zstd":
-		// TODO(mrueg): Replace klauspost/compress with stdlib implementation once https://github.com/golang/go/issues/62513 is implemented.
-		z, err := zstd.NewWriter(rw, zstd.WithEncoderLevel(zstd.SpeedFastest))
-		if err != nil {
-			return nil, "", func() {}, err
+		if internal.NewZstdWriter == nil {
+			// The content encoding was not implemented yet.
+			return nil, "", func() {}, fmt.Errorf("content compression format not recognized: %s. Valid formats are: %s", selected, defaultCompressionFormats())
 		}
-
-		z.Reset(rw)
-		return z, selected, func() { _ = z.Close() }, nil
+		writer, closeWriter, err := internal.NewZstdWriter(rw)
+		return writer, selected, closeWriter, err
 	case "gzip":
 		gz := gzipPool.Get().(*gzip.Writer)
 		gz.Reset(rw)
@@ -483,6 +487,6 @@ func negotiateEncodingWriter(r *http.Request, rw io.Writer, compressions []strin
 		return rw, selected, func() {}, nil
 	default:
 		// The content encoding was not implemented yet.
-		return nil, "", func() {}, fmt.Errorf("content compression format not recognized: %s. Valid formats are: %s", selected, defaultCompressionFormats)
+		return nil, "", func() {}, fmt.Errorf("content compression format not recognized: %s. Valid formats are: %s", selected, defaultCompressionFormats())
 	}
 }
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go
index 356edb78..9332b024 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go
@@ -392,7 +392,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool {
 func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels {
 	labels := prometheus.Labels{}
 
-	if !(code || method) {
+	if !code && !method {
 		return labels
 	}
 
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/internal/compression.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/internal/compression.go
new file mode 100644
index 00000000..c5039590
--- /dev/null
+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/internal/compression.go
@@ -0,0 +1,21 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package internal
+
+import (
+	"io"
+)
+
+// NewZstdWriter enables zstd write support if non-nil.
+var NewZstdWriter func(rw io.Writer) (_ io.Writer, closeWriter func(), _ error)
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/vec.go b/vendor/github.com/prometheus/client_golang/prometheus/vec.go
index 2c808eec..487b4665 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/vec.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/vec.go
@@ -79,7 +79,7 @@ func (m *MetricVec) DeleteLabelValues(lvs ...string) bool {
 		return false
 	}
 
-	return m.metricMap.deleteByHashWithLabelValues(h, lvs, m.curry)
+	return m.deleteByHashWithLabelValues(h, lvs, m.curry)
 }
 
 // Delete deletes the metric where the variable labels are the same as those
@@ -101,7 +101,7 @@ func (m *MetricVec) Delete(labels Labels) bool {
 		return false
 	}
 
-	return m.metricMap.deleteByHashWithLabels(h, labels, m.curry)
+	return m.deleteByHashWithLabels(h, labels, m.curry)
 }
 
 // DeletePartialMatch deletes all metrics where the variable labels contain all of those
@@ -114,7 +114,7 @@ func (m *MetricVec) DeletePartialMatch(labels Labels) int {
 	labels, closer := constrainLabels(m.desc, labels)
 	defer closer()
 
-	return m.metricMap.deleteByLabels(labels, m.curry)
+	return m.deleteByLabels(labels, m.curry)
 }
 
 // Without explicit forwarding of Describe, Collect, Reset, those methods won't
@@ -216,7 +216,7 @@ func (m *MetricVec) GetMetricWithLabelValues(lvs ...string) (Metric, error) {
 		return nil, err
 	}
 
-	return m.metricMap.getOrCreateMetricWithLabelValues(h, lvs, m.curry), nil
+	return m.getOrCreateMetricWithLabelValues(h, lvs, m.curry), nil
 }
 
 // GetMetricWith returns the Metric for the given Labels map (the label names
@@ -244,7 +244,7 @@ func (m *MetricVec) GetMetricWith(labels Labels) (Metric, error) {
 		return nil, err
 	}
 
-	return m.metricMap.getOrCreateMetricWithLabels(h, labels, m.curry), nil
+	return m.getOrCreateMetricWithLabels(h, labels, m.curry), nil
 }
 
 func (m *MetricVec) hashLabelValues(vals []string) (uint64, error) {
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/wrap.go b/vendor/github.com/prometheus/client_golang/prometheus/wrap.go
index 25da157f..2ed12850 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/wrap.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/wrap.go
@@ -63,7 +63,7 @@ func WrapRegistererWith(labels Labels, reg Registerer) Registerer {
 // metric names that are standardized across applications, as that would break
 // horizontal monitoring, for example the metrics provided by the Go collector
 // (see NewGoCollector) and the process collector (see NewProcessCollector). (In
-// fact, those metrics are already prefixed with “go_” or “process_”,
+// fact, those metrics are already prefixed with "go_" or "process_",
 // respectively.)
 //
 // Conflicts between Collectors registered through the original Registerer with
@@ -78,6 +78,40 @@ func WrapRegistererWithPrefix(prefix string, reg Registerer) Registerer {
 	}
 }
 
+// WrapCollectorWith returns a Collector wrapping the provided Collector. The
+// wrapped Collector will add the provided Labels to all Metrics it collects (as
+// ConstLabels). The Metrics collected by the unmodified Collector must not
+// duplicate any of those labels.
+//
+// WrapCollectorWith can be useful to work with multiple instances of a third
+// party library that does not expose enough flexibility on the lifecycle of its
+// registered metrics.
+// For example, let's say you have a foo.New(reg Registerer) constructor that
+// registers metrics but never unregisters them, and you want to create multiple
+// instances of foo.Foo with different labels.
+// The way to achieve that, is to create a new Registry, pass it to foo.New,
+// then use WrapCollectorWith to wrap that Registry with the desired labels and
+// register that as a collector in your main Registry.
+// Then you can un-register the wrapped collector effectively un-registering the
+// metrics registered by foo.New.
+func WrapCollectorWith(labels Labels, c Collector) Collector {
+	return &wrappingCollector{
+		wrappedCollector: c,
+		labels:           labels,
+	}
+}
+
+// WrapCollectorWithPrefix returns a Collector wrapping the provided Collector. The
+// wrapped Collector will add the provided prefix to the name of all Metrics it collects.
+//
+// See the documentation of WrapCollectorWith for more details on the use case.
+func WrapCollectorWithPrefix(prefix string, c Collector) Collector {
+	return &wrappingCollector{
+		wrappedCollector: c,
+		prefix:           prefix,
+	}
+}
+
 type wrappingRegisterer struct {
 	wrappedRegisterer Registerer
 	prefix            string
diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse.go b/vendor/github.com/prometheus/common/expfmt/text_parse.go
index b4607fe4..4067978a 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_parse.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_parse.go
@@ -345,8 +345,8 @@ func (p *TextParser) startLabelName() stateFn {
 	}
 	// Special summary/histogram treatment. Don't add 'quantile' and 'le'
 	// labels to 'real' labels.
-	if !(p.currentMF.GetType() == dto.MetricType_SUMMARY && p.currentLabelPair.GetName() == model.QuantileLabel) &&
-		!(p.currentMF.GetType() == dto.MetricType_HISTOGRAM && p.currentLabelPair.GetName() == model.BucketLabel) {
+	if (p.currentMF.GetType() != dto.MetricType_SUMMARY || p.currentLabelPair.GetName() != model.QuantileLabel) &&
+		(p.currentMF.GetType() != dto.MetricType_HISTOGRAM || p.currentLabelPair.GetName() != model.BucketLabel) {
 		p.currentLabelPairs = append(p.currentLabelPairs, p.currentLabelPair)
 	}
 	// Check for duplicate label names.
diff --git a/vendor/github.com/prometheus/common/model/labels.go b/vendor/github.com/prometheus/common/model/labels.go
index f4a38760..de83afe9 100644
--- a/vendor/github.com/prometheus/common/model/labels.go
+++ b/vendor/github.com/prometheus/common/model/labels.go
@@ -122,7 +122,8 @@ func (ln LabelName) IsValidLegacy() bool {
 		return false
 	}
 	for i, b := range ln {
-		if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) {
+		// TODO: Apply De Morgan's law. Make sure there are tests for this.
+		if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) { //nolint:staticcheck
 			return false
 		}
 	}
diff --git a/vendor/github.com/prometheus/common/model/time.go b/vendor/github.com/prometheus/common/model/time.go
index 5727452c..fed9e87b 100644
--- a/vendor/github.com/prometheus/common/model/time.go
+++ b/vendor/github.com/prometheus/common/model/time.go
@@ -201,6 +201,7 @@ var unitMap = map[string]struct {
 
 // ParseDuration parses a string into a time.Duration, assuming that a year
 // always has 365d, a week always has 7d, and a day always has 24h.
+// Negative durations are not supported.
 func ParseDuration(s string) (Duration, error) {
 	switch s {
 	case "0":
@@ -253,18 +254,36 @@ func ParseDuration(s string) (Duration, error) {
 			return 0, errors.New("duration out of range")
 		}
 	}
+
 	return Duration(dur), nil
 }
 
+// ParseDurationAllowNegative is like ParseDuration but also accepts negative durations.
+func ParseDurationAllowNegative(s string) (Duration, error) {
+	if s == "" || s[0] != '-' {
+		return ParseDuration(s)
+	}
+
+	d, err := ParseDuration(s[1:])
+
+	return -d, err
+}
+
 func (d Duration) String() string {
 	var (
-		ms = int64(time.Duration(d) / time.Millisecond)
-		r  = ""
+		ms   = int64(time.Duration(d) / time.Millisecond)
+		r    = ""
+		sign = ""
 	)
+
 	if ms == 0 {
 		return "0s"
 	}
 
+	if ms < 0 {
+		sign, ms = "-", -ms
+	}
+
 	f := func(unit string, mult int64, exact bool) {
 		if exact && ms%mult != 0 {
 			return
@@ -286,7 +305,7 @@ func (d Duration) String() string {
 	f("s", 1000, false)
 	f("ms", 1, false)
 
-	return r
+	return sign + r
 }
 
 // MarshalJSON implements the json.Marshaler interface.
diff --git a/vendor/github.com/prometheus/procfs/.golangci.yml b/vendor/github.com/prometheus/procfs/.golangci.yml
index 126df9e6..3c3bf910 100644
--- a/vendor/github.com/prometheus/procfs/.golangci.yml
+++ b/vendor/github.com/prometheus/procfs/.golangci.yml
@@ -1,22 +1,45 @@
----
+version: "2"
 linters:
   enable:
-  - errcheck
-  - godot
-  - gosimple
-  - govet
-  - ineffassign
-  - misspell
-  - revive
-  - staticcheck
-  - testifylint
-  - unused
-
-linter-settings:
-  godot:
-    capital: true
-    exclude:
-    # Ignore "See: URL"
-    - 'See:'
-  misspell:
-    locale: US
+    - forbidigo
+    - godot
+    - misspell
+    - revive
+    - testifylint
+  settings:
+    forbidigo:
+      forbid:
+        - pattern: ^fmt\.Print.*$
+          msg: Do not commit print statements.
+    godot:
+      exclude:
+        # Ignore "See: URL".
+        - 'See:'
+      capital: true
+    misspell:
+      locale: US
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/prometheus/procfs
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/vendor/github.com/prometheus/procfs/Makefile.common b/vendor/github.com/prometheus/procfs/Makefile.common
index 16172923..4de21512 100644
--- a/vendor/github.com/prometheus/procfs/Makefile.common
+++ b/vendor/github.com/prometheus/procfs/Makefile.common
@@ -61,7 +61,8 @@ PROMU_URL     := https://github.com/prometheus/promu/releases/download/v$(PROMU_
 SKIP_GOLANGCI_LINT :=
 GOLANGCI_LINT :=
 GOLANGCI_LINT_OPTS ?=
-GOLANGCI_LINT_VERSION ?= v1.59.0
+GOLANGCI_LINT_VERSION ?= v2.1.5
+GOLANGCI_FMT_OPTS ?=
 # golangci-lint only supports linux, darwin and windows platforms on i386/amd64/arm64.
 # windows isn't included here because of the path separator being different.
 ifeq ($(GOHOSTOS),$(filter $(GOHOSTOS),linux darwin))
@@ -156,9 +157,13 @@ $(GOTEST_DIR):
 	@mkdir -p $@
 
 .PHONY: common-format
-common-format:
+common-format: $(GOLANGCI_LINT)
 	@echo ">> formatting code"
 	$(GO) fmt $(pkgs)
+ifdef GOLANGCI_LINT
+	@echo ">> formatting code with golangci-lint"
+	$(GOLANGCI_LINT) fmt $(GOLANGCI_FMT_OPTS)
+endif
 
 .PHONY: common-vet
 common-vet:
@@ -248,8 +253,8 @@ $(PROMU):
 	cp $(PROMU_TMP)/promu-$(PROMU_VERSION).$(GO_BUILD_PLATFORM)/promu $(FIRST_GOPATH)/bin/promu
 	rm -r $(PROMU_TMP)
 
-.PHONY: proto
-proto:
+.PHONY: common-proto
+common-proto:
 	@echo ">> generating code from proto files"
 	@./scripts/genproto.sh
 
@@ -275,3 +280,9 @@ $(1)_precheck:
 		exit 1; \
 	fi
 endef
+
+govulncheck: install-govulncheck
+	govulncheck ./...
+
+install-govulncheck:
+	command -v govulncheck > /dev/null || go install golang.org/x/vuln/cmd/govulncheck@latest
diff --git a/vendor/github.com/prometheus/procfs/README.md b/vendor/github.com/prometheus/procfs/README.md
index 1224816c..0718239c 100644
--- a/vendor/github.com/prometheus/procfs/README.md
+++ b/vendor/github.com/prometheus/procfs/README.md
@@ -47,15 +47,15 @@ However, most of the API includes unit tests which can be run with `make test`.
 The procfs library includes a set of test fixtures which include many example files from
 the `/proc` and `/sys` filesystems.  These fixtures are included as a [ttar](https://github.com/ideaship/ttar) file
 which is extracted automatically during testing.  To add/update the test fixtures, first
-ensure the `fixtures` directory is up to date by removing the existing directory and then
-extracting the ttar file using `make fixtures/.unpacked` or just `make test`.
+ensure the `testdata/fixtures` directory is up to date by removing the existing directory and then
+extracting the ttar file using `make testdata/fixtures/.unpacked` or just `make test`.
 
 ```bash
 rm -rf testdata/fixtures
 make test
 ```
 
-Next, make the required changes to the extracted files in the `fixtures` directory.  When
+Next, make the required changes to the extracted files in the `testdata/fixtures` directory.  When
 the changes are complete, run `make update_fixtures` to create a new `fixtures.ttar` file
 based on the updated `fixtures` directory.  And finally, verify the changes using
 `git diff testdata/fixtures.ttar`.
diff --git a/vendor/github.com/prometheus/procfs/arp.go b/vendor/github.com/prometheus/procfs/arp.go
index cdcc8a7c..2e533441 100644
--- a/vendor/github.com/prometheus/procfs/arp.go
+++ b/vendor/github.com/prometheus/procfs/arp.go
@@ -23,9 +23,9 @@ import (
 
 // Learned from include/uapi/linux/if_arp.h.
 const (
-	// completed entry (ha valid).
+	// Completed entry (ha valid).
 	ATFComplete = 0x02
-	// permanent entry.
+	// Permanent entry.
 	ATFPermanent = 0x04
 	// Publish entry.
 	ATFPublish = 0x08
diff --git a/vendor/github.com/prometheus/procfs/fs.go b/vendor/github.com/prometheus/procfs/fs.go
index 4980c875..9bdaccc7 100644
--- a/vendor/github.com/prometheus/procfs/fs.go
+++ b/vendor/github.com/prometheus/procfs/fs.go
@@ -24,8 +24,14 @@ type FS struct {
 	isReal bool
 }
 
-// DefaultMountPoint is the common mount point of the proc filesystem.
-const DefaultMountPoint = fs.DefaultProcMountPoint
+const (
+	// DefaultMountPoint is the common mount point of the proc filesystem.
+	DefaultMountPoint = fs.DefaultProcMountPoint
+
+	// SectorSize represents the size of a sector in bytes.
+	// It is specific to Linux block I/O operations.
+	SectorSize = 512
+)
 
 // NewDefaultFS returns a new proc FS mounted under the default proc mountPoint.
 // It will error if the mount point directory can't be read or is a file.
diff --git a/vendor/github.com/prometheus/procfs/fs_statfs_notype.go b/vendor/github.com/prometheus/procfs/fs_statfs_notype.go
index 134767d6..1b5bdbdf 100644
--- a/vendor/github.com/prometheus/procfs/fs_statfs_notype.go
+++ b/vendor/github.com/prometheus/procfs/fs_statfs_notype.go
@@ -17,7 +17,7 @@
 package procfs
 
 // isRealProc returns true on architectures that don't have a Type argument
-// in their Statfs_t struct
-func isRealProc(mountPoint string) (bool, error) {
+// in their Statfs_t struct.
+func isRealProc(_ string) (bool, error) {
 	return true, nil
 }
diff --git a/vendor/github.com/prometheus/procfs/fscache.go b/vendor/github.com/prometheus/procfs/fscache.go
index cf2e3eaa..7db86330 100644
--- a/vendor/github.com/prometheus/procfs/fscache.go
+++ b/vendor/github.com/prometheus/procfs/fscache.go
@@ -162,7 +162,7 @@ type Fscacheinfo struct {
 	ReleaseRequestsAgainstPagesStoredByTimeLockGranted uint64
 	// Number of release reqs ignored due to in-progress store
 	ReleaseRequestsIgnoredDueToInProgressStore uint64
-	// Number of page stores cancelled due to release req
+	// Number of page stores canceled due to release req
 	PageStoresCancelledByReleaseRequests uint64
 	VmscanWaiting                        uint64
 	// Number of times async ops added to pending queues
@@ -171,11 +171,11 @@ type Fscacheinfo struct {
 	OpsRunning uint64
 	// Number of times async ops queued for processing
 	OpsEnqueued uint64
-	// Number of async ops cancelled
+	// Number of async ops canceled
 	OpsCancelled uint64
 	// Number of async ops rejected due to object lookup/create failure
 	OpsRejected uint64
-	// Number of async ops initialised
+	// Number of async ops initialized
 	OpsInitialised uint64
 	// Number of async ops queued for deferred release
 	OpsDeferred uint64
diff --git a/vendor/github.com/prometheus/procfs/internal/fs/fs.go b/vendor/github.com/prometheus/procfs/internal/fs/fs.go
index 3c18c761..3a43e839 100644
--- a/vendor/github.com/prometheus/procfs/internal/fs/fs.go
+++ b/vendor/github.com/prometheus/procfs/internal/fs/fs.go
@@ -28,6 +28,9 @@ const (
 
 	// DefaultConfigfsMountPoint is the common mount point of the configfs.
 	DefaultConfigfsMountPoint = "/sys/kernel/config"
+
+	// DefaultSelinuxMountPoint is the common mount point of the selinuxfs.
+	DefaultSelinuxMountPoint = "/sys/fs/selinux"
 )
 
 // FS represents a pseudo-filesystem, normally /proc or /sys, which provides an
diff --git a/vendor/github.com/prometheus/procfs/internal/util/parse.go b/vendor/github.com/prometheus/procfs/internal/util/parse.go
index 14272dc7..5a7d2df0 100644
--- a/vendor/github.com/prometheus/procfs/internal/util/parse.go
+++ b/vendor/github.com/prometheus/procfs/internal/util/parse.go
@@ -14,6 +14,7 @@
 package util
 
 import (
+	"errors"
 	"os"
 	"strconv"
 	"strings"
@@ -110,3 +111,16 @@ func ParseBool(b string) *bool {
 	}
 	return &truth
 }
+
+// ReadHexFromFile reads a file and attempts to parse a uint64 from a hexadecimal format 0xXX.
+func ReadHexFromFile(path string) (uint64, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return 0, err
+	}
+	hexString := strings.TrimSpace(string(data))
+	if !strings.HasPrefix(hexString, "0x") {
+		return 0, errors.New("invalid format: hex string does not start with '0x'")
+	}
+	return strconv.ParseUint(hexString[2:], 16, 64)
+}
diff --git a/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go b/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go
index 1ab875ce..d5404a6d 100644
--- a/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go
+++ b/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go
@@ -20,6 +20,8 @@ package util
 import (
 	"bytes"
 	"os"
+	"strconv"
+	"strings"
 	"syscall"
 )
 
@@ -48,3 +50,21 @@ func SysReadFile(file string) (string, error) {
 
 	return string(bytes.TrimSpace(b[:n])), nil
 }
+
+// SysReadUintFromFile reads a file using SysReadFile and attempts to parse a uint64 from it.
+func SysReadUintFromFile(path string) (uint64, error) {
+	data, err := SysReadFile(path)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.ParseUint(strings.TrimSpace(string(data)), 10, 64)
+}
+
+// SysReadIntFromFile reads a file using SysReadFile and attempts to parse a int64 from it.
+func SysReadIntFromFile(path string) (int64, error) {
+	data, err := SysReadFile(path)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.ParseInt(strings.TrimSpace(string(data)), 10, 64)
+}
diff --git a/vendor/github.com/prometheus/procfs/mdstat.go b/vendor/github.com/prometheus/procfs/mdstat.go
index 67a9d2b4..1fd4381b 100644
--- a/vendor/github.com/prometheus/procfs/mdstat.go
+++ b/vendor/github.com/prometheus/procfs/mdstat.go
@@ -123,13 +123,16 @@ func parseMDStat(mdStatData []byte) ([]MDStat, error) {
 		finish := float64(0)
 		pct := float64(0)
 		recovering := strings.Contains(lines[syncLineIdx], "recovery")
+		reshaping := strings.Contains(lines[syncLineIdx], "reshape")
 		resyncing := strings.Contains(lines[syncLineIdx], "resync")
 		checking := strings.Contains(lines[syncLineIdx], "check")
 
 		// Append recovery and resyncing state info.
-		if recovering || resyncing || checking {
+		if recovering || resyncing || checking || reshaping {
 			if recovering {
 				state = "recovering"
+			} else if reshaping {
+				state = "reshaping"
 			} else if checking {
 				state = "checking"
 			} else {
diff --git a/vendor/github.com/prometheus/procfs/meminfo.go b/vendor/github.com/prometheus/procfs/meminfo.go
index 4b2c4050..937e1f96 100644
--- a/vendor/github.com/prometheus/procfs/meminfo.go
+++ b/vendor/github.com/prometheus/procfs/meminfo.go
@@ -66,6 +66,10 @@ type Meminfo struct {
 	// Memory which has been evicted from RAM, and is temporarily
 	// on the disk
 	SwapFree *uint64
+	// Memory consumed by the zswap backend (compressed size)
+	Zswap *uint64
+	// Amount of anonymous memory stored in zswap (original size)
+	Zswapped *uint64
 	// Memory which is waiting to get written back to the disk
 	Dirty *uint64
 	// Memory which is actively being written back to the disk
@@ -85,6 +89,8 @@ type Meminfo struct {
 	// amount of memory dedicated to the lowest level of page
 	// tables.
 	PageTables *uint64
+	// secondary page tables.
+	SecPageTables *uint64
 	// NFS pages sent to the server, but not yet committed to
 	// stable storage
 	NFSUnstable *uint64
@@ -129,15 +135,18 @@ type Meminfo struct {
 	Percpu            *uint64
 	HardwareCorrupted *uint64
 	AnonHugePages     *uint64
+	FileHugePages     *uint64
 	ShmemHugePages    *uint64
 	ShmemPmdMapped    *uint64
 	CmaTotal          *uint64
 	CmaFree           *uint64
+	Unaccepted        *uint64
 	HugePagesTotal    *uint64
 	HugePagesFree     *uint64
 	HugePagesRsvd     *uint64
 	HugePagesSurp     *uint64
 	Hugepagesize      *uint64
+	Hugetlb           *uint64
 	DirectMap4k       *uint64
 	DirectMap2M       *uint64
 	DirectMap1G       *uint64
@@ -161,6 +170,8 @@ type Meminfo struct {
 	MlockedBytes           *uint64
 	SwapTotalBytes         *uint64
 	SwapFreeBytes          *uint64
+	ZswapBytes             *uint64
+	ZswappedBytes          *uint64
 	DirtyBytes             *uint64
 	WritebackBytes         *uint64
 	AnonPagesBytes         *uint64
@@ -171,6 +182,7 @@ type Meminfo struct {
 	SUnreclaimBytes        *uint64
 	KernelStackBytes       *uint64
 	PageTablesBytes        *uint64
+	SecPageTablesBytes     *uint64
 	NFSUnstableBytes       *uint64
 	BounceBytes            *uint64
 	WritebackTmpBytes      *uint64
@@ -182,11 +194,14 @@ type Meminfo struct {
 	PercpuBytes            *uint64
 	HardwareCorruptedBytes *uint64
 	AnonHugePagesBytes     *uint64
+	FileHugePagesBytes     *uint64
 	ShmemHugePagesBytes    *uint64
 	ShmemPmdMappedBytes    *uint64
 	CmaTotalBytes          *uint64
 	CmaFreeBytes           *uint64
+	UnacceptedBytes        *uint64
 	HugepagesizeBytes      *uint64
+	HugetlbBytes           *uint64
 	DirectMap4kBytes       *uint64
 	DirectMap2MBytes       *uint64
 	DirectMap1GBytes       *uint64
@@ -287,6 +302,12 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) {
 		case "SwapFree:":
 			m.SwapFree = &val
 			m.SwapFreeBytes = &valBytes
+		case "Zswap:":
+			m.Zswap = &val
+			m.ZswapBytes = &valBytes
+		case "Zswapped:":
+			m.Zswapped = &val
+			m.ZswapBytes = &valBytes
 		case "Dirty:":
 			m.Dirty = &val
 			m.DirtyBytes = &valBytes
@@ -317,6 +338,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) {
 		case "PageTables:":
 			m.PageTables = &val
 			m.PageTablesBytes = &valBytes
+		case "SecPageTables:":
+			m.SecPageTables = &val
+			m.SecPageTablesBytes = &valBytes
 		case "NFS_Unstable:":
 			m.NFSUnstable = &val
 			m.NFSUnstableBytes = &valBytes
@@ -350,6 +374,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) {
 		case "AnonHugePages:":
 			m.AnonHugePages = &val
 			m.AnonHugePagesBytes = &valBytes
+		case "FileHugePages:":
+			m.FileHugePages = &val
+			m.FileHugePagesBytes = &valBytes
 		case "ShmemHugePages:":
 			m.ShmemHugePages = &val
 			m.ShmemHugePagesBytes = &valBytes
@@ -362,6 +389,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) {
 		case "CmaFree:":
 			m.CmaFree = &val
 			m.CmaFreeBytes = &valBytes
+		case "Unaccepted:":
+			m.Unaccepted = &val
+			m.UnacceptedBytes = &valBytes
 		case "HugePages_Total:":
 			m.HugePagesTotal = &val
 		case "HugePages_Free:":
@@ -373,6 +403,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) {
 		case "Hugepagesize:":
 			m.Hugepagesize = &val
 			m.HugepagesizeBytes = &valBytes
+		case "Hugetlb:":
+			m.Hugetlb = &val
+			m.HugetlbBytes = &valBytes
 		case "DirectMap4k:":
 			m.DirectMap4k = &val
 			m.DirectMap4kBytes = &valBytes
diff --git a/vendor/github.com/prometheus/procfs/mountstats.go b/vendor/github.com/prometheus/procfs/mountstats.go
index 75a3b6c8..50caa732 100644
--- a/vendor/github.com/prometheus/procfs/mountstats.go
+++ b/vendor/github.com/prometheus/procfs/mountstats.go
@@ -45,11 +45,11 @@ const (
 	fieldTransport11TCPLen = 13
 	fieldTransport11UDPLen = 10
 
-	// kernel version >= 4.14 MaxLen
+	// Kernel version >= 4.14 MaxLen
 	// See: https://elixir.bootlin.com/linux/v6.4.8/source/net/sunrpc/xprtrdma/xprt_rdma.h#L393
 	fieldTransport11RDMAMaxLen = 28
 
-	// kernel version <= 4.2 MinLen
+	// Kernel version <= 4.2 MinLen
 	// See: https://elixir.bootlin.com/linux/v4.2.8/source/net/sunrpc/xprtrdma/xprt_rdma.h#L331
 	fieldTransport11RDMAMinLen = 20
 )
@@ -601,11 +601,12 @@ func parseNFSTransportStats(ss []string, statVersion string) (*NFSTransportStats
 	switch statVersion {
 	case statVersion10:
 		var expectedLength int
-		if protocol == "tcp" {
+		switch protocol {
+		case "tcp":
 			expectedLength = fieldTransport10TCPLen
-		} else if protocol == "udp" {
+		case "udp":
 			expectedLength = fieldTransport10UDPLen
-		} else {
+		default:
 			return nil, fmt.Errorf("%w: Invalid NFS protocol \"%s\" in stats 1.0 statement: %v", ErrFileParse, protocol, ss)
 		}
 		if len(ss) != expectedLength {
@@ -613,13 +614,14 @@ func parseNFSTransportStats(ss []string, statVersion string) (*NFSTransportStats
 		}
 	case statVersion11:
 		var expectedLength int
-		if protocol == "tcp" {
+		switch protocol {
+		case "tcp":
 			expectedLength = fieldTransport11TCPLen
-		} else if protocol == "udp" {
+		case "udp":
 			expectedLength = fieldTransport11UDPLen
-		} else if protocol == "rdma" {
+		case "rdma":
 			expectedLength = fieldTransport11RDMAMinLen
-		} else {
+		default:
 			return nil, fmt.Errorf("%w: invalid NFS protocol \"%s\" in stats 1.1 statement: %v", ErrFileParse, protocol, ss)
 		}
 		if (len(ss) != expectedLength && (protocol == "tcp" || protocol == "udp")) ||
@@ -655,11 +657,12 @@ func parseNFSTransportStats(ss []string, statVersion string) (*NFSTransportStats
 	// For the udp RPC transport there is no connection count, connect idle time,
 	// or idle time (fields #3, #4, and #5); all other fields are the same. So
 	// we set them to 0 here.
-	if protocol == "udp" {
+	switch protocol {
+	case "udp":
 		ns = append(ns[:2], append(make([]uint64, 3), ns[2:]...)...)
-	} else if protocol == "tcp" {
+	case "tcp":
 		ns = append(ns[:fieldTransport11TCPLen], make([]uint64, fieldTransport11RDMAMaxLen-fieldTransport11TCPLen+3)...)
-	} else if protocol == "rdma" {
+	case "rdma":
 		ns = append(ns[:fieldTransport10TCPLen], append(make([]uint64, 3), ns[fieldTransport10TCPLen:]...)...)
 	}
 
diff --git a/vendor/github.com/prometheus/procfs/net_dev_snmp6.go b/vendor/github.com/prometheus/procfs/net_dev_snmp6.go
new file mode 100644
index 00000000..f50b38e3
--- /dev/null
+++ b/vendor/github.com/prometheus/procfs/net_dev_snmp6.go
@@ -0,0 +1,96 @@
+// Copyright 2018 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package procfs
+
+import (
+	"bufio"
+	"errors"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+)
+
+// NetDevSNMP6 is parsed from files in /proc/net/dev_snmp6/ or /proc/<PID>/net/dev_snmp6/.
+// The outer map's keys are interface names and the inner map's keys are stat names.
+//
+// If you'd like a total across all interfaces, please use the Snmp6() method of the Proc type.
+type NetDevSNMP6 map[string]map[string]uint64
+
+// Returns kernel/system statistics read from interface files within the /proc/net/dev_snmp6/
+// directory.
+func (fs FS) NetDevSNMP6() (NetDevSNMP6, error) {
+	return newNetDevSNMP6(fs.proc.Path("net/dev_snmp6"))
+}
+
+// Returns kernel/system statistics read from interface files within the /proc/<PID>/net/dev_snmp6/
+// directory.
+func (p Proc) NetDevSNMP6() (NetDevSNMP6, error) {
+	return newNetDevSNMP6(p.path("net/dev_snmp6"))
+}
+
+// newNetDevSNMP6 creates a new NetDevSNMP6 from the contents of the given directory.
+func newNetDevSNMP6(dir string) (NetDevSNMP6, error) {
+	netDevSNMP6 := make(NetDevSNMP6)
+
+	// The net/dev_snmp6 folders contain one file per interface
+	ifaceFiles, err := os.ReadDir(dir)
+	if err != nil {
+		// On systems with IPv6 disabled, this directory won't exist.
+		// Do nothing.
+		if errors.Is(err, os.ErrNotExist) {
+			return netDevSNMP6, err
+		}
+		return netDevSNMP6, err
+	}
+
+	for _, iFaceFile := range ifaceFiles {
+		f, err := os.Open(dir + "/" + iFaceFile.Name())
+		if err != nil {
+			return netDevSNMP6, err
+		}
+		defer f.Close()
+
+		netDevSNMP6[iFaceFile.Name()], err = parseNetDevSNMP6Stats(f)
+		if err != nil {
+			return netDevSNMP6, err
+		}
+	}
+
+	return netDevSNMP6, nil
+}
+
+func parseNetDevSNMP6Stats(r io.Reader) (map[string]uint64, error) {
+	m := make(map[string]uint64)
+
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		stat := strings.Fields(scanner.Text())
+		if len(stat) < 2 {
+			continue
+		}
+		key, val := stat[0], stat[1]
+
+		// Expect stat name to contain "6" or be "ifIndex"
+		if strings.Contains(key, "6") || key == "ifIndex" {
+			v, err := strconv.ParseUint(val, 10, 64)
+			if err != nil {
+				return m, err
+			}
+
+			m[key] = v
+		}
+	}
+	return m, scanner.Err()
+}
diff --git a/vendor/github.com/prometheus/procfs/net_ip_socket.go b/vendor/github.com/prometheus/procfs/net_ip_socket.go
index b70f1fc7..19e3378f 100644
--- a/vendor/github.com/prometheus/procfs/net_ip_socket.go
+++ b/vendor/github.com/prometheus/procfs/net_ip_socket.go
@@ -25,7 +25,7 @@ import (
 )
 
 const (
-	// readLimit is used by io.LimitReader while reading the content of the
+	// Maximum size limit used by io.LimitReader while reading the content of the
 	// /proc/net/udp{,6} files. The number of lines inside such a file is dynamic
 	// as each line represents a single used socket.
 	// In theory, the number of available sockets is 65535 (2^16 - 1) per IP.
@@ -50,12 +50,12 @@ type (
 		// UsedSockets shows the total number of parsed lines representing the
 		// number of used sockets.
 		UsedSockets uint64
-		// Drops shows the total number of dropped packets of all UPD sockets.
+		// Drops shows the total number of dropped packets of all UDP sockets.
 		Drops *uint64
 	}
 
-	// netIPSocketLine represents the fields parsed from a single line
-	// in /proc/net/{t,u}dp{,6}. Fields which are not used by IPSocket are skipped.
+	// A single line parser for fields from /proc/net/{t,u}dp{,6}.
+	// Fields which are not used by IPSocket are skipped.
 	// Drops is non-nil for udp{,6}, but nil for tcp{,6}.
 	// For the proc file format details, see https://linux.die.net/man/5/proc.
 	netIPSocketLine struct {
diff --git a/vendor/github.com/prometheus/procfs/net_protocols.go b/vendor/github.com/prometheus/procfs/net_protocols.go
index b6c77b70..8d4b1ac0 100644
--- a/vendor/github.com/prometheus/procfs/net_protocols.go
+++ b/vendor/github.com/prometheus/procfs/net_protocols.go
@@ -115,22 +115,24 @@ func (ps NetProtocolStats) parseLine(rawLine string) (*NetProtocolStatLine, erro
 	if err != nil {
 		return nil, err
 	}
-	if fields[4] == enabled {
+	switch fields[4] {
+	case enabled:
 		line.Pressure = 1
-	} else if fields[4] == disabled {
+	case disabled:
 		line.Pressure = 0
-	} else {
+	default:
 		line.Pressure = -1
 	}
 	line.MaxHeader, err = strconv.ParseUint(fields[5], 10, 64)
 	if err != nil {
 		return nil, err
 	}
-	if fields[6] == enabled {
+	switch fields[6] {
+	case enabled:
 		line.Slab = true
-	} else if fields[6] == disabled {
+	case disabled:
 		line.Slab = false
-	} else {
+	default:
 		return nil, fmt.Errorf("%w: capability for protocol: %s", ErrFileParse, line.Name)
 	}
 	line.ModuleName = fields[7]
@@ -168,11 +170,12 @@ func (pc *NetProtocolCapabilities) parseCapabilities(capabilities []string) erro
 	}
 
 	for i := 0; i < len(capabilities); i++ {
-		if capabilities[i] == "y" {
+		switch capabilities[i] {
+		case "y":
 			*capabilityFields[i] = true
-		} else if capabilities[i] == "n" {
+		case "n":
 			*capabilityFields[i] = false
-		} else {
+		default:
 			return fmt.Errorf("%w: capability block for protocol: position %d", ErrFileParse, i)
 		}
 	}
diff --git a/vendor/github.com/prometheus/procfs/net_tcp.go b/vendor/github.com/prometheus/procfs/net_tcp.go
index 52776295..0396d720 100644
--- a/vendor/github.com/prometheus/procfs/net_tcp.go
+++ b/vendor/github.com/prometheus/procfs/net_tcp.go
@@ -25,24 +25,28 @@ type (
 
 // NetTCP returns the IPv4 kernel/networking statistics for TCP datagrams
 // read from /proc/net/tcp.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET) instead.
 func (fs FS) NetTCP() (NetTCP, error) {
 	return newNetTCP(fs.proc.Path("net/tcp"))
 }
 
 // NetTCP6 returns the IPv6 kernel/networking statistics for TCP datagrams
 // read from /proc/net/tcp6.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET6) instead.
 func (fs FS) NetTCP6() (NetTCP, error) {
 	return newNetTCP(fs.proc.Path("net/tcp6"))
 }
 
 // NetTCPSummary returns already computed statistics like the total queue lengths
 // for TCP datagrams read from /proc/net/tcp.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET) instead.
 func (fs FS) NetTCPSummary() (*NetTCPSummary, error) {
 	return newNetTCPSummary(fs.proc.Path("net/tcp"))
 }
 
 // NetTCP6Summary returns already computed statistics like the total queue lengths
 // for TCP datagrams read from /proc/net/tcp6.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET6) instead.
 func (fs FS) NetTCP6Summary() (*NetTCPSummary, error) {
 	return newNetTCPSummary(fs.proc.Path("net/tcp6"))
 }
diff --git a/vendor/github.com/prometheus/procfs/net_unix.go b/vendor/github.com/prometheus/procfs/net_unix.go
index d868cebd..d7e0cacb 100644
--- a/vendor/github.com/prometheus/procfs/net_unix.go
+++ b/vendor/github.com/prometheus/procfs/net_unix.go
@@ -121,12 +121,12 @@ func parseNetUNIX(r io.Reader) (*NetUNIX, error) {
 	return &nu, nil
 }
 
-func (u *NetUNIX) parseLine(line string, hasInode bool, min int) (*NetUNIXLine, error) {
+func (u *NetUNIX) parseLine(line string, hasInode bool, minFields int) (*NetUNIXLine, error) {
 	fields := strings.Fields(line)
 
 	l := len(fields)
-	if l < min {
-		return nil, fmt.Errorf("%w: expected at least %d fields but got %d", ErrFileParse, min, l)
+	if l < minFields {
+		return nil, fmt.Errorf("%w: expected at least %d fields but got %d", ErrFileParse, minFields, l)
 	}
 
 	// Field offsets are as follows:
@@ -172,7 +172,7 @@ func (u *NetUNIX) parseLine(line string, hasInode bool, min int) (*NetUNIXLine,
 	}
 
 	// Path field is optional.
-	if l > min {
+	if l > minFields {
 		// Path occurs at either index 6 or 7 depending on whether inode is
 		// already present.
 		pathIdx := 7
diff --git a/vendor/github.com/prometheus/procfs/proc.go b/vendor/github.com/prometheus/procfs/proc.go
index 14279636..368187fa 100644
--- a/vendor/github.com/prometheus/procfs/proc.go
+++ b/vendor/github.com/prometheus/procfs/proc.go
@@ -37,9 +37,9 @@ type Proc struct {
 type Procs []Proc
 
 var (
-	ErrFileParse  = errors.New("Error Parsing File")
-	ErrFileRead   = errors.New("Error Reading File")
-	ErrMountPoint = errors.New("Error Accessing Mount point")
+	ErrFileParse  = errors.New("error parsing file")
+	ErrFileRead   = errors.New("error reading file")
+	ErrMountPoint = errors.New("error accessing mount point")
 )
 
 func (p Procs) Len() int           { return len(p) }
@@ -79,7 +79,7 @@ func (fs FS) Self() (Proc, error) {
 	if err != nil {
 		return Proc{}, err
 	}
-	pid, err := strconv.Atoi(strings.Replace(p, string(fs.proc), "", -1))
+	pid, err := strconv.Atoi(strings.ReplaceAll(p, string(fs.proc), ""))
 	if err != nil {
 		return Proc{}, err
 	}
diff --git a/vendor/github.com/prometheus/procfs/proc_cgroup.go b/vendor/github.com/prometheus/procfs/proc_cgroup.go
index daeed7f5..4a64347c 100644
--- a/vendor/github.com/prometheus/procfs/proc_cgroup.go
+++ b/vendor/github.com/prometheus/procfs/proc_cgroup.go
@@ -24,7 +24,7 @@ import (
 )
 
 // Cgroup models one line from /proc/[pid]/cgroup. Each Cgroup struct describes the placement of a PID inside a
-// specific control hierarchy. The kernel has two cgroup APIs, v1 and v2. v1 has one hierarchy per available resource
+// specific control hierarchy. The kernel has two cgroup APIs, v1 and v2. The v1 has one hierarchy per available resource
 // controller, while v2 has one unified hierarchy shared by all controllers. Regardless of v1 or v2, all hierarchies
 // contain all running processes, so the question answerable with a Cgroup struct is 'where is this process in
 // this hierarchy' (where==what path on the specific cgroupfs). By prefixing this path with the mount point of
diff --git a/vendor/github.com/prometheus/procfs/proc_io.go b/vendor/github.com/prometheus/procfs/proc_io.go
index 776f3497..d15b66dd 100644
--- a/vendor/github.com/prometheus/procfs/proc_io.go
+++ b/vendor/github.com/prometheus/procfs/proc_io.go
@@ -50,7 +50,7 @@ func (p Proc) IO() (ProcIO, error) {
 
 	ioFormat := "rchar: %d\nwchar: %d\nsyscr: %d\nsyscw: %d\n" +
 		"read_bytes: %d\nwrite_bytes: %d\n" +
-		"cancelled_write_bytes: %d\n"
+		"cancelled_write_bytes: %d\n" //nolint:misspell
 
 	_, err = fmt.Sscanf(string(data), ioFormat, &pio.RChar, &pio.WChar, &pio.SyscR,
 		&pio.SyscW, &pio.ReadBytes, &pio.WriteBytes, &pio.CancelledWriteBytes)
diff --git a/vendor/github.com/prometheus/procfs/proc_netstat.go b/vendor/github.com/prometheus/procfs/proc_netstat.go
index 8e3ff4d7..4248c171 100644
--- a/vendor/github.com/prometheus/procfs/proc_netstat.go
+++ b/vendor/github.com/prometheus/procfs/proc_netstat.go
@@ -209,232 +209,232 @@ func parseProcNetstat(r io.Reader, fileName string) (ProcNetstat, error) {
 			case "TcpExt":
 				switch key {
 				case "SyncookiesSent":
-					procNetstat.TcpExt.SyncookiesSent = &value
+					procNetstat.SyncookiesSent = &value
 				case "SyncookiesRecv":
-					procNetstat.TcpExt.SyncookiesRecv = &value
+					procNetstat.SyncookiesRecv = &value
 				case "SyncookiesFailed":
-					procNetstat.TcpExt.SyncookiesFailed = &value
+					procNetstat.SyncookiesFailed = &value
 				case "EmbryonicRsts":
-					procNetstat.TcpExt.EmbryonicRsts = &value
+					procNetstat.EmbryonicRsts = &value
 				case "PruneCalled":
-					procNetstat.TcpExt.PruneCalled = &value
+					procNetstat.PruneCalled = &value
 				case "RcvPruned":
-					procNetstat.TcpExt.RcvPruned = &value
+					procNetstat.RcvPruned = &value
 				case "OfoPruned":
-					procNetstat.TcpExt.OfoPruned = &value
+					procNetstat.OfoPruned = &value
 				case "OutOfWindowIcmps":
-					procNetstat.TcpExt.OutOfWindowIcmps = &value
+					procNetstat.OutOfWindowIcmps = &value
 				case "LockDroppedIcmps":
-					procNetstat.TcpExt.LockDroppedIcmps = &value
+					procNetstat.LockDroppedIcmps = &value
 				case "ArpFilter":
-					procNetstat.TcpExt.ArpFilter = &value
+					procNetstat.ArpFilter = &value
 				case "TW":
-					procNetstat.TcpExt.TW = &value
+					procNetstat.TW = &value
 				case "TWRecycled":
-					procNetstat.TcpExt.TWRecycled = &value
+					procNetstat.TWRecycled = &value
 				case "TWKilled":
-					procNetstat.TcpExt.TWKilled = &value
+					procNetstat.TWKilled = &value
 				case "PAWSActive":
-					procNetstat.TcpExt.PAWSActive = &value
+					procNetstat.PAWSActive = &value
 				case "PAWSEstab":
-					procNetstat.TcpExt.PAWSEstab = &value
+					procNetstat.PAWSEstab = &value
 				case "DelayedACKs":
-					procNetstat.TcpExt.DelayedACKs = &value
+					procNetstat.DelayedACKs = &value
 				case "DelayedACKLocked":
-					procNetstat.TcpExt.DelayedACKLocked = &value
+					procNetstat.DelayedACKLocked = &value
 				case "DelayedACKLost":
-					procNetstat.TcpExt.DelayedACKLost = &value
+					procNetstat.DelayedACKLost = &value
 				case "ListenOverflows":
-					procNetstat.TcpExt.ListenOverflows = &value
+					procNetstat.ListenOverflows = &value
 				case "ListenDrops":
-					procNetstat.TcpExt.ListenDrops = &value
+					procNetstat.ListenDrops = &value
 				case "TCPHPHits":
-					procNetstat.TcpExt.TCPHPHits = &value
+					procNetstat.TCPHPHits = &value
 				case "TCPPureAcks":
-					procNetstat.TcpExt.TCPPureAcks = &value
+					procNetstat.TCPPureAcks = &value
 				case "TCPHPAcks":
-					procNetstat.TcpExt.TCPHPAcks = &value
+					procNetstat.TCPHPAcks = &value
 				case "TCPRenoRecovery":
-					procNetstat.TcpExt.TCPRenoRecovery = &value
+					procNetstat.TCPRenoRecovery = &value
 				case "TCPSackRecovery":
-					procNetstat.TcpExt.TCPSackRecovery = &value
+					procNetstat.TCPSackRecovery = &value
 				case "TCPSACKReneging":
-					procNetstat.TcpExt.TCPSACKReneging = &value
+					procNetstat.TCPSACKReneging = &value
 				case "TCPSACKReorder":
-					procNetstat.TcpExt.TCPSACKReorder = &value
+					procNetstat.TCPSACKReorder = &value
 				case "TCPRenoReorder":
-					procNetstat.TcpExt.TCPRenoReorder = &value
+					procNetstat.TCPRenoReorder = &value
 				case "TCPTSReorder":
-					procNetstat.TcpExt.TCPTSReorder = &value
+					procNetstat.TCPTSReorder = &value
 				case "TCPFullUndo":
-					procNetstat.TcpExt.TCPFullUndo = &value
+					procNetstat.TCPFullUndo = &value
 				case "TCPPartialUndo":
-					procNetstat.TcpExt.TCPPartialUndo = &value
+					procNetstat.TCPPartialUndo = &value
 				case "TCPDSACKUndo":
-					procNetstat.TcpExt.TCPDSACKUndo = &value
+					procNetstat.TCPDSACKUndo = &value
 				case "TCPLossUndo":
-					procNetstat.TcpExt.TCPLossUndo = &value
+					procNetstat.TCPLossUndo = &value
 				case "TCPLostRetransmit":
-					procNetstat.TcpExt.TCPLostRetransmit = &value
+					procNetstat.TCPLostRetransmit = &value
 				case "TCPRenoFailures":
-					procNetstat.TcpExt.TCPRenoFailures = &value
+					procNetstat.TCPRenoFailures = &value
 				case "TCPSackFailures":
-					procNetstat.TcpExt.TCPSackFailures = &value
+					procNetstat.TCPSackFailures = &value
 				case "TCPLossFailures":
-					procNetstat.TcpExt.TCPLossFailures = &value
+					procNetstat.TCPLossFailures = &value
 				case "TCPFastRetrans":
-					procNetstat.TcpExt.TCPFastRetrans = &value
+					procNetstat.TCPFastRetrans = &value
 				case "TCPSlowStartRetrans":
-					procNetstat.TcpExt.TCPSlowStartRetrans = &value
+					procNetstat.TCPSlowStartRetrans = &value
 				case "TCPTimeouts":
-					procNetstat.TcpExt.TCPTimeouts = &value
+					procNetstat.TCPTimeouts = &value
 				case "TCPLossProbes":
-					procNetstat.TcpExt.TCPLossProbes = &value
+					procNetstat.TCPLossProbes = &value
 				case "TCPLossProbeRecovery":
-					procNetstat.TcpExt.TCPLossProbeRecovery = &value
+					procNetstat.TCPLossProbeRecovery = &value
 				case "TCPRenoRecoveryFail":
-					procNetstat.TcpExt.TCPRenoRecoveryFail = &value
+					procNetstat.TCPRenoRecoveryFail = &value
 				case "TCPSackRecoveryFail":
-					procNetstat.TcpExt.TCPSackRecoveryFail = &value
+					procNetstat.TCPSackRecoveryFail = &value
 				case "TCPRcvCollapsed":
-					procNetstat.TcpExt.TCPRcvCollapsed = &value
+					procNetstat.TCPRcvCollapsed = &value
 				case "TCPDSACKOldSent":
-					procNetstat.TcpExt.TCPDSACKOldSent = &value
+					procNetstat.TCPDSACKOldSent = &value
 				case "TCPDSACKOfoSent":
-					procNetstat.TcpExt.TCPDSACKOfoSent = &value
+					procNetstat.TCPDSACKOfoSent = &value
 				case "TCPDSACKRecv":
-					procNetstat.TcpExt.TCPDSACKRecv = &value
+					procNetstat.TCPDSACKRecv = &value
 				case "TCPDSACKOfoRecv":
-					procNetstat.TcpExt.TCPDSACKOfoRecv = &value
+					procNetstat.TCPDSACKOfoRecv = &value
 				case "TCPAbortOnData":
-					procNetstat.TcpExt.TCPAbortOnData = &value
+					procNetstat.TCPAbortOnData = &value
 				case "TCPAbortOnClose":
-					procNetstat.TcpExt.TCPAbortOnClose = &value
+					procNetstat.TCPAbortOnClose = &value
 				case "TCPDeferAcceptDrop":
-					procNetstat.TcpExt.TCPDeferAcceptDrop = &value
+					procNetstat.TCPDeferAcceptDrop = &value
 				case "IPReversePathFilter":
-					procNetstat.TcpExt.IPReversePathFilter = &value
+					procNetstat.IPReversePathFilter = &value
 				case "TCPTimeWaitOverflow":
-					procNetstat.TcpExt.TCPTimeWaitOverflow = &value
+					procNetstat.TCPTimeWaitOverflow = &value
 				case "TCPReqQFullDoCookies":
-					procNetstat.TcpExt.TCPReqQFullDoCookies = &value
+					procNetstat.TCPReqQFullDoCookies = &value
 				case "TCPReqQFullDrop":
-					procNetstat.TcpExt.TCPReqQFullDrop = &value
+					procNetstat.TCPReqQFullDrop = &value
 				case "TCPRetransFail":
-					procNetstat.TcpExt.TCPRetransFail = &value
+					procNetstat.TCPRetransFail = &value
 				case "TCPRcvCoalesce":
-					procNetstat.TcpExt.TCPRcvCoalesce = &value
+					procNetstat.TCPRcvCoalesce = &value
 				case "TCPRcvQDrop":
-					procNetstat.TcpExt.TCPRcvQDrop = &value
+					procNetstat.TCPRcvQDrop = &value
 				case "TCPOFOQueue":
-					procNetstat.TcpExt.TCPOFOQueue = &value
+					procNetstat.TCPOFOQueue = &value
 				case "TCPOFODrop":
-					procNetstat.TcpExt.TCPOFODrop = &value
+					procNetstat.TCPOFODrop = &value
 				case "TCPOFOMerge":
-					procNetstat.TcpExt.TCPOFOMerge = &value
+					procNetstat.TCPOFOMerge = &value
 				case "TCPChallengeACK":
-					procNetstat.TcpExt.TCPChallengeACK = &value
+					procNetstat.TCPChallengeACK = &value
 				case "TCPSYNChallenge":
-					procNetstat.TcpExt.TCPSYNChallenge = &value
+					procNetstat.TCPSYNChallenge = &value
 				case "TCPFastOpenActive":
-					procNetstat.TcpExt.TCPFastOpenActive = &value
+					procNetstat.TCPFastOpenActive = &value
 				case "TCPFastOpenActiveFail":
-					procNetstat.TcpExt.TCPFastOpenActiveFail = &value
+					procNetstat.TCPFastOpenActiveFail = &value
 				case "TCPFastOpenPassive":
-					procNetstat.TcpExt.TCPFastOpenPassive = &value
+					procNetstat.TCPFastOpenPassive = &value
 				case "TCPFastOpenPassiveFail":
-					procNetstat.TcpExt.TCPFastOpenPassiveFail = &value
+					procNetstat.TCPFastOpenPassiveFail = &value
 				case "TCPFastOpenListenOverflow":
-					procNetstat.TcpExt.TCPFastOpenListenOverflow = &value
+					procNetstat.TCPFastOpenListenOverflow = &value
 				case "TCPFastOpenCookieReqd":
-					procNetstat.TcpExt.TCPFastOpenCookieReqd = &value
+					procNetstat.TCPFastOpenCookieReqd = &value
 				case "TCPFastOpenBlackhole":
-					procNetstat.TcpExt.TCPFastOpenBlackhole = &value
+					procNetstat.TCPFastOpenBlackhole = &value
 				case "TCPSpuriousRtxHostQueues":
-					procNetstat.TcpExt.TCPSpuriousRtxHostQueues = &value
+					procNetstat.TCPSpuriousRtxHostQueues = &value
 				case "BusyPollRxPackets":
-					procNetstat.TcpExt.BusyPollRxPackets = &value
+					procNetstat.BusyPollRxPackets = &value
 				case "TCPAutoCorking":
-					procNetstat.TcpExt.TCPAutoCorking = &value
+					procNetstat.TCPAutoCorking = &value
 				case "TCPFromZeroWindowAdv":
-					procNetstat.TcpExt.TCPFromZeroWindowAdv = &value
+					procNetstat.TCPFromZeroWindowAdv = &value
 				case "TCPToZeroWindowAdv":
-					procNetstat.TcpExt.TCPToZeroWindowAdv = &value
+					procNetstat.TCPToZeroWindowAdv = &value
 				case "TCPWantZeroWindowAdv":
-					procNetstat.TcpExt.TCPWantZeroWindowAdv = &value
+					procNetstat.TCPWantZeroWindowAdv = &value
 				case "TCPSynRetrans":
-					procNetstat.TcpExt.TCPSynRetrans = &value
+					procNetstat.TCPSynRetrans = &value
 				case "TCPOrigDataSent":
-					procNetstat.TcpExt.TCPOrigDataSent = &value
+					procNetstat.TCPOrigDataSent = &value
 				case "TCPHystartTrainDetect":
-					procNetstat.TcpExt.TCPHystartTrainDetect = &value
+					procNetstat.TCPHystartTrainDetect = &value
 				case "TCPHystartTrainCwnd":
-					procNetstat.TcpExt.TCPHystartTrainCwnd = &value
+					procNetstat.TCPHystartTrainCwnd = &value
 				case "TCPHystartDelayDetect":
-					procNetstat.TcpExt.TCPHystartDelayDetect = &value
+					procNetstat.TCPHystartDelayDetect = &value
 				case "TCPHystartDelayCwnd":
-					procNetstat.TcpExt.TCPHystartDelayCwnd = &value
+					procNetstat.TCPHystartDelayCwnd = &value
 				case "TCPACKSkippedSynRecv":
-					procNetstat.TcpExt.TCPACKSkippedSynRecv = &value
+					procNetstat.TCPACKSkippedSynRecv = &value
 				case "TCPACKSkippedPAWS":
-					procNetstat.TcpExt.TCPACKSkippedPAWS = &value
+					procNetstat.TCPACKSkippedPAWS = &value
 				case "TCPACKSkippedSeq":
-					procNetstat.TcpExt.TCPACKSkippedSeq = &value
+					procNetstat.TCPACKSkippedSeq = &value
 				case "TCPACKSkippedFinWait2":
-					procNetstat.TcpExt.TCPACKSkippedFinWait2 = &value
+					procNetstat.TCPACKSkippedFinWait2 = &value
 				case "TCPACKSkippedTimeWait":
-					procNetstat.TcpExt.TCPACKSkippedTimeWait = &value
+					procNetstat.TCPACKSkippedTimeWait = &value
 				case "TCPACKSkippedChallenge":
-					procNetstat.TcpExt.TCPACKSkippedChallenge = &value
+					procNetstat.TCPACKSkippedChallenge = &value
 				case "TCPWinProbe":
-					procNetstat.TcpExt.TCPWinProbe = &value
+					procNetstat.TCPWinProbe = &value
 				case "TCPKeepAlive":
-					procNetstat.TcpExt.TCPKeepAlive = &value
+					procNetstat.TCPKeepAlive = &value
 				case "TCPMTUPFail":
-					procNetstat.TcpExt.TCPMTUPFail = &value
+					procNetstat.TCPMTUPFail = &value
 				case "TCPMTUPSuccess":
-					procNetstat.TcpExt.TCPMTUPSuccess = &value
+					procNetstat.TCPMTUPSuccess = &value
 				case "TCPWqueueTooBig":
-					procNetstat.TcpExt.TCPWqueueTooBig = &value
+					procNetstat.TCPWqueueTooBig = &value
 				}
 			case "IpExt":
 				switch key {
 				case "InNoRoutes":
-					procNetstat.IpExt.InNoRoutes = &value
+					procNetstat.InNoRoutes = &value
 				case "InTruncatedPkts":
-					procNetstat.IpExt.InTruncatedPkts = &value
+					procNetstat.InTruncatedPkts = &value
 				case "InMcastPkts":
-					procNetstat.IpExt.InMcastPkts = &value
+					procNetstat.InMcastPkts = &value
 				case "OutMcastPkts":
-					procNetstat.IpExt.OutMcastPkts = &value
+					procNetstat.OutMcastPkts = &value
 				case "InBcastPkts":
-					procNetstat.IpExt.InBcastPkts = &value
+					procNetstat.InBcastPkts = &value
 				case "OutBcastPkts":
-					procNetstat.IpExt.OutBcastPkts = &value
+					procNetstat.OutBcastPkts = &value
 				case "InOctets":
-					procNetstat.IpExt.InOctets = &value
+					procNetstat.InOctets = &value
 				case "OutOctets":
-					procNetstat.IpExt.OutOctets = &value
+					procNetstat.OutOctets = &value
 				case "InMcastOctets":
-					procNetstat.IpExt.InMcastOctets = &value
+					procNetstat.InMcastOctets = &value
 				case "OutMcastOctets":
-					procNetstat.IpExt.OutMcastOctets = &value
+					procNetstat.OutMcastOctets = &value
 				case "InBcastOctets":
-					procNetstat.IpExt.InBcastOctets = &value
+					procNetstat.InBcastOctets = &value
 				case "OutBcastOctets":
-					procNetstat.IpExt.OutBcastOctets = &value
+					procNetstat.OutBcastOctets = &value
 				case "InCsumErrors":
-					procNetstat.IpExt.InCsumErrors = &value
+					procNetstat.InCsumErrors = &value
 				case "InNoECTPkts":
-					procNetstat.IpExt.InNoECTPkts = &value
+					procNetstat.InNoECTPkts = &value
 				case "InECT1Pkts":
-					procNetstat.IpExt.InECT1Pkts = &value
+					procNetstat.InECT1Pkts = &value
 				case "InECT0Pkts":
-					procNetstat.IpExt.InECT0Pkts = &value
+					procNetstat.InECT0Pkts = &value
 				case "InCEPkts":
-					procNetstat.IpExt.InCEPkts = &value
+					procNetstat.InCEPkts = &value
 				case "ReasmOverlaps":
-					procNetstat.IpExt.ReasmOverlaps = &value
+					procNetstat.ReasmOverlaps = &value
 				}
 			}
 		}
diff --git a/vendor/github.com/prometheus/procfs/proc_smaps.go b/vendor/github.com/prometheus/procfs/proc_smaps.go
index 09060e82..9a297afc 100644
--- a/vendor/github.com/prometheus/procfs/proc_smaps.go
+++ b/vendor/github.com/prometheus/procfs/proc_smaps.go
@@ -19,7 +19,6 @@ package procfs
 import (
 	"bufio"
 	"errors"
-	"fmt"
 	"os"
 	"regexp"
 	"strconv"
@@ -29,7 +28,7 @@ import (
 )
 
 var (
-	// match the header line before each mapped zone in `/proc/pid/smaps`.
+	// Match the header line before each mapped zone in `/proc/pid/smaps`.
 	procSMapsHeaderLine = regexp.MustCompile(`^[a-f0-9].*$`)
 )
 
@@ -117,7 +116,6 @@ func (p Proc) procSMapsRollupManual() (ProcSMapsRollup, error) {
 func (s *ProcSMapsRollup) parseLine(line string) error {
 	kv := strings.SplitN(line, ":", 2)
 	if len(kv) != 2 {
-		fmt.Println(line)
 		return errors.New("invalid net/dev line, missing colon")
 	}
 
diff --git a/vendor/github.com/prometheus/procfs/proc_snmp.go b/vendor/github.com/prometheus/procfs/proc_snmp.go
index b9d2cf64..4bdc90b0 100644
--- a/vendor/github.com/prometheus/procfs/proc_snmp.go
+++ b/vendor/github.com/prometheus/procfs/proc_snmp.go
@@ -173,138 +173,138 @@ func parseSnmp(r io.Reader, fileName string) (ProcSnmp, error) {
 			case "Ip":
 				switch key {
 				case "Forwarding":
-					procSnmp.Ip.Forwarding = &value
+					procSnmp.Forwarding = &value
 				case "DefaultTTL":
-					procSnmp.Ip.DefaultTTL = &value
+					procSnmp.DefaultTTL = &value
 				case "InReceives":
-					procSnmp.Ip.InReceives = &value
+					procSnmp.InReceives = &value
 				case "InHdrErrors":
-					procSnmp.Ip.InHdrErrors = &value
+					procSnmp.InHdrErrors = &value
 				case "InAddrErrors":
-					procSnmp.Ip.InAddrErrors = &value
+					procSnmp.InAddrErrors = &value
 				case "ForwDatagrams":
-					procSnmp.Ip.ForwDatagrams = &value
+					procSnmp.ForwDatagrams = &value
 				case "InUnknownProtos":
-					procSnmp.Ip.InUnknownProtos = &value
+					procSnmp.InUnknownProtos = &value
 				case "InDiscards":
-					procSnmp.Ip.InDiscards = &value
+					procSnmp.InDiscards = &value
 				case "InDelivers":
-					procSnmp.Ip.InDelivers = &value
+					procSnmp.InDelivers = &value
 				case "OutRequests":
-					procSnmp.Ip.OutRequests = &value
+					procSnmp.OutRequests = &value
 				case "OutDiscards":
-					procSnmp.Ip.OutDiscards = &value
+					procSnmp.OutDiscards = &value
 				case "OutNoRoutes":
-					procSnmp.Ip.OutNoRoutes = &value
+					procSnmp.OutNoRoutes = &value
 				case "ReasmTimeout":
-					procSnmp.Ip.ReasmTimeout = &value
+					procSnmp.ReasmTimeout = &value
 				case "ReasmReqds":
-					procSnmp.Ip.ReasmReqds = &value
+					procSnmp.ReasmReqds = &value
 				case "ReasmOKs":
-					procSnmp.Ip.ReasmOKs = &value
+					procSnmp.ReasmOKs = &value
 				case "ReasmFails":
-					procSnmp.Ip.ReasmFails = &value
+					procSnmp.ReasmFails = &value
 				case "FragOKs":
-					procSnmp.Ip.FragOKs = &value
+					procSnmp.FragOKs = &value
 				case "FragFails":
-					procSnmp.Ip.FragFails = &value
+					procSnmp.FragFails = &value
 				case "FragCreates":
-					procSnmp.Ip.FragCreates = &value
+					procSnmp.FragCreates = &value
 				}
 			case "Icmp":
 				switch key {
 				case "InMsgs":
-					procSnmp.Icmp.InMsgs = &value
+					procSnmp.InMsgs = &value
 				case "InErrors":
 					procSnmp.Icmp.InErrors = &value
 				case "InCsumErrors":
 					procSnmp.Icmp.InCsumErrors = &value
 				case "InDestUnreachs":
-					procSnmp.Icmp.InDestUnreachs = &value
+					procSnmp.InDestUnreachs = &value
 				case "InTimeExcds":
-					procSnmp.Icmp.InTimeExcds = &value
+					procSnmp.InTimeExcds = &value
 				case "InParmProbs":
-					procSnmp.Icmp.InParmProbs = &value
+					procSnmp.InParmProbs = &value
 				case "InSrcQuenchs":
-					procSnmp.Icmp.InSrcQuenchs = &value
+					procSnmp.InSrcQuenchs = &value
 				case "InRedirects":
-					procSnmp.Icmp.InRedirects = &value
+					procSnmp.InRedirects = &value
 				case "InEchos":
-					procSnmp.Icmp.InEchos = &value
+					procSnmp.InEchos = &value
 				case "InEchoReps":
-					procSnmp.Icmp.InEchoReps = &value
+					procSnmp.InEchoReps = &value
 				case "InTimestamps":
-					procSnmp.Icmp.InTimestamps = &value
+					procSnmp.InTimestamps = &value
 				case "InTimestampReps":
-					procSnmp.Icmp.InTimestampReps = &value
+					procSnmp.InTimestampReps = &value
 				case "InAddrMasks":
-					procSnmp.Icmp.InAddrMasks = &value
+					procSnmp.InAddrMasks = &value
 				case "InAddrMaskReps":
-					procSnmp.Icmp.InAddrMaskReps = &value
+					procSnmp.InAddrMaskReps = &value
 				case "OutMsgs":
-					procSnmp.Icmp.OutMsgs = &value
+					procSnmp.OutMsgs = &value
 				case "OutErrors":
-					procSnmp.Icmp.OutErrors = &value
+					procSnmp.OutErrors = &value
 				case "OutDestUnreachs":
-					procSnmp.Icmp.OutDestUnreachs = &value
+					procSnmp.OutDestUnreachs = &value
 				case "OutTimeExcds":
-					procSnmp.Icmp.OutTimeExcds = &value
+					procSnmp.OutTimeExcds = &value
 				case "OutParmProbs":
-					procSnmp.Icmp.OutParmProbs = &value
+					procSnmp.OutParmProbs = &value
 				case "OutSrcQuenchs":
-					procSnmp.Icmp.OutSrcQuenchs = &value
+					procSnmp.OutSrcQuenchs = &value
 				case "OutRedirects":
-					procSnmp.Icmp.OutRedirects = &value
+					procSnmp.OutRedirects = &value
 				case "OutEchos":
-					procSnmp.Icmp.OutEchos = &value
+					procSnmp.OutEchos = &value
 				case "OutEchoReps":
-					procSnmp.Icmp.OutEchoReps = &value
+					procSnmp.OutEchoReps = &value
 				case "OutTimestamps":
-					procSnmp.Icmp.OutTimestamps = &value
+					procSnmp.OutTimestamps = &value
 				case "OutTimestampReps":
-					procSnmp.Icmp.OutTimestampReps = &value
+					procSnmp.OutTimestampReps = &value
 				case "OutAddrMasks":
-					procSnmp.Icmp.OutAddrMasks = &value
+					procSnmp.OutAddrMasks = &value
 				case "OutAddrMaskReps":
-					procSnmp.Icmp.OutAddrMaskReps = &value
+					procSnmp.OutAddrMaskReps = &value
 				}
 			case "IcmpMsg":
 				switch key {
 				case "InType3":
-					procSnmp.IcmpMsg.InType3 = &value
+					procSnmp.InType3 = &value
 				case "OutType3":
-					procSnmp.IcmpMsg.OutType3 = &value
+					procSnmp.OutType3 = &value
 				}
 			case "Tcp":
 				switch key {
 				case "RtoAlgorithm":
-					procSnmp.Tcp.RtoAlgorithm = &value
+					procSnmp.RtoAlgorithm = &value
 				case "RtoMin":
-					procSnmp.Tcp.RtoMin = &value
+					procSnmp.RtoMin = &value
 				case "RtoMax":
-					procSnmp.Tcp.RtoMax = &value
+					procSnmp.RtoMax = &value
 				case "MaxConn":
-					procSnmp.Tcp.MaxConn = &value
+					procSnmp.MaxConn = &value
 				case "ActiveOpens":
-					procSnmp.Tcp.ActiveOpens = &value
+					procSnmp.ActiveOpens = &value
 				case "PassiveOpens":
-					procSnmp.Tcp.PassiveOpens = &value
+					procSnmp.PassiveOpens = &value
 				case "AttemptFails":
-					procSnmp.Tcp.AttemptFails = &value
+					procSnmp.AttemptFails = &value
 				case "EstabResets":
-					procSnmp.Tcp.EstabResets = &value
+					procSnmp.EstabResets = &value
 				case "CurrEstab":
-					procSnmp.Tcp.CurrEstab = &value
+					procSnmp.CurrEstab = &value
 				case "InSegs":
-					procSnmp.Tcp.InSegs = &value
+					procSnmp.InSegs = &value
 				case "OutSegs":
-					procSnmp.Tcp.OutSegs = &value
+					procSnmp.OutSegs = &value
 				case "RetransSegs":
-					procSnmp.Tcp.RetransSegs = &value
+					procSnmp.RetransSegs = &value
 				case "InErrs":
-					procSnmp.Tcp.InErrs = &value
+					procSnmp.InErrs = &value
 				case "OutRsts":
-					procSnmp.Tcp.OutRsts = &value
+					procSnmp.OutRsts = &value
 				case "InCsumErrors":
 					procSnmp.Tcp.InCsumErrors = &value
 				}
diff --git a/vendor/github.com/prometheus/procfs/proc_snmp6.go b/vendor/github.com/prometheus/procfs/proc_snmp6.go
index 3059cc6a..fb7fd399 100644
--- a/vendor/github.com/prometheus/procfs/proc_snmp6.go
+++ b/vendor/github.com/prometheus/procfs/proc_snmp6.go
@@ -182,161 +182,161 @@ func parseSNMP6Stats(r io.Reader) (ProcSnmp6, error) {
 			case "Ip6":
 				switch key {
 				case "InReceives":
-					procSnmp6.Ip6.InReceives = &value
+					procSnmp6.InReceives = &value
 				case "InHdrErrors":
-					procSnmp6.Ip6.InHdrErrors = &value
+					procSnmp6.InHdrErrors = &value
 				case "InTooBigErrors":
-					procSnmp6.Ip6.InTooBigErrors = &value
+					procSnmp6.InTooBigErrors = &value
 				case "InNoRoutes":
-					procSnmp6.Ip6.InNoRoutes = &value
+					procSnmp6.InNoRoutes = &value
 				case "InAddrErrors":
-					procSnmp6.Ip6.InAddrErrors = &value
+					procSnmp6.InAddrErrors = &value
 				case "InUnknownProtos":
-					procSnmp6.Ip6.InUnknownProtos = &value
+					procSnmp6.InUnknownProtos = &value
 				case "InTruncatedPkts":
-					procSnmp6.Ip6.InTruncatedPkts = &value
+					procSnmp6.InTruncatedPkts = &value
 				case "InDiscards":
-					procSnmp6.Ip6.InDiscards = &value
+					procSnmp6.InDiscards = &value
 				case "InDelivers":
-					procSnmp6.Ip6.InDelivers = &value
+					procSnmp6.InDelivers = &value
 				case "OutForwDatagrams":
-					procSnmp6.Ip6.OutForwDatagrams = &value
+					procSnmp6.OutForwDatagrams = &value
 				case "OutRequests":
-					procSnmp6.Ip6.OutRequests = &value
+					procSnmp6.OutRequests = &value
 				case "OutDiscards":
-					procSnmp6.Ip6.OutDiscards = &value
+					procSnmp6.OutDiscards = &value
 				case "OutNoRoutes":
-					procSnmp6.Ip6.OutNoRoutes = &value
+					procSnmp6.OutNoRoutes = &value
 				case "ReasmTimeout":
-					procSnmp6.Ip6.ReasmTimeout = &value
+					procSnmp6.ReasmTimeout = &value
 				case "ReasmReqds":
-					procSnmp6.Ip6.ReasmReqds = &value
+					procSnmp6.ReasmReqds = &value
 				case "ReasmOKs":
-					procSnmp6.Ip6.ReasmOKs = &value
+					procSnmp6.ReasmOKs = &value
 				case "ReasmFails":
-					procSnmp6.Ip6.ReasmFails = &value
+					procSnmp6.ReasmFails = &value
 				case "FragOKs":
-					procSnmp6.Ip6.FragOKs = &value
+					procSnmp6.FragOKs = &value
 				case "FragFails":
-					procSnmp6.Ip6.FragFails = &value
+					procSnmp6.FragFails = &value
 				case "FragCreates":
-					procSnmp6.Ip6.FragCreates = &value
+					procSnmp6.FragCreates = &value
 				case "InMcastPkts":
-					procSnmp6.Ip6.InMcastPkts = &value
+					procSnmp6.InMcastPkts = &value
 				case "OutMcastPkts":
-					procSnmp6.Ip6.OutMcastPkts = &value
+					procSnmp6.OutMcastPkts = &value
 				case "InOctets":
-					procSnmp6.Ip6.InOctets = &value
+					procSnmp6.InOctets = &value
 				case "OutOctets":
-					procSnmp6.Ip6.OutOctets = &value
+					procSnmp6.OutOctets = &value
 				case "InMcastOctets":
-					procSnmp6.Ip6.InMcastOctets = &value
+					procSnmp6.InMcastOctets = &value
 				case "OutMcastOctets":
-					procSnmp6.Ip6.OutMcastOctets = &value
+					procSnmp6.OutMcastOctets = &value
 				case "InBcastOctets":
-					procSnmp6.Ip6.InBcastOctets = &value
+					procSnmp6.InBcastOctets = &value
 				case "OutBcastOctets":
-					procSnmp6.Ip6.OutBcastOctets = &value
+					procSnmp6.OutBcastOctets = &value
 				case "InNoECTPkts":
-					procSnmp6.Ip6.InNoECTPkts = &value
+					procSnmp6.InNoECTPkts = &value
 				case "InECT1Pkts":
-					procSnmp6.Ip6.InECT1Pkts = &value
+					procSnmp6.InECT1Pkts = &value
 				case "InECT0Pkts":
-					procSnmp6.Ip6.InECT0Pkts = &value
+					procSnmp6.InECT0Pkts = &value
 				case "InCEPkts":
-					procSnmp6.Ip6.InCEPkts = &value
+					procSnmp6.InCEPkts = &value
 
 				}
 			case "Icmp6":
 				switch key {
 				case "InMsgs":
-					procSnmp6.Icmp6.InMsgs = &value
+					procSnmp6.InMsgs = &value
 				case "InErrors":
 					procSnmp6.Icmp6.InErrors = &value
 				case "OutMsgs":
-					procSnmp6.Icmp6.OutMsgs = &value
+					procSnmp6.OutMsgs = &value
 				case "OutErrors":
-					procSnmp6.Icmp6.OutErrors = &value
+					procSnmp6.OutErrors = &value
 				case "InCsumErrors":
 					procSnmp6.Icmp6.InCsumErrors = &value
 				case "InDestUnreachs":
-					procSnmp6.Icmp6.InDestUnreachs = &value
+					procSnmp6.InDestUnreachs = &value
 				case "InPktTooBigs":
-					procSnmp6.Icmp6.InPktTooBigs = &value
+					procSnmp6.InPktTooBigs = &value
 				case "InTimeExcds":
-					procSnmp6.Icmp6.InTimeExcds = &value
+					procSnmp6.InTimeExcds = &value
 				case "InParmProblems":
-					procSnmp6.Icmp6.InParmProblems = &value
+					procSnmp6.InParmProblems = &value
 				case "InEchos":
-					procSnmp6.Icmp6.InEchos = &value
+					procSnmp6.InEchos = &value
 				case "InEchoReplies":
-					procSnmp6.Icmp6.InEchoReplies = &value
+					procSnmp6.InEchoReplies = &value
 				case "InGroupMembQueries":
-					procSnmp6.Icmp6.InGroupMembQueries = &value
+					procSnmp6.InGroupMembQueries = &value
 				case "InGroupMembResponses":
-					procSnmp6.Icmp6.InGroupMembResponses = &value
+					procSnmp6.InGroupMembResponses = &value
 				case "InGroupMembReductions":
-					procSnmp6.Icmp6.InGroupMembReductions = &value
+					procSnmp6.InGroupMembReductions = &value
 				case "InRouterSolicits":
-					procSnmp6.Icmp6.InRouterSolicits = &value
+					procSnmp6.InRouterSolicits = &value
 				case "InRouterAdvertisements":
-					procSnmp6.Icmp6.InRouterAdvertisements = &value
+					procSnmp6.InRouterAdvertisements = &value
 				case "InNeighborSolicits":
-					procSnmp6.Icmp6.InNeighborSolicits = &value
+					procSnmp6.InNeighborSolicits = &value
 				case "InNeighborAdvertisements":
-					procSnmp6.Icmp6.InNeighborAdvertisements = &value
+					procSnmp6.InNeighborAdvertisements = &value
 				case "InRedirects":
-					procSnmp6.Icmp6.InRedirects = &value
+					procSnmp6.InRedirects = &value
 				case "InMLDv2Reports":
-					procSnmp6.Icmp6.InMLDv2Reports = &value
+					procSnmp6.InMLDv2Reports = &value
 				case "OutDestUnreachs":
-					procSnmp6.Icmp6.OutDestUnreachs = &value
+					procSnmp6.OutDestUnreachs = &value
 				case "OutPktTooBigs":
-					procSnmp6.Icmp6.OutPktTooBigs = &value
+					procSnmp6.OutPktTooBigs = &value
 				case "OutTimeExcds":
-					procSnmp6.Icmp6.OutTimeExcds = &value
+					procSnmp6.OutTimeExcds = &value
 				case "OutParmProblems":
-					procSnmp6.Icmp6.OutParmProblems = &value
+					procSnmp6.OutParmProblems = &value
 				case "OutEchos":
-					procSnmp6.Icmp6.OutEchos = &value
+					procSnmp6.OutEchos = &value
 				case "OutEchoReplies":
-					procSnmp6.Icmp6.OutEchoReplies = &value
+					procSnmp6.OutEchoReplies = &value
 				case "OutGroupMembQueries":
-					procSnmp6.Icmp6.OutGroupMembQueries = &value
+					procSnmp6.OutGroupMembQueries = &value
 				case "OutGroupMembResponses":
-					procSnmp6.Icmp6.OutGroupMembResponses = &value
+					procSnmp6.OutGroupMembResponses = &value
 				case "OutGroupMembReductions":
-					procSnmp6.Icmp6.OutGroupMembReductions = &value
+					procSnmp6.OutGroupMembReductions = &value
 				case "OutRouterSolicits":
-					procSnmp6.Icmp6.OutRouterSolicits = &value
+					procSnmp6.OutRouterSolicits = &value
 				case "OutRouterAdvertisements":
-					procSnmp6.Icmp6.OutRouterAdvertisements = &value
+					procSnmp6.OutRouterAdvertisements = &value
 				case "OutNeighborSolicits":
-					procSnmp6.Icmp6.OutNeighborSolicits = &value
+					procSnmp6.OutNeighborSolicits = &value
 				case "OutNeighborAdvertisements":
-					procSnmp6.Icmp6.OutNeighborAdvertisements = &value
+					procSnmp6.OutNeighborAdvertisements = &value
 				case "OutRedirects":
-					procSnmp6.Icmp6.OutRedirects = &value
+					procSnmp6.OutRedirects = &value
 				case "OutMLDv2Reports":
-					procSnmp6.Icmp6.OutMLDv2Reports = &value
+					procSnmp6.OutMLDv2Reports = &value
 				case "InType1":
-					procSnmp6.Icmp6.InType1 = &value
+					procSnmp6.InType1 = &value
 				case "InType134":
-					procSnmp6.Icmp6.InType134 = &value
+					procSnmp6.InType134 = &value
 				case "InType135":
-					procSnmp6.Icmp6.InType135 = &value
+					procSnmp6.InType135 = &value
 				case "InType136":
-					procSnmp6.Icmp6.InType136 = &value
+					procSnmp6.InType136 = &value
 				case "InType143":
-					procSnmp6.Icmp6.InType143 = &value
+					procSnmp6.InType143 = &value
 				case "OutType133":
-					procSnmp6.Icmp6.OutType133 = &value
+					procSnmp6.OutType133 = &value
 				case "OutType135":
-					procSnmp6.Icmp6.OutType135 = &value
+					procSnmp6.OutType135 = &value
 				case "OutType136":
-					procSnmp6.Icmp6.OutType136 = &value
+					procSnmp6.OutType136 = &value
 				case "OutType143":
-					procSnmp6.Icmp6.OutType143 = &value
+					procSnmp6.OutType143 = &value
 				}
 			case "Udp6":
 				switch key {
@@ -355,7 +355,7 @@ func parseSNMP6Stats(r io.Reader) (ProcSnmp6, error) {
 				case "InCsumErrors":
 					procSnmp6.Udp6.InCsumErrors = &value
 				case "IgnoredMulti":
-					procSnmp6.Udp6.IgnoredMulti = &value
+					procSnmp6.IgnoredMulti = &value
 				}
 			case "UdpLite6":
 				switch key {
diff --git a/vendor/github.com/prometheus/procfs/proc_stat.go b/vendor/github.com/prometheus/procfs/proc_stat.go
index 06a8d931..3328556b 100644
--- a/vendor/github.com/prometheus/procfs/proc_stat.go
+++ b/vendor/github.com/prometheus/procfs/proc_stat.go
@@ -101,6 +101,12 @@ type ProcStat struct {
 	RSS int
 	// Soft limit in bytes on the rss of the process.
 	RSSLimit uint64
+	// The address above which program text can run.
+	StartCode uint64
+	// The address below which program text can run.
+	EndCode uint64
+	// The address of the start (i.e., bottom) of the stack.
+	StartStack uint64
 	// CPU number last executed on.
 	Processor uint
 	// Real-time scheduling priority, a number in the range 1 to 99 for processes
@@ -177,9 +183,9 @@ func (p Proc) Stat() (ProcStat, error) {
 		&s.VSize,
 		&s.RSS,
 		&s.RSSLimit,
-		&ignoreUint64,
-		&ignoreUint64,
-		&ignoreUint64,
+		&s.StartCode,
+		&s.EndCode,
+		&s.StartStack,
 		&ignoreUint64,
 		&ignoreUint64,
 		&ignoreUint64,
diff --git a/vendor/github.com/prometheus/procfs/proc_statm.go b/vendor/github.com/prometheus/procfs/proc_statm.go
new file mode 100644
index 00000000..ed579842
--- /dev/null
+++ b/vendor/github.com/prometheus/procfs/proc_statm.go
@@ -0,0 +1,116 @@
+// Copyright 2025 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package procfs
+
+import (
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/prometheus/procfs/internal/util"
+)
+
+// - https://man7.org/linux/man-pages/man5/proc_pid_statm.5.html
+
+// ProcStatm Provides memory usage information for a process, measured in memory pages.
+// Read from /proc/[pid]/statm.
+type ProcStatm struct {
+	// The process ID.
+	PID int
+	// total program size (same as VmSize in status)
+	Size uint64
+	// resident set size (same as VmRSS in status)
+	Resident uint64
+	// number of resident shared pages (i.e., backed by a file)
+	Shared uint64
+	// text (code)
+	Text uint64
+	// library (unused since Linux 2.6; always 0)
+	Lib uint64
+	// data + stack
+	Data uint64
+	// dirty pages (unused since Linux 2.6; always 0)
+	Dt uint64
+}
+
+// NewStatm returns the current status information of the process.
+// Deprecated: Use p.Statm() instead.
+func (p Proc) NewStatm() (ProcStatm, error) {
+	return p.Statm()
+}
+
+// Statm returns the current memory usage information of the process.
+func (p Proc) Statm() (ProcStatm, error) {
+	data, err := util.ReadFileNoStat(p.path("statm"))
+	if err != nil {
+		return ProcStatm{}, err
+	}
+
+	statmSlice, err := parseStatm(data)
+	if err != nil {
+		return ProcStatm{}, err
+	}
+
+	procStatm := ProcStatm{
+		PID:      p.PID,
+		Size:     statmSlice[0],
+		Resident: statmSlice[1],
+		Shared:   statmSlice[2],
+		Text:     statmSlice[3],
+		Lib:      statmSlice[4],
+		Data:     statmSlice[5],
+		Dt:       statmSlice[6],
+	}
+
+	return procStatm, nil
+}
+
+// parseStatm return /proc/[pid]/statm data to uint64 slice.
+func parseStatm(data []byte) ([]uint64, error) {
+	var statmSlice []uint64
+	statmItems := strings.Fields(string(data))
+	for i := 0; i < len(statmItems); i++ {
+		statmItem, err := strconv.ParseUint(statmItems[i], 10, 64)
+		if err != nil {
+			return nil, err
+		}
+		statmSlice = append(statmSlice, statmItem)
+	}
+	return statmSlice, nil
+}
+
+// SizeBytes returns the process of total program size in bytes.
+func (s ProcStatm) SizeBytes() uint64 {
+	return s.Size * uint64(os.Getpagesize())
+}
+
+// ResidentBytes returns the process of resident set size in bytes.
+func (s ProcStatm) ResidentBytes() uint64 {
+	return s.Resident * uint64(os.Getpagesize())
+}
+
+// SHRBytes returns the process of share memory size in bytes.
+func (s ProcStatm) SHRBytes() uint64 {
+	return s.Shared * uint64(os.Getpagesize())
+}
+
+// TextBytes returns the process of text (code) size in bytes.
+func (s ProcStatm) TextBytes() uint64 {
+	return s.Text * uint64(os.Getpagesize())
+}
+
+// DataBytes returns the process of data + stack size in bytes.
+func (s ProcStatm) DataBytes() uint64 {
+	return s.Data * uint64(os.Getpagesize())
+}
diff --git a/vendor/github.com/prometheus/procfs/proc_status.go b/vendor/github.com/prometheus/procfs/proc_status.go
index a055197c..dd8aa568 100644
--- a/vendor/github.com/prometheus/procfs/proc_status.go
+++ b/vendor/github.com/prometheus/procfs/proc_status.go
@@ -146,7 +146,11 @@ func (s *ProcStatus) fillStatus(k string, vString string, vUint uint64, vUintByt
 			}
 		}
 	case "NSpid":
-		s.NSpids = calcNSPidsList(vString)
+		nspids, err := calcNSPidsList(vString)
+		if err != nil {
+			return err
+		}
+		s.NSpids = nspids
 	case "VmPeak":
 		s.VmPeak = vUintBytes
 	case "VmSize":
@@ -222,17 +226,17 @@ func calcCpusAllowedList(cpuString string) []uint64 {
 	return g
 }
 
-func calcNSPidsList(nspidsString string) []uint64 {
-	s := strings.Split(nspidsString, " ")
+func calcNSPidsList(nspidsString string) ([]uint64, error) {
+	s := strings.Split(nspidsString, "\t")
 	var nspids []uint64
 
 	for _, nspid := range s {
-		nspid, _ := strconv.ParseUint(nspid, 10, 64)
-		if nspid == 0 {
-			continue
+		nspid, err := strconv.ParseUint(nspid, 10, 64)
+		if err != nil {
+			return nil, err
 		}
 		nspids = append(nspids, nspid)
 	}
 
-	return nspids
+	return nspids, nil
 }
diff --git a/vendor/github.com/prometheus/procfs/proc_sys.go b/vendor/github.com/prometheus/procfs/proc_sys.go
index 5eefbe2e..3810d1ac 100644
--- a/vendor/github.com/prometheus/procfs/proc_sys.go
+++ b/vendor/github.com/prometheus/procfs/proc_sys.go
@@ -21,7 +21,7 @@ import (
 )
 
 func sysctlToPath(sysctl string) string {
-	return strings.Replace(sysctl, ".", "/", -1)
+	return strings.ReplaceAll(sysctl, ".", "/")
 }
 
 func (fs FS) SysctlStrings(sysctl string) ([]string, error) {
diff --git a/vendor/github.com/prometheus/procfs/softirqs.go b/vendor/github.com/prometheus/procfs/softirqs.go
index 28708e07..403e6ae7 100644
--- a/vendor/github.com/prometheus/procfs/softirqs.go
+++ b/vendor/github.com/prometheus/procfs/softirqs.go
@@ -68,8 +68,8 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 		if len(parts) < 2 {
 			continue
 		}
-		switch {
-		case parts[0] == "HI:":
+		switch parts[0] {
+		case "HI:":
 			perCPU := parts[1:]
 			softirqs.Hi = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -77,7 +77,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (HI%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "TIMER:":
+		case "TIMER:":
 			perCPU := parts[1:]
 			softirqs.Timer = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -85,7 +85,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (TIMER%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "NET_TX:":
+		case "NET_TX:":
 			perCPU := parts[1:]
 			softirqs.NetTx = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -93,7 +93,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (NET_TX%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "NET_RX:":
+		case "NET_RX:":
 			perCPU := parts[1:]
 			softirqs.NetRx = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -101,7 +101,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (NET_RX%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "BLOCK:":
+		case "BLOCK:":
 			perCPU := parts[1:]
 			softirqs.Block = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -109,7 +109,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (BLOCK%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "IRQ_POLL:":
+		case "IRQ_POLL:":
 			perCPU := parts[1:]
 			softirqs.IRQPoll = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -117,7 +117,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (IRQ_POLL%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "TASKLET:":
+		case "TASKLET:":
 			perCPU := parts[1:]
 			softirqs.Tasklet = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -125,7 +125,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (TASKLET%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "SCHED:":
+		case "SCHED:":
 			perCPU := parts[1:]
 			softirqs.Sched = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -133,7 +133,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (SCHED%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "HRTIMER:":
+		case "HRTIMER:":
 			perCPU := parts[1:]
 			softirqs.HRTimer = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -141,7 +141,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (HRTIMER%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "RCU:":
+		case "RCU:":
 			perCPU := parts[1:]
 			softirqs.RCU = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
diff --git a/vendor/github.com/sergi/go-diff/diffmatchpatch/diff.go b/vendor/github.com/sergi/go-diff/diffmatchpatch/diff.go
index 915d5090..08c36e74 100644
--- a/vendor/github.com/sergi/go-diff/diffmatchpatch/diff.go
+++ b/vendor/github.com/sergi/go-diff/diffmatchpatch/diff.go
@@ -1146,13 +1146,28 @@ func (dmp *DiffMatchPatch) DiffPrettyText(diffs []Diff) string {
 
 		switch diff.Type {
 		case DiffInsert:
-			_, _ = buff.WriteString("\x1b[32m")
-			_, _ = buff.WriteString(text)
-			_, _ = buff.WriteString("\x1b[0m")
+			lines := strings.Split(text, "\n")
+			for i, line := range lines {
+				_, _ = buff.WriteString("\x1b[32m")
+				_, _ = buff.WriteString(line)
+				if i < len(lines)-1 {
+					_, _ = buff.WriteString("\x1b[0m\n")
+				} else {
+					_, _ = buff.WriteString("\x1b[0m")
+				}
+			}
+
 		case DiffDelete:
-			_, _ = buff.WriteString("\x1b[31m")
-			_, _ = buff.WriteString(text)
-			_, _ = buff.WriteString("\x1b[0m")
+			lines := strings.Split(text, "\n")
+			for i, line := range lines {
+				_, _ = buff.WriteString("\x1b[31m")
+				_, _ = buff.WriteString(line)
+				if i < len(lines)-1 {
+					_, _ = buff.WriteString("\x1b[0m\n")
+				} else {
+					_, _ = buff.WriteString("\x1b[0m")
+				}
+			}
 		case DiffEqual:
 			_, _ = buff.WriteString(text)
 		}
@@ -1305,7 +1320,6 @@ func (dmp *DiffMatchPatch) DiffFromDelta(text1 string, delta string) (diffs []Di
 
 // diffLinesToStrings splits two texts into a list of strings. Each string represents one line.
 func (dmp *DiffMatchPatch) diffLinesToStrings(text1, text2 string) (string, string, []string) {
-	// '\x00' is a valid character, but various debuggers don't like it. So we'll insert a junk entry to avoid generating a null character.
 	lineArray := []string{""} // e.g. lineArray[4] == 'Hello\n'
 
 	lineHash := make(map[string]int)
@@ -1316,12 +1330,11 @@ func (dmp *DiffMatchPatch) diffLinesToStrings(text1, text2 string) (string, stri
 	return intArrayToString(strIndexArray1), intArrayToString(strIndexArray2), lineArray
 }
 
-// diffLinesToStringsMunge splits a text into an array of strings, and reduces the texts to a []string.
-func (dmp *DiffMatchPatch) diffLinesToStringsMunge(text string, lineArray *[]string, lineHash map[string]int) []uint32 {
-	// Walk the text, pulling out a substring for each line. text.split('\n') would would temporarily double our memory footprint. Modifying text would create many large strings to garbage collect.
+// diffLinesToStringsMunge splits a text into an array of strings, and reduces the texts to a []index.
+func (dmp *DiffMatchPatch) diffLinesToStringsMunge(text string, lineArray *[]string, lineHash map[string]int) []index {
 	lineStart := 0
 	lineEnd := -1
-	strs := []uint32{}
+	strs := []index{}
 
 	for lineEnd < len(text)-1 {
 		lineEnd = indexOf(text, "\n", lineStart)
@@ -1335,11 +1348,11 @@ func (dmp *DiffMatchPatch) diffLinesToStringsMunge(text string, lineArray *[]str
 		lineValue, ok := lineHash[line]
 
 		if ok {
-			strs = append(strs, uint32(lineValue))
+			strs = append(strs, index(lineValue))
 		} else {
 			*lineArray = append(*lineArray, line)
 			lineHash[line] = len(*lineArray) - 1
-			strs = append(strs, uint32(len(*lineArray)-1))
+			strs = append(strs, index(len(*lineArray)-1))
 		}
 	}
 
diff --git a/vendor/github.com/sergi/go-diff/diffmatchpatch/index.go b/vendor/github.com/sergi/go-diff/diffmatchpatch/index.go
new file mode 100644
index 00000000..965a1c64
--- /dev/null
+++ b/vendor/github.com/sergi/go-diff/diffmatchpatch/index.go
@@ -0,0 +1,32 @@
+package diffmatchpatch
+
+type index uint32
+
+const runeSkipStart = 0xd800
+const runeSkipEnd = 0xdfff + 1
+const runeMax = 0x110000 // next invalid code point
+
+func stringToIndex(text string) []index {
+	runes := []rune(text)
+	indexes := make([]index, len(runes))
+	for i, r := range runes {
+		if r < runeSkipEnd {
+			indexes[i] = index(r)
+		} else {
+			indexes[i] = index(r) - (runeSkipEnd - runeSkipStart)
+		}
+	}
+	return indexes
+}
+
+func indexesToString(indexes []index) string {
+	runes := make([]rune, len(indexes))
+	for i, index := range indexes {
+		if index < runeSkipStart {
+			runes[i] = rune(index)
+		} else {
+			runes[i] = rune(index + (runeSkipEnd - runeSkipStart))
+		}
+	}
+	return string(runes)
+}
diff --git a/vendor/github.com/sergi/go-diff/diffmatchpatch/stringutil.go b/vendor/github.com/sergi/go-diff/diffmatchpatch/stringutil.go
index eb727bb5..573b6bf7 100644
--- a/vendor/github.com/sergi/go-diff/diffmatchpatch/stringutil.go
+++ b/vendor/github.com/sergi/go-diff/diffmatchpatch/stringutil.go
@@ -93,14 +93,14 @@ func runesIndex(r1, r2 []rune) int {
 	return -1
 }
 
-func intArrayToString(ns []uint32) string {
+func intArrayToString(ns []index) string {
 	if len(ns) == 0 {
 		return ""
 	}
 
 	b := []rune{}
 	for _, n := range ns {
-		b = append(b, intToRune(n))
+		b = append(b, intToRune(uint32(n)))
 	}
 	return string(b)
 }
diff --git a/vendor/github.com/spf13/pflag/README.md b/vendor/github.com/spf13/pflag/README.md
index 7eacc5bd..388c4e5e 100644
--- a/vendor/github.com/spf13/pflag/README.md
+++ b/vendor/github.com/spf13/pflag/README.md
@@ -284,6 +284,33 @@ func main() {
 }
 ```
 
+### Using pflag with go test
+`pflag` does not parse the shorthand versions of go test's built-in flags (i.e., those starting with `-test.`).
+For more context, see issues [#63](https://github.com/spf13/pflag/issues/63) and [#238](https://github.com/spf13/pflag/issues/238) for more details.
+
+For example, if you use pflag in your `TestMain` function and call `pflag.Parse()` after defining your custom flags, running a test like this:
+```bash
+go test /your/tests -run ^YourTest -v --your-test-pflags
+```
+will result in the `-v` flag being ignored. This happens because of the way pflag handles flag parsing, skipping over go test's built-in shorthand flags.
+To work around this, you can use the `ParseSkippedFlags` function, which ensures that go test's flags are parsed separately using the standard flag package.
+
+**Example**: You want to parse go test flags that are otherwise ignore by `pflag.Parse()`
+```go
+import (
+	goflag "flag"
+	flag "github.com/spf13/pflag"
+)
+
+var ip *int = flag.Int("flagname", 1234, "help message for flagname")
+
+func main() {
+	flag.CommandLine.AddGoFlagSet(goflag.CommandLine)
+    flag.ParseSkippedFlags(os.Args[1:], goflag.CommandLine)
+	flag.Parse()
+}
+```
+
 ## More info
 
 You can see the full reference documentation of the pflag package
diff --git a/vendor/github.com/spf13/pflag/bool_func.go b/vendor/github.com/spf13/pflag/bool_func.go
new file mode 100644
index 00000000..83d77afa
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/bool_func.go
@@ -0,0 +1,40 @@
+package pflag
+
+// -- func Value
+type boolfuncValue func(string) error
+
+func (f boolfuncValue) Set(s string) error { return f(s) }
+
+func (f boolfuncValue) Type() string { return "boolfunc" }
+
+func (f boolfuncValue) String() string { return "" } // same behavior as stdlib 'flag' package
+
+func (f boolfuncValue) IsBoolFlag() bool { return true }
+
+// BoolFunc defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}" (or any form that matches the flag) is parsed
+// on the command line.
+func (f *FlagSet) BoolFunc(name string, usage string, fn func(string) error) {
+	f.BoolFuncP(name, "", usage, fn)
+}
+
+// BoolFuncP is like BoolFunc, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) BoolFuncP(name, shorthand string, usage string, fn func(string) error) {
+	var val Value = boolfuncValue(fn)
+	flag := f.VarPF(val, name, shorthand, usage)
+	flag.NoOptDefVal = "true"
+}
+
+// BoolFunc defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}" (or any form that matches the flag) is parsed
+// on the command line.
+func BoolFunc(name string, usage string, fn func(string) error) {
+	CommandLine.BoolFuncP(name, "", usage, fn)
+}
+
+// BoolFuncP is like BoolFunc, but accepts a shorthand letter that can be used after a single dash.
+func BoolFuncP(name, shorthand string, usage string, fn func(string) error) {
+	CommandLine.BoolFuncP(name, shorthand, usage, fn)
+}
diff --git a/vendor/github.com/spf13/pflag/count.go b/vendor/github.com/spf13/pflag/count.go
index a0b2679f..d49c0143 100644
--- a/vendor/github.com/spf13/pflag/count.go
+++ b/vendor/github.com/spf13/pflag/count.go
@@ -85,7 +85,7 @@ func (f *FlagSet) CountP(name, shorthand string, usage string) *int {
 
 // Count defines a count flag with specified name, default value, and usage string.
 // The return value is the address of an int variable that stores the value of the flag.
-// A count flag will add 1 to its value evey time it is found on the command line
+// A count flag will add 1 to its value every time it is found on the command line
 func Count(name string, usage string) *int {
 	return CommandLine.CountP(name, "", usage)
 }
diff --git a/vendor/github.com/spf13/pflag/errors.go b/vendor/github.com/spf13/pflag/errors.go
new file mode 100644
index 00000000..ff11b66b
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/errors.go
@@ -0,0 +1,149 @@
+package pflag
+
+import "fmt"
+
+// notExistErrorMessageType specifies which flavor of "flag does not exist"
+// is printed by NotExistError. This allows the related errors to be grouped
+// under a single NotExistError struct without making a breaking change to
+// the error message text.
+type notExistErrorMessageType int
+
+const (
+	flagNotExistMessage notExistErrorMessageType = iota
+	flagNotDefinedMessage
+	flagNoSuchFlagMessage
+	flagUnknownFlagMessage
+	flagUnknownShorthandFlagMessage
+)
+
+// NotExistError is the error returned when trying to access a flag that
+// does not exist in the FlagSet.
+type NotExistError struct {
+	name                string
+	specifiedShorthands string
+	messageType         notExistErrorMessageType
+}
+
+// Error implements error.
+func (e *NotExistError) Error() string {
+	switch e.messageType {
+	case flagNotExistMessage:
+		return fmt.Sprintf("flag %q does not exist", e.name)
+
+	case flagNotDefinedMessage:
+		return fmt.Sprintf("flag accessed but not defined: %s", e.name)
+
+	case flagNoSuchFlagMessage:
+		return fmt.Sprintf("no such flag -%v", e.name)
+
+	case flagUnknownFlagMessage:
+		return fmt.Sprintf("unknown flag: --%s", e.name)
+
+	case flagUnknownShorthandFlagMessage:
+		c := rune(e.name[0])
+		return fmt.Sprintf("unknown shorthand flag: %q in -%s", c, e.specifiedShorthands)
+	}
+
+	panic(fmt.Errorf("unknown flagNotExistErrorMessageType: %v", e.messageType))
+}
+
+// GetSpecifiedName returns the name of the flag (without dashes) as it
+// appeared in the parsed arguments.
+func (e *NotExistError) GetSpecifiedName() string {
+	return e.name
+}
+
+// GetSpecifiedShortnames returns the group of shorthand arguments
+// (without dashes) that the flag appeared within. If the flag was not in a
+// shorthand group, this will return an empty string.
+func (e *NotExistError) GetSpecifiedShortnames() string {
+	return e.specifiedShorthands
+}
+
+// ValueRequiredError is the error returned when a flag needs an argument but
+// no argument was provided.
+type ValueRequiredError struct {
+	flag                *Flag
+	specifiedName       string
+	specifiedShorthands string
+}
+
+// Error implements error.
+func (e *ValueRequiredError) Error() string {
+	if len(e.specifiedShorthands) > 0 {
+		c := rune(e.specifiedName[0])
+		return fmt.Sprintf("flag needs an argument: %q in -%s", c, e.specifiedShorthands)
+	}
+
+	return fmt.Sprintf("flag needs an argument: --%s", e.specifiedName)
+}
+
+// GetFlag returns the flag for which the error occurred.
+func (e *ValueRequiredError) GetFlag() *Flag {
+	return e.flag
+}
+
+// GetSpecifiedName returns the name of the flag (without dashes) as it
+// appeared in the parsed arguments.
+func (e *ValueRequiredError) GetSpecifiedName() string {
+	return e.specifiedName
+}
+
+// GetSpecifiedShortnames returns the group of shorthand arguments
+// (without dashes) that the flag appeared within. If the flag was not in a
+// shorthand group, this will return an empty string.
+func (e *ValueRequiredError) GetSpecifiedShortnames() string {
+	return e.specifiedShorthands
+}
+
+// InvalidValueError is the error returned when an invalid value is used
+// for a flag.
+type InvalidValueError struct {
+	flag  *Flag
+	value string
+	cause error
+}
+
+// Error implements error.
+func (e *InvalidValueError) Error() string {
+	flag := e.flag
+	var flagName string
+	if flag.Shorthand != "" && flag.ShorthandDeprecated == "" {
+		flagName = fmt.Sprintf("-%s, --%s", flag.Shorthand, flag.Name)
+	} else {
+		flagName = fmt.Sprintf("--%s", flag.Name)
+	}
+	return fmt.Sprintf("invalid argument %q for %q flag: %v", e.value, flagName, e.cause)
+}
+
+// Unwrap implements errors.Unwrap.
+func (e *InvalidValueError) Unwrap() error {
+	return e.cause
+}
+
+// GetFlag returns the flag for which the error occurred.
+func (e *InvalidValueError) GetFlag() *Flag {
+	return e.flag
+}
+
+// GetValue returns the invalid value that was provided.
+func (e *InvalidValueError) GetValue() string {
+	return e.value
+}
+
+// InvalidSyntaxError is the error returned when a bad flag name is passed on
+// the command line.
+type InvalidSyntaxError struct {
+	specifiedFlag string
+}
+
+// Error implements error.
+func (e *InvalidSyntaxError) Error() string {
+	return fmt.Sprintf("bad flag syntax: %s", e.specifiedFlag)
+}
+
+// GetSpecifiedName returns the exact flag (with dashes) as it
+// appeared in the parsed arguments.
+func (e *InvalidSyntaxError) GetSpecifiedFlag() string {
+	return e.specifiedFlag
+}
diff --git a/vendor/github.com/spf13/pflag/flag.go b/vendor/github.com/spf13/pflag/flag.go
index 7c058de3..d4dfbc5e 100644
--- a/vendor/github.com/spf13/pflag/flag.go
+++ b/vendor/github.com/spf13/pflag/flag.go
@@ -27,23 +27,32 @@ unaffected.
 Define flags using flag.String(), Bool(), Int(), etc.
 
 This declares an integer flag, -flagname, stored in the pointer ip, with type *int.
+
 	var ip = flag.Int("flagname", 1234, "help message for flagname")
+
 If you like, you can bind the flag to a variable using the Var() functions.
+
 	var flagvar int
 	func init() {
 		flag.IntVar(&flagvar, "flagname", 1234, "help message for flagname")
 	}
+
 Or you can create custom flags that satisfy the Value interface (with
 pointer receivers) and couple them to flag parsing by
+
 	flag.Var(&flagVal, "name", "help message for flagname")
+
 For such flags, the default value is just the initial value of the variable.
 
 After all flags are defined, call
+
 	flag.Parse()
+
 to parse the command line into the defined flags.
 
 Flags may then be used directly. If you're using the flags themselves,
 they are all pointers; if you bind to variables, they're values.
+
 	fmt.Println("ip has value ", *ip)
 	fmt.Println("flagvar has value ", flagvar)
 
@@ -54,22 +63,26 @@ The arguments are indexed from 0 through flag.NArg()-1.
 The pflag package also defines some new functions that are not in flag,
 that give one-letter shorthands for flags. You can use these by appending
 'P' to the name of any function that defines a flag.
+
 	var ip = flag.IntP("flagname", "f", 1234, "help message")
 	var flagvar bool
 	func init() {
 		flag.BoolVarP(&flagvar, "boolname", "b", true, "help message")
 	}
 	flag.VarP(&flagval, "varname", "v", "help message")
+
 Shorthand letters can be used with single dashes on the command line.
 Boolean shorthand flags can be combined with other shorthand flags.
 
 Command line flag syntax:
+
 	--flag    // boolean flags only
 	--flag=x
 
 Unlike the flag package, a single dash before an option means something
 different than a double dash. Single dashes signify a series of shorthand
 letters for flags. All but the last shorthand letter must be boolean flags.
+
 	// boolean flags
 	-f
 	-abc
@@ -381,7 +394,7 @@ func (f *FlagSet) lookup(name NormalizedName) *Flag {
 func (f *FlagSet) getFlagType(name string, ftype string, convFunc func(sval string) (interface{}, error)) (interface{}, error) {
 	flag := f.Lookup(name)
 	if flag == nil {
-		err := fmt.Errorf("flag accessed but not defined: %s", name)
+		err := &NotExistError{name: name, messageType: flagNotDefinedMessage}
 		return nil, err
 	}
 
@@ -411,7 +424,7 @@ func (f *FlagSet) ArgsLenAtDash() int {
 func (f *FlagSet) MarkDeprecated(name string, usageMessage string) error {
 	flag := f.Lookup(name)
 	if flag == nil {
-		return fmt.Errorf("flag %q does not exist", name)
+		return &NotExistError{name: name, messageType: flagNotExistMessage}
 	}
 	if usageMessage == "" {
 		return fmt.Errorf("deprecated message for flag %q must be set", name)
@@ -427,7 +440,7 @@ func (f *FlagSet) MarkDeprecated(name string, usageMessage string) error {
 func (f *FlagSet) MarkShorthandDeprecated(name string, usageMessage string) error {
 	flag := f.Lookup(name)
 	if flag == nil {
-		return fmt.Errorf("flag %q does not exist", name)
+		return &NotExistError{name: name, messageType: flagNotExistMessage}
 	}
 	if usageMessage == "" {
 		return fmt.Errorf("deprecated message for flag %q must be set", name)
@@ -441,7 +454,7 @@ func (f *FlagSet) MarkShorthandDeprecated(name string, usageMessage string) erro
 func (f *FlagSet) MarkHidden(name string) error {
 	flag := f.Lookup(name)
 	if flag == nil {
-		return fmt.Errorf("flag %q does not exist", name)
+		return &NotExistError{name: name, messageType: flagNotExistMessage}
 	}
 	flag.Hidden = true
 	return nil
@@ -464,18 +477,16 @@ func (f *FlagSet) Set(name, value string) error {
 	normalName := f.normalizeFlagName(name)
 	flag, ok := f.formal[normalName]
 	if !ok {
-		return fmt.Errorf("no such flag -%v", name)
+		return &NotExistError{name: name, messageType: flagNoSuchFlagMessage}
 	}
 
 	err := flag.Value.Set(value)
 	if err != nil {
-		var flagName string
-		if flag.Shorthand != "" && flag.ShorthandDeprecated == "" {
-			flagName = fmt.Sprintf("-%s, --%s", flag.Shorthand, flag.Name)
-		} else {
-			flagName = fmt.Sprintf("--%s", flag.Name)
+		return &InvalidValueError{
+			flag:  flag,
+			value: value,
+			cause: err,
 		}
-		return fmt.Errorf("invalid argument %q for %q flag: %v", value, flagName, err)
 	}
 
 	if !flag.Changed {
@@ -501,7 +512,7 @@ func (f *FlagSet) SetAnnotation(name, key string, values []string) error {
 	normalName := f.normalizeFlagName(name)
 	flag, ok := f.formal[normalName]
 	if !ok {
-		return fmt.Errorf("no such flag -%v", name)
+		return &NotExistError{name: name, messageType: flagNoSuchFlagMessage}
 	}
 	if flag.Annotations == nil {
 		flag.Annotations = map[string][]string{}
@@ -538,7 +549,7 @@ func (f *FlagSet) PrintDefaults() {
 func (f *Flag) defaultIsZeroValue() bool {
 	switch f.Value.(type) {
 	case boolFlag:
-		return f.DefValue == "false"
+		return f.DefValue == "false" || f.DefValue == ""
 	case *durationValue:
 		// Beginning in Go 1.7, duration zero values are "0s"
 		return f.DefValue == "0" || f.DefValue == "0s"
@@ -551,7 +562,7 @@ func (f *Flag) defaultIsZeroValue() bool {
 	case *intSliceValue, *stringSliceValue, *stringArrayValue:
 		return f.DefValue == "[]"
 	default:
-		switch f.Value.String() {
+		switch f.DefValue {
 		case "false":
 			return true
 		case "<nil>":
@@ -588,8 +599,10 @@ func UnquoteUsage(flag *Flag) (name string, usage string) {
 
 	name = flag.Value.Type()
 	switch name {
-	case "bool":
+	case "bool", "boolfunc":
 		name = ""
+	case "func":
+		name = "value"
 	case "float64":
 		name = "float"
 	case "int64":
@@ -707,7 +720,7 @@ func (f *FlagSet) FlagUsagesWrapped(cols int) string {
 			switch flag.Value.Type() {
 			case "string":
 				line += fmt.Sprintf("[=\"%s\"]", flag.NoOptDefVal)
-			case "bool":
+			case "bool", "boolfunc":
 				if flag.NoOptDefVal != "true" {
 					line += fmt.Sprintf("[=%s]", flag.NoOptDefVal)
 				}
@@ -911,10 +924,9 @@ func VarP(value Value, name, shorthand, usage string) {
 	CommandLine.VarP(value, name, shorthand, usage)
 }
 
-// failf prints to standard error a formatted error and usage message and
+// fail prints an error message and usage message to standard error and
 // returns the error.
-func (f *FlagSet) failf(format string, a ...interface{}) error {
-	err := fmt.Errorf(format, a...)
+func (f *FlagSet) fail(err error) error {
 	if f.errorHandling != ContinueOnError {
 		fmt.Fprintln(f.Output(), err)
 		f.usage()
@@ -934,9 +946,9 @@ func (f *FlagSet) usage() {
 	}
 }
 
-//--unknown (args will be empty)
-//--unknown --next-flag ... (args will be --next-flag ...)
-//--unknown arg ... (args will be arg ...)
+// --unknown (args will be empty)
+// --unknown --next-flag ... (args will be --next-flag ...)
+// --unknown arg ... (args will be arg ...)
 func stripUnknownFlagValue(args []string) []string {
 	if len(args) == 0 {
 		//--unknown
@@ -960,7 +972,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 	a = args
 	name := s[2:]
 	if len(name) == 0 || name[0] == '-' || name[0] == '=' {
-		err = f.failf("bad flag syntax: %s", s)
+		err = f.fail(&InvalidSyntaxError{specifiedFlag: s})
 		return
 	}
 
@@ -982,7 +994,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 
 			return stripUnknownFlagValue(a), nil
 		default:
-			err = f.failf("unknown flag: --%s", name)
+			err = f.fail(&NotExistError{name: name, messageType: flagUnknownFlagMessage})
 			return
 		}
 	}
@@ -1000,13 +1012,16 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 		a = a[1:]
 	} else {
 		// '--flag' (arg was required)
-		err = f.failf("flag needs an argument: %s", s)
+		err = f.fail(&ValueRequiredError{
+			flag:          flag,
+			specifiedName: name,
+		})
 		return
 	}
 
 	err = fn(flag, value)
 	if err != nil {
-		f.failf(err.Error())
+		f.fail(err)
 	}
 	return
 }
@@ -1014,7 +1029,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parseFunc) (outShorts string, outArgs []string, err error) {
 	outArgs = args
 
-	if strings.HasPrefix(shorthands, "test.") {
+	if isGotestShorthandFlag(shorthands) {
 		return
 	}
 
@@ -1039,7 +1054,11 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 			outArgs = stripUnknownFlagValue(outArgs)
 			return
 		default:
-			err = f.failf("unknown shorthand flag: %q in -%s", c, shorthands)
+			err = f.fail(&NotExistError{
+				name:                string(c),
+				specifiedShorthands: shorthands,
+				messageType:         flagUnknownShorthandFlagMessage,
+			})
 			return
 		}
 	}
@@ -1062,7 +1081,11 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 		outArgs = args[1:]
 	} else {
 		// '-f' (arg was required)
-		err = f.failf("flag needs an argument: %q in -%s", c, shorthands)
+		err = f.fail(&ValueRequiredError{
+			flag:                flag,
+			specifiedName:       string(c),
+			specifiedShorthands: shorthands,
+		})
 		return
 	}
 
@@ -1072,7 +1095,7 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 
 	err = fn(flag, value)
 	if err != nil {
-		f.failf(err.Error())
+		f.fail(err)
 	}
 	return
 }
@@ -1135,7 +1158,7 @@ func (f *FlagSet) Parse(arguments []string) error {
 	}
 	f.parsed = true
 
-	if len(arguments) < 0 {
+	if len(arguments) == 0 {
 		return nil
 	}
 
diff --git a/vendor/github.com/spf13/pflag/func.go b/vendor/github.com/spf13/pflag/func.go
new file mode 100644
index 00000000..9f4d88f2
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/func.go
@@ -0,0 +1,37 @@
+package pflag
+
+// -- func Value
+type funcValue func(string) error
+
+func (f funcValue) Set(s string) error { return f(s) }
+
+func (f funcValue) Type() string { return "func" }
+
+func (f funcValue) String() string { return "" } // same behavior as stdlib 'flag' package
+
+// Func defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}={value}" (or equivalent) is
+// parsed on the command line, with "{value}" as an argument.
+func (f *FlagSet) Func(name string, usage string, fn func(string) error) {
+	f.FuncP(name, "", usage, fn)
+}
+
+// FuncP is like Func, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) FuncP(name string, shorthand string, usage string, fn func(string) error) {
+	var val Value = funcValue(fn)
+	f.VarP(val, name, shorthand, usage)
+}
+
+// Func defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}={value}" (or equivalent) is
+// parsed on the command line, with "{value}" as an argument.
+func Func(name string, usage string, fn func(string) error) {
+	CommandLine.FuncP(name, "", usage, fn)
+}
+
+// FuncP is like Func, but accepts a shorthand letter that can be used after a single dash.
+func FuncP(name, shorthand string, usage string, fn func(string) error) {
+	CommandLine.FuncP(name, shorthand, usage, fn)
+}
diff --git a/vendor/github.com/spf13/pflag/golangflag.go b/vendor/github.com/spf13/pflag/golangflag.go
index d3dd72b7..f563907e 100644
--- a/vendor/github.com/spf13/pflag/golangflag.go
+++ b/vendor/github.com/spf13/pflag/golangflag.go
@@ -10,6 +10,15 @@ import (
 	"strings"
 )
 
+// go test flags prefixes
+func isGotestFlag(flag string) bool {
+	return strings.HasPrefix(flag, "-test.")
+}
+
+func isGotestShorthandFlag(flag string) bool {
+	return strings.HasPrefix(flag, "test.")
+}
+
 // flagValueWrapper implements pflag.Value around a flag.Value.  The main
 // difference here is the addition of the Type method that returns a string
 // name of the type.  As this is generally unknown, we approximate that with
@@ -103,3 +112,16 @@ func (f *FlagSet) AddGoFlagSet(newSet *goflag.FlagSet) {
 	}
 	f.addedGoFlagSets = append(f.addedGoFlagSets, newSet)
 }
+
+// ParseSkippedFlags explicitly Parses go test flags (i.e. the one starting with '-test.') with goflag.Parse(),
+// since by default those are skipped by pflag.Parse().
+// Typical usage example: `ParseGoTestFlags(os.Args[1:], goflag.CommandLine)`
+func ParseSkippedFlags(osArgs []string, goFlagSet *goflag.FlagSet) error {
+	var skippedFlags []string
+	for _, f := range osArgs {
+		if isGotestFlag(f) {
+			skippedFlags = append(skippedFlags, f)
+		}
+	}
+	return goFlagSet.Parse(skippedFlags)
+}
diff --git a/vendor/github.com/spf13/pflag/ipnet_slice.go b/vendor/github.com/spf13/pflag/ipnet_slice.go
index 6b541aa8..c6e89da1 100644
--- a/vendor/github.com/spf13/pflag/ipnet_slice.go
+++ b/vendor/github.com/spf13/pflag/ipnet_slice.go
@@ -73,7 +73,7 @@ func (s *ipNetSliceValue) String() string {
 
 func ipNetSliceConv(val string) (interface{}, error) {
 	val = strings.Trim(val, "[]")
-	// Emtpy string would cause a slice with one (empty) entry
+	// Empty string would cause a slice with one (empty) entry
 	if len(val) == 0 {
 		return []net.IPNet{}, nil
 	}
diff --git a/vendor/github.com/spf13/pflag/text.go b/vendor/github.com/spf13/pflag/text.go
new file mode 100644
index 00000000..886d5a3d
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/text.go
@@ -0,0 +1,81 @@
+package pflag
+
+import (
+	"encoding"
+	"fmt"
+	"reflect"
+)
+
+// following is copied from go 1.23.4 flag.go
+type textValue struct{ p encoding.TextUnmarshaler }
+
+func newTextValue(val encoding.TextMarshaler, p encoding.TextUnmarshaler) textValue {
+	ptrVal := reflect.ValueOf(p)
+	if ptrVal.Kind() != reflect.Ptr {
+		panic("variable value type must be a pointer")
+	}
+	defVal := reflect.ValueOf(val)
+	if defVal.Kind() == reflect.Ptr {
+		defVal = defVal.Elem()
+	}
+	if defVal.Type() != ptrVal.Type().Elem() {
+		panic(fmt.Sprintf("default type does not match variable type: %v != %v", defVal.Type(), ptrVal.Type().Elem()))
+	}
+	ptrVal.Elem().Set(defVal)
+	return textValue{p}
+}
+
+func (v textValue) Set(s string) error {
+	return v.p.UnmarshalText([]byte(s))
+}
+
+func (v textValue) Get() interface{} {
+	return v.p
+}
+
+func (v textValue) String() string {
+	if m, ok := v.p.(encoding.TextMarshaler); ok {
+		if b, err := m.MarshalText(); err == nil {
+			return string(b)
+		}
+	}
+	return ""
+}
+
+//end of copy
+
+func (v textValue) Type() string {
+	return reflect.ValueOf(v.p).Type().Name()
+}
+
+// GetText set out, which implements encoding.UnmarshalText, to the value of a flag with given name
+func (f *FlagSet) GetText(name string, out encoding.TextUnmarshaler) error {
+	flag := f.Lookup(name)
+	if flag == nil {
+		return fmt.Errorf("flag accessed but not defined: %s", name)
+	}
+	if flag.Value.Type() != reflect.TypeOf(out).Name() {
+		return fmt.Errorf("trying to get %s value of flag of type %s", reflect.TypeOf(out).Name(), flag.Value.Type())
+	}
+	return out.UnmarshalText([]byte(flag.Value.String()))
+}
+
+// TextVar defines a flag with a specified name, default value, and usage string. The argument p must be a pointer to a variable that will hold the value of the flag, and p must implement encoding.TextUnmarshaler. If the flag is used, the flag value will be passed to p's UnmarshalText method. The type of the default value must be the same as the type of p.
+func (f *FlagSet) TextVar(p encoding.TextUnmarshaler, name string, value encoding.TextMarshaler, usage string) {
+	f.VarP(newTextValue(value, p), name, "", usage)
+}
+
+// TextVarP is like TextVar, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) TextVarP(p encoding.TextUnmarshaler, name, shorthand string, value encoding.TextMarshaler, usage string) {
+	f.VarP(newTextValue(value, p), name, shorthand, usage)
+}
+
+// TextVar defines a flag with a specified name, default value, and usage string. The argument p must be a pointer to a variable that will hold the value of the flag, and p must implement encoding.TextUnmarshaler. If the flag is used, the flag value will be passed to p's UnmarshalText method. The type of the default value must be the same as the type of p.
+func TextVar(p encoding.TextUnmarshaler, name string, value encoding.TextMarshaler, usage string) {
+	CommandLine.VarP(newTextValue(value, p), name, "", usage)
+}
+
+// TextVarP is like TextVar, but accepts a shorthand letter that can be used after a single dash.
+func TextVarP(p encoding.TextUnmarshaler, name, shorthand string, value encoding.TextMarshaler, usage string) {
+	CommandLine.VarP(newTextValue(value, p), name, shorthand, usage)
+}
diff --git a/vendor/github.com/spf13/pflag/time.go b/vendor/github.com/spf13/pflag/time.go
new file mode 100644
index 00000000..dc024807
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/time.go
@@ -0,0 +1,118 @@
+package pflag
+
+import (
+	"fmt"
+	"strings"
+	"time"
+)
+
+// TimeValue adapts time.Time for use as a flag.
+type timeValue struct {
+	*time.Time
+	formats []string
+}
+
+func newTimeValue(val time.Time, p *time.Time, formats []string) *timeValue {
+	*p = val
+	return &timeValue{
+		Time:    p,
+		formats: formats,
+	}
+}
+
+// Set time.Time value from string based on accepted formats.
+func (d *timeValue) Set(s string) error {
+	s = strings.TrimSpace(s)
+	for _, f := range d.formats {
+		v, err := time.Parse(f, s)
+		if err != nil {
+			continue
+		}
+		*d.Time = v
+		return nil
+	}
+
+	formatsString := ""
+	for i, f := range d.formats {
+		if i > 0 {
+			formatsString += ", "
+		}
+		formatsString += fmt.Sprintf("`%s`", f)
+	}
+
+	return fmt.Errorf("invalid time format `%s` must be one of: %s", s, formatsString)
+}
+
+// Type name for time.Time flags.
+func (d *timeValue) Type() string {
+	return "time"
+}
+
+func (d *timeValue) String() string { return d.Time.Format(time.RFC3339Nano) }
+
+// GetTime return the time value of a flag with the given name
+func (f *FlagSet) GetTime(name string) (time.Time, error) {
+	flag := f.Lookup(name)
+	if flag == nil {
+		err := fmt.Errorf("flag accessed but not defined: %s", name)
+		return time.Time{}, err
+	}
+
+	if flag.Value.Type() != "time" {
+		err := fmt.Errorf("trying to get %s value of flag of type %s", "time", flag.Value.Type())
+		return time.Time{}, err
+	}
+
+	val, ok := flag.Value.(*timeValue)
+	if !ok {
+		return time.Time{}, fmt.Errorf("value %s is not a time", flag.Value)
+	}
+
+	return *val.Time, nil
+}
+
+// TimeVar defines a time.Time flag with specified name, default value, and usage string.
+// The argument p points to a time.Time variable in which to store the value of the flag.
+func (f *FlagSet) TimeVar(p *time.Time, name string, value time.Time, formats []string, usage string) {
+	f.TimeVarP(p, name, "", value, formats, usage)
+}
+
+// TimeVarP is like TimeVar, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) TimeVarP(p *time.Time, name, shorthand string, value time.Time, formats []string, usage string) {
+	f.VarP(newTimeValue(value, p, formats), name, shorthand, usage)
+}
+
+// TimeVar defines a time.Time flag with specified name, default value, and usage string.
+// The argument p points to a time.Time variable in which to store the value of the flag.
+func TimeVar(p *time.Time, name string, value time.Time, formats []string, usage string) {
+	CommandLine.TimeVarP(p, name, "", value, formats, usage)
+}
+
+// TimeVarP is like TimeVar, but accepts a shorthand letter that can be used after a single dash.
+func TimeVarP(p *time.Time, name, shorthand string, value time.Time, formats []string, usage string) {
+	CommandLine.VarP(newTimeValue(value, p, formats), name, shorthand, usage)
+}
+
+// Time defines a time.Time flag with specified name, default value, and usage string.
+// The return value is the address of a time.Time variable that stores the value of the flag.
+func (f *FlagSet) Time(name string, value time.Time, formats []string, usage string) *time.Time {
+	return f.TimeP(name, "", value, formats, usage)
+}
+
+// TimeP is like Time, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) TimeP(name, shorthand string, value time.Time, formats []string, usage string) *time.Time {
+	p := new(time.Time)
+	f.TimeVarP(p, name, shorthand, value, formats, usage)
+	return p
+}
+
+// Time defines a time.Time flag with specified name, default value, and usage string.
+// The return value is the address of a time.Time variable that stores the value of the flag.
+func Time(name string, value time.Time, formats []string, usage string) *time.Time {
+	return CommandLine.TimeP(name, "", value, formats, usage)
+}
+
+// TimeP is like Time, but accepts a shorthand letter that can be used after a single dash.
+func TimeP(name, shorthand string, value time.Time, formats []string, usage string) *time.Time {
+	return CommandLine.TimeP(name, shorthand, value, formats, usage)
+}
diff --git a/vendor/github.com/theupdateframework/notary/.gitignore b/vendor/github.com/theupdateframework/notary/.gitignore
deleted file mode 100644
index 36422d00..00000000
--- a/vendor/github.com/theupdateframework/notary/.gitignore
+++ /dev/null
@@ -1,17 +0,0 @@
-/.vscode
-/cmd/notary-server/notary-server
-/cmd/notary-server/local.config.*
-/cmd/notary-signer/notary-signer
-/cmd/notary-signer/local.config.*
-/cmd/escrow/escrow
-/cmd/escrow/local.config.*
-cover
-bin
-cross
-.cover
-*.swp
-.idea
-*.iml
-*.test
-coverage*.txt
-gosec_output.csv
diff --git a/vendor/github.com/theupdateframework/notary/CHANGELOG.md b/vendor/github.com/theupdateframework/notary/CHANGELOG.md
deleted file mode 100644
index 0aa0f72d..00000000
--- a/vendor/github.com/theupdateframework/notary/CHANGELOG.md
+++ /dev/null
@@ -1,156 +0,0 @@
-# Changelog
-
-## [v0.7.0](https://github.com/docker/notary/releases/tag/v0.7.0) 12/01/2021
-+ Switch to Go modules [#1523](https://github.com/theupdateframework/notary/pull/1523)
-+ Use golang/x/crypto for ed25519 [#1344](https://github.com/theupdateframework/notary/pull/1344)
-+ Update Go version
-+ Update dependency versions
-+ Fixes from using Gosec for source analysis
-
-## [v0.6.1](https://github.com/docker/notary/releases/tag/v0.6.0) 04/10/2018
-+ Fixed bug where CLI requested admin privileges for all metadata operations, including listing targets on a repo [#1315](https://github.com/theupdateframework/notary/pull/1315)
-+ Prevented notary signer from being dumpable or ptraceable in Linux, except in debug mode [#1327](https://github.com/theupdateframework/notary/pull/1327)
-+ Bumped JWT dependency to fix potential Invalid Curve Attack on NIST curves within ECDH key management [#1334](https://github.com/theupdateframework/notary/pull/1334)
-+ If the home directory cannot be found, log a warning instead of erroring out [#1318](https://github.com/theupdateframework/notary/pull/1318)
-+ Bumped go version and various dependencies [#1323](https://github.com/theupdateframework/notary/pull/1323) [#1332](https://github.com/theupdateframework/notary/pull/1332) [#1335](https://github.com/theupdateframework/notary/pull/1335) [#1336](https://github.com/theupdateframework/notary/pull/1336)
-+ Various internal and documentation fixes [#1312](https://github.com/theupdateframework/notary/pull/1312) [#1313](https://github.com/theupdateframework/notary/pull/1313) [#1319](https://github.com/theupdateframework/notary/pull/1319) [#1320](https://github.com/theupdateframework/notary/pull/1320) [#1324](https://github.com/theupdateframework/notary/pull/1324) [#1326](https://github.com/theupdateframework/notary/pull/1326) [#1328](https://github.com/theupdateframework/notary/pull/1328) [#1329](https://github.com/theupdateframework/notary/pull/1329) [#1333](https://github.com/theupdateframework/notary/pull/1333)
-
-## [v0.6.0](https://github.com/docker/notary/releases/tag/v0.6.0) 02/28/2018
-+ **The project has been moved from https://github.com/docker/notary to https://github.com/theupdateframework/notary, as it has been accepted into the CNCF.  Downstream users should update their go imports.**
-+ Removed support for RSA-key exchange ciphers supported by the server and signer and require TLS >= 1.2 for the server and signer. [#1307](https://github.com/theupdateframework/notary/pull/1307)
-+ `libykcs11` can be found in several additional locations on Fedora.  [#1286](https://github.com/theupdateframework/notary/pull/1286/)
-+ If a certificate is used as a delegation public key, notary no longer warns if the certificate has expired, since notary should be relying on the role expiry instead. [#1263](https://github.com/theupdateframework/notary/pull/1263)
-+ An error is now returned when importing keys if there were invalid PEM blocks. [#1260](https://github.com/theupdateframework/notary/pull/1260)
-+ Notary server authentication credentials can now be provided as an environment variable `NOTARY_AUTH`, which should contain a base64-encoded "username:password" value.  [#1246](https://github.com/theupdateframework/notary/pull/1246)
-+ Changefeeds are now supported for RethinkDB as well as SQL servers.  [#1214](https://github.com/theupdateframework/notary/pull/1214)
-+ Notary CLI will now time out after 30 seconds if a username and password are not provided when authenticating to anotary server, fixing an issue where scripts for the notary CLI may hang forever. [#1200](https://github.com/theupdateframework/notary/pull/1200)
-+ Fixed potential race condition in the signer keystore.  [#1198](https://github.com/theupdateframework/notary/pull/1198)
-+ Notary now no longer provides the option to generate RSA keys for a repository, but externally generated RSA keys can still be imported as keys for a repository.  [#1191](https://github.com/theupdateframework/notary/pull/1191)
-+ Fixed bug where the notary client would `ioutil.ReadAll` responses from the server without limiting the size.  [#1186](https://github.com/theupdateframework/notary/pull/1186)
-+ Default notary CLI log level is now `warn`, and if the `-v` option is passed, it is at `info`.  [#1179](https://github.com/theupdateframework/notary/pull/1179)
-+ Example Postgres config now includes an example of mutual TLS authentication between the server/signer and Postgres.  [#1160](https://github.com/theupdateframework/notary/pull/1160) [#1163](https://github.com/theupdateframework/notary/pull/1163/)
-+ Fixed an error where piping the server authentication credentials via STDIN when scripting the notary CLI did not work.  [#1155](https://github.com/theupdateframework/notary/pull/1155)
-+ If the server and signer configurations forget to specify `parseTime=true` when using MySQL, notary server and signer will automatically add the option.  [#1150](https://github.com/theupdateframework/notary/pull/1150)
-+ Custom metadata can now be provided and read on a target when using the notary client as a library (not yet exposed on the CLI).  [#1146](https://github.com/theupdateframework/notary/pull/1146)
-+ `notary init` now accepts a `--root-cert` and `--root-key` flag for use with privately generated certificates and keys.  [#1144](https://github.com/theupdateframework/notary/pull/1144)
-+ `notary key generate` now accepts a `--role` flag as well as a `--output` flag.  This means it can generate new targets or delegation keys, and it can also output keys to a file instead of storing it in the default notary key store.  [#1134](https://github.com/theupdateframework/notary/pull/1134)
-+ Newly generated keys are now stored encrypted and encoded in PKCS#8 format. **This is not forwards-compatible against notary<0.6.0 and docker<17.12.x. Also please note that docker>=17.12.x is not forwards compatible with notary<0.6.0.**. [#1130](https://github.com/theupdateframework/notary/pull/1130) [#1201](https://github.com/theupdateframework/notary/pull/1201)
-+ Added support for wildcarded certificate IDs in the trustpinning configuration [#1126](https://github.com/theupdateframework/notary/pull/1126)
-+ Added support using the client against notary servers which are hosted as subpath under another server (e.g. https://domain.com/notary instead of https://notary.com) [#1108](https://github.com/theupdateframework/notary/pull/1108)
-+ If no changes were made to the targets file, you are no longer required to sign the target [#1104](https://github.com/theupdateframework/notary/pull/1104)
-+ escrow placeholder [#1096](https://github.com/theupdateframework/notary/pull/1096)
-+ Added support for wildcard suffixes for root certificates CNs for root keys, so that a single root certificate would be valid for multiple repositories [#1088](https://github.com/theupdateframework/notary/pull/1088)
-+ Root key rotations now do not require all previous root keys sign new root metadata.  [#942](https://github.com/theupdateframework/notary/pull/942).
-    + New keys are trusted if the root metadata file specifying the new key was signed by the previous root key/threshold
-    + Root metadata can now be requested by version from the server, allowing clients with older root metadata to validate each new version one by one up to the current metadata
-+ `notary key rotate` now accepts a flag specifying which key to rotate to [#942](https://github.com/theupdateframework/notary/pull/942)
-+ Refactoring of the client to make it easier to use as a library and to inject dependencies:
-    + References to GUN have now been changed to "imagename". [#1081](https://github.com/theupdateframework/notary/pull/1081)
-    + `NewNotaryRepository` can now be provided with a remote store and changelist, as opposed to always constructing its own. [#1094](https://github.com/theupdateframework/notary/pull/1094)
-    + If needed, the notary repository will be initialized first when publishing. [#1105](https://github.com/theupdateframework/notary/pull/1105)
-    + `NewNotaryReository` now requires a non-nil cache store.  [#1185](https://github.com/theupdateframework/notary/pull/1185)
-    + The "No valid trust data" error is now typed.  [#1212](https://github.com/theupdateframework/notary/pull/1212)
-    + `TUFClient` was previously mistakenly exported, and is now unexported.  [#1215](https://github.com/theupdateframework/notary/pull/1215)
-    + The notary client now has a `Repository` interface type to standardize `client.NotaryRepository`.  [#1220](https://github.com/theupdateframework/notary/pull/1220)
-    + The constructor functions `NewFileCachedNotaryRepository` and `NewNotaryRepository` have been renamed, respectively, to `NewFileCachedRepository` and `NewRepository` to reduce redundancy. [#1226](https://github.com/theupdateframework/notary/pull/1226)
-    + `NewRepository` returns an interface as opposed to the concrete type `NotaryRepository` it previously did.  `NotaryRepository` is also now an unexported concrete type. [#1226](https://github.com/theupdateframework/notary/pull/1226)
-    + Key import/export logic has been moved from the `utils` package to the `trustmanager` package.  [#1250](https://github.com/theupdateframework/notary/pull/1250)
-
-
-## [v0.5.0](https://github.com/docker/notary/releases/tag/v0.5.0) 11/14/2016
-+ Non-certificate public keys in PEM format can now be added to delegation roles [#965](https://github.com/docker/notary/pull/965)
-+ PostgreSQL support as a storage backend for Server and Signer [#920](https://github.com/docker/notary/pull/920)
-+ Notary server's health check now fails if it cannot connect to the signer, since no new repositories can be created and existing repositories cannot be updated if the server cannot reach the signer [#952](https://github.com/docker/notary/pull/952)
-+ Server runs its connectivity healthcheck to the server once every 10 seconds instead of once every minute. [#902](https://github.com/docker/notary/pull/902)
-+ The keys on disk are now stored in the `~/.notary/private` directory, rather than in a key hierarchy that separates them by GUN and by role.  Notary will automatically migrate old-style directory layouts to the new style.  **This is not forwards-compatible against notary<0.4.2 and docker<=1.12** [#872](https://github.com/docker/notary/pull/872)
-+ A new changefeed API has been added to Notary Server. It is only supported when using one of the relational database backends: MySQL, PostgreSQL, or SQLite.[#1019](https://github.com/docker/notary/pull/1019)
-
-## [v0.4.3](https://github.com/docker/notary/releases/tag/v0.4.3) 1/3/2017
-+ Fix build tags for static notary client binaries in linux [#1039](https://github.com/docker/notary/pull/1039)
-+ Fix key import for exported delegation keys [#1067](https://github.com/docker/notary/pull/1067)
-
-## [v0.4.2](https://github.com/docker/notary/releases/tag/v0.4.2) 9/30/2016
-+ Bump the cross compiler to golang 1.7.1, since [1.6.3 builds binaries that could have non-deterministic bugs in OS X Sierra](https://groups.google.com/forum/#!msg/golang-dev/Jho5sBHZgAg/cq6d97S1AwAJ) [#984](https://github.com/docker/notary/pull/984)
-
-## [v0.4.1](https://github.com/docker/notary/releases/tag/v0.4.1) 9/27/2016
-+ Preliminary Windows support for notary client [#970](https://github.com/docker/notary/pull/970)
-+ Output message to CLI when repo changes have been successfully published [#974](https://github.com/docker/notary/pull/974)
-+ Improved error messages for client authentication errors and for the witness command [#972](https://github.com/docker/notary/pull/972)
-+ Support for finding keys that are anywhere in the notary directory's "private" directory, not just under "private/root_keys" or "private/tuf_keys" [#981](https://github.com/docker/notary/pull/981)
-+ Previously, on any error updating, the client would fall back on the cache.  Now we only do so if there is a network error or if the server is unavailable or missing the TUF data. Invalid TUF data will cause the update to fail - for example if there was an invalid root rotation. [#884](https://github.com/docker/notary/pull/884) [#982](https://github.com/docker/notary/pull/982)
-
-## [v0.4.0](https://github.com/docker/notary/releases/tag/v0.4.0) 9/21/2016
-+ Server-managed key rotations [#889](https://github.com/docker/notary/pull/889)
-+ Remove `timestamp_keys` table, which stored redundant information [#889](https://github.com/docker/notary/pull/889)
-+ Introduce `notary delete` command to delete local and/or remote repo data [#895](https://github.com/docker/notary/pull/895)
-+ Introduce `notary witness` command to stage signatures for specified roles [#875](https://github.com/docker/notary/pull/875)
-+ Add `-p` flag to offline commands to attempt auto-publish [#886](https://github.com/docker/notary/pull/886) [#912](https://github.com/docker/notary/pull/912) [#923](https://github.com/docker/notary/pull/923)
-+ Introduce `notary reset` command to manage staged changes [#959](https://github.com/docker/notary/pull/959) [#856](https://github.com/docker/notary/pull/856)
-+ Add `--rootkey` flag to `notary init` to provide a private root key for a repo [#801](https://github.com/docker/notary/pull/801)
-+ Introduce `notary delegation purge` command to remove a specified key from all delegations [#855](https://github.com/docker/notary/pull/855)
-+ Removed HTTP endpoint from notary-signer [#870](https://github.com/docker/notary/pull/870)
-+ Refactored and unified key storage [#825](https://github.com/docker/notary/pull/825)
-+ Batched key import and export now operate on PEM files (potentially with multiple blocks) instead of ZIP [#825](https://github.com/docker/notary/pull/825) [#882](https://github.com/docker/notary/pull/882)
-+ Add full database integration test-suite [#824](https://github.com/docker/notary/pull/824) [#854](https://github.com/docker/notary/pull/854) [#863](https://github.com/docker/notary/pull/863)
-+ Improve notary-server, trust pinning, and yubikey logging [#798](https://github.com/docker/notary/pull/798) [#858](https://github.com/docker/notary/pull/858) [#891](https://github.com/docker/notary/pull/891)
-+ Warn if certificates for root or delegations are near expiry [#802](https://github.com/docker/notary/pull/802)
-+ Warn if role metadata is near expiry [#786](https://github.com/docker/notary/pull/786)
-+ Reformat CLI table output to use the `text/tabwriter` package [#809](https://github.com/docker/notary/pull/809)
-+ Fix passphrase retrieval attempt counting and terminal detection [#906](https://github.com/docker/notary/pull/906)
-+ Fix listing nested delegations [#864](https://github.com/docker/notary/pull/864)
-+ Bump go version to 1.6.3, fix go1.7 compatibility [#851](https://github.com/docker/notary/pull/851) [#793](https://github.com/docker/notary/pull/793)
-+ Convert docker-compose files to v2 format [#755](https://github.com/docker/notary/pull/755)
-+ Validate root rotations against trust pinning [#800](https://github.com/docker/notary/pull/800)
-+ Update fixture certificates for two-year expiry window [#951](https://github.com/docker/notary/pull/951)
-
-## [v0.3.0](https://github.com/docker/notary/releases/tag/v0.3.0) 5/11/2016
-+ Root rotations
-+ RethinkDB support as a storage backend for Server and Signer
-+ A new TUF repo builder that merges server and client validation
-+ Trust Pinning: configure known good key IDs and CAs to replace TOFU.
-+ Add --input, --output, and --quiet flags to notary verify command
-+ Remove local certificate store. It was redundant as all certs were also stored in the cached root.json
-+ Cleanup of dead code in client side key storage logic
-+ Update project to Go 1.6.1
-+ Reorganize vendoring to meet Go 1.6+ standard. Still using Godeps to manage vendored packages
-+ Add targets by hash, no longer necessary to have the original target data available
-+ Active Key ID verification during signature verification
-+ Switch all testing from assert to require, reduces noise in test runs
-+ Use alpine based images for smaller downloads and faster setup times
-+ Clean up out of data signatures when re-signing content
-+ Set cache control headers on HTTP responses from Notary Server
-+ Add sha512 support for targets
-+ Add environment variable for delegation key passphrase
-+ Reduce permissions requested by client from token server
-+ Update formatting for delegation list output
-+ Move SQLite dependency to tests only so it doesn't get built into official images
-+ Fixed asking for password to list private repositories
-+ Enable using notary client with username/password in a scripted fashion
-+ Fix static compilation of client
-+ Enforce TUF version to be >= 1, previously 0 was acceptable although unused
-+ json.RawMessage should always be used as *json.RawMessage due to concepts of addressability in Go and effects on encoding
-
-## [v0.2](https://github.com/docker/notary/releases/tag/v0.2.0) 2/24/2016
-+ Add support for delegation roles in `notary` server and client
-+ Add `notary CLI` commands for managing delegation roles: `notary delegation`
-    + `add`, `list` and `remove` subcommands
-+ Enhance `notary CLI` commands for adding targets to delegation roles
-    + `notary add --roles` and `notary remove --roles` to manipulate targets for delegations
-+ Support for rotating the snapshot key to one managed by the `notary` server
-+ Add consistent download functionality to download metadata and content by checksum
-+ Update `docker-compose` configuration to use official mariadb image
-    + deprecate `notarymysql`
-    + default to using a volume for `data` directory
-    + use separate databases for `notary-server` and `notary-signer` with separate users
-+ Add `notary CLI` command for changing private key passphrases: `notary key passwd`
-+ Enhance `notary CLI` commands for importing and exporting keys
-+ Change default `notary CLI` log level to fatal, introduce new verbose (error-level) and debug-level settings
-+ Store roles as PEM headers in private keys, incompatible with previous notary v0.1 key format
-    + No longer store keys as `<KEY_ID>_role.key`, instead store as `<KEY_ID>.key`; new private keys from new notary clients will crash old notary clients
-+ Support logging as JSON format on server and signer
-+ Support mutual TLS between notary client and notary server
-
-## [v0.1](https://github.com/docker/notary/releases/tag/v0.1) 11/15/2015
-+ Initial non-alpha `notary` version
-+ Implement TUF (the update framework) with support for root, targets, snapshot, and timestamp roles
-+ Add PKCS11 interface to store and sign with keys in HSMs (i.e. Yubikey)
diff --git a/vendor/github.com/theupdateframework/notary/CODE_OF_CONDUCT.md b/vendor/github.com/theupdateframework/notary/CODE_OF_CONDUCT.md
deleted file mode 100644
index 1f37909f..00000000
--- a/vendor/github.com/theupdateframework/notary/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,43 +0,0 @@
-## CNCF Community Code of Conduct v1.0
-
-### Contributor Code of Conduct
-
-As contributors and maintainers of this project, and in the interest of fostering
-an open and welcoming community, we pledge to respect all people who contribute
-through reporting issues, posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
-religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses,
- without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
-Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
-
-This Code of Conduct is adapted from the Contributor Covenant
-(https://contributor-covenant.org), version 1.2.0, available at
-https://contributor-covenant.org/version/1/2/0/
-
-### CNCF Events Code of Conduct
-
-CNCF events are governed by the Linux Foundation [Code of Conduct](https://events.linuxfoundation.org/events/cloudnativecon/attend/code-of-conduct) available on the event page. This is designed to be compatible with the above policy and also includes more details on responding to incidents.
diff --git a/vendor/github.com/theupdateframework/notary/CONTRIBUTING.md b/vendor/github.com/theupdateframework/notary/CONTRIBUTING.md
deleted file mode 100644
index 64d2326f..00000000
--- a/vendor/github.com/theupdateframework/notary/CONTRIBUTING.md
+++ /dev/null
@@ -1,95 +0,0 @@
-# Contributing to notary
-
-## Before reporting an issue...
-
-### If your problem is with...
-
- - automated builds
- - your account on the [Docker Hub](https://hub.docker.com/)
- - any other [Docker Hub](https://hub.docker.com/) issue
-
-Then please do not report your issue here - you should instead report it to [https://support.docker.com](https://support.docker.com)
-
-### If you...
-
- - need help setting up notary
- - can't figure out something
- - are not sure what's going on or what your problem is
-
-Then please do not open an issue here yet - you should first try one of the following support forums:
-
- - irc: #docker-trust on freenode
-
-## Reporting an issue properly
-
-By following these simple rules you will get better and faster feedback on your issue.
-
- - search the bugtracker for an already reported issue
-
-### If you found an issue that describes your problem:
-
- - please read other user comments first, and confirm this is the same issue: a given error condition might be indicative of different problems - you may also find a workaround in the comments
- - please refrain from adding "same thing here" or "+1" comments
- - you don't need to comment on an issue to get notified of updates: just hit the "subscribe" button
- - comment if you have some new, technical and relevant information to add to the case
-
-### If you have not found an existing issue that describes your problem:
-
- 1. create a new issue, with a succinct title that describes your issue:
-   - bad title: "It doesn't work with my docker"
-   - good title: "Publish fail: 400 error with E_INVALID_DIGEST"
- 2. copy the output of:
-   - `notary version` or `docker version`
- 3. Run `notary` or `docker` with the `-D` option for debug output, and please include a copy of the command and the output.
- 4. If relevant, copy your `notaryserver` and `notarysigner` logs that show the error (this is likely the output from running `docker-compose up`)
-
-## Contributing a patch for a known bug, or a small correction
-
-You should follow the basic GitHub workflow:
-
- 1. fork
- 2. commit a change
- 3. make sure the tests pass
- 4. PR
-
-Additionally, you must [sign your commits](https://github.com/docker/docker/blob/master/CONTRIBUTING.md#sign-your-work). It's very simple:
-
- - configure your name with git: `git config user.name "Real Name" && git config user.email mail@example.com`
- - sign your commits using `-s`: `git commit -s -m "My commit"`
-
-Some simple rules to ensure quick merge:
-
- - clearly point to the issue(s) you want to fix in your PR comment (e.g., `closes #12345`)
- - prefer multiple (smaller) PRs addressing individual issues over a big one trying to address multiple issues at once
- - if you need to amend your PR following comments, please squash instead of adding more commits
- - if fixing a bug or adding a feature, please add or update the relevant `CHANGELOG.md` entry with your pull request number
-   and a description of the change
-
-## Contributing new features
-
-You are heavily encouraged to first discuss what you want to do. You can do so on the irc channel, or by opening an issue that clearly describes the use case you want to fulfill, or the problem you are trying to solve.
-
-If this is a major new feature, you should then submit a proposal that describes your technical solution and reasoning.
-If you did discuss it first, this will likely be greenlighted very fast. It's advisable to address all feedback on this proposal before starting actual work
-
-Then you should submit your implementation, clearly linking to the issue (and possible proposal).
-
-Your PR will be reviewed by the community, then ultimately by the project maintainers, before being merged.
-
-It's mandatory to:
-
- - interact respectfully with other community members and maintainers - more generally, you are expected to abide by the [Docker community rules](https://github.com/docker/docker/blob/master/CONTRIBUTING.md#docker-community-guidelines)
- - address maintainers' comments and modify your submission accordingly
- - write tests for any new code
-
-Complying to these simple rules will greatly accelerate the review process, and will ensure you have a pleasant experience in contributing code to the Registry.
-
-## Review and Development notes
-
-- All merges require LGTMs from any 2 maintainers.
-- We use the git flow model (as best we can) using the `releases` branch as the stable branch, and the `master` branch as the development branch.  When we get near a potential release, a release branch (`release/<semver>`) will be created from `master`.  Any PRs that should go into the release should be made against that branch.  Hotfixes for a minor release will be added to the branch `hotfix/<semver>`.
-
-## Vendoring new dependency versions
-
-We use [VNDR](https://github.com/LK4D4/vndr); please update `vendor.conf` with the new dependency or the new version, and run
-`vndr <top level package name>`.
\ No newline at end of file
diff --git a/vendor/github.com/theupdateframework/notary/CONTRIBUTORS b/vendor/github.com/theupdateframework/notary/CONTRIBUTORS
deleted file mode 100644
index 4bc6c096..00000000
--- a/vendor/github.com/theupdateframework/notary/CONTRIBUTORS
+++ /dev/null
@@ -1,4 +0,0 @@
-David Williamson <david.williamson@docker.com> (github: davidwilliamson)
-Aaron Lehmann <aaron.lehmann@docker.com> (github: aaronlehmann)
-Lewis Marshall <lewis@flynn.io> (github: lmars)
-Jonathan Rudenberg <jonathan@flynn.io> (github: titanous)
diff --git a/vendor/github.com/theupdateframework/notary/Dockerfile b/vendor/github.com/theupdateframework/notary/Dockerfile
deleted file mode 100644
index 8d0eb3e3..00000000
--- a/vendor/github.com/theupdateframework/notary/Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-FROM golang:1.14.1
-
-RUN apt-get update && apt-get install -y \
-	curl \
-	clang \
-	libsqlite3-dev \
-	patch \
-	tar \
-	xz-utils \
-	python \
-	python-pip \
-	python-setuptools \
-	--no-install-recommends \
-	&& rm -rf /var/lib/apt/lists/*
-
-RUN useradd -ms /bin/bash notary \
-	&& pip install codecov \
-	&& go get golang.org/x/lint/golint github.com/fzipp/gocyclo github.com/client9/misspell/cmd/misspell github.com/gordonklaus/ineffassign github.com/securego/gosec/cmd/gosec/...
-
-ENV NOTARYDIR /go/src/github.com/theupdateframework/notary
-
-COPY . ${NOTARYDIR}
-RUN chmod -R a+rw /go && chmod 0600 ${NOTARYDIR}/fixtures/database/*
-
-ENV GO111MODULE=on
-
-WORKDIR ${NOTARYDIR}
diff --git a/vendor/github.com/theupdateframework/notary/Jenkinsfile b/vendor/github.com/theupdateframework/notary/Jenkinsfile
deleted file mode 100644
index ef323b0e..00000000
--- a/vendor/github.com/theupdateframework/notary/Jenkinsfile
+++ /dev/null
@@ -1,7 +0,0 @@
-// Only run on Linux atm
-wrappedNode(label: 'ubuntu && ec2 && docker-edge') {
-  deleteDir()
-  stage "checkout"
-  checkout scm
-
-}
diff --git a/vendor/github.com/theupdateframework/notary/MAINTAINERS b/vendor/github.com/theupdateframework/notary/MAINTAINERS
deleted file mode 100644
index 998ab3e3..00000000
--- a/vendor/github.com/theupdateframework/notary/MAINTAINERS
+++ /dev/null
@@ -1,70 +0,0 @@
-# Notary maintainers file
-#
-# This file describes who runs the theupdateframework/notary project and how.
-# This is a living document - if you see something out of date or missing, speak up!
-#
-# It is structured to be consumable by both humans and programs.
-# To extract its contents programmatically, use any TOML-compliant parser.
-#
-# This file is compiled into the MAINTAINERS file in docker/opensource.
-#
-[Org]
-	[Org."Core maintainers"]
-		people = [
-			"cyli",
-			"diogomonica",
-			"endophage",
-			"ecordell",
-			"hukeping",
-			"justincormack",
-			"nathanmccauley",
-			"riyazdf",
-		]
-
-[people]
-
-# A reference list of all people associated with the project.
-# All other sections should refer to people by their canonical key
-# in the people section.
-
-	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
-
-	[people.cyli]
-	Name = "Ying Li"
-	Email = "ying.li@docker.com"
-	GitHub = "cyli"
-
-	[people.diogomonica]
-	Name = "Diogo Monica"
-	Email = "diogo@docker.com"
-	GitHub = "diogomonica"
-
-	[people.endophage]
-	Name = "David Lawrence"
-	Email = "david.lawrence@docker.com"
-	GitHub = "endophage"
-
-	[people.ecordell]
-	Name = "Evan Cordell"
-	Email = "evan.cordell@coreos.com"
-	GitHub = "ecordell"
-
-	[people.hukeping]
-	Name = "Hu Keping"
-	Email = "hukeping@huawei.com"
-	GitHub = "hukeping"
-
-	[people.justincormack]
-	Name = "Justin Cormack"
-	Email = "justin.cormack@docker.com"
-	GitHub = "justincormack"
-
-	[people.nathanmccauley]
-	Name = "Nathan McCauley"
-	Email = "nathan.mccauley@docker.com"
-	GitHub = "nathanmccauley"
-
-	[people.riyazdf]
-	Name = "Riyaz Faizullabhoy"
-	Email = "riyazdf@berkeley.edu"
-	GitHub = "riyazdf"
diff --git a/vendor/github.com/theupdateframework/notary/MAINTAINERS.ALUMNI b/vendor/github.com/theupdateframework/notary/MAINTAINERS.ALUMNI
deleted file mode 100644
index 986fa880..00000000
--- a/vendor/github.com/theupdateframework/notary/MAINTAINERS.ALUMNI
+++ /dev/null
@@ -1,22 +0,0 @@
-# Notary maintainers alumni file
-#
-# This file describes past maintainers who have stepped down from the role.
-# This is a living document - if you see something out of date or missing, speak up!
-#
-# It is structured to be consumable by both humans and programs.
-# To extract its contents programmatically, use any TOML-compliant parser.
-#
-[Org]
-	[Org."Notary Alumni"]
-		people = [
-			"dmcgowan",
-		]
-
-[people]
-
-	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
-
-	[people.dmcgowan]
-	Name = "Derek McGowan"
-	Email = "derek@docker.com"
-	GitHub = "dmcgowan"
diff --git a/vendor/github.com/theupdateframework/notary/MAINTAINERS_RULES.md b/vendor/github.com/theupdateframework/notary/MAINTAINERS_RULES.md
deleted file mode 100644
index be76d910..00000000
--- a/vendor/github.com/theupdateframework/notary/MAINTAINERS_RULES.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# Maintainers Rules
-
-This document lays out some basic rules and guidelines all maintainers are expected to follow.
-Changes to the [Acceptance Criteria](#hard-acceptance-criteria-for-merging-a-pr) for merging PRs require a ceiling(two-thirds) supermajority from the maintainers.
-Changes to the [Repo Guidelines](#repo-guidelines) require a simple majority.
-
-## Hard Acceptance Criteria for merging a PR:
-
-- 2 LGTMs are required when merging a PR
-- If there is obviously still discussion going on in the PR, even with 2 LGTMs, let the discussion resolve before merging. If you’re not sure, reach out to the maintainers involved in the discussion.
-- All checks must be green 
-    - There are limited mitigating circumstances for this, like if the docs builds are just broken and that’s the only test failing.
-    - Adding or removing a check requires simple majority approval from the maintainers.
-
-## Repo Guidelines:
-
-- Consistency is vital to keep complexity low and understandable.
-- Automate as much as possible (we don’t have guidelines about coding style for example because we’ve automated fmt, vet, lint, etc…).
-- Try to keep PRs small and focussed (this is not always possible, i.e. builder refactor, storage refactor, etc… but a good target).
-
-## Process for becoming a maintainer:
-
-- Invitation is proposed by an existing maintainer.
-- Ceiling(two-thirds) supermajority approval from existing maintainers (including vote of proposing maintainer) required to accept proposal.
-- Newly approved maintainer submits PR adding themselves to the MAINTAINERS file.
-- Existing maintainers publicly mark their approval on the PR.
-- Existing maintainer updates repository permissions to grant write access to new maintainer.
-- New maintainer merges their PR.
-
-## Removing maintainers
-
-It is preferrable that a maintainer gracefully removes themselves from the MAINTAINERS file if they are
-aware they will no longer have the time or motivation to contribute to the project. Maintainers that
-have been inactive in the repo for a period of at least one year should be contacted to ask if they
-wish to be removed.
-
-In the case that an inactive maintainer is unresponsive for any reason, a ceiling(two-thirds) supermajority
-vote of the existing maintainers can be used to approve their removal from the MAINTAINERS file, and revoke
-their merge permissions on the repository.
\ No newline at end of file
diff --git a/vendor/github.com/theupdateframework/notary/Makefile b/vendor/github.com/theupdateframework/notary/Makefile
deleted file mode 100644
index 5fb9eabd..00000000
--- a/vendor/github.com/theupdateframework/notary/Makefile
+++ /dev/null
@@ -1,205 +0,0 @@
-# Set an output prefix, which is the local directory if not specified
-PREFIX?=$(shell pwd)
-
-GOFLAGS := -mod=vendor
-
-# Populate version variables
-# Add to compile time flags
-NOTARY_PKG := github.com/theupdateframework/notary
-NOTARY_VERSION := $(shell cat NOTARY_VERSION)
-GITCOMMIT := $(shell git rev-parse --short HEAD)
-GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no)
-ifneq ($(GITUNTRACKEDCHANGES),)
-GITCOMMIT := $(GITCOMMIT)-dirty
-endif
-CTIMEVAR=-X $(NOTARY_PKG)/version.GitCommit=$(GITCOMMIT) -X $(NOTARY_PKG)/version.NotaryVersion=$(NOTARY_VERSION)
-GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)"
-GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static"
-GOOSES = darwin linux windows
-NOTARY_BUILDTAGS ?= pkcs11
-NOTARYDIR := /go/src/github.com/theupdateframework/notary
-
-# check to be sure pkcs11 lib is always imported with a build tag
-GO_LIST_PKCS11 := $(shell go list -tags "${NOTARY_BUILDTAGS}" -e -f '{{join .Deps "\n"}}' ./... | grep -v /vendor/ | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)
-ifeq ($(GO_LIST_PKCS11),)
-$(info pkcs11 import was not found anywhere without a build tag, yay)
-else
-$(error You are importing pkcs11 somewhere and not using a build tag)
-endif
-
-_empty :=
-_space := $(empty) $(empty)
-
-# go cover test variables
-COVERPROFILE?=coverage.txt
-COVERMODE=atomic
-PKGS ?= $(shell go list -tags "${NOTARY_BUILDTAGS}" ./... | grep -v /vendor/ | tr '\n' ' ')
-
-.PHONY: clean all lint build test binaries cross cover docker-images notary-dockerfile
-.DELETE_ON_ERROR: cover
-.DEFAULT: default
-
-all: clean lint build test binaries
-
-# This only needs to be generated by hand when cutting full releases.
-version/version.go:
-	./version/version.sh > $@
-
-${PREFIX}/bin/notary-server: NOTARY_VERSION $(shell find . -type f -name '*.go')
-	@echo "+ $@"
-	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-server
-
-${PREFIX}/bin/notary: NOTARY_VERSION $(shell find . -type f -name '*.go')
-	@echo "+ $@"
-	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary
-
-${PREFIX}/bin/notary-signer: NOTARY_VERSION $(shell find . -type f -name '*.go')
-	@echo "+ $@"
-	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-signer
-
-${PREFIX}/bin/escrow: NOTARY_VERSION $(shell find . -type f -name '*.go')
-	@echo "+ $@"
-	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/escrow
-
-ifeq ($(shell uname -s),Darwin)
-${PREFIX}/bin/static/notary-server:
-	@echo "notary-server: static builds not supported on OS X"
-
-${PREFIX}/bin/static/notary-signer:
-	@echo "notary-signer: static builds not supported on OS X"
-
-${PREFIX}/bin/static/notary:
-	@echo "notary: static builds not supported on OS X"
-else
-${PREFIX}/bin/static/notary-server: NOTARY_VERSION $(shell find . -type f -name '*.go')
-	@echo "+ $@"
-	@(export CGO_ENABLED=0; go build -tags "${NOTARY_BUILDTAGS} netgo" -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary-server)
-
-${PREFIX}/bin/static/notary-signer: NOTARY_VERSION $(shell find . -type f -name '*.go')
-	@echo "+ $@"
-	@(export CGO_ENABLED=0; go build -tags "${NOTARY_BUILDTAGS} netgo" -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary-signer)
-
-${PREFIX}/bin/static/notary:
-	@echo "+ $@"
-	@go build -tags "${NOTARY_BUILDTAGS} netgo" -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary
-endif
-
-
-# run all lint functionality - excludes Godep directory, vendoring, binaries, python tests, and git files
-lint:
-	@echo "+ $@: golint, go vet, go fmt, gocycle, misspell, ineffassign"
-	# golint
-	@test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec golint {} \; | tee /dev/stderr)"
-	# gofmt
-	@test -z "$$(gofmt -s -l .| grep -v .pb. | grep -v vendor/ | tee /dev/stderr)"
-	# govet
-ifeq ($(shell uname -s), Darwin)
-	@test -z "$(shell find . -iname *test*.go | grep -v _test.go | grep -v vendor | xargs echo "This file should end with '_test':"  | tee /dev/stderr)"
-else
-	@test -z "$(shell find . -iname *test*.go | grep -v _test.go | grep -v vendor | xargs -r echo "This file should end with '_test':"  | tee /dev/stderr)"
-endif
-	@test -z "$$(go vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)"
-	# gocyclo - we require cyclomatic complexity to be < 16
-	@test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec gocyclo -over 15 {} \; | tee /dev/stderr)"
-	# misspell - requires that the following be run first:
-	#    go get -u github.com/client9/misspell/cmd/misspell
-	@test -z "$$(find . -type f | grep -v vendor/ | grep -v bin/ | grep -v misc/ | grep -v .git/ | grep -v \.pdf | xargs misspell | tee /dev/stderr)"
-	# ineffassign - requires that the following be run first:
-	#    go get -u github.com/gordonklaus/ineffassign
-	@test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec ineffassign {} \; | tee /dev/stderr)"
-	# gosec - requires that the following be run first:
-	#    go get -u github.com/securego/gosec/cmd/gosec/...
-	@rm -f gosec_output.csv
-	@gosec -fmt=csv -out=gosec_output.csv -exclude=G104,G304 ./... || (cat gosec_output.csv >&2; exit 1)
-
-build:
-	@echo "+ $@"
-	@go build -tags "${NOTARY_BUILDTAGS}" -v ${GO_LDFLAGS} $(PKGS)
-
-# When running `go test ./...`, it runs all the suites in parallel, which causes
-# problems when running with a yubikey
-test: TESTOPTS =
-test:
-	@echo Note: when testing with a yubikey plugged in, make sure to include 'TESTOPTS="-p 1"'
-	@echo "+ $@ $(TESTOPTS)"
-	@echo
-	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) $(PKGS)
-
-integration: TESTDB = mysql
-integration: clean
-	buildscripts/integrationtest.sh $(TESTDB)
-
-testdb: TESTDB = mysql
-testdb:
-	buildscripts/dbtests.sh $(TESTDB)
-
-protos:
-	@protoc --go_out=plugins=grpc:. proto/*.proto
-
-# This allows coverage for a package to come from tests in different package.
-# Requires that the following:
-# go get github.com/wadey/gocovmerge; go install github.com/wadey/gocovmerge
-#
-# be run first
-gen-cover:
-gen-cover:
-	@python -u buildscripts/covertest.py --tags "$(NOTARY_BUILDTAGS)" --pkgs="$(PKGS)" --testopts="${TESTOPTS}"
-
-# Generates the cover binaries and runs them all in serial, so this can be used
-# run all tests with a yubikey without any problems
-cover: gen-cover covmerge
-	@go tool cover -html="$(COVERPROFILE)"
-
-# Generates the cover binaries and runs them all in serial, so this can be used
-# run all tests with a yubikey without any problems
-ci: override TESTOPTS = -race
-# Codecov knows how to merge multiple coverage files, so covmerge is not needed
-ci: gen-cover
-
-yubikey-tests: override PKGS = github.com/theupdateframework/notary/cmd/notary github.com/theupdateframework/notary/trustmanager/yubikey
-yubikey-tests: ci
-
-covmerge:
-	@gocovmerge $(shell find . -name coverage*.txt | tr "\n" " ") > $(COVERPROFILE)
-	@go tool cover -func="$(COVERPROFILE)"
-
-clean-protos:
-	@rm proto/*.pb.go
-
-client: ${PREFIX}/bin/notary
-	@echo "+ $@"
-
-binaries: ${PREFIX}/bin/notary-server ${PREFIX}/bin/notary ${PREFIX}/bin/notary-signer
-	@echo "+ $@"
-
-escrow: ${PREFIX}/bin/escrow
-	@echo "+ $@"
-
-static: ${PREFIX}/bin/static/notary-server ${PREFIX}/bin/static/notary-signer ${PREFIX}/bin/static/notary
-	@echo "+ $@"
-
-notary-dockerfile:
-	@docker build --rm --force-rm -t notary .
-
-server-dockerfile:
-	@docker build --rm --force-rm -f server.Dockerfile -t notary-server .
-
-signer-dockerfile:
-	@docker build --rm --force-rm -f signer.Dockerfile -t notary-signer .
-
-docker-images: notary-dockerfile server-dockerfile signer-dockerfile
-
-shell: notary-dockerfile
-	docker run --rm -it -v $(CURDIR)/cross:$(NOTARYDIR)/cross -v $(CURDIR)/bin:$(NOTARYDIR)/bin notary bash
-
-cross:
-	@rm -rf $(CURDIR)/cross
-	@docker build --rm --force-rm -t notary -f cross.Dockerfile .
-	docker run --rm -v $(CURDIR)/cross:$(NOTARYDIR)/cross -e CTIMEVAR="${CTIMEVAR}" -e NOTARY_BUILDTAGS=$(NOTARY_BUILDTAGS) notary buildscripts/cross.sh $(GOOSES)
-
-clean:
-	@echo "+ $@"
-	@rm -rf .cover cross
-	find . -name coverage.txt -delete
-	@rm -rf "${PREFIX}/bin/notary-server" "${PREFIX}/bin/notary" "${PREFIX}/bin/notary-signer"
-	@rm -rf "${PREFIX}/bin/static"
diff --git a/vendor/github.com/theupdateframework/notary/NOTARY_VERSION b/vendor/github.com/theupdateframework/notary/NOTARY_VERSION
deleted file mode 100644
index ee6cdce3..00000000
--- a/vendor/github.com/theupdateframework/notary/NOTARY_VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.6.1
diff --git a/vendor/github.com/theupdateframework/notary/README.md b/vendor/github.com/theupdateframework/notary/README.md
deleted file mode 100644
index 77bc4b3b..00000000
--- a/vendor/github.com/theupdateframework/notary/README.md
+++ /dev/null
@@ -1,135 +0,0 @@
-<img src="docs/images/notary-blk.svg" alt="Notary" width="400px"/>
-
-[![GoDoc](https://godoc.org/github.com/theupdateframework/notary?status.svg)](https://godoc.org/github.com/theupdateframework/notary)
-[![Circle CI](https://circleci.com/gh/theupdateframework/notary/tree/master.svg?style=shield)](https://circleci.com/gh/theupdateframework/notary/tree/master) [![CodeCov](https://codecov.io/github/theupdateframework/notary/coverage.svg?branch=master)](https://codecov.io/github/theupdateframework/notary) [![GoReportCard](https://goreportcard.com/badge/theupdateframework/notary)](https://goreportcard.com/report/github.com/theupdateframework/notary)
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_shield)
-
-# Notice
-
-The Notary project has officially been accepted in to the Cloud Native Computing Foundation (CNCF).
-It has moved to https://github.com/theupdateframework/notary. Any downstream consumers should update
-their Go imports to use this new location, which will be the canonical location going forward.
-
-We have moved the repo in GitHub, which will allow existing importers to continue using the old
-location via GitHub's redirect.
-
-# Overview
-
-The Notary project comprises a [server](cmd/notary-server) and a [client](cmd/notary) for running and interacting
-with trusted collections. See the [service architecture](docs/service_architecture.md) documentation
-for more information.
-
-Notary aims to make the internet more secure by making it easy for people to
-publish and verify content. We often rely on TLS to secure our communications
-with a web server, which is inherently flawed, as any compromise of the server
-enables malicious content to be substituted for the legitimate content.
-
-With Notary, publishers can sign their content offline using keys kept highly
-secure. Once the publisher is ready to make the content available, they can
-push their signed trusted collection to a Notary Server.
-
-Consumers, having acquired the publisher's public key through a secure channel,
-can then communicate with any Notary server or (insecure) mirror, relying
-only on the publisher's key to determine the validity and integrity of the
-received content.
-
-## Goals
-
-Notary is based on [The Update Framework](https://www.theupdateframework.com/), a secure general design for the problem of software distribution and updates. By using TUF, Notary achieves a number of key advantages:
-
-* **Survivable Key Compromise**: Content publishers must manage keys in order to sign their content. Signing keys may be compromised or lost so systems must be designed in order to be flexible and recoverable in the case of key compromise. TUF's notion of key roles is utilized to separate responsibilities across a hierarchy of keys such that loss of any particular key (except the root role) by itself is not fatal to the security of the system.
-* **Freshness Guarantees**: Replay attacks are a common problem in designing secure systems, where previously valid payloads are replayed to trick another system. The same problem exists in the software update systems, where old signed can be presented as the most recent. Notary makes use of timestamping on publishing so that consumers can know that they are receiving the most up to date content. This is particularly important when dealing with software update where old vulnerable versions could be used to attack users.
-* **Configurable Trust Thresholds**: Oftentimes there are a large number of publishers that are allowed to publish a particular piece of content. For example, open source projects where there are a number of core maintainers. Trust thresholds can be used so that content consumers require a configurable number of signatures on a piece of content in order to trust it. Using thresholds increases security so that loss of individual signing keys doesn't allow publishing of malicious content.
-* **Signing Delegation**: To allow for flexible publishing of trusted collections, a content publisher can delegate part of their collection to another signer. This delegation is represented as signed metadata so that a consumer of the content can verify both the content and the delegation.
-* **Use of Existing Distribution**: Notary's trust guarantees are not tied at all to particular distribution channels from which content is delivered. Therefore, trust can be added to any existing content delivery mechanism.
-* **Untrusted Mirrors and Transport**: All of the notary metadata can be mirrored and distributed via arbitrary channels.
-
-## Security
-
-Any security vulnerabilities can be reported to security@docker.com.
-
-See Notary's [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
-
-### Security Audits
-
-Notary has had two public security audits:
-
-* [August 7, 2018 by Cure53](docs/resources/cure53_tuf_notary_audit_2018_08_07.pdf) covering TUF and Notary
-* [July 31, 2015 by NCC](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf) covering Notary
-
-# Getting started with the Notary CLI
-
-Get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary).
-The version of the Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.
-
-To use the Notary CLI with Docker hub images, have a look at Notary's
-[getting started docs](docs/getting_started.md).
-
-For more advanced usage, see the
-[advanced usage docs](docs/advanced_usage.md).
-
-To use the CLI against a local Notary server rather than against Docker Hub:
-
-1. Ensure that you have [docker and docker-compose](https://docs.docker.com/compose/install/) installed.
-1. `git clone https://github.com/theupdateframework/notary.git` and from the cloned repository path,
-    start up a local Notary server and signer and copy the config file and testing certs to your
-    local Notary config directory:
-
-    ```sh
-    $ docker-compose build
-    $ docker-compose up -d
-    $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
-    ```
-
-1. Add `127.0.0.1 notary-server` to your `/etc/hosts`, or if using docker-machine,
-    add `$(docker-machine ip) notary-server`).
-
-You can run through the examples in the
-[getting started docs](docs/getting_started.md) and
-[advanced usage docs](docs/advanced_usage.md), but
-without the `-s` (server URL) argument to the `notary` command since the server
-URL is specified already in the configuration, file you copied.
-
-You can also leave off the `-d ~/.docker/trust` argument if you do not care
-to use `notary` with Docker images.
-
-## Upgrading dependencies
-
-To prevent mistakes in vendoring the go modules a buildscript has been added to properly vendor the modules using the correct version of Go to mitigate differences in CI and development environment.
-
-Following procedure should be executed to upgrade a dependency. Preferably keep dependency upgrades in a separate commit from your code changes.
-
-```bash
-go get -u github.com/spf13/viper
-buildscripts/circle-validate-vendor.sh
-git add .
-git commit -m "Upgraded github.com/spf13/viper"
-```
-
-The `buildscripts/circle-validate-vendor.sh` runs `go mod tidy` and `go mod vendor` using the given version of Go to prevent differences if you are for example running on a different version of Go.
-
-## Building Notary
-
-Note that Notary's [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the
-[releases branch](https://github.com/theupdateframework/notary/tree/releases).  The master branch is the development
-branch and contains features for the next release.
-
-Prerequisites:
-
-* Go >= 1.12
-
-Set [```GOPATH```](https://golang.org/doc/code.html#GOPATH). Then, run:
-
-```bash
-$ export GO111MODULE=on
-$ go get github.com/theupdateframework/notary
-# build with pkcs11 support by default to support yubikey
-$ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary
-$ notary
-```
-
-To build the server and signer, run `docker-compose build`.
-
-## License
-
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large)
diff --git a/vendor/github.com/theupdateframework/notary/client/changelist/change.go b/vendor/github.com/theupdateframework/notary/client/changelist/change.go
deleted file mode 100644
index 8242ec00..00000000
--- a/vendor/github.com/theupdateframework/notary/client/changelist/change.go
+++ /dev/null
@@ -1,100 +0,0 @@
-package changelist
-
-import (
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// Scopes for TUFChanges are simply the TUF roles.
-// Unfortunately because of targets delegations, we can only
-// cover the base roles.
-const (
-	ScopeRoot    = "root"
-	ScopeTargets = "targets"
-)
-
-// Types for TUFChanges are namespaced by the Role they
-// are relevant for. The Root and Targets roles are the
-// only ones for which user action can cause a change, as
-// all changes in Snapshot and Timestamp are programmatically
-// generated base on Root and Targets changes.
-const (
-	TypeBaseRole          = "role"
-	TypeTargetsTarget     = "target"
-	TypeTargetsDelegation = "delegation"
-	TypeWitness           = "witness"
-)
-
-// TUFChange represents a change to a TUF repo
-type TUFChange struct {
-	// Abbreviated because Go doesn't permit a field and method of the same name
-	Actn       string        `json:"action"`
-	Role       data.RoleName `json:"role"`
-	ChangeType string        `json:"type"`
-	ChangePath string        `json:"path"`
-	Data       []byte        `json:"data"`
-}
-
-// TUFRootData represents a modification of the keys associated
-// with a role that appears in the root.json
-type TUFRootData struct {
-	Keys     data.KeyList  `json:"keys"`
-	RoleName data.RoleName `json:"role"`
-}
-
-// NewTUFChange initializes a TUFChange object
-func NewTUFChange(action string, role data.RoleName, changeType, changePath string, content []byte) *TUFChange {
-	return &TUFChange{
-		Actn:       action,
-		Role:       role,
-		ChangeType: changeType,
-		ChangePath: changePath,
-		Data:       content,
-	}
-}
-
-// Action return c.Actn
-func (c TUFChange) Action() string {
-	return c.Actn
-}
-
-// Scope returns c.Role
-func (c TUFChange) Scope() data.RoleName {
-	return c.Role
-}
-
-// Type returns c.ChangeType
-func (c TUFChange) Type() string {
-	return c.ChangeType
-}
-
-// Path return c.ChangePath
-func (c TUFChange) Path() string {
-	return c.ChangePath
-}
-
-// Content returns c.Data
-func (c TUFChange) Content() []byte {
-	return c.Data
-}
-
-// TUFDelegation represents a modification to a target delegation
-// this includes creating a delegations. This format is used to avoid
-// unexpected race conditions between humans modifying the same delegation
-type TUFDelegation struct {
-	NewName       data.RoleName `json:"new_name,omitempty"`
-	NewThreshold  int           `json:"threshold,omitempty"`
-	AddKeys       data.KeyList  `json:"add_keys,omitempty"`
-	RemoveKeys    []string      `json:"remove_keys,omitempty"`
-	AddPaths      []string      `json:"add_paths,omitempty"`
-	RemovePaths   []string      `json:"remove_paths,omitempty"`
-	ClearAllPaths bool          `json:"clear_paths,omitempty"`
-}
-
-// ToNewRole creates a fresh role object from the TUFDelegation data
-func (td TUFDelegation) ToNewRole(scope data.RoleName) (*data.Role, error) {
-	name := scope
-	if td.NewName != "" {
-		name = td.NewName
-	}
-	return data.NewRole(name, td.NewThreshold, td.AddKeys.IDs(), td.AddPaths)
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/changelist/changelist.go b/vendor/github.com/theupdateframework/notary/client/changelist/changelist.go
deleted file mode 100644
index 30cf6945..00000000
--- a/vendor/github.com/theupdateframework/notary/client/changelist/changelist.go
+++ /dev/null
@@ -1,82 +0,0 @@
-package changelist
-
-// memChangeList implements a simple in memory change list.
-type memChangelist struct {
-	changes []Change
-}
-
-// NewMemChangelist instantiates a new in-memory changelist
-func NewMemChangelist() Changelist {
-	return &memChangelist{}
-}
-
-// List returns a list of Changes
-func (cl memChangelist) List() []Change {
-	return cl.changes
-}
-
-// Add adds a change to the in-memory change list
-func (cl *memChangelist) Add(c Change) error {
-	cl.changes = append(cl.changes, c)
-	return nil
-}
-
-// Location returns the string "memory"
-func (cl memChangelist) Location() string {
-	return "memory"
-}
-
-// Remove deletes the changes found at the given indices
-func (cl *memChangelist) Remove(idxs []int) error {
-	remove := make(map[int]struct{})
-	for _, i := range idxs {
-		remove[i] = struct{}{}
-	}
-	var keep []Change
-
-	for i, c := range cl.changes {
-		if _, ok := remove[i]; ok {
-			continue
-		}
-		keep = append(keep, c)
-	}
-	cl.changes = keep
-	return nil
-}
-
-// Clear empties the changelist file.
-func (cl *memChangelist) Clear(archive string) error {
-	// appending to a nil list initializes it.
-	cl.changes = nil
-	return nil
-}
-
-// Close is a no-op in this in-memory change-list
-func (cl *memChangelist) Close() error {
-	return nil
-}
-
-func (cl *memChangelist) NewIterator() (ChangeIterator, error) {
-	return &MemChangeListIterator{index: 0, collection: cl.changes}, nil
-}
-
-// MemChangeListIterator is a concrete instance of ChangeIterator
-type MemChangeListIterator struct {
-	index      int
-	collection []Change // Same type as memChangeList.changes
-}
-
-// Next returns the next Change
-func (m *MemChangeListIterator) Next() (item Change, err error) {
-	if m.index >= len(m.collection) {
-		return nil, IteratorBoundsError(m.index)
-	}
-	item = m.collection[m.index]
-	m.index++
-	return item, err
-}
-
-// HasNext indicates whether the iterator is exhausted
-func (m *MemChangeListIterator) HasNext() bool {
-	return m.index < len(m.collection)
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/changelist/file_changelist.go b/vendor/github.com/theupdateframework/notary/client/changelist/file_changelist.go
deleted file mode 100644
index 2c7b3bfa..00000000
--- a/vendor/github.com/theupdateframework/notary/client/changelist/file_changelist.go
+++ /dev/null
@@ -1,208 +0,0 @@
-package changelist
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"sort"
-	"time"
-
-	"github.com/docker/distribution/uuid"
-	"github.com/sirupsen/logrus"
-)
-
-// FileChangelist stores all the changes as files
-type FileChangelist struct {
-	dir string
-}
-
-// NewFileChangelist is a convenience method for returning FileChangeLists
-func NewFileChangelist(dir string) (*FileChangelist, error) {
-	logrus.Debug("Making dir path: ", dir)
-	err := os.MkdirAll(dir, 0700)
-	if err != nil {
-		return nil, err
-	}
-	return &FileChangelist{dir: dir}, nil
-}
-
-// getFileNames reads directory, filtering out child directories
-func getFileNames(dirName string) ([]os.FileInfo, error) {
-	var dirListing, fileInfos []os.FileInfo
-	dir, err := os.Open(dirName)
-	if err != nil {
-		return fileInfos, err
-	}
-	defer func() {
-		_ = dir.Close()
-	}()
-
-	dirListing, err = dir.Readdir(0)
-	if err != nil {
-		return fileInfos, err
-	}
-	for _, f := range dirListing {
-		if f.IsDir() {
-			continue
-		}
-		fileInfos = append(fileInfos, f)
-	}
-	sort.Sort(fileChanges(fileInfos))
-	return fileInfos, nil
-}
-
-// Read a JSON formatted file from disk; convert to TUFChange struct
-func unmarshalFile(dirname string, f os.FileInfo) (*TUFChange, error) {
-	c := &TUFChange{}
-	raw, err := ioutil.ReadFile(filepath.Join(dirname, f.Name()))
-	if err != nil {
-		return c, err
-	}
-	err = json.Unmarshal(raw, c)
-	if err != nil {
-		return c, err
-	}
-	return c, nil
-}
-
-// List returns a list of sorted changes
-func (cl FileChangelist) List() []Change {
-	var changes []Change
-	fileInfos, err := getFileNames(cl.dir)
-	if err != nil {
-		return changes
-	}
-	for _, f := range fileInfos {
-		c, err := unmarshalFile(cl.dir, f)
-		if err != nil {
-			logrus.Warn(err.Error())
-			continue
-		}
-		changes = append(changes, c)
-	}
-	return changes
-}
-
-// Add adds a change to the file change list
-func (cl FileChangelist) Add(c Change) error {
-	cJSON, err := json.Marshal(c)
-	if err != nil {
-		return err
-	}
-	filename := fmt.Sprintf("%020d_%s.change", time.Now().UnixNano(), uuid.Generate())
-	return ioutil.WriteFile(filepath.Join(cl.dir, filename), cJSON, 0600)
-}
-
-// Remove deletes the changes found at the given indices
-func (cl FileChangelist) Remove(idxs []int) error {
-	fileInfos, err := getFileNames(cl.dir)
-	if err != nil {
-		return err
-	}
-	remove := make(map[int]struct{})
-	for _, i := range idxs {
-		remove[i] = struct{}{}
-	}
-	for i, c := range fileInfos {
-		if _, ok := remove[i]; ok {
-			file := filepath.Join(cl.dir, c.Name())
-			if err := os.Remove(file); err != nil {
-				logrus.Errorf("could not remove change %d: %s", i, err.Error())
-			}
-		}
-	}
-	return nil
-}
-
-// Clear clears the change list
-// N.B. archiving not currently implemented
-func (cl FileChangelist) Clear(archive string) error {
-	dir, err := os.Open(cl.dir)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		_ = dir.Close()
-	}()
-
-	files, err := dir.Readdir(0)
-	if err != nil {
-		return err
-	}
-	for _, f := range files {
-		os.Remove(filepath.Join(cl.dir, f.Name()))
-	}
-	return nil
-}
-
-// Close is a no-op
-func (cl FileChangelist) Close() error {
-	// Nothing to do here
-	return nil
-}
-
-// Location returns the file path to the changelist
-func (cl FileChangelist) Location() string {
-	return cl.dir
-}
-
-// NewIterator creates an iterator from FileChangelist
-func (cl FileChangelist) NewIterator() (ChangeIterator, error) {
-	fileInfos, err := getFileNames(cl.dir)
-	if err != nil {
-		return &FileChangeListIterator{}, err
-	}
-	return &FileChangeListIterator{dirname: cl.dir, collection: fileInfos}, nil
-}
-
-// IteratorBoundsError is an Error type used by Next()
-type IteratorBoundsError int
-
-// Error implements the Error interface
-func (e IteratorBoundsError) Error() string {
-	return fmt.Sprintf("Iterator index (%d) out of bounds", e)
-}
-
-// FileChangeListIterator is a concrete instance of ChangeIterator
-type FileChangeListIterator struct {
-	index      int
-	dirname    string
-	collection []os.FileInfo
-}
-
-// Next returns the next Change in the FileChangeList
-func (m *FileChangeListIterator) Next() (item Change, err error) {
-	if m.index >= len(m.collection) {
-		return nil, IteratorBoundsError(m.index)
-	}
-	f := m.collection[m.index]
-	m.index++
-	item, err = unmarshalFile(m.dirname, f)
-	return
-}
-
-// HasNext indicates whether iterator is exhausted
-func (m *FileChangeListIterator) HasNext() bool {
-	return m.index < len(m.collection)
-}
-
-type fileChanges []os.FileInfo
-
-// Len returns the length of a file change list
-func (cs fileChanges) Len() int {
-	return len(cs)
-}
-
-// Less compares the names of two different file changes
-func (cs fileChanges) Less(i, j int) bool {
-	return cs[i].Name() < cs[j].Name()
-}
-
-// Swap swaps the position of two file changes
-func (cs fileChanges) Swap(i, j int) {
-	tmp := cs[i]
-	cs[i] = cs[j]
-	cs[j] = tmp
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/changelist/interface.go b/vendor/github.com/theupdateframework/notary/client/changelist/interface.go
deleted file mode 100644
index b957dd34..00000000
--- a/vendor/github.com/theupdateframework/notary/client/changelist/interface.go
+++ /dev/null
@@ -1,78 +0,0 @@
-package changelist
-
-import "github.com/theupdateframework/notary/tuf/data"
-
-// Changelist is the interface for all TUF change lists
-type Changelist interface {
-	// List returns the ordered list of changes
-	// currently stored
-	List() []Change
-
-	// Add change appends the provided change to
-	// the list of changes
-	Add(Change) error
-
-	// Clear empties the current change list.
-	// Archive may be provided as a directory path
-	// to save a copy of the changelist in that location
-	Clear(archive string) error
-
-	// Remove deletes the changes corresponding with the indices given
-	Remove(idxs []int) error
-
-	// Close synchronizes any pending writes to the underlying
-	// storage and closes the file/connection
-	Close() error
-
-	// NewIterator returns an iterator for walking through the list
-	// of changes currently stored
-	NewIterator() (ChangeIterator, error)
-
-	// Location returns the place the changelist is stores
-	Location() string
-}
-
-const (
-	// ActionCreate represents a Create action
-	ActionCreate = "create"
-	// ActionUpdate represents an Update action
-	ActionUpdate = "update"
-	// ActionDelete represents a Delete action
-	ActionDelete = "delete"
-)
-
-// Change is the interface for a TUF Change
-type Change interface {
-	// "create","update", or "delete"
-	Action() string
-
-	// Where the change should be made.
-	// For TUF this will be the role
-	Scope() data.RoleName
-
-	// The content type being affected.
-	// For TUF this will be "target", or "delegation".
-	// If the type is "delegation", the Scope will be
-	// used to determine if a root role is being updated
-	// or a target delegation.
-	Type() string
-
-	// Path indicates the entry within a role to be affected by the
-	// change. For targets, this is simply the target's path,
-	// for delegations it's the delegated role name.
-	Path() string
-
-	// Serialized content that the interpreter of a changelist
-	// can use to apply the change.
-	// For TUF this will be the serialized JSON that needs
-	// to be inserted or merged. In the case of a "delete"
-	// action, it will be nil.
-	Content() []byte
-}
-
-// ChangeIterator is the interface for iterating across collections of
-// TUF Change items
-type ChangeIterator interface {
-	Next() (Change, error)
-	HasNext() bool
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/client.go b/vendor/github.com/theupdateframework/notary/client/client.go
deleted file mode 100644
index cfaa6146..00000000
--- a/vendor/github.com/theupdateframework/notary/client/client.go
+++ /dev/null
@@ -1,998 +0,0 @@
-//Package client implements everything required for interacting with a Notary repository.
-package client
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"path/filepath"
-	"time"
-
-	canonicaljson "github.com/docker/go/canonical/json"
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/client/changelist"
-	"github.com/theupdateframework/notary/cryptoservice"
-	store "github.com/theupdateframework/notary/storage"
-	"github.com/theupdateframework/notary/trustpinning"
-	"github.com/theupdateframework/notary/tuf"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-const (
-	tufDir = "tuf"
-
-	// SignWithAllOldVersions is a sentinel constant for LegacyVersions flag
-	SignWithAllOldVersions = -1
-)
-
-func init() {
-	data.SetDefaultExpiryTimes(data.NotaryDefaultExpiries)
-}
-
-// repository stores all the information needed to operate on a notary repository.
-type repository struct {
-	gun            data.GUN
-	baseURL        string
-	changelist     changelist.Changelist
-	cache          store.MetadataStore
-	remoteStore    store.RemoteStore
-	cryptoService  signed.CryptoService
-	tufRepo        *tuf.Repo
-	invalid        *tuf.Repo // known data that was parsable but deemed invalid
-	roundTrip      http.RoundTripper
-	trustPinning   trustpinning.TrustPinConfig
-	LegacyVersions int // number of versions back to fetch roots to sign with
-}
-
-// NewFileCachedRepository is a wrapper for NewRepository that initializes
-// a file cache from the provided repository, local config information and a crypto service.
-// It also retrieves the remote store associated to the base directory under where all the
-// trust files will be stored (This is normally defaults to "~/.notary" or "~/.docker/trust"
-// when enabling Docker content trust) and the specified GUN.
-//
-// In case of a nil RoundTripper, a default offline store is used instead.
-func NewFileCachedRepository(baseDir string, gun data.GUN, baseURL string, rt http.RoundTripper,
-	retriever notary.PassRetriever, trustPinning trustpinning.TrustPinConfig) (Repository, error) {
-
-	cache, err := store.NewFileStore(
-		filepath.Join(baseDir, tufDir, filepath.FromSlash(gun.String()), "metadata"),
-		"json",
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	keyStores, err := getKeyStores(baseDir, retriever)
-	if err != nil {
-		return nil, err
-	}
-
-	cryptoService := cryptoservice.NewCryptoService(keyStores...)
-
-	remoteStore, err := getRemoteStore(baseURL, gun, rt)
-	if err != nil {
-		// baseURL is syntactically invalid
-		return nil, err
-	}
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(
-		filepath.Join(baseDir, tufDir, filepath.FromSlash(gun.String()), "changelist"),
-	))
-	if err != nil {
-		return nil, err
-	}
-
-	return NewRepository(gun, baseURL, remoteStore, cache, trustPinning, cryptoService, cl)
-}
-
-// NewRepository is the base method that returns a new notary repository.
-// It expects an initialized cache. In case of a nil remote store, a default
-// offline store is used.
-func NewRepository(gun data.GUN, baseURL string, remoteStore store.RemoteStore, cache store.MetadataStore,
-	trustPinning trustpinning.TrustPinConfig, cryptoService signed.CryptoService, cl changelist.Changelist) (Repository, error) {
-
-	// Repo's remote store is either a valid remote store or an OfflineStore
-	if remoteStore == nil {
-		remoteStore = store.OfflineStore{}
-	}
-
-	if cache == nil {
-		return nil, fmt.Errorf("got an invalid cache (nil metadata store)")
-	}
-
-	nRepo := &repository{
-		gun:            gun,
-		baseURL:        baseURL,
-		changelist:     cl,
-		cache:          cache,
-		remoteStore:    remoteStore,
-		cryptoService:  cryptoService,
-		trustPinning:   trustPinning,
-		LegacyVersions: 0, // By default, don't sign with legacy roles
-	}
-
-	return nRepo, nil
-}
-
-// GetGUN is a getter for the GUN object from a Repository
-func (r *repository) GetGUN() data.GUN {
-	return r.gun
-}
-
-func (r *repository) updateTUF(forWrite bool) error {
-	repo, invalid, err := LoadTUFRepo(TUFLoadOptions{
-		GUN:                    r.gun,
-		TrustPinning:           r.trustPinning,
-		CryptoService:          r.cryptoService,
-		Cache:                  r.cache,
-		RemoteStore:            r.remoteStore,
-		AlwaysCheckInitialized: forWrite,
-	})
-	if err != nil {
-		return err
-	}
-	r.tufRepo = repo
-	r.invalid = invalid
-	return nil
-}
-
-// ListTargets calls update first before listing targets
-func (r *repository) ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error) {
-	if err := r.updateTUF(false); err != nil {
-		return nil, err
-	}
-	return NewReadOnly(r.tufRepo).ListTargets(roles...)
-}
-
-// GetTargetByName calls update first before getting target by name
-func (r *repository) GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error) {
-	if err := r.updateTUF(false); err != nil {
-		return nil, err
-	}
-	return NewReadOnly(r.tufRepo).GetTargetByName(name, roles...)
-}
-
-// GetAllTargetMetadataByName calls update first before getting targets by name
-func (r *repository) GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error) {
-	if err := r.updateTUF(false); err != nil {
-		return nil, err
-	}
-	return NewReadOnly(r.tufRepo).GetAllTargetMetadataByName(name)
-
-}
-
-// ListRoles calls update first before getting roles
-func (r *repository) ListRoles() ([]RoleWithSignatures, error) {
-	if err := r.updateTUF(false); err != nil {
-		return nil, err
-	}
-	return NewReadOnly(r.tufRepo).ListRoles()
-}
-
-// GetDelegationRoles calls update first before getting all delegation roles
-func (r *repository) GetDelegationRoles() ([]data.Role, error) {
-	if err := r.updateTUF(false); err != nil {
-		return nil, err
-	}
-	return NewReadOnly(r.tufRepo).GetDelegationRoles()
-}
-
-// NewTarget is a helper method that returns a Target
-func NewTarget(targetName, targetPath string, targetCustom *canonicaljson.RawMessage) (*Target, error) {
-	b, err := ioutil.ReadFile(targetPath)
-	if err != nil {
-		return nil, err
-	}
-
-	meta, err := data.NewFileMeta(bytes.NewBuffer(b), data.NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Target{Name: targetName, Hashes: meta.Hashes, Length: meta.Length, Custom: targetCustom}, nil
-}
-
-// rootCertKey generates the corresponding certificate for the private key given the privKey and repo's GUN
-func rootCertKey(gun data.GUN, privKey data.PrivateKey) (data.PublicKey, error) {
-	// Hard-coded policy: the generated certificate expires in 10 years.
-	startTime := time.Now()
-	cert, err := cryptoservice.GenerateCertificate(
-		privKey, gun, startTime, startTime.Add(notary.Year*10))
-	if err != nil {
-		return nil, err
-	}
-
-	x509PublicKey := utils.CertToKey(cert)
-	if x509PublicKey == nil {
-		return nil, fmt.Errorf("cannot generate public key from private key with id: %v and algorithm: %v", privKey.ID(), privKey.Algorithm())
-	}
-
-	return x509PublicKey, nil
-}
-
-// GetCryptoService is the getter for the repository's CryptoService
-func (r *repository) GetCryptoService() signed.CryptoService {
-	return r.cryptoService
-}
-
-// initialize initializes the notary repository with a set of rootkeys, root certificates and roles.
-func (r *repository) initialize(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
-
-	// currently we only support server managing timestamps and snapshots, and
-	// nothing else - timestamps are always managed by the server, and implicit
-	// (do not have to be passed in as part of `serverManagedRoles`, so that
-	// the API of Initialize doesn't change).
-	var serverManagesSnapshot bool
-	locallyManagedKeys := []data.RoleName{
-		data.CanonicalTargetsRole,
-		data.CanonicalSnapshotRole,
-		// root is also locally managed, but that should have been created
-		// already
-	}
-	remotelyManagedKeys := []data.RoleName{data.CanonicalTimestampRole}
-	for _, role := range serverManagedRoles {
-		switch role {
-		case data.CanonicalTimestampRole:
-			continue // timestamp is already in the right place
-		case data.CanonicalSnapshotRole:
-			// because we put Snapshot last
-			locallyManagedKeys = []data.RoleName{data.CanonicalTargetsRole}
-			remotelyManagedKeys = append(
-				remotelyManagedKeys, data.CanonicalSnapshotRole)
-			serverManagesSnapshot = true
-		default:
-			return ErrInvalidRemoteRole{Role: role}
-		}
-	}
-
-	// gets valid public keys corresponding to the rootKeyIDs or generate if necessary
-	var publicKeys []data.PublicKey
-	var err error
-	if len(rootCerts) == 0 {
-		publicKeys, err = r.createNewPublicKeyFromKeyIDs(rootKeyIDs)
-	} else {
-		publicKeys, err = r.publicKeysOfKeyIDs(rootKeyIDs, rootCerts)
-	}
-	if err != nil {
-		return err
-	}
-
-	//initialize repo with public keys
-	rootRole, targetsRole, snapshotRole, timestampRole, err := r.initializeRoles(
-		publicKeys,
-		locallyManagedKeys,
-		remotelyManagedKeys,
-	)
-	if err != nil {
-		return err
-	}
-
-	r.tufRepo = tuf.NewRepo(r.GetCryptoService())
-
-	if err := r.tufRepo.InitRoot(
-		rootRole,
-		timestampRole,
-		snapshotRole,
-		targetsRole,
-		false,
-	); err != nil {
-		logrus.Debug("Error on InitRoot: ", err.Error())
-		return err
-	}
-	if _, err := r.tufRepo.InitTargets(data.CanonicalTargetsRole); err != nil {
-		logrus.Debug("Error on InitTargets: ", err.Error())
-		return err
-	}
-	if err := r.tufRepo.InitSnapshot(); err != nil {
-		logrus.Debug("Error on InitSnapshot: ", err.Error())
-		return err
-	}
-
-	return r.saveMetadata(serverManagesSnapshot)
-}
-
-// createNewPublicKeyFromKeyIDs generates a set of public keys corresponding to the given list of
-// key IDs existing in the repository's CryptoService.
-// the public keys returned are ordered to correspond to the keyIDs
-func (r *repository) createNewPublicKeyFromKeyIDs(keyIDs []string) ([]data.PublicKey, error) {
-	publicKeys := []data.PublicKey{}
-
-	privKeys, err := getAllPrivKeys(keyIDs, r.GetCryptoService())
-	if err != nil {
-		return nil, err
-	}
-
-	for _, privKey := range privKeys {
-		rootKey, err := rootCertKey(r.gun, privKey)
-		if err != nil {
-			return nil, err
-		}
-		publicKeys = append(publicKeys, rootKey)
-	}
-	return publicKeys, nil
-}
-
-// publicKeysOfKeyIDs confirms that the public key and private keys (by Key IDs) forms valid, strictly ordered key pairs
-// (eg. keyIDs[0] must match pubKeys[0] and keyIDs[1] must match certs[1] and so on).
-// Or throw error when they mismatch.
-func (r *repository) publicKeysOfKeyIDs(keyIDs []string, pubKeys []data.PublicKey) ([]data.PublicKey, error) {
-	if len(keyIDs) != len(pubKeys) {
-		err := fmt.Errorf("require matching number of keyIDs and public keys but got %d IDs and %d public keys", len(keyIDs), len(pubKeys))
-		return nil, err
-	}
-
-	if err := matchKeyIdsWithPubKeys(r, keyIDs, pubKeys); err != nil {
-		return nil, fmt.Errorf("could not obtain public key from IDs: %v", err)
-	}
-	return pubKeys, nil
-}
-
-// matchKeyIdsWithPubKeys validates that the private keys (represented by their IDs) and the public keys
-// forms matching key pairs
-func matchKeyIdsWithPubKeys(r *repository, ids []string, pubKeys []data.PublicKey) error {
-	for i := 0; i < len(ids); i++ {
-		privKey, _, err := r.GetCryptoService().GetPrivateKey(ids[i])
-		if err != nil {
-			return fmt.Errorf("could not get the private key matching id %v: %v", ids[i], err)
-		}
-
-		pubKey := pubKeys[i]
-		err = signed.VerifyPublicKeyMatchesPrivateKey(privKey, pubKey)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// Initialize creates a new repository by using rootKey as the root Key for the
-// TUF repository. The server must be reachable (and is asked to generate a
-// timestamp key and possibly other serverManagedRoles), but the created repository
-// result is only stored on local disk, not published to the server. To do that,
-// use r.Publish() eventually.
-func (r *repository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
-	return r.initialize(rootKeyIDs, nil, serverManagedRoles...)
-}
-
-type errKeyNotFound struct{}
-
-func (errKeyNotFound) Error() string {
-	return fmt.Sprintf("cannot find matching private key id")
-}
-
-// keyExistsInList returns the id of the private key in ids that matches the public key
-// otherwise return empty string
-func keyExistsInList(cert data.PublicKey, ids map[string]bool) error {
-	pubKeyID, err := utils.CanonicalKeyID(cert)
-	if err != nil {
-		return fmt.Errorf("failed to obtain the public key id from the given certificate: %v", err)
-	}
-	if _, ok := ids[pubKeyID]; ok {
-		return nil
-	}
-	return errKeyNotFound{}
-}
-
-// InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
-func (r *repository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey,
-	serverManagedRoles ...data.RoleName) error {
-
-	// If we explicitly pass in certificate(s) but not key, then look keys up using certificate
-	if len(rootKeyIDs) == 0 && len(rootCerts) != 0 {
-		rootKeyIDs = []string{}
-		availableRootKeyIDs := make(map[string]bool)
-		for _, k := range r.GetCryptoService().ListKeys(data.CanonicalRootRole) {
-			availableRootKeyIDs[k] = true
-		}
-
-		for _, cert := range rootCerts {
-			if err := keyExistsInList(cert, availableRootKeyIDs); err != nil {
-				return fmt.Errorf("error initializing repository with certificate: %v", err)
-			}
-			keyID, _ := utils.CanonicalKeyID(cert)
-			rootKeyIDs = append(rootKeyIDs, keyID)
-		}
-	}
-	return r.initialize(rootKeyIDs, rootCerts, serverManagedRoles...)
-}
-
-func (r *repository) initializeRoles(rootKeys []data.PublicKey, localRoles, remoteRoles []data.RoleName) (
-	root, targets, snapshot, timestamp data.BaseRole, err error) {
-	root = data.NewBaseRole(
-		data.CanonicalRootRole,
-		notary.MinThreshold,
-		rootKeys...,
-	)
-
-	// we want to create all the local keys first so we don't have to
-	// make unnecessary network calls
-	for _, role := range localRoles {
-		// This is currently hardcoding the keys to ECDSA.
-		var key data.PublicKey
-		key, err = r.GetCryptoService().Create(role, r.gun, data.ECDSAKey)
-		if err != nil {
-			return
-		}
-		switch role {
-		case data.CanonicalSnapshotRole:
-			snapshot = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		case data.CanonicalTargetsRole:
-			targets = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		}
-	}
-
-	remote := r.getRemoteStore()
-
-	for _, role := range remoteRoles {
-		// This key is generated by the remote server.
-		var key data.PublicKey
-		key, err = getRemoteKey(role, remote)
-		if err != nil {
-			return
-		}
-		logrus.Debugf("got remote %s %s key with keyID: %s",
-			role, key.Algorithm(), key.ID())
-		switch role {
-		case data.CanonicalSnapshotRole:
-			snapshot = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		case data.CanonicalTimestampRole:
-			timestamp = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		}
-	}
-	return root, targets, snapshot, timestamp, nil
-}
-
-// adds a TUF Change template to the given roles
-func addChange(cl changelist.Changelist, c changelist.Change, roles ...data.RoleName) error {
-	if len(roles) == 0 {
-		roles = []data.RoleName{data.CanonicalTargetsRole}
-	}
-
-	var changes []changelist.Change
-	for _, role := range roles {
-		// Ensure we can only add targets to the CanonicalTargetsRole,
-		// or a Delegation role (which is <CanonicalTargetsRole>/something else)
-		if role != data.CanonicalTargetsRole && !data.IsDelegation(role) && !data.IsWildDelegation(role) {
-			return data.ErrInvalidRole{
-				Role:   role,
-				Reason: "cannot add targets to this role",
-			}
-		}
-
-		changes = append(changes, changelist.NewTUFChange(
-			c.Action(),
-			role,
-			c.Type(),
-			c.Path(),
-			c.Content(),
-		))
-	}
-
-	for _, c := range changes {
-		if err := cl.Add(c); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// AddTarget creates new changelist entries to add a target to the given roles
-// in the repository when the changelist gets applied at publish time.
-// If roles are unspecified, the default role is "targets"
-func (r *repository) AddTarget(target *Target, roles ...data.RoleName) error {
-	if len(target.Hashes) == 0 {
-		return fmt.Errorf("no hashes specified for target \"%s\"", target.Name)
-	}
-	logrus.Debugf("Adding target \"%s\" with sha256 \"%x\" and size %d bytes.\n", target.Name, target.Hashes["sha256"], target.Length)
-
-	meta := data.FileMeta{Length: target.Length, Hashes: target.Hashes, Custom: target.Custom}
-	metaJSON, err := json.Marshal(meta)
-	if err != nil {
-		return err
-	}
-
-	template := changelist.NewTUFChange(
-		changelist.ActionCreate, "", changelist.TypeTargetsTarget,
-		target.Name, metaJSON)
-	return addChange(r.changelist, template, roles...)
-}
-
-// RemoveTarget creates new changelist entries to remove a target from the given
-// roles in the repository when the changelist gets applied at publish time.
-// If roles are unspecified, the default role is "target".
-func (r *repository) RemoveTarget(targetName string, roles ...data.RoleName) error {
-	logrus.Debugf("Removing target \"%s\"", targetName)
-	template := changelist.NewTUFChange(changelist.ActionDelete, "",
-		changelist.TypeTargetsTarget, targetName, nil)
-	return addChange(r.changelist, template, roles...)
-}
-
-// GetChangelist returns the list of the repository's unpublished changes
-func (r *repository) GetChangelist() (changelist.Changelist, error) {
-	return r.changelist, nil
-}
-
-// getRemoteStore returns the remoteStore of a repository if valid or
-// or an OfflineStore otherwise
-func (r *repository) getRemoteStore() store.RemoteStore {
-	if r.remoteStore != nil {
-		return r.remoteStore
-	}
-
-	r.remoteStore = &store.OfflineStore{}
-
-	return r.remoteStore
-}
-
-// Publish pushes the local changes in signed material to the remote notary-server
-// Conceptually it performs an operation similar to a `git rebase`
-func (r *repository) Publish() error {
-	if err := r.publish(r.changelist); err != nil {
-		return err
-	}
-	if err := r.changelist.Clear(""); err != nil {
-		// This is not a critical problem when only a single host is pushing
-		// but will cause weird behaviour if changelist cleanup is failing
-		// and there are multiple hosts writing to the repo.
-		logrus.Warn("Unable to clear changelist. You may want to manually delete the folder ", r.changelist.Location())
-	}
-	return nil
-}
-
-// publish pushes the changes in the given changelist to the remote notary-server
-// Conceptually it performs an operation similar to a `git rebase`
-func (r *repository) publish(cl changelist.Changelist) error {
-	var initialPublish bool
-	// update first before publishing
-	if err := r.updateTUF(true); err != nil {
-		// If the remote is not aware of the repo, then this is being published
-		// for the first time.  Try to initialize the repository before publishing.
-		if _, ok := err.(ErrRepositoryNotExist); ok {
-			err := r.bootstrapRepo()
-			if _, ok := err.(store.ErrMetaNotFound); ok {
-				logrus.Infof("No TUF data found locally or remotely - initializing repository %s for the first time", r.gun.String())
-				err = r.Initialize(nil)
-			}
-
-			if err != nil {
-				logrus.WithError(err).Debugf("Unable to load or initialize repository during first publish: %s", err.Error())
-				return err
-			}
-
-			// Ensure we will push the initial root and targets file.  Either or
-			// both of the root and targets may not be marked as Dirty, since
-			// there may not be any changes that update them, so use a
-			// different boolean.
-			initialPublish = true
-		} else {
-			// We could not update, so we cannot publish.
-			logrus.Error("Could not publish Repository since we could not update: ", err.Error())
-			return err
-		}
-	}
-	// apply the changelist to the repo
-	if err := applyChangelist(r.tufRepo, r.invalid, cl); err != nil {
-		logrus.Debug("Error applying changelist")
-		return err
-	}
-
-	// these are the TUF files we will need to update, serialized as JSON before
-	// we send anything to remote
-	updatedFiles := make(map[data.RoleName][]byte)
-
-	// Fetch old keys to support old clients
-	legacyKeys, err := r.oldKeysForLegacyClientSupport(r.LegacyVersions, initialPublish)
-	if err != nil {
-		return err
-	}
-
-	// check if our root file is nearing expiry or dirty. Resign if it is.  If
-	// root is not dirty but we are publishing for the first time, then just
-	// publish the existing root we have.
-	if err := signRootIfNecessary(updatedFiles, r.tufRepo, legacyKeys, initialPublish); err != nil {
-		return err
-	}
-
-	if err := signTargets(updatedFiles, r.tufRepo, initialPublish); err != nil {
-		return err
-	}
-
-	// if we initialized the repo while designating the server as the snapshot
-	// signer, then there won't be a snapshots file.  However, we might now
-	// have a local key (if there was a rotation), so initialize one.
-	if r.tufRepo.Snapshot == nil {
-		if err := r.tufRepo.InitSnapshot(); err != nil {
-			return err
-		}
-	}
-
-	if snapshotJSON, err := serializeCanonicalRole(
-		r.tufRepo, data.CanonicalSnapshotRole, nil); err == nil {
-		// Only update the snapshot if we've successfully signed it.
-		updatedFiles[data.CanonicalSnapshotRole] = snapshotJSON
-	} else if signErr, ok := err.(signed.ErrInsufficientSignatures); ok && signErr.FoundKeys == 0 {
-		// If signing fails due to us not having the snapshot key, then
-		// assume the server is going to sign, and do not include any snapshot
-		// data.
-		logrus.Debugf("Client does not have the key to sign snapshot. " +
-			"Assuming that server should sign the snapshot.")
-	} else {
-		logrus.Debugf("Client was unable to sign the snapshot: %s", err.Error())
-		return err
-	}
-
-	remote := r.getRemoteStore()
-
-	return remote.SetMulti(data.MetadataRoleMapToStringMap(updatedFiles))
-}
-
-func signRootIfNecessary(updates map[data.RoleName][]byte, repo *tuf.Repo, extraSigningKeys data.KeyList, initialPublish bool) error {
-	if len(extraSigningKeys) > 0 {
-		repo.Root.Dirty = true
-	}
-	if nearExpiry(repo.Root.Signed.SignedCommon) || repo.Root.Dirty {
-		rootJSON, err := serializeCanonicalRole(repo, data.CanonicalRootRole, extraSigningKeys)
-		if err != nil {
-			return err
-		}
-		updates[data.CanonicalRootRole] = rootJSON
-	} else if initialPublish {
-		rootJSON, err := repo.Root.MarshalJSON()
-		if err != nil {
-			return err
-		}
-		updates[data.CanonicalRootRole] = rootJSON
-	}
-	return nil
-}
-
-// Fetch back a `legacyVersions` number of roots files, collect the root public keys
-// This includes old `root` roles as well as legacy versioned root roles, e.g. `1.root`
-func (r *repository) oldKeysForLegacyClientSupport(legacyVersions int, initialPublish bool) (data.KeyList, error) {
-	if initialPublish {
-		return nil, nil
-	}
-
-	var oldestVersion int
-	prevVersion := r.tufRepo.Root.Signed.Version
-
-	if legacyVersions == SignWithAllOldVersions {
-		oldestVersion = 1
-	} else {
-		oldestVersion = r.tufRepo.Root.Signed.Version - legacyVersions
-	}
-
-	if oldestVersion < 1 {
-		oldestVersion = 1
-	}
-
-	if prevVersion <= 1 || oldestVersion == prevVersion {
-		return nil, nil
-	}
-	oldKeys := make(map[string]data.PublicKey)
-
-	c, err := bootstrapClient(TUFLoadOptions{
-		GUN:                    r.gun,
-		TrustPinning:           r.trustPinning,
-		CryptoService:          r.cryptoService,
-		Cache:                  r.cache,
-		RemoteStore:            r.remoteStore,
-		AlwaysCheckInitialized: true,
-	})
-	// require a server connection to fetch old roots
-	if err != nil {
-		return nil, err
-	}
-
-	for v := prevVersion; v >= oldestVersion; v-- {
-		logrus.Debugf("fetching old keys from version %d", v)
-		// fetch old root version
-		versionedRole := fmt.Sprintf("%d.%s", v, data.CanonicalRootRole.String())
-
-		raw, err := c.remote.GetSized(versionedRole, -1)
-		if err != nil {
-			logrus.Debugf("error downloading %s: %s", versionedRole, err)
-			continue
-		}
-
-		signedOldRoot := &data.Signed{}
-		if err := json.Unmarshal(raw, signedOldRoot); err != nil {
-			return nil, err
-		}
-		oldRootVersion, err := data.RootFromSigned(signedOldRoot)
-		if err != nil {
-			return nil, err
-		}
-
-		// extract legacy versioned root keys
-		oldRootVersionKeys := getOldRootPublicKeys(oldRootVersion)
-		for _, oldKey := range oldRootVersionKeys {
-			oldKeys[oldKey.ID()] = oldKey
-		}
-	}
-	oldKeyList := make(data.KeyList, 0, len(oldKeys))
-	for _, key := range oldKeys {
-		oldKeyList = append(oldKeyList, key)
-	}
-	return oldKeyList, nil
-}
-
-// get all the saved previous roles keys < the current root version
-func getOldRootPublicKeys(root *data.SignedRoot) data.KeyList {
-	rootRole, err := root.BuildBaseRole(data.CanonicalRootRole)
-	if err != nil {
-		return nil
-	}
-	return rootRole.ListKeys()
-}
-
-func signTargets(updates map[data.RoleName][]byte, repo *tuf.Repo, initialPublish bool) error {
-	// iterate through all the targets files - if they are dirty, sign and update
-	for roleName, roleObj := range repo.Targets {
-		if roleObj.Dirty || (roleName == data.CanonicalTargetsRole && initialPublish) {
-			targetsJSON, err := serializeCanonicalRole(repo, roleName, nil)
-			if err != nil {
-				return err
-			}
-			updates[roleName] = targetsJSON
-		}
-	}
-	return nil
-}
-
-// bootstrapRepo loads the repository from the local file system (i.e.
-// a not yet published repo or a possibly obsolete local copy) into
-// r.tufRepo.  This attempts to load metadata for all roles.  Since server
-// snapshots are supported, if the snapshot metadata fails to load, that's ok.
-// This assumes that bootstrapRepo is only used by Publish() or RotateKey()
-func (r *repository) bootstrapRepo() error {
-	b := tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), r.trustPinning)
-
-	logrus.Debugf("Loading trusted collection.")
-
-	for _, role := range data.BaseRoles {
-		jsonBytes, err := r.cache.GetSized(role.String(), store.NoSizeLimit)
-		if err != nil {
-			if _, ok := err.(store.ErrMetaNotFound); ok &&
-				// server snapshots are supported, and server timestamp management
-				// is required, so if either of these fail to load that's ok - especially
-				// if the repo is new
-				role == data.CanonicalSnapshotRole || role == data.CanonicalTimestampRole {
-				continue
-			}
-			return err
-		}
-		if err := b.Load(role, jsonBytes, 1, true); err != nil {
-			return err
-		}
-	}
-
-	tufRepo, _, err := b.Finish()
-	if err == nil {
-		r.tufRepo = tufRepo
-	}
-	return nil
-}
-
-// saveMetadata saves contents of r.tufRepo onto the local disk, creating
-// signatures as necessary, possibly prompting for passphrases.
-func (r *repository) saveMetadata(ignoreSnapshot bool) error {
-	logrus.Debugf("Saving changes to Trusted Collection.")
-
-	rootJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalRootRole, nil)
-	if err != nil {
-		return err
-	}
-	err = r.cache.Set(data.CanonicalRootRole.String(), rootJSON)
-	if err != nil {
-		return err
-	}
-
-	targetsToSave := make(map[data.RoleName][]byte)
-	for t := range r.tufRepo.Targets {
-		signedTargets, err := r.tufRepo.SignTargets(t, data.DefaultExpires(data.CanonicalTargetsRole))
-		if err != nil {
-			return err
-		}
-		targetsJSON, err := json.Marshal(signedTargets)
-		if err != nil {
-			return err
-		}
-		targetsToSave[t] = targetsJSON
-	}
-
-	for role, blob := range targetsToSave {
-		// If the parent directory does not exist, the cache.Set will create it
-		r.cache.Set(role.String(), blob)
-	}
-
-	if ignoreSnapshot {
-		return nil
-	}
-
-	snapshotJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalSnapshotRole, nil)
-	if err != nil {
-		return err
-	}
-
-	return r.cache.Set(data.CanonicalSnapshotRole.String(), snapshotJSON)
-}
-
-// RotateKey removes all existing keys associated with the role. If no keys are
-// specified in keyList, then this creates and adds one new key or delegates
-// managing the key to the server. If key(s) are specified by keyList, then they are
-// used for signing the role.
-// These changes are staged in a changelist until publish is called.
-func (r *repository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
-	if err := checkRotationInput(role, serverManagesKey); err != nil {
-		return err
-	}
-
-	pubKeyList, err := r.pubKeyListForRotation(role, serverManagesKey, keyList)
-	if err != nil {
-		return err
-	}
-
-	cl := changelist.NewMemChangelist()
-	if err := r.rootFileKeyChange(cl, role, changelist.ActionCreate, pubKeyList); err != nil {
-		return err
-	}
-	return r.publish(cl)
-}
-
-// Given a set of new keys to rotate to and a set of keys to drop, returns the list of current keys to use
-func (r *repository) pubKeyListForRotation(role data.RoleName, serverManaged bool, newKeys []string) (pubKeyList data.KeyList, err error) {
-	var pubKey data.PublicKey
-
-	// If server manages the key being rotated, request a rotation and return the new key
-	if serverManaged {
-		remote := r.getRemoteStore()
-		pubKey, err = rotateRemoteKey(role, remote)
-		pubKeyList = make(data.KeyList, 0, 1)
-		pubKeyList = append(pubKeyList, pubKey)
-		if err != nil {
-			return nil, fmt.Errorf("unable to rotate remote key: %s", err)
-		}
-		return pubKeyList, nil
-	}
-
-	// If no new keys are passed in, we generate one
-	if len(newKeys) == 0 {
-		pubKeyList = make(data.KeyList, 0, 1)
-		pubKey, err = r.GetCryptoService().Create(role, r.gun, data.ECDSAKey)
-		pubKeyList = append(pubKeyList, pubKey)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("unable to generate key: %s", err)
-	}
-
-	// If a list of keys to rotate to are provided, we add those
-	if len(newKeys) > 0 {
-		pubKeyList = make(data.KeyList, 0, len(newKeys))
-		for _, keyID := range newKeys {
-			pubKey = r.GetCryptoService().GetKey(keyID)
-			if pubKey == nil {
-				return nil, fmt.Errorf("unable to find key: %s", keyID)
-			}
-			pubKeyList = append(pubKeyList, pubKey)
-		}
-	}
-
-	// Convert to certs (for root keys)
-	if pubKeyList, err = r.pubKeysToCerts(role, pubKeyList); err != nil {
-		return nil, err
-	}
-
-	return pubKeyList, nil
-}
-
-func (r *repository) pubKeysToCerts(role data.RoleName, pubKeyList data.KeyList) (data.KeyList, error) {
-	// only generate certs for root keys
-	if role != data.CanonicalRootRole {
-		return pubKeyList, nil
-	}
-
-	for i, pubKey := range pubKeyList {
-		privKey, loadedRole, err := r.GetCryptoService().GetPrivateKey(pubKey.ID())
-		if err != nil {
-			return nil, err
-		}
-		if loadedRole != role {
-			return nil, fmt.Errorf("attempted to load root key but given %s key instead", loadedRole)
-		}
-		pubKey, err = rootCertKey(r.gun, privKey)
-		if err != nil {
-			return nil, err
-		}
-		pubKeyList[i] = pubKey
-	}
-	return pubKeyList, nil
-}
-
-func checkRotationInput(role data.RoleName, serverManaged bool) error {
-	// We currently support remotely managing timestamp and snapshot keys
-	canBeRemoteKey := role == data.CanonicalTimestampRole || role == data.CanonicalSnapshotRole
-	// And locally managing root, targets, and snapshot keys
-	canBeLocalKey := role == data.CanonicalSnapshotRole || role == data.CanonicalTargetsRole ||
-		role == data.CanonicalRootRole
-
-	switch {
-	case !data.ValidRole(role) || data.IsDelegation(role):
-		return fmt.Errorf("notary does not currently permit rotating the %s key", role)
-	case serverManaged && !canBeRemoteKey:
-		return ErrInvalidRemoteRole{Role: role}
-	case !serverManaged && !canBeLocalKey:
-		return ErrInvalidLocalRole{Role: role}
-	}
-	return nil
-}
-
-func (r *repository) rootFileKeyChange(cl changelist.Changelist, role data.RoleName, action string, keyList []data.PublicKey) error {
-	meta := changelist.TUFRootData{
-		RoleName: role,
-		Keys:     keyList,
-	}
-	metaJSON, err := json.Marshal(meta)
-	if err != nil {
-		return err
-	}
-
-	c := changelist.NewTUFChange(
-		action,
-		changelist.ScopeRoot,
-		changelist.TypeBaseRole,
-		role.String(),
-		metaJSON,
-	)
-	return cl.Add(c)
-}
-
-// DeleteTrustData removes the trust data stored for this repo in the TUF cache on the client side
-// Note that we will not delete any private key material from local storage
-func DeleteTrustData(baseDir string, gun data.GUN, URL string, rt http.RoundTripper, deleteRemote bool) error {
-	localRepo := filepath.Join(baseDir, tufDir, filepath.FromSlash(gun.String()))
-	// Remove the tufRepoPath directory, which includes local TUF metadata files and changelist information
-	if err := os.RemoveAll(localRepo); err != nil {
-		return fmt.Errorf("error clearing TUF repo data: %v", err)
-	}
-	// Note that this will require admin permission for the gun in the roundtripper
-	if deleteRemote {
-		remote, err := getRemoteStore(URL, gun, rt)
-		if err != nil {
-			logrus.Errorf("unable to instantiate a remote store: %v", err)
-			return err
-		}
-		if err := remote.RemoveAll(); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// SetLegacyVersions allows the number of legacy versions of the root
-// to be inspected for old signing keys to be configured.
-func (r *repository) SetLegacyVersions(n int) {
-	r.LegacyVersions = n
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/delegations.go b/vendor/github.com/theupdateframework/notary/client/delegations.go
deleted file mode 100644
index 59497cba..00000000
--- a/vendor/github.com/theupdateframework/notary/client/delegations.go
+++ /dev/null
@@ -1,226 +0,0 @@
-package client
-
-import (
-	"encoding/json"
-	"fmt"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/client/changelist"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// AddDelegation creates changelist entries to add provided delegation public keys and paths.
-// This method composes AddDelegationRoleAndKeys and AddDelegationPaths (each creates one changelist if called).
-func (r *repository) AddDelegation(name data.RoleName, delegationKeys []data.PublicKey, paths []string) error {
-	if len(delegationKeys) > 0 {
-		err := r.AddDelegationRoleAndKeys(name, delegationKeys)
-		if err != nil {
-			return err
-		}
-	}
-	if len(paths) > 0 {
-		err := r.AddDelegationPaths(name, paths)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// AddDelegationRoleAndKeys creates a changelist entry to add provided delegation public keys.
-// This method is the simplest way to create a new delegation, because the delegation must have at least
-// one key upon creation to be valid since we will reject the changelist while validating the threshold.
-func (r *repository) AddDelegationRoleAndKeys(name data.RoleName, delegationKeys []data.PublicKey) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	logrus.Debugf(`Adding delegation "%s" with threshold %d, and %d keys\n`,
-		name, notary.MinThreshold, len(delegationKeys))
-
-	// Defaulting to threshold of 1, since we don't allow for larger thresholds at the moment.
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		NewThreshold: notary.MinThreshold,
-		AddKeys:      data.KeyList(delegationKeys),
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newCreateDelegationChange(name, tdJSON)
-	return addChange(r.changelist, template, name)
-}
-
-// AddDelegationPaths creates a changelist entry to add provided paths to an existing delegation.
-// This method cannot create a new delegation itself because the role must meet the key threshold upon creation.
-func (r *repository) AddDelegationPaths(name data.RoleName, paths []string) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	logrus.Debugf(`Adding %s paths to delegation %s\n`, paths, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		AddPaths: paths,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newCreateDelegationChange(name, tdJSON)
-	return addChange(r.changelist, template, name)
-}
-
-// RemoveDelegationKeysAndPaths creates changelist entries to remove provided delegation key IDs and paths.
-// This method composes RemoveDelegationPaths and RemoveDelegationKeys (each creates one changelist entry if called).
-func (r *repository) RemoveDelegationKeysAndPaths(name data.RoleName, keyIDs, paths []string) error {
-	if len(paths) > 0 {
-		err := r.RemoveDelegationPaths(name, paths)
-		if err != nil {
-			return err
-		}
-	}
-	if len(keyIDs) > 0 {
-		err := r.RemoveDelegationKeys(name, keyIDs)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// RemoveDelegationRole creates a changelist to remove all paths and keys from a role, and delete the role in its entirety.
-func (r *repository) RemoveDelegationRole(name data.RoleName) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	logrus.Debugf(`Removing delegation "%s"\n`, name)
-
-	template := newDeleteDelegationChange(name, nil)
-	return addChange(r.changelist, template, name)
-}
-
-// RemoveDelegationPaths creates a changelist entry to remove provided paths from an existing delegation.
-func (r *repository) RemoveDelegationPaths(name data.RoleName, paths []string) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	logrus.Debugf(`Removing %s paths from delegation "%s"\n`, paths, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		RemovePaths: paths,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newUpdateDelegationChange(name, tdJSON)
-	return addChange(r.changelist, template, name)
-}
-
-// RemoveDelegationKeys creates a changelist entry to remove provided keys from an existing delegation.
-// When this changelist is applied, if the specified keys are the only keys left in the role,
-// the role itself will be deleted in its entirety.
-// It can also delete a key from all delegations under a parent using a name
-// with a wildcard at the end.
-func (r *repository) RemoveDelegationKeys(name data.RoleName, keyIDs []string) error {
-
-	if !data.IsDelegation(name) && !data.IsWildDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	logrus.Debugf(`Removing %s keys from delegation "%s"\n`, keyIDs, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		RemoveKeys: keyIDs,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newUpdateDelegationChange(name, tdJSON)
-	return addChange(r.changelist, template, name)
-}
-
-// ClearDelegationPaths creates a changelist entry to remove all paths from an existing delegation.
-func (r *repository) ClearDelegationPaths(name data.RoleName) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	logrus.Debugf(`Removing all paths from delegation "%s"\n`, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		ClearAllPaths: true,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newUpdateDelegationChange(name, tdJSON)
-	return addChange(r.changelist, template, name)
-}
-
-func newUpdateDelegationChange(name data.RoleName, content []byte) *changelist.TUFChange {
-	return changelist.NewTUFChange(
-		changelist.ActionUpdate,
-		name,
-		changelist.TypeTargetsDelegation,
-		"", // no path for delegations
-		content,
-	)
-}
-
-func newCreateDelegationChange(name data.RoleName, content []byte) *changelist.TUFChange {
-	return changelist.NewTUFChange(
-		changelist.ActionCreate,
-		name,
-		changelist.TypeTargetsDelegation,
-		"", // no path for delegations
-		content,
-	)
-}
-
-func newDeleteDelegationChange(name data.RoleName, content []byte) *changelist.TUFChange {
-	return changelist.NewTUFChange(
-		changelist.ActionDelete,
-		name,
-		changelist.TypeTargetsDelegation,
-		"", // no path for delegations
-		content,
-	)
-}
-
-func translateDelegationsToCanonicalIDs(delegationInfo data.Delegations) ([]data.Role, error) {
-	canonicalDelegations := make([]data.Role, len(delegationInfo.Roles))
-	// Do a copy by value to ensure local delegation metadata is untouched
-	for idx, origRole := range delegationInfo.Roles {
-		canonicalDelegations[idx] = *origRole
-	}
-	delegationKeys := delegationInfo.Keys
-	for i, delegation := range canonicalDelegations {
-		canonicalKeyIDs := []string{}
-		for _, keyID := range delegation.KeyIDs {
-			pubKey, ok := delegationKeys[keyID]
-			if !ok {
-				return []data.Role{}, fmt.Errorf("Could not translate canonical key IDs for %s", delegation.Name)
-			}
-			canonicalKeyID, err := utils.CanonicalKeyID(pubKey)
-			if err != nil {
-				return []data.Role{}, fmt.Errorf("Could not translate canonical key IDs for %s: %v", delegation.Name, err)
-			}
-			canonicalKeyIDs = append(canonicalKeyIDs, canonicalKeyID)
-		}
-		canonicalDelegations[i].KeyIDs = canonicalKeyIDs
-	}
-	return canonicalDelegations, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/errors.go b/vendor/github.com/theupdateframework/notary/client/errors.go
deleted file mode 100644
index a2d4970e..00000000
--- a/vendor/github.com/theupdateframework/notary/client/errors.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package client
-
-import (
-	"fmt"
-
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// ErrRepoNotInitialized is returned when trying to publish an uninitialized
-// notary repository
-type ErrRepoNotInitialized struct{}
-
-func (err ErrRepoNotInitialized) Error() string {
-	return "repository has not been initialized"
-}
-
-// ErrInvalidRemoteRole is returned when the server is requested to manage
-// a key type that is not permitted
-type ErrInvalidRemoteRole struct {
-	Role data.RoleName
-}
-
-func (err ErrInvalidRemoteRole) Error() string {
-	return fmt.Sprintf(
-		"notary does not permit the server managing the %s key", err.Role.String())
-}
-
-// ErrInvalidLocalRole is returned when the client wants to manage
-// a key type that is not permitted
-type ErrInvalidLocalRole struct {
-	Role data.RoleName
-}
-
-func (err ErrInvalidLocalRole) Error() string {
-	return fmt.Sprintf(
-		"notary does not permit the client managing the %s key", err.Role)
-}
-
-// ErrRepositoryNotExist is returned when an action is taken on a remote
-// repository that doesn't exist
-type ErrRepositoryNotExist struct {
-	remote string
-	gun    data.GUN
-}
-
-func (err ErrRepositoryNotExist) Error() string {
-	return fmt.Sprintf("%s does not have trust data for %s", err.remote, err.gun.String())
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/helpers.go b/vendor/github.com/theupdateframework/notary/client/helpers.go
deleted file mode 100644
index 179d27ec..00000000
--- a/vendor/github.com/theupdateframework/notary/client/helpers.go
+++ /dev/null
@@ -1,306 +0,0 @@
-package client
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary/client/changelist"
-	store "github.com/theupdateframework/notary/storage"
-	"github.com/theupdateframework/notary/tuf"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// Use this to initialize remote HTTPStores from the config settings
-func getRemoteStore(baseURL string, gun data.GUN, rt http.RoundTripper) (store.RemoteStore, error) {
-	s, err := store.NewHTTPStore(
-		baseURL+"/v2/"+gun.String()+"/_trust/tuf/",
-		"",
-		"json",
-		"key",
-		rt,
-	)
-	if err != nil {
-		return store.OfflineStore{}, err
-	}
-	return s, nil
-}
-
-func applyChangelist(repo *tuf.Repo, invalid *tuf.Repo, cl changelist.Changelist) error {
-	it, err := cl.NewIterator()
-	if err != nil {
-		return err
-	}
-	index := 0
-	for it.HasNext() {
-		c, err := it.Next()
-		if err != nil {
-			return err
-		}
-		isDel := data.IsDelegation(c.Scope()) || data.IsWildDelegation(c.Scope())
-		switch {
-		case c.Scope() == changelist.ScopeTargets || isDel:
-			err = applyTargetsChange(repo, invalid, c)
-		case c.Scope() == changelist.ScopeRoot:
-			err = applyRootChange(repo, c)
-		default:
-			return fmt.Errorf("scope not supported: %s", c.Scope().String())
-		}
-		if err != nil {
-			logrus.Debugf("error attempting to apply change #%d: %s, on scope: %s path: %s type: %s", index, c.Action(), c.Scope(), c.Path(), c.Type())
-			return err
-		}
-		index++
-	}
-	logrus.Debugf("applied %d change(s)", index)
-	return nil
-}
-
-func applyTargetsChange(repo *tuf.Repo, invalid *tuf.Repo, c changelist.Change) error {
-	switch c.Type() {
-	case changelist.TypeTargetsTarget:
-		return changeTargetMeta(repo, c)
-	case changelist.TypeTargetsDelegation:
-		return changeTargetsDelegation(repo, c)
-	case changelist.TypeWitness:
-		return witnessTargets(repo, invalid, c.Scope())
-	default:
-		return fmt.Errorf("only target meta and delegations changes supported")
-	}
-}
-
-func changeTargetsDelegation(repo *tuf.Repo, c changelist.Change) error {
-	switch c.Action() {
-	case changelist.ActionCreate:
-		td := changelist.TUFDelegation{}
-		err := json.Unmarshal(c.Content(), &td)
-		if err != nil {
-			return err
-		}
-
-		// Try to create brand new role or update one
-		// First add the keys, then the paths.  We can only add keys and paths in this scenario
-		err = repo.UpdateDelegationKeys(c.Scope(), td.AddKeys, []string{}, td.NewThreshold)
-		if err != nil {
-			return err
-		}
-		return repo.UpdateDelegationPaths(c.Scope(), td.AddPaths, []string{}, false)
-	case changelist.ActionUpdate:
-		td := changelist.TUFDelegation{}
-		err := json.Unmarshal(c.Content(), &td)
-		if err != nil {
-			return err
-		}
-		if data.IsWildDelegation(c.Scope()) {
-			return repo.PurgeDelegationKeys(c.Scope(), td.RemoveKeys)
-		}
-
-		delgRole, err := repo.GetDelegationRole(c.Scope())
-		if err != nil {
-			return err
-		}
-
-		// We need to translate the keys from canonical ID to TUF ID for compatibility
-		canonicalToTUFID := make(map[string]string)
-		for tufID, pubKey := range delgRole.Keys {
-			canonicalID, err := utils.CanonicalKeyID(pubKey)
-			if err != nil {
-				return err
-			}
-			canonicalToTUFID[canonicalID] = tufID
-		}
-
-		removeTUFKeyIDs := []string{}
-		for _, canonID := range td.RemoveKeys {
-			removeTUFKeyIDs = append(removeTUFKeyIDs, canonicalToTUFID[canonID])
-		}
-
-		err = repo.UpdateDelegationKeys(c.Scope(), td.AddKeys, removeTUFKeyIDs, td.NewThreshold)
-		if err != nil {
-			return err
-		}
-		return repo.UpdateDelegationPaths(c.Scope(), td.AddPaths, td.RemovePaths, td.ClearAllPaths)
-	case changelist.ActionDelete:
-		return repo.DeleteDelegation(c.Scope())
-	default:
-		return fmt.Errorf("unsupported action against delegations: %s", c.Action())
-	}
-
-}
-
-func changeTargetMeta(repo *tuf.Repo, c changelist.Change) error {
-	var err error
-	switch c.Action() {
-	case changelist.ActionCreate:
-		logrus.Debug("changelist add: ", c.Path())
-		meta := &data.FileMeta{}
-		err = json.Unmarshal(c.Content(), meta)
-		if err != nil {
-			return err
-		}
-		files := data.Files{c.Path(): *meta}
-
-		// Attempt to add the target to this role
-		if _, err = repo.AddTargets(c.Scope(), files); err != nil {
-			logrus.Errorf("couldn't add target to %s: %s", c.Scope(), err.Error())
-		}
-
-	case changelist.ActionDelete:
-		logrus.Debug("changelist remove: ", c.Path())
-
-		// Attempt to remove the target from this role
-		if err = repo.RemoveTargets(c.Scope(), c.Path()); err != nil {
-			logrus.Errorf("couldn't remove target from %s: %s", c.Scope(), err.Error())
-		}
-
-	default:
-		err = fmt.Errorf("action not yet supported: %s", c.Action())
-	}
-	return err
-}
-
-func applyRootChange(repo *tuf.Repo, c changelist.Change) error {
-	var err error
-	switch c.Type() {
-	case changelist.TypeBaseRole:
-		err = applyRootRoleChange(repo, c)
-	default:
-		err = fmt.Errorf("type of root change not yet supported: %s", c.Type())
-	}
-	return err // might be nil
-}
-
-func applyRootRoleChange(repo *tuf.Repo, c changelist.Change) error {
-	switch c.Action() {
-	case changelist.ActionCreate:
-		// replaces all keys for a role
-		d := &changelist.TUFRootData{}
-		err := json.Unmarshal(c.Content(), d)
-		if err != nil {
-			return err
-		}
-		err = repo.ReplaceBaseKeys(d.RoleName, d.Keys...)
-		if err != nil {
-			return err
-		}
-	default:
-		return fmt.Errorf("action not yet supported for root: %s", c.Action())
-	}
-	return nil
-}
-
-func nearExpiry(r data.SignedCommon) bool {
-	plus6mo := time.Now().AddDate(0, 6, 0)
-	return r.Expires.Before(plus6mo)
-}
-
-func warnRolesNearExpiry(r *tuf.Repo) {
-	//get every role and its respective signed common and call nearExpiry on it
-	//Root check
-	if nearExpiry(r.Root.Signed.SignedCommon) {
-		logrus.Warn("root is nearing expiry, you should re-sign the role metadata")
-	}
-	//Targets and delegations check
-	for role, signedTOrD := range r.Targets {
-		//signedTOrD is of type *data.SignedTargets
-		if nearExpiry(signedTOrD.Signed.SignedCommon) {
-			logrus.Warn(role, " metadata is nearing expiry, you should re-sign the role metadata")
-		}
-	}
-	//Snapshot check
-	if nearExpiry(r.Snapshot.Signed.SignedCommon) {
-		logrus.Warn("snapshot is nearing expiry, you should re-sign the role metadata")
-	}
-	//do not need to worry about Timestamp, notary signer will re-sign with the timestamp key
-}
-
-// Fetches a public key from a remote store, given a gun and role
-func getRemoteKey(role data.RoleName, remote store.RemoteStore) (data.PublicKey, error) {
-	rawPubKey, err := remote.GetKey(role)
-	if err != nil {
-		return nil, err
-	}
-
-	pubKey, err := data.UnmarshalPublicKey(rawPubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return pubKey, nil
-}
-
-// Rotates a private key in a remote store and returns the public key component
-func rotateRemoteKey(role data.RoleName, remote store.RemoteStore) (data.PublicKey, error) {
-	rawPubKey, err := remote.RotateKey(role)
-	if err != nil {
-		return nil, err
-	}
-
-	pubKey, err := data.UnmarshalPublicKey(rawPubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return pubKey, nil
-}
-
-// signs and serializes the metadata for a canonical role in a TUF repo to JSON
-func serializeCanonicalRole(tufRepo *tuf.Repo, role data.RoleName, extraSigningKeys data.KeyList) (out []byte, err error) {
-	var s *data.Signed
-	switch {
-	case role == data.CanonicalRootRole:
-		s, err = tufRepo.SignRoot(data.DefaultExpires(role), extraSigningKeys)
-	case role == data.CanonicalSnapshotRole:
-		s, err = tufRepo.SignSnapshot(data.DefaultExpires(role))
-	case tufRepo.Targets[role] != nil:
-		s, err = tufRepo.SignTargets(
-			role, data.DefaultExpires(data.CanonicalTargetsRole))
-	default:
-		err = fmt.Errorf("%s not supported role to sign on the client", role)
-	}
-
-	if err != nil {
-		return
-	}
-
-	return json.Marshal(s)
-}
-
-func getAllPrivKeys(rootKeyIDs []string, cryptoService signed.CryptoService) ([]data.PrivateKey, error) {
-	if cryptoService == nil {
-		return nil, fmt.Errorf("no crypto service available to get private keys from")
-	}
-
-	privKeys := make([]data.PrivateKey, 0, len(rootKeyIDs))
-	for _, keyID := range rootKeyIDs {
-		privKey, _, err := cryptoService.GetPrivateKey(keyID)
-		if err != nil {
-			return nil, err
-		}
-		privKeys = append(privKeys, privKey)
-	}
-	if len(privKeys) == 0 {
-		var rootKeyID string
-		rootKeyList := cryptoService.ListKeys(data.CanonicalRootRole)
-		if len(rootKeyList) == 0 {
-			rootPublicKey, err := cryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
-			if err != nil {
-				return nil, err
-			}
-			rootKeyID = rootPublicKey.ID()
-		} else {
-			rootKeyID = rootKeyList[0]
-		}
-		privKey, _, err := cryptoService.GetPrivateKey(rootKeyID)
-		if err != nil {
-			return nil, err
-		}
-		privKeys = append(privKeys, privKey)
-	}
-
-	return privKeys, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/interface.go b/vendor/github.com/theupdateframework/notary/client/interface.go
deleted file mode 100644
index 9d107db0..00000000
--- a/vendor/github.com/theupdateframework/notary/client/interface.go
+++ /dev/null
@@ -1,150 +0,0 @@
-package client
-
-import (
-	"github.com/theupdateframework/notary/client/changelist"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-)
-
-// ReadOnly represents the set of options that must be supported over a TUF repo for
-// reading
-type ReadOnly interface {
-	// ListTargets lists all targets for the current repository. The list of
-	// roles should be passed in order from highest to lowest priority.
-	//
-	// IMPORTANT: if you pass a set of roles such as [ "targets/a", "targets/x"
-	// "targets/a/b" ], even though "targets/a/b" is part of the "targets/a" subtree
-	// its entries will be strictly shadowed by those in other parts of the "targets/a"
-	// subtree and also the "targets/x" subtree, as we will defer parsing it until
-	// we explicitly reach it in our iteration of the provided list of roles.
-	ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error)
-
-	// GetTargetByName returns a target by the given name. If no roles are passed
-	// it uses the targets role and does a search of the entire delegation
-	// graph, finding the first entry in a breadth first search of the delegations.
-	// If roles are passed, they should be passed in descending priority and
-	// the target entry found in the subtree of the highest priority role
-	// will be returned.
-	// See the IMPORTANT section on ListTargets above. Those roles also apply here.
-	GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error)
-
-	// GetAllTargetMetadataByName searches the entire delegation role tree to find
-	// the specified target by name for all roles, and returns a list of
-	// TargetSignedStructs for each time it finds the specified target.
-	// If given an empty string for a target name, it will return back all targets
-	// signed into the repository in every role
-	GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error)
-
-	// ListRoles returns a list of RoleWithSignatures objects for this repo
-	// This represents the latest metadata for each role in this repo
-	ListRoles() ([]RoleWithSignatures, error)
-
-	// GetDelegationRoles returns the keys and roles of the repository's delegations
-	// Also converts key IDs to canonical key IDs to keep consistent with signing prompts
-	GetDelegationRoles() ([]data.Role, error)
-}
-
-// Repository represents the set of options that must be supported over a TUF repo
-// for both reading and writing.
-type Repository interface {
-	ReadOnly
-
-	// ------------------- Publishing operations -------------------
-
-	// GetGUN returns the GUN associated with the repository
-	GetGUN() data.GUN
-
-	// SetLegacyVersion sets the number of versions back to fetch roots to sign with
-	SetLegacyVersions(int)
-
-	// ----- General management operations -----
-
-	// Initialize creates a new repository by using rootKey as the root Key for the
-	// TUF repository. The remote store/server must be reachable (and is asked to
-	// generate a timestamp key and possibly other serverManagedRoles), but the
-	// created repository result is only stored on local cache, not published to
-	// the remote store. To do that, use r.Publish() eventually.
-	Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error
-
-	// InitializeWithCertificate initializes the repository with root keys and their
-	// corresponding certificates
-	InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error
-
-	// Publish pushes the local changes in signed material to the remote notary-server
-	// Conceptually it performs an operation similar to a `git rebase`
-	Publish() error
-
-	// ----- Target Operations -----
-
-	// AddTarget creates new changelist entries to add a target to the given roles
-	// in the repository when the changelist gets applied at publish time.
-	// If roles are unspecified, the default role is "targets"
-	AddTarget(target *Target, roles ...data.RoleName) error
-
-	// RemoveTarget creates new changelist entries to remove a target from the given
-	// roles in the repository when the changelist gets applied at publish time.
-	// If roles are unspecified, the default role is "target".
-	RemoveTarget(targetName string, roles ...data.RoleName) error
-
-	// ----- Changelist operations -----
-
-	// GetChangelist returns the list of the repository's unpublished changes
-	GetChangelist() (changelist.Changelist, error)
-
-	// ----- Role operations -----
-
-	// AddDelegation creates changelist entries to add provided delegation public keys and paths.
-	// This method composes AddDelegationRoleAndKeys and AddDelegationPaths (each creates one changelist if called).
-	AddDelegation(name data.RoleName, delegationKeys []data.PublicKey, paths []string) error
-
-	// AddDelegationRoleAndKeys creates a changelist entry to add provided delegation public keys.
-	// This method is the simplest way to create a new delegation, because the delegation must have at least
-	// one key upon creation to be valid since we will reject the changelist while validating the threshold.
-	AddDelegationRoleAndKeys(name data.RoleName, delegationKeys []data.PublicKey) error
-
-	// AddDelegationPaths creates a changelist entry to add provided paths to an existing delegation.
-	// This method cannot create a new delegation itself because the role must meet the key threshold upon
-	// creation.
-	AddDelegationPaths(name data.RoleName, paths []string) error
-
-	// RemoveDelegationKeysAndPaths creates changelist entries to remove provided delegation key IDs and
-	// paths. This method composes RemoveDelegationPaths and RemoveDelegationKeys (each creates one
-	// changelist entry if called).
-	RemoveDelegationKeysAndPaths(name data.RoleName, keyIDs, paths []string) error
-
-	// RemoveDelegationRole creates a changelist to remove all paths and keys from a role, and delete the
-	// role in its entirety.
-	RemoveDelegationRole(name data.RoleName) error
-
-	// RemoveDelegationPaths creates a changelist entry to remove provided paths from an existing delegation.
-	RemoveDelegationPaths(name data.RoleName, paths []string) error
-
-	// RemoveDelegationKeys creates a changelist entry to remove provided keys from an existing delegation.
-	// When this changelist is applied, if the specified keys are the only keys left in the role,
-	// the role itself will be deleted in its entirety.
-	// It can also delete a key from all delegations under a parent using a name
-	// with a wildcard at the end.
-	RemoveDelegationKeys(name data.RoleName, keyIDs []string) error
-
-	// ClearDelegationPaths creates a changelist entry to remove all paths from an existing delegation.
-	ClearDelegationPaths(name data.RoleName) error
-
-	// ----- Witness and other re-signing operations -----
-
-	// Witness creates change objects to witness (i.e. re-sign) the given
-	// roles on the next publish. One change is created per role
-	Witness(roles ...data.RoleName) ([]data.RoleName, error)
-
-	// ----- Key Operations -----
-
-	// RotateKey removes all existing keys associated with the role. If no keys are
-	// specified in keyList, then this creates and adds one new key or delegates
-	// managing the key to the server. If key(s) are specified by keyList, then they are
-	// used for signing the role.
-	// These changes are staged in a changelist until publish is called.
-	RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error
-
-	// GetCryptoService is the getter for the repository's CryptoService, which is used
-	// to sign all updates.
-	GetCryptoService() signed.CryptoService
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/reader.go b/vendor/github.com/theupdateframework/notary/client/reader.go
deleted file mode 100644
index df966ee3..00000000
--- a/vendor/github.com/theupdateframework/notary/client/reader.go
+++ /dev/null
@@ -1,257 +0,0 @@
-package client
-
-import (
-	"fmt"
-
-	canonicaljson "github.com/docker/go/canonical/json"
-	store "github.com/theupdateframework/notary/storage"
-	"github.com/theupdateframework/notary/tuf"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// Target represents a simplified version of the data TUF operates on, so external
-// applications don't have to depend on TUF data types.
-type Target struct {
-	Name   string                    // the name of the target
-	Hashes data.Hashes               // the hash of the target
-	Length int64                     // the size in bytes of the target
-	Custom *canonicaljson.RawMessage // the custom data provided to describe the file at TARGETPATH
-}
-
-// TargetWithRole represents a Target that exists in a particular role - this is
-// produced by ListTargets and GetTargetByName
-type TargetWithRole struct {
-	Target
-	Role data.RoleName
-}
-
-// TargetSignedStruct is a struct that contains a Target, the role it was found in, and the list of signatures for that role
-type TargetSignedStruct struct {
-	Role       data.DelegationRole
-	Target     Target
-	Signatures []data.Signature
-}
-
-//ErrNoSuchTarget is returned when no valid trust data is found.
-type ErrNoSuchTarget string
-
-func (f ErrNoSuchTarget) Error() string {
-	return fmt.Sprintf("No valid trust data for %s", string(f))
-}
-
-// RoleWithSignatures is a Role with its associated signatures
-type RoleWithSignatures struct {
-	Signatures []data.Signature
-	data.Role
-}
-
-// NewReadOnly is the base method that returns a new notary repository for reading.
-// It expects an initialized cache. In case of a nil remote store, a default
-// offline store is used.
-func NewReadOnly(repo *tuf.Repo) ReadOnly {
-	return &reader{tufRepo: repo}
-}
-
-type reader struct {
-	tufRepo *tuf.Repo
-}
-
-// ListTargets lists all targets for the current repository. The list of
-// roles should be passed in order from highest to lowest priority.
-//
-// IMPORTANT: if you pass a set of roles such as [ "targets/a", "targets/x"
-// "targets/a/b" ], even though "targets/a/b" is part of the "targets/a" subtree
-// its entries will be strictly shadowed by those in other parts of the "targets/a"
-// subtree and also the "targets/x" subtree, as we will defer parsing it until
-// we explicitly reach it in our iteration of the provided list of roles.
-func (r *reader) ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error) {
-	if len(roles) == 0 {
-		roles = []data.RoleName{data.CanonicalTargetsRole}
-	}
-	targets := make(map[string]*TargetWithRole)
-	for _, role := range roles {
-		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
-		skipRoles := utils.RoleNameSliceRemove(roles, role)
-
-		// Define a visitor function to populate the targets map in priority order
-		listVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			// We found targets so we should try to add them to our targets map
-			for targetName, targetMeta := range tgt.Signed.Targets {
-				// Follow the priority by not overriding previously set targets
-				// and check that this path is valid with this role
-				if _, ok := targets[targetName]; ok || !validRole.CheckPaths(targetName) {
-					continue
-				}
-				targets[targetName] = &TargetWithRole{
-					Target: Target{
-						Name:   targetName,
-						Hashes: targetMeta.Hashes,
-						Length: targetMeta.Length,
-						Custom: targetMeta.Custom,
-					},
-					Role: validRole.Name,
-				}
-			}
-			return nil
-		}
-
-		r.tufRepo.WalkTargets("", role, listVisitorFunc, skipRoles...)
-	}
-
-	var targetList []*TargetWithRole
-	for _, v := range targets {
-		targetList = append(targetList, v)
-	}
-
-	return targetList, nil
-}
-
-// GetTargetByName returns a target by the given name. If no roles are passed
-// it uses the targets role and does a search of the entire delegation
-// graph, finding the first entry in a breadth first search of the delegations.
-// If roles are passed, they should be passed in descending priority and
-// the target entry found in the subtree of the highest priority role
-// will be returned.
-// See the IMPORTANT section on ListTargets above. Those roles also apply here.
-func (r *reader) GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error) {
-	if len(roles) == 0 {
-		roles = append(roles, data.CanonicalTargetsRole)
-	}
-	var resultMeta data.FileMeta
-	var resultRoleName data.RoleName
-	var foundTarget bool
-	for _, role := range roles {
-		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
-		skipRoles := utils.RoleNameSliceRemove(roles, role)
-
-		// Define a visitor function to find the specified target
-		getTargetVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			if tgt == nil {
-				return nil
-			}
-			// We found the target and validated path compatibility in our walk,
-			// so we should stop our walk and set the resultMeta and resultRoleName variables
-			if resultMeta, foundTarget = tgt.Signed.Targets[name]; foundTarget {
-				resultRoleName = validRole.Name
-				return tuf.StopWalk{}
-			}
-			return nil
-		}
-		// Check that we didn't error, and that we assigned to our target
-		if err := r.tufRepo.WalkTargets(name, role, getTargetVisitorFunc, skipRoles...); err == nil && foundTarget {
-			return &TargetWithRole{Target: Target{Name: name, Hashes: resultMeta.Hashes, Length: resultMeta.Length, Custom: resultMeta.Custom}, Role: resultRoleName}, nil
-		}
-	}
-	return nil, ErrNoSuchTarget(name)
-
-}
-
-// GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
-// roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
-// If given an empty string for a target name, it will return back all targets signed into the repository in every role
-func (r *reader) GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error) {
-	var targetInfoList []TargetSignedStruct
-
-	// Define a visitor function to find the specified target
-	getAllTargetInfoByNameVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		if tgt == nil {
-			return nil
-		}
-		// We found a target and validated path compatibility in our walk,
-		// so add it to our list if we have a match
-		// if we have an empty name, add all targets, else check if we have it
-		var targetMetaToAdd data.Files
-		if name == "" {
-			targetMetaToAdd = tgt.Signed.Targets
-		} else {
-			if meta, ok := tgt.Signed.Targets[name]; ok {
-				targetMetaToAdd = data.Files{name: meta}
-			}
-		}
-
-		for targetName, resultMeta := range targetMetaToAdd {
-			targetInfo := TargetSignedStruct{
-				Role:       validRole,
-				Target:     Target{Name: targetName, Hashes: resultMeta.Hashes, Length: resultMeta.Length, Custom: resultMeta.Custom},
-				Signatures: tgt.Signatures,
-			}
-			targetInfoList = append(targetInfoList, targetInfo)
-		}
-		// continue walking to all child roles
-		return nil
-	}
-
-	// Check that we didn't error, and that we found the target at least once
-	if err := r.tufRepo.WalkTargets(name, "", getAllTargetInfoByNameVisitorFunc); err != nil {
-		return nil, err
-	}
-	if len(targetInfoList) == 0 {
-		return nil, ErrNoSuchTarget(name)
-	}
-	return targetInfoList, nil
-}
-
-// ListRoles returns a list of RoleWithSignatures objects for this repo
-// This represents the latest metadata for each role in this repo
-func (r *reader) ListRoles() ([]RoleWithSignatures, error) {
-	// Get all role info from our updated keysDB, can be empty
-	roles := r.tufRepo.GetAllLoadedRoles()
-
-	var roleWithSigs []RoleWithSignatures
-
-	// Populate RoleWithSignatures with Role from keysDB and signatures from TUF metadata
-	for _, role := range roles {
-		roleWithSig := RoleWithSignatures{Role: *role, Signatures: nil}
-		switch role.Name {
-		case data.CanonicalRootRole:
-			roleWithSig.Signatures = r.tufRepo.Root.Signatures
-		case data.CanonicalTargetsRole:
-			roleWithSig.Signatures = r.tufRepo.Targets[data.CanonicalTargetsRole].Signatures
-		case data.CanonicalSnapshotRole:
-			roleWithSig.Signatures = r.tufRepo.Snapshot.Signatures
-		case data.CanonicalTimestampRole:
-			roleWithSig.Signatures = r.tufRepo.Timestamp.Signatures
-		default:
-			if !data.IsDelegation(role.Name) {
-				continue
-			}
-			if _, ok := r.tufRepo.Targets[role.Name]; ok {
-				// We'll only find a signature if we've published any targets with this delegation
-				roleWithSig.Signatures = r.tufRepo.Targets[role.Name].Signatures
-			}
-		}
-		roleWithSigs = append(roleWithSigs, roleWithSig)
-	}
-	return roleWithSigs, nil
-}
-
-// GetDelegationRoles returns the keys and roles of the repository's delegations
-// Also converts key IDs to canonical key IDs to keep consistent with signing prompts
-func (r *reader) GetDelegationRoles() ([]data.Role, error) {
-	// All top level delegations (ex: targets/level1) are stored exclusively in targets.json
-	_, ok := r.tufRepo.Targets[data.CanonicalTargetsRole]
-	if !ok {
-		return nil, store.ErrMetaNotFound{Resource: data.CanonicalTargetsRole.String()}
-	}
-
-	// make a copy for traversing nested delegations
-	allDelegations := []data.Role{}
-
-	// Define a visitor function to populate the delegations list and translate their key IDs to canonical IDs
-	delegationCanonicalListVisitor := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		// For the return list, update with a copy that includes canonicalKeyIDs
-		// These aren't validated by the validRole
-		canonicalDelegations, err := translateDelegationsToCanonicalIDs(tgt.Signed.Delegations)
-		if err != nil {
-			return err
-		}
-		allDelegations = append(allDelegations, canonicalDelegations...)
-		return nil
-	}
-	err := r.tufRepo.WalkTargets("", "", delegationCanonicalListVisitor)
-	if err != nil {
-		return nil, err
-	}
-	return allDelegations, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/repo.go b/vendor/github.com/theupdateframework/notary/client/repo.go
deleted file mode 100644
index cf2242b7..00000000
--- a/vendor/github.com/theupdateframework/notary/client/repo.go
+++ /dev/null
@@ -1,18 +0,0 @@
-// +build !pkcs11
-
-package client
-
-import (
-	"fmt"
-
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/trustmanager"
-)
-
-func getKeyStores(baseDir string, retriever notary.PassRetriever) ([]trustmanager.KeyStore, error) {
-	fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
-	}
-	return []trustmanager.KeyStore{fileKeyStore}, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/repo_pkcs11.go b/vendor/github.com/theupdateframework/notary/client/repo_pkcs11.go
deleted file mode 100644
index a24d3e60..00000000
--- a/vendor/github.com/theupdateframework/notary/client/repo_pkcs11.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// +build pkcs11
-
-package client
-
-import (
-	"fmt"
-
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/trustmanager"
-	"github.com/theupdateframework/notary/trustmanager/yubikey"
-)
-
-func getKeyStores(baseDir string, retriever notary.PassRetriever) ([]trustmanager.KeyStore, error) {
-	fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
-	}
-
-	keyStores := []trustmanager.KeyStore{fileKeyStore}
-	yubiKeyStore, _ := yubikey.NewYubiStore(fileKeyStore, retriever)
-	if yubiKeyStore != nil {
-		keyStores = []trustmanager.KeyStore{yubiKeyStore, fileKeyStore}
-	}
-	return keyStores, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/tufclient.go b/vendor/github.com/theupdateframework/notary/client/tufclient.go
deleted file mode 100644
index 07b67c9c..00000000
--- a/vendor/github.com/theupdateframework/notary/client/tufclient.go
+++ /dev/null
@@ -1,463 +0,0 @@
-package client
-
-import (
-	"encoding/json"
-	"fmt"
-	"regexp"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/cryptoservice"
-	store "github.com/theupdateframework/notary/storage"
-	"github.com/theupdateframework/notary/trustpinning"
-	"github.com/theupdateframework/notary/tuf"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-)
-
-// tufClient is a usability wrapper around a raw TUF repo
-type tufClient struct {
-	remote     store.RemoteStore
-	cache      store.MetadataStore
-	oldBuilder tuf.RepoBuilder
-	newBuilder tuf.RepoBuilder
-}
-
-// Update performs an update to the TUF repo as defined by the TUF spec
-func (c *tufClient) Update() (*tuf.Repo, *tuf.Repo, error) {
-	// 1. Get timestamp
-	//   a. If timestamp error (verification, expired, etc...) download new root and return to 1.
-	// 2. Check if local snapshot is up to date
-	//   a. If out of date, get updated snapshot
-	//     i. If snapshot error, download new root and return to 1.
-	// 3. Check if root correct against snapshot
-	//   a. If incorrect, download new root and return to 1.
-	// 4. Iteratively download and search targets and delegations to find target meta
-	logrus.Debug("updating TUF client")
-	err := c.update()
-	if err != nil {
-		logrus.Debug("Error occurred. Root will be downloaded and another update attempted")
-		logrus.Debug("Resetting the TUF builder...")
-
-		c.newBuilder = c.newBuilder.BootstrapNewBuilder()
-
-		if err := c.updateRoot(); err != nil {
-			logrus.Debug("Client Update (Root): ", err)
-			return nil, nil, err
-		}
-		// If we error again, we now have the latest root and just want to fail
-		// out as there's no expectation the problem can be resolved automatically
-		logrus.Debug("retrying TUF client update")
-		if err := c.update(); err != nil {
-			return nil, nil, err
-		}
-	}
-	return c.newBuilder.Finish()
-}
-
-func (c *tufClient) update() error {
-	if err := c.downloadTimestamp(); err != nil {
-		logrus.Debugf("Client Update (Timestamp): %s", err.Error())
-		return err
-	}
-	if err := c.downloadSnapshot(); err != nil {
-		logrus.Debugf("Client Update (Snapshot): %s", err.Error())
-		return err
-	}
-	// will always need top level targets at a minimum
-	if err := c.downloadTargets(); err != nil {
-		logrus.Debugf("Client Update (Targets): %s", err.Error())
-		return err
-	}
-	return nil
-}
-
-// updateRoot checks if there is a newer version of the root available, and if so
-// downloads all intermediate root files to allow proper key rotation.
-func (c *tufClient) updateRoot() error {
-	// Get current root version
-	currentRootConsistentInfo := c.oldBuilder.GetConsistentInfo(data.CanonicalRootRole)
-	currentVersion := c.oldBuilder.GetLoadedVersion(currentRootConsistentInfo.RoleName)
-
-	// Get new root version
-	raw, err := c.downloadRoot()
-
-	switch err.(type) {
-	case *trustpinning.ErrRootRotationFail:
-		// Rotation errors are okay since we haven't yet downloaded
-		// all intermediate root files
-		break
-	case nil:
-		// No error updating root - we were at most 1 version behind
-		return nil
-	default:
-		// Return any non-rotation error.
-		return err
-	}
-
-	// Load current version into newBuilder
-	currentRaw, err := c.cache.GetSized(data.CanonicalRootRole.String(), -1)
-	if err != nil {
-		logrus.Debugf("error loading %d.%s: %s", currentVersion, data.CanonicalRootRole, err)
-		return err
-	}
-	if err := c.newBuilder.LoadRootForUpdate(currentRaw, currentVersion, false); err != nil {
-		logrus.Debugf("%d.%s is invalid: %s", currentVersion, data.CanonicalRootRole, err)
-		return err
-	}
-
-	// Extract newest version number
-	signedRoot := &data.Signed{}
-	if err := json.Unmarshal(raw, signedRoot); err != nil {
-		return err
-	}
-	newestRoot, err := data.RootFromSigned(signedRoot)
-	if err != nil {
-		return err
-	}
-	newestVersion := newestRoot.Signed.SignedCommon.Version
-
-	// Update from current + 1 (current already loaded) to newest - 1 (newest loaded below)
-	if err := c.updateRootVersions(currentVersion+1, newestVersion-1); err != nil {
-		return err
-	}
-
-	// Already downloaded newest, verify it against newest - 1
-	if err := c.newBuilder.LoadRootForUpdate(raw, newestVersion, true); err != nil {
-		logrus.Debugf("downloaded %d.%s is invalid: %s", newestVersion, data.CanonicalRootRole, err)
-		return err
-	}
-	logrus.Debugf("successfully verified downloaded %d.%s", newestVersion, data.CanonicalRootRole)
-
-	// Write newest to cache
-	if err := c.cache.Set(data.CanonicalRootRole.String(), raw); err != nil {
-		logrus.Debugf("unable to write %d.%s to cache: %s", newestVersion, data.CanonicalRootRole, err)
-	}
-	logrus.Debugf("finished updating root files")
-	return nil
-}
-
-// updateRootVersions updates the root from it's current version to a target, rotating keys
-// as they are found
-func (c *tufClient) updateRootVersions(fromVersion, toVersion int) error {
-	for v := fromVersion; v <= toVersion; v++ {
-		logrus.Debugf("updating root from version %d to version %d, currently fetching %d", fromVersion, toVersion, v)
-
-		versionedRole := fmt.Sprintf("%d.%s", v, data.CanonicalRootRole)
-
-		raw, err := c.remote.GetSized(versionedRole, -1)
-		if err != nil {
-			logrus.Debugf("error downloading %s: %s", versionedRole, err)
-			return err
-		}
-		if err := c.newBuilder.LoadRootForUpdate(raw, v, false); err != nil {
-			logrus.Debugf("downloaded %s is invalid: %s", versionedRole, err)
-			return err
-		}
-		logrus.Debugf("successfully verified downloaded %s", versionedRole)
-	}
-	return nil
-}
-
-// downloadTimestamp is responsible for downloading the timestamp.json
-// Timestamps are special in that we ALWAYS attempt to download and only
-// use cache if the download fails (and the cache is still valid).
-func (c *tufClient) downloadTimestamp() error {
-	logrus.Debug("Loading timestamp...")
-	role := data.CanonicalTimestampRole
-	consistentInfo := c.newBuilder.GetConsistentInfo(role)
-
-	// always get the remote timestamp, since it supersedes the local one
-	cachedTS, cachedErr := c.cache.GetSized(role.String(), notary.MaxTimestampSize)
-	_, remoteErr := c.tryLoadRemote(consistentInfo, cachedTS)
-
-	// check that there was no remote error, or if there was a network problem
-	// If there was a validation error, we should error out so we can download a new root or fail the update
-	switch remoteErr.(type) {
-	case nil:
-		return nil
-	case store.ErrMetaNotFound, store.ErrServerUnavailable, store.ErrOffline, store.NetworkError:
-		break
-	default:
-		return remoteErr
-	}
-
-	// since it was a network error: get the cached timestamp, if it exists
-	if cachedErr != nil {
-		logrus.Debug("no cached or remote timestamp available")
-		return remoteErr
-	}
-
-	logrus.Warn("Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely")
-	err := c.newBuilder.Load(role, cachedTS, 1, false)
-	if err == nil {
-		logrus.Debug("successfully verified cached timestamp")
-	}
-	return err
-
-}
-
-// downloadSnapshot is responsible for downloading the snapshot.json
-func (c *tufClient) downloadSnapshot() error {
-	logrus.Debug("Loading snapshot...")
-	role := data.CanonicalSnapshotRole
-	consistentInfo := c.newBuilder.GetConsistentInfo(role)
-
-	_, err := c.tryLoadCacheThenRemote(consistentInfo)
-	return err
-}
-
-// downloadTargets downloads all targets and delegated targets for the repository.
-// It uses a pre-order tree traversal as it's necessary to download parents first
-// to obtain the keys to validate children.
-func (c *tufClient) downloadTargets() error {
-	toDownload := []data.DelegationRole{{
-		BaseRole: data.BaseRole{Name: data.CanonicalTargetsRole},
-		Paths:    []string{""},
-	}}
-
-	for len(toDownload) > 0 {
-		role := toDownload[0]
-		toDownload = toDownload[1:]
-
-		consistentInfo := c.newBuilder.GetConsistentInfo(role.Name)
-		if !consistentInfo.ChecksumKnown() {
-			logrus.Debugf("skipping %s because there is no checksum for it", role.Name)
-			continue
-		}
-
-		children, err := c.getTargetsFile(role, consistentInfo)
-		switch err.(type) {
-		case signed.ErrExpired, signed.ErrRoleThreshold:
-			if role.Name == data.CanonicalTargetsRole {
-				return err
-			}
-			logrus.Warnf("Error getting %s: %s", role.Name, err)
-			break
-		case nil:
-			toDownload = append(children, toDownload...)
-		default:
-			return err
-		}
-	}
-	return nil
-}
-
-func (c tufClient) getTargetsFile(role data.DelegationRole, ci tuf.ConsistentInfo) ([]data.DelegationRole, error) {
-	logrus.Debugf("Loading %s...", role.Name)
-	tgs := &data.SignedTargets{}
-
-	raw, err := c.tryLoadCacheThenRemote(ci)
-	if err != nil {
-		return nil, err
-	}
-
-	// we know it unmarshals because if `tryLoadCacheThenRemote` didn't fail, then
-	// the raw has already been loaded into the builder
-	json.Unmarshal(raw, tgs)
-	return tgs.GetValidDelegations(role), nil
-}
-
-// downloadRoot is responsible for downloading the root.json
-func (c *tufClient) downloadRoot() ([]byte, error) {
-	role := data.CanonicalRootRole
-	consistentInfo := c.newBuilder.GetConsistentInfo(role)
-
-	// We can't read an exact size for the root metadata without risking getting stuck in the TUF update cycle
-	// since it's possible that downloading timestamp/snapshot metadata may fail due to a signature mismatch
-	if !consistentInfo.ChecksumKnown() {
-		logrus.Debugf("Loading root with no expected checksum")
-
-		// get the cached root, if it exists, just for version checking
-		cachedRoot, _ := c.cache.GetSized(role.String(), -1)
-		// prefer to download a new root
-		return c.tryLoadRemote(consistentInfo, cachedRoot)
-	}
-	return c.tryLoadCacheThenRemote(consistentInfo)
-}
-
-func (c *tufClient) tryLoadCacheThenRemote(consistentInfo tuf.ConsistentInfo) ([]byte, error) {
-	cachedTS, err := c.cache.GetSized(consistentInfo.RoleName.String(), consistentInfo.Length())
-	if err != nil {
-		logrus.Debugf("no %s in cache, must download", consistentInfo.RoleName)
-		return c.tryLoadRemote(consistentInfo, nil)
-	}
-
-	if err = c.newBuilder.Load(consistentInfo.RoleName, cachedTS, 1, false); err == nil {
-		logrus.Debugf("successfully verified cached %s", consistentInfo.RoleName)
-		return cachedTS, nil
-	}
-
-	logrus.Debugf("cached %s is invalid (must download): %s", consistentInfo.RoleName, err)
-	return c.tryLoadRemote(consistentInfo, cachedTS)
-}
-
-func (c *tufClient) tryLoadRemote(consistentInfo tuf.ConsistentInfo, old []byte) ([]byte, error) {
-	consistentName := consistentInfo.ConsistentName()
-	raw, err := c.remote.GetSized(consistentName, consistentInfo.Length())
-	if err != nil {
-		logrus.Debugf("error downloading %s: %s", consistentName, err)
-		return old, err
-	}
-
-	// try to load the old data into the old builder - only use it to validate
-	// versions if it loads successfully.  If it errors, then the loaded version
-	// will be 1
-	c.oldBuilder.Load(consistentInfo.RoleName, old, 1, true)
-	minVersion := c.oldBuilder.GetLoadedVersion(consistentInfo.RoleName)
-	if err := c.newBuilder.Load(consistentInfo.RoleName, raw, minVersion, false); err != nil {
-		logrus.Debugf("downloaded %s is invalid: %s", consistentName, err)
-		return raw, err
-	}
-	logrus.Debugf("successfully verified downloaded %s", consistentName)
-	if err := c.cache.Set(consistentInfo.RoleName.String(), raw); err != nil {
-		logrus.Debugf("Unable to write %s to cache: %s", consistentInfo.RoleName, err)
-	}
-	return raw, nil
-}
-
-// TUFLoadOptions are provided to LoadTUFRepo, which loads a TUF repo from cache,
-// from a remote store, or both
-type TUFLoadOptions struct {
-	GUN                    data.GUN
-	TrustPinning           trustpinning.TrustPinConfig
-	CryptoService          signed.CryptoService
-	Cache                  store.MetadataStore
-	RemoteStore            store.RemoteStore
-	AlwaysCheckInitialized bool
-}
-
-// bootstrapClient attempts to bootstrap a root.json to be used as the trust
-// anchor for a repository. The checkInitialized argument indicates whether
-// we should always attempt to contact the server to determine if the repository
-// is initialized or not. If set to true, we will always attempt to download
-// and return an error if the remote repository errors.
-//
-// Populates a tuf.RepoBuilder with this root metadata. If the root metadata
-// downloaded is a newer version than what is on disk, then intermediate
-// versions will be downloaded and verified in order to rotate trusted keys
-// properly. Newer root metadata must always be signed with the previous
-// threshold and keys.
-//
-// Fails if the remote server is reachable and does not know the repo
-// (i.e. before any metadata has been published), in which case the error is
-// store.ErrMetaNotFound, or if the root metadata (from whichever source is used)
-// is not trusted.
-//
-// Returns a TUFClient for the remote server, which may not be actually
-// operational (if the URL is invalid but a root.json is cached).
-func bootstrapClient(l TUFLoadOptions) (*tufClient, error) {
-	minVersion := 1
-	// the old root on disk should not be validated against any trust pinning configuration
-	// because if we have an old root, it itself is the thing that pins trust
-	oldBuilder := tuf.NewRepoBuilder(l.GUN, l.CryptoService, trustpinning.TrustPinConfig{})
-
-	// by default, we want to use the trust pinning configuration on any new root that we download
-	newBuilder := tuf.NewRepoBuilder(l.GUN, l.CryptoService, l.TrustPinning)
-
-	// Try to read root from cache first. We will trust this root until we detect a problem
-	// during update which will cause us to download a new root and perform a rotation.
-	// If we have an old root, and it's valid, then we overwrite the newBuilder to be one
-	// preloaded with the old root or one which uses the old root for trust bootstrapping.
-	if rootJSON, err := l.Cache.GetSized(data.CanonicalRootRole.String(), store.NoSizeLimit); err == nil {
-		// if we can't load the cached root, fail hard because that is how we pin trust
-		if err := oldBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, true); err != nil {
-			return nil, err
-		}
-
-		// again, the root on disk is the source of trust pinning, so use an empty trust
-		// pinning configuration
-		newBuilder = tuf.NewRepoBuilder(l.GUN, l.CryptoService, trustpinning.TrustPinConfig{})
-
-		if err := newBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, false); err != nil {
-			// Ok, the old root is expired - we want to download a new one.  But we want to use the
-			// old root to verify the new root, so bootstrap a new builder with the old builder
-			// but use the trustpinning to validate the new root
-			minVersion = oldBuilder.GetLoadedVersion(data.CanonicalRootRole)
-			newBuilder = oldBuilder.BootstrapNewBuilderWithNewTrustpin(l.TrustPinning)
-		}
-	}
-
-	if !newBuilder.IsLoaded(data.CanonicalRootRole) || l.AlwaysCheckInitialized {
-		// remoteErr was nil and we were not able to load a root from cache or
-		// are specifically checking for initialization of the repo.
-
-		// if remote store successfully set up, try and get root from remote
-		// We don't have any local data to determine the size of root, so try the maximum (though it is restricted at 100MB)
-		tmpJSON, err := l.RemoteStore.GetSized(data.CanonicalRootRole.String(), store.NoSizeLimit)
-		if err != nil {
-			// we didn't have a root in cache and were unable to load one from
-			// the server. Nothing we can do but error.
-			return nil, err
-		}
-
-		if !newBuilder.IsLoaded(data.CanonicalRootRole) {
-			// we always want to use the downloaded root if we couldn't load from cache
-			if err := newBuilder.Load(data.CanonicalRootRole, tmpJSON, minVersion, false); err != nil {
-				return nil, err
-			}
-
-			err = l.Cache.Set(data.CanonicalRootRole.String(), tmpJSON)
-			if err != nil {
-				// if we can't write cache we should still continue, just log error
-				logrus.Errorf("could not save root to cache: %s", err.Error())
-			}
-		}
-	}
-
-	// We can only get here if remoteErr != nil (hence we don't download any new root),
-	// and there was no root on disk
-	if !newBuilder.IsLoaded(data.CanonicalRootRole) {
-		return nil, ErrRepoNotInitialized{}
-	}
-
-	return &tufClient{
-		oldBuilder: oldBuilder,
-		newBuilder: newBuilder,
-		remote:     l.RemoteStore,
-		cache:      l.Cache,
-	}, nil
-}
-
-// LoadTUFRepo bootstraps a trust anchor (root.json) from cache (if provided) before updating
-// all the metadata for the repo from the remote (if provided). It loads a TUF repo from cache,
-// from a remote store, or both.
-func LoadTUFRepo(options TUFLoadOptions) (*tuf.Repo, *tuf.Repo, error) {
-	// set some sane defaults, so nothing has to be provided necessarily
-	if options.RemoteStore == nil {
-		options.RemoteStore = store.OfflineStore{}
-	}
-	if options.Cache == nil {
-		options.Cache = store.NewMemoryStore(nil)
-	}
-	if options.CryptoService == nil {
-		options.CryptoService = cryptoservice.EmptyService
-	}
-
-	c, err := bootstrapClient(options)
-	if err != nil {
-		if _, ok := err.(store.ErrMetaNotFound); ok {
-			return nil, nil, ErrRepositoryNotExist{
-				remote: options.RemoteStore.Location(),
-				gun:    options.GUN,
-			}
-		}
-		return nil, nil, err
-	}
-	repo, invalid, err := c.Update()
-	if err != nil {
-		// notFound.Resource may include a version or checksum so when the role is root,
-		// it will be root, <version>.root or root.<checksum>.
-		notFound, ok := err.(store.ErrMetaNotFound)
-		isRoot, _ := regexp.MatchString(`\.?`+data.CanonicalRootRole.String()+`\.?`, notFound.Resource)
-		if ok && isRoot {
-			return nil, nil, ErrRepositoryNotExist{
-				remote: options.RemoteStore.Location(),
-				gun:    options.GUN,
-			}
-		}
-		return nil, nil, err
-	}
-	warnRolesNearExpiry(repo)
-	return repo, invalid, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/client/witness.go b/vendor/github.com/theupdateframework/notary/client/witness.go
deleted file mode 100644
index ea6caa1b..00000000
--- a/vendor/github.com/theupdateframework/notary/client/witness.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package client
-
-import (
-	"github.com/theupdateframework/notary/client/changelist"
-	"github.com/theupdateframework/notary/tuf"
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// Witness creates change objects to witness (i.e. re-sign) the given
-// roles on the next publish. One change is created per role
-func (r *repository) Witness(roles ...data.RoleName) ([]data.RoleName, error) {
-	var err error
-	successful := make([]data.RoleName, 0, len(roles))
-	for _, role := range roles {
-		// scope is role
-		c := changelist.NewTUFChange(
-			changelist.ActionUpdate,
-			role,
-			changelist.TypeWitness,
-			"",
-			nil,
-		)
-		err = r.changelist.Add(c)
-		if err != nil {
-			break
-		}
-		successful = append(successful, role)
-	}
-	return successful, err
-}
-
-func witnessTargets(repo *tuf.Repo, invalid *tuf.Repo, role data.RoleName) error {
-	if r, ok := repo.Targets[role]; ok {
-		// role is already valid, mark for re-signing/updating
-		r.Dirty = true
-		return nil
-	}
-
-	if roleObj, err := repo.GetDelegationRole(role); err == nil && invalid != nil {
-		// A role with a threshold > len(keys) is technically invalid, but we let it build in the builder because
-		// we want to be able to download the role (which may still have targets on it), add more keys, and then
-		// witness the role, thus bringing it back to valid.  However, if no keys have been added before witnessing,
-		// then it is still an invalid role, and can't be witnessed because nothing can bring it back to valid.
-		if roleObj.Threshold > len(roleObj.Keys) {
-			return data.ErrInvalidRole{
-				Role:   role,
-				Reason: "role does not specify enough valid signing keys to meet its required threshold",
-			}
-		}
-		if r, ok := invalid.Targets[role]; ok {
-			// role is recognized but invalid, move to valid data and mark for re-signing
-			repo.Targets[role] = r
-			r.Dirty = true
-			return nil
-		}
-	}
-	// role isn't recognized, even as invalid
-	return data.ErrInvalidRole{
-		Role:   role,
-		Reason: "this role is not known",
-	}
-}
diff --git a/vendor/github.com/theupdateframework/notary/codecov.yml b/vendor/github.com/theupdateframework/notary/codecov.yml
deleted file mode 100644
index d1d7b993..00000000
--- a/vendor/github.com/theupdateframework/notary/codecov.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-codecov:
-  notify:
-    # 2 builds on circleci, 1 jenkins build
-    after_n_builds: 3
-coverage:
-  range: "50...100"
-  status:
-    # project will give us the diff in the total code coverage between a commit
-    # and its parent
-    project:
-      default:
-        target: auto
-        threshold: "0.05%"
-    # patch would give us the code coverage of the diff only
-    patch: false
-    # changes tells us if there are unexpected code coverage changes in other files
-    # which were not changed by the diff
-    changes: false
-  ignore:  # ignore testutils for coverage
-    - "tuf/testutils/*"
-    - "vendor/*"
-    - "proto/*.pb.go"
-    - "trustmanager/remoteks/*.pb.go"
-comment: off
-
diff --git a/vendor/github.com/theupdateframework/notary/const.go b/vendor/github.com/theupdateframework/notary/const.go
deleted file mode 100644
index a1bf3588..00000000
--- a/vendor/github.com/theupdateframework/notary/const.go
+++ /dev/null
@@ -1,95 +0,0 @@
-package notary
-
-import (
-	"time"
-)
-
-// application wide constants
-const (
-	// MaxDownloadSize is the maximum size we'll download for metadata if no limit is given
-	MaxDownloadSize int64 = 100 << 20
-	// MaxTimestampSize is the maximum size of timestamp metadata - 1MiB.
-	MaxTimestampSize int64 = 1 << 20
-	// MinRSABitSize is the minimum bit size for RSA keys allowed in notary
-	MinRSABitSize = 2048
-	// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold
-	MinThreshold = 1
-	// SHA256HexSize is how big a SHA256 hex is in number of characters
-	SHA256HexSize = 64
-	// SHA512HexSize is how big a SHA512 hex is in number of characters
-	SHA512HexSize = 128
-	// SHA256 is the name of SHA256 hash algorithm
-	SHA256 = "sha256"
-	// SHA512 is the name of SHA512 hash algorithm
-	SHA512 = "sha512"
-	// TrustedCertsDir is the directory, under the notary repo base directory, where trusted certs are stored
-	TrustedCertsDir = "trusted_certificates"
-	// PrivDir is the directory, under the notary repo base directory, where private keys are stored
-	PrivDir = "private"
-	// RootKeysSubdir is the subdirectory under PrivDir where root private keys are stored
-	// DEPRECATED: The only reason we need this constant is compatibility with older versions
-	RootKeysSubdir = "root_keys"
-	// NonRootKeysSubdir is the subdirectory under PrivDir where non-root private keys are stored
-	// DEPRECATED: The only reason we need this constant is compatibility with older versions
-	NonRootKeysSubdir = "tuf_keys"
-	// KeyExtension is the file extension to use for private key files
-	KeyExtension = "key"
-
-	// Day is a duration of one day
-	Day  = 24 * time.Hour
-	Year = 365 * Day
-
-	// NotaryRootExpiry is the duration representing the expiry time of the Root role
-	NotaryRootExpiry      = 10 * Year
-	NotaryTargetsExpiry   = 3 * Year
-	NotarySnapshotExpiry  = 3 * Year
-	NotaryTimestampExpiry = 14 * Day
-
-	ConsistentMetadataCacheMaxAge = 30 * Day
-	CurrentMetadataCacheMaxAge    = 5 * time.Minute
-	// CacheMaxAgeLimit is the generally recommended maximum age for Cache-Control headers
-	// (one year, in seconds, since one year is forever in terms of internet
-	// content)
-	CacheMaxAgeLimit = 1 * Year
-
-	MySQLBackend     = "mysql"
-	MemoryBackend    = "memory"
-	PostgresBackend  = "postgres"
-	SQLiteBackend    = "sqlite3"
-	RethinkDBBackend = "rethinkdb"
-	FileBackend      = "file"
-
-	DefaultImportRole = "delegation"
-
-	// HealthCheckKeyManagement and HealthCheckSigner are the grpc service name
-	// for "KeyManagement" and "Signer" respectively which used for health check.
-	// The "Overall" indicates the querying for overall status of the server.
-	HealthCheckKeyManagement = "grpc.health.v1.Health.KeyManagement"
-	HealthCheckSigner        = "grpc.health.v1.Health.Signer"
-	HealthCheckOverall       = "grpc.health.v1.Health.Overall"
-
-	// PrivExecPerms indicates the file permissions for directory
-	// and PrivNoExecPerms for file.
-	PrivExecPerms   = 0700
-	PrivNoExecPerms = 0600
-
-	// DefaultPageSize is the default number of records to return from the changefeed
-	DefaultPageSize = 100
-)
-
-// enum to use for setting and retrieving values from contexts
-const (
-	CtxKeyMetaStore CtxKey = iota
-	CtxKeyKeyAlgo
-	CtxKeyCryptoSvc
-	CtxKeyRepo
-)
-
-// NotarySupportedBackends contains the backends we would like to support at present
-var NotarySupportedBackends = []string{
-	MemoryBackend,
-	MySQLBackend,
-	SQLiteBackend,
-	RethinkDBBackend,
-	PostgresBackend,
-}
diff --git a/vendor/github.com/theupdateframework/notary/const_nowindows.go b/vendor/github.com/theupdateframework/notary/const_nowindows.go
deleted file mode 100644
index 67551717..00000000
--- a/vendor/github.com/theupdateframework/notary/const_nowindows.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// +build !windows
-
-package notary
-
-import (
-	"os"
-	"syscall"
-)
-
-// NotarySupportedSignals contains the signals we would like to capture:
-// - SIGUSR1, indicates a increment of the log level.
-// - SIGUSR2, indicates a decrement of the log level.
-var NotarySupportedSignals = []os.Signal{
-	syscall.SIGUSR1,
-	syscall.SIGUSR2,
-}
diff --git a/vendor/github.com/theupdateframework/notary/const_windows.go b/vendor/github.com/theupdateframework/notary/const_windows.go
deleted file mode 100644
index e2dff0e4..00000000
--- a/vendor/github.com/theupdateframework/notary/const_windows.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// +build windows
-
-package notary
-
-import "os"
-
-// NotarySupportedSignals does not contain any signals, because SIGUSR1/2 are not supported on windows
-var NotarySupportedSignals = []os.Signal{}
diff --git a/vendor/github.com/theupdateframework/notary/cross.Dockerfile b/vendor/github.com/theupdateframework/notary/cross.Dockerfile
deleted file mode 100644
index 0139edfe..00000000
--- a/vendor/github.com/theupdateframework/notary/cross.Dockerfile
+++ /dev/null
@@ -1,29 +0,0 @@
-FROM dockercore/golang-cross:1.12.15
-
-RUN apt-get update && apt-get install -y \
-	curl \
-	clang \
-	file \
-	libsqlite3-dev \
-	patch \
-	tar \
-	xz-utils \
-	python \
-	python-pip \
-	--no-install-recommends \
-	&& rm -rf /var/lib/apt/lists/*
-
-RUN useradd -ms /bin/bash notary \
-	&& pip install codecov \
-	&& go get golang.org/x/lint/golint github.com/fzipp/gocyclo github.com/client9/misspell/cmd/misspell github.com/gordonklaus/ineffassign github.com/securego/gosec/cmd/gosec/...
-
-ENV NOTARYDIR /go/src/github.com/theupdateframework/notary
-ENV GO111MODULE=on
-ENV GOFLAGS=-mod=vendor
-
-COPY . ${NOTARYDIR}
-RUN chmod -R a+rw /go
-
-WORKDIR ${NOTARYDIR}
-
-# Note this cannot use alpine because of the MacOSX Cross SDK: the cctools there uses sys/cdefs.h and that cannot be used in alpine: http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h
diff --git a/vendor/github.com/theupdateframework/notary/cryptoservice/certificate.go b/vendor/github.com/theupdateframework/notary/cryptoservice/certificate.go
deleted file mode 100644
index 0270e89f..00000000
--- a/vendor/github.com/theupdateframework/notary/cryptoservice/certificate.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package cryptoservice
-
-import (
-	"crypto"
-	"crypto/rand"
-	"crypto/x509"
-	"fmt"
-	"time"
-
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// GenerateCertificate generates an X509 Certificate from a template, given a GUN and validity interval
-func GenerateCertificate(rootKey data.PrivateKey, gun data.GUN, startTime, endTime time.Time) (*x509.Certificate, error) {
-	signer := rootKey.CryptoSigner()
-	if signer == nil {
-		return nil, fmt.Errorf("key type not supported for Certificate generation: %s", rootKey.Algorithm())
-	}
-
-	return generateCertificate(signer, gun, startTime, endTime)
-}
-
-func generateCertificate(signer crypto.Signer, gun data.GUN, startTime, endTime time.Time) (*x509.Certificate, error) {
-	template, err := utils.NewCertificate(gun.String(), startTime, endTime)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create the certificate template for: %s (%v)", gun, err)
-	}
-
-	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, signer.Public(), signer)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create the certificate for: %s (%v)", gun, err)
-	}
-
-	cert, err := x509.ParseCertificate(derBytes)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse the certificate for key: %s (%v)", gun, err)
-	}
-
-	return cert, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/cryptoservice/crypto_service.go b/vendor/github.com/theupdateframework/notary/cryptoservice/crypto_service.go
deleted file mode 100644
index 7f569995..00000000
--- a/vendor/github.com/theupdateframework/notary/cryptoservice/crypto_service.go
+++ /dev/null
@@ -1,162 +0,0 @@
-package cryptoservice
-
-import (
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-	"fmt"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/trustmanager"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-var (
-	// ErrNoValidPrivateKey is returned if a key being imported doesn't
-	// look like a private key
-	ErrNoValidPrivateKey = errors.New("no valid private key found")
-
-	// ErrRootKeyNotEncrypted is returned if a root key being imported is
-	// unencrypted
-	ErrRootKeyNotEncrypted = errors.New("only encrypted root keys may be imported")
-
-	// EmptyService is an empty crypto service
-	EmptyService = NewCryptoService()
-)
-
-// CryptoService implements Sign and Create, holding a specific GUN and keystore to
-// operate on
-type CryptoService struct {
-	keyStores []trustmanager.KeyStore
-}
-
-// NewCryptoService returns an instance of CryptoService
-func NewCryptoService(keyStores ...trustmanager.KeyStore) *CryptoService {
-	return &CryptoService{keyStores: keyStores}
-}
-
-// Create is used to generate keys for targets, snapshots and timestamps
-func (cs *CryptoService) Create(role data.RoleName, gun data.GUN, algorithm string) (data.PublicKey, error) {
-	if algorithm == data.RSAKey {
-		return nil, fmt.Errorf("%s keys can only be imported", data.RSAKey)
-	}
-
-	privKey, err := utils.GenerateKey(algorithm)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate %s key: %v", algorithm, err)
-	}
-	logrus.Debugf("generated new %s key for role: %s and keyID: %s", algorithm, role.String(), privKey.ID())
-	pubKey := data.PublicKeyFromPrivate(privKey)
-
-	return pubKey, cs.AddKey(role, gun, privKey)
-}
-
-// GetPrivateKey returns a private key and role if present by ID.
-func (cs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, role data.RoleName, err error) {
-	for _, ks := range cs.keyStores {
-		if k, role, err = ks.GetKey(keyID); err == nil {
-			return
-		}
-		switch err.(type) {
-		case trustmanager.ErrPasswordInvalid, trustmanager.ErrAttemptsExceeded:
-			return
-		default:
-			continue
-		}
-	}
-	return // returns whatever the final values were
-}
-
-// GetKey returns a key by ID
-func (cs *CryptoService) GetKey(keyID string) data.PublicKey {
-	privKey, _, err := cs.GetPrivateKey(keyID)
-	if err != nil {
-		return nil
-	}
-	return data.PublicKeyFromPrivate(privKey)
-}
-
-// GetKeyInfo returns role and GUN info of a key by ID
-func (cs *CryptoService) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {
-	for _, store := range cs.keyStores {
-		if info, err := store.GetKeyInfo(keyID); err == nil {
-			return info, nil
-		}
-	}
-	return trustmanager.KeyInfo{}, fmt.Errorf("Could not find info for keyID %s", keyID)
-}
-
-// RemoveKey deletes a key by ID
-func (cs *CryptoService) RemoveKey(keyID string) (err error) {
-	for _, ks := range cs.keyStores {
-		ks.RemoveKey(keyID)
-	}
-	return // returns whatever the final values were
-}
-
-// AddKey adds a private key to a specified role.
-// The GUN is inferred from the cryptoservice itself for non-root roles
-func (cs *CryptoService) AddKey(role data.RoleName, gun data.GUN, key data.PrivateKey) (err error) {
-	// First check if this key already exists in any of our keystores
-	for _, ks := range cs.keyStores {
-		if keyInfo, err := ks.GetKeyInfo(key.ID()); err == nil {
-			if keyInfo.Role != role {
-				return fmt.Errorf("key with same ID already exists for role: %s", keyInfo.Role.String())
-			}
-			logrus.Debugf("key with same ID %s and role %s already exists", key.ID(), keyInfo.Role.String())
-			return nil
-		}
-	}
-	// If the key didn't exist in any of our keystores, add and return on the first successful keystore
-	for _, ks := range cs.keyStores {
-		// Try to add to this keystore, return if successful
-		if err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, key); err == nil {
-			return nil
-		}
-	}
-	return // returns whatever the final values were
-}
-
-// ListKeys returns a list of key IDs valid for the given role
-func (cs *CryptoService) ListKeys(role data.RoleName) []string {
-	var res []string
-	for _, ks := range cs.keyStores {
-		for k, r := range ks.ListKeys() {
-			if r.Role == role {
-				res = append(res, k)
-			}
-		}
-	}
-	return res
-}
-
-// ListAllKeys returns a map of key IDs to role
-func (cs *CryptoService) ListAllKeys() map[string]data.RoleName {
-	res := make(map[string]data.RoleName)
-	for _, ks := range cs.keyStores {
-		for k, r := range ks.ListKeys() {
-			res[k] = r.Role // keys are content addressed so don't care about overwrites
-		}
-	}
-	return res
-}
-
-// CheckRootKeyIsEncrypted makes sure the root key is encrypted. We have
-// internal assumptions that depend on this.
-func CheckRootKeyIsEncrypted(pemBytes []byte) error {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return ErrNoValidPrivateKey
-	}
-
-	if block.Type == "ENCRYPTED PRIVATE KEY" {
-		return nil
-	}
-	if !notary.FIPSEnabled() && x509.IsEncryptedPEMBlock(block) {
-		return nil
-	}
-
-	return ErrRootKeyNotEncrypted
-}
diff --git a/vendor/github.com/theupdateframework/notary/development.mysql.yml b/vendor/github.com/theupdateframework/notary/development.mysql.yml
deleted file mode 100644
index c005cfe6..00000000
--- a/vendor/github.com/theupdateframework/notary/development.mysql.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-version: "2"
-services:
-  server:
-    build:
-      context: .
-      dockerfile: server.Dockerfile
-    networks:
-      mdb:
-      sig:
-      srv:
-        aliases:
-          - notary-server
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.json"
-    depends_on:
-      - mysql
-      - signer
-  signer:
-    build:
-      context: .
-      dockerfile: signer.Dockerfile
-    networks:
-      mdb:
-      sig:
-        aliases:
-          - notarysigner
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.json"
-    depends_on:
-      - mysql
-  mysql:
-    networks:
-      - mdb
-    volumes:
-      - ./notarysql/mysql-initdb.d:/docker-entrypoint-initdb.d
-    image: mariadb:10.4
-    environment:
-      - TERM=dumb
-      - MYSQL_ALLOW_EMPTY_PASSWORD="true"
-    command: mysqld --innodb_file_per_table
-  client:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    env_file: buildscripts/env.list
-    command: buildscripts/testclient.py
-    volumes:
-      - ./test_output:/test_output
-    networks:
-      - mdb
-      - srv
-    depends_on:
-      - server
-networks:
-  mdb:
-    external: false
-  sig:
-    external: false
-  srv:
-    external: false
diff --git a/vendor/github.com/theupdateframework/notary/development.postgresql.yml b/vendor/github.com/theupdateframework/notary/development.postgresql.yml
deleted file mode 100644
index 2106b377..00000000
--- a/vendor/github.com/theupdateframework/notary/development.postgresql.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-version: "2"
-services:
-  server:
-    build:
-      context: .
-      dockerfile: server.Dockerfile
-    networks:
-      mdb:
-      sig:
-      srv:
-        aliases:
-          - notary-server
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json"
-    environment:
-      MIGRATIONS_PATH: migrations/server/postgresql
-      DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/theupdateframework/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-server-key.pem
-    depends_on:
-      - postgresql
-      - signer
-  signer:
-    build:
-      context: .
-      dockerfile: signer.Dockerfile
-    networks:
-      mdb:
-      sig:
-        aliases:
-          - notarysigner
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json"
-    environment:
-      MIGRATIONS_PATH: migrations/signer/postgresql
-      DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/theupdateframework/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-signer-key.pem
-    depends_on:
-      - postgresql
-  postgresql:
-    image: postgres:9.5.4
-    networks:
-      - mdb 
-    volumes:
-      - ./notarysql/postgresql-initdb.d:/docker-entrypoint-initdb.d
-    command: -l
-  client:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    env_file: buildscripts/env.list
-    command: buildscripts/testclient.py
-    volumes:
-      - ./test_output:/test_output
-    networks:
-      - mdb
-      - srv
-    depends_on:
-      - server
-networks:
-  mdb:
-    external: false
-  sig:
-    external: false
-  srv:
-    external: false
diff --git a/vendor/github.com/theupdateframework/notary/development.rethink.yml b/vendor/github.com/theupdateframework/notary/development.rethink.yml
deleted file mode 100644
index 08b1e855..00000000
--- a/vendor/github.com/theupdateframework/notary/development.rethink.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-version: "2"
-services:
-    server:
-      build:
-        context: .
-        dockerfile: server.Dockerfile
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-      networks:
-        - rdb
-      links:
-        - rdb-proxy:rdb-proxy.rdb
-        - signer
-      ports:
-        - "8080"
-        - "4443:4443"
-      entrypoint: /usr/bin/env sh
-      command: -c "sh migrations/rethink_migrate.sh && notary-server -config=fixtures/server-config.rethink.json"
-      depends_on:
-        - rdb-proxy
-    signer:
-      build:
-        context: .
-        dockerfile: signer.Dockerfile
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-      networks:
-        rdb:
-            aliases:
-                - notarysigner
-      links:
-        - rdb-proxy:rdb-proxy.rdb
-      entrypoint: /usr/bin/env sh
-      command: -c "sh migrations/rethink_migrate.sh && notary-signer -config=fixtures/signer-config.rethink.json"
-      depends_on:
-        - rdb-proxy
-    rdb-01:
-      image: jlhawn/rethinkdb:2.3.4
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-        - rdb-01-data:/var/data
-      networks:
-        rdb:
-          aliases:
-            - rdb
-            - rdb.rdb
-            - rdb-01.rdb
-      command: "--bind all --no-http-admin --server-name rdb_01 --canonical-address rdb-01.rdb --directory /var/data/rethinkdb --join rdb.rdb --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-    rdb-02:
-      image: jlhawn/rethinkdb:2.3.4
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-        - rdb-02-data:/var/data
-      networks:
-        rdb:
-          aliases:
-            - rdb
-            - rdb.rdb
-            - rdb-02.rdb
-      command: "--bind all --no-http-admin --server-name rdb_02 --canonical-address rdb-02.rdb --directory /var/data/rethinkdb --join rdb.rdb --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-    rdb-03:
-      image: jlhawn/rethinkdb:2.3.4
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-        - rdb-03-data:/var/data
-      networks:
-        rdb:
-          aliases:
-            - rdb
-            - rdb.rdb
-            - rdb-03.rdb
-      command: "--bind all --no-http-admin --server-name rdb_03 --canonical-address rdb-03.rdb --directory /var/data/rethinkdb --join rdb.rdb --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-    rdb-proxy:
-      image: jlhawn/rethinkdb:2.3.4
-      ports:
-        - "8080:8080"
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-      networks:
-        rdb:
-          aliases:
-            - rdb-proxy
-            - rdb-proxy.rdp
-      command: "proxy --bind all --join rdb.rdb --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-      depends_on:
-        - rdb-01
-        - rdb-02
-        - rdb-03
-    client:
-      build:
-        context: .
-        dockerfile: Dockerfile
-      volumes:
-        - ./test_output:/test_output
-      networks:
-        - rdb
-      env_file: buildscripts/env.list
-      links:
-        - server:notary-server
-      command: buildscripts/testclient.py
-volumes:
-    rdb-01-data:
-        external: false
-    rdb-02-data:
-        external: false
-    rdb-03-data:
-        external: false
-networks:
-    rdb:
-        external: false
diff --git a/vendor/github.com/theupdateframework/notary/docker-compose.postgresql.yml b/vendor/github.com/theupdateframework/notary/docker-compose.postgresql.yml
deleted file mode 100644
index 4146238e..00000000
--- a/vendor/github.com/theupdateframework/notary/docker-compose.postgresql.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-version: "2"
-services:
-  server:
-    build:
-      context: .
-      dockerfile: server.Dockerfile
-    networks:
-      - mdb
-      - sig
-    ports:
-      - "8080"
-      - "4443:4443"
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json"
-    environment:
-      MIGRATIONS_PATH: migrations/server/postgresql
-      DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/theupdateframework/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-server-key.pem
-    depends_on:
-      - postgresql
-      - signer
-  signer:
-    build:
-      context: .
-      dockerfile: signer.Dockerfile
-    networks:
-      mdb:
-      sig:
-        aliases:
-          - notarysigner
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json"
-    environment:
-      MIGRATIONS_PATH: migrations/signer/postgresql
-      DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/theupdateframework/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/theupdateframework/notary/fixtures/database/notary-signer-key.pem
-    depends_on:
-      - postgresql
-  postgresql:
-    image: postgres:9.5.4
-    networks:
-      - mdb
-    volumes:
-      - ./notarysql/postgresql-initdb.d:/docker-entrypoint-initdb.d
-      - notary_data:/var/lib/postgresql
-    ports:
-      - 5432:5432
-    command: -l
-volumes:
-  notary_data:
-    external: false
-networks:
-  mdb:
-    external: false
-  sig:
-    external: false
diff --git a/vendor/github.com/theupdateframework/notary/docker-compose.rethink.yml b/vendor/github.com/theupdateframework/notary/docker-compose.rethink.yml
deleted file mode 100644
index 5a88ec99..00000000
--- a/vendor/github.com/theupdateframework/notary/docker-compose.rethink.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-version: "2"
-services:
-    server:
-      build:
-        context: .
-        dockerfile: server.Dockerfile
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-      networks:
-        - rdb
-      links:
-        - rdb-proxy:rdb-proxy.rdb
-        - signer
-      ports:
-        - "4443:4443"
-      entrypoint: /usr/bin/env sh
-      command: -c "sh migrations/rethink_migrate.sh && notary-server -config=fixtures/server-config.rethink.json"
-      depends_on:
-        - rdb-proxy
-    signer:
-      build:
-        context: .
-        dockerfile: signer.Dockerfile
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-      networks:
-        rdb:
-            aliases:
-                - notarysigner
-      links:
-        - rdb-proxy:rdb-proxy.rdb
-      entrypoint: /usr/bin/env sh
-      command: -c "sh migrations/rethink_migrate.sh && notary-signer -config=fixtures/signer-config.rethink.json"
-      depends_on:
-        - rdb-proxy
-    rdb-01:
-      image: jlhawn/rethinkdb:2.3.4
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-        - rdb-01-data:/var/data
-      networks:
-        rdb:
-          aliases:
-            - rdb-01.rdb
-      command: "--bind all --no-http-admin --server-name rdb_01 --canonical-address rdb-01.rdb --directory /var/data/rethinkdb --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-    rdb-02:
-      image: jlhawn/rethinkdb:2.3.4
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-        - rdb-02-data:/var/data
-      networks:
-        rdb:
-          aliases:
-            - rdb-02.rdb
-      command: "--bind all --no-http-admin --server-name rdb_02 --canonical-address rdb-02.rdb --directory /var/data/rethinkdb --join rdb-01 --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-      depends_on:
-        - rdb-01
-    rdb-03:
-      image: jlhawn/rethinkdb:2.3.4
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-        - rdb-03-data:/var/data
-      networks:
-        rdb:
-          aliases:
-            - rdb-03.rdb
-      command: "--bind all --no-http-admin --server-name rdb_03 --canonical-address rdb-03.rdb --directory /var/data/rethinkdb --join rdb-02 --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-      depends_on:
-        - rdb-01
-        - rdb-02
-    rdb-proxy:
-      image: jlhawn/rethinkdb:2.3.4
-      ports:
-        - "8080:8080"
-      volumes:
-        - ./fixtures/rethinkdb:/tls
-      networks:
-        rdb:
-          aliases:
-            - rdb-proxy
-            - rdb-proxy.rdp
-      command: "proxy --bind all --join rdb-03 --driver-tls-ca /tls/ca.pem --driver-tls-key /tls/key.pem --driver-tls-cert /tls/cert.pem --cluster-tls-key /tls/key.pem --cluster-tls-cert /tls/cert.pem --cluster-tls-ca /tls/ca.pem"
-      depends_on:
-        - rdb-01
-        - rdb-02
-        - rdb-03
-volumes:
-    rdb-01-data:
-        external: false
-    rdb-02-data:
-        external: false
-    rdb-03-data:
-        external: false
-networks:
-    rdb:
-        external: false
diff --git a/vendor/github.com/theupdateframework/notary/docker-compose.yml b/vendor/github.com/theupdateframework/notary/docker-compose.yml
deleted file mode 100644
index 99c1798f..00000000
--- a/vendor/github.com/theupdateframework/notary/docker-compose.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-version: "2"
-services:
-  server:
-    build:
-      context: .
-      dockerfile: server.Dockerfile
-    networks:
-      - mdb
-      - sig
-    ports:
-      - "8080"
-      - "4443:4443"
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.json"
-    depends_on:
-      - mysql
-      - signer
-  signer:
-    build:
-      context: .
-      dockerfile: signer.Dockerfile
-    networks:
-      mdb:
-      sig:
-        aliases:
-          - notarysigner
-    entrypoint: /usr/bin/env sh
-    command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.json"
-    depends_on:
-      - mysql
-  mysql:
-    networks:
-      - mdb
-    volumes:
-      - ./notarysql/mysql-initdb.d:/docker-entrypoint-initdb.d
-      - notary_data:/var/lib/mysql
-    image: mariadb:10.4
-    environment:
-      - TERM=dumb
-      - MYSQL_ALLOW_EMPTY_PASSWORD="true"
-    command: mysqld --innodb_file_per_table
-volumes:
-  notary_data:
-    external: false
-networks:
-  mdb:
-    external: false
-  sig:
-    external: false
diff --git a/vendor/github.com/theupdateframework/notary/escrow.Dockerfile b/vendor/github.com/theupdateframework/notary/escrow.Dockerfile
deleted file mode 100644
index 3ac17f68..00000000
--- a/vendor/github.com/theupdateframework/notary/escrow.Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-FROM golang:1.14.1-alpine
-
-ENV NOTARYPKG github.com/theupdateframework/notary
-ENV GO111MODULE=on
-
-# Copy the local repo to the expected go path
-COPY . /go/src/${NOTARYPKG}
-
-WORKDIR /go/src/${NOTARYPKG}
-
-EXPOSE 4450
-
-# Install escrow
-RUN go install ${NOTARYPKG}/cmd/escrow
-
-ENTRYPOINT [ "escrow" ]
-CMD [ "-config=cmd/escrow/config.toml" ]
diff --git a/vendor/github.com/theupdateframework/notary/fips.go b/vendor/github.com/theupdateframework/notary/fips.go
deleted file mode 100644
index 240ca2c6..00000000
--- a/vendor/github.com/theupdateframework/notary/fips.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package notary
-
-import (
-	"crypto"
-	// Need to import md5 so can test availability.
-	_ "crypto/md5" // #nosec
-)
-
-// FIPSEnabled returns true if running in FIPS mode.
-// If compiled in FIPS mode the md5 hash function is never available
-// even when imported. This seems to be the best test we have for it.
-func FIPSEnabled() bool {
-	return !crypto.MD5.Available()
-}
diff --git a/vendor/github.com/theupdateframework/notary/notary.go b/vendor/github.com/theupdateframework/notary/notary.go
deleted file mode 100644
index 7d6747f5..00000000
--- a/vendor/github.com/theupdateframework/notary/notary.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package notary
-
-// PassRetriever is a callback function that should retrieve a passphrase
-// for a given named key. If it should be treated as new passphrase (e.g. with
-// confirmation), createNew will be true. Attempts is passed in so that implementers
-// decide how many chances to give to a human, for example.
-type PassRetriever func(keyName, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error)
-
-// CtxKey is a wrapper type for use in context.WithValue() to satisfy golint
-// https://github.com/golang/go/issues/17293
-// https://github.com/golang/lint/pull/245
-type CtxKey int
diff --git a/vendor/github.com/theupdateframework/notary/passphrase/passphrase.go b/vendor/github.com/theupdateframework/notary/passphrase/passphrase.go
deleted file mode 100644
index 38bc568c..00000000
--- a/vendor/github.com/theupdateframework/notary/passphrase/passphrase.go
+++ /dev/null
@@ -1,210 +0,0 @@
-// Package passphrase is a utility function for managing passphrase
-// for TUF and Notary keys.
-package passphrase
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/theupdateframework/notary"
-	"golang.org/x/term"
-)
-
-const (
-	idBytesToDisplay            = 7
-	tufRootAlias                = "root"
-	tufRootKeyGenerationWarning = `You are about to create a new root signing key passphrase. This passphrase
-will be used to protect the most sensitive key in your signing system. Please
-choose a long, complex passphrase and be careful to keep the password and the
-key file itself secure and backed up. It is highly recommended that you use a
-password manager to generate the passphrase and keep it safe. There will be no
-way to recover this key. You can find the key in your config directory.`
-)
-
-var (
-	// ErrTooShort is returned if the passphrase entered for a new key is
-	// below the minimum length
-	ErrTooShort = errors.New("Passphrase too short")
-
-	// ErrDontMatch is returned if the two entered passphrases don't match.
-	// new key is below the minimum length
-	ErrDontMatch = errors.New("The entered passphrases do not match")
-
-	// ErrTooManyAttempts is returned if the maximum number of passphrase
-	// entry attempts is reached.
-	ErrTooManyAttempts = errors.New("Too many attempts")
-
-	// ErrNoInput is returned if we do not have a valid input method for passphrases
-	ErrNoInput = errors.New("Please either use environment variables or STDIN with a terminal to provide key passphrases")
-)
-
-// PromptRetriever returns a new Retriever which will provide a prompt on stdin
-// and stdout to retrieve a passphrase. stdin will be checked if it is a terminal,
-// else the PromptRetriever will error when attempting to retrieve a passphrase.
-// Upon successful passphrase retrievals, the passphrase will be cached such that
-// subsequent prompts will produce the same passphrase.
-func PromptRetriever() notary.PassRetriever {
-	if !term.IsTerminal(int(os.Stdin.Fd())) {
-		return func(string, string, bool, int) (string, bool, error) {
-			return "", false, ErrNoInput
-		}
-	}
-	return PromptRetrieverWithInOut(os.Stdin, os.Stdout, nil)
-}
-
-type boundRetriever struct {
-	in              io.Reader
-	out             io.Writer
-	aliasMap        map[string]string
-	passphraseCache map[string]string
-}
-
-func (br *boundRetriever) getPassphrase(keyName, alias string, createNew bool, numAttempts int) (string, bool, error) {
-	if numAttempts == 0 {
-		if alias == tufRootAlias && createNew {
-			fmt.Fprintln(br.out, tufRootKeyGenerationWarning)
-		}
-
-		if pass, ok := br.passphraseCache[alias]; ok {
-			return pass, false, nil
-		}
-	} else if !createNew { // per `if`, numAttempts > 0 if we're at this `else`
-		if numAttempts > 3 {
-			return "", true, ErrTooManyAttempts
-		}
-		fmt.Fprintln(br.out, "Passphrase incorrect. Please retry.")
-	}
-
-	// passphrase not cached and we're not aborting, get passphrase from user!
-	return br.requestPassphrase(keyName, alias, createNew, numAttempts)
-}
-
-func (br *boundRetriever) requestPassphrase(keyName, alias string, createNew bool, numAttempts int) (string, bool, error) {
-	// Figure out if we should display a different string for this alias
-	displayAlias := alias
-	if val, ok := br.aliasMap[alias]; ok {
-		displayAlias = val
-	}
-
-	indexOfLastSeparator := strings.LastIndex(keyName, string(filepath.Separator))
-	if indexOfLastSeparator == -1 {
-		indexOfLastSeparator = 0
-	}
-
-	var shortName string
-	if len(keyName) > indexOfLastSeparator+idBytesToDisplay {
-		if indexOfLastSeparator > 0 {
-			keyNamePrefix := keyName[:indexOfLastSeparator]
-			keyNameID := keyName[indexOfLastSeparator+1 : indexOfLastSeparator+idBytesToDisplay+1]
-			shortName = keyNameID + " (" + keyNamePrefix + ")"
-		} else {
-			shortName = keyName[indexOfLastSeparator : indexOfLastSeparator+idBytesToDisplay]
-		}
-	}
-
-	withID := fmt.Sprintf(" with ID %s", shortName)
-	if shortName == "" {
-		withID = ""
-	}
-
-	switch {
-	case createNew:
-		fmt.Fprintf(br.out, "Enter passphrase for new %s key%s: ", displayAlias, withID)
-	case displayAlias == "yubikey":
-		fmt.Fprintf(br.out, "Enter the %s for the attached Yubikey: ", keyName)
-	default:
-		fmt.Fprintf(br.out, "Enter passphrase for %s key%s: ", displayAlias, withID)
-	}
-
-	stdin := bufio.NewReader(br.in)
-	passphrase, err := GetPassphrase(stdin)
-	fmt.Fprintln(br.out)
-	if err != nil {
-		return "", false, err
-	}
-
-	retPass := strings.TrimSpace(string(passphrase))
-
-	if createNew {
-		err = br.verifyAndConfirmPassword(stdin, retPass, displayAlias, withID)
-		if err != nil {
-			return "", false, err
-		}
-	}
-
-	br.cachePassword(alias, retPass)
-
-	return retPass, false, nil
-}
-
-func (br *boundRetriever) verifyAndConfirmPassword(stdin *bufio.Reader, retPass, displayAlias, withID string) error {
-	if len(retPass) < 8 {
-		fmt.Fprintln(br.out, "Passphrase is too short. Please use a password manager to generate and store a good random passphrase.")
-		return ErrTooShort
-	}
-
-	fmt.Fprintf(br.out, "Repeat passphrase for new %s key%s: ", displayAlias, withID)
-
-	confirmation, err := GetPassphrase(stdin)
-	fmt.Fprintln(br.out)
-	if err != nil {
-		return err
-	}
-	confirmationStr := strings.TrimSpace(string(confirmation))
-
-	if retPass != confirmationStr {
-		fmt.Fprintln(br.out, "Passphrases do not match. Please retry.")
-		return ErrDontMatch
-	}
-	return nil
-}
-
-func (br *boundRetriever) cachePassword(alias, retPass string) {
-	br.passphraseCache[alias] = retPass
-}
-
-// PromptRetrieverWithInOut returns a new Retriever which will provide a
-// prompt using the given in and out readers. The passphrase will be cached
-// such that subsequent prompts will produce the same passphrase.
-// aliasMap can be used to specify display names for TUF key aliases. If aliasMap
-// is nil, a sensible default will be used.
-func PromptRetrieverWithInOut(in io.Reader, out io.Writer, aliasMap map[string]string) notary.PassRetriever {
-	bound := &boundRetriever{
-		in:              in,
-		out:             out,
-		aliasMap:        aliasMap,
-		passphraseCache: make(map[string]string),
-	}
-
-	return bound.getPassphrase
-}
-
-// ConstantRetriever returns a new Retriever which will return a constant string
-// as a passphrase.
-func ConstantRetriever(constantPassphrase string) notary.PassRetriever {
-	return func(k, a string, c bool, n int) (string, bool, error) {
-		return constantPassphrase, false, nil
-	}
-}
-
-// GetPassphrase get the passphrase from bufio.Reader or from terminal.
-// If typing on the terminal, we disable terminal to echo the passphrase.
-func GetPassphrase(in *bufio.Reader) ([]byte, error) {
-	var (
-		passphrase []byte
-		err        error
-	)
-
-	if term.IsTerminal(int(os.Stdin.Fd())) {
-		passphrase, err = term.ReadPassword(int(os.Stdin.Fd()))
-	} else {
-		passphrase, err = in.ReadBytes('\n')
-	}
-
-	return passphrase, err
-}
diff --git a/vendor/github.com/theupdateframework/notary/server.Dockerfile b/vendor/github.com/theupdateframework/notary/server.Dockerfile
deleted file mode 100644
index aaaea009..00000000
--- a/vendor/github.com/theupdateframework/notary/server.Dockerfile
+++ /dev/null
@@ -1,30 +0,0 @@
-FROM golang:1.14.1-alpine
-
-RUN apk add --update git gcc libc-dev
-
-ENV GO111MODULE=on
-
-ARG MIGRATE_VER=v4.6.2
-RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
-
-ENV GOFLAGS=-mod=vendor
-ENV NOTARYPKG github.com/theupdateframework/notary
-
-# Copy the local repo to the expected go path
-COPY . /go/src/${NOTARYPKG}
-
-WORKDIR /go/src/${NOTARYPKG}
-
-RUN chmod 0600 ./fixtures/database/*
-
-ENV SERVICE_NAME=notary_server
-EXPOSE 4443
-
-# Install notary-server
-RUN go install \
-    -tags pkcs11 \
-    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \
-    ${NOTARYPKG}/cmd/notary-server && apk del git gcc libc-dev && rm -rf /var/cache/apk/*
-
-ENTRYPOINT [ "notary-server" ]
-CMD [ "-config=fixtures/server-config-local.json" ]
diff --git a/vendor/github.com/theupdateframework/notary/server.minimal.Dockerfile b/vendor/github.com/theupdateframework/notary/server.minimal.Dockerfile
deleted file mode 100644
index 6fbac423..00000000
--- a/vendor/github.com/theupdateframework/notary/server.minimal.Dockerfile
+++ /dev/null
@@ -1,42 +0,0 @@
-FROM golang:1.14.1-alpine AS build-env
-
-RUN apk add --update git gcc libc-dev
-
-ENV GO111MODULE=on
-
-ARG MIGRATE_VER=v4.6.2
-RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
-
-ENV GOFLAGS=-mod=vendor
-ENV NOTARYPKG github.com/theupdateframework/notary
-
-# Copy the local repo to the expected go path
-COPY . /go/src/${NOTARYPKG}
-WORKDIR /go/src/${NOTARYPKG}
-
-# Build notary-server
-RUN go install \
-    -tags pkcs11 \
-    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \
-    ${NOTARYPKG}/cmd/notary-server
-
-
-FROM busybox:latest
-
-# the ln is for compatibility with the docker-compose.yml, making these
-# images a straight swap for the those built in the compose file.
-RUN mkdir -p /usr/bin /var/lib && ln -s /bin/env /usr/bin/env
-
-COPY --from=build-env /go/bin/notary-server /usr/bin/notary-server
-COPY --from=build-env /go/bin/migrate /usr/bin/migrate
-COPY --from=build-env /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
-COPY --from=build-env /go/src/github.com/theupdateframework/notary/migrations/ /var/lib/notary/migrations
-COPY --from=build-env /go/src/github.com/theupdateframework/notary/fixtures /var/lib/notary/fixtures
-RUN chmod 0600 /var/lib/notary/fixtures/database/*
-
-WORKDIR /var/lib/notary
-# SERVICE_NAME needed for migration script
-ENV SERVICE_NAME=notary_server
-EXPOSE 4443
-ENTRYPOINT [ "/usr/bin/notary-server" ]
-CMD [ "-config=/var/lib/notary/fixtures/server-config-local.json" ]
diff --git a/vendor/github.com/theupdateframework/notary/signer.Dockerfile b/vendor/github.com/theupdateframework/notary/signer.Dockerfile
deleted file mode 100644
index c044487b..00000000
--- a/vendor/github.com/theupdateframework/notary/signer.Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-FROM golang:1.14.1-alpine
-
-RUN apk add --update git gcc libc-dev
-
-ENV GO111MODULE=on
-
-ARG MIGRATE_VER=v4.6.2
-RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
-
-ENV GOFLAGS=-mod=vendor
-ENV NOTARYPKG github.com/theupdateframework/notary
-
-# Copy the local repo to the expected go path
-COPY . /go/src/${NOTARYPKG}
-
-WORKDIR /go/src/${NOTARYPKG}
-
-RUN chmod 0600 ./fixtures/database/*
-
-ENV SERVICE_NAME=notary_signer
-ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"
-ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"
-
-# Install notary-signer
-RUN go install \
-    -tags pkcs11 \
-    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \
-    ${NOTARYPKG}/cmd/notary-signer && apk del git gcc libc-dev && rm -rf /var/cache/apk/*
-
-ENTRYPOINT [ "notary-signer" ]
-CMD [ "-config=fixtures/signer-config-local.json" ]
diff --git a/vendor/github.com/theupdateframework/notary/signer.minimal.Dockerfile b/vendor/github.com/theupdateframework/notary/signer.minimal.Dockerfile
deleted file mode 100644
index b5700255..00000000
--- a/vendor/github.com/theupdateframework/notary/signer.minimal.Dockerfile
+++ /dev/null
@@ -1,44 +0,0 @@
-FROM golang:1.14.1-alpine AS build-env
-
-RUN apk add --update git gcc libc-dev
-
-ENV GO111MODULE=on
-
-ARG MIGRATE_VER=v4.6.2
-RUN go get -tags 'mysql postgres file' github.com/golang-migrate/migrate/v4/cli@${MIGRATE_VER} && mv /go/bin/cli /go/bin/migrate
-
-ENV GOFLAGS=-mod=vendor
-ENV NOTARYPKG github.com/theupdateframework/notary
-
-# Copy the local repo to the expected go path
-COPY . /go/src/${NOTARYPKG}
-WORKDIR /go/src/${NOTARYPKG}
-
-# Build notary-signer
-RUN go install \
-    -tags pkcs11 \
-    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \
-    ${NOTARYPKG}/cmd/notary-signer
-
-
-FROM busybox:latest
-
-# the ln is for compatibility with the docker-compose.yml, making these
-# images a straight swap for the those built in the compose file.
-RUN mkdir -p /usr/bin /var/lib && ln -s /bin/env /usr/bin/env
-
-COPY --from=build-env /go/bin/notary-signer /usr/bin/notary-signer
-COPY --from=build-env /go/bin/migrate /usr/bin/migrate
-COPY --from=build-env /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
-COPY --from=build-env /go/src/github.com/theupdateframework/notary/migrations/ /var/lib/notary/migrations
-COPY --from=build-env /go/src/github.com/theupdateframework/notary/fixtures /var/lib/notary/fixtures
-RUN chmod 0600 /var/lib/notary/fixtures/database/*
-
-WORKDIR /var/lib/notary
-# SERVICE_NAME needed for migration script
-ENV SERVICE_NAME=notary_signer
-ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"
-ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"
-
-ENTRYPOINT [ "/usr/bin/notary-signer" ]
-CMD [ "-config=/var/lib/notary/fixtures/signer-config-local.json" ]
diff --git a/vendor/github.com/theupdateframework/notary/storage/errors.go b/vendor/github.com/theupdateframework/notary/storage/errors.go
deleted file mode 100644
index 2c7b8764..00000000
--- a/vendor/github.com/theupdateframework/notary/storage/errors.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package storage
-
-import (
-	"errors"
-	"fmt"
-)
-
-var (
-	// ErrPathOutsideStore indicates that the returned path would be
-	// outside the store
-	ErrPathOutsideStore = errors.New("path outside file store")
-)
-
-// ErrMetaNotFound indicates we did not find a particular piece
-// of metadata in the store
-type ErrMetaNotFound struct {
-	Resource string
-}
-
-func (err ErrMetaNotFound) Error() string {
-	return fmt.Sprintf("%s trust data unavailable.  Has a notary repository been initialized?", err.Resource)
-}
diff --git a/vendor/github.com/theupdateframework/notary/storage/filestore.go b/vendor/github.com/theupdateframework/notary/storage/filestore.go
deleted file mode 100644
index fb91b3ea..00000000
--- a/vendor/github.com/theupdateframework/notary/storage/filestore.go
+++ /dev/null
@@ -1,278 +0,0 @@
-package storage
-
-import (
-	"bytes"
-	"encoding/pem"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-)
-
-// NewFileStore creates a fully configurable file store
-func NewFileStore(baseDir, fileExt string) (*FilesystemStore, error) {
-	baseDir = filepath.Clean(baseDir)
-	if err := createDirectory(baseDir, notary.PrivExecPerms); err != nil {
-		return nil, err
-	}
-	if !strings.HasPrefix(fileExt, ".") {
-		fileExt = "." + fileExt
-	}
-
-	return &FilesystemStore{
-		baseDir: baseDir,
-		ext:     fileExt,
-	}, nil
-}
-
-// NewPrivateKeyFileStorage initializes a new filestore for private keys, appending
-// the notary.PrivDir to the baseDir.
-func NewPrivateKeyFileStorage(baseDir, fileExt string) (*FilesystemStore, error) {
-	baseDir = filepath.Join(baseDir, notary.PrivDir)
-	myStore, err := NewFileStore(baseDir, fileExt)
-	myStore.migrateTo0Dot4()
-	return myStore, err
-}
-
-// NewPrivateSimpleFileStore is a wrapper to create an owner readable/writeable
-// _only_ filestore
-func NewPrivateSimpleFileStore(baseDir, fileExt string) (*FilesystemStore, error) {
-	return NewFileStore(baseDir, fileExt)
-}
-
-// FilesystemStore is a store in a locally accessible directory
-type FilesystemStore struct {
-	baseDir string
-	ext     string
-}
-
-func (f *FilesystemStore) moveKeyTo0Dot4Location(file string) {
-	keyID := filepath.Base(file)
-	fileDir := filepath.Dir(file)
-	d, _ := f.Get(file)
-	block, _ := pem.Decode(d)
-	if block == nil {
-		logrus.Warn("Key data for", file, "could not be decoded as a valid PEM block. The key will not been migrated and may not be available")
-		return
-	}
-	fileDir = strings.TrimPrefix(fileDir, notary.RootKeysSubdir)
-	fileDir = strings.TrimPrefix(fileDir, notary.NonRootKeysSubdir)
-	if fileDir != "" {
-		block.Headers["gun"] = filepath.ToSlash(fileDir[1:])
-	}
-	if strings.Contains(keyID, "_") {
-		role := strings.Split(keyID, "_")[1]
-		keyID = strings.TrimSuffix(keyID, "_"+role)
-		block.Headers["role"] = role
-	}
-	var keyPEM bytes.Buffer
-	// since block came from decoding the PEM bytes in the first place, and all we're doing is adding some headers we ignore the possibility of an error while encoding the block
-	pem.Encode(&keyPEM, block)
-	f.Set(keyID, keyPEM.Bytes())
-}
-
-func (f *FilesystemStore) migrateTo0Dot4() {
-	rootKeysSubDir := filepath.Clean(filepath.Join(f.Location(), notary.RootKeysSubdir))
-	nonRootKeysSubDir := filepath.Clean(filepath.Join(f.Location(), notary.NonRootKeysSubdir))
-	if _, err := os.Stat(rootKeysSubDir); !os.IsNotExist(err) && f.Location() != rootKeysSubDir {
-		if rootKeysSubDir == "" || rootKeysSubDir == "/" {
-			// making sure we don't remove a user's homedir
-			logrus.Warn("The directory for root keys is an unsafe value, we are not going to delete the directory. Please delete it manually")
-		} else {
-			// root_keys exists, migrate things from it
-			listOnlyRootKeysDirStore, _ := NewFileStore(rootKeysSubDir, f.ext)
-			for _, file := range listOnlyRootKeysDirStore.ListFiles() {
-				f.moveKeyTo0Dot4Location(filepath.Join(notary.RootKeysSubdir, file))
-			}
-			// delete the old directory
-			os.RemoveAll(rootKeysSubDir)
-		}
-	}
-
-	if _, err := os.Stat(nonRootKeysSubDir); !os.IsNotExist(err) && f.Location() != nonRootKeysSubDir {
-		if nonRootKeysSubDir == "" || nonRootKeysSubDir == "/" {
-			// making sure we don't remove a user's homedir
-			logrus.Warn("The directory for non root keys is an unsafe value, we are not going to delete the directory. Please delete it manually")
-		} else {
-			// tuf_keys exists, migrate things from it
-			listOnlyNonRootKeysDirStore, _ := NewFileStore(nonRootKeysSubDir, f.ext)
-			for _, file := range listOnlyNonRootKeysDirStore.ListFiles() {
-				f.moveKeyTo0Dot4Location(filepath.Join(notary.NonRootKeysSubdir, file))
-			}
-			// delete the old directory
-			os.RemoveAll(nonRootKeysSubDir)
-		}
-	}
-
-	// if we have a trusted_certificates folder, let's delete for a complete migration since it is unused by new clients
-	certsSubDir := filepath.Join(f.Location(), "trusted_certificates")
-	if certsSubDir == "" || certsSubDir == "/" {
-		logrus.Warn("The directory for trusted certificate is an unsafe value, we are not going to delete the directory. Please delete it manually")
-	} else {
-		os.RemoveAll(certsSubDir)
-	}
-}
-
-func (f *FilesystemStore) getPath(name string) (string, error) {
-	fileName := fmt.Sprintf("%s%s", name, f.ext)
-	fullPath := filepath.Join(f.baseDir, fileName)
-
-	if !strings.HasPrefix(fullPath, f.baseDir) {
-		return "", ErrPathOutsideStore
-	}
-	return fullPath, nil
-}
-
-// GetSized returns the meta for the given name (a role) up to size bytes
-// If size is "NoSizeLimit", this corresponds to "infinite," but we cut off at a
-// predefined threshold "notary.MaxDownloadSize". If the file is larger than size
-// we return ErrMaliciousServer for consistency with the HTTPStore
-func (f *FilesystemStore) GetSized(name string, size int64) ([]byte, error) {
-	p, err := f.getPath(name)
-	if err != nil {
-		return nil, err
-	}
-	file, err := os.Open(p)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = ErrMetaNotFound{Resource: name}
-		}
-		return nil, err
-	}
-	defer func() {
-		_ = file.Close()
-	}()
-
-	if size == NoSizeLimit {
-		size = notary.MaxDownloadSize
-	}
-
-	stat, err := file.Stat()
-	if err != nil {
-		return nil, err
-	}
-	if stat.Size() > size {
-		return nil, ErrMaliciousServer{}
-	}
-
-	l := io.LimitReader(file, size)
-	return ioutil.ReadAll(l)
-}
-
-// Get returns the meta for the given name.
-func (f *FilesystemStore) Get(name string) ([]byte, error) {
-	p, err := f.getPath(name)
-	if err != nil {
-		return nil, err
-	}
-	meta, err := ioutil.ReadFile(p)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = ErrMetaNotFound{Resource: name}
-		}
-		return nil, err
-	}
-	return meta, nil
-}
-
-// SetMulti sets the metadata for multiple roles in one operation
-func (f *FilesystemStore) SetMulti(metas map[string][]byte) error {
-	for role, blob := range metas {
-		err := f.Set(role, blob)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// Set sets the meta for a single role
-func (f *FilesystemStore) Set(name string, meta []byte) error {
-	fp, err := f.getPath(name)
-	if err != nil {
-		return err
-	}
-
-	// Ensures the parent directories of the file we are about to write exist
-	err = os.MkdirAll(filepath.Dir(fp), notary.PrivExecPerms)
-	if err != nil {
-		return err
-	}
-
-	// if something already exists, just delete it and re-write it
-	os.RemoveAll(fp)
-
-	// Write the file to disk
-	return ioutil.WriteFile(fp, meta, notary.PrivNoExecPerms)
-}
-
-// RemoveAll clears the existing filestore by removing its base directory
-func (f *FilesystemStore) RemoveAll() error {
-	return os.RemoveAll(f.baseDir)
-}
-
-// Remove removes the metadata for a single role - if the metadata doesn't
-// exist, no error is returned
-func (f *FilesystemStore) Remove(name string) error {
-	p, err := f.getPath(name)
-	if err != nil {
-		return err
-	}
-	return os.RemoveAll(p) // RemoveAll succeeds if path doesn't exist
-}
-
-// Location returns a human readable name for the storage location
-func (f FilesystemStore) Location() string {
-	return f.baseDir
-}
-
-// ListFiles returns a list of all the filenames that can be used with Get*
-// to retrieve content from this filestore
-func (f FilesystemStore) ListFiles() []string {
-	files := make([]string, 0, 0)
-	filepath.Walk(f.baseDir, func(fp string, fi os.FileInfo, err error) error {
-		// If there are errors, ignore this particular file
-		if err != nil {
-			return nil
-		}
-		// Ignore if it is a directory
-		if fi.IsDir() {
-			return nil
-		}
-
-		// If this is a symlink, ignore it
-		if fi.Mode()&os.ModeSymlink == os.ModeSymlink {
-			return nil
-		}
-
-		// Only allow matches that end with our certificate extension (e.g. *.crt)
-		matched, _ := filepath.Match("*"+f.ext, fi.Name())
-
-		if matched {
-			// Find the relative path for this file relative to the base path.
-			fp, err = filepath.Rel(f.baseDir, fp)
-			if err != nil {
-				return err
-			}
-			trimmed := strings.TrimSuffix(fp, f.ext)
-			files = append(files, trimmed)
-		}
-		return nil
-	})
-	return files
-}
-
-// createDirectory receives a string of the path to a directory.
-// It does not support passing files, so the caller has to remove
-// the filename by doing filepath.Dir(full_path_to_file)
-func createDirectory(dir string, perms os.FileMode) error {
-	// This prevents someone passing /path/to/dir and 'dir' not being created
-	// If two '//' exist, MkdirAll deals it with correctly
-	dir = dir + "/"
-	return os.MkdirAll(dir, perms)
-}
diff --git a/vendor/github.com/theupdateframework/notary/storage/httpstore.go b/vendor/github.com/theupdateframework/notary/storage/httpstore.go
deleted file mode 100644
index 3f81f0ab..00000000
--- a/vendor/github.com/theupdateframework/notary/storage/httpstore.go
+++ /dev/null
@@ -1,379 +0,0 @@
-// A Store that can fetch and set metadata on a remote server.
-// Some API constraints:
-// - Response bodies for error codes should be unmarshallable as:
-//   {"errors": [{..., "detail": <serialized validation error>}]}
-//   else validation error details, etc. will be unparsable.  The errors
-//   should have a github.com/theupdateframework/notary/tuf/validation/SerializableError
-//   in the Details field.
-//   If writing your own server, please have a look at
-//   github.com/docker/distribution/registry/api/errcode
-
-package storage
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"mime/multipart"
-	"net/http"
-	"net/url"
-	"path"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/validation"
-)
-
-const (
-	// MaxErrorResponseSize is the maximum size for an error message - 1KiB
-	MaxErrorResponseSize int64 = 1 << 10
-	// MaxKeySize is the maximum size for a stored TUF key - 256KiB
-	MaxKeySize = 256 << 10
-)
-
-// ErrServerUnavailable indicates an error from the server. code allows us to
-// populate the http error we received
-type ErrServerUnavailable struct {
-	code int
-}
-
-// NetworkError represents any kind of network error when attempting to make a request
-type NetworkError struct {
-	Wrapped error
-}
-
-func (n NetworkError) Error() string {
-	if _, ok := n.Wrapped.(*url.Error); ok {
-		// QueryUnescape does the inverse transformation of QueryEscape,
-		// converting %AB into the byte 0xAB and '+' into ' ' (space).
-		// It returns an error if any % is not followed by two hexadecimal digits.
-		//
-		// If this happens, we log out the QueryUnescape error and return the
-		// original error to client.
-		res, err := url.QueryUnescape(n.Wrapped.Error())
-		if err != nil {
-			logrus.Errorf("unescape network error message failed: %s", err)
-			return n.Wrapped.Error()
-		}
-		return res
-	}
-
-	return n.Wrapped.Error()
-}
-
-func (err ErrServerUnavailable) Error() string {
-	if err.code == 401 {
-		return fmt.Sprintf("you are not authorized to perform this operation: server returned 401.")
-	}
-	return fmt.Sprintf("unable to reach trust server at this time: %d.", err.code)
-}
-
-// ErrMaliciousServer indicates the server returned a response that is highly suspected
-// of being malicious. i.e. it attempted to send us more data than the known size of a
-// particular role metadata.
-type ErrMaliciousServer struct{}
-
-func (err ErrMaliciousServer) Error() string {
-	return "trust server returned a bad response."
-}
-
-// ErrInvalidOperation indicates that the server returned a 400 response and
-// propagate any body we received.
-type ErrInvalidOperation struct {
-	msg string
-}
-
-func (err ErrInvalidOperation) Error() string {
-	if err.msg != "" {
-		return fmt.Sprintf("trust server rejected operation: %s", err.msg)
-	}
-	return "trust server rejected operation."
-}
-
-// HTTPStore manages pulling and pushing metadata from and to a remote
-// service over HTTP. It assumes the URL structure of the remote service
-// maps identically to the structure of the TUF repo:
-// <baseURL>/<metaPrefix>/(root|targets|snapshot|timestamp).json
-// <baseURL>/<targetsPrefix>/foo.sh
-//
-// If consistent snapshots are disabled, it is advised that caching is not
-// enabled. Simple set a cachePath (and ensure it's writeable) to enable
-// caching.
-type HTTPStore struct {
-	baseURL       url.URL
-	metaPrefix    string
-	metaExtension string
-	keyExtension  string
-	roundTrip     http.RoundTripper
-}
-
-// NewNotaryServerStore returns a new HTTPStore against a URL which should represent a notary
-// server
-func NewNotaryServerStore(serverURL string, gun data.GUN, roundTrip http.RoundTripper) (RemoteStore, error) {
-	return NewHTTPStore(
-		serverURL+"/v2/"+gun.String()+"/_trust/tuf/",
-		"",
-		"json",
-		"key",
-		roundTrip,
-	)
-}
-
-// NewHTTPStore initializes a new store against a URL and a number of configuration options.
-//
-// In case of a nil `roundTrip`, a default offline store is used instead.
-func NewHTTPStore(baseURL, metaPrefix, metaExtension, keyExtension string, roundTrip http.RoundTripper) (RemoteStore, error) {
-	base, err := url.Parse(baseURL)
-	if err != nil {
-		return nil, err
-	}
-	if !base.IsAbs() {
-		return nil, errors.New("HTTPStore requires an absolute baseURL")
-	}
-	if roundTrip == nil {
-		return &OfflineStore{}, nil
-	}
-	return &HTTPStore{
-		baseURL:       *base,
-		metaPrefix:    metaPrefix,
-		metaExtension: metaExtension,
-		keyExtension:  keyExtension,
-		roundTrip:     roundTrip,
-	}, nil
-}
-
-func tryUnmarshalError(resp *http.Response, defaultError error) error {
-	b := io.LimitReader(resp.Body, MaxErrorResponseSize)
-	bodyBytes, err := ioutil.ReadAll(b)
-	if err != nil {
-		return defaultError
-	}
-	var parsedErrors struct {
-		Errors []struct {
-			Detail validation.SerializableError `json:"detail"`
-		} `json:"errors"`
-	}
-	if err := json.Unmarshal(bodyBytes, &parsedErrors); err != nil {
-		return defaultError
-	}
-	if len(parsedErrors.Errors) != 1 {
-		return defaultError
-	}
-	err = parsedErrors.Errors[0].Detail.Error
-	if err == nil {
-		return defaultError
-	}
-	return err
-}
-
-func translateStatusToError(resp *http.Response, resource string) error {
-	switch resp.StatusCode {
-	case http.StatusOK:
-		return nil
-	case http.StatusNotFound:
-		return ErrMetaNotFound{Resource: resource}
-	case http.StatusBadRequest:
-		return tryUnmarshalError(resp, ErrInvalidOperation{})
-	default:
-		return ErrServerUnavailable{code: resp.StatusCode}
-	}
-}
-
-// GetSized downloads the named meta file with the given size. A short body
-// is acceptable because in the case of timestamp.json, the size is a cap,
-// not an exact length.
-// If size is "NoSizeLimit", this corresponds to "infinite," but we cut off at a
-// predefined threshold "notary.MaxDownloadSize".
-func (s HTTPStore) GetSized(name string, size int64) ([]byte, error) {
-	url, err := s.buildMetaURL(name)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("GET", url.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return nil, NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	if err := translateStatusToError(resp, name); err != nil {
-		logrus.Debugf("received HTTP status %d when requesting %s.", resp.StatusCode, name)
-		return nil, err
-	}
-	if size == NoSizeLimit {
-		size = notary.MaxDownloadSize
-	}
-	if resp.ContentLength > size {
-		return nil, ErrMaliciousServer{}
-	}
-	logrus.Debugf("%d when retrieving metadata for %s", resp.StatusCode, name)
-	b := io.LimitReader(resp.Body, size)
-	body, err := ioutil.ReadAll(b)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}
-
-// Set sends a single piece of metadata to the TUF server
-func (s HTTPStore) Set(name string, blob []byte) error {
-	return s.SetMulti(map[string][]byte{name: blob})
-}
-
-// Remove always fails, because we should never be able to delete metadata
-// remotely
-func (s HTTPStore) Remove(name string) error {
-	return ErrInvalidOperation{msg: "cannot delete individual metadata files"}
-}
-
-// NewMultiPartMetaRequest builds a request with the provided metadata updates
-// in multipart form
-func NewMultiPartMetaRequest(url string, metas map[string][]byte) (*http.Request, error) {
-	body := &bytes.Buffer{}
-	writer := multipart.NewWriter(body)
-	for role, blob := range metas {
-		part, err := writer.CreateFormFile("files", role)
-		if err != nil {
-			return nil, err
-		}
-		_, err = io.Copy(part, bytes.NewBuffer(blob))
-		if err != nil {
-			return nil, err
-		}
-	}
-	err := writer.Close()
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("POST", url, body)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Content-Type", writer.FormDataContentType())
-	return req, nil
-}
-
-// SetMulti does a single batch upload of multiple pieces of TUF metadata.
-// This should be preferred for updating a remote server as it enable the server
-// to remain consistent, either accepting or rejecting the complete update.
-func (s HTTPStore) SetMulti(metas map[string][]byte) error {
-	url, err := s.buildMetaURL("")
-	if err != nil {
-		return err
-	}
-	req, err := NewMultiPartMetaRequest(url.String(), metas)
-	if err != nil {
-		return err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	// if this 404's something is pretty wrong
-	return translateStatusToError(resp, "POST metadata endpoint")
-}
-
-// RemoveAll will attempt to delete all TUF metadata for a GUN
-func (s HTTPStore) RemoveAll() error {
-	url, err := s.buildMetaURL("")
-	if err != nil {
-		return err
-	}
-	req, err := http.NewRequest("DELETE", url.String(), nil)
-	if err != nil {
-		return err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	return translateStatusToError(resp, "DELETE metadata for GUN endpoint")
-}
-
-func (s HTTPStore) buildMetaURL(name string) (*url.URL, error) {
-	var filename string
-	if name != "" {
-		filename = fmt.Sprintf("%s.%s", name, s.metaExtension)
-	}
-	uri := path.Join(s.metaPrefix, filename)
-	return s.buildURL(uri)
-}
-
-func (s HTTPStore) buildKeyURL(name data.RoleName) (*url.URL, error) {
-	filename := fmt.Sprintf("%s.%s", name.String(), s.keyExtension)
-	uri := path.Join(s.metaPrefix, filename)
-	return s.buildURL(uri)
-}
-
-func (s HTTPStore) buildURL(uri string) (*url.URL, error) {
-	sub, err := url.Parse(uri)
-	if err != nil {
-		return nil, err
-	}
-	return s.baseURL.ResolveReference(sub), nil
-}
-
-// GetKey retrieves a public key from the remote server
-func (s HTTPStore) GetKey(role data.RoleName) ([]byte, error) {
-	url, err := s.buildKeyURL(role)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("GET", url.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return nil, NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	if err := translateStatusToError(resp, role.String()+" key"); err != nil {
-		return nil, err
-	}
-	b := io.LimitReader(resp.Body, MaxKeySize)
-	body, err := ioutil.ReadAll(b)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}
-
-// RotateKey rotates a private key and returns the public component from the remote server
-func (s HTTPStore) RotateKey(role data.RoleName) ([]byte, error) {
-	url, err := s.buildKeyURL(role)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("POST", url.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return nil, NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	if err := translateStatusToError(resp, role.String()+" key"); err != nil {
-		return nil, err
-	}
-	b := io.LimitReader(resp.Body, MaxKeySize)
-	body, err := ioutil.ReadAll(b)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}
-
-// Location returns a human readable name for the storage location
-func (s HTTPStore) Location() string {
-	return s.baseURL.Host
-}
diff --git a/vendor/github.com/theupdateframework/notary/storage/interfaces.go b/vendor/github.com/theupdateframework/notary/storage/interfaces.go
deleted file mode 100644
index 4cbd6981..00000000
--- a/vendor/github.com/theupdateframework/notary/storage/interfaces.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package storage
-
-import (
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// NoSizeLimit is represented as -1 for arguments to GetMeta
-const NoSizeLimit int64 = -1
-
-// MetadataStore must be implemented by anything that intends to interact
-// with a store of TUF files
-type MetadataStore interface {
-	GetSized(name string, size int64) ([]byte, error)
-	Set(name string, blob []byte) error
-	SetMulti(map[string][]byte) error
-	RemoveAll() error
-	Remove(name string) error
-	Location() string
-}
-
-// PublicKeyStore must be implemented by a key service
-type PublicKeyStore interface {
-	GetKey(role data.RoleName) ([]byte, error)
-	RotateKey(role data.RoleName) ([]byte, error)
-}
-
-// RemoteStore is similar to LocalStore with the added expectation that it should
-// provide a way to download targets once located
-type RemoteStore interface {
-	MetadataStore
-	PublicKeyStore
-}
-
-// Bootstrapper is a thing that can set itself up
-type Bootstrapper interface {
-	// Bootstrap instructs a configured Bootstrapper to perform
-	// its setup operations.
-	Bootstrap() error
-}
diff --git a/vendor/github.com/theupdateframework/notary/storage/memorystore.go b/vendor/github.com/theupdateframework/notary/storage/memorystore.go
deleted file mode 100644
index 0c92c699..00000000
--- a/vendor/github.com/theupdateframework/notary/storage/memorystore.go
+++ /dev/null
@@ -1,137 +0,0 @@
-package storage
-
-import (
-	"crypto/sha256"
-	"encoding/json"
-	"fmt"
-
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// NewMemoryStore returns a MetadataStore that operates entirely in memory.
-// Very useful for testing
-func NewMemoryStore(seed map[data.RoleName][]byte) *MemoryStore {
-	var (
-		consistent = make(map[string][]byte)
-		initial    = make(map[string][]byte)
-	)
-	// add all seed meta to consistent
-	for name, d := range seed {
-		checksum := sha256.Sum256(d)
-		path := utils.ConsistentName(name.String(), checksum[:])
-		initial[name.String()] = d
-		consistent[path] = d
-	}
-
-	return &MemoryStore{
-		data:       initial,
-		consistent: consistent,
-	}
-}
-
-// MemoryStore implements a mock RemoteStore entirely in memory.
-// For testing purposes only.
-type MemoryStore struct {
-	data       map[string][]byte
-	consistent map[string][]byte
-}
-
-// GetSized returns up to size bytes of data references by name.
-// If size is "NoSizeLimit", this corresponds to "infinite," but we cut off at a
-// predefined threshold "notary.MaxDownloadSize", as we will always know the
-// size for everything but a timestamp and sometimes a root,
-// neither of which should be exceptionally large
-func (m MemoryStore) GetSized(name string, size int64) ([]byte, error) {
-	d, ok := m.data[name]
-	if ok {
-		if size == NoSizeLimit {
-			size = notary.MaxDownloadSize
-		}
-		if int64(len(d)) < size {
-			return d, nil
-		}
-		return d[:size], nil
-	}
-	d, ok = m.consistent[name]
-	if ok {
-		if int64(len(d)) < size {
-			return d, nil
-		}
-		return d[:size], nil
-	}
-	return nil, ErrMetaNotFound{Resource: name}
-}
-
-// Get returns the data associated with name
-func (m MemoryStore) Get(name string) ([]byte, error) {
-	if d, ok := m.data[name]; ok {
-		return d, nil
-	}
-	if d, ok := m.consistent[name]; ok {
-		return d, nil
-	}
-	return nil, ErrMetaNotFound{Resource: name}
-}
-
-// Set sets the metadata value for the given name
-func (m *MemoryStore) Set(name string, meta []byte) error {
-	m.data[name] = meta
-
-	parsedMeta := &data.SignedMeta{}
-	err := json.Unmarshal(meta, parsedMeta)
-	if err == nil {
-		// no parse error means this is metadata and not a key, so store by version
-		version := parsedMeta.Signed.Version
-		versionedName := fmt.Sprintf("%d.%s", version, name)
-		m.data[versionedName] = meta
-	}
-
-	checksum := sha256.Sum256(meta)
-	path := utils.ConsistentName(name, checksum[:])
-	m.consistent[path] = meta
-	return nil
-}
-
-// SetMulti sets multiple pieces of metadata for multiple names
-// in a single operation.
-func (m *MemoryStore) SetMulti(metas map[string][]byte) error {
-	for role, blob := range metas {
-		m.Set(role, blob)
-	}
-	return nil
-}
-
-// Remove removes the metadata for a single role - if the metadata doesn't
-// exist, no error is returned
-func (m *MemoryStore) Remove(name string) error {
-	if meta, ok := m.data[name]; ok {
-		checksum := sha256.Sum256(meta)
-		path := utils.ConsistentName(name, checksum[:])
-		delete(m.data, name)
-		delete(m.consistent, path)
-	}
-	return nil
-}
-
-// RemoveAll clears the existing memory store by setting this store as new empty one
-func (m *MemoryStore) RemoveAll() error {
-	*m = *NewMemoryStore(nil)
-	return nil
-}
-
-// Location provides a human readable name for the storage location
-func (m MemoryStore) Location() string {
-	return "memory"
-}
-
-// ListFiles returns a list of all files. The names returned should be
-// usable with Get directly, with no modification.
-func (m *MemoryStore) ListFiles() []string {
-	names := make([]string, 0, len(m.data))
-	for n := range m.data {
-		names = append(names, n)
-	}
-	return names
-}
diff --git a/vendor/github.com/theupdateframework/notary/storage/offlinestore.go b/vendor/github.com/theupdateframework/notary/storage/offlinestore.go
deleted file mode 100644
index c5062ae6..00000000
--- a/vendor/github.com/theupdateframework/notary/storage/offlinestore.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package storage
-
-import (
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// ErrOffline is used to indicate we are operating offline
-type ErrOffline struct{}
-
-func (e ErrOffline) Error() string {
-	return "client is offline"
-}
-
-var err = ErrOffline{}
-
-// OfflineStore is to be used as a placeholder for a nil store. It simply
-// returns ErrOffline for every operation
-type OfflineStore struct{}
-
-// GetSized returns ErrOffline
-func (es OfflineStore) GetSized(name string, size int64) ([]byte, error) {
-	return nil, err
-}
-
-// Set returns ErrOffline
-func (es OfflineStore) Set(name string, blob []byte) error {
-	return err
-}
-
-// SetMulti returns ErrOffline
-func (es OfflineStore) SetMulti(map[string][]byte) error {
-	return err
-}
-
-// Remove returns ErrOffline
-func (es OfflineStore) Remove(name string) error {
-	return err
-}
-
-// GetKey returns ErrOffline
-func (es OfflineStore) GetKey(role data.RoleName) ([]byte, error) {
-	return nil, err
-}
-
-// RotateKey returns ErrOffline
-func (es OfflineStore) RotateKey(role data.RoleName) ([]byte, error) {
-	return nil, err
-}
-
-// RemoveAll return ErrOffline
-func (es OfflineStore) RemoveAll() error {
-	return err
-}
-
-// Location returns a human readable name for the storage location
-func (es OfflineStore) Location() string {
-	return "offline"
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/errors.go b/vendor/github.com/theupdateframework/notary/trustmanager/errors.go
deleted file mode 100644
index adfcb31b..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/errors.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package trustmanager
-
-import "fmt"
-
-// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key
-type ErrAttemptsExceeded struct{}
-
-// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key
-func (err ErrAttemptsExceeded) Error() string {
-	return "maximum number of passphrase attempts exceeded"
-}
-
-// ErrPasswordInvalid is returned when signing fails. It could also mean the signing
-// key file was corrupted, but we have no way to distinguish.
-type ErrPasswordInvalid struct{}
-
-// ErrPasswordInvalid is returned when signing fails. It could also mean the signing
-// key file was corrupted, but we have no way to distinguish.
-func (err ErrPasswordInvalid) Error() string {
-	return "password invalid, operation has failed."
-}
-
-// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.
-type ErrKeyNotFound struct {
-	KeyID string
-}
-
-// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.
-func (err ErrKeyNotFound) Error() string {
-	return fmt.Sprintf("signing key not found: %s", err.KeyID)
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/importLogic.md b/vendor/github.com/theupdateframework/notary/trustmanager/importLogic.md
deleted file mode 100644
index 90da0ebf..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/importLogic.md
+++ /dev/null
@@ -1,8 +0,0 @@
-###This document is intended as an overview of the logic we use for importing keys
-
-# A flowchart to detail the logic of our import function in `utils/keys.go` (`func ImportKeys`)
-
-![alt text](http://i.imgur.com/HQICWeO.png "Flowchart of key import logic")
-
-### Should this logic change, you can edit this image at `https://www.draw.io/i/HQICWeO`
-
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/interfaces.go b/vendor/github.com/theupdateframework/notary/trustmanager/interfaces.go
deleted file mode 100644
index 9925d0ff..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/interfaces.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package trustmanager
-
-import (
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// Storage implements the bare bones primitives (no hierarchy)
-type Storage interface {
-	// Add writes a file to the specified location, returning an error if this
-	// is not possible (reasons may include permissions errors). The path is cleaned
-	// before being made absolute against the store's base dir.
-	Set(fileName string, data []byte) error
-
-	// Remove deletes a file from the store relative to the store's base directory.
-	// The path is cleaned before being made absolute to ensure no path traversal
-	// outside the base directory is possible.
-	Remove(fileName string) error
-
-	// Get returns the file content found at fileName relative to the base directory
-	// of the file store. The path is cleaned before being made absolute to ensure
-	// path traversal outside the store is not possible. If the file is not found
-	// an error to that effect is returned.
-	Get(fileName string) ([]byte, error)
-
-	// ListFiles returns a list of paths relative to the base directory of the
-	// filestore. Any of these paths must be retrievable via the
-	// Storage.Get method.
-	ListFiles() []string
-
-	// Location returns a human readable name indicating where the implementer
-	// is storing keys
-	Location() string
-}
-
-// KeyInfo stores the role and gun for a corresponding private key ID
-// It is assumed that each private key ID is unique
-type KeyInfo struct {
-	Gun  data.GUN
-	Role data.RoleName
-}
-
-// KeyStore is a generic interface for private key storage
-type KeyStore interface {
-	// AddKey adds a key to the KeyStore, and if the key already exists,
-	// succeeds.  Otherwise, returns an error if it cannot add.
-	AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error
-	// Should fail with ErrKeyNotFound if the keystore is operating normally
-	// and knows that it does not store the requested key.
-	GetKey(keyID string) (data.PrivateKey, data.RoleName, error)
-	GetKeyInfo(keyID string) (KeyInfo, error)
-	ListKeys() map[string]KeyInfo
-	RemoveKey(keyID string) error
-	Name() string
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/keys.go b/vendor/github.com/theupdateframework/notary/trustmanager/keys.go
deleted file mode 100644
index 89e82a75..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/keys.go
+++ /dev/null
@@ -1,246 +0,0 @@
-package trustmanager
-
-import (
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"path/filepath"
-	"sort"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	tufdata "github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// Exporter is a simple interface for the two functions we need from the Storage interface
-type Exporter interface {
-	Get(string) ([]byte, error)
-	ListFiles() []string
-}
-
-// Importer is a simple interface for the one function we need from the Storage interface
-type Importer interface {
-	Set(string, []byte) error
-}
-
-// ExportKeysByGUN exports all keys filtered to a GUN
-func ExportKeysByGUN(to io.Writer, s Exporter, gun string) error {
-	keys := s.ListFiles()
-	sort.Strings(keys) // ensure consistency. ListFiles has no order guarantee
-	for _, loc := range keys {
-		keyFile, err := s.Get(loc)
-		if err != nil {
-			logrus.Warn("Could not parse key file at ", loc)
-			continue
-		}
-		block, _ := pem.Decode(keyFile)
-		keyGun := block.Headers["gun"]
-		if keyGun == gun { // must be full GUN match
-			if err := ExportKeys(to, s, loc); err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-// ExportKeysByID exports all keys matching the given ID
-func ExportKeysByID(to io.Writer, s Exporter, ids []string) error {
-	want := make(map[string]struct{})
-	for _, id := range ids {
-		want[id] = struct{}{}
-	}
-	keys := s.ListFiles()
-	for _, k := range keys {
-		id := filepath.Base(k)
-		if _, ok := want[id]; ok {
-			if err := ExportKeys(to, s, k); err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-// ExportKeys copies a key from the store to the io.Writer
-func ExportKeys(to io.Writer, s Exporter, from string) error {
-	// get PEM block
-	k, err := s.Get(from)
-	if err != nil {
-		return err
-	}
-
-	// parse PEM blocks if there are more than one
-	for block, rest := pem.Decode(k); block != nil; block, rest = pem.Decode(rest) {
-		// add from path in a header for later import
-		block.Headers["path"] = from
-		// write serialized PEM
-		err = pem.Encode(to, block)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// ImportKeys expects an io.Reader containing one or more PEM blocks.
-// It reads PEM blocks one at a time until pem.Decode returns a nil
-// block.
-// Each block is written to the subpath indicated in the "path" PEM
-// header. If the file already exists, the file is truncated. Multiple
-// adjacent PEMs with the same "path" header are appended together.
-func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN string, passRet notary.PassRetriever) error {
-	// importLogic.md contains a small flowchart I made to clear up my understand while writing the cases in this function
-	// it is very rough, but it may help while reading this piece of code
-	data, err := ioutil.ReadAll(from)
-	if err != nil {
-		return err
-	}
-	var (
-		writeTo   string
-		toWrite   []byte
-		errBlocks []string
-	)
-	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
-		handleLegacyPath(block)
-		setFallbacks(block, fallbackGUN, fallbackRole)
-
-		loc, err := checkValidity(block)
-		if err != nil {
-			// already logged in checkValidity
-			errBlocks = append(errBlocks, err.Error())
-			continue
-		}
-
-		// the path header is not of any use once we've imported the key so strip it away
-		delete(block.Headers, "path")
-
-		// we are now all set for import but let's first encrypt the key
-		blockBytes := pem.EncodeToMemory(block)
-		// check if key is encrypted, note: if it is encrypted at this point, it will have had a path header
-		if privKey, err := utils.ParsePEMPrivateKey(blockBytes, ""); err == nil {
-			// Key is not encrypted- ask for a passphrase and encrypt this key
-			var chosenPassphrase string
-			for attempts := 0; ; attempts++ {
-				var giveup bool
-				chosenPassphrase, giveup, err = passRet(loc, block.Headers["role"], true, attempts)
-				if err == nil {
-					break
-				}
-				if giveup || attempts > 10 {
-					return errors.New("maximum number of passphrase attempts exceeded")
-				}
-			}
-			blockBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, tufdata.RoleName(block.Headers["role"]), tufdata.GUN(block.Headers["gun"]), chosenPassphrase)
-			if err != nil {
-				return errors.New("failed to encrypt key with given passphrase")
-			}
-		}
-
-		if loc != writeTo {
-			// next location is different from previous one. We've finished aggregating
-			// data for the previous file. If we have data, write the previous file,
-			// clear toWrite and set writeTo to the next path we're going to write
-			if toWrite != nil {
-				if err = importToStores(to, writeTo, toWrite); err != nil {
-					return err
-				}
-			}
-			// set up for aggregating next file's data
-			toWrite = nil
-			writeTo = loc
-		}
-
-		toWrite = append(toWrite, blockBytes...)
-	}
-	if toWrite != nil { // close out final iteration if there's data left
-		return importToStores(to, writeTo, toWrite)
-	}
-	if len(errBlocks) > 0 {
-		return fmt.Errorf("failed to import all keys: %s", strings.Join(errBlocks, ", "))
-	}
-	return nil
-}
-
-func handleLegacyPath(block *pem.Block) {
-	// if there is a legacy path then we set the gun header from this path
-	// this is the case when a user attempts to import a key bundle generated by an older client
-	if rawPath := block.Headers["path"]; rawPath != "" && rawPath != filepath.Base(rawPath) {
-		// this is a legacy filepath and we should try to deduce the gun name from it
-		pathWOFileName := filepath.Dir(rawPath)
-		if strings.HasPrefix(pathWOFileName, notary.NonRootKeysSubdir) {
-			// remove the notary keystore-specific segment of the path, and any potential leading or trailing slashes
-			gunName := strings.Trim(strings.TrimPrefix(pathWOFileName, notary.NonRootKeysSubdir), "/")
-			if gunName != "" {
-				block.Headers["gun"] = gunName
-			}
-		}
-		block.Headers["path"] = filepath.Base(rawPath)
-	}
-}
-
-func setFallbacks(block *pem.Block, fallbackGUN, fallbackRole string) {
-	if block.Headers["gun"] == "" {
-		if fallbackGUN != "" {
-			block.Headers["gun"] = fallbackGUN
-		}
-	}
-
-	if block.Headers["role"] == "" {
-		if fallbackRole == "" {
-			block.Headers["role"] = notary.DefaultImportRole
-		} else {
-			block.Headers["role"] = fallbackRole
-		}
-	}
-}
-
-// checkValidity ensures the fields in the pem headers are valid and parses out the location.
-// While importing a collection of keys, errors from this function should result in only the
-// current pem block being skipped.
-func checkValidity(block *pem.Block) (string, error) {
-	// A root key or a delegations key should not have a gun
-	// Note that a key that is not any of the canonical roles (except root) is a delegations key and should not have a gun
-	switch block.Headers["role"] {
-	case tufdata.CanonicalSnapshotRole.String(), tufdata.CanonicalTargetsRole.String(), tufdata.CanonicalTimestampRole.String():
-		// check if the key is missing a gun header or has an empty gun and error out since we don't know what gun it belongs to
-		if block.Headers["gun"] == "" {
-			logrus.Warnf("failed to import key (%s) to store: Cannot have canonical role key without a gun, don't know what gun it belongs to", block.Headers["path"])
-			return "", errors.New("invalid key pem block")
-		}
-	default:
-		delete(block.Headers, "gun")
-	}
-
-	loc, ok := block.Headers["path"]
-	// only if the path isn't specified do we get into this parsing path logic
-	if !ok || loc == "" {
-		// if the path isn't specified, we will try to infer the path rel to trust dir from the role (and then gun)
-		// parse key for the keyID which we will save it by.
-		// if the key is encrypted at this point, we will generate an error and continue since we don't know the ID to save it by
-
-		decodedKey, err := utils.ParsePEMPrivateKey(pem.EncodeToMemory(block), "")
-		if err != nil {
-			logrus.Warn("failed to import key to store: Invalid key generated, key may be encrypted and does not contain path header")
-			return "", errors.New("invalid key pem block")
-		}
-		loc = decodedKey.ID()
-	}
-	return loc, nil
-}
-
-func importToStores(to []Importer, path string, bytes []byte) error {
-	var err error
-	for _, i := range to {
-		if err = i.Set(path, bytes); err != nil {
-			logrus.Errorf("failed to import key to store: %s", err.Error())
-			continue
-		}
-		break
-	}
-	return err
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/keystore.go b/vendor/github.com/theupdateframework/notary/trustmanager/keystore.go
deleted file mode 100644
index 4383f8ed..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/keystore.go
+++ /dev/null
@@ -1,262 +0,0 @@
-package trustmanager
-
-import (
-	"fmt"
-	"path/filepath"
-	"strings"
-	"sync"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	store "github.com/theupdateframework/notary/storage"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-type keyInfoMap map[string]KeyInfo
-
-type cachedKey struct {
-	role data.RoleName
-	key  data.PrivateKey
-}
-
-// GenericKeyStore is a wrapper for Storage instances that provides
-// translation between the []byte form and Public/PrivateKey objects
-type GenericKeyStore struct {
-	store Storage
-	sync.Mutex
-	notary.PassRetriever
-	cachedKeys map[string]*cachedKey
-	keyInfoMap
-}
-
-// NewKeyFileStore returns a new KeyFileStore creating a private directory to
-// hold the keys.
-func NewKeyFileStore(baseDir string, p notary.PassRetriever) (*GenericKeyStore, error) {
-	fileStore, err := store.NewPrivateKeyFileStorage(baseDir, notary.KeyExtension)
-	if err != nil {
-		return nil, err
-	}
-	return NewGenericKeyStore(fileStore, p), nil
-}
-
-// NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory
-func NewKeyMemoryStore(p notary.PassRetriever) *GenericKeyStore {
-	memStore := store.NewMemoryStore(nil)
-	return NewGenericKeyStore(memStore, p)
-}
-
-// NewGenericKeyStore creates a GenericKeyStore wrapping the provided
-// Storage instance, using the PassRetriever to enc/decrypt keys
-func NewGenericKeyStore(s Storage, p notary.PassRetriever) *GenericKeyStore {
-	ks := GenericKeyStore{
-		store:         s,
-		PassRetriever: p,
-		cachedKeys:    make(map[string]*cachedKey),
-		keyInfoMap:    make(keyInfoMap),
-	}
-	ks.loadKeyInfo()
-	return &ks
-}
-
-func generateKeyInfoMap(s Storage) map[string]KeyInfo {
-	keyInfoMap := make(map[string]KeyInfo)
-	for _, keyPath := range s.ListFiles() {
-		d, err := s.Get(keyPath)
-		if err != nil {
-			logrus.Error(err)
-			continue
-		}
-		keyID, keyInfo, err := KeyInfoFromPEM(d, keyPath)
-		if err != nil {
-			logrus.Error(err)
-			continue
-		}
-		keyInfoMap[keyID] = keyInfo
-	}
-	return keyInfoMap
-}
-
-func (s *GenericKeyStore) loadKeyInfo() {
-	s.keyInfoMap = generateKeyInfoMap(s.store)
-}
-
-// GetKeyInfo returns the corresponding gun and role key info for a keyID
-func (s *GenericKeyStore) GetKeyInfo(keyID string) (KeyInfo, error) {
-	if info, ok := s.keyInfoMap[keyID]; ok {
-		return info, nil
-	}
-	return KeyInfo{}, fmt.Errorf("Could not find info for keyID %s", keyID)
-}
-
-// AddKey stores the contents of a PEM-encoded private key as a PEM block
-func (s *GenericKeyStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error {
-	var (
-		chosenPassphrase string
-		giveup           bool
-		err              error
-		pemPrivKey       []byte
-	)
-	s.Lock()
-	defer s.Unlock()
-	if keyInfo.Role == data.CanonicalRootRole || data.IsDelegation(keyInfo.Role) || !data.ValidRole(keyInfo.Role) {
-		keyInfo.Gun = ""
-	}
-	keyID := privKey.ID()
-	for attempts := 0; ; attempts++ {
-		chosenPassphrase, giveup, err = s.PassRetriever(keyID, keyInfo.Role.String(), true, attempts)
-		if err == nil {
-			break
-		}
-		if giveup || attempts > 10 {
-			return ErrAttemptsExceeded{}
-		}
-	}
-
-	pemPrivKey, err = utils.ConvertPrivateKeyToPKCS8(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase)
-
-	if err != nil {
-		return err
-	}
-
-	s.cachedKeys[keyID] = &cachedKey{role: keyInfo.Role, key: privKey}
-	err = s.store.Set(keyID, pemPrivKey)
-	if err != nil {
-		return err
-	}
-	s.keyInfoMap[privKey.ID()] = keyInfo
-	return nil
-}
-
-// GetKey returns the PrivateKey given a KeyID
-func (s *GenericKeyStore) GetKey(keyID string) (data.PrivateKey, data.RoleName, error) {
-	s.Lock()
-	defer s.Unlock()
-
-	cachedKeyEntry, ok := s.cachedKeys[keyID]
-	if ok {
-		return cachedKeyEntry.key, cachedKeyEntry.role, nil
-	}
-
-	role, err := getKeyRole(s.store, keyID)
-	if err != nil {
-		return nil, "", err
-	}
-
-	keyBytes, err := s.store.Get(keyID)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// See if the key is encrypted. If its encrypted we'll fail to parse the private key
-	privKey, err := utils.ParsePEMPrivateKey(keyBytes, "")
-	if err != nil {
-		privKey, _, err = GetPasswdDecryptBytes(s.PassRetriever, keyBytes, keyID, string(role))
-		if err != nil {
-			return nil, "", err
-		}
-	}
-	s.cachedKeys[keyID] = &cachedKey{role: role, key: privKey}
-	return privKey, role, nil
-}
-
-// ListKeys returns a list of unique PublicKeys present on the KeyFileStore, by returning a copy of the keyInfoMap
-func (s *GenericKeyStore) ListKeys() map[string]KeyInfo {
-	return copyKeyInfoMap(s.keyInfoMap)
-}
-
-// RemoveKey removes the key from the keyfilestore
-func (s *GenericKeyStore) RemoveKey(keyID string) error {
-	s.Lock()
-	defer s.Unlock()
-	delete(s.cachedKeys, keyID)
-
-	err := s.store.Remove(keyID)
-	if err != nil {
-		return err
-	}
-
-	delete(s.keyInfoMap, keyID)
-	return nil
-}
-
-// Name returns a user friendly name for the location this store
-// keeps its data
-func (s *GenericKeyStore) Name() string {
-	return s.store.Location()
-}
-
-// copyKeyInfoMap returns a deep copy of the passed-in keyInfoMap
-func copyKeyInfoMap(keyInfoMap map[string]KeyInfo) map[string]KeyInfo {
-	copyMap := make(map[string]KeyInfo)
-	for keyID, keyInfo := range keyInfoMap {
-		copyMap[keyID] = KeyInfo{Role: keyInfo.Role, Gun: keyInfo.Gun}
-	}
-	return copyMap
-}
-
-// KeyInfoFromPEM attempts to get a keyID and KeyInfo from the filename and PEM bytes of a key
-func KeyInfoFromPEM(pemBytes []byte, filename string) (string, KeyInfo, error) {
-	var keyID string
-	keyID = filepath.Base(filename)
-	role, gun, err := utils.ExtractPrivateKeyAttributes(pemBytes)
-	if err != nil {
-		return "", KeyInfo{}, err
-	}
-	return keyID, KeyInfo{Gun: gun, Role: role}, nil
-}
-
-// getKeyRole finds the role for the given keyID. It attempts to look
-// both in the newer format PEM headers, and also in the legacy filename
-// format. It returns: the role, and an error
-func getKeyRole(s Storage, keyID string) (data.RoleName, error) {
-	name := strings.TrimSpace(strings.TrimSuffix(filepath.Base(keyID), filepath.Ext(keyID)))
-
-	for _, file := range s.ListFiles() {
-		filename := filepath.Base(file)
-		if strings.HasPrefix(filename, name) {
-			d, err := s.Get(file)
-			if err != nil {
-				return "", err
-			}
-
-			role, _, err := utils.ExtractPrivateKeyAttributes(d)
-			if err != nil {
-				return "", err
-			}
-			return role, nil
-		}
-	}
-	return "", ErrKeyNotFound{KeyID: keyID}
-}
-
-// GetPasswdDecryptBytes gets the password to decrypt the given pem bytes.
-// Returns the password and private key
-func GetPasswdDecryptBytes(passphraseRetriever notary.PassRetriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error) {
-	var (
-		passwd  string
-		privKey data.PrivateKey
-	)
-	for attempts := 0; ; attempts++ {
-		var (
-			giveup bool
-			err    error
-		)
-		if attempts > 10 {
-			return nil, "", ErrAttemptsExceeded{}
-		}
-		passwd, giveup, err = passphraseRetriever(name, alias, false, attempts)
-		// Check if the passphrase retriever got an error or if it is telling us to give up
-		if giveup || err != nil {
-			return nil, "", ErrPasswordInvalid{}
-		}
-
-		// Try to convert PEM encoded bytes back to a PrivateKey using the passphrase
-		privKey, err = utils.ParsePEMPrivateKey(pemBytes, passwd)
-		if err == nil {
-			// We managed to parse the PrivateKey. We've succeeded!
-			break
-		}
-	}
-	return privKey, passwd, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/import.go b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/import.go
deleted file mode 100644
index 680ded28..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/import.go
+++ /dev/null
@@ -1,59 +0,0 @@
-// +build pkcs11
-
-package yubikey
-
-import (
-	"encoding/pem"
-	"errors"
-
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/trustmanager"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// YubiImport is a wrapper around the YubiStore that allows us to import private
-// keys to the yubikey
-type YubiImport struct {
-	dest          *YubiStore
-	passRetriever notary.PassRetriever
-}
-
-// NewImporter returns a wrapper for the YubiStore provided that enables importing
-// keys via the simple Set(string, []byte) interface
-func NewImporter(ys *YubiStore, ret notary.PassRetriever) *YubiImport {
-	return &YubiImport{
-		dest:          ys,
-		passRetriever: ret,
-	}
-}
-
-// Set determines if we are allowed to set the given key on the Yubikey and
-// calls through to YubiStore.AddKey if it's valid
-func (s *YubiImport) Set(name string, bytes []byte) error {
-	block, _ := pem.Decode(bytes)
-	if block == nil {
-		return errors.New("invalid PEM data, could not parse")
-	}
-	role, ok := block.Headers["role"]
-	if !ok {
-		return errors.New("no role found for key")
-	}
-	ki := trustmanager.KeyInfo{
-		// GUN is ignored by YubiStore
-		Role: data.RoleName(role),
-	}
-	privKey, err := utils.ParsePEMPrivateKey(bytes, "")
-	if err != nil {
-		privKey, _, err = trustmanager.GetPasswdDecryptBytes(
-			s.passRetriever,
-			bytes,
-			name,
-			ki.Role.String(),
-		)
-		if err != nil {
-			return err
-		}
-	}
-	return s.dest.AddKey(ki, privKey)
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/non_pkcs11.go b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/non_pkcs11.go
deleted file mode 100644
index 77c07e6f..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/non_pkcs11.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// go list ./... and go test ./... will not pick up this package without this
-// file, because go ? ./... does not honor build tags.
-
-// e.g. "go list -tags pkcs11 ./..." will not list this package if all the
-// files in it have a build tag.
-
-// See https://github.com/golang/go/issues/11246
-
-package yubikey
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_darwin.go b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_darwin.go
deleted file mode 100644
index f399dff3..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_darwin.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// +build pkcs11,darwin
-
-package yubikey
-
-var possiblePkcs11Libs = []string{
-	"/usr/local/lib/libykcs11.dylib",
-	"/usr/local/docker/lib/libykcs11.dylib",
-	"/usr/local/docker-experimental/lib/libykcs11.dylib",
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_interface.go b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_interface.go
deleted file mode 100644
index 4a46e05f..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_interface.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// +build pkcs11
-
-// an interface around the pkcs11 library, so that things can be mocked out
-// for testing
-
-package yubikey
-
-import "github.com/miekg/pkcs11"
-
-// IPKCS11 is an interface for wrapping github.com/miekg/pkcs11
-type pkcs11LibLoader func(module string) IPKCS11Ctx
-
-func defaultLoader(module string) IPKCS11Ctx {
-	return pkcs11.New(module)
-}
-
-// IPKCS11Ctx is an interface for wrapping the parts of
-// github.com/miekg/pkcs11.Ctx that yubikeystore requires
-type IPKCS11Ctx interface {
-	Destroy()
-	Initialize() error
-	Finalize() error
-	GetSlotList(tokenPresent bool) ([]uint, error)
-	OpenSession(slotID uint, flags uint) (pkcs11.SessionHandle, error)
-	CloseSession(sh pkcs11.SessionHandle) error
-	Login(sh pkcs11.SessionHandle, userType uint, pin string) error
-	Logout(sh pkcs11.SessionHandle) error
-	CreateObject(sh pkcs11.SessionHandle, temp []*pkcs11.Attribute) (
-		pkcs11.ObjectHandle, error)
-	DestroyObject(sh pkcs11.SessionHandle, oh pkcs11.ObjectHandle) error
-	GetAttributeValue(sh pkcs11.SessionHandle, o pkcs11.ObjectHandle,
-		a []*pkcs11.Attribute) ([]*pkcs11.Attribute, error)
-	FindObjectsInit(sh pkcs11.SessionHandle, temp []*pkcs11.Attribute) error
-	FindObjects(sh pkcs11.SessionHandle, max int) (
-		[]pkcs11.ObjectHandle, bool, error)
-	FindObjectsFinal(sh pkcs11.SessionHandle) error
-	SignInit(sh pkcs11.SessionHandle, m []*pkcs11.Mechanism,
-		o pkcs11.ObjectHandle) error
-	Sign(sh pkcs11.SessionHandle, message []byte) ([]byte, error)
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go
deleted file mode 100644
index 836018f0..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// +build pkcs11,linux
-
-package yubikey
-
-var possiblePkcs11Libs = []string{
-	"/usr/lib/libykcs11.so",
-	"/usr/lib/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
-	"/usr/lib64/libykcs11.so",
-	"/usr/lib64/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
-	"/usr/lib/x86_64-linux-gnu/libykcs11.so",
-	"/usr/local/lib/libykcs11.so",
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/yubikeystore.go b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/yubikeystore.go
deleted file mode 100644
index 1fd71eea..00000000
--- a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/yubikeystore.go
+++ /dev/null
@@ -1,924 +0,0 @@
-// +build pkcs11
-
-package yubikey
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"io"
-	"math/big"
-	"os"
-	"time"
-
-	"github.com/miekg/pkcs11"
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/trustmanager"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-const (
-	// UserPin is the user pin of a yubikey (in PIV parlance, is the PIN)
-	UserPin = "123456"
-	// SOUserPin is the "Security Officer" user pin - this is the PIV management
-	// (MGM) key, which is different than the admin pin of the Yubikey PGP interface
-	// (which in PIV parlance is the PUK, and defaults to 12345678)
-	SOUserPin = "010203040506070801020304050607080102030405060708"
-	numSlots  = 4 // number of slots in the yubikey
-
-	// KeymodeNone means that no touch or PIN is required to sign with the yubikey
-	KeymodeNone = 0
-	// KeymodeTouch means that only touch is required to sign with the yubikey
-	KeymodeTouch = 1
-	// KeymodePinOnce means that the pin entry is required once the first time to sign with the yubikey
-	KeymodePinOnce = 2
-	// KeymodePinAlways means that pin entry is required every time to sign with the yubikey
-	KeymodePinAlways = 4
-
-	// the key size, when importing a key into yubikey, MUST be 32 bytes
-	ecdsaPrivateKeySize = 32
-
-	sigAttempts = 5
-)
-
-// what key mode to use when generating keys
-var (
-	yubikeyKeymode = KeymodeTouch | KeymodePinOnce
-	// order in which to prefer token locations on the yubikey.
-	// corresponds to: 9c, 9e, 9d, 9a
-	slotIDs = []int{2, 1, 3, 0}
-)
-
-// SetYubikeyKeyMode - sets the mode when generating yubikey keys.
-// This is to be used for testing.  It does nothing if not building with tag
-// pkcs11.
-func SetYubikeyKeyMode(keyMode int) error {
-	// technically 7 (1 | 2 | 4) is valid, but KeymodePinOnce +
-	// KeymdoePinAlways don't really make sense together
-	if keyMode < 0 || keyMode > 5 {
-		return errors.New("Invalid key mode")
-	}
-	yubikeyKeymode = keyMode
-	return nil
-}
-
-// SetTouchToSignUI - allows configurable UX for notifying a user that they
-// need to touch the yubikey to sign. The callback may be used to provide a
-// mechanism for updating a GUI (such as removing a modal) after the touch
-// has been made
-func SetTouchToSignUI(notifier func(), callback func()) {
-	touchToSignUI = notifier
-	if callback != nil {
-		touchDoneCallback = callback
-	}
-}
-
-var touchToSignUI = func() {
-	fmt.Println("Please touch the attached Yubikey to perform signing.")
-}
-
-var touchDoneCallback = func() {
-	// noop
-}
-
-var pkcs11Lib string
-
-func init() {
-	for _, loc := range possiblePkcs11Libs {
-		_, err := os.Stat(loc)
-		if err == nil {
-			p := pkcs11.New(loc)
-			if p != nil {
-				pkcs11Lib = loc
-				return
-			}
-		}
-	}
-}
-
-// ErrBackupFailed is returned when a YubiStore fails to back up a key that
-// is added
-type ErrBackupFailed struct {
-	err string
-}
-
-func (err ErrBackupFailed) Error() string {
-	return fmt.Sprintf("Failed to backup private key to: %s", err.err)
-}
-
-// An error indicating that the HSM is not present (as opposed to failing),
-// i.e. that we can confidently claim that the key is not stored in the HSM
-// without notifying the user about a missing or failing HSM.
-type errHSMNotPresent struct {
-	err string
-}
-
-func (err errHSMNotPresent) Error() string {
-	return err.err
-}
-
-type yubiSlot struct {
-	role   data.RoleName
-	slotID []byte
-}
-
-// YubiPrivateKey represents a private key inside of a yubikey
-type YubiPrivateKey struct {
-	data.ECDSAPublicKey
-	passRetriever notary.PassRetriever
-	slot          []byte
-	libLoader     pkcs11LibLoader
-}
-
-// yubikeySigner wraps a YubiPrivateKey and implements the crypto.Signer interface
-type yubikeySigner struct {
-	YubiPrivateKey
-}
-
-// NewYubiPrivateKey returns a YubiPrivateKey, which implements the data.PrivateKey
-// interface except that the private material is inaccessible
-func NewYubiPrivateKey(slot []byte, pubKey data.ECDSAPublicKey,
-	passRetriever notary.PassRetriever) *YubiPrivateKey {
-
-	return &YubiPrivateKey{
-		ECDSAPublicKey: pubKey,
-		passRetriever:  passRetriever,
-		slot:           slot,
-		libLoader:      defaultLoader,
-	}
-}
-
-// Public is a required method of the crypto.Signer interface
-func (ys *yubikeySigner) Public() crypto.PublicKey {
-	publicKey, err := x509.ParsePKIXPublicKey(ys.YubiPrivateKey.Public())
-	if err != nil {
-		return nil
-	}
-
-	return publicKey
-}
-
-func (y *YubiPrivateKey) setLibLoader(loader pkcs11LibLoader) {
-	y.libLoader = loader
-}
-
-// CryptoSigner returns a crypto.Signer tha wraps the YubiPrivateKey. Needed for
-// Certificate generation only
-func (y *YubiPrivateKey) CryptoSigner() crypto.Signer {
-	return &yubikeySigner{YubiPrivateKey: *y}
-}
-
-// Private is not implemented in hardware  keys
-func (y *YubiPrivateKey) Private() []byte {
-	// We cannot return the private material from a Yubikey
-	// TODO(david): We probably want to return an error here
-	return nil
-}
-
-// SignatureAlgorithm returns which algorithm this key uses to sign - currently
-// hardcoded to ECDSA
-func (y YubiPrivateKey) SignatureAlgorithm() data.SigAlgorithm {
-	return data.ECDSASignature
-}
-
-// Sign is a required method of the crypto.Signer interface and the data.PrivateKey
-// interface
-func (y *YubiPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, y.libLoader)
-	if err != nil {
-		return nil, err
-	}
-	defer cleanup(ctx, session)
-
-	v := signed.Verifiers[data.ECDSASignature]
-	for i := 0; i < sigAttempts; i++ {
-		sig, err := sign(ctx, session, y.slot, y.passRetriever, msg)
-		if err != nil {
-			return nil, fmt.Errorf("failed to sign using Yubikey: %v", err)
-		}
-		if err := v.Verify(&y.ECDSAPublicKey, sig, msg); err == nil {
-			return sig, nil
-		}
-	}
-	return nil, errors.New("failed to generate signature on Yubikey")
-}
-
-// If a byte array is less than the number of bytes specified by
-// ecdsaPrivateKeySize, left-zero-pad the byte array until
-// it is the required size.
-func ensurePrivateKeySize(payload []byte) []byte {
-	final := payload
-	if len(payload) < ecdsaPrivateKeySize {
-		final = make([]byte, ecdsaPrivateKeySize)
-		copy(final[ecdsaPrivateKeySize-len(payload):], payload)
-	}
-	return final
-}
-
-// addECDSAKey adds a key to the yubikey
-func addECDSAKey(
-	ctx IPKCS11Ctx,
-	session pkcs11.SessionHandle,
-	privKey data.PrivateKey,
-	pkcs11KeyID []byte,
-	passRetriever notary.PassRetriever,
-	role data.RoleName,
-) error {
-	logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID())
-
-	err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SOUserPin)
-	if err != nil {
-		return err
-	}
-	defer ctx.Logout(session)
-
-	// Create an ecdsa.PrivateKey out of the private key bytes
-	ecdsaPrivKey, err := x509.ParseECPrivateKey(privKey.Private())
-	if err != nil {
-		return err
-	}
-
-	ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes())
-
-	// Hard-coded policy: the generated certificate expires in 10 years.
-	startTime := time.Now()
-	template, err := utils.NewCertificate(role.String(), startTime, startTime.AddDate(10, 0, 0))
-	if err != nil {
-		return fmt.Errorf("failed to create the certificate template: %v", err)
-	}
-
-	certBytes, err := x509.CreateCertificate(rand.Reader, template, template, ecdsaPrivKey.Public(), ecdsaPrivKey)
-	if err != nil {
-		return fmt.Errorf("failed to create the certificate: %v", err)
-	}
-
-	certTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
-		pkcs11.NewAttribute(pkcs11.CKA_VALUE, certBytes),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-	}
-
-	privateKeyTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
-		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_ECDSA),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}),
-		pkcs11.NewAttribute(pkcs11.CKA_VALUE, ecdsaPrivKeyD),
-		pkcs11.NewAttribute(pkcs11.CKA_VENDOR_DEFINED, yubikeyKeymode),
-	}
-
-	_, err = ctx.CreateObject(session, certTemplate)
-	if err != nil {
-		return fmt.Errorf("error importing: %v", err)
-	}
-
-	_, err = ctx.CreateObject(session, privateKeyTemplate)
-	if err != nil {
-		return fmt.Errorf("error importing: %v", err)
-	}
-
-	return nil
-}
-
-func getECDSAKey(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte) (*data.ECDSAPublicKey, data.RoleName, error) {
-	findTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
-	}
-
-	attrTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{0}),
-		pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, []byte{0}),
-		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, []byte{0}),
-	}
-
-	if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s", err.Error())
-		return nil, "", err
-	}
-	obj, _, err := ctx.FindObjects(session, 1)
-	if err != nil {
-		logrus.Debugf("Failed to find objects: %v", err)
-		return nil, "", err
-	}
-	if err := ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s", err.Error())
-		return nil, "", err
-	}
-	if len(obj) != 1 {
-		logrus.Debugf("should have found one object")
-		return nil, "", errors.New("no matching keys found inside of yubikey")
-	}
-
-	// Retrieve the public-key material to be able to create a new ECSAKey
-	attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate)
-	if err != nil {
-		logrus.Debugf("Failed to get Attribute for: %v", obj[0])
-		return nil, "", err
-	}
-
-	// Iterate through all the attributes of this key and saves CKA_PUBLIC_EXPONENT and CKA_MODULUS. Removes ordering specific issues.
-	var rawPubKey []byte
-	for _, a := range attr {
-		if a.Type == pkcs11.CKA_EC_POINT {
-			rawPubKey = a.Value
-		}
-
-	}
-
-	ecdsaPubKey := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(rawPubKey[3:35]), Y: new(big.Int).SetBytes(rawPubKey[35:])}
-	pubBytes, err := x509.MarshalPKIXPublicKey(&ecdsaPubKey)
-	if err != nil {
-		logrus.Debugf("Failed to Marshal public key")
-		return nil, "", err
-	}
-
-	return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil
-}
-
-// sign returns a signature for a given signature request
-func sign(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever notary.PassRetriever, payload []byte) ([]byte, error) {
-	err := login(ctx, session, passRetriever, pkcs11.CKU_USER, UserPin)
-	if err != nil {
-		return nil, fmt.Errorf("error logging in: %v", err)
-	}
-	defer ctx.Logout(session)
-
-	// Define the ECDSA Private key template
-	class := pkcs11.CKO_PRIVATE_KEY
-	privateKeyTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, class),
-		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_ECDSA),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-	}
-
-	if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil {
-		logrus.Debugf("Failed to init find objects: %s", err.Error())
-		return nil, err
-	}
-	obj, _, err := ctx.FindObjects(session, 1)
-	if err != nil {
-		logrus.Debugf("Failed to find objects: %v", err)
-		return nil, err
-	}
-	if err = ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize find objects: %s", err.Error())
-		return nil, err
-	}
-	if len(obj) != 1 {
-		return nil, errors.New("length of objects found not 1")
-	}
-
-	var sig []byte
-	err = ctx.SignInit(
-		session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)}, obj[0])
-	if err != nil {
-		return nil, err
-	}
-
-	// Get the SHA256 of the payload
-	digest := sha256.Sum256(payload)
-
-	if (yubikeyKeymode & KeymodeTouch) > 0 {
-		touchToSignUI()
-		defer touchDoneCallback()
-	}
-	// a call to Sign, whether or not Sign fails, will clear the SignInit
-	sig, err = ctx.Sign(session, digest[:])
-	if err != nil {
-		logrus.Debugf("Error while signing: %s", err)
-		return nil, err
-	}
-
-	if sig == nil {
-		return nil, errors.New("Failed to create signature")
-	}
-	return sig[:], nil
-}
-
-func yubiRemoveKey(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever notary.PassRetriever, keyID string) error {
-	err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SOUserPin)
-	if err != nil {
-		return err
-	}
-	defer ctx.Logout(session)
-
-	template := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-		//pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
-	}
-
-	if err := ctx.FindObjectsInit(session, template); err != nil {
-		logrus.Debugf("Failed to init find objects: %s", err.Error())
-		return err
-	}
-	obj, b, err := ctx.FindObjects(session, 1)
-	if err != nil {
-		logrus.Debugf("Failed to find objects: %s %v", err.Error(), b)
-		return err
-	}
-	if err := ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize find objects: %s", err.Error())
-		return err
-	}
-	if len(obj) != 1 {
-		logrus.Debugf("should have found exactly one object")
-		return err
-	}
-
-	// Delete the certificate
-	err = ctx.DestroyObject(session, obj[0])
-	if err != nil {
-		logrus.Debugf("Failed to delete cert")
-		return err
-	}
-	return nil
-}
-
-func yubiListKeys(ctx IPKCS11Ctx, session pkcs11.SessionHandle) (keys map[string]yubiSlot, err error) {
-	keys = make(map[string]yubiSlot)
-
-	attrTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_ID, []byte{0}),
-		pkcs11.NewAttribute(pkcs11.CKA_VALUE, []byte{0}),
-	}
-
-	objs, err := listObjects(ctx, session)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(objs) == 0 {
-		return nil, errors.New("no keys found in yubikey")
-	}
-	logrus.Debugf("Found %d objects matching list filters", len(objs))
-	for _, obj := range objs {
-		var (
-			cert *x509.Certificate
-			slot []byte
-		)
-		// Retrieve the public-key material to be able to create a new ECDSA
-		attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
-		if err != nil {
-			logrus.Debugf("Failed to get Attribute for: %v", obj)
-			continue
-		}
-
-		// Iterate through all the attributes of this key and saves CKA_PUBLIC_EXPONENT and CKA_MODULUS. Removes ordering specific issues.
-		for _, a := range attr {
-			if a.Type == pkcs11.CKA_ID {
-				slot = a.Value
-			}
-			if a.Type == pkcs11.CKA_VALUE {
-				cert, err = x509.ParseCertificate(a.Value)
-				if err != nil {
-					continue
-				}
-				if !data.ValidRole(data.RoleName(cert.Subject.CommonName)) {
-					continue
-				}
-			}
-		}
-
-		// we found nothing
-		if cert == nil {
-			continue
-		}
-
-		var ecdsaPubKey *ecdsa.PublicKey
-		switch cert.PublicKeyAlgorithm {
-		case x509.ECDSA:
-			ecdsaPubKey = cert.PublicKey.(*ecdsa.PublicKey)
-		default:
-			logrus.Infof("Unsupported x509 PublicKeyAlgorithm: %d", cert.PublicKeyAlgorithm)
-			continue
-		}
-
-		pubBytes, err := x509.MarshalPKIXPublicKey(ecdsaPubKey)
-		if err != nil {
-			logrus.Debugf("Failed to Marshal public key")
-			continue
-		}
-
-		keys[data.NewECDSAPublicKey(pubBytes).ID()] = yubiSlot{
-			role:   data.RoleName(cert.Subject.CommonName),
-			slotID: slot,
-		}
-	}
-	return
-}
-
-func listObjects(ctx IPKCS11Ctx, session pkcs11.SessionHandle) ([]pkcs11.ObjectHandle, error) {
-	findTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
-	}
-
-	if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s", err.Error())
-		return nil, err
-	}
-
-	objs, b, err := ctx.FindObjects(session, numSlots)
-	for err == nil {
-		var o []pkcs11.ObjectHandle
-		o, b, err = ctx.FindObjects(session, numSlots)
-		if err != nil {
-			continue
-		}
-		if len(o) == 0 {
-			break
-		}
-		objs = append(objs, o...)
-	}
-	if err != nil {
-		logrus.Debugf("Failed to find: %s %v", err.Error(), b)
-		if len(objs) == 0 {
-			return nil, err
-		}
-	}
-	if err := ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s", err.Error())
-		return nil, err
-	}
-	return objs, nil
-}
-
-func getNextEmptySlot(ctx IPKCS11Ctx, session pkcs11.SessionHandle) ([]byte, error) {
-	findTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-	}
-	attrTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_ID, []byte{0}),
-	}
-
-	if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s", err.Error())
-		return nil, err
-	}
-	objs, b, err := ctx.FindObjects(session, numSlots)
-	// if there are more objects than `numSlots`, get all of them until
-	// there are no more to get
-	for err == nil {
-		var o []pkcs11.ObjectHandle
-		o, b, err = ctx.FindObjects(session, numSlots)
-		if err != nil {
-			continue
-		}
-		if len(o) == 0 {
-			break
-		}
-		objs = append(objs, o...)
-	}
-	taken := make(map[int]bool)
-	if err != nil {
-		logrus.Debugf("Failed to find: %s %v", err.Error(), b)
-		return nil, err
-	}
-	if err = ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s\n", err.Error())
-		return nil, err
-	}
-	for _, obj := range objs {
-		// Retrieve the slot ID
-		attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
-		if err != nil {
-			continue
-		}
-
-		// Iterate through attributes. If an ID attr was found, mark it as taken
-		for _, a := range attr {
-			if a.Type == pkcs11.CKA_ID {
-				if len(a.Value) < 1 {
-					continue
-				}
-				// a byte will always be capable of representing all slot IDs
-				// for the Yubikeys
-				slotNum := int(a.Value[0])
-				if slotNum >= numSlots {
-					// defensive
-					continue
-				}
-				taken[slotNum] = true
-			}
-		}
-	}
-	// iterate the token locations in our preferred order and use the first
-	// available one. Otherwise exit the loop and return an error.
-	for _, loc := range slotIDs {
-		if !taken[loc] {
-			return []byte{byte(loc)}, nil
-		}
-	}
-	return nil, errors.New("yubikey has no available slots")
-}
-
-// YubiStore is a KeyStore for private keys inside a Yubikey
-type YubiStore struct {
-	passRetriever notary.PassRetriever
-	keys          map[string]yubiSlot
-	backupStore   trustmanager.KeyStore
-	libLoader     pkcs11LibLoader
-}
-
-// NewYubiStore returns a YubiStore, given a backup key store to write any
-// generated keys to (usually a KeyFileStore)
-func NewYubiStore(backupStore trustmanager.KeyStore, passphraseRetriever notary.PassRetriever) (
-	*YubiStore, error) {
-
-	s := &YubiStore{
-		passRetriever: passphraseRetriever,
-		keys:          make(map[string]yubiSlot),
-		backupStore:   backupStore,
-		libLoader:     defaultLoader,
-	}
-	s.ListKeys() // populate keys field
-	return s, nil
-}
-
-// Name returns a user friendly name for the location this store
-// keeps its data
-func (s YubiStore) Name() string {
-	return "yubikey"
-}
-
-func (s *YubiStore) setLibLoader(loader pkcs11LibLoader) {
-	s.libLoader = loader
-}
-
-// ListKeys returns a list of keys in the yubikey store
-func (s *YubiStore) ListKeys() map[string]trustmanager.KeyInfo {
-	if len(s.keys) > 0 {
-		return buildKeyMap(s.keys)
-	}
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		return nil
-	}
-	defer cleanup(ctx, session)
-
-	keys, err := yubiListKeys(ctx, session)
-	if err != nil {
-		logrus.Debugf("Failed to list key from the yubikey: %s", err.Error())
-		return nil
-	}
-	s.keys = keys
-
-	return buildKeyMap(keys)
-}
-
-// AddKey puts a key inside the Yubikey, as well as writing it to the backup store
-func (s *YubiStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.PrivateKey) error {
-	added, err := s.addKey(privKey.ID(), keyInfo.Role, privKey)
-	if err != nil {
-		return err
-	}
-	if added && s.backupStore != nil {
-		err = s.backupStore.AddKey(keyInfo, privKey)
-		if err != nil {
-			defer s.RemoveKey(privKey.ID())
-			return ErrBackupFailed{err: err.Error()}
-		}
-	}
-	return nil
-}
-
-// Only add if we haven't seen the key already.  Return whether the key was
-// added.
-func (s *YubiStore) addKey(keyID string, role data.RoleName, privKey data.PrivateKey) (
-	bool, error) {
-
-	// We only allow adding root keys for now
-	if role != data.CanonicalRootRole {
-		return false, fmt.Errorf(
-			"yubikey only supports storing root keys, got %s for key: %s", role, keyID)
-	}
-
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		return false, err
-	}
-	defer cleanup(ctx, session)
-
-	if k, ok := s.keys[keyID]; ok {
-		if k.role == role {
-			// already have the key and it's associated with the correct role
-			return false, nil
-		}
-	}
-
-	slot, err := getNextEmptySlot(ctx, session)
-	if err != nil {
-		logrus.Debugf("Failed to get an empty yubikey slot: %s", err.Error())
-		return false, err
-	}
-	logrus.Debugf("Attempting to store key using yubikey slot %v", slot)
-
-	err = addECDSAKey(
-		ctx, session, privKey, slot, s.passRetriever, role)
-	if err == nil {
-		s.keys[privKey.ID()] = yubiSlot{
-			role:   role,
-			slotID: slot,
-		}
-		return true, nil
-	}
-	logrus.Debugf("Failed to add key to yubikey: %v", err)
-
-	return false, err
-}
-
-// GetKey retrieves a key from the Yubikey only (it does not look inside the
-// backup store)
-func (s *YubiStore) GetKey(keyID string) (data.PrivateKey, data.RoleName, error) {
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		if _, ok := err.(errHSMNotPresent); ok {
-			err = trustmanager.ErrKeyNotFound{KeyID: keyID}
-		}
-		return nil, "", err
-	}
-	defer cleanup(ctx, session)
-
-	key, ok := s.keys[keyID]
-	if !ok {
-		return nil, "", trustmanager.ErrKeyNotFound{KeyID: keyID}
-	}
-
-	pubKey, alias, err := getECDSAKey(ctx, session, key.slotID)
-	if err != nil {
-		logrus.Debugf("Failed to get key from slot %s: %s", key.slotID, err.Error())
-		return nil, "", err
-	}
-	// Check to see if we're returning the intended keyID
-	if pubKey.ID() != keyID {
-		return nil, "", fmt.Errorf("expected root key: %s, but found: %s", keyID, pubKey.ID())
-	}
-	privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever)
-	if privKey == nil {
-		return nil, "", errors.New("could not initialize new YubiPrivateKey")
-	}
-
-	return privKey, alias, err
-}
-
-// RemoveKey deletes a key from the Yubikey only (it does not remove it from the
-// backup store)
-func (s *YubiStore) RemoveKey(keyID string) error {
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		return nil
-	}
-	defer cleanup(ctx, session)
-
-	key, ok := s.keys[keyID]
-	if !ok {
-		return errors.New("Key not present in yubikey")
-	}
-	err = yubiRemoveKey(ctx, session, key.slotID, s.passRetriever, keyID)
-	if err == nil {
-		delete(s.keys, keyID)
-	} else {
-		logrus.Debugf("Failed to remove from the yubikey KeyID %s: %v", keyID, err)
-	}
-
-	return err
-}
-
-// GetKeyInfo is not yet implemented
-func (s *YubiStore) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {
-	return trustmanager.KeyInfo{}, fmt.Errorf("Not yet implemented")
-}
-
-func cleanup(ctx IPKCS11Ctx, session pkcs11.SessionHandle) {
-	err := ctx.CloseSession(session)
-	if err != nil {
-		logrus.Debugf("Error closing session: %s", err.Error())
-	}
-	finalizeAndDestroy(ctx)
-}
-
-func finalizeAndDestroy(ctx IPKCS11Ctx) {
-	err := ctx.Finalize()
-	if err != nil {
-		logrus.Debugf("Error finalizing: %s", err.Error())
-	}
-	ctx.Destroy()
-}
-
-// SetupHSMEnv is a method that depends on the existences
-func SetupHSMEnv(libraryPath string, libLoader pkcs11LibLoader) (
-	IPKCS11Ctx, pkcs11.SessionHandle, error) {
-
-	if libraryPath == "" {
-		return nil, 0, errHSMNotPresent{err: "no library found"}
-	}
-	p := libLoader(libraryPath)
-
-	if p == nil {
-		return nil, 0, fmt.Errorf("failed to load library %s", libraryPath)
-	}
-
-	if err := p.Initialize(); err != nil {
-		defer finalizeAndDestroy(p)
-		return nil, 0, fmt.Errorf("found library %s, but initialize error %s", libraryPath, err.Error())
-	}
-
-	slots, err := p.GetSlotList(true)
-	if err != nil {
-		defer finalizeAndDestroy(p)
-		return nil, 0, fmt.Errorf(
-			"loaded library %s, but failed to list HSM slots %s", libraryPath, err)
-	}
-	// Check to see if we got any slots from the HSM.
-	if len(slots) < 1 {
-		defer finalizeAndDestroy(p)
-		return nil, 0, fmt.Errorf(
-			"loaded library %s, but no HSM slots found", libraryPath)
-	}
-
-	// CKF_SERIAL_SESSION: TRUE if cryptographic functions are performed in serial with the application; FALSE if the functions may be performed in parallel with the application.
-	// CKF_RW_SESSION: TRUE if the session is read/write; FALSE if the session is read-only
-	session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
-	if err != nil {
-		defer cleanup(p, session)
-		return nil, 0, fmt.Errorf(
-			"loaded library %s, but failed to start session with HSM %s",
-			libraryPath, err)
-	}
-
-	logrus.Debugf("Initialized PKCS11 library %s and started HSM session", libraryPath)
-	return p, session, nil
-}
-
-// IsAccessible returns true if a Yubikey can be accessed
-func IsAccessible() bool {
-	if pkcs11Lib == "" {
-		return false
-	}
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, defaultLoader)
-	if err != nil {
-		return false
-	}
-	defer cleanup(ctx, session)
-	return true
-}
-
-func login(ctx IPKCS11Ctx, session pkcs11.SessionHandle, passRetriever notary.PassRetriever, userFlag uint, defaultPassw string) error {
-	// try default password
-	err := ctx.Login(session, userFlag, defaultPassw)
-	if err == nil {
-		return nil
-	}
-
-	// default failed, ask user for password
-	for attempts := 0; ; attempts++ {
-		var (
-			giveup bool
-			err    error
-			user   string
-		)
-		if userFlag == pkcs11.CKU_SO {
-			user = "SO Pin"
-		} else {
-			user = "User Pin"
-		}
-		passwd, giveup, err := passRetriever(user, "yubikey", false, attempts)
-		// Check if the passphrase retriever got an error or if it is telling us to give up
-		if giveup || err != nil {
-			return trustmanager.ErrPasswordInvalid{}
-		}
-		if attempts > 2 {
-			return trustmanager.ErrAttemptsExceeded{}
-		}
-
-		// attempt to login. Loop if failed
-		err = ctx.Login(session, userFlag, passwd)
-		if err == nil {
-			return nil
-		}
-	}
-}
-
-func buildKeyMap(keys map[string]yubiSlot) map[string]trustmanager.KeyInfo {
-	res := make(map[string]trustmanager.KeyInfo)
-	for k, v := range keys {
-		res[k] = trustmanager.KeyInfo{Role: v.role, Gun: ""}
-	}
-	return res
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustpinning/ca.crt b/vendor/github.com/theupdateframework/notary/trustpinning/ca.crt
deleted file mode 100644
index df95eacf..00000000
--- a/vendor/github.com/theupdateframework/notary/trustpinning/ca.crt
+++ /dev/null
@@ -1,37 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGMzCCBBugAwIBAgIBATANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJVUzEL
-MAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRv
-Y2tlcjEaMBgGA1UEAwwRTm90YXJ5IFRlc3RpbmcgQ0EwHhcNMTUwNzE2MDQyNTAz
-WhcNMjUwNzEzMDQyNTAzWjBfMRowGAYDVQQDDBFOb3RhcnkgVGVzdGluZyBDQTEL
-MAkGA1UEBhMCVVMxFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRv
-Y2tlcjELMAkGA1UECAwCQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQCwVVD4pK7z7pXPpJbaZ1Hg5eRXIcaYtbFPCnN0iqy9HsVEGnEn5BPNSEsuP+m0
-5N0qVV7DGb1SjiloLXD1qDDvhXWk+giS9ppqPHPLVPB4bvzsqwDYrtpbqkYvO0YK
-0SL3kxPXUFdlkFfgu0xjlczm2PhWG3Jd8aAtspL/L+VfPA13JUaWxSLpui1In8rh
-gAyQTK6Q4Of6GbJYTnAHb59UoLXSzB5AfqiUq6L7nEYYKoPflPbRAIWL/UBm0c+H
-ocms706PYpmPS2RQv3iOGmnn9hEVp3P6jq7WAevbA4aYGx5EsbVtYABqJBbFWAuw
-wTGRYmzn0Mj0eTMge9ztYB2/2sxdTe6uhmFgpUXngDqJI5O9N3zPfvlEImCky3HM
-jJoL7g5smqX9o1P+ESLh0VZzhh7IDPzQTXpcPIS/6z0l22QGkK/1N1PaADaUHdLL
-vSav3y2BaEmPvf2fkZj8yP5eYgi7Cw5ONhHLDYHFcl9Zm/ywmdxHJETz9nfgXnsW
-HNxDqrkCVO46r/u6rSrUt6hr3oddJG8s8Jo06earw6XU3MzM+3giwkK0SSM3uRPq
-4AscR1Tv+E31AuOAmjqYQoT29bMIxoSzeljj/YnedwjW45pWyc3JoHaibDwvW9Uo
-GSZBVy4hrM/Fa7XCWv1WfHNW1gDwaLYwDnl5jFmRBvcfuQIDAQABo4H5MIH2MIGR
-BgNVHSMEgYkwgYaAFHUM1U3E4WyL1nvFd+dPY8f4O2hZoWOkYTBfMQswCQYDVQQG
-EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNV
-BAoMBkRvY2tlcjEaMBgGA1UEAwwRTm90YXJ5IFRlc3RpbmcgQ0GCCQDCeDLbemIT
-SzASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
-BQcDATAOBgNVHQ8BAf8EBAMCAUYwHQYDVR0OBBYEFHe48hcBcAp0bUVlTxXeRA4o
-E16pMA0GCSqGSIb3DQEBCwUAA4ICAQAWUtAPdUFpwRq+N1SzGUejSikeMGyPZscZ
-JBUCmhZoFufgXGbLO5OpcRLaV3Xda0t/5PtdGMSEzczeoZHWknDtw+79OBittPPj
-Sh1oFDuPo35R7eP624lUCch/InZCphTaLx9oDLGcaK3ailQ9wjBdKdlBl8KNKIZp
-a13aP5rnSm2Jva+tXy/yi3BSds3dGD8ITKZyI/6AFHxGvObrDIBpo4FF/zcWXVDj
-paOmxplRtM4Hitm+sXGvfqJe4x5DuOXOnPrT3dHvRT6vSZUoKobxMqmRTOcrOIPa
-EeMpOobshORuRntMDYvvgO3D6p6iciDW2Vp9N6rdMdfOWEQN8JVWvB7IxRHk9qKJ
-vYOWVbczAt0qpMvXF3PXLjZbUM0knOdUKIEbqP4YUbgdzx6RtgiiY930Aj6tAtce
-0fpgNlvjMRpSBuWTlAfNNjG/YhndMz9uI68TMfFpR3PcgVIv30krw/9VzoLi2Dpe
-ow6DrGO6oi+DhN78P4jY/O9UczZK2roZL1Oi5P0RIxf23UZC7x1DlcN3nBr4sYSv
-rBx4cFTMNpwU+nzsIi4djcFDKmJdEOyjMnkP2v0Lwe7yvK08pZdEu+0zbrq17kue
-XpXLc7K68QB15yxzGylU5rRwzmC/YsAVyE4eoGu8PxWxrERvHby4B8YP0vAfOraL
-lKmXlK4dTg==
------END CERTIFICATE-----
-
diff --git a/vendor/github.com/theupdateframework/notary/trustpinning/certs.go b/vendor/github.com/theupdateframework/notary/trustpinning/certs.go
deleted file mode 100644
index 9be49ee1..00000000
--- a/vendor/github.com/theupdateframework/notary/trustpinning/certs.go
+++ /dev/null
@@ -1,304 +0,0 @@
-package trustpinning
-
-import (
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-const wildcard = "*"
-
-// ErrValidationFail is returned when there is no valid trusted certificates
-// being served inside of the roots.json
-type ErrValidationFail struct {
-	Reason string
-}
-
-// ErrValidationFail is returned when there is no valid trusted certificates
-// being served inside of the roots.json
-func (err ErrValidationFail) Error() string {
-	return fmt.Sprintf("could not validate the path to a trusted root: %s", err.Reason)
-}
-
-// ErrRootRotationFail is returned when we fail to do a full root key rotation
-// by either failing to add the new root certificate, or delete the old ones
-type ErrRootRotationFail struct {
-	Reason string
-}
-
-// ErrRootRotationFail is returned when we fail to do a full root key rotation
-// by either failing to add the new root certificate, or delete the old ones
-func (err ErrRootRotationFail) Error() string {
-	return fmt.Sprintf("could not rotate trust to a new trusted root: %s", err.Reason)
-}
-
-func prettyFormatCertIDs(certs map[string]*x509.Certificate) string {
-	ids := make([]string, 0, len(certs))
-	for id := range certs {
-		ids = append(ids, id)
-	}
-	return strings.Join(ids, ", ")
-}
-
-/*
-ValidateRoot receives a new root, validates its correctness and attempts to
-do root key rotation if needed.
-
-First we check if we have any trusted certificates for a particular GUN in
-a previous root, if we have one. If the previous root is not nil and we find
-certificates for this GUN, we've already seen this repository before, and
-have a list of trusted certificates for it. In this case, we use this list of
-certificates to attempt to validate this root file.
-
-If the previous validation succeeds, we check the integrity of the root by
-making sure that it is validated by itself. This means that we will attempt to
-validate the root data with the certificates that are included in the root keys
-themselves.
-
-However, if we do not have any current trusted certificates for this GUN, we
-check if there are any pinned certificates specified in the trust_pinning section
-of the notary client config.  If this section specifies a Certs section with this
-GUN, we attempt to validate that the certificates present in the downloaded root
-file match the pinned ID.
-
-If the Certs section is empty for this GUN, we check if the trust_pinning
-section specifies a CA section specified in the config for this GUN.  If so, we check
-that the specified CA is valid and has signed a certificate included in the downloaded
-root file.  The specified CA can be a prefix for this GUN.
-
-If both the Certs and CA configs do not match this GUN, we fall back to the TOFU
-section in the config: if true, we trust certificates specified in the root for
-this GUN. If later we see a different certificate for that certificate, we return
-an ErrValidationFailed error.
-
-Note that since we only allow trust data to be downloaded over an HTTPS channel
-we are using the current public PKI to validate the first download of the certificate
-adding an extra layer of security over the normal (SSH style) trust model.
-We shall call this: TOFUS.
-
-Validation failure at any step will result in an ErrValidationFailed error.
-*/
-func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun data.GUN, trustPinning TrustPinConfig) (*data.SignedRoot, error) {
-	logrus.Debugf("entered ValidateRoot with dns: %s", gun)
-	signedRoot, err := data.RootFromSigned(root)
-	if err != nil {
-		return nil, err
-	}
-
-	rootRole, err := signedRoot.BuildBaseRole(data.CanonicalRootRole)
-	if err != nil {
-		return nil, err
-	}
-
-	// Retrieve all the leaf and intermediate certificates in root for which the CN matches the GUN
-	allLeafCerts, allIntCerts := parseAllCerts(signedRoot)
-	certsFromRoot, err := validRootLeafCerts(allLeafCerts, gun, true)
-	validIntCerts := validRootIntCerts(allIntCerts)
-
-	if err != nil {
-		logrus.Debugf("error retrieving valid leaf certificates for: %s, %v", gun, err)
-		return nil, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}
-	}
-
-	logrus.Debugf("found %d leaf certs, of which %d are valid leaf certs for %s", len(allLeafCerts), len(certsFromRoot), gun)
-
-	// If we have a previous root, let's try to use it to validate that this new root is valid.
-	havePrevRoot := prevRoot != nil
-	if havePrevRoot {
-		// Retrieve all the trusted certificates from our previous root
-		// Note that we do not validate expiries here since our originally trusted root might have expired certs
-		allTrustedLeafCerts, allTrustedIntCerts := parseAllCerts(prevRoot)
-		trustedLeafCerts, err := validRootLeafCerts(allTrustedLeafCerts, gun, false)
-		if err != nil {
-			return nil, &ErrValidationFail{Reason: "could not retrieve trusted certs from previous root role data"}
-		}
-
-		// Use the certificates we found in the previous root for the GUN to verify its signatures
-		// This could potentially be an empty set, in which case we will fail to verify
-		logrus.Debugf("found %d valid root leaf certificates for %s: %s", len(trustedLeafCerts), gun,
-			prettyFormatCertIDs(trustedLeafCerts))
-
-		// Extract the previous root's threshold for signature verification
-		prevRootRoleData, ok := prevRoot.Signed.Roles[data.CanonicalRootRole]
-		if !ok {
-			return nil, &ErrValidationFail{Reason: "could not retrieve previous root role data"}
-		}
-		err = signed.VerifySignatures(
-			root, data.BaseRole{Keys: utils.CertsToKeys(trustedLeafCerts, allTrustedIntCerts), Threshold: prevRootRoleData.Threshold})
-		if err != nil {
-			logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
-			return nil, &ErrRootRotationFail{Reason: "failed to validate data with current trusted certificates"}
-		}
-		// Clear the IsValid marks we could have received from VerifySignatures
-		for i := range root.Signatures {
-			root.Signatures[i].IsValid = false
-		}
-	}
-
-	// Regardless of having a previous root or not, confirm that the new root validates against the trust pinning
-	logrus.Debugf("checking root against trust_pinning config for %s", gun)
-	trustPinCheckFunc, err := NewTrustPinChecker(trustPinning, gun, !havePrevRoot)
-	if err != nil {
-		return nil, &ErrValidationFail{Reason: err.Error()}
-	}
-
-	validPinnedCerts := map[string]*x509.Certificate{}
-	for id, cert := range certsFromRoot {
-		logrus.Debugf("checking trust-pinning for cert: %s", id)
-		if ok := trustPinCheckFunc(cert, validIntCerts[id]); !ok {
-			logrus.Debugf("trust-pinning check failed for cert: %s", id)
-			continue
-		}
-		validPinnedCerts[id] = cert
-	}
-	if len(validPinnedCerts) == 0 {
-		return nil, &ErrValidationFail{Reason: "unable to match any certificates to trust_pinning config"}
-	}
-	certsFromRoot = validPinnedCerts
-
-	// Validate the integrity of the new root (does it have valid signatures)
-	// Note that certsFromRoot is guaranteed to be unchanged only if we had prior cert data for this GUN or enabled TOFUS
-	// If we attempted to pin a certain certificate or CA, certsFromRoot could have been pruned accordingly
-	err = signed.VerifySignatures(root, data.BaseRole{
-		Keys: utils.CertsToKeys(certsFromRoot, validIntCerts), Threshold: rootRole.Threshold})
-	if err != nil {
-		logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
-		return nil, &ErrValidationFail{Reason: "failed to validate integrity of roots"}
-	}
-
-	logrus.Debugf("root validation succeeded for %s", gun)
-	// Call RootFromSigned to make sure we pick up on the IsValid markings from VerifySignatures
-	return data.RootFromSigned(root)
-}
-
-// MatchCNToGun checks that the common name in a cert is valid for the given gun.
-// This allows wildcards as suffixes, e.g. `namespace/*`
-func MatchCNToGun(commonName string, gun data.GUN) bool {
-	if strings.HasSuffix(commonName, wildcard) {
-		prefix := strings.TrimRight(commonName, wildcard)
-		logrus.Debugf("checking gun %s against wildcard prefix %s", gun, prefix)
-		return strings.HasPrefix(gun.String(), prefix)
-	}
-	return commonName == gun.String()
-}
-
-// validRootLeafCerts returns a list of possibly (if checkExpiry is true) non-expired, non-sha1 certificates
-// found in root whose Common-Names match the provided GUN. Note that this
-// "validity" alone does not imply any measure of trust.
-func validRootLeafCerts(allLeafCerts map[string]*x509.Certificate, gun data.GUN, checkExpiry bool) (map[string]*x509.Certificate, error) {
-	validLeafCerts := make(map[string]*x509.Certificate)
-
-	// Go through every leaf certificate and check that the CN matches the gun
-	for id, cert := range allLeafCerts {
-		// Validate that this leaf certificate has a CN that matches the gun
-		if !MatchCNToGun(cert.Subject.CommonName, gun) {
-			logrus.Debugf("error leaf certificate CN: %s doesn't match the given GUN: %s",
-				cert.Subject.CommonName, gun)
-			continue
-		}
-		// Make sure the certificate is not expired if checkExpiry is true
-		// and warn if it hasn't expired yet but is within 6 months of expiry
-		if err := utils.ValidateCertificate(cert, checkExpiry); err != nil {
-			logrus.Debugf("%s is invalid: %s", id, err.Error())
-			continue
-		}
-
-		validLeafCerts[id] = cert
-	}
-
-	if len(validLeafCerts) < 1 {
-		logrus.Debugf("didn't find any valid leaf certificates for %s", gun)
-		return nil, errors.New("no valid leaf certificates found in any of the root keys")
-	}
-
-	logrus.Debugf("found %d valid leaf certificates for %s: %s", len(validLeafCerts), gun,
-		prettyFormatCertIDs(validLeafCerts))
-	return validLeafCerts, nil
-}
-
-// validRootIntCerts filters the passed in structure of intermediate certificates to only include non-expired, non-sha1 certificates
-// Note that this "validity" alone does not imply any measure of trust.
-func validRootIntCerts(allIntCerts map[string][]*x509.Certificate) map[string][]*x509.Certificate {
-	validIntCerts := make(map[string][]*x509.Certificate)
-
-	// Go through every leaf cert ID, and build its valid intermediate certificate list
-	for leafID, intCertList := range allIntCerts {
-		for _, intCert := range intCertList {
-			if err := utils.ValidateCertificate(intCert, true); err != nil {
-				continue
-			}
-			validIntCerts[leafID] = append(validIntCerts[leafID], intCert)
-		}
-
-	}
-	return validIntCerts
-}
-
-// parseAllCerts returns two maps, one with all of the leafCertificates and one
-// with all the intermediate certificates found in signedRoot
-func parseAllCerts(signedRoot *data.SignedRoot) (map[string]*x509.Certificate, map[string][]*x509.Certificate) {
-	if signedRoot == nil {
-		return nil, nil
-	}
-
-	leafCerts := make(map[string]*x509.Certificate)
-	intCerts := make(map[string][]*x509.Certificate)
-
-	// Before we loop through all root keys available, make sure any exist
-	rootRoles, ok := signedRoot.Signed.Roles[data.CanonicalRootRole]
-	if !ok {
-		logrus.Debugf("tried to parse certificates from invalid root signed data")
-		return nil, nil
-	}
-
-	logrus.Debugf("found the following root keys: %v", rootRoles.KeyIDs)
-	// Iterate over every keyID for the root role inside of roots.json
-	for _, keyID := range rootRoles.KeyIDs {
-		// check that the key exists in the signed root keys map
-		key, ok := signedRoot.Signed.Keys[keyID]
-		if !ok {
-			logrus.Debugf("error while getting data for keyID: %s", keyID)
-			continue
-		}
-
-		// Decode all the x509 certificates that were bundled with this
-		// Specific root key
-		decodedCerts, err := utils.LoadCertBundleFromPEM(key.Public())
-		if err != nil {
-			logrus.Debugf("error while parsing root certificate with keyID: %s, %v", keyID, err)
-			continue
-		}
-
-		// Get all non-CA certificates in the decoded certificates
-		leafCertList := utils.GetLeafCerts(decodedCerts)
-
-		// If we got no leaf certificates or we got more than one, fail
-		if len(leafCertList) != 1 {
-			logrus.Debugf("invalid chain due to leaf certificate missing or too many leaf certificates for keyID: %s", keyID)
-			continue
-		}
-		// If we found a leaf certificate, assert that the cert bundle started with a leaf
-		if decodedCerts[0].IsCA {
-			logrus.Debugf("invalid chain due to leaf certificate not being first certificate for keyID: %s", keyID)
-			continue
-		}
-
-		// Get the ID of the leaf certificate
-		leafCert := leafCertList[0]
-
-		// Store the leaf cert in the map
-		leafCerts[key.ID()] = leafCert
-
-		// Get all the remainder certificates marked as a CA to be used as intermediates
-		intermediateCerts := utils.GetIntermediateCerts(decodedCerts)
-		intCerts[key.ID()] = intermediateCerts
-	}
-
-	return leafCerts, intCerts
-}
diff --git a/vendor/github.com/theupdateframework/notary/trustpinning/test.crt b/vendor/github.com/theupdateframework/notary/trustpinning/test.crt
deleted file mode 100644
index 88d806b7..00000000
--- a/vendor/github.com/theupdateframework/notary/trustpinning/test.crt
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFKzCCAxWgAwIBAgIQRyp9QqcJfd3ayqdjiz8xIDALBgkqhkiG9w0BAQswODEa
-MBgGA1UEChMRZG9ja2VyLmNvbS9ub3RhcnkxGjAYBgNVBAMTEWRvY2tlci5jb20v
-bm90YXJ5MB4XDTE1MDcxNzA2MzQyM1oXDTE3MDcxNjA2MzQyM1owODEaMBgGA1UE
-ChMRZG9ja2VyLmNvbS9ub3RhcnkxGjAYBgNVBAMTEWRvY2tlci5jb20vbm90YXJ5
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoQffrzsYnsH8vGf4Jh55
-Cj5wrjUGzD/sHkaFHptjJ6ToJGJv5yMAPxzyInu5sIoGLJapnYVBoAU0YgI9qlAc
-YA6SxaSwgm6rpvmnl8Qn0qc6ger3inpGaUJylWHuPwWkvcimQAqHZx2dQtL7g6kp
-rmKeTWpWoWLw3JoAUZUVhZMd6a22ZL/DvAw+Hrogbz4XeyahFb9IH402zPxN6vga
-JEFTF0Ji1jtNg0Mo4pb9SHsMsiw+LZK7SffHVKPxvd21m/biNmwsgExA3U8OOG8p
-uygfacys5c8+ZrX+ZFG/cvwKz0k6/QfJU40s6MhXw5C2WttdVmsG9/7rGFYjHoIJ
-weDyxgWk7vxKzRJI/un7cagDIaQsKrJQcCHIGFRlpIR5TwX7vl3R7cRncrDRMVvc
-VSEG2esxbw7jtzIp/ypnVRxcOny7IypyjKqVeqZ6HgxZtTBVrF1O/aHo2kvlwyRS
-Aus4kvh6z3+jzTm9EzfXiPQzY9BEk5gOLxhW9rc6UhlS+pe5lkaN/Hyqy/lPuq89
-fMr2rr7lf5WFdFnze6WNYMAaW7dNA4NE0dyD53428ZLXxNVPL4WU66Gac6lynQ8l
-r5tPsYIFXzh6FVaRKGQUtW1hz9ecO6Y27Rh2JsyiIxgUqk2ooxE69uN42t+dtqKC
-1s8G/7VtY8GDALFLYTnzLvsCAwEAAaM1MDMwDgYDVR0PAQH/BAQDAgCgMBMGA1Ud
-JQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwCwYJKoZIhvcNAQELA4ICAQBM
-Oll3G/XBz8idiNdNJDWUh+5w3ojmwanrTBdCdqEk1WenaR6DtcflJx6Z3f/mwV4o
-b1skOAX1yX5RCahJHUMxMicz/Q38pOVelGPrWnc3TJB+VKjGyHXlQDVkZFb+4+ef
-wtj7HngXhHFFDSgjm3EdMndvgDQ7SQb4skOnCNS9iyX7eXxhFBCZmZL+HALKBj2B
-yhV4IcBDqmp504t14rx9/Jvty0dG7fY7I51gEQpm4S02JML5xvTm1xfboWIhZODI
-swEAO+ekBoFHbS1Q9KMPjIAw3TrCHH8x8XZq5zsYtAC1yZHdCKa26aWdy56A9eHj
-O1VxzwmbNyXRenVuBYP+0wr3HVKFG4JJ4ZZpNZzQW/pqEPghCTJIvIueK652ByUc
-//sv+nXd5f19LeES9pf0l253NDaFZPb6aegKfquWh8qlQBmUQ2GzaTLbtmNd28M6
-W7iL7tkKZe1ZnBz9RKgtPrDjjWGZInjjcOU8EtT4SLq7kCVDmPs5MD8vaAm96JsE
-jmLC3Uu/4k7HiDYX0i0mOWkFjZQMdVatcIF5FPSppwsSbW8QidnXt54UtwtFDEPz
-lpjs7ybeQE71JXcMZnVIK4bjRXsEFPI98RpIlEdedbSUdYAncLNJRT7HZBMPGSwZ
-0PNJuglnlr3srVzdW1dz2xQjdvLwxy6mNUF6rbQBWA==
------END CERTIFICATE-----
-
diff --git a/vendor/github.com/theupdateframework/notary/trustpinning/trustpin.go b/vendor/github.com/theupdateframework/notary/trustpinning/trustpin.go
deleted file mode 100644
index 67908f8b..00000000
--- a/vendor/github.com/theupdateframework/notary/trustpinning/trustpin.go
+++ /dev/null
@@ -1,163 +0,0 @@
-package trustpinning
-
-import (
-	"crypto/x509"
-	"fmt"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// TrustPinConfig represents the configuration under the trust_pinning section of the config file
-// This struct represents the preferred way to bootstrap trust for this repository
-// This is fully optional. If left at the default, uninitialized value Notary will use TOFU over
-// HTTPS.
-// You can use this to provide certificates or a CA to pin to as a root of trust for a GUN.
-// These are used with the following precedence:
-//
-// 1. Certs
-// 2. CA
-// 3. TOFUS (TOFU over HTTPS)
-//
-// Only one trust pinning option will be used to validate a particular GUN.
-type TrustPinConfig struct {
-	// CA maps a GUN prefix to file paths containing the root CA.
-	// This file can contain multiple root certificates, bundled in separate PEM blocks.
-	CA map[string]string
-	// Certs maps a GUN to a list of certificate IDs
-	Certs map[string][]string
-	// DisableTOFU, when true, disables "Trust On First Use" of new key data
-	// This is false by default, which means new key data will always be trusted the first time it is seen.
-	DisableTOFU bool
-}
-
-type trustPinChecker struct {
-	gun           data.GUN
-	config        TrustPinConfig
-	pinnedCAPool  *x509.CertPool
-	pinnedCertIDs []string
-}
-
-// CertChecker is a function type that will be used to check leaf certs against pinned trust
-type CertChecker func(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool
-
-// NewTrustPinChecker returns a new certChecker function from a TrustPinConfig for a GUN
-func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun data.GUN, firstBootstrap bool) (CertChecker, error) {
-	t := trustPinChecker{gun: gun, config: trustPinConfig}
-	// Determine the mode, and if it's even valid
-	if pinnedCerts, ok := trustPinConfig.Certs[gun.String()]; ok {
-		logrus.Debugf("trust-pinning using Cert IDs")
-		t.pinnedCertIDs = pinnedCerts
-		return t.certsCheck, nil
-	}
-	var ok bool
-	t.pinnedCertIDs, ok = wildcardMatch(gun, trustPinConfig.Certs)
-	if ok {
-		return t.certsCheck, nil
-	}
-
-	if caFilepath, err := getPinnedCAFilepathByPrefix(gun, trustPinConfig); err == nil {
-		logrus.Debugf("trust-pinning using root CA bundle at: %s", caFilepath)
-
-		// Try to add the CA certs from its bundle file to our certificate store,
-		// and use it to validate certs in the root.json later
-		caCerts, err := utils.LoadCertBundleFromFile(caFilepath)
-		if err != nil {
-			return nil, fmt.Errorf("could not load root cert from CA path")
-		}
-		// Now only consider certificates that are direct children from this CA cert chain
-		caRootPool := x509.NewCertPool()
-		for _, caCert := range caCerts {
-			if err = utils.ValidateCertificate(caCert, true); err != nil {
-				logrus.Debugf("ignoring root CA certificate with CN %s in bundle: %s", caCert.Subject.CommonName, err)
-				continue
-			}
-			caRootPool.AddCert(caCert)
-		}
-		// If we didn't have any valid CA certs, error out
-		if len(caRootPool.Subjects()) == 0 {
-			return nil, fmt.Errorf("invalid CA certs provided")
-		}
-		t.pinnedCAPool = caRootPool
-		return t.caCheck, nil
-	}
-
-	// If TOFUs is disabled and we don't have any previous trusted root data for this GUN, we error out
-	if trustPinConfig.DisableTOFU && firstBootstrap {
-		return nil, fmt.Errorf("invalid trust pinning specified")
-
-	}
-	return t.tofusCheck, nil
-}
-
-func (t trustPinChecker) certsCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
-	// reconstruct the leaf + intermediate cert chain, which is bundled as {leaf, intermediates...},
-	// in order to get the matching id in the root file
-	key, err := utils.CertBundleToKey(leafCert, intCerts)
-	if err != nil {
-		logrus.Debug("error creating cert bundle: ", err.Error())
-		return false
-	}
-	return utils.StrSliceContains(t.pinnedCertIDs, key.ID())
-}
-
-func (t trustPinChecker) caCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
-	// Use intermediate certificates included in the root TUF metadata for our validation
-	caIntPool := x509.NewCertPool()
-	for _, intCert := range intCerts {
-		caIntPool.AddCert(intCert)
-	}
-	// Attempt to find a valid certificate chain from the leaf cert to CA root
-	// Use this certificate if such a valid chain exists (possibly using intermediates)
-	var err error
-	if _, err = leafCert.Verify(x509.VerifyOptions{Roots: t.pinnedCAPool, Intermediates: caIntPool}); err == nil {
-		return true
-	}
-	logrus.Debugf("unable to find a valid certificate chain from leaf cert to CA root: %s", err)
-	return false
-}
-
-func (t trustPinChecker) tofusCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
-	return true
-}
-
-// Will return the CA filepath corresponding to the most specific (longest) entry in the map that is still a prefix
-// of the provided gun.  Returns an error if no entry matches this GUN as a prefix.
-func getPinnedCAFilepathByPrefix(gun data.GUN, t TrustPinConfig) (string, error) {
-	specificGUN := ""
-	specificCAFilepath := ""
-	foundCA := false
-	for gunPrefix, caFilepath := range t.CA {
-		if strings.HasPrefix(gun.String(), gunPrefix) && len(gunPrefix) >= len(specificGUN) {
-			specificGUN = gunPrefix
-			specificCAFilepath = caFilepath
-			foundCA = true
-		}
-	}
-	if !foundCA {
-		return "", fmt.Errorf("could not find pinned CA for GUN: %s", gun)
-	}
-	return specificCAFilepath, nil
-}
-
-// wildcardMatch will attempt to match the most specific (longest prefix) wildcarded
-// trustpinning option for key IDs. Given the simple globbing and the use of maps,
-// it is impossible to have two different prefixes of equal length.
-// This logic also solves the issue of Go's randomization of map iteration.
-func wildcardMatch(gun data.GUN, certs map[string][]string) ([]string, bool) {
-	var (
-		longest = ""
-		ids     []string
-	)
-	for gunPrefix, keyIDs := range certs {
-		if strings.HasSuffix(gunPrefix, "*") {
-			if strings.HasPrefix(gun.String(), gunPrefix[:len(gunPrefix)-1]) && len(gunPrefix) > len(longest) {
-				longest = gunPrefix
-				ids = keyIDs
-			}
-		}
-	}
-	return ids, ids != nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/LICENSE b/vendor/github.com/theupdateframework/notary/tuf/LICENSE
deleted file mode 100644
index d92ae9ee..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/LICENSE
+++ /dev/null
@@ -1,30 +0,0 @@
-Copyright (c) 2015, Docker Inc.
-Copyright (c) 2014-2015 Prime Directive, Inc.
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Prime Directive, Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/theupdateframework/notary/tuf/README.md b/vendor/github.com/theupdateframework/notary/tuf/README.md
deleted file mode 100644
index 22dd9cd1..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-## Credits
-
-This implementation was originally forked from [flynn/go-tuf](https://github.com/flynn/go-tuf)
-
-This implementation retains the same 3 Clause BSD license present on 
-the original flynn implementation.
diff --git a/vendor/github.com/theupdateframework/notary/tuf/builder.go b/vendor/github.com/theupdateframework/notary/tuf/builder.go
deleted file mode 100644
index 7d9fc97e..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/builder.go
+++ /dev/null
@@ -1,732 +0,0 @@
-package tuf
-
-import (
-	"fmt"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/theupdateframework/notary"
-
-	"github.com/theupdateframework/notary/trustpinning"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// ErrBuildDone is returned when any functions are called on RepoBuilder, and it
-// is already finished building
-var ErrBuildDone = fmt.Errorf(
-	"the builder has finished building and cannot accept any more input or produce any more output")
-
-// ErrInvalidBuilderInput is returned when RepoBuilder.Load is called
-// with the wrong type of metadata for the state that it's in
-type ErrInvalidBuilderInput struct{ msg string }
-
-func (e ErrInvalidBuilderInput) Error() string {
-	return e.msg
-}
-
-// ConsistentInfo is the consistent name and size of a role, or just the name
-// of the role and a -1 if no file metadata for the role is known
-type ConsistentInfo struct {
-	RoleName data.RoleName
-	fileMeta data.FileMeta
-}
-
-// ChecksumKnown determines whether or not we know enough to provide a size and
-// consistent name
-func (c ConsistentInfo) ChecksumKnown() bool {
-	// empty hash, no size : this is the zero value
-	return len(c.fileMeta.Hashes) > 0 || c.fileMeta.Length != 0
-}
-
-// ConsistentName returns the consistent name (rolename.sha256) for the role
-// given this consistent information
-func (c ConsistentInfo) ConsistentName() string {
-	return utils.ConsistentName(c.RoleName.String(), c.fileMeta.Hashes[notary.SHA256])
-}
-
-// Length returns the expected length of the role as per this consistent
-// information - if no checksum information is known, the size is -1.
-func (c ConsistentInfo) Length() int64 {
-	if c.ChecksumKnown() {
-		return c.fileMeta.Length
-	}
-	return -1
-}
-
-// RepoBuilder is an interface for an object which builds a tuf.Repo
-type RepoBuilder interface {
-	Load(roleName data.RoleName, content []byte, minVersion int, allowExpired bool) error
-	LoadRootForUpdate(content []byte, minVersion int, isFinal bool) error
-	GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int, error)
-	GenerateTimestamp(prev *data.SignedTimestamp) ([]byte, int, error)
-	Finish() (*Repo, *Repo, error)
-	BootstrapNewBuilder() RepoBuilder
-	BootstrapNewBuilderWithNewTrustpin(trustpin trustpinning.TrustPinConfig) RepoBuilder
-
-	// informative functions
-	IsLoaded(roleName data.RoleName) bool
-	GetLoadedVersion(roleName data.RoleName) int
-	GetConsistentInfo(roleName data.RoleName) ConsistentInfo
-}
-
-// finishedBuilder refuses any more input or output
-type finishedBuilder struct{}
-
-func (f finishedBuilder) Load(roleName data.RoleName, content []byte, minVersion int, allowExpired bool) error {
-	return ErrBuildDone
-}
-func (f finishedBuilder) LoadRootForUpdate(content []byte, minVersion int, isFinal bool) error {
-	return ErrBuildDone
-}
-func (f finishedBuilder) GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int, error) {
-	return nil, 0, ErrBuildDone
-}
-func (f finishedBuilder) GenerateTimestamp(prev *data.SignedTimestamp) ([]byte, int, error) {
-	return nil, 0, ErrBuildDone
-}
-func (f finishedBuilder) Finish() (*Repo, *Repo, error)    { return nil, nil, ErrBuildDone }
-func (f finishedBuilder) BootstrapNewBuilder() RepoBuilder { return f }
-func (f finishedBuilder) BootstrapNewBuilderWithNewTrustpin(trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return f
-}
-func (f finishedBuilder) IsLoaded(roleName data.RoleName) bool        { return false }
-func (f finishedBuilder) GetLoadedVersion(roleName data.RoleName) int { return 0 }
-func (f finishedBuilder) GetConsistentInfo(roleName data.RoleName) ConsistentInfo {
-	return ConsistentInfo{RoleName: roleName}
-}
-
-// NewRepoBuilder is the only way to get a pre-built RepoBuilder
-func NewRepoBuilder(gun data.GUN, cs signed.CryptoService, trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return NewBuilderFromRepo(gun, NewRepo(cs), trustpin)
-}
-
-// NewBuilderFromRepo allows us to bootstrap a builder given existing repo data.
-// YOU PROBABLY SHOULDN'T BE USING THIS OUTSIDE OF TESTING CODE!!!
-func NewBuilderFromRepo(gun data.GUN, repo *Repo, trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return &repoBuilderWrapper{
-		RepoBuilder: &repoBuilder{
-			repo:                 repo,
-			invalidRoles:         NewRepo(nil),
-			gun:                  gun,
-			trustpin:             trustpin,
-			loadedNotChecksummed: make(map[data.RoleName][]byte),
-		},
-	}
-}
-
-// repoBuilderWrapper embeds a repoBuilder, but once Finish is called, swaps
-// the embed out with a finishedBuilder
-type repoBuilderWrapper struct {
-	RepoBuilder
-}
-
-func (rbw *repoBuilderWrapper) Finish() (*Repo, *Repo, error) {
-	switch rbw.RepoBuilder.(type) {
-	case finishedBuilder:
-		return rbw.RepoBuilder.Finish()
-	default:
-		old := rbw.RepoBuilder
-		rbw.RepoBuilder = finishedBuilder{}
-		return old.Finish()
-	}
-}
-
-// repoBuilder actually builds a tuf.Repo
-type repoBuilder struct {
-	repo         *Repo
-	invalidRoles *Repo
-
-	// needed for root trust pininng verification
-	gun      data.GUN
-	trustpin trustpinning.TrustPinConfig
-
-	// in case we load root and/or targets before snapshot and timestamp (
-	// or snapshot and not timestamp), so we know what to verify when the
-	// data with checksums come in
-	loadedNotChecksummed map[data.RoleName][]byte
-
-	// bootstrapped values to validate a new root
-	prevRoot                 *data.SignedRoot
-	bootstrappedRootChecksum *data.FileMeta
-
-	// for bootstrapping the next builder
-	nextRootChecksum *data.FileMeta
-}
-
-func (rb *repoBuilder) Finish() (*Repo, *Repo, error) {
-	return rb.repo, rb.invalidRoles, nil
-}
-
-func (rb *repoBuilder) BootstrapNewBuilder() RepoBuilder {
-	return &repoBuilderWrapper{RepoBuilder: &repoBuilder{
-		repo:                 NewRepo(rb.repo.cryptoService),
-		invalidRoles:         NewRepo(nil),
-		gun:                  rb.gun,
-		loadedNotChecksummed: make(map[data.RoleName][]byte),
-		trustpin:             rb.trustpin,
-
-		prevRoot:                 rb.repo.Root,
-		bootstrappedRootChecksum: rb.nextRootChecksum,
-	}}
-}
-
-func (rb *repoBuilder) BootstrapNewBuilderWithNewTrustpin(trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return &repoBuilderWrapper{RepoBuilder: &repoBuilder{
-		repo:                 NewRepo(rb.repo.cryptoService),
-		gun:                  rb.gun,
-		loadedNotChecksummed: make(map[data.RoleName][]byte),
-		trustpin:             trustpin,
-
-		prevRoot:                 rb.repo.Root,
-		bootstrappedRootChecksum: rb.nextRootChecksum,
-	}}
-}
-
-// IsLoaded returns whether a particular role has already been loaded
-func (rb *repoBuilder) IsLoaded(roleName data.RoleName) bool {
-	switch roleName {
-	case data.CanonicalRootRole:
-		return rb.repo.Root != nil
-	case data.CanonicalSnapshotRole:
-		return rb.repo.Snapshot != nil
-	case data.CanonicalTimestampRole:
-		return rb.repo.Timestamp != nil
-	default:
-		return rb.repo.Targets[roleName] != nil
-	}
-}
-
-// GetLoadedVersion returns the metadata version, if it is loaded, or 1 (the
-// minimum valid version number) otherwise
-func (rb *repoBuilder) GetLoadedVersion(roleName data.RoleName) int {
-	switch {
-	case roleName == data.CanonicalRootRole && rb.repo.Root != nil:
-		return rb.repo.Root.Signed.Version
-	case roleName == data.CanonicalSnapshotRole && rb.repo.Snapshot != nil:
-		return rb.repo.Snapshot.Signed.Version
-	case roleName == data.CanonicalTimestampRole && rb.repo.Timestamp != nil:
-		return rb.repo.Timestamp.Signed.Version
-	default:
-		if tgts, ok := rb.repo.Targets[roleName]; ok {
-			return tgts.Signed.Version
-		}
-	}
-
-	return 1
-}
-
-// GetConsistentInfo returns the consistent name and size of a role, if it is known,
-// otherwise just the rolename and a -1 for size (both of which are inside a
-// ConsistentInfo object)
-func (rb *repoBuilder) GetConsistentInfo(roleName data.RoleName) ConsistentInfo {
-	info := ConsistentInfo{RoleName: roleName} // starts out with unknown filemeta
-	switch roleName {
-	case data.CanonicalTimestampRole:
-		// we do not want to get a consistent timestamp, but we do want to
-		// limit its size
-		info.fileMeta.Length = notary.MaxTimestampSize
-	case data.CanonicalSnapshotRole:
-		if rb.repo.Timestamp != nil {
-			info.fileMeta = rb.repo.Timestamp.Signed.Meta[roleName.String()]
-		}
-	case data.CanonicalRootRole:
-		switch {
-		case rb.bootstrappedRootChecksum != nil:
-			info.fileMeta = *rb.bootstrappedRootChecksum
-		case rb.repo.Snapshot != nil:
-			info.fileMeta = rb.repo.Snapshot.Signed.Meta[roleName.String()]
-		}
-	default:
-		if rb.repo.Snapshot != nil {
-			info.fileMeta = rb.repo.Snapshot.Signed.Meta[roleName.String()]
-		}
-	}
-	return info
-}
-
-func (rb *repoBuilder) Load(roleName data.RoleName, content []byte, minVersion int, allowExpired bool) error {
-	return rb.loadOptions(roleName, content, minVersion, allowExpired, false, false)
-}
-
-// LoadRootForUpdate adds additional flags for updating the root.json file
-func (rb *repoBuilder) LoadRootForUpdate(content []byte, minVersion int, isFinal bool) error {
-	if err := rb.loadOptions(data.CanonicalRootRole, content, minVersion, !isFinal, !isFinal, true); err != nil {
-		return err
-	}
-	if !isFinal {
-		rb.prevRoot = rb.repo.Root
-	}
-	return nil
-}
-
-// loadOptions adds additional flags that should only be used for updating the root.json
-func (rb *repoBuilder) loadOptions(roleName data.RoleName, content []byte, minVersion int, allowExpired, skipChecksum, allowLoaded bool) error {
-	if !data.ValidRole(roleName) {
-		return ErrInvalidBuilderInput{msg: fmt.Sprintf("%s is an invalid role", roleName)}
-	}
-
-	if !allowLoaded && rb.IsLoaded(roleName) {
-		return ErrInvalidBuilderInput{msg: fmt.Sprintf("%s has already been loaded", roleName)}
-	}
-
-	var err error
-	switch roleName {
-	case data.CanonicalRootRole:
-		break
-	case data.CanonicalTimestampRole, data.CanonicalSnapshotRole, data.CanonicalTargetsRole:
-		err = rb.checkPrereqsLoaded([]data.RoleName{data.CanonicalRootRole})
-	default: // delegations
-		err = rb.checkPrereqsLoaded([]data.RoleName{data.CanonicalRootRole, data.CanonicalTargetsRole})
-	}
-	if err != nil {
-		return err
-	}
-
-	switch roleName {
-	case data.CanonicalRootRole:
-		return rb.loadRoot(content, minVersion, allowExpired, skipChecksum)
-	case data.CanonicalSnapshotRole:
-		return rb.loadSnapshot(content, minVersion, allowExpired)
-	case data.CanonicalTimestampRole:
-		return rb.loadTimestamp(content, minVersion, allowExpired)
-	case data.CanonicalTargetsRole:
-		return rb.loadTargets(content, minVersion, allowExpired)
-	default:
-		return rb.loadDelegation(roleName, content, minVersion, allowExpired)
-	}
-}
-
-func (rb *repoBuilder) checkPrereqsLoaded(prereqRoles []data.RoleName) error {
-	for _, req := range prereqRoles {
-		if !rb.IsLoaded(req) {
-			return ErrInvalidBuilderInput{msg: fmt.Sprintf("%s must be loaded first", req)}
-		}
-	}
-	return nil
-}
-
-// GenerateSnapshot generates a new snapshot given a previous (optional) snapshot
-// We can't just load the previous snapshot, because it may have been signed by a different
-// snapshot key (maybe from a previous root version).  Note that we need the root role and
-// targets role to be loaded, because we need to generate metadata for both (and we need
-// the root to be loaded so we can get the snapshot role to sign with)
-func (rb *repoBuilder) GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int, error) {
-	switch {
-	case rb.repo.cryptoService == nil:
-		return nil, 0, ErrInvalidBuilderInput{msg: "cannot generate snapshot without a cryptoservice"}
-	case rb.IsLoaded(data.CanonicalSnapshotRole):
-		return nil, 0, ErrInvalidBuilderInput{msg: "snapshot has already been loaded"}
-	case rb.IsLoaded(data.CanonicalTimestampRole):
-		return nil, 0, ErrInvalidBuilderInput{msg: "cannot generate snapshot if timestamp has already been loaded"}
-	}
-
-	if err := rb.checkPrereqsLoaded([]data.RoleName{data.CanonicalRootRole}); err != nil {
-		return nil, 0, err
-	}
-
-	// If there is no previous snapshot, we need to generate one, and so the targets must
-	// have already been loaded.  Otherwise, so long as the previous snapshot structure is
-	// valid (it has a targets meta), we're good.
-	switch prev {
-	case nil:
-		if err := rb.checkPrereqsLoaded([]data.RoleName{data.CanonicalTargetsRole}); err != nil {
-			return nil, 0, err
-		}
-
-		if err := rb.repo.InitSnapshot(); err != nil {
-			rb.repo.Snapshot = nil
-			return nil, 0, err
-		}
-	default:
-		if err := data.IsValidSnapshotStructure(prev.Signed); err != nil {
-			return nil, 0, err
-		}
-		rb.repo.Snapshot = prev
-	}
-
-	sgnd, err := rb.repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
-	if err != nil {
-		rb.repo.Snapshot = nil
-		return nil, 0, err
-	}
-
-	sgndJSON, err := json.Marshal(sgnd)
-	if err != nil {
-		rb.repo.Snapshot = nil
-		return nil, 0, err
-	}
-
-	// loadedNotChecksummed should currently contain the root awaiting checksumming,
-	// since it has to have been loaded.  Since the snapshot was generated using
-	// the root and targets data (there may not be any) that have been loaded,
-	// remove all of them from rb.loadedNotChecksummed
-	for tgtName := range rb.repo.Targets {
-		delete(rb.loadedNotChecksummed, data.RoleName(tgtName))
-	}
-	delete(rb.loadedNotChecksummed, data.CanonicalRootRole)
-
-	// The timestamp can't have been loaded yet, so we want to cache the snapshot
-	// bytes so we can validate the checksum when a timestamp gets generated or
-	// loaded later.
-	rb.loadedNotChecksummed[data.CanonicalSnapshotRole] = sgndJSON
-
-	return sgndJSON, rb.repo.Snapshot.Signed.Version, nil
-}
-
-// GenerateTimestamp generates a new timestamp given a previous (optional) timestamp
-// We can't just load the previous timestamp, because it may have been signed by a different
-// timestamp key (maybe from a previous root version)
-func (rb *repoBuilder) GenerateTimestamp(prev *data.SignedTimestamp) ([]byte, int, error) {
-	switch {
-	case rb.repo.cryptoService == nil:
-		return nil, 0, ErrInvalidBuilderInput{msg: "cannot generate timestamp without a cryptoservice"}
-	case rb.IsLoaded(data.CanonicalTimestampRole):
-		return nil, 0, ErrInvalidBuilderInput{msg: "timestamp has already been loaded"}
-	}
-
-	// SignTimestamp always serializes the loaded snapshot and signs in the data, so we must always
-	// have the snapshot loaded first
-	if err := rb.checkPrereqsLoaded([]data.RoleName{data.CanonicalRootRole, data.CanonicalSnapshotRole}); err != nil {
-		return nil, 0, err
-	}
-
-	switch prev {
-	case nil:
-		if err := rb.repo.InitTimestamp(); err != nil {
-			rb.repo.Timestamp = nil
-			return nil, 0, err
-		}
-	default:
-		if err := data.IsValidTimestampStructure(prev.Signed); err != nil {
-			return nil, 0, err
-		}
-		rb.repo.Timestamp = prev
-	}
-
-	sgnd, err := rb.repo.SignTimestamp(data.DefaultExpires(data.CanonicalTimestampRole))
-	if err != nil {
-		rb.repo.Timestamp = nil
-		return nil, 0, err
-	}
-
-	sgndJSON, err := json.Marshal(sgnd)
-	if err != nil {
-		rb.repo.Timestamp = nil
-		return nil, 0, err
-	}
-
-	// The snapshot should have been loaded (and not checksummed, since a timestamp
-	// cannot have been loaded), so it is awaiting checksumming. Since this
-	// timestamp was generated using the snapshot awaiting checksumming, we can
-	// remove it from rb.loadedNotChecksummed. There should be no other items
-	// awaiting checksumming now since loading/generating a snapshot should have
-	// cleared out everything else in `loadNotChecksummed`.
-	delete(rb.loadedNotChecksummed, data.CanonicalSnapshotRole)
-
-	return sgndJSON, rb.repo.Timestamp.Signed.Version, nil
-}
-
-// loadRoot loads a root if one has not been loaded
-func (rb *repoBuilder) loadRoot(content []byte, minVersion int, allowExpired, skipChecksum bool) error {
-	roleName := data.CanonicalRootRole
-
-	signedObj, err := rb.bytesToSigned(content, data.CanonicalRootRole, skipChecksum)
-	if err != nil {
-		return err
-	}
-	// ValidateRoot validates against the previous root's role, as well as validates that the root
-	// itself is self-consistent with its own signatures and thresholds.
-	// This assumes that ValidateRoot calls data.RootFromSigned, which validates
-	// the metadata, rather than just unmarshalling signedObject into a SignedRoot object itself.
-	signedRoot, err := trustpinning.ValidateRoot(rb.prevRoot, signedObj, rb.gun, rb.trustpin)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedRoot.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedRoot.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	rootRole, err := signedRoot.BuildBaseRole(data.CanonicalRootRole)
-	if err != nil { // this should never happen since the root has been validated
-		return err
-	}
-	rb.repo.Root = signedRoot
-	rb.repo.originalRootRole = rootRole
-	return nil
-}
-
-func (rb *repoBuilder) loadTimestamp(content []byte, minVersion int, allowExpired bool) error {
-	roleName := data.CanonicalTimestampRole
-
-	timestampRole, err := rb.repo.Root.BuildBaseRole(roleName)
-	if err != nil { // this should never happen, since it's already been validated
-		return err
-	}
-
-	signedObj, err := rb.bytesToSignedAndValidateSigs(timestampRole, content)
-	if err != nil {
-		return err
-	}
-
-	signedTimestamp, err := data.TimestampFromSigned(signedObj)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedTimestamp.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedTimestamp.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	if err := rb.validateChecksumsFromTimestamp(signedTimestamp); err != nil {
-		return err
-	}
-
-	rb.repo.Timestamp = signedTimestamp
-	return nil
-}
-
-func (rb *repoBuilder) loadSnapshot(content []byte, minVersion int, allowExpired bool) error {
-	roleName := data.CanonicalSnapshotRole
-
-	snapshotRole, err := rb.repo.Root.BuildBaseRole(roleName)
-	if err != nil { // this should never happen, since it's already been validated
-		return err
-	}
-
-	signedObj, err := rb.bytesToSignedAndValidateSigs(snapshotRole, content)
-	if err != nil {
-		return err
-	}
-
-	signedSnapshot, err := data.SnapshotFromSigned(signedObj)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedSnapshot.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedSnapshot.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	// at this point, the only thing left to validate is existing checksums - we can use
-	// this snapshot to bootstrap the next builder if needed - and we don't need to do
-	// the 2-value assignment since we've already validated the signedSnapshot, which MUST
-	// have root metadata
-	rootMeta := signedSnapshot.Signed.Meta[data.CanonicalRootRole.String()]
-	rb.nextRootChecksum = &rootMeta
-
-	if err := rb.validateChecksumsFromSnapshot(signedSnapshot); err != nil {
-		return err
-	}
-
-	rb.repo.Snapshot = signedSnapshot
-	return nil
-}
-
-func (rb *repoBuilder) loadTargets(content []byte, minVersion int, allowExpired bool) error {
-	roleName := data.CanonicalTargetsRole
-
-	targetsRole, err := rb.repo.Root.BuildBaseRole(roleName)
-	if err != nil { // this should never happen, since it's already been validated
-		return err
-	}
-
-	signedObj, err := rb.bytesToSignedAndValidateSigs(targetsRole, content)
-	if err != nil {
-		return err
-	}
-
-	signedTargets, err := data.TargetsFromSigned(signedObj, roleName)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedTargets.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedTargets.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	signedTargets.Signatures = signedObj.Signatures
-	rb.repo.Targets[roleName] = signedTargets
-	return nil
-}
-
-func (rb *repoBuilder) loadDelegation(roleName data.RoleName, content []byte, minVersion int, allowExpired bool) error {
-	delegationRole, err := rb.repo.GetDelegationRole(roleName)
-	if err != nil {
-		return err
-	}
-
-	// bytesToSigned checks checksum
-	signedObj, err := rb.bytesToSigned(content, roleName, false)
-	if err != nil {
-		return err
-	}
-
-	signedTargets, err := data.TargetsFromSigned(signedObj, roleName)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedTargets.Signed.SignedCommon), minVersion); err != nil {
-		// don't capture in invalidRoles because the role we received is a rollback
-		return err
-	}
-
-	// verify signature
-	if err := signed.VerifySignatures(signedObj, delegationRole.BaseRole); err != nil {
-		rb.invalidRoles.Targets[roleName] = signedTargets
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedTargets.Signed.SignedCommon), roleName); err != nil {
-			rb.invalidRoles.Targets[roleName] = signedTargets
-			return err
-		}
-	}
-
-	signedTargets.Signatures = signedObj.Signatures
-	rb.repo.Targets[roleName] = signedTargets
-	return nil
-}
-
-func (rb *repoBuilder) validateChecksumsFromTimestamp(ts *data.SignedTimestamp) error {
-	sn, ok := rb.loadedNotChecksummed[data.CanonicalSnapshotRole]
-	if ok {
-		// by this point, the SignedTimestamp has been validated so it must have a snapshot hash
-		snMeta := ts.Signed.Meta[data.CanonicalSnapshotRole.String()].Hashes
-		if err := data.CheckHashes(sn, data.CanonicalSnapshotRole.String(), snMeta); err != nil {
-			return err
-		}
-		delete(rb.loadedNotChecksummed, data.CanonicalSnapshotRole)
-	}
-	return nil
-}
-
-func (rb *repoBuilder) validateChecksumsFromSnapshot(sn *data.SignedSnapshot) error {
-	var goodRoles []data.RoleName
-	for roleName, loadedBytes := range rb.loadedNotChecksummed {
-		switch roleName {
-		case data.CanonicalSnapshotRole, data.CanonicalTimestampRole:
-			break
-		default:
-			if err := data.CheckHashes(loadedBytes, roleName.String(), sn.Signed.Meta[roleName.String()].Hashes); err != nil {
-				return err
-			}
-			goodRoles = append(goodRoles, roleName)
-		}
-	}
-	for _, roleName := range goodRoles {
-		delete(rb.loadedNotChecksummed, roleName)
-	}
-	return nil
-}
-
-func (rb *repoBuilder) validateChecksumFor(content []byte, roleName data.RoleName) error {
-	// validate the bootstrap checksum for root, if provided
-	if roleName == data.CanonicalRootRole && rb.bootstrappedRootChecksum != nil {
-		if err := data.CheckHashes(content, roleName.String(), rb.bootstrappedRootChecksum.Hashes); err != nil {
-			return err
-		}
-	}
-
-	// but we also want to cache the root content, so that when the snapshot is
-	// loaded it is validated (to make sure everything in the repo is self-consistent)
-	checksums := rb.getChecksumsFor(roleName)
-	if checksums != nil { // as opposed to empty, in which case hash check should fail
-		if err := data.CheckHashes(content, roleName.String(), *checksums); err != nil {
-			return err
-		}
-	} else if roleName != data.CanonicalTimestampRole {
-		// timestamp is the only role which does not need to be checksummed, but
-		// for everything else, cache the contents in the list of roles that have
-		// not been checksummed by the snapshot/timestamp yet
-		rb.loadedNotChecksummed[roleName] = content
-	}
-
-	return nil
-}
-
-// Checksums the given bytes, and if they validate, convert to a data.Signed object.
-// If a checksums are nil (as opposed to empty), adds the bytes to the list of roles that
-// haven't been checksummed (unless it's a timestamp, which has no checksum reference).
-func (rb *repoBuilder) bytesToSigned(content []byte, roleName data.RoleName, skipChecksum bool) (*data.Signed, error) {
-	if !skipChecksum {
-		if err := rb.validateChecksumFor(content, roleName); err != nil {
-			return nil, err
-		}
-	}
-
-	// unmarshal to signed
-	signedObj := &data.Signed{}
-	if err := json.Unmarshal(content, signedObj); err != nil {
-		return nil, err
-	}
-
-	return signedObj, nil
-}
-
-func (rb *repoBuilder) bytesToSignedAndValidateSigs(role data.BaseRole, content []byte) (*data.Signed, error) {
-
-	signedObj, err := rb.bytesToSigned(content, role.Name, false)
-	if err != nil {
-		return nil, err
-	}
-
-	// verify signature
-	if err := signed.VerifySignatures(signedObj, role); err != nil {
-		return nil, err
-	}
-
-	return signedObj, nil
-}
-
-// If the checksum reference (the loaded timestamp for the snapshot role, and
-// the loaded snapshot for every other role except timestamp and snapshot) is nil,
-// then return nil for the checksums, meaning that the checksum is not yet
-// available.  If the checksum reference *is* loaded, then always returns the
-// Hashes object for the given role - if it doesn't exist, returns an empty Hash
-// object (against which any checksum validation would fail).
-func (rb *repoBuilder) getChecksumsFor(role data.RoleName) *data.Hashes {
-	var hashes data.Hashes
-	switch role {
-	case data.CanonicalTimestampRole:
-		return nil
-	case data.CanonicalSnapshotRole:
-		if rb.repo.Timestamp == nil {
-			return nil
-		}
-		hashes = rb.repo.Timestamp.Signed.Meta[data.CanonicalSnapshotRole.String()].Hashes
-	default:
-		if rb.repo.Snapshot == nil {
-			return nil
-		}
-		hashes = rb.repo.Snapshot.Signed.Meta[role.String()].Hashes
-	}
-	return &hashes
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/errors.go b/vendor/github.com/theupdateframework/notary/tuf/data/errors.go
deleted file mode 100644
index 32dd2506..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/errors.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package data
-
-import "fmt"
-
-// ErrInvalidMetadata is the error to be returned when metadata is invalid
-type ErrInvalidMetadata struct {
-	role RoleName
-	msg  string
-}
-
-func (e ErrInvalidMetadata) Error() string {
-	return fmt.Sprintf("%s type metadata invalid: %s", e.role.String(), e.msg)
-}
-
-// ErrMissingMeta - couldn't find the FileMeta object for the given Role, or
-// the FileMeta object contained no supported checksums
-type ErrMissingMeta struct {
-	Role string
-}
-
-func (e ErrMissingMeta) Error() string {
-	return fmt.Sprintf("no checksums for supported algorithms were provided for %s", e.Role)
-}
-
-// ErrInvalidChecksum is the error to be returned when checksum is invalid
-type ErrInvalidChecksum struct {
-	alg string
-}
-
-func (e ErrInvalidChecksum) Error() string {
-	return fmt.Sprintf("%s checksum invalid", e.alg)
-}
-
-// ErrMismatchedChecksum is the error to be returned when checksum is mismatched
-type ErrMismatchedChecksum struct {
-	alg      string
-	name     string
-	expected string
-}
-
-func (e ErrMismatchedChecksum) Error() string {
-	return fmt.Sprintf("%s checksum for %s did not match: expected %s", e.alg, e.name,
-		e.expected)
-}
-
-// ErrCertExpired is the error to be returned when a certificate has expired
-type ErrCertExpired struct {
-	CN string
-}
-
-func (e ErrCertExpired) Error() string {
-	return fmt.Sprintf("certificate with CN %s is expired", e.CN)
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/keys.go b/vendor/github.com/theupdateframework/notary/tuf/data/keys.go
deleted file mode 100644
index 75b76b80..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/keys.go
+++ /dev/null
@@ -1,529 +0,0 @@
-package data
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/asn1"
-	"encoding/hex"
-	"errors"
-	"io"
-	"math/big"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/crypto/ed25519"
-)
-
-// PublicKey is the necessary interface for public keys
-type PublicKey interface {
-	ID() string
-	Algorithm() string
-	Public() []byte
-}
-
-// PrivateKey adds the ability to access the private key
-type PrivateKey interface {
-	PublicKey
-	Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error)
-	Private() []byte
-	CryptoSigner() crypto.Signer
-	SignatureAlgorithm() SigAlgorithm
-}
-
-// KeyPair holds the public and private key bytes
-type KeyPair struct {
-	Public  []byte `json:"public"`
-	Private []byte `json:"private"`
-}
-
-// Keys represents a map of key ID to PublicKey object. It's necessary
-// to allow us to unmarshal into an interface via the json.Unmarshaller
-// interface
-type Keys map[string]PublicKey
-
-// UnmarshalJSON implements the json.Unmarshaller interface
-func (ks *Keys) UnmarshalJSON(data []byte) error {
-	parsed := make(map[string]TUFKey)
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return err
-	}
-	final := make(map[string]PublicKey)
-	for k, tk := range parsed {
-		final[k] = typedPublicKey(tk)
-	}
-	*ks = final
-	return nil
-}
-
-// KeyList represents a list of keys
-type KeyList []PublicKey
-
-// UnmarshalJSON implements the json.Unmarshaller interface
-func (ks *KeyList) UnmarshalJSON(data []byte) error {
-	parsed := make([]TUFKey, 0, 1)
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return err
-	}
-	final := make([]PublicKey, 0, len(parsed))
-	for _, tk := range parsed {
-		final = append(final, typedPublicKey(tk))
-	}
-	*ks = final
-	return nil
-}
-
-// IDs generates a list of the hex encoded key IDs in the KeyList
-func (ks KeyList) IDs() []string {
-	keyIDs := make([]string, 0, len(ks))
-	for _, k := range ks {
-		keyIDs = append(keyIDs, k.ID())
-	}
-	return keyIDs
-}
-
-func typedPublicKey(tk TUFKey) PublicKey {
-	switch tk.Algorithm() {
-	case ECDSAKey:
-		return &ECDSAPublicKey{TUFKey: tk}
-	case ECDSAx509Key:
-		return &ECDSAx509PublicKey{TUFKey: tk}
-	case RSAKey:
-		return &RSAPublicKey{TUFKey: tk}
-	case RSAx509Key:
-		return &RSAx509PublicKey{TUFKey: tk}
-	case ED25519Key:
-		return &ED25519PublicKey{TUFKey: tk}
-	}
-	return &UnknownPublicKey{TUFKey: tk}
-}
-
-func typedPrivateKey(tk TUFKey) (PrivateKey, error) {
-	private := tk.Value.Private
-	tk.Value.Private = nil
-	switch tk.Algorithm() {
-	case ECDSAKey:
-		return NewECDSAPrivateKey(
-			&ECDSAPublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case ECDSAx509Key:
-		return NewECDSAPrivateKey(
-			&ECDSAx509PublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case RSAKey:
-		return NewRSAPrivateKey(
-			&RSAPublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case RSAx509Key:
-		return NewRSAPrivateKey(
-			&RSAx509PublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case ED25519Key:
-		return NewED25519PrivateKey(
-			ED25519PublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	}
-	return &UnknownPrivateKey{
-		TUFKey:     tk,
-		privateKey: privateKey{private: private},
-	}, nil
-}
-
-// NewPublicKey creates a new, correctly typed PublicKey, using the
-// UnknownPublicKey catchall for unsupported ciphers
-func NewPublicKey(alg string, public []byte) PublicKey {
-	tk := TUFKey{
-		Type: alg,
-		Value: KeyPair{
-			Public: public,
-		},
-	}
-	return typedPublicKey(tk)
-}
-
-// NewPrivateKey creates a new, correctly typed PrivateKey, using the
-// UnknownPrivateKey catchall for unsupported ciphers
-func NewPrivateKey(pubKey PublicKey, private []byte) (PrivateKey, error) {
-	tk := TUFKey{
-		Type: pubKey.Algorithm(),
-		Value: KeyPair{
-			Public:  pubKey.Public(),
-			Private: private, // typedPrivateKey moves this value
-		},
-	}
-	return typedPrivateKey(tk)
-}
-
-// UnmarshalPublicKey is used to parse individual public keys in JSON
-func UnmarshalPublicKey(data []byte) (PublicKey, error) {
-	var parsed TUFKey
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return nil, err
-	}
-	return typedPublicKey(parsed), nil
-}
-
-// UnmarshalPrivateKey is used to parse individual private keys in JSON
-func UnmarshalPrivateKey(data []byte) (PrivateKey, error) {
-	var parsed TUFKey
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return nil, err
-	}
-	return typedPrivateKey(parsed)
-}
-
-// TUFKey is the structure used for both public and private keys in TUF.
-// Normally it would make sense to use a different structures for public and
-// private keys, but that would change the key ID algorithm (since the canonical
-// JSON would be different). This structure should normally be accessed through
-// the PublicKey or PrivateKey interfaces.
-type TUFKey struct {
-	id    string
-	Type  string  `json:"keytype"`
-	Value KeyPair `json:"keyval"`
-}
-
-// Algorithm returns the algorithm of the key
-func (k TUFKey) Algorithm() string {
-	return k.Type
-}
-
-// ID efficiently generates if necessary, and caches the ID of the key
-func (k *TUFKey) ID() string {
-	if k.id == "" {
-		pubK := TUFKey{
-			Type: k.Algorithm(),
-			Value: KeyPair{
-				Public:  k.Public(),
-				Private: nil,
-			},
-		}
-		data, err := json.MarshalCanonical(&pubK)
-		if err != nil {
-			logrus.Error("Error generating key ID:", err)
-		}
-		digest := sha256.Sum256(data)
-		k.id = hex.EncodeToString(digest[:])
-	}
-	return k.id
-}
-
-// Public returns the public bytes
-func (k TUFKey) Public() []byte {
-	return k.Value.Public
-}
-
-// Public key types
-
-// ECDSAPublicKey represents an ECDSA key using a raw serialization
-// of the public key
-type ECDSAPublicKey struct {
-	TUFKey
-}
-
-// ECDSAx509PublicKey represents an ECDSA key using an x509 cert
-// as the serialized format of the public key
-type ECDSAx509PublicKey struct {
-	TUFKey
-}
-
-// RSAPublicKey represents an RSA key using a raw serialization
-// of the public key
-type RSAPublicKey struct {
-	TUFKey
-}
-
-// RSAx509PublicKey represents an RSA key using an x509 cert
-// as the serialized format of the public key
-type RSAx509PublicKey struct {
-	TUFKey
-}
-
-// ED25519PublicKey represents an ED25519 key using a raw serialization
-// of the public key
-type ED25519PublicKey struct {
-	TUFKey
-}
-
-// UnknownPublicKey is a catchall for key types that are not supported
-type UnknownPublicKey struct {
-	TUFKey
-}
-
-// NewECDSAPublicKey initializes a new public key with the ECDSAKey type
-func NewECDSAPublicKey(public []byte) *ECDSAPublicKey {
-	return &ECDSAPublicKey{
-		TUFKey: TUFKey{
-			Type: ECDSAKey,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewECDSAx509PublicKey initializes a new public key with the ECDSAx509Key type
-func NewECDSAx509PublicKey(public []byte) *ECDSAx509PublicKey {
-	return &ECDSAx509PublicKey{
-		TUFKey: TUFKey{
-			Type: ECDSAx509Key,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewRSAPublicKey initializes a new public key with the RSA type
-func NewRSAPublicKey(public []byte) *RSAPublicKey {
-	return &RSAPublicKey{
-		TUFKey: TUFKey{
-			Type: RSAKey,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewRSAx509PublicKey initializes a new public key with the RSAx509Key type
-func NewRSAx509PublicKey(public []byte) *RSAx509PublicKey {
-	return &RSAx509PublicKey{
-		TUFKey: TUFKey{
-			Type: RSAx509Key,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewED25519PublicKey initializes a new public key with the ED25519Key type
-func NewED25519PublicKey(public []byte) *ED25519PublicKey {
-	return &ED25519PublicKey{
-		TUFKey: TUFKey{
-			Type: ED25519Key,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// Private key types
-type privateKey struct {
-	private []byte
-}
-
-type signer struct {
-	signer crypto.Signer
-}
-
-// ECDSAPrivateKey represents a private ECDSA key
-type ECDSAPrivateKey struct {
-	PublicKey
-	privateKey
-	signer
-}
-
-// RSAPrivateKey represents a private RSA key
-type RSAPrivateKey struct {
-	PublicKey
-	privateKey
-	signer
-}
-
-// ED25519PrivateKey represents a private ED25519 key
-type ED25519PrivateKey struct {
-	ED25519PublicKey
-	privateKey
-}
-
-// UnknownPrivateKey is a catchall for unsupported key types
-type UnknownPrivateKey struct {
-	TUFKey
-	privateKey
-}
-
-// NewECDSAPrivateKey initializes a new ECDSA private key
-func NewECDSAPrivateKey(public PublicKey, private []byte) (*ECDSAPrivateKey, error) {
-	switch public.(type) {
-	case *ECDSAPublicKey, *ECDSAx509PublicKey:
-	default:
-		return nil, errors.New("invalid public key type provided to NewECDSAPrivateKey")
-	}
-	ecdsaPrivKey, err := x509.ParseECPrivateKey(private)
-	if err != nil {
-		return nil, err
-	}
-	return &ECDSAPrivateKey{
-		PublicKey:  public,
-		privateKey: privateKey{private: private},
-		signer:     signer{signer: ecdsaPrivKey},
-	}, nil
-}
-
-// NewRSAPrivateKey initialized a new RSA private key
-func NewRSAPrivateKey(public PublicKey, private []byte) (*RSAPrivateKey, error) {
-	switch public.(type) {
-	case *RSAPublicKey, *RSAx509PublicKey:
-	default:
-		return nil, errors.New("invalid public key type provided to NewRSAPrivateKey")
-	}
-	rsaPrivKey, err := x509.ParsePKCS1PrivateKey(private)
-	if err != nil {
-		return nil, err
-	}
-	return &RSAPrivateKey{
-		PublicKey:  public,
-		privateKey: privateKey{private: private},
-		signer:     signer{signer: rsaPrivKey},
-	}, nil
-}
-
-// NewED25519PrivateKey initialized a new ED25519 private key
-func NewED25519PrivateKey(public ED25519PublicKey, private []byte) (*ED25519PrivateKey, error) {
-	return &ED25519PrivateKey{
-		ED25519PublicKey: public,
-		privateKey:       privateKey{private: private},
-	}, nil
-}
-
-// Private return the serialized private bytes of the key
-func (k privateKey) Private() []byte {
-	return k.private
-}
-
-// CryptoSigner returns the underlying crypto.Signer for use cases where we need the default
-// signature or public key functionality (like when we generate certificates)
-func (s signer) CryptoSigner() crypto.Signer {
-	return s.signer
-}
-
-// CryptoSigner returns the ED25519PrivateKey which already implements crypto.Signer
-func (k ED25519PrivateKey) CryptoSigner() crypto.Signer {
-	return nil
-}
-
-// CryptoSigner returns the UnknownPrivateKey which already implements crypto.Signer
-func (k UnknownPrivateKey) CryptoSigner() crypto.Signer {
-	return nil
-}
-
-type ecdsaSig struct {
-	R *big.Int
-	S *big.Int
-}
-
-// Sign creates an ecdsa signature
-func (k ECDSAPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	ecdsaPrivKey, ok := k.CryptoSigner().(*ecdsa.PrivateKey)
-	if !ok {
-		return nil, errors.New("signer was based on the wrong key type")
-	}
-	hashed := sha256.Sum256(msg)
-	sigASN1, err := ecdsaPrivKey.Sign(rand, hashed[:], opts)
-	if err != nil {
-		return nil, err
-	}
-
-	sig := ecdsaSig{}
-	_, err = asn1.Unmarshal(sigASN1, &sig)
-	if err != nil {
-		return nil, err
-	}
-	rBytes, sBytes := sig.R.Bytes(), sig.S.Bytes()
-	octetLength := (ecdsaPrivKey.Params().BitSize + 7) >> 3
-
-	// MUST include leading zeros in the output
-	rBuf := make([]byte, octetLength-len(rBytes), octetLength)
-	sBuf := make([]byte, octetLength-len(sBytes), octetLength)
-
-	rBuf = append(rBuf, rBytes...)
-	sBuf = append(sBuf, sBytes...)
-	return append(rBuf, sBuf...), nil
-}
-
-// Sign creates an rsa signature
-func (k RSAPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	hashed := sha256.Sum256(msg)
-	if opts == nil {
-		opts = &rsa.PSSOptions{
-			SaltLength: rsa.PSSSaltLengthEqualsHash,
-			Hash:       crypto.SHA256,
-		}
-	}
-	return k.CryptoSigner().Sign(rand, hashed[:], opts)
-}
-
-// Sign creates an ed25519 signature
-func (k ED25519PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	priv := make([]byte, ed25519.PrivateKeySize)
-	// The ed25519 key is serialized as public key then private key, so just use private key here.
-	copy(priv, k.private[ed25519.PublicKeySize:])
-	return ed25519.Sign(ed25519.PrivateKey(priv), msg)[:], nil
-}
-
-// Sign on an UnknownPrivateKey raises an error because the client does not
-// know how to sign with this key type.
-func (k UnknownPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	return nil, errors.New("unknown key type, cannot sign")
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for a ECDSAPrivateKey
-func (k ECDSAPrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return ECDSASignature
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for a RSAPrivateKey
-func (k RSAPrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return RSAPSSSignature
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for a ED25519PrivateKey
-func (k ED25519PrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return EDDSASignature
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for an UnknownPrivateKey
-func (k UnknownPrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return ""
-}
-
-// PublicKeyFromPrivate returns a new TUFKey based on a private key, with
-// the private key bytes guaranteed to be nil.
-func PublicKeyFromPrivate(pk PrivateKey) PublicKey {
-	return typedPublicKey(TUFKey{
-		Type: pk.Algorithm(),
-		Value: KeyPair{
-			Public:  pk.Public(),
-			Private: nil,
-		},
-	})
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/roles.go b/vendor/github.com/theupdateframework/notary/tuf/data/roles.go
deleted file mode 100644
index c4e25af2..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/roles.go
+++ /dev/null
@@ -1,339 +0,0 @@
-package data
-
-import (
-	"fmt"
-	"path"
-	"regexp"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-)
-
-// Canonical base role names
-var (
-	CanonicalRootRole      RoleName = "root"
-	CanonicalTargetsRole   RoleName = "targets"
-	CanonicalSnapshotRole  RoleName = "snapshot"
-	CanonicalTimestampRole RoleName = "timestamp"
-)
-
-// BaseRoles is an easy to iterate list of the top level
-// roles.
-var BaseRoles = []RoleName{
-	CanonicalRootRole,
-	CanonicalTargetsRole,
-	CanonicalSnapshotRole,
-	CanonicalTimestampRole,
-}
-
-// Regex for validating delegation names
-var delegationRegexp = regexp.MustCompile("^[-a-z0-9_/]+$")
-
-// ErrNoSuchRole indicates the roles doesn't exist
-type ErrNoSuchRole struct {
-	Role RoleName
-}
-
-func (e ErrNoSuchRole) Error() string {
-	return fmt.Sprintf("role does not exist: %s", e.Role)
-}
-
-// ErrInvalidRole represents an error regarding a role. Typically
-// something like a role for which sone of the public keys were
-// not found in the TUF repo.
-type ErrInvalidRole struct {
-	Role   RoleName
-	Reason string
-}
-
-func (e ErrInvalidRole) Error() string {
-	if e.Reason != "" {
-		return fmt.Sprintf("tuf: invalid role %s. %s", e.Role, e.Reason)
-	}
-	return fmt.Sprintf("tuf: invalid role %s.", e.Role)
-}
-
-// ValidRole only determines the name is semantically
-// correct. For target delegated roles, it does NOT check
-// the appropriate parent roles exist.
-func ValidRole(name RoleName) bool {
-	if IsDelegation(name) {
-		return true
-	}
-
-	for _, v := range BaseRoles {
-		if name == v {
-			return true
-		}
-	}
-	return false
-}
-
-// IsDelegation checks if the role is a delegation or a root role
-func IsDelegation(role RoleName) bool {
-	strRole := role.String()
-	targetsBase := CanonicalTargetsRole + "/"
-
-	whitelistedChars := delegationRegexp.MatchString(strRole)
-
-	// Limit size of full role string to 255 chars for db column size limit
-	correctLength := len(role) < 256
-
-	// Removes ., .., extra slashes, and trailing slash
-	isClean := path.Clean(strRole) == strRole
-	return strings.HasPrefix(strRole, targetsBase.String()) &&
-		whitelistedChars &&
-		correctLength &&
-		isClean
-}
-
-// IsBaseRole checks if the role is a base role
-func IsBaseRole(role RoleName) bool {
-	for _, baseRole := range BaseRoles {
-		if role == baseRole {
-			return true
-		}
-	}
-	return false
-}
-
-// IsWildDelegation determines if a role represents a valid wildcard delegation
-// path, i.e. targets/*, targets/foo/*.
-// The wildcard may only appear as the final part of the delegation and must
-// be a whole segment, i.e. targets/foo* is not a valid wildcard delegation.
-func IsWildDelegation(role RoleName) bool {
-	if path.Clean(role.String()) != role.String() {
-		return false
-	}
-	base := role.Parent()
-	if !(IsDelegation(base) || base == CanonicalTargetsRole) {
-		return false
-	}
-	return role[len(role)-2:] == "/*"
-}
-
-// BaseRole is an internal representation of a root/targets/snapshot/timestamp role, with its public keys included
-type BaseRole struct {
-	Keys      map[string]PublicKey
-	Name      RoleName
-	Threshold int
-}
-
-// NewBaseRole creates a new BaseRole object with the provided parameters
-func NewBaseRole(name RoleName, threshold int, keys ...PublicKey) BaseRole {
-	r := BaseRole{
-		Name:      name,
-		Threshold: threshold,
-		Keys:      make(map[string]PublicKey),
-	}
-	for _, k := range keys {
-		r.Keys[k.ID()] = k
-	}
-	return r
-}
-
-// ListKeys retrieves the public keys valid for this role
-func (b BaseRole) ListKeys() KeyList {
-	return listKeys(b.Keys)
-}
-
-// ListKeyIDs retrieves the list of key IDs valid for this role
-func (b BaseRole) ListKeyIDs() []string {
-	return listKeyIDs(b.Keys)
-}
-
-// Equals returns whether this BaseRole equals another BaseRole
-func (b BaseRole) Equals(o BaseRole) bool {
-	if b.Threshold != o.Threshold || b.Name != o.Name || len(b.Keys) != len(o.Keys) {
-		return false
-	}
-
-	for keyID, key := range b.Keys {
-		oKey, ok := o.Keys[keyID]
-		if !ok || key.ID() != oKey.ID() {
-			return false
-		}
-	}
-
-	return true
-}
-
-// DelegationRole is an internal representation of a delegation role, with its public keys included
-type DelegationRole struct {
-	BaseRole
-	Paths []string
-}
-
-func listKeys(keyMap map[string]PublicKey) KeyList {
-	keys := KeyList{}
-	for _, key := range keyMap {
-		keys = append(keys, key)
-	}
-	return keys
-}
-
-func listKeyIDs(keyMap map[string]PublicKey) []string {
-	keyIDs := []string{}
-	for id := range keyMap {
-		keyIDs = append(keyIDs, id)
-	}
-	return keyIDs
-}
-
-// Restrict restricts the paths and path hash prefixes for the passed in delegation role,
-// returning a copy of the role with validated paths as if it was a direct child
-func (d DelegationRole) Restrict(child DelegationRole) (DelegationRole, error) {
-	if !d.IsParentOf(child) {
-		return DelegationRole{}, fmt.Errorf("%s is not a parent of %s", d.Name, child.Name)
-	}
-	return DelegationRole{
-		BaseRole: BaseRole{
-			Keys:      child.Keys,
-			Name:      child.Name,
-			Threshold: child.Threshold,
-		},
-		Paths: RestrictDelegationPathPrefixes(d.Paths, child.Paths),
-	}, nil
-}
-
-// IsParentOf returns whether the passed in delegation role is the direct child of this role,
-// determined by delegation name.
-// Ex: targets/a is a direct parent of targets/a/b, but targets/a is not a direct parent of targets/a/b/c
-func (d DelegationRole) IsParentOf(child DelegationRole) bool {
-	return path.Dir(child.Name.String()) == d.Name.String()
-}
-
-// CheckPaths checks if a given path is valid for the role
-func (d DelegationRole) CheckPaths(path string) bool {
-	return checkPaths(path, d.Paths)
-}
-
-func checkPaths(path string, permitted []string) bool {
-	for _, p := range permitted {
-		if strings.HasPrefix(path, p) {
-			return true
-		}
-	}
-	return false
-}
-
-// RestrictDelegationPathPrefixes returns the list of valid delegationPaths that are prefixed by parentPaths
-func RestrictDelegationPathPrefixes(parentPaths, delegationPaths []string) []string {
-	validPaths := []string{}
-	if len(delegationPaths) == 0 {
-		return validPaths
-	}
-
-	// Validate each individual delegation path
-	for _, delgPath := range delegationPaths {
-		isPrefixed := false
-		for _, parentPath := range parentPaths {
-			if strings.HasPrefix(delgPath, parentPath) {
-				isPrefixed = true
-				break
-			}
-		}
-		// If the delegation path did not match prefix against any parent path, it is not valid
-		if isPrefixed {
-			validPaths = append(validPaths, delgPath)
-		}
-	}
-	return validPaths
-}
-
-// RootRole is a cut down role as it appears in the root.json
-// Eventually should only be used for immediately before and after serialization/deserialization
-type RootRole struct {
-	KeyIDs    []string `json:"keyids"`
-	Threshold int      `json:"threshold"`
-}
-
-// Role is a more verbose role as they appear in targets delegations
-// Eventually should only be used for immediately before and after serialization/deserialization
-type Role struct {
-	RootRole
-	Name  RoleName `json:"name"`
-	Paths []string `json:"paths,omitempty"`
-}
-
-// NewRole creates a new Role object from the given parameters
-func NewRole(name RoleName, threshold int, keyIDs, paths []string) (*Role, error) {
-	if IsDelegation(name) {
-		if len(paths) == 0 {
-			logrus.Debugf("role %s with no Paths will never be able to publish content until one or more are added", name)
-		}
-	}
-	if threshold < 1 {
-		return nil, ErrInvalidRole{Role: name}
-	}
-	if !ValidRole(name) {
-		return nil, ErrInvalidRole{Role: name}
-	}
-	return &Role{
-		RootRole: RootRole{
-			KeyIDs:    keyIDs,
-			Threshold: threshold,
-		},
-		Name:  name,
-		Paths: paths,
-	}, nil
-
-}
-
-// CheckPaths checks if a given path is valid for the role
-func (r Role) CheckPaths(path string) bool {
-	return checkPaths(path, r.Paths)
-}
-
-// AddKeys merges the ids into the current list of role key ids
-func (r *Role) AddKeys(ids []string) {
-	r.KeyIDs = mergeStrSlices(r.KeyIDs, ids)
-}
-
-// AddPaths merges the paths into the current list of role paths
-func (r *Role) AddPaths(paths []string) error {
-	if len(paths) == 0 {
-		return nil
-	}
-	r.Paths = mergeStrSlices(r.Paths, paths)
-	return nil
-}
-
-// RemoveKeys removes the ids from the current list of key ids
-func (r *Role) RemoveKeys(ids []string) {
-	r.KeyIDs = subtractStrSlices(r.KeyIDs, ids)
-}
-
-// RemovePaths removes the paths from the current list of role paths
-func (r *Role) RemovePaths(paths []string) {
-	r.Paths = subtractStrSlices(r.Paths, paths)
-}
-
-func mergeStrSlices(orig, new []string) []string {
-	have := make(map[string]bool)
-	for _, e := range orig {
-		have[e] = true
-	}
-	merged := make([]string, len(orig), len(orig)+len(new))
-	copy(merged, orig)
-	for _, e := range new {
-		if !have[e] {
-			merged = append(merged, e)
-		}
-	}
-	return merged
-}
-
-func subtractStrSlices(orig, remove []string) []string {
-	kill := make(map[string]bool)
-	for _, e := range remove {
-		kill[e] = true
-	}
-	var keep []string
-	for _, e := range orig {
-		if !kill[e] {
-			keep = append(keep, e)
-		}
-	}
-	return keep
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/root.go b/vendor/github.com/theupdateframework/notary/tuf/data/root.go
deleted file mode 100644
index 9420e87c..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/root.go
+++ /dev/null
@@ -1,171 +0,0 @@
-package data
-
-import (
-	"fmt"
-
-	"github.com/docker/go/canonical/json"
-)
-
-// SignedRoot is a fully unpacked root.json
-type SignedRoot struct {
-	Signatures []Signature
-	Signed     Root
-	Dirty      bool
-}
-
-// Root is the Signed component of a root.json
-type Root struct {
-	SignedCommon
-	Keys               Keys                   `json:"keys"`
-	Roles              map[RoleName]*RootRole `json:"roles"`
-	ConsistentSnapshot bool                   `json:"consistent_snapshot"`
-}
-
-// isValidRootStructure returns an error, or nil, depending on whether the content of the struct
-// is valid for root metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func isValidRootStructure(r Root) error {
-	expectedType := TUFTypes[CanonicalRootRole]
-	if r.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: CanonicalRootRole, msg: fmt.Sprintf("expected type %s, not %s", expectedType, r.Type)}
-	}
-
-	if r.Version < 1 {
-		return ErrInvalidMetadata{
-			role: CanonicalRootRole, msg: "version cannot be less than 1"}
-	}
-
-	// all the base roles MUST appear in the root.json - other roles are allowed,
-	// but other than the mirror role (not currently supported) are out of spec
-	for _, roleName := range BaseRoles {
-		roleObj, ok := r.Roles[roleName]
-		if !ok || roleObj == nil {
-			return ErrInvalidMetadata{
-				role: CanonicalRootRole, msg: fmt.Sprintf("missing %s role specification", roleName)}
-		}
-		if err := isValidRootRoleStructure(CanonicalRootRole, roleName, *roleObj, r.Keys); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func isValidRootRoleStructure(metaContainingRole, rootRoleName RoleName, r RootRole, validKeys Keys) error {
-	if r.Threshold < 1 {
-		return ErrInvalidMetadata{
-			role: metaContainingRole,
-			msg:  fmt.Sprintf("invalid threshold specified for %s: %v ", rootRoleName, r.Threshold),
-		}
-	}
-	for _, keyID := range r.KeyIDs {
-		if _, ok := validKeys[keyID]; !ok {
-			return ErrInvalidMetadata{
-				role: metaContainingRole,
-				msg:  fmt.Sprintf("key ID %s specified in %s without corresponding key", keyID, rootRoleName),
-			}
-		}
-	}
-	return nil
-}
-
-// NewRoot initializes a new SignedRoot with a set of keys, roles, and the consistent flag
-func NewRoot(keys map[string]PublicKey, roles map[RoleName]*RootRole, consistent bool) (*SignedRoot, error) {
-	signedRoot := &SignedRoot{
-		Signatures: make([]Signature, 0),
-		Signed: Root{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes[CanonicalRootRole],
-				Version: 0,
-				Expires: DefaultExpires(CanonicalRootRole),
-			},
-			Keys:               keys,
-			Roles:              roles,
-			ConsistentSnapshot: consistent,
-		},
-		Dirty: true,
-	}
-
-	return signedRoot, nil
-}
-
-// BuildBaseRole returns a copy of a BaseRole using the information in this SignedRoot for the specified role name.
-// Will error for invalid role name or key metadata within this SignedRoot
-func (r SignedRoot) BuildBaseRole(roleName RoleName) (BaseRole, error) {
-	roleData, ok := r.Signed.Roles[roleName]
-	if !ok {
-		return BaseRole{}, ErrInvalidRole{Role: roleName, Reason: "role not found in root file"}
-	}
-	// Get all public keys for the base role from TUF metadata
-	keyIDs := roleData.KeyIDs
-	pubKeys := make(map[string]PublicKey)
-	for _, keyID := range keyIDs {
-		pubKey, ok := r.Signed.Keys[keyID]
-		if !ok {
-			return BaseRole{}, ErrInvalidRole{
-				Role:   roleName,
-				Reason: fmt.Sprintf("key with ID %s was not found in root metadata", keyID),
-			}
-		}
-		pubKeys[keyID] = pubKey
-	}
-
-	return BaseRole{
-		Name:      roleName,
-		Keys:      pubKeys,
-		Threshold: roleData.Threshold,
-	}, nil
-}
-
-// ToSigned partially serializes a SignedRoot for further signing
-func (r SignedRoot) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(r.Signed)
-	if err != nil {
-		return nil, err
-	}
-	// cast into a json.RawMessage
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(r.Signatures))
-	copy(sigs, r.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// MarshalJSON returns the serialized form of SignedRoot as bytes
-func (r SignedRoot) MarshalJSON() ([]byte, error) {
-	signed, err := r.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// RootFromSigned fully unpacks a Signed object into a SignedRoot and ensures
-// that it is a valid SignedRoot
-func RootFromSigned(s *Signed) (*SignedRoot, error) {
-	r := Root{}
-	if s.Signed == nil {
-		return nil, ErrInvalidMetadata{
-			role: CanonicalRootRole,
-			msg:  "root file contained an empty payload",
-		}
-	}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &r); err != nil {
-		return nil, err
-	}
-	if err := isValidRootStructure(r); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedRoot{
-		Signatures: sigs,
-		Signed:     r,
-	}, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/serializer.go b/vendor/github.com/theupdateframework/notary/tuf/data/serializer.go
deleted file mode 100644
index 5c33d129..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/serializer.go
+++ /dev/null
@@ -1,36 +0,0 @@
-package data
-
-import "github.com/docker/go/canonical/json"
-
-// Serializer is an interface that can marshal and unmarshal TUF data.  This
-// is expected to be a canonical JSON marshaller
-type serializer interface {
-	MarshalCanonical(from interface{}) ([]byte, error)
-	Marshal(from interface{}) ([]byte, error)
-	Unmarshal(from []byte, to interface{}) error
-}
-
-// CanonicalJSON marshals to and from canonical JSON
-type canonicalJSON struct{}
-
-// MarshalCanonical returns the canonical JSON form of a thing
-func (c canonicalJSON) MarshalCanonical(from interface{}) ([]byte, error) {
-	return json.MarshalCanonical(from)
-}
-
-// Marshal returns the regular non-canonical JSON form of a thing
-func (c canonicalJSON) Marshal(from interface{}) ([]byte, error) {
-	return json.Marshal(from)
-}
-
-// Unmarshal unmarshals some JSON bytes
-func (c canonicalJSON) Unmarshal(from []byte, to interface{}) error {
-	return json.Unmarshal(from, to)
-}
-
-// defaultSerializer is a canonical JSON serializer
-var defaultSerializer serializer = canonicalJSON{}
-
-func setDefaultSerializer(s serializer) {
-	defaultSerializer = s
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/snapshot.go b/vendor/github.com/theupdateframework/notary/tuf/data/snapshot.go
deleted file mode 100644
index e82cc2f5..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/snapshot.go
+++ /dev/null
@@ -1,169 +0,0 @@
-package data
-
-import (
-	"bytes"
-	"fmt"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-)
-
-// SignedSnapshot is a fully unpacked snapshot.json
-type SignedSnapshot struct {
-	Signatures []Signature
-	Signed     Snapshot
-	Dirty      bool
-}
-
-// Snapshot is the Signed component of a snapshot.json
-type Snapshot struct {
-	SignedCommon
-	Meta Files `json:"meta"`
-}
-
-// IsValidSnapshotStructure returns an error, or nil, depending on whether the content of the
-// struct is valid for snapshot metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func IsValidSnapshotStructure(s Snapshot) error {
-	expectedType := TUFTypes[CanonicalSnapshotRole]
-	if s.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: CanonicalSnapshotRole, msg: fmt.Sprintf("expected type %s, not %s", expectedType, s.Type)}
-	}
-
-	if s.Version < 1 {
-		return ErrInvalidMetadata{
-			role: CanonicalSnapshotRole, msg: "version cannot be less than one"}
-	}
-
-	for _, file := range []RoleName{CanonicalRootRole, CanonicalTargetsRole} {
-		// Meta is a map of FileMeta, so if the role isn't in the map it returns
-		// an empty FileMeta, which has an empty map, and you can check on keys
-		// from an empty map.
-		//
-		// For now sha256 is required and sha512 is not.
-		if _, ok := s.Meta[file.String()].Hashes[notary.SHA256]; !ok {
-			return ErrInvalidMetadata{
-				role: CanonicalSnapshotRole,
-				msg:  fmt.Sprintf("missing %s sha256 checksum information", file.String()),
-			}
-		}
-		if err := CheckValidHashStructures(s.Meta[file.String()].Hashes); err != nil {
-			return ErrInvalidMetadata{
-				role: CanonicalSnapshotRole,
-				msg:  fmt.Sprintf("invalid %s checksum information, %v", file.String(), err),
-			}
-		}
-	}
-	return nil
-}
-
-// NewSnapshot initializes a SignedSnapshot with a given top level root
-// and targets objects
-func NewSnapshot(root *Signed, targets *Signed) (*SignedSnapshot, error) {
-	logrus.Debug("generating new snapshot...")
-	targetsJSON, err := json.Marshal(targets)
-	if err != nil {
-		logrus.Debug("Error Marshalling Targets")
-		return nil, err
-	}
-	rootJSON, err := json.Marshal(root)
-	if err != nil {
-		logrus.Debug("Error Marshalling Root")
-		return nil, err
-	}
-	rootMeta, err := NewFileMeta(bytes.NewReader(rootJSON), NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-	targetsMeta, err := NewFileMeta(bytes.NewReader(targetsJSON), NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-	return &SignedSnapshot{
-		Signatures: make([]Signature, 0),
-		Signed: Snapshot{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes[CanonicalSnapshotRole],
-				Version: 0,
-				Expires: DefaultExpires(CanonicalSnapshotRole),
-			},
-			Meta: Files{
-				CanonicalRootRole.String():    rootMeta,
-				CanonicalTargetsRole.String(): targetsMeta,
-			},
-		},
-	}, nil
-}
-
-// ToSigned partially serializes a SignedSnapshot for further signing
-func (sp *SignedSnapshot) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(sp.Signed)
-	if err != nil {
-		return nil, err
-	}
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(sp.Signatures))
-	copy(sigs, sp.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// AddMeta updates a role in the snapshot with new meta
-func (sp *SignedSnapshot) AddMeta(role RoleName, meta FileMeta) {
-	sp.Signed.Meta[role.String()] = meta
-	sp.Dirty = true
-}
-
-// GetMeta gets the metadata for a particular role, returning an error if it's
-// not found
-func (sp *SignedSnapshot) GetMeta(role RoleName) (*FileMeta, error) {
-	if meta, ok := sp.Signed.Meta[role.String()]; ok {
-		if _, ok := meta.Hashes["sha256"]; ok {
-			return &meta, nil
-		}
-	}
-	return nil, ErrMissingMeta{Role: role.String()}
-}
-
-// DeleteMeta removes a role from the snapshot. If the role doesn't
-// exist in the snapshot, it's a noop.
-func (sp *SignedSnapshot) DeleteMeta(role RoleName) {
-	if _, ok := sp.Signed.Meta[role.String()]; ok {
-		delete(sp.Signed.Meta, role.String())
-		sp.Dirty = true
-	}
-}
-
-// MarshalJSON returns the serialized form of SignedSnapshot as bytes
-func (sp *SignedSnapshot) MarshalJSON() ([]byte, error) {
-	signed, err := sp.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// SnapshotFromSigned fully unpacks a Signed object into a SignedSnapshot
-func SnapshotFromSigned(s *Signed) (*SignedSnapshot, error) {
-	sp := Snapshot{}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &sp); err != nil {
-		return nil, err
-	}
-	if err := IsValidSnapshotStructure(sp); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedSnapshot{
-		Signatures: sigs,
-		Signed:     sp,
-	}, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/targets.go b/vendor/github.com/theupdateframework/notary/tuf/data/targets.go
deleted file mode 100644
index b242c6f3..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/targets.go
+++ /dev/null
@@ -1,201 +0,0 @@
-package data
-
-import (
-	"errors"
-	"fmt"
-	"path"
-
-	"github.com/docker/go/canonical/json"
-)
-
-// SignedTargets is a fully unpacked targets.json, or target delegation
-// json file
-type SignedTargets struct {
-	Signatures []Signature
-	Signed     Targets
-	Dirty      bool
-}
-
-// Targets is the Signed components of a targets.json or delegation json file
-type Targets struct {
-	SignedCommon
-	Targets     Files       `json:"targets"`
-	Delegations Delegations `json:"delegations,omitempty"`
-}
-
-// isValidTargetsStructure returns an error, or nil, depending on whether the content of the struct
-// is valid for targets metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func isValidTargetsStructure(t Targets, roleName RoleName) error {
-	if roleName != CanonicalTargetsRole && !IsDelegation(roleName) {
-		return ErrInvalidRole{Role: roleName}
-	}
-
-	// even if it's a delegated role, the metadata type is "Targets"
-	expectedType := TUFTypes[CanonicalTargetsRole]
-	if t.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: roleName, msg: fmt.Sprintf("expected type %s, not %s", expectedType, t.Type)}
-	}
-
-	if t.Version < 1 {
-		return ErrInvalidMetadata{role: roleName, msg: "version cannot be less than one"}
-	}
-
-	for _, roleObj := range t.Delegations.Roles {
-		if !IsDelegation(roleObj.Name) || path.Dir(roleObj.Name.String()) != roleName.String() {
-			return ErrInvalidMetadata{
-				role: roleName, msg: fmt.Sprintf("delegation role %s invalid", roleObj.Name)}
-		}
-		if err := isValidRootRoleStructure(roleName, roleObj.Name, roleObj.RootRole, t.Delegations.Keys); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// NewTargets initializes a new empty SignedTargets object
-func NewTargets() *SignedTargets {
-	return &SignedTargets{
-		Signatures: make([]Signature, 0),
-		Signed: Targets{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes["targets"],
-				Version: 0,
-				Expires: DefaultExpires("targets"),
-			},
-			Targets:     make(Files),
-			Delegations: *NewDelegations(),
-		},
-		Dirty: true,
-	}
-}
-
-// GetMeta attempts to find the targets entry for the path. It
-// will return nil in the case of the target not being found.
-func (t SignedTargets) GetMeta(path string) *FileMeta {
-	for p, meta := range t.Signed.Targets {
-		if p == path {
-			return &meta
-		}
-	}
-	return nil
-}
-
-// GetValidDelegations filters the delegation roles specified in the signed targets, and
-// only returns roles that are direct children and restricts their paths
-func (t SignedTargets) GetValidDelegations(parent DelegationRole) []DelegationRole {
-	roles := t.buildDelegationRoles()
-	result := []DelegationRole{}
-	for _, r := range roles {
-		validRole, err := parent.Restrict(r)
-		if err != nil {
-			continue
-		}
-		result = append(result, validRole)
-	}
-	return result
-}
-
-// BuildDelegationRole returns a copy of a DelegationRole using the information in this SignedTargets for the specified role name.
-// Will error for invalid role name or key metadata within this SignedTargets.  Path data is not validated.
-func (t *SignedTargets) BuildDelegationRole(roleName RoleName) (DelegationRole, error) {
-	for _, role := range t.Signed.Delegations.Roles {
-		if role.Name == roleName {
-			pubKeys := make(map[string]PublicKey)
-			for _, keyID := range role.KeyIDs {
-				pubKey, ok := t.Signed.Delegations.Keys[keyID]
-				if !ok {
-					// Couldn't retrieve all keys, so stop walking and return invalid role
-					return DelegationRole{}, ErrInvalidRole{
-						Role:   roleName,
-						Reason: "role lists unknown key " + keyID + " as a signing key",
-					}
-				}
-				pubKeys[keyID] = pubKey
-			}
-			return DelegationRole{
-				BaseRole: BaseRole{
-					Name:      role.Name,
-					Keys:      pubKeys,
-					Threshold: role.Threshold,
-				},
-				Paths: role.Paths,
-			}, nil
-		}
-	}
-	return DelegationRole{}, ErrNoSuchRole{Role: roleName}
-}
-
-// helper function to create DelegationRole structures from all delegations in a SignedTargets,
-// these delegations are read directly from the SignedTargets and not modified or validated
-func (t SignedTargets) buildDelegationRoles() []DelegationRole {
-	var roles []DelegationRole
-	for _, roleData := range t.Signed.Delegations.Roles {
-		delgRole, err := t.BuildDelegationRole(roleData.Name)
-		if err != nil {
-			continue
-		}
-		roles = append(roles, delgRole)
-	}
-	return roles
-}
-
-// AddTarget adds or updates the meta for the given path
-func (t *SignedTargets) AddTarget(path string, meta FileMeta) {
-	t.Signed.Targets[path] = meta
-	t.Dirty = true
-}
-
-// AddDelegation will add a new delegated role with the given keys,
-// ensuring the keys either already exist, or are added to the map
-// of delegation keys
-func (t *SignedTargets) AddDelegation(role *Role, keys []*PublicKey) error {
-	return errors.New("Not Implemented")
-}
-
-// ToSigned partially serializes a SignedTargets for further signing
-func (t *SignedTargets) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(t.Signed)
-	if err != nil {
-		return nil, err
-	}
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(t.Signatures))
-	copy(sigs, t.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// MarshalJSON returns the serialized form of SignedTargets as bytes
-func (t *SignedTargets) MarshalJSON() ([]byte, error) {
-	signed, err := t.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// TargetsFromSigned fully unpacks a Signed object into a SignedTargets, given
-// a role name (so it can validate the SignedTargets object)
-func TargetsFromSigned(s *Signed, roleName RoleName) (*SignedTargets, error) {
-	t := Targets{}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &t); err != nil {
-		return nil, err
-	}
-	if err := isValidTargetsStructure(t, roleName); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedTargets{
-		Signatures: sigs,
-		Signed:     t,
-	}, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/timestamp.go b/vendor/github.com/theupdateframework/notary/tuf/data/timestamp.go
deleted file mode 100644
index baf4016e..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/timestamp.go
+++ /dev/null
@@ -1,136 +0,0 @@
-package data
-
-import (
-	"bytes"
-	"fmt"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/theupdateframework/notary"
-)
-
-// SignedTimestamp is a fully unpacked timestamp.json
-type SignedTimestamp struct {
-	Signatures []Signature
-	Signed     Timestamp
-	Dirty      bool
-}
-
-// Timestamp is the Signed component of a timestamp.json
-type Timestamp struct {
-	SignedCommon
-	Meta Files `json:"meta"`
-}
-
-// IsValidTimestampStructure returns an error, or nil, depending on whether the content of the struct
-// is valid for timestamp metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func IsValidTimestampStructure(t Timestamp) error {
-	expectedType := TUFTypes[CanonicalTimestampRole]
-	if t.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: fmt.Sprintf("expected type %s, not %s", expectedType, t.Type)}
-	}
-
-	if t.Version < 1 {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: "version cannot be less than one"}
-	}
-
-	// Meta is a map of FileMeta, so if the role isn't in the map it returns
-	// an empty FileMeta, which has an empty map, and you can check on keys
-	// from an empty map.
-	//
-	// For now sha256 is required and sha512 is not.
-	if _, ok := t.Meta[CanonicalSnapshotRole.String()].Hashes[notary.SHA256]; !ok {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: "missing snapshot sha256 checksum information"}
-	}
-	if err := CheckValidHashStructures(t.Meta[CanonicalSnapshotRole.String()].Hashes); err != nil {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: fmt.Sprintf("invalid snapshot checksum information, %v", err)}
-	}
-
-	return nil
-}
-
-// NewTimestamp initializes a timestamp with an existing snapshot
-func NewTimestamp(snapshot *Signed) (*SignedTimestamp, error) {
-	snapshotJSON, err := json.Marshal(snapshot)
-	if err != nil {
-		return nil, err
-	}
-	snapshotMeta, err := NewFileMeta(bytes.NewReader(snapshotJSON), NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-	return &SignedTimestamp{
-		Signatures: make([]Signature, 0),
-		Signed: Timestamp{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes[CanonicalTimestampRole],
-				Version: 0,
-				Expires: DefaultExpires(CanonicalTimestampRole),
-			},
-			Meta: Files{
-				CanonicalSnapshotRole.String(): snapshotMeta,
-			},
-		},
-	}, nil
-}
-
-// ToSigned partially serializes a SignedTimestamp such that it can
-// be signed
-func (ts *SignedTimestamp) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(ts.Signed)
-	if err != nil {
-		return nil, err
-	}
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(ts.Signatures))
-	copy(sigs, ts.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// GetSnapshot gets the expected snapshot metadata hashes in the timestamp metadata,
-// or nil if it doesn't exist
-func (ts *SignedTimestamp) GetSnapshot() (*FileMeta, error) {
-	snapshotExpected, ok := ts.Signed.Meta[CanonicalSnapshotRole.String()]
-	if !ok {
-		return nil, ErrMissingMeta{Role: CanonicalSnapshotRole.String()}
-	}
-	return &snapshotExpected, nil
-}
-
-// MarshalJSON returns the serialized form of SignedTimestamp as bytes
-func (ts *SignedTimestamp) MarshalJSON() ([]byte, error) {
-	signed, err := ts.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// TimestampFromSigned parsed a Signed object into a fully unpacked
-// SignedTimestamp
-func TimestampFromSigned(s *Signed) (*SignedTimestamp, error) {
-	ts := Timestamp{}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &ts); err != nil {
-		return nil, err
-	}
-	if err := IsValidTimestampStructure(ts); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedTimestamp{
-		Signatures: sigs,
-		Signed:     ts,
-	}, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/data/types.go b/vendor/github.com/theupdateframework/notary/tuf/data/types.go
deleted file mode 100644
index 85eb986e..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/data/types.go
+++ /dev/null
@@ -1,390 +0,0 @@
-package data
-
-import (
-	"bytes"
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/subtle"
-	"encoding/hex"
-	"fmt"
-	"hash"
-	"io"
-	"io/ioutil"
-	"path"
-	"strings"
-	"time"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-)
-
-// GUN is a Globally Unique Name. It is used to identify trust collections.
-// An example usage of this is for container image repositories.
-// For example: myregistry.io/myuser/myimage
-type GUN string
-
-func (g GUN) String() string {
-	return string(g)
-}
-
-// RoleName type for specifying role
-type RoleName string
-
-func (r RoleName) String() string {
-	return string(r)
-}
-
-// Parent provides the parent path role from the provided child role
-func (r RoleName) Parent() RoleName {
-	return RoleName(path.Dir(r.String()))
-}
-
-// MetadataRoleMapToStringMap generates a map string of bytes from a map RoleName of bytes
-func MetadataRoleMapToStringMap(roles map[RoleName][]byte) map[string][]byte {
-	metadata := make(map[string][]byte)
-	for k, v := range roles {
-		metadata[k.String()] = v
-	}
-	return metadata
-}
-
-// NewRoleList generates an array of RoleName objects from a slice of strings
-func NewRoleList(roles []string) []RoleName {
-	var roleNames []RoleName
-	for _, role := range roles {
-		roleNames = append(roleNames, RoleName(role))
-	}
-	return roleNames
-}
-
-// RolesListToStringList generates an array of string objects from a slice of roles
-func RolesListToStringList(roles []RoleName) []string {
-	var roleNames []string
-	for _, role := range roles {
-		roleNames = append(roleNames, role.String())
-	}
-	return roleNames
-}
-
-// SigAlgorithm for types of signatures
-type SigAlgorithm string
-
-func (k SigAlgorithm) String() string {
-	return string(k)
-}
-
-const defaultHashAlgorithm = "sha256"
-
-// NotaryDefaultExpiries is the construct used to configure the default expiry times of
-// the various role files.
-var NotaryDefaultExpiries = map[RoleName]time.Duration{
-	CanonicalRootRole:      notary.NotaryRootExpiry,
-	CanonicalTargetsRole:   notary.NotaryTargetsExpiry,
-	CanonicalSnapshotRole:  notary.NotarySnapshotExpiry,
-	CanonicalTimestampRole: notary.NotaryTimestampExpiry,
-}
-
-// Signature types
-const (
-	EDDSASignature       SigAlgorithm = "eddsa"
-	RSAPSSSignature      SigAlgorithm = "rsapss"
-	RSAPKCS1v15Signature SigAlgorithm = "rsapkcs1v15"
-	ECDSASignature       SigAlgorithm = "ecdsa"
-	PyCryptoSignature    SigAlgorithm = "pycrypto-pkcs#1 pss"
-)
-
-// Key types
-const (
-	ED25519Key   = "ed25519"
-	RSAKey       = "rsa"
-	RSAx509Key   = "rsa-x509"
-	ECDSAKey     = "ecdsa"
-	ECDSAx509Key = "ecdsa-x509"
-)
-
-// TUFTypes is the set of metadata types
-var TUFTypes = map[RoleName]string{
-	CanonicalRootRole:      "Root",
-	CanonicalTargetsRole:   "Targets",
-	CanonicalSnapshotRole:  "Snapshot",
-	CanonicalTimestampRole: "Timestamp",
-}
-
-// ValidTUFType checks if the given type is valid for the role
-func ValidTUFType(typ string, role RoleName) bool {
-	if ValidRole(role) {
-		// All targets delegation roles must have
-		// the valid type is for targets.
-		if role == "" {
-			// role is unknown and does not map to
-			// a type
-			return false
-		}
-		if strings.HasPrefix(role.String(), CanonicalTargetsRole.String()+"/") {
-			role = CanonicalTargetsRole
-		}
-	}
-	// most people will just use the defaults so have this optimal check
-	// first. Do comparison just in case there is some unknown vulnerability
-	// if a key and value in the map differ.
-	if v, ok := TUFTypes[role]; ok {
-		return typ == v
-	}
-	return false
-}
-
-// Signed is the high level, partially deserialized metadata object
-// used to verify signatures before fully unpacking, or to add signatures
-// before fully packing
-type Signed struct {
-	Signed     *json.RawMessage `json:"signed"`
-	Signatures []Signature      `json:"signatures"`
-}
-
-// SignedCommon contains the fields common to the Signed component of all
-// TUF metadata files
-type SignedCommon struct {
-	Type    string    `json:"_type"`
-	Expires time.Time `json:"expires"`
-	Version int       `json:"version"`
-}
-
-// SignedMeta is used in server validation where we only need signatures
-// and common fields
-type SignedMeta struct {
-	Signed     SignedCommon `json:"signed"`
-	Signatures []Signature  `json:"signatures"`
-}
-
-// Signature is a signature on a piece of metadata
-type Signature struct {
-	KeyID     string       `json:"keyid"`
-	Method    SigAlgorithm `json:"method"`
-	Signature []byte       `json:"sig"`
-	IsValid   bool         `json:"-"`
-}
-
-// Files is the map of paths to file meta container in targets and delegations
-// metadata files
-type Files map[string]FileMeta
-
-// Hashes is the map of hash type to digest created for each metadata
-// and target file
-type Hashes map[string][]byte
-
-// NotaryDefaultHashes contains the default supported hash algorithms.
-var NotaryDefaultHashes = []string{notary.SHA256, notary.SHA512}
-
-// FileMeta contains the size and hashes for a metadata or target file. Custom
-// data can be optionally added.
-type FileMeta struct {
-	Length int64            `json:"length"`
-	Hashes Hashes           `json:"hashes"`
-	Custom *json.RawMessage `json:"custom,omitempty"`
-}
-
-// Equals returns true if the other FileMeta object is equivalent to this one
-func (f FileMeta) Equals(o FileMeta) bool {
-	if o.Length != f.Length || len(o.Hashes) != len(f.Hashes) {
-		return false
-	}
-	if f.Custom == nil && o.Custom != nil || f.Custom != nil && o.Custom == nil {
-		return false
-	}
-	// we don't care if these are valid hashes, just that they are equal
-	for key, val := range f.Hashes {
-		if !bytes.Equal(val, o.Hashes[key]) {
-			return false
-		}
-	}
-	if f.Custom == nil && o.Custom == nil {
-		return true
-	}
-	fBytes, err := f.Custom.MarshalJSON()
-	if err != nil {
-		return false
-	}
-	oBytes, err := o.Custom.MarshalJSON()
-	if err != nil {
-		return false
-	}
-	return bytes.Equal(fBytes, oBytes)
-}
-
-// CheckHashes verifies all the checksums specified by the "hashes" of the payload.
-func CheckHashes(payload []byte, name string, hashes Hashes) error {
-	cnt := 0
-
-	// k, v indicate the hash algorithm and the corresponding value
-	for k, v := range hashes {
-		switch k {
-		case notary.SHA256:
-			checksum := sha256.Sum256(payload)
-			if subtle.ConstantTimeCompare(checksum[:], v) == 0 {
-				return ErrMismatchedChecksum{alg: notary.SHA256, name: name, expected: hex.EncodeToString(v)}
-			}
-			cnt++
-		case notary.SHA512:
-			checksum := sha512.Sum512(payload)
-			if subtle.ConstantTimeCompare(checksum[:], v) == 0 {
-				return ErrMismatchedChecksum{alg: notary.SHA512, name: name, expected: hex.EncodeToString(v)}
-			}
-			cnt++
-		}
-	}
-
-	if cnt == 0 {
-		return ErrMissingMeta{Role: name}
-	}
-
-	return nil
-}
-
-// CompareMultiHashes verifies that the two Hashes passed in can represent the same data.
-// This means that both maps must have at least one key defined for which they map, and no conflicts.
-// Note that we check the intersection of map keys, which adds support for non-default hash algorithms in notary
-func CompareMultiHashes(hashes1, hashes2 Hashes) error {
-	// First check if the two hash structures are valid
-	if err := CheckValidHashStructures(hashes1); err != nil {
-		return err
-	}
-	if err := CheckValidHashStructures(hashes2); err != nil {
-		return err
-	}
-	// Check if they have at least one matching hash, and no conflicts
-	cnt := 0
-	for hashAlg, hash1 := range hashes1 {
-
-		hash2, ok := hashes2[hashAlg]
-		if !ok {
-			continue
-		}
-
-		if subtle.ConstantTimeCompare(hash1[:], hash2[:]) == 0 {
-			return fmt.Errorf("mismatched %s checksum", hashAlg)
-		}
-		// If we reached here, we had a match
-		cnt++
-	}
-
-	if cnt == 0 {
-		return fmt.Errorf("at least one matching hash needed")
-	}
-
-	return nil
-}
-
-// CheckValidHashStructures returns an error, or nil, depending on whether
-// the content of the hashes is valid or not.
-func CheckValidHashStructures(hashes Hashes) error {
-	cnt := 0
-
-	for k, v := range hashes {
-		switch k {
-		case notary.SHA256:
-			if len(v) != sha256.Size {
-				return ErrInvalidChecksum{alg: notary.SHA256}
-			}
-			cnt++
-		case notary.SHA512:
-			if len(v) != sha512.Size {
-				return ErrInvalidChecksum{alg: notary.SHA512}
-			}
-			cnt++
-		}
-	}
-
-	if cnt == 0 {
-		return fmt.Errorf("at least one supported hash needed")
-	}
-
-	return nil
-}
-
-// NewFileMeta generates a FileMeta object from the reader, using the
-// hash algorithms provided
-func NewFileMeta(r io.Reader, hashAlgorithms ...string) (FileMeta, error) {
-	if len(hashAlgorithms) == 0 {
-		hashAlgorithms = []string{defaultHashAlgorithm}
-	}
-	hashes := make(map[string]hash.Hash, len(hashAlgorithms))
-	for _, hashAlgorithm := range hashAlgorithms {
-		var h hash.Hash
-		switch hashAlgorithm {
-		case notary.SHA256:
-			h = sha256.New()
-		case notary.SHA512:
-			h = sha512.New()
-		default:
-			return FileMeta{}, fmt.Errorf("Unknown hash algorithm: %s", hashAlgorithm)
-		}
-		hashes[hashAlgorithm] = h
-		r = io.TeeReader(r, h)
-	}
-	n, err := io.Copy(ioutil.Discard, r)
-	if err != nil {
-		return FileMeta{}, err
-	}
-	m := FileMeta{Length: n, Hashes: make(Hashes, len(hashes))}
-	for hashAlgorithm, h := range hashes {
-		m.Hashes[hashAlgorithm] = h.Sum(nil)
-	}
-	return m, nil
-}
-
-// Delegations holds a tier of targets delegations
-type Delegations struct {
-	Keys  Keys    `json:"keys"`
-	Roles []*Role `json:"roles"`
-}
-
-// NewDelegations initializes an empty Delegations object
-func NewDelegations() *Delegations {
-	return &Delegations{
-		Keys:  make(map[string]PublicKey),
-		Roles: make([]*Role, 0),
-	}
-}
-
-// These values are recommended TUF expiry times.
-var defaultExpiryTimes = map[RoleName]time.Duration{
-	CanonicalRootRole:      notary.Year,
-	CanonicalTargetsRole:   90 * notary.Day,
-	CanonicalSnapshotRole:  7 * notary.Day,
-	CanonicalTimestampRole: notary.Day,
-}
-
-// SetDefaultExpiryTimes allows one to change the default expiries.
-func SetDefaultExpiryTimes(times map[RoleName]time.Duration) {
-	for key, value := range times {
-		if _, ok := defaultExpiryTimes[key]; !ok {
-			logrus.Errorf("Attempted to set default expiry for an unknown role: %s", key.String())
-			continue
-		}
-		defaultExpiryTimes[key] = value
-	}
-}
-
-// DefaultExpires gets the default expiry time for the given role
-func DefaultExpires(role RoleName) time.Time {
-	if d, ok := defaultExpiryTimes[role]; ok {
-		return time.Now().Add(d)
-	}
-	var t time.Time
-	return t.UTC().Round(time.Second)
-}
-
-type unmarshalledSignature Signature
-
-// UnmarshalJSON does a custom unmarshalling of the signature JSON
-func (s *Signature) UnmarshalJSON(data []byte) error {
-	uSignature := unmarshalledSignature{}
-	err := json.Unmarshal(data, &uSignature)
-	if err != nil {
-		return err
-	}
-	uSignature.Method = SigAlgorithm(strings.ToLower(string(uSignature.Method)))
-	*s = Signature(uSignature)
-	return nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/signed/ed25519.go b/vendor/github.com/theupdateframework/notary/tuf/signed/ed25519.go
deleted file mode 100644
index b526085a..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/ed25519.go
+++ /dev/null
@@ -1,111 +0,0 @@
-package signed
-
-import (
-	"crypto/rand"
-	"errors"
-
-	"github.com/theupdateframework/notary/trustmanager"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-type edCryptoKey struct {
-	role    data.RoleName
-	privKey data.PrivateKey
-}
-
-// Ed25519 implements a simple in memory cryptosystem for ED25519 keys
-type Ed25519 struct {
-	keys map[string]edCryptoKey
-}
-
-// NewEd25519 initializes a new empty Ed25519 CryptoService that operates
-// entirely in memory
-func NewEd25519() *Ed25519 {
-	return &Ed25519{
-		make(map[string]edCryptoKey),
-	}
-}
-
-// AddKey allows you to add a private key
-func (e *Ed25519) AddKey(role data.RoleName, gun data.GUN, k data.PrivateKey) error {
-	e.addKey(role, k)
-	return nil
-}
-
-// addKey allows you to add a private key
-func (e *Ed25519) addKey(role data.RoleName, k data.PrivateKey) {
-	e.keys[k.ID()] = edCryptoKey{
-		role:    role,
-		privKey: k,
-	}
-}
-
-// RemoveKey deletes a key from the signer
-func (e *Ed25519) RemoveKey(keyID string) error {
-	delete(e.keys, keyID)
-	return nil
-}
-
-// ListKeys returns the list of keys IDs for the role
-func (e *Ed25519) ListKeys(role data.RoleName) []string {
-	keyIDs := make([]string, 0, len(e.keys))
-	for id, edCryptoKey := range e.keys {
-		if edCryptoKey.role == role {
-			keyIDs = append(keyIDs, id)
-		}
-	}
-	return keyIDs
-}
-
-// ListAllKeys returns the map of keys IDs to role
-func (e *Ed25519) ListAllKeys() map[string]data.RoleName {
-	keys := make(map[string]data.RoleName)
-	for id, edKey := range e.keys {
-		keys[id] = edKey.role
-	}
-	return keys
-}
-
-// Create generates a new key and returns the public part
-func (e *Ed25519) Create(role data.RoleName, gun data.GUN, algorithm string) (data.PublicKey, error) {
-	if algorithm != data.ED25519Key {
-		return nil, errors.New("only ED25519 supported by this cryptoservice")
-	}
-
-	private, err := utils.GenerateED25519Key(rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-
-	e.addKey(role, private)
-	return data.PublicKeyFromPrivate(private), nil
-}
-
-// PublicKeys returns a map of public keys for the ids provided, when those IDs are found
-// in the store.
-func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error) {
-	k := make(map[string]data.PublicKey)
-	for _, keyID := range keyIDs {
-		if edKey, ok := e.keys[keyID]; ok {
-			k[keyID] = data.PublicKeyFromPrivate(edKey.privKey)
-		}
-	}
-	return k, nil
-}
-
-// GetKey returns a single public key based on the ID
-func (e *Ed25519) GetKey(keyID string) data.PublicKey {
-	if privKey, _, err := e.GetPrivateKey(keyID); err == nil {
-		return data.PublicKeyFromPrivate(privKey)
-	}
-	return nil
-}
-
-// GetPrivateKey returns a single private key and role if present, based on the ID
-func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, data.RoleName, error) {
-	if k, ok := e.keys[keyID]; ok {
-		return k.privKey, k.role, nil
-	}
-	return nil, "", trustmanager.ErrKeyNotFound{KeyID: keyID}
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/signed/errors.go b/vendor/github.com/theupdateframework/notary/tuf/signed/errors.go
deleted file mode 100644
index 29ec40de..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/errors.go
+++ /dev/null
@@ -1,98 +0,0 @@
-package signed
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// ErrInsufficientSignatures - can not create enough signatures on a piece of
-// metadata
-type ErrInsufficientSignatures struct {
-	FoundKeys     int
-	NeededKeys    int
-	MissingKeyIDs []string
-}
-
-func (e ErrInsufficientSignatures) Error() string {
-	candidates := ""
-	if len(e.MissingKeyIDs) > 0 {
-		candidates = fmt.Sprintf(" (%s)", strings.Join(e.MissingKeyIDs, ", "))
-	}
-
-	if e.FoundKeys == 0 {
-		return fmt.Sprintf("signing keys not available: need %d keys from %d possible keys%s",
-			e.NeededKeys, len(e.MissingKeyIDs), candidates)
-	}
-	return fmt.Sprintf("not enough signing keys: found %d of %d needed keys - %d other possible keys%s",
-		e.FoundKeys, e.NeededKeys, len(e.MissingKeyIDs), candidates)
-}
-
-// ErrExpired indicates a piece of metadata has expired
-type ErrExpired struct {
-	Role    data.RoleName
-	Expired string
-}
-
-func (e ErrExpired) Error() string {
-	return fmt.Sprintf("%s expired at %v", e.Role.String(), e.Expired)
-}
-
-// ErrLowVersion indicates the piece of metadata has a version number lower than
-// a version number we're already seen for this role
-type ErrLowVersion struct {
-	Actual  int
-	Current int
-}
-
-func (e ErrLowVersion) Error() string {
-	return fmt.Sprintf("version %d is lower than current version %d", e.Actual, e.Current)
-}
-
-// ErrRoleThreshold indicates we did not validate enough signatures to meet the threshold
-type ErrRoleThreshold struct {
-	Msg string
-}
-
-func (e ErrRoleThreshold) Error() string {
-	if e.Msg == "" {
-		return "valid signatures did not meet threshold"
-	}
-	return e.Msg
-}
-
-// ErrInvalidKeyType indicates the types for the key and signature it's associated with are
-// mismatched. Probably a sign of malicious behaviour
-type ErrInvalidKeyType struct{}
-
-func (e ErrInvalidKeyType) Error() string {
-	return "key type is not valid for signature"
-}
-
-// ErrInvalidKeyID indicates the specified key ID was incorrect for its associated data
-type ErrInvalidKeyID struct{}
-
-func (e ErrInvalidKeyID) Error() string {
-	return "key ID is not valid for key content"
-}
-
-// ErrInvalidKeyLength indicates that while we may support the cipher, the provided
-// key length is not specifically supported, i.e. we support RSA, but not 1024 bit keys
-type ErrInvalidKeyLength struct {
-	msg string
-}
-
-func (e ErrInvalidKeyLength) Error() string {
-	return fmt.Sprintf("key length is not supported: %s", e.msg)
-}
-
-// ErrNoKeys indicates no signing keys were found when trying to sign
-type ErrNoKeys struct {
-	KeyIDs []string
-}
-
-func (e ErrNoKeys) Error() string {
-	return fmt.Sprintf("could not find necessary signing keys, at least one of these keys must be available: %s",
-		strings.Join(e.KeyIDs, ", "))
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/signed/interface.go b/vendor/github.com/theupdateframework/notary/tuf/signed/interface.go
deleted file mode 100644
index ca28aca4..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/interface.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package signed
-
-import "github.com/theupdateframework/notary/tuf/data"
-
-// KeyService provides management of keys locally. It will never
-// accept or provide private keys. Communication between the KeyService
-// and a SigningService happen behind the Create function.
-type KeyService interface {
-	// Create issues a new key pair and is responsible for loading
-	// the private key into the appropriate signing service.
-	Create(role data.RoleName, gun data.GUN, algorithm string) (data.PublicKey, error)
-
-	// AddKey adds a private key to the specified role and gun
-	AddKey(role data.RoleName, gun data.GUN, key data.PrivateKey) error
-
-	// GetKey retrieves the public key if present, otherwise it returns nil
-	GetKey(keyID string) data.PublicKey
-
-	// GetPrivateKey retrieves the private key and role if present and retrievable,
-	// otherwise it returns nil and an error
-	GetPrivateKey(keyID string) (data.PrivateKey, data.RoleName, error)
-
-	// RemoveKey deletes the specified key, and returns an error only if the key
-	// removal fails. If the key doesn't exist, no error should be returned.
-	RemoveKey(keyID string) error
-
-	// ListKeys returns a list of key IDs for the role, or an empty list or
-	// nil if there are no keys.
-	ListKeys(role data.RoleName) []string
-
-	// ListAllKeys returns a map of all available signing key IDs to role, or
-	// an empty map or nil if there are no keys.
-	ListAllKeys() map[string]data.RoleName
-}
-
-// CryptoService is deprecated and all instances of its use should be
-// replaced with KeyService
-type CryptoService interface {
-	KeyService
-}
-
-// Verifier defines an interface for verifying signatures. An implementer
-// of this interface should verify signatures for one and only one
-// signing scheme.
-type Verifier interface {
-	Verify(key data.PublicKey, sig []byte, msg []byte) error
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/signed/sign.go b/vendor/github.com/theupdateframework/notary/tuf/signed/sign.go
deleted file mode 100644
index 9ea5faa8..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/sign.go
+++ /dev/null
@@ -1,114 +0,0 @@
-package signed
-
-// The Sign function is a choke point for all code paths that do signing.
-// We use this fact to do key ID translation. There are 2 types of key ID:
-//   - Scoped: the key ID based purely on the data that appears in the TUF
-//             files. This may be wrapped by a certificate that scopes the
-//             key to be used in a specific context.
-//   - Canonical: the key ID based purely on the public key bytes. This is
-//             used by keystores to easily identify keys that may be reused
-//             in many scoped locations.
-// Currently these types only differ in the context of Root Keys in Notary
-// for which the root key is wrapped using an x509 certificate.
-
-import (
-	"crypto/rand"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary/trustmanager"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// Sign takes a data.Signed and a cryptoservice containing private keys,
-// calculates and adds at least minSignature signatures using signingKeys the
-// data.Signed.  It will also clean up any signatures that are not in produced
-// by either a signingKey or an otherWhitelistedKey.
-// Note that in most cases, otherWhitelistedKeys should probably be null. They
-// are for keys you don't want to sign with, but you also don't want to remove
-// existing signatures by those keys.  For instance, if you want to call Sign
-// multiple times with different sets of signing keys without undoing removing
-// signatures produced by the previous call to Sign.
-func Sign(service CryptoService, s *data.Signed, signingKeys []data.PublicKey,
-	minSignatures int, otherWhitelistedKeys []data.PublicKey) error {
-
-	logrus.Debugf("sign called with %d/%d required keys", minSignatures, len(signingKeys))
-	signatures := make([]data.Signature, 0, len(s.Signatures)+1)
-	signingKeyIDs := make(map[string]struct{})
-	tufIDs := make(map[string]data.PublicKey)
-
-	privKeys := make(map[string]data.PrivateKey)
-
-	// Get all the private key objects related to the public keys
-	missingKeyIDs := []string{}
-	for _, key := range signingKeys {
-		canonicalID, err := utils.CanonicalKeyID(key)
-		tufIDs[key.ID()] = key
-		if err != nil {
-			return err
-		}
-		k, _, err := service.GetPrivateKey(canonicalID)
-		if err != nil {
-			if _, ok := err.(trustmanager.ErrKeyNotFound); ok {
-				missingKeyIDs = append(missingKeyIDs, canonicalID)
-				continue
-			}
-			return err
-		}
-		privKeys[key.ID()] = k
-	}
-
-	// include the list of otherWhitelistedKeys
-	for _, key := range otherWhitelistedKeys {
-		if _, ok := tufIDs[key.ID()]; !ok {
-			tufIDs[key.ID()] = key
-		}
-	}
-
-	// Check to ensure we have enough signing keys
-	if len(privKeys) < minSignatures {
-		return ErrInsufficientSignatures{FoundKeys: len(privKeys),
-			NeededKeys: minSignatures, MissingKeyIDs: missingKeyIDs}
-	}
-
-	emptyStruct := struct{}{}
-	// Do signing and generate list of signatures
-	for keyID, pk := range privKeys {
-		sig, err := pk.Sign(rand.Reader, *s.Signed, nil)
-		if err != nil {
-			logrus.Debugf("Failed to sign with key: %s. Reason: %v", keyID, err)
-			return err
-		}
-		signingKeyIDs[keyID] = emptyStruct
-		signatures = append(signatures, data.Signature{
-			KeyID:     keyID,
-			Method:    pk.SignatureAlgorithm(),
-			Signature: sig[:],
-		})
-	}
-
-	for i := range s.Signatures {
-		sig := s.Signatures[i]
-		if _, ok := signingKeyIDs[sig.KeyID]; ok {
-			// key is in the set of key IDs for which a signature has been created
-			continue
-		}
-		var (
-			k  data.PublicKey
-			ok bool
-		)
-		if k, ok = tufIDs[sig.KeyID]; !ok {
-			// key is no longer a valid signing key
-			continue
-		}
-		if err := VerifySignature(*s.Signed, &sig, k); err != nil {
-			// signature is no longer valid
-			continue
-		}
-		// keep any signatures that still represent valid keys and are
-		// themselves valid
-		signatures = append(signatures, sig)
-	}
-	s.Signatures = signatures
-	return nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/signed/verifiers.go b/vendor/github.com/theupdateframework/notary/tuf/signed/verifiers.go
deleted file mode 100644
index 8f176e50..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/verifiers.go
+++ /dev/null
@@ -1,264 +0,0 @@
-package signed
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary/tuf/data"
-	"golang.org/x/crypto/ed25519"
-)
-
-const (
-	minRSAKeySizeBit  = 2048 // 2048 bits = 256 bytes
-	minRSAKeySizeByte = minRSAKeySizeBit / 8
-)
-
-// Verifiers serves as a map of all verifiers available on the system and
-// can be injected into a verificationService. For testing and configuration
-// purposes, it will not be used by default.
-var Verifiers = map[data.SigAlgorithm]Verifier{
-	data.RSAPSSSignature:      RSAPSSVerifier{},
-	data.RSAPKCS1v15Signature: RSAPKCS1v15Verifier{},
-	data.PyCryptoSignature:    RSAPyCryptoVerifier{},
-	data.ECDSASignature:       ECDSAVerifier{},
-	data.EDDSASignature:       Ed25519Verifier{},
-}
-
-// Ed25519Verifier used to verify Ed25519 signatures
-type Ed25519Verifier struct{}
-
-// Verify checks that an ed25519 signature is valid
-func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	if key.Algorithm() != data.ED25519Key {
-		return ErrInvalidKeyType{}
-	}
-	sigBytes := make([]byte, ed25519.SignatureSize)
-	if len(sig) != ed25519.SignatureSize {
-		logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
-		return ErrInvalid
-	}
-	copy(sigBytes, sig)
-
-	keyBytes := make([]byte, ed25519.PublicKeySize)
-	pub := key.Public()
-	if len(pub) != ed25519.PublicKeySize {
-		logrus.Errorf("public key is incorrect size, must be %d, was %d.", ed25519.PublicKeySize, len(pub))
-		return ErrInvalidKeyLength{msg: fmt.Sprintf("ed25519 public key must be %d bytes.", ed25519.PublicKeySize)}
-	}
-	n := copy(keyBytes, key.Public())
-	if n < ed25519.PublicKeySize {
-		logrus.Errorf("failed to copy the key, must have %d bytes, copied %d bytes.", ed25519.PublicKeySize, n)
-		return ErrInvalid
-	}
-
-	if !ed25519.Verify(ed25519.PublicKey(keyBytes), msg, sigBytes) {
-		logrus.Debugf("failed ed25519 verification")
-		return ErrInvalid
-	}
-	return nil
-}
-
-func verifyPSS(key interface{}, digest, sig []byte) error {
-	rsaPub, ok := key.(*rsa.PublicKey)
-	if !ok {
-		logrus.Debugf("value was not an RSA public key")
-		return ErrInvalid
-	}
-
-	if rsaPub.N.BitLen() < minRSAKeySizeBit {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
-		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
-	}
-
-	if len(sig) < minRSAKeySizeByte {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
-		return ErrInvalid
-	}
-
-	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
-	if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
-		logrus.Debugf("failed RSAPSS verification: %s", err)
-		return ErrInvalid
-	}
-	return nil
-}
-
-func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
-	algorithm := key.Algorithm()
-	var pubKey crypto.PublicKey
-
-	switch algorithm {
-	case data.RSAx509Key:
-		pemCert, _ := pem.Decode([]byte(key.Public()))
-		if pemCert == nil {
-			logrus.Debugf("failed to decode PEM-encoded x509 certificate")
-			return nil, ErrInvalid
-		}
-		cert, err := x509.ParseCertificate(pemCert.Bytes)
-		if err != nil {
-			logrus.Debugf("failed to parse x509 certificate: %s\n", err)
-			return nil, ErrInvalid
-		}
-		pubKey = cert.PublicKey
-	case data.RSAKey:
-		var err error
-		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
-		if err != nil {
-			logrus.Debugf("failed to parse public key: %s\n", err)
-			return nil, ErrInvalid
-		}
-	default:
-		// only accept RSA keys
-		logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm)
-		return nil, ErrInvalidKeyType{}
-	}
-
-	return pubKey, nil
-}
-
-// RSAPSSVerifier checks RSASSA-PSS signatures
-type RSAPSSVerifier struct{}
-
-// Verify does the actual check.
-func (v RSAPSSVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	// will return err if keytype is not a recognized RSA type
-	pubKey, err := getRSAPubKey(key)
-	if err != nil {
-		return err
-	}
-
-	digest := sha256.Sum256(msg)
-
-	return verifyPSS(pubKey, digest[:], sig)
-}
-
-// RSAPKCS1v15Verifier checks RSA PKCS1v15 signatures
-type RSAPKCS1v15Verifier struct{}
-
-// Verify does the actual verification
-func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	// will return err if keytype is not a recognized RSA type
-	pubKey, err := getRSAPubKey(key)
-	if err != nil {
-		return err
-	}
-	digest := sha256.Sum256(msg)
-
-	rsaPub, ok := pubKey.(*rsa.PublicKey)
-	if !ok {
-		logrus.Debugf("value was not an RSA public key")
-		return ErrInvalid
-	}
-
-	if rsaPub.N.BitLen() < minRSAKeySizeBit {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
-		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
-	}
-
-	if len(sig) < minRSAKeySizeByte {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
-		return ErrInvalid
-	}
-
-	if err = rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil {
-		logrus.Errorf("Failed verification: %s", err.Error())
-		return ErrInvalid
-	}
-	return nil
-}
-
-// RSAPyCryptoVerifier checks RSASSA-PSS signatures
-type RSAPyCryptoVerifier struct{}
-
-// Verify does the actual check.
-// N.B. We have not been able to make this work in a way that is compatible
-// with PyCrypto.
-func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	digest := sha256.Sum256(msg)
-	if key.Algorithm() != data.RSAKey {
-		return ErrInvalidKeyType{}
-	}
-
-	k, _ := pem.Decode([]byte(key.Public()))
-	if k == nil {
-		logrus.Debugf("failed to decode PEM-encoded x509 certificate")
-		return ErrInvalid
-	}
-
-	pub, err := x509.ParsePKIXPublicKey(k.Bytes)
-	if err != nil {
-		logrus.Debugf("failed to parse public key: %s\n", err)
-		return ErrInvalid
-	}
-
-	return verifyPSS(pub, digest[:], sig)
-}
-
-// ECDSAVerifier checks ECDSA signatures, decoding the keyType appropriately
-type ECDSAVerifier struct{}
-
-// Verify does the actual check.
-func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	algorithm := key.Algorithm()
-	var pubKey crypto.PublicKey
-
-	switch algorithm {
-	case data.ECDSAx509Key:
-		pemCert, _ := pem.Decode([]byte(key.Public()))
-		if pemCert == nil {
-			logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())
-			logrus.Debugf("certificate bytes: %s", string(key.Public()))
-			return ErrInvalid
-		}
-		cert, err := x509.ParseCertificate(pemCert.Bytes)
-		if err != nil {
-			logrus.Debugf("failed to parse x509 certificate: %s\n", err)
-			return ErrInvalid
-		}
-		pubKey = cert.PublicKey
-	case data.ECDSAKey:
-		var err error
-		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
-		if err != nil {
-			logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)
-			return ErrInvalid
-		}
-	default:
-		// only accept ECDSA keys.
-		logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm)
-		return ErrInvalidKeyType{}
-	}
-
-	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
-	if !ok {
-		logrus.Debugf("value isn't an ECDSA public key")
-		return ErrInvalid
-	}
-
-	sigLength := len(sig)
-	expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3)
-	if sigLength != expectedOctetLength {
-		logrus.Debugf("signature had an unexpected length")
-		return ErrInvalid
-	}
-
-	rBytes, sBytes := sig[:sigLength/2], sig[sigLength/2:]
-	r := new(big.Int).SetBytes(rBytes)
-	s := new(big.Int).SetBytes(sBytes)
-
-	digest := sha256.Sum256(msg)
-
-	if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) {
-		logrus.Debugf("failed ECDSA signature validation")
-		return ErrInvalid
-	}
-
-	return nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/signed/verify.go b/vendor/github.com/theupdateframework/notary/tuf/signed/verify.go
deleted file mode 100644
index 5ae2da48..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/signed/verify.go
+++ /dev/null
@@ -1,123 +0,0 @@
-package signed
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// Various basic signing errors
-var (
-	ErrNoSignatures = errors.New("tuf: data has no signatures")
-	ErrInvalid      = errors.New("tuf: signature verification failed")
-	ErrWrongType    = errors.New("tuf: meta file has wrong type")
-)
-
-// IsExpired checks if the given time passed before the present time
-func IsExpired(t time.Time) bool {
-	return t.Before(time.Now())
-}
-
-// VerifyExpiry returns ErrExpired if the metadata is expired
-func VerifyExpiry(s *data.SignedCommon, role data.RoleName) error {
-	if IsExpired(s.Expires) {
-		logrus.Errorf("Metadata for %s expired", role)
-		return ErrExpired{Role: role, Expired: s.Expires.Format("Mon Jan 2 15:04:05 MST 2006")}
-	}
-	return nil
-}
-
-// VerifyVersion returns ErrLowVersion if the metadata version is lower than the min version
-func VerifyVersion(s *data.SignedCommon, minVersion int) error {
-	if s.Version < minVersion {
-		return ErrLowVersion{Actual: s.Version, Current: minVersion}
-	}
-	return nil
-}
-
-// VerifySignatures checks the we have sufficient valid signatures for the given role
-func VerifySignatures(s *data.Signed, roleData data.BaseRole) error {
-	if len(s.Signatures) == 0 {
-		return ErrNoSignatures
-	}
-
-	if roleData.Threshold < 1 {
-		return ErrRoleThreshold{}
-	}
-	logrus.Debugf("%s role has key IDs: %s", roleData.Name, strings.Join(roleData.ListKeyIDs(), ","))
-
-	// remarshal the signed part so we can verify the signature, since the signature has
-	// to be of a canonically marshalled signed object
-	var decoded map[string]interface{}
-	if err := json.Unmarshal(*s.Signed, &decoded); err != nil {
-		return err
-	}
-	msg, err := json.MarshalCanonical(decoded)
-	if err != nil {
-		return err
-	}
-
-	valid := make(map[string]struct{})
-	for i := range s.Signatures {
-		sig := &(s.Signatures[i])
-		logrus.Debug("verifying signature for key ID: ", sig.KeyID)
-		key, ok := roleData.Keys[sig.KeyID]
-		if !ok {
-			logrus.Debugf("continuing b/c keyid lookup was nil: %s\n", sig.KeyID)
-			continue
-		}
-		// Check that the signature key ID actually matches the content ID of the key
-		if key.ID() != sig.KeyID {
-			return ErrInvalidKeyID{}
-		}
-		if err := VerifySignature(msg, sig, key); err != nil {
-			logrus.Debugf("continuing b/c %s", err.Error())
-			continue
-		}
-		valid[sig.KeyID] = struct{}{}
-	}
-	if len(valid) < roleData.Threshold {
-		return ErrRoleThreshold{
-			Msg: fmt.Sprintf("valid signatures did not meet threshold for %s", roleData.Name),
-		}
-	}
-
-	return nil
-}
-
-// VerifySignature checks a single signature and public key against a payload
-// If the signature is verified, the signature's is valid field will actually
-// be mutated to be equal to the boolean true
-func VerifySignature(msg []byte, sig *data.Signature, pk data.PublicKey) error {
-	// method lookup is consistent due to Unmarshal JSON doing lower case for us.
-	method := sig.Method
-	verifier, ok := Verifiers[method]
-	if !ok {
-		return fmt.Errorf("signing method is not supported: %s", sig.Method)
-	}
-
-	if err := verifier.Verify(pk, sig.Signature, msg); err != nil {
-		return fmt.Errorf("signature was invalid")
-	}
-	sig.IsValid = true
-	return nil
-}
-
-// VerifyPublicKeyMatchesPrivateKey checks if the private key and the public keys forms valid key pairs.
-// Supports both x509 certificate PublicKeys and non-certificate PublicKeys
-func VerifyPublicKeyMatchesPrivateKey(privKey data.PrivateKey, pubKey data.PublicKey) error {
-	pubKeyID, err := utils.CanonicalKeyID(pubKey)
-	if err != nil {
-		return fmt.Errorf("could not verify key pair: %v", err)
-	}
-	if privKey == nil || pubKeyID != privKey.ID() {
-		return fmt.Errorf("private key is nil or does not match public key")
-	}
-	return nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/tuf.go b/vendor/github.com/theupdateframework/notary/tuf/tuf.go
deleted file mode 100644
index 866403bb..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/tuf.go
+++ /dev/null
@@ -1,1072 +0,0 @@
-// Package tuf defines the core TUF logic around manipulating a repo.
-package tuf
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/tuf/data"
-	"github.com/theupdateframework/notary/tuf/signed"
-	"github.com/theupdateframework/notary/tuf/utils"
-)
-
-// ErrSigVerifyFail - signature verification failed
-type ErrSigVerifyFail struct{}
-
-func (e ErrSigVerifyFail) Error() string {
-	return "Error: Signature verification failed"
-}
-
-// ErrMetaExpired - metadata file has expired
-type ErrMetaExpired struct{}
-
-func (e ErrMetaExpired) Error() string {
-	return "Error: Metadata has expired"
-}
-
-// ErrLocalRootExpired - the local root file is out of date
-type ErrLocalRootExpired struct{}
-
-func (e ErrLocalRootExpired) Error() string {
-	return "Error: Local Root Has Expired"
-}
-
-// ErrNotLoaded - attempted to access data that has not been loaded into
-// the repo. This means specifically that the relevant JSON file has not
-// been loaded.
-type ErrNotLoaded struct {
-	Role data.RoleName
-}
-
-func (err ErrNotLoaded) Error() string {
-	return fmt.Sprintf("%s role has not been loaded", err.Role)
-}
-
-// StopWalk - used by visitor functions to signal WalkTargets to stop walking
-type StopWalk struct{}
-
-// Repo is an in memory representation of the TUF Repo.
-// It operates at the data.Signed level, accepting and producing
-// data.Signed objects. Users of a Repo are responsible for
-// fetching raw JSON and using the Set* functions to populate
-// the Repo instance.
-type Repo struct {
-	Root          *data.SignedRoot
-	Targets       map[data.RoleName]*data.SignedTargets
-	Snapshot      *data.SignedSnapshot
-	Timestamp     *data.SignedTimestamp
-	cryptoService signed.CryptoService
-
-	// Because Repo is a mutable structure, these keep track of what the root
-	// role was when a root is set on the repo (as opposed to what it might be
-	// after things like AddBaseKeys and RemoveBaseKeys have been called on it).
-	// If we know what the original was, we'll if and how to handle root
-	// rotations.
-	originalRootRole data.BaseRole
-}
-
-// NewRepo initializes a Repo instance with a CryptoService.
-// If the Repo will only be used for reading, the CryptoService
-// can be nil.
-func NewRepo(cryptoService signed.CryptoService) *Repo {
-	return &Repo{
-		Targets:       make(map[data.RoleName]*data.SignedTargets),
-		cryptoService: cryptoService,
-	}
-}
-
-// AddBaseKeys is used to add keys to the role in root.json
-func (tr *Repo) AddBaseKeys(role data.RoleName, keys ...data.PublicKey) error {
-	if tr.Root == nil {
-		return ErrNotLoaded{Role: data.CanonicalRootRole}
-	}
-	ids := []string{}
-	for _, k := range keys {
-		// Store only the public portion
-		tr.Root.Signed.Keys[k.ID()] = k
-		tr.Root.Signed.Roles[role].KeyIDs = append(tr.Root.Signed.Roles[role].KeyIDs, k.ID())
-		ids = append(ids, k.ID())
-	}
-	tr.Root.Dirty = true
-
-	// also, whichever role was switched out needs to be re-signed
-	// root has already been marked dirty.
-	switch role {
-	case data.CanonicalSnapshotRole:
-		if tr.Snapshot != nil {
-			tr.Snapshot.Dirty = true
-		}
-	case data.CanonicalTargetsRole:
-		if target, ok := tr.Targets[data.CanonicalTargetsRole]; ok {
-			target.Dirty = true
-		}
-	case data.CanonicalTimestampRole:
-		if tr.Timestamp != nil {
-			tr.Timestamp.Dirty = true
-		}
-	}
-	return nil
-}
-
-// ReplaceBaseKeys is used to replace all keys for the given role with the new keys
-func (tr *Repo) ReplaceBaseKeys(role data.RoleName, keys ...data.PublicKey) error {
-	r, err := tr.GetBaseRole(role)
-	if err != nil {
-		return err
-	}
-	err = tr.RemoveBaseKeys(role, r.ListKeyIDs()...)
-	if err != nil {
-		return err
-	}
-	return tr.AddBaseKeys(role, keys...)
-}
-
-// RemoveBaseKeys is used to remove keys from the roles in root.json
-func (tr *Repo) RemoveBaseKeys(role data.RoleName, keyIDs ...string) error {
-	if tr.Root == nil {
-		return ErrNotLoaded{Role: data.CanonicalRootRole}
-	}
-	var keep []string
-	toDelete := make(map[string]struct{})
-	emptyStruct := struct{}{}
-	// remove keys from specified role
-	for _, k := range keyIDs {
-		toDelete[k] = emptyStruct
-	}
-
-	oldKeyIDs := tr.Root.Signed.Roles[role].KeyIDs
-	for _, rk := range oldKeyIDs {
-		if _, ok := toDelete[rk]; !ok {
-			keep = append(keep, rk)
-		}
-	}
-
-	tr.Root.Signed.Roles[role].KeyIDs = keep
-
-	// also, whichever role had keys removed needs to be re-signed
-	// root has already been marked dirty.
-	tr.markRoleDirty(role)
-
-	// determine which keys are no longer in use by any roles
-	for roleName, r := range tr.Root.Signed.Roles {
-		if roleName == role {
-			continue
-		}
-		for _, rk := range r.KeyIDs {
-			if _, ok := toDelete[rk]; ok {
-				delete(toDelete, rk)
-			}
-		}
-	}
-
-	// Remove keys no longer in use by any roles, except for root keys.
-	// Root private keys must be kept in tr.cryptoService to be able to sign
-	// for rotation, and root certificates must be kept in tr.Root.SignedKeys
-	// because we are not necessarily storing them elsewhere (tuf.Repo does not
-	// depend on certs.Manager, that is an upper layer), and without storing
-	// the certificates in their x509 form we are not able to do the
-	// util.CanonicalKeyID conversion.
-	if role != data.CanonicalRootRole {
-		for k := range toDelete {
-			delete(tr.Root.Signed.Keys, k)
-			tr.cryptoService.RemoveKey(k)
-		}
-	}
-
-	tr.Root.Dirty = true
-	return nil
-}
-
-func (tr *Repo) markRoleDirty(role data.RoleName) {
-	switch role {
-	case data.CanonicalSnapshotRole:
-		if tr.Snapshot != nil {
-			tr.Snapshot.Dirty = true
-		}
-	case data.CanonicalTargetsRole:
-		if target, ok := tr.Targets[data.CanonicalTargetsRole]; ok {
-			target.Dirty = true
-		}
-	case data.CanonicalTimestampRole:
-		if tr.Timestamp != nil {
-			tr.Timestamp.Dirty = true
-		}
-	}
-}
-
-// GetBaseRole gets a base role from this repo's metadata
-func (tr *Repo) GetBaseRole(name data.RoleName) (data.BaseRole, error) {
-	if !data.ValidRole(name) {
-		return data.BaseRole{}, data.ErrInvalidRole{Role: name, Reason: "invalid base role name"}
-	}
-	if tr.Root == nil {
-		return data.BaseRole{}, ErrNotLoaded{data.CanonicalRootRole}
-	}
-	// Find the role data public keys for the base role from TUF metadata
-	baseRole, err := tr.Root.BuildBaseRole(name)
-	if err != nil {
-		return data.BaseRole{}, err
-	}
-
-	return baseRole, nil
-}
-
-// GetDelegationRole gets a delegation role from this repo's metadata, walking from the targets role down to the delegation itself
-func (tr *Repo) GetDelegationRole(name data.RoleName) (data.DelegationRole, error) {
-	if !data.IsDelegation(name) {
-		return data.DelegationRole{}, data.ErrInvalidRole{Role: name, Reason: "invalid delegation name"}
-	}
-	if tr.Root == nil {
-		return data.DelegationRole{}, ErrNotLoaded{data.CanonicalRootRole}
-	}
-	_, ok := tr.Root.Signed.Roles[data.CanonicalTargetsRole]
-	if !ok {
-		return data.DelegationRole{}, ErrNotLoaded{data.CanonicalTargetsRole}
-	}
-	// Traverse target metadata, down to delegation itself
-	// Get all public keys for the base role from TUF metadata
-	_, ok = tr.Targets[data.CanonicalTargetsRole]
-	if !ok {
-		return data.DelegationRole{}, ErrNotLoaded{data.CanonicalTargetsRole}
-	}
-
-	// Start with top level roles in targets. Walk the chain of ancestors
-	// until finding the desired role, or we run out of targets files to search.
-	var foundRole *data.DelegationRole
-	buildDelegationRoleVisitor := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		// Try to find the delegation and build a DelegationRole structure
-		for _, role := range tgt.Signed.Delegations.Roles {
-			if role.Name == name {
-				delgRole, err := tgt.BuildDelegationRole(name)
-				if err != nil {
-					return err
-				}
-				// Check all public key certificates in the role for expiry
-				// Currently we do not reject expired delegation keys but warn if they might expire soon or have already
-				for _, pubKey := range delgRole.Keys {
-					certFromKey, err := utils.LoadCertFromPEM(pubKey.Public())
-					if err != nil {
-						continue
-					}
-					//Don't check the delegation certificate expiry once added, use the TUF role expiry instead
-					if err := utils.ValidateCertificate(certFromKey, false); err != nil {
-						return err
-					}
-				}
-				foundRole = &delgRole
-				return StopWalk{}
-			}
-		}
-		return nil
-	}
-
-	// Walk to the parent of this delegation, since that is where its role metadata exists
-	err := tr.WalkTargets("", name.Parent(), buildDelegationRoleVisitor)
-	if err != nil {
-		return data.DelegationRole{}, err
-	}
-
-	// We never found the delegation. In the context of this repo it is considered
-	// invalid. N.B. it may be that it existed at one point but an ancestor has since
-	// been modified/removed.
-	if foundRole == nil {
-		return data.DelegationRole{}, data.ErrInvalidRole{Role: name, Reason: "delegation does not exist"}
-	}
-
-	return *foundRole, nil
-}
-
-// GetAllLoadedRoles returns a list of all role entries loaded in this TUF repo, could be empty
-func (tr *Repo) GetAllLoadedRoles() []*data.Role {
-	var res []*data.Role
-	if tr.Root == nil {
-		// if root isn't loaded, we should consider we have no loaded roles because we can't
-		// trust any other state that might be present
-		return res
-	}
-	for name, rr := range tr.Root.Signed.Roles {
-		res = append(res, &data.Role{
-			RootRole: *rr,
-			Name:     name,
-		})
-	}
-	for _, delegate := range tr.Targets {
-		for _, r := range delegate.Signed.Delegations.Roles {
-			res = append(res, r)
-		}
-	}
-	return res
-}
-
-// Walk to parent, and either create or update this delegation.  We can only create a new delegation if we're given keys
-// Ensure all updates are valid, by checking against parent ancestor paths and ensuring the keys meet the role threshold.
-func delegationUpdateVisitor(roleName data.RoleName, addKeys data.KeyList, removeKeys, addPaths, removePaths []string, clearAllPaths bool, newThreshold int) walkVisitorFunc {
-	return func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		var err error
-		// Validate the changes underneath this restricted validRole for adding paths, reject invalid path additions
-		if len(addPaths) != len(data.RestrictDelegationPathPrefixes(validRole.Paths, addPaths)) {
-			return data.ErrInvalidRole{Role: roleName, Reason: "invalid paths to add to role"}
-		}
-		// Try to find the delegation and amend it using our changelist
-		var delgRole *data.Role
-		for _, role := range tgt.Signed.Delegations.Roles {
-			if role.Name == roleName {
-				// Make a copy and operate on this role until we validate the changes
-				keyIDCopy := make([]string, len(role.KeyIDs))
-				copy(keyIDCopy, role.KeyIDs)
-				pathsCopy := make([]string, len(role.Paths))
-				copy(pathsCopy, role.Paths)
-				delgRole = &data.Role{
-					RootRole: data.RootRole{
-						KeyIDs:    keyIDCopy,
-						Threshold: role.Threshold,
-					},
-					Name:  role.Name,
-					Paths: pathsCopy,
-				}
-				delgRole.RemovePaths(removePaths)
-				if clearAllPaths {
-					delgRole.Paths = []string{}
-				}
-				delgRole.AddPaths(addPaths)
-				delgRole.RemoveKeys(removeKeys)
-				break
-			}
-		}
-		// We didn't find the role earlier, so create it.
-		if addKeys == nil {
-			addKeys = data.KeyList{} // initialize to empty list if necessary so calling .IDs() below won't panic
-		}
-		if delgRole == nil {
-			delgRole, err = data.NewRole(roleName, newThreshold, addKeys.IDs(), addPaths)
-			if err != nil {
-				return err
-			}
-
-		}
-		// Add the key IDs to the role and the keys themselves to the parent
-		for _, k := range addKeys {
-			if !utils.StrSliceContains(delgRole.KeyIDs, k.ID()) {
-				delgRole.KeyIDs = append(delgRole.KeyIDs, k.ID())
-			}
-		}
-		// Make sure we have a valid role still
-		if len(delgRole.KeyIDs) < delgRole.Threshold {
-			logrus.Warnf("role %s has fewer keys than its threshold of %d; it will not be usable until keys are added to it", delgRole.Name, delgRole.Threshold)
-		}
-		// NOTE: this closure CANNOT error after this point, as we've committed to editing the SignedTargets metadata in the repo object.
-		// Any errors related to updating this delegation must occur before this point.
-		// If all of our changes were valid, we should edit the actual SignedTargets to match our copy
-		for _, k := range addKeys {
-			tgt.Signed.Delegations.Keys[k.ID()] = k
-		}
-		foundAt := utils.FindRoleIndex(tgt.Signed.Delegations.Roles, delgRole.Name)
-		if foundAt < 0 {
-			tgt.Signed.Delegations.Roles = append(tgt.Signed.Delegations.Roles, delgRole)
-		} else {
-			tgt.Signed.Delegations.Roles[foundAt] = delgRole
-		}
-		tgt.Dirty = true
-		utils.RemoveUnusedKeys(tgt)
-		return StopWalk{}
-	}
-}
-
-// UpdateDelegationKeys updates the appropriate delegations, either adding
-// a new delegation or updating an existing one. If keys are
-// provided, the IDs will be added to the role (if they do not exist
-// there already), and the keys will be added to the targets file.
-func (tr *Repo) UpdateDelegationKeys(roleName data.RoleName, addKeys data.KeyList, removeKeys []string, newThreshold int) error {
-	if !data.IsDelegation(roleName) {
-		return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
-	}
-	parent := roleName.Parent()
-
-	if err := tr.VerifyCanSign(parent); err != nil {
-		return err
-	}
-
-	// check the parent role's metadata
-	_, ok := tr.Targets[parent]
-	if !ok { // the parent targetfile may not exist yet - if not, then create it
-		var err error
-		_, err = tr.InitTargets(parent)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Walk to the parent of this delegation, since that is where its role metadata exists
-	// We do not have to verify that the walker reached its desired role in this scenario
-	// since we've already done another walk to the parent role in VerifyCanSign, and potentially made a targets file
-	return tr.WalkTargets("", roleName.Parent(), delegationUpdateVisitor(roleName, addKeys, removeKeys, []string{}, []string{}, false, newThreshold))
-}
-
-// PurgeDelegationKeys removes the provided canonical key IDs from all delegations
-// present in the subtree rooted at role. The role argument must be provided in a wildcard
-// format, i.e. targets/* would remove the key from all delegations in the repo
-func (tr *Repo) PurgeDelegationKeys(role data.RoleName, removeKeys []string) error {
-	if !data.IsWildDelegation(role) {
-		return data.ErrInvalidRole{
-			Role:   role,
-			Reason: "only wildcard roles can be used in a purge",
-		}
-	}
-
-	removeIDs := make(map[string]struct{})
-	for _, id := range removeKeys {
-		removeIDs[id] = struct{}{}
-	}
-
-	start := role.Parent()
-	tufIDToCanon := make(map[string]string)
-
-	purgeKeys := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		var (
-			deleteCandidates []string
-			err              error
-		)
-		for id, key := range tgt.Signed.Delegations.Keys {
-			var (
-				canonID string
-				ok      bool
-			)
-			if canonID, ok = tufIDToCanon[id]; !ok {
-				canonID, err = utils.CanonicalKeyID(key)
-				if err != nil {
-					return err
-				}
-				tufIDToCanon[id] = canonID
-			}
-			if _, ok := removeIDs[canonID]; ok {
-				deleteCandidates = append(deleteCandidates, id)
-			}
-		}
-		if len(deleteCandidates) == 0 {
-			// none of the interesting keys were present. We're done with this role
-			return nil
-		}
-		// now we know there are changes, check if we'll be able to sign them in
-		if err := tr.VerifyCanSign(validRole.Name); err != nil {
-			logrus.Warnf(
-				"role %s contains keys being purged but you do not have the necessary keys present to sign it; keys will not be purged from %s or its immediate children",
-				validRole.Name,
-				validRole.Name,
-			)
-			return nil
-		}
-		// we know we can sign in the changes, delete the keys
-		for _, id := range deleteCandidates {
-			delete(tgt.Signed.Delegations.Keys, id)
-		}
-		// delete candidate keys from all roles.
-		for _, role := range tgt.Signed.Delegations.Roles {
-			role.RemoveKeys(deleteCandidates)
-			if len(role.KeyIDs) < role.Threshold {
-				logrus.Warnf("role %s has fewer keys than its threshold of %d; it will not be usable until keys are added to it", role.Name, role.Threshold)
-			}
-		}
-		tgt.Dirty = true
-		return nil
-	}
-	return tr.WalkTargets("", start, purgeKeys)
-}
-
-// UpdateDelegationPaths updates the appropriate delegation's paths.
-// It is not allowed to create a new delegation.
-func (tr *Repo) UpdateDelegationPaths(roleName data.RoleName, addPaths, removePaths []string, clearPaths bool) error {
-	if !data.IsDelegation(roleName) {
-		return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
-	}
-	parent := roleName.Parent()
-
-	if err := tr.VerifyCanSign(parent); err != nil {
-		return err
-	}
-
-	// check the parent role's metadata
-	_, ok := tr.Targets[parent]
-	if !ok { // the parent targetfile may not exist yet
-		// if not, this is an error because a delegation must exist to edit only paths
-		return data.ErrInvalidRole{Role: roleName, Reason: "no valid delegated role exists"}
-	}
-
-	// Walk to the parent of this delegation, since that is where its role metadata exists
-	// We do not have to verify that the walker reached its desired role in this scenario
-	// since we've already done another walk to the parent role in VerifyCanSign
-	err := tr.WalkTargets("", parent, delegationUpdateVisitor(roleName, data.KeyList{}, []string{}, addPaths, removePaths, clearPaths, notary.MinThreshold))
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// DeleteDelegation removes a delegated targets role from its parent
-// targets object. It also deletes the delegation from the snapshot.
-// DeleteDelegation will only make use of the role Name field.
-func (tr *Repo) DeleteDelegation(roleName data.RoleName) error {
-	if !data.IsDelegation(roleName) {
-		return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
-	}
-
-	parent := roleName.Parent()
-	if err := tr.VerifyCanSign(parent); err != nil {
-		return err
-	}
-
-	// delete delegated data from Targets map and Snapshot - if they don't
-	// exist, these are no-op
-	delete(tr.Targets, roleName)
-	tr.Snapshot.DeleteMeta(roleName)
-
-	p, ok := tr.Targets[parent]
-	if !ok {
-		// if there is no parent metadata (the role exists though), then this
-		// is as good as done.
-		return nil
-	}
-
-	foundAt := utils.FindRoleIndex(p.Signed.Delegations.Roles, roleName)
-
-	if foundAt >= 0 {
-		var roles []*data.Role
-		// slice out deleted role
-		roles = append(roles, p.Signed.Delegations.Roles[:foundAt]...)
-		if foundAt+1 < len(p.Signed.Delegations.Roles) {
-			roles = append(roles, p.Signed.Delegations.Roles[foundAt+1:]...)
-		}
-		p.Signed.Delegations.Roles = roles
-
-		utils.RemoveUnusedKeys(p)
-
-		p.Dirty = true
-	} // if the role wasn't found, it's a good as deleted
-
-	return nil
-}
-
-// InitRoot initializes an empty root file with the 4 core roles passed to the
-// method, and the consistent flag.
-func (tr *Repo) InitRoot(root, timestamp, snapshot, targets data.BaseRole, consistent bool) error {
-	rootRoles := make(map[data.RoleName]*data.RootRole)
-	rootKeys := make(map[string]data.PublicKey)
-
-	for _, r := range []data.BaseRole{root, timestamp, snapshot, targets} {
-		rootRoles[r.Name] = &data.RootRole{
-			Threshold: r.Threshold,
-			KeyIDs:    r.ListKeyIDs(),
-		}
-		for kid, k := range r.Keys {
-			rootKeys[kid] = k
-		}
-	}
-	r, err := data.NewRoot(rootKeys, rootRoles, consistent)
-	if err != nil {
-		return err
-	}
-	tr.Root = r
-	tr.originalRootRole = root
-	return nil
-}
-
-// InitTargets initializes an empty targets, and returns the new empty target
-func (tr *Repo) InitTargets(role data.RoleName) (*data.SignedTargets, error) {
-	if !data.IsDelegation(role) && role != data.CanonicalTargetsRole {
-		return nil, data.ErrInvalidRole{
-			Role:   role,
-			Reason: fmt.Sprintf("role is not a valid targets role name: %s", role.String()),
-		}
-	}
-	targets := data.NewTargets()
-	tr.Targets[role] = targets
-	return targets, nil
-}
-
-// InitSnapshot initializes a snapshot based on the current root and targets
-func (tr *Repo) InitSnapshot() error {
-	if tr.Root == nil {
-		return ErrNotLoaded{Role: data.CanonicalRootRole}
-	}
-	root, err := tr.Root.ToSigned()
-	if err != nil {
-		return err
-	}
-
-	if _, ok := tr.Targets[data.CanonicalTargetsRole]; !ok {
-		return ErrNotLoaded{Role: data.CanonicalTargetsRole}
-	}
-	targets, err := tr.Targets[data.CanonicalTargetsRole].ToSigned()
-	if err != nil {
-		return err
-	}
-	snapshot, err := data.NewSnapshot(root, targets)
-	if err != nil {
-		return err
-	}
-	tr.Snapshot = snapshot
-	return nil
-}
-
-// InitTimestamp initializes a timestamp based on the current snapshot
-func (tr *Repo) InitTimestamp() error {
-	snap, err := tr.Snapshot.ToSigned()
-	if err != nil {
-		return err
-	}
-	timestamp, err := data.NewTimestamp(snap)
-	if err != nil {
-		return err
-	}
-
-	tr.Timestamp = timestamp
-	return nil
-}
-
-// TargetMeta returns the FileMeta entry for the given path in the
-// targets file associated with the given role. This may be nil if
-// the target isn't found in the targets file.
-func (tr Repo) TargetMeta(role data.RoleName, path string) *data.FileMeta {
-	if t, ok := tr.Targets[role]; ok {
-		if m, ok := t.Signed.Targets[path]; ok {
-			return &m
-		}
-	}
-	return nil
-}
-
-// TargetDelegations returns a slice of Roles that are valid publishers
-// for the target path provided.
-func (tr Repo) TargetDelegations(role data.RoleName, path string) []*data.Role {
-	var roles []*data.Role
-	if t, ok := tr.Targets[role]; ok {
-		for _, r := range t.Signed.Delegations.Roles {
-			if r.CheckPaths(path) {
-				roles = append(roles, r)
-			}
-		}
-	}
-	return roles
-}
-
-// VerifyCanSign returns nil if the role exists and we have at least one
-// signing key for the role, false otherwise.  This does not check that we have
-// enough signing keys to meet the threshold, since we want to support the use
-// case of multiple signers for a role.  It returns an error if the role doesn't
-// exist or if there are no signing keys.
-func (tr *Repo) VerifyCanSign(roleName data.RoleName) error {
-	var (
-		role            data.BaseRole
-		err             error
-		canonicalKeyIDs []string
-	)
-	// we only need the BaseRole part of a delegation because we're just
-	// checking KeyIDs
-	if data.IsDelegation(roleName) {
-		r, err := tr.GetDelegationRole(roleName)
-		if err != nil {
-			return err
-		}
-		role = r.BaseRole
-	} else {
-		role, err = tr.GetBaseRole(roleName)
-	}
-	if err != nil {
-		return data.ErrInvalidRole{Role: roleName, Reason: "does not exist"}
-	}
-
-	for keyID, k := range role.Keys {
-		check := []string{keyID}
-		if canonicalID, err := utils.CanonicalKeyID(k); err == nil {
-			check = append(check, canonicalID)
-			canonicalKeyIDs = append(canonicalKeyIDs, canonicalID)
-		}
-		for _, id := range check {
-			p, _, err := tr.cryptoService.GetPrivateKey(id)
-			if err == nil && p != nil {
-				return nil
-			}
-		}
-	}
-	return signed.ErrNoKeys{KeyIDs: canonicalKeyIDs}
-}
-
-// used for walking the targets/delegations tree, potentially modifying the underlying SignedTargets for the repo
-type walkVisitorFunc func(*data.SignedTargets, data.DelegationRole) interface{}
-
-// WalkTargets will apply the specified visitor function to iteratively walk the targets/delegation metadata tree,
-// until receiving a StopWalk.  The walk starts from the base "targets" role, and searches for the correct targetPath and/or rolePath
-// to call the visitor function on.  Any roles passed into skipRoles will be excluded from the walk, as well as roles in those subtrees
-func (tr *Repo) WalkTargets(targetPath string, rolePath data.RoleName, visitTargets walkVisitorFunc, skipRoles ...data.RoleName) error {
-	// Start with the base targets role, which implicitly has the "" targets path
-	targetsRole, err := tr.GetBaseRole(data.CanonicalTargetsRole)
-	if err != nil {
-		return err
-	}
-	// Make the targets role have the empty path, when we treat it as a delegation role
-	roles := []data.DelegationRole{
-		{
-			BaseRole: targetsRole,
-			Paths:    []string{""},
-		},
-	}
-
-	for len(roles) > 0 {
-		role := roles[0]
-		roles = roles[1:]
-
-		// Check the role metadata
-		signedTgt, ok := tr.Targets[role.Name]
-		if !ok {
-			// The role meta doesn't exist in the repo so continue onward
-			continue
-		}
-
-		// We're at a prefix of the desired role subtree, so add its delegation role children and continue walking
-		if strings.HasPrefix(rolePath.String(), role.Name.String()+"/") {
-			roles = append(roles, signedTgt.GetValidDelegations(role)...)
-			continue
-		}
-
-		// Determine whether to visit this role or not:
-		// If the paths validate against the specified targetPath and the role is empty or is a path in the subtree.
-		// Also check if we are choosing to skip visiting this role on this walk (see ListTargets and GetTargetByName priority)
-		if isValidPath(targetPath, role) && isAncestorRole(role.Name, rolePath) && !utils.RoleNameSliceContains(skipRoles, role.Name) {
-			// If we had matching path or role name, visit this target and determine whether or not to keep walking
-			res := visitTargets(signedTgt, role)
-			switch typedRes := res.(type) {
-			case StopWalk:
-				// If the visitor function signalled a stop, return nil to finish the walk
-				return nil
-			case nil:
-				// If the visitor function signalled to continue, add this role's delegation to the walk
-				roles = append(roles, signedTgt.GetValidDelegations(role)...)
-			case error:
-				// Propagate any errors from the visitor
-				return typedRes
-			default:
-				// Return out with an error if we got a different result
-				return fmt.Errorf("unexpected return while walking: %v", res)
-			}
-
-		}
-	}
-	return nil
-}
-
-// helper function that returns whether the candidateChild role name is an ancestor or equal to the candidateAncestor role name
-// Will return true if given an empty candidateAncestor role name
-// The HasPrefix check is for determining whether the role name for candidateChild is a child (direct or further down the chain)
-// of candidateAncestor, for ex: candidateAncestor targets/a and candidateChild targets/a/b/c
-func isAncestorRole(candidateChild data.RoleName, candidateAncestor data.RoleName) bool {
-	return candidateAncestor.String() == "" || candidateAncestor == candidateChild || strings.HasPrefix(candidateChild.String(), candidateAncestor.String()+"/")
-}
-
-// helper function that returns whether the delegation Role is valid against the given path
-// Will return true if given an empty candidatePath
-func isValidPath(candidatePath string, delgRole data.DelegationRole) bool {
-	return candidatePath == "" || delgRole.CheckPaths(candidatePath)
-}
-
-// AddTargets will attempt to add the given targets specifically to
-// the directed role. If the metadata for the role doesn't exist yet,
-// AddTargets will create one.
-func (tr *Repo) AddTargets(role data.RoleName, targets data.Files) (data.Files, error) {
-	cantSignErr := tr.VerifyCanSign(role)
-	if _, ok := cantSignErr.(data.ErrInvalidRole); ok {
-		return nil, cantSignErr
-	}
-	var needSign bool
-
-	// check existence of the role's metadata
-	_, ok := tr.Targets[role]
-	if !ok { // the targetfile may not exist yet - if not, then create it
-		var err error
-		_, err = tr.InitTargets(role)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	addedTargets := make(data.Files)
-	addTargetVisitor := func(targetPath string, targetMeta data.FileMeta) func(*data.SignedTargets, data.DelegationRole) interface{} {
-		return func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			// We've already validated the role's target path in our walk, so just modify the metadata
-			if targetMeta.Equals(tgt.Signed.Targets[targetPath]) {
-				// Also add to our new addedTargets map because this target was "added" successfully
-				addedTargets[targetPath] = targetMeta
-				return StopWalk{}
-			}
-			needSign = true
-			if cantSignErr == nil {
-				tgt.Signed.Targets[targetPath] = targetMeta
-				tgt.Dirty = true
-				// Also add to our new addedTargets map to keep track of every target we've added successfully
-				addedTargets[targetPath] = targetMeta
-			}
-			return StopWalk{}
-		}
-	}
-
-	// Walk the role tree while validating the target paths, and add all of our targets
-	for path, target := range targets {
-		tr.WalkTargets(path, role, addTargetVisitor(path, target))
-		if needSign && cantSignErr != nil {
-			return nil, cantSignErr
-		}
-	}
-	if len(addedTargets) != len(targets) {
-		return nil, fmt.Errorf("Could not add all targets")
-	}
-	return nil, nil
-}
-
-// RemoveTargets removes the given target (paths) from the given target role (delegation)
-func (tr *Repo) RemoveTargets(role data.RoleName, targets ...string) error {
-	cantSignErr := tr.VerifyCanSign(role)
-	if _, ok := cantSignErr.(data.ErrInvalidRole); ok {
-		return cantSignErr
-	}
-	var needSign bool
-	removeTargetVisitor := func(targetPath string) func(*data.SignedTargets, data.DelegationRole) interface{} {
-		return func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			// We've already validated the role path in our walk, so just modify the metadata
-			// We don't check against the target path against the valid role paths because it's
-			// possible we got into an invalid state and are trying to fix it
-			if _, needSign = tgt.Signed.Targets[targetPath]; needSign && cantSignErr == nil {
-				delete(tgt.Signed.Targets, targetPath)
-				tgt.Dirty = true
-			}
-			return StopWalk{}
-		}
-	}
-
-	// if the role exists but metadata does not yet, then our work is done
-	_, ok := tr.Targets[role]
-	if ok {
-		for _, path := range targets {
-			tr.WalkTargets("", role, removeTargetVisitor(path))
-			if needSign && cantSignErr != nil {
-				return cantSignErr
-			}
-		}
-	}
-
-	return nil
-}
-
-// UpdateSnapshot updates the FileMeta for the given role based on the Signed object
-func (tr *Repo) UpdateSnapshot(role data.RoleName, s *data.Signed) error {
-	jsonData, err := json.Marshal(s)
-	if err != nil {
-		return err
-	}
-	meta, err := data.NewFileMeta(bytes.NewReader(jsonData), data.NotaryDefaultHashes...)
-	if err != nil {
-		return err
-	}
-	tr.Snapshot.Signed.Meta[role.String()] = meta
-	tr.Snapshot.Dirty = true
-	return nil
-}
-
-// UpdateTimestamp updates the snapshot meta in the timestamp based on the Signed object
-func (tr *Repo) UpdateTimestamp(s *data.Signed) error {
-	jsonData, err := json.Marshal(s)
-	if err != nil {
-		return err
-	}
-	meta, err := data.NewFileMeta(bytes.NewReader(jsonData), data.NotaryDefaultHashes...)
-	if err != nil {
-		return err
-	}
-	tr.Timestamp.Signed.Meta[data.CanonicalSnapshotRole.String()] = meta
-	tr.Timestamp.Dirty = true
-	return nil
-}
-
-// SignRoot signs the root, using all keys from the "root" role (i.e. currently trusted)
-// as well as available keys used to sign the previous version, if the public part is
-// carried in tr.Root.Keys and the private key is available (i.e. probably previously
-// trusted keys, to allow rollover).  If there are any errors, attempt to put root
-// back to the way it was (so version won't be incremented, for instance).
-// Extra signing keys can be added to support older clients
-func (tr *Repo) SignRoot(expires time.Time, extraSigningKeys data.KeyList) (*data.Signed, error) {
-	logrus.Debug("signing root...")
-
-	// duplicate root and attempt to modify it rather than the existing root
-	rootBytes, err := tr.Root.MarshalJSON()
-	if err != nil {
-		return nil, err
-	}
-	tempRoot := data.SignedRoot{}
-	if err := json.Unmarshal(rootBytes, &tempRoot); err != nil {
-		return nil, err
-	}
-
-	currRoot, err := tr.GetBaseRole(data.CanonicalRootRole)
-	if err != nil {
-		return nil, err
-	}
-
-	var rolesToSignWith []data.BaseRole
-
-	// If the root role (root keys or root threshold) has changed, sign with the
-	// previous root role keys
-	if !tr.originalRootRole.Equals(currRoot) {
-		rolesToSignWith = append(rolesToSignWith, tr.originalRootRole)
-	}
-
-	tempRoot.Signed.Expires = expires
-	tempRoot.Signed.Version++
-	rolesToSignWith = append(rolesToSignWith, currRoot)
-
-	signed, err := tempRoot.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-
-	signed, err = tr.sign(signed, rolesToSignWith, extraSigningKeys)
-	if err != nil {
-		return nil, err
-	}
-
-	tr.Root = &tempRoot
-	tr.Root.Signatures = signed.Signatures
-	tr.originalRootRole = currRoot
-	return signed, nil
-}
-
-func oldRootVersionName(version int) string {
-	return fmt.Sprintf("%s.%v", data.CanonicalRootRole, version)
-}
-
-// SignTargets signs the targets file for the given top level or delegated targets role
-func (tr *Repo) SignTargets(role data.RoleName, expires time.Time) (*data.Signed, error) {
-	logrus.Debugf("sign targets called for role %s", role)
-	if _, ok := tr.Targets[role]; !ok {
-		return nil, data.ErrInvalidRole{
-			Role:   role,
-			Reason: "SignTargets called with non-existent targets role",
-		}
-	}
-	tr.Targets[role].Signed.Expires = expires
-	tr.Targets[role].Signed.Version++
-	signed, err := tr.Targets[role].ToSigned()
-	if err != nil {
-		logrus.Debug("errored getting targets data.Signed object")
-		return nil, err
-	}
-
-	var targets data.BaseRole
-	if role == data.CanonicalTargetsRole {
-		targets, err = tr.GetBaseRole(role)
-	} else {
-		tr, err := tr.GetDelegationRole(role)
-		if err != nil {
-			return nil, err
-		}
-		targets = tr.BaseRole
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	signed, err = tr.sign(signed, []data.BaseRole{targets}, nil)
-	if err != nil {
-		logrus.Debug("errored signing ", role)
-		return nil, err
-	}
-	tr.Targets[role].Signatures = signed.Signatures
-	return signed, nil
-}
-
-// SignSnapshot updates the snapshot based on the current targets and root then signs it
-func (tr *Repo) SignSnapshot(expires time.Time) (*data.Signed, error) {
-	logrus.Debug("signing snapshot...")
-	signedRoot, err := tr.Root.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	err = tr.UpdateSnapshot(data.CanonicalRootRole, signedRoot)
-	if err != nil {
-		return nil, err
-	}
-	tr.Root.Dirty = false // root dirty until changes captures in snapshot
-	for role, targets := range tr.Targets {
-		signedTargets, err := targets.ToSigned()
-		if err != nil {
-			return nil, err
-		}
-		err = tr.UpdateSnapshot(role, signedTargets)
-		if err != nil {
-			return nil, err
-		}
-		targets.Dirty = false
-	}
-	tr.Snapshot.Signed.Expires = expires
-	tr.Snapshot.Signed.Version++
-	signed, err := tr.Snapshot.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	snapshot, err := tr.GetBaseRole(data.CanonicalSnapshotRole)
-	if err != nil {
-		return nil, err
-	}
-	signed, err = tr.sign(signed, []data.BaseRole{snapshot}, nil)
-	if err != nil {
-		return nil, err
-	}
-	tr.Snapshot.Signatures = signed.Signatures
-	return signed, nil
-}
-
-// SignTimestamp updates the timestamp based on the current snapshot then signs it
-func (tr *Repo) SignTimestamp(expires time.Time) (*data.Signed, error) {
-	logrus.Debug("SignTimestamp")
-	signedSnapshot, err := tr.Snapshot.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	err = tr.UpdateTimestamp(signedSnapshot)
-	if err != nil {
-		return nil, err
-	}
-	tr.Timestamp.Signed.Expires = expires
-	tr.Timestamp.Signed.Version++
-	signed, err := tr.Timestamp.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	timestamp, err := tr.GetBaseRole(data.CanonicalTimestampRole)
-	if err != nil {
-		return nil, err
-	}
-	signed, err = tr.sign(signed, []data.BaseRole{timestamp}, nil)
-	if err != nil {
-		return nil, err
-	}
-	tr.Timestamp.Signatures = signed.Signatures
-	tr.Snapshot.Dirty = false // snapshot is dirty until changes have been captured in timestamp
-	return signed, nil
-}
-
-func (tr Repo) sign(signedData *data.Signed, roles []data.BaseRole, optionalKeys []data.PublicKey) (*data.Signed, error) {
-	validKeys := optionalKeys
-	for _, r := range roles {
-		roleKeys := r.ListKeys()
-		validKeys = append(roleKeys, validKeys...)
-		if err := signed.Sign(tr.cryptoService, signedData, roleKeys, r.Threshold, validKeys); err != nil {
-			return nil, err
-		}
-	}
-	// Attempt to sign with the optional keys, but ignore any errors, because these keys are optional
-	signed.Sign(tr.cryptoService, signedData, optionalKeys, 0, validKeys)
-
-	return signedData, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/utils/pkcs8.go b/vendor/github.com/theupdateframework/notary/tuf/utils/pkcs8.go
deleted file mode 100644
index ff01d281..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/pkcs8.go
+++ /dev/null
@@ -1,341 +0,0 @@
-// Package utils contains tuf related utility functions however this file is hard
-// forked from https://github.com/youmark/pkcs8 package. It has been further modified
-// based on the requirements of Notary. For converting keys into PKCS#8 format,
-// original package expected *crypto.PrivateKey interface, which then type inferred
-// to either *rsa.PrivateKey or *ecdsa.PrivateKey depending on the need and later
-// converted to ASN.1 DER encoded form, this whole process was superfluous here as
-// keys are already being kept in ASN.1 DER format wrapped in data.PrivateKey
-// structure. With these changes, package has became tightly coupled with notary as
-// most of the method signatures have been updated. Moreover support for ED25519
-// keys has been added as well. License for original package is following:
-//
-// The MIT License (MIT)
-//
-// Copyright (c) 2014 youmark
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all
-// copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-// SOFTWARE.
-package utils
-
-import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha1" // #nosec
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"errors"
-	"fmt"
-
-	"golang.org/x/crypto/pbkdf2"
-
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// Copy from crypto/x509
-var (
-	oidPublicKeyRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
-	oidPublicKeyDSA   = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
-	oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
-	// crypto/x509 doesn't have support for ED25519
-	// http://www.oid-info.com/get/1.3.6.1.4.1.11591.15.1
-	oidPublicKeyED25519 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11591, 15, 1}
-)
-
-// Copy from crypto/x509
-var (
-	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
-	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
-	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
-	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
-)
-
-// Copy from crypto/x509
-func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
-	switch curve {
-	case elliptic.P224():
-		return oidNamedCurveP224, true
-	case elliptic.P256():
-		return oidNamedCurveP256, true
-	case elliptic.P384():
-		return oidNamedCurveP384, true
-	case elliptic.P521():
-		return oidNamedCurveP521, true
-	}
-
-	return nil, false
-}
-
-// Unecrypted PKCS8
-var (
-	oidPKCS5PBKDF2 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 12}
-	oidPBES2       = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
-	oidAES256CBC   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}
-)
-
-type ecPrivateKey struct {
-	Version       int
-	PrivateKey    []byte
-	NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
-	PublicKey     asn1.BitString        `asn1:"optional,explicit,tag:1"`
-}
-
-type privateKeyInfo struct {
-	Version             int
-	PrivateKeyAlgorithm []asn1.ObjectIdentifier
-	PrivateKey          []byte
-}
-
-// Encrypted PKCS8
-type pbkdf2Params struct {
-	Salt           []byte
-	IterationCount int
-}
-
-type pbkdf2Algorithms struct {
-	IDPBKDF2     asn1.ObjectIdentifier
-	PBKDF2Params pbkdf2Params
-}
-
-type pbkdf2Encs struct {
-	EncryAlgo asn1.ObjectIdentifier
-	IV        []byte
-}
-
-type pbes2Params struct {
-	KeyDerivationFunc pbkdf2Algorithms
-	EncryptionScheme  pbkdf2Encs
-}
-
-type pbes2Algorithms struct {
-	IDPBES2     asn1.ObjectIdentifier
-	PBES2Params pbes2Params
-}
-
-type encryptedPrivateKeyInfo struct {
-	EncryptionAlgorithm pbes2Algorithms
-	EncryptedData       []byte
-}
-
-// pkcs8 reflects an ASN.1, PKCS#8 PrivateKey.
-// copied from https://github.com/golang/go/blob/964639cc338db650ccadeafb7424bc8ebb2c0f6c/src/crypto/x509/pkcs8.go#L17
-type pkcs8 struct {
-	Version    int
-	Algo       pkix.AlgorithmIdentifier
-	PrivateKey []byte
-}
-
-func parsePKCS8ToTufKey(der []byte) (data.PrivateKey, error) {
-	var key pkcs8
-
-	if _, err := asn1.Unmarshal(der, &key); err != nil {
-		if _, ok := err.(asn1.StructuralError); ok {
-			return nil, errors.New("could not decrypt private key")
-		}
-		return nil, err
-	}
-
-	if key.Algo.Algorithm.Equal(oidPublicKeyED25519) {
-		tufED25519PrivateKey, err := ED25519ToPrivateKey(key.PrivateKey)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert ed25519.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufED25519PrivateKey, nil
-	}
-
-	privKey, err := x509.ParsePKCS8PrivateKey(der)
-	if err != nil {
-		return nil, err
-	}
-
-	switch priv := privKey.(type) {
-	case *rsa.PrivateKey:
-		tufRSAPrivateKey, err := RSAToPrivateKey(priv)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert rsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufRSAPrivateKey, nil
-	case *ecdsa.PrivateKey:
-		tufECDSAPrivateKey, err := ECDSAToPrivateKey(priv)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert ecdsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufECDSAPrivateKey, nil
-	}
-
-	return nil, errors.New("unsupported key type")
-}
-
-// ParsePKCS8ToTufKey requires PKCS#8 key in DER format and returns data.PrivateKey
-// Password should be provided in case of Encrypted PKCS#8 key, else it should be nil.
-func ParsePKCS8ToTufKey(der []byte, password []byte) (data.PrivateKey, error) {
-	if password == nil {
-		return parsePKCS8ToTufKey(der)
-	}
-
-	var privKey encryptedPrivateKeyInfo
-	if _, err := asn1.Unmarshal(der, &privKey); err != nil {
-		return nil, errors.New("pkcs8: only PKCS #5 v2.0 supported")
-	}
-
-	if !privKey.EncryptionAlgorithm.IDPBES2.Equal(oidPBES2) {
-		return nil, errors.New("pkcs8: only PBES2 supported")
-	}
-
-	if !privKey.EncryptionAlgorithm.PBES2Params.KeyDerivationFunc.IDPBKDF2.Equal(oidPKCS5PBKDF2) {
-		return nil, errors.New("pkcs8: only PBKDF2 supported")
-	}
-
-	encParam := privKey.EncryptionAlgorithm.PBES2Params.EncryptionScheme
-	kdfParam := privKey.EncryptionAlgorithm.PBES2Params.KeyDerivationFunc.PBKDF2Params
-
-	switch {
-	case encParam.EncryAlgo.Equal(oidAES256CBC):
-		iv := encParam.IV
-		salt := kdfParam.Salt
-		iter := kdfParam.IterationCount
-
-		encryptedKey := privKey.EncryptedData
-		symkey := pbkdf2.Key(password, salt, iter, 32, sha1.New)
-		block, err := aes.NewCipher(symkey)
-		if err != nil {
-			return nil, err
-		}
-		mode := cipher.NewCBCDecrypter(block, iv)
-		mode.CryptBlocks(encryptedKey, encryptedKey)
-
-		// no need to explicitly remove padding, as ASN.1 unmarshalling will automatically discard it
-		key, err := parsePKCS8ToTufKey(encryptedKey)
-		if err != nil {
-			return nil, errors.New("pkcs8: incorrect password")
-		}
-
-		return key, nil
-	default:
-		return nil, errors.New("pkcs8: only AES-256-CBC supported")
-	}
-
-}
-
-func convertTUFKeyToPKCS8(priv data.PrivateKey) ([]byte, error) {
-	var pkey privateKeyInfo
-
-	switch priv.Algorithm() {
-	case data.RSAKey, data.RSAx509Key:
-		// Per RFC5958, if publicKey is present, then version is set to v2(1) else version is set to v1(0).
-		// But openssl set to v1 even publicKey is present
-		pkey.Version = 0
-		pkey.PrivateKeyAlgorithm = make([]asn1.ObjectIdentifier, 1)
-		pkey.PrivateKeyAlgorithm[0] = oidPublicKeyRSA
-		pkey.PrivateKey = priv.Private()
-	case data.ECDSAKey, data.ECDSAx509Key:
-		// To extract Curve value, parsing ECDSA key to *ecdsa.PrivateKey
-		eckey, err := x509.ParseECPrivateKey(priv.Private())
-		if err != nil {
-			return nil, err
-		}
-
-		oidNamedCurve, ok := oidFromNamedCurve(eckey.Curve)
-		if !ok {
-			return nil, errors.New("pkcs8: unknown elliptic curve")
-		}
-
-		// Per RFC5958, if publicKey is present, then version is set to v2(1) else version is set to v1(0).
-		// But openssl set to v1 even publicKey is present
-		pkey.Version = 1
-		pkey.PrivateKeyAlgorithm = make([]asn1.ObjectIdentifier, 2)
-		pkey.PrivateKeyAlgorithm[0] = oidPublicKeyECDSA
-		pkey.PrivateKeyAlgorithm[1] = oidNamedCurve
-		pkey.PrivateKey = priv.Private()
-	case data.ED25519Key:
-		pkey.Version = 0
-		pkey.PrivateKeyAlgorithm = make([]asn1.ObjectIdentifier, 1)
-		pkey.PrivateKeyAlgorithm[0] = oidPublicKeyED25519
-		pkey.PrivateKey = priv.Private()
-	default:
-		return nil, fmt.Errorf("algorithm %s not supported", priv.Algorithm())
-	}
-
-	return asn1.Marshal(pkey)
-}
-
-func convertTUFKeyToPKCS8Encrypted(priv data.PrivateKey, password []byte) ([]byte, error) {
-	// Convert private key into PKCS8 format
-	pkey, err := convertTUFKeyToPKCS8(priv)
-	if err != nil {
-		return nil, err
-	}
-
-	// Calculate key from password based on PKCS5 algorithm
-	// Use 8 byte salt, 16 byte IV, and 2048 iteration
-	iter := 2048
-	salt := make([]byte, 8)
-	iv := make([]byte, 16)
-	_, err = rand.Reader.Read(salt)
-	if err != nil {
-		return nil, err
-	}
-
-	_, err = rand.Reader.Read(iv)
-	if err != nil {
-		return nil, err
-	}
-
-	key := pbkdf2.Key(password, salt, iter, 32, sha1.New)
-
-	// Use AES256-CBC mode, pad plaintext with PKCS5 padding scheme
-	padding := aes.BlockSize - len(pkey)%aes.BlockSize
-	if padding > 0 {
-		n := len(pkey)
-		pkey = append(pkey, make([]byte, padding)...)
-		for i := 0; i < padding; i++ {
-			pkey[n+i] = byte(padding)
-		}
-	}
-
-	encryptedKey := make([]byte, len(pkey))
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-	mode := cipher.NewCBCEncrypter(block, iv)
-	mode.CryptBlocks(encryptedKey, pkey)
-
-	pbkdf2algo := pbkdf2Algorithms{oidPKCS5PBKDF2, pbkdf2Params{salt, iter}}
-	pbkdf2encs := pbkdf2Encs{oidAES256CBC, iv}
-	pbes2algo := pbes2Algorithms{oidPBES2, pbes2Params{pbkdf2algo, pbkdf2encs}}
-
-	encryptedPkey := encryptedPrivateKeyInfo{pbes2algo, encryptedKey}
-	return asn1.Marshal(encryptedPkey)
-}
-
-// ConvertTUFKeyToPKCS8 converts a private key (data.Private) to PKCS#8 and returns in DER format
-// if password is not nil, it would convert the Private Key to Encrypted PKCS#8.
-func ConvertTUFKeyToPKCS8(priv data.PrivateKey, password []byte) ([]byte, error) {
-	if password == nil {
-		return convertTUFKeyToPKCS8(priv)
-	}
-	return convertTUFKeyToPKCS8Encrypted(priv, password)
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/utils/role_sort.go b/vendor/github.com/theupdateframework/notary/tuf/utils/role_sort.go
deleted file mode 100644
index 368925c3..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/role_sort.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package utils
-
-import (
-	"strings"
-)
-
-// RoleList is a list of roles
-type RoleList []string
-
-// Len returns the length of the list
-func (r RoleList) Len() int {
-	return len(r)
-}
-
-// Less returns true if the item at i should be sorted
-// before the item at j. It's an unstable partial ordering
-// based on the number of segments, separated by "/", in
-// the role name
-func (r RoleList) Less(i, j int) bool {
-	segsI := strings.Split(r[i], "/")
-	segsJ := strings.Split(r[j], "/")
-	if len(segsI) == len(segsJ) {
-		return r[i] < r[j]
-	}
-	return len(segsI) < len(segsJ)
-}
-
-// Swap the items at 2 locations in the list
-func (r RoleList) Swap(i, j int) {
-	r[i], r[j] = r[j], r[i]
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/utils/stack.go b/vendor/github.com/theupdateframework/notary/tuf/utils/stack.go
deleted file mode 100644
index e79b5c86..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/stack.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package utils
-
-import (
-	"fmt"
-	"sync"
-)
-
-// ErrEmptyStack is used when an action that requires some
-// content is invoked and the stack is empty
-type ErrEmptyStack struct {
-	action string
-}
-
-func (err ErrEmptyStack) Error() string {
-	return fmt.Sprintf("attempted to %s with empty stack", err.action)
-}
-
-// ErrBadTypeCast is used by PopX functions when the item
-// cannot be typed to X
-type ErrBadTypeCast struct{}
-
-func (err ErrBadTypeCast) Error() string {
-	return "attempted to do a typed pop and item was not of type"
-}
-
-// Stack is a simple type agnostic stack implementation
-type Stack struct {
-	s []interface{}
-	l sync.Mutex
-}
-
-// NewStack create a new stack
-func NewStack() *Stack {
-	s := &Stack{
-		s: make([]interface{}, 0),
-	}
-	return s
-}
-
-// Push adds an item to the top of the stack.
-func (s *Stack) Push(item interface{}) {
-	s.l.Lock()
-	defer s.l.Unlock()
-	s.s = append(s.s, item)
-}
-
-// Pop removes and returns the top item on the stack, or returns
-// ErrEmptyStack if the stack has no content
-func (s *Stack) Pop() (interface{}, error) {
-	s.l.Lock()
-	defer s.l.Unlock()
-	l := len(s.s)
-	if l > 0 {
-		item := s.s[l-1]
-		s.s = s.s[:l-1]
-		return item, nil
-	}
-	return nil, ErrEmptyStack{action: "Pop"}
-}
-
-// PopString attempts to cast the top item on the stack to the string type.
-// If this succeeds, it removes and returns the top item. If the item
-// is not of the string type, ErrBadTypeCast is returned. If the stack
-// is empty, ErrEmptyStack is returned
-func (s *Stack) PopString() (string, error) {
-	s.l.Lock()
-	defer s.l.Unlock()
-	l := len(s.s)
-	if l > 0 {
-		item := s.s[l-1]
-		if item, ok := item.(string); ok {
-			s.s = s.s[:l-1]
-			return item, nil
-		}
-		return "", ErrBadTypeCast{}
-	}
-	return "", ErrEmptyStack{action: "PopString"}
-}
-
-// Empty returns true if the stack is empty
-func (s *Stack) Empty() bool {
-	s.l.Lock()
-	defer s.l.Unlock()
-	return len(s.s) == 0
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/utils/utils.go b/vendor/github.com/theupdateframework/notary/tuf/utils/utils.go
deleted file mode 100644
index cf054c22..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/utils.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package utils
-
-import (
-	"crypto/sha256"
-	"crypto/sha512"
-	"encoding/hex"
-	"fmt"
-	"io"
-
-	"github.com/theupdateframework/notary/tuf/data"
-)
-
-// StrSliceContains checks if the given string appears in the slice
-func StrSliceContains(ss []string, s string) bool {
-	for _, v := range ss {
-		if v == s {
-			return true
-		}
-	}
-	return false
-}
-
-// RoleNameSliceContains checks if the given string appears in the slice
-func RoleNameSliceContains(ss []data.RoleName, s data.RoleName) bool {
-	for _, v := range ss {
-		if v == s {
-			return true
-		}
-	}
-	return false
-}
-
-// RoleNameSliceRemove removes the given RoleName from the slice, returning a new slice
-func RoleNameSliceRemove(ss []data.RoleName, s data.RoleName) []data.RoleName {
-	res := []data.RoleName{}
-	for _, v := range ss {
-		if v != s {
-			res = append(res, v)
-		}
-	}
-	return res
-}
-
-// NoopCloser is a simple Reader wrapper that does nothing when Close is
-// called
-type NoopCloser struct {
-	io.Reader
-}
-
-// Close does nothing for a NoopCloser
-func (nc *NoopCloser) Close() error {
-	return nil
-}
-
-// DoHash returns the digest of d using the hashing algorithm named
-// in alg
-func DoHash(alg string, d []byte) []byte {
-	switch alg {
-	case "sha256":
-		digest := sha256.Sum256(d)
-		return digest[:]
-	case "sha512":
-		digest := sha512.Sum512(d)
-		return digest[:]
-	}
-	return nil
-}
-
-// UnusedDelegationKeys prunes a list of keys, returning those that are no
-// longer in use for a given targets file
-func UnusedDelegationKeys(t data.SignedTargets) []string {
-	// compare ids to all still active key ids in all active roles
-	// with the targets file
-	found := make(map[string]bool)
-	for _, r := range t.Signed.Delegations.Roles {
-		for _, id := range r.KeyIDs {
-			found[id] = true
-		}
-	}
-	var discard []string
-	for id := range t.Signed.Delegations.Keys {
-		if !found[id] {
-			discard = append(discard, id)
-		}
-	}
-	return discard
-}
-
-// RemoveUnusedKeys determines which keys in the slice of IDs are no longer
-// used in the given targets file and removes them from the delegated keys
-// map
-func RemoveUnusedKeys(t *data.SignedTargets) {
-	unusedIDs := UnusedDelegationKeys(*t)
-	for _, id := range unusedIDs {
-		delete(t.Signed.Delegations.Keys, id)
-	}
-}
-
-// FindRoleIndex returns the index of the role named <name> or -1 if no
-// matching role is found.
-func FindRoleIndex(rs []*data.Role, name data.RoleName) int {
-	for i, r := range rs {
-		if r.Name == name {
-			return i
-		}
-	}
-	return -1
-}
-
-// ConsistentName generates the appropriate HTTP URL path for the role,
-// based on whether the repo is marked as consistent. The RemoteStore
-// is responsible for adding file extensions.
-func ConsistentName(role string, hashSHA256 []byte) string {
-	if len(hashSHA256) > 0 {
-		hash := hex.EncodeToString(hashSHA256)
-		return fmt.Sprintf("%s.%s", role, hash)
-	}
-	return role
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/utils/x509.go b/vendor/github.com/theupdateframework/notary/tuf/utils/x509.go
deleted file mode 100644
index 02a73b31..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/utils/x509.go
+++ /dev/null
@@ -1,564 +0,0 @@
-package utils
-
-import (
-	"bytes"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"math/big"
-	"time"
-
-	"github.com/sirupsen/logrus"
-	"github.com/theupdateframework/notary"
-	"github.com/theupdateframework/notary/tuf/data"
-	"golang.org/x/crypto/ed25519"
-)
-
-// CanonicalKeyID returns the ID of the public bytes version of a TUF key.
-// On regular RSA/ECDSA TUF keys, this is just the key ID.  On X509 RSA/ECDSA
-// TUF keys, this is the key ID of the public key part of the key in the leaf cert
-func CanonicalKeyID(k data.PublicKey) (string, error) {
-	if k == nil {
-		return "", errors.New("public key is nil")
-	}
-	switch k.Algorithm() {
-	case data.ECDSAx509Key, data.RSAx509Key:
-		return X509PublicKeyID(k)
-	default:
-		return k.ID(), nil
-	}
-}
-
-// LoadCertFromPEM returns the first certificate found in a bunch of bytes or error
-// if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.
-func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) {
-	for len(pemBytes) > 0 {
-		var block *pem.Block
-		block, pemBytes = pem.Decode(pemBytes)
-		if block == nil {
-			return nil, errors.New("no certificates found in PEM data")
-		}
-		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
-			continue
-		}
-
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			continue
-		}
-
-		return cert, nil
-	}
-
-	return nil, errors.New("no certificates found in PEM data")
-}
-
-// X509PublicKeyID returns a public key ID as a string, given a
-// data.PublicKey that contains an X509 Certificate
-func X509PublicKeyID(certPubKey data.PublicKey) (string, error) {
-	// Note that this only loads the first certificate from the public key
-	cert, err := LoadCertFromPEM(certPubKey.Public())
-	if err != nil {
-		return "", err
-	}
-	pubKeyBytes, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
-	if err != nil {
-		return "", err
-	}
-
-	var key data.PublicKey
-	switch certPubKey.Algorithm() {
-	case data.ECDSAx509Key:
-		key = data.NewECDSAPublicKey(pubKeyBytes)
-	case data.RSAx509Key:
-		key = data.NewRSAPublicKey(pubKeyBytes)
-	}
-
-	return key.ID(), nil
-}
-
-func parseLegacyPrivateKey(block *pem.Block, passphrase string) (data.PrivateKey, error) {
-	var privKeyBytes []byte
-	var err error
-	if x509.IsEncryptedPEMBlock(block) {
-		privKeyBytes, err = x509.DecryptPEMBlock(block, []byte(passphrase))
-		if err != nil {
-			return nil, errors.New("could not decrypt private key")
-		}
-	} else {
-		privKeyBytes = block.Bytes
-	}
-
-	switch block.Type {
-	case "RSA PRIVATE KEY":
-		rsaPrivKey, err := x509.ParsePKCS1PrivateKey(privKeyBytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse DER encoded key: %v", err)
-		}
-
-		tufRSAPrivateKey, err := RSAToPrivateKey(rsaPrivKey)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert rsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufRSAPrivateKey, nil
-	case "EC PRIVATE KEY":
-		ecdsaPrivKey, err := x509.ParseECPrivateKey(privKeyBytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse DER encoded private key: %v", err)
-		}
-
-		tufECDSAPrivateKey, err := ECDSAToPrivateKey(ecdsaPrivKey)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert ecdsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufECDSAPrivateKey, nil
-	case "ED25519 PRIVATE KEY":
-		// We serialize ED25519 keys by concatenating the private key
-		// to the public key and encoding with PEM. See the
-		// ED25519ToPrivateKey function.
-		tufECDSAPrivateKey, err := ED25519ToPrivateKey(privKeyBytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert ecdsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufECDSAPrivateKey, nil
-
-	default:
-		return nil, fmt.Errorf("unsupported key type %q", block.Type)
-	}
-}
-
-// ParsePEMPrivateKey returns a data.PrivateKey from a PEM encoded private key. It
-// supports PKCS#8 as well as RSA/ECDSA (PKCS#1) only in non-FIPS mode and
-// attempts to decrypt using the passphrase, if encrypted.
-func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error) {
-	return parsePEMPrivateKey(pemBytes, passphrase, notary.FIPSEnabled())
-}
-
-func parsePEMPrivateKey(pemBytes []byte, passphrase string, fips bool) (data.PrivateKey, error) {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return nil, errors.New("no valid private key found")
-	}
-
-	switch block.Type {
-	case "RSA PRIVATE KEY", "EC PRIVATE KEY", "ED25519 PRIVATE KEY":
-		if fips {
-			return nil, fmt.Errorf("%s not supported in FIPS mode", block.Type)
-		}
-		return parseLegacyPrivateKey(block, passphrase)
-	case "ENCRYPTED PRIVATE KEY", "PRIVATE KEY":
-		if passphrase == "" {
-			return ParsePKCS8ToTufKey(block.Bytes, nil)
-		}
-		return ParsePKCS8ToTufKey(block.Bytes, []byte(passphrase))
-	default:
-		return nil, fmt.Errorf("unsupported key type %q", block.Type)
-	}
-}
-
-// CertToPEM is a utility function returns a PEM encoded x509 Certificate
-func CertToPEM(cert *x509.Certificate) []byte {
-	pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
-
-	return pemCert
-}
-
-// CertChainToPEM is a utility function returns a PEM encoded chain of x509 Certificates, in the order they are passed
-func CertChainToPEM(certChain []*x509.Certificate) ([]byte, error) {
-	var pemBytes bytes.Buffer
-	for _, cert := range certChain {
-		if err := pem.Encode(&pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
-			return nil, err
-		}
-	}
-	return pemBytes.Bytes(), nil
-}
-
-// LoadCertFromFile loads the first certificate from the file provided. The
-// data is expected to be PEM Encoded and contain one of more certificates
-// with PEM type "CERTIFICATE"
-func LoadCertFromFile(filename string) (*x509.Certificate, error) {
-	certs, err := LoadCertBundleFromFile(filename)
-	if err != nil {
-		return nil, err
-	}
-	return certs[0], nil
-}
-
-// LoadCertBundleFromFile loads certificates from the []byte provided. The
-// data is expected to be PEM Encoded and contain one of more certificates
-// with PEM type "CERTIFICATE"
-func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error) {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return nil, err
-	}
-
-	return LoadCertBundleFromPEM(b)
-}
-
-// LoadCertBundleFromPEM loads certificates from the []byte provided. The
-// data is expected to be PEM Encoded and contain one of more certificates
-// with PEM type "CERTIFICATE"
-func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error) {
-	certificates := []*x509.Certificate{}
-	var block *pem.Block
-	block, pemBytes = pem.Decode(pemBytes)
-	for ; block != nil; block, pemBytes = pem.Decode(pemBytes) {
-		if block.Type == "CERTIFICATE" {
-			cert, err := x509.ParseCertificate(block.Bytes)
-			if err != nil {
-				return nil, err
-			}
-			certificates = append(certificates, cert)
-		} else {
-			return nil, fmt.Errorf("invalid pem block type: %s", block.Type)
-		}
-	}
-
-	if len(certificates) == 0 {
-		return nil, fmt.Errorf("no valid certificates found")
-	}
-
-	return certificates, nil
-}
-
-// GetLeafCerts parses a list of x509 Certificates and returns all of them
-// that aren't CA
-func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate {
-	var leafCerts []*x509.Certificate
-	for _, cert := range certs {
-		if cert.IsCA {
-			continue
-		}
-		leafCerts = append(leafCerts, cert)
-	}
-	return leafCerts
-}
-
-// GetIntermediateCerts parses a list of x509 Certificates and returns all of the
-// ones marked as a CA, to be used as intermediates
-func GetIntermediateCerts(certs []*x509.Certificate) []*x509.Certificate {
-	var intCerts []*x509.Certificate
-	for _, cert := range certs {
-		if cert.IsCA {
-			intCerts = append(intCerts, cert)
-		}
-	}
-	return intCerts
-}
-
-// ParsePEMPublicKey returns a data.PublicKey from a PEM encoded public key or certificate.
-func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error) {
-	pemBlock, _ := pem.Decode(pubKeyBytes)
-	if pemBlock == nil {
-		return nil, errors.New("no valid public key found")
-	}
-
-	switch pemBlock.Type {
-	case "CERTIFICATE":
-		cert, err := x509.ParseCertificate(pemBlock.Bytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse provided certificate: %v", err)
-		}
-		err = ValidateCertificate(cert, true)
-		if err != nil {
-			return nil, fmt.Errorf("invalid certificate: %v", err)
-		}
-		return CertToKey(cert), nil
-	case "PUBLIC KEY":
-		keyType, err := keyTypeForPublicKey(pemBlock.Bytes)
-		if err != nil {
-			return nil, err
-		}
-		return data.NewPublicKey(keyType, pemBlock.Bytes), nil
-	default:
-		return nil, fmt.Errorf("unsupported PEM block type %q, expected CERTIFICATE or PUBLIC KEY", pemBlock.Type)
-	}
-}
-
-func keyTypeForPublicKey(pubKeyBytes []byte) (string, error) {
-	pub, err := x509.ParsePKIXPublicKey(pubKeyBytes)
-	if err != nil {
-		return "", fmt.Errorf("unable to parse pem encoded public key: %v", err)
-	}
-	switch pub.(type) {
-	case *ecdsa.PublicKey:
-		return data.ECDSAKey, nil
-	case *rsa.PublicKey:
-		return data.RSAKey, nil
-	}
-	return "", fmt.Errorf("unknown public key format")
-}
-
-// ValidateCertificate returns an error if the certificate is not valid for notary
-// Currently this is only ensuring the public key has a large enough modulus if RSA,
-// using a non SHA1 signature algorithm, and an optional time expiry check
-func ValidateCertificate(c *x509.Certificate, checkExpiry bool) error {
-	if (c.NotBefore).After(c.NotAfter) {
-		return fmt.Errorf("certificate validity window is invalid")
-	}
-	// Can't have SHA1 sig algorithm
-	if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.DSAWithSHA1 || c.SignatureAlgorithm == x509.ECDSAWithSHA1 {
-		return fmt.Errorf("certificate with CN %s uses invalid SHA1 signature algorithm", c.Subject.CommonName)
-	}
-	// If we have an RSA key, make sure it's long enough
-	if c.PublicKeyAlgorithm == x509.RSA {
-		rsaKey, ok := c.PublicKey.(*rsa.PublicKey)
-		if !ok {
-			return fmt.Errorf("unable to parse RSA public key")
-		}
-		if rsaKey.N.BitLen() < notary.MinRSABitSize {
-			return fmt.Errorf("RSA bit length is too short")
-		}
-	}
-	if checkExpiry {
-		now := time.Now()
-		tomorrow := now.AddDate(0, 0, 1)
-		// Give one day leeway on creation "before" time, check "after" against today
-		if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
-			return data.ErrCertExpired{CN: c.Subject.CommonName}
-		}
-		// If this certificate is expiring within 6 months, put out a warning
-		if (c.NotAfter).Before(time.Now().AddDate(0, 6, 0)) {
-			logrus.Warnf("certificate with CN %s is near expiry", c.Subject.CommonName)
-		}
-	}
-	return nil
-}
-
-// GenerateKey returns a new private key using the provided algorithm or an
-// error detailing why the key could not be generated
-func GenerateKey(algorithm string) (data.PrivateKey, error) {
-	switch algorithm {
-	case data.ECDSAKey:
-		return GenerateECDSAKey(rand.Reader)
-	case data.ED25519Key:
-		return GenerateED25519Key(rand.Reader)
-	}
-	return nil, fmt.Errorf("private key type not supported for key generation: %s", algorithm)
-}
-
-// RSAToPrivateKey converts an rsa.Private key to a TUF data.PrivateKey type
-func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error) {
-	// Get a DER-encoded representation of the PublicKey
-	rsaPubBytes, err := x509.MarshalPKIXPublicKey(&rsaPrivKey.PublicKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal public key: %v", err)
-	}
-
-	// Get a DER-encoded representation of the PrivateKey
-	rsaPrivBytes := x509.MarshalPKCS1PrivateKey(rsaPrivKey)
-
-	pubKey := data.NewRSAPublicKey(rsaPubBytes)
-	return data.NewRSAPrivateKey(pubKey, rsaPrivBytes)
-}
-
-// GenerateECDSAKey generates an ECDSA Private key and returns a TUF PrivateKey
-func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error) {
-	ecdsaPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), random)
-	if err != nil {
-		return nil, err
-	}
-
-	tufPrivKey, err := ECDSAToPrivateKey(ecdsaPrivKey)
-	if err != nil {
-		return nil, err
-	}
-
-	logrus.Debugf("generated ECDSA key with keyID: %s", tufPrivKey.ID())
-
-	return tufPrivKey, nil
-}
-
-// GenerateED25519Key generates an ED25519 private key and returns a TUF
-// PrivateKey. The serialization format we use is just the public key bytes
-// followed by the private key bytes
-func GenerateED25519Key(random io.Reader) (data.PrivateKey, error) {
-	pub, priv, err := ed25519.GenerateKey(random)
-	if err != nil {
-		return nil, err
-	}
-
-	var serialized [ed25519.PublicKeySize + ed25519.PrivateKeySize]byte
-	copy(serialized[:], pub[:])
-	copy(serialized[ed25519.PublicKeySize:], priv[:])
-
-	tufPrivKey, err := ED25519ToPrivateKey(serialized[:])
-	if err != nil {
-		return nil, err
-	}
-
-	logrus.Debugf("generated ED25519 key with keyID: %s", tufPrivKey.ID())
-
-	return tufPrivKey, nil
-}
-
-// ECDSAToPrivateKey converts an ecdsa.Private key to a TUF data.PrivateKey type
-func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error) {
-	// Get a DER-encoded representation of the PublicKey
-	ecdsaPubBytes, err := x509.MarshalPKIXPublicKey(&ecdsaPrivKey.PublicKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal public key: %v", err)
-	}
-
-	// Get a DER-encoded representation of the PrivateKey
-	ecdsaPrivKeyBytes, err := x509.MarshalECPrivateKey(ecdsaPrivKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal private key: %v", err)
-	}
-
-	pubKey := data.NewECDSAPublicKey(ecdsaPubBytes)
-	return data.NewECDSAPrivateKey(pubKey, ecdsaPrivKeyBytes)
-}
-
-// ED25519ToPrivateKey converts a serialized ED25519 key to a TUF
-// data.PrivateKey type
-func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error) {
-	if len(privKeyBytes) != ed25519.PublicKeySize+ed25519.PrivateKeySize {
-		return nil, errors.New("malformed ed25519 private key")
-	}
-
-	pubKey := data.NewED25519PublicKey(privKeyBytes[:ed25519.PublicKeySize])
-	return data.NewED25519PrivateKey(*pubKey, privKeyBytes)
-}
-
-// ExtractPrivateKeyAttributes extracts role and gun values from private key bytes
-func ExtractPrivateKeyAttributes(pemBytes []byte) (data.RoleName, data.GUN, error) {
-	return extractPrivateKeyAttributes(pemBytes, notary.FIPSEnabled())
-}
-
-func extractPrivateKeyAttributes(pemBytes []byte, fips bool) (data.RoleName, data.GUN, error) {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return "", "", errors.New("PEM block is empty")
-	}
-
-	switch block.Type {
-	case "RSA PRIVATE KEY", "EC PRIVATE KEY", "ED25519 PRIVATE KEY":
-		if fips {
-			return "", "", fmt.Errorf("%s not supported in FIPS mode", block.Type)
-		}
-	case "PRIVATE KEY", "ENCRYPTED PRIVATE KEY":
-		// do nothing for PKCS#8 keys
-	default:
-		return "", "", errors.New("unknown key format")
-	}
-	return data.RoleName(block.Headers["role"]), data.GUN(block.Headers["gun"]), nil
-}
-
-// ConvertPrivateKeyToPKCS8 converts a data.PrivateKey to PKCS#8 Format
-func ConvertPrivateKeyToPKCS8(key data.PrivateKey, role data.RoleName, gun data.GUN, passphrase string) ([]byte, error) {
-	var (
-		err       error
-		der       []byte
-		blockType = "PRIVATE KEY"
-	)
-
-	if passphrase == "" {
-		der, err = ConvertTUFKeyToPKCS8(key, nil)
-	} else {
-		blockType = "ENCRYPTED PRIVATE KEY"
-		der, err = ConvertTUFKeyToPKCS8(key, []byte(passphrase))
-	}
-	if err != nil {
-		return nil, fmt.Errorf("unable to convert to PKCS8 key")
-	}
-
-	headers := make(map[string]string)
-	if role != "" {
-		headers["role"] = role.String()
-	}
-
-	if gun != "" {
-		headers["gun"] = gun.String()
-	}
-
-	return pem.EncodeToMemory(&pem.Block{Bytes: der, Type: blockType, Headers: headers}), nil
-}
-
-// CertToKey transforms a single input certificate into its corresponding
-// PublicKey
-func CertToKey(cert *x509.Certificate) data.PublicKey {
-	block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
-	pemdata := pem.EncodeToMemory(&block)
-
-	switch cert.PublicKeyAlgorithm {
-	case x509.RSA:
-		return data.NewRSAx509PublicKey(pemdata)
-	case x509.ECDSA:
-		return data.NewECDSAx509PublicKey(pemdata)
-	default:
-		logrus.Debugf("Unknown key type parsed from certificate: %v", cert.PublicKeyAlgorithm)
-		return nil
-	}
-}
-
-// CertsToKeys transforms each of the input certificate chains into its corresponding
-// PublicKey
-func CertsToKeys(leafCerts map[string]*x509.Certificate, intCerts map[string][]*x509.Certificate) map[string]data.PublicKey {
-	keys := make(map[string]data.PublicKey)
-	for id, leafCert := range leafCerts {
-		if key, err := CertBundleToKey(leafCert, intCerts[id]); err == nil {
-			keys[key.ID()] = key
-		}
-	}
-	return keys
-}
-
-// CertBundleToKey creates a TUF key from a leaf certs and a list of
-// intermediates
-func CertBundleToKey(leafCert *x509.Certificate, intCerts []*x509.Certificate) (data.PublicKey, error) {
-	certBundle := []*x509.Certificate{leafCert}
-	certBundle = append(certBundle, intCerts...)
-	certChainPEM, err := CertChainToPEM(certBundle)
-	if err != nil {
-		return nil, err
-	}
-	var newKey data.PublicKey
-	// Use the leaf cert's public key algorithm for typing
-	switch leafCert.PublicKeyAlgorithm {
-	case x509.RSA:
-		newKey = data.NewRSAx509PublicKey(certChainPEM)
-	case x509.ECDSA:
-		newKey = data.NewECDSAx509PublicKey(certChainPEM)
-	default:
-		logrus.Debugf("Unknown key type parsed from certificate: %v", leafCert.PublicKeyAlgorithm)
-		return nil, x509.ErrUnsupportedAlgorithm
-	}
-	return newKey, nil
-}
-
-// NewCertificate returns an X509 Certificate following a template, given a Common Name and validity interval.
-func NewCertificate(commonName string, startTime, endTime time.Time) (*x509.Certificate, error) {
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate new certificate: %v", err)
-	}
-
-	return &x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: commonName,
-		},
-		NotBefore: startTime,
-		NotAfter:  endTime,
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
-		BasicConstraintsValid: true,
-	}, nil
-}
diff --git a/vendor/github.com/theupdateframework/notary/tuf/validation/errors.go b/vendor/github.com/theupdateframework/notary/tuf/validation/errors.go
deleted file mode 100644
index 6cca0dfa..00000000
--- a/vendor/github.com/theupdateframework/notary/tuf/validation/errors.go
+++ /dev/null
@@ -1,126 +0,0 @@
-package validation
-
-import (
-	"encoding/json"
-	"fmt"
-)
-
-// VALIDATION ERRORS
-
-// ErrValidation represents a general validation error
-type ErrValidation struct {
-	Msg string
-}
-
-func (err ErrValidation) Error() string {
-	return fmt.Sprintf("An error occurred during validation: %s", err.Msg)
-}
-
-// ErrBadHierarchy represents missing metadata.  Currently: a missing snapshot
-// at this current time. When delegations are implemented it will also
-// represent a missing delegation parent
-type ErrBadHierarchy struct {
-	Missing string
-	Msg     string
-}
-
-func (err ErrBadHierarchy) Error() string {
-	return fmt.Sprintf("Metadata hierarchy is incomplete: %s", err.Msg)
-}
-
-// ErrBadRoot represents a failure validating the root
-type ErrBadRoot struct {
-	Msg string
-}
-
-func (err ErrBadRoot) Error() string {
-	return fmt.Sprintf("The root metadata is invalid: %s", err.Msg)
-}
-
-// ErrBadTargets represents a failure to validate a targets (incl delegations)
-type ErrBadTargets struct {
-	Msg string
-}
-
-func (err ErrBadTargets) Error() string {
-	return fmt.Sprintf("The targets metadata is invalid: %s", err.Msg)
-}
-
-// ErrBadSnapshot represents a failure to validate the snapshot
-type ErrBadSnapshot struct {
-	Msg string
-}
-
-func (err ErrBadSnapshot) Error() string {
-	return fmt.Sprintf("The snapshot metadata is invalid: %s", err.Msg)
-}
-
-// END VALIDATION ERRORS
-
-// SerializableError is a struct that can be used to serialize an error as JSON
-type SerializableError struct {
-	Name  string
-	Error error
-}
-
-// UnmarshalJSON attempts to unmarshal the error into the right type
-func (s *SerializableError) UnmarshalJSON(text []byte) (err error) {
-	var x struct{ Name string }
-	err = json.Unmarshal(text, &x)
-	if err != nil {
-		return
-	}
-	var theError error
-	switch x.Name {
-	case "ErrValidation":
-		var e struct{ Error ErrValidation }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadHierarchy":
-		var e struct{ Error ErrBadHierarchy }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadRoot":
-		var e struct{ Error ErrBadRoot }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadTargets":
-		var e struct{ Error ErrBadTargets }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadSnapshot":
-		var e struct{ Error ErrBadSnapshot }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	default:
-		err = fmt.Errorf("do not know how to unmarshal %s", x.Name)
-		return
-	}
-	if err != nil {
-		return
-	}
-	s.Name = x.Name
-	s.Error = theError
-	return nil
-}
-
-// NewSerializableError serializes one of the above errors into JSON
-func NewSerializableError(err error) (*SerializableError, error) {
-	// make sure it's one of our errors
-	var name string
-	switch err.(type) {
-	case ErrValidation:
-		name = "ErrValidation"
-	case ErrBadHierarchy:
-		name = "ErrBadHierarchy"
-	case ErrBadRoot:
-		name = "ErrBadRoot"
-	case ErrBadTargets:
-		name = "ErrBadTargets"
-	case ErrBadSnapshot:
-		name = "ErrBadSnapshot"
-	default:
-		return nil, fmt.Errorf("does not support serializing non-validation errors")
-	}
-	return &SerializableError{Name: name, Error: err}, nil
-}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
index a01bfafb..6bd50d4c 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
@@ -176,6 +176,10 @@ func WithMessageEvents(events ...event) Option {
 
 // WithSpanNameFormatter takes a function that will be called on every
 // request and the returned string will become the Span Name.
+//
+// When using [http.ServeMux] (or any middleware that sets the Pattern of [http.Request]),
+// the span name formatter will run twice. Once when the span is created, and
+// second time after the middleware, so the pattern can be used.
 func WithSpanNameFormatter(f func(operation string, r *http.Request) string) Option {
 	return optionFunc(func(c *config) {
 		c.SpanNameFormatter = f
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
index 3ea05d01..937f9b4e 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
@@ -98,7 +98,7 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 
 	ctx := h.propagators.Extract(r.Context(), propagation.HeaderCarrier(r.Header))
 	opts := []trace.SpanStartOption{
-		trace.WithAttributes(h.semconv.RequestTraceAttrs(h.server, r)...),
+		trace.WithAttributes(h.semconv.RequestTraceAttrs(h.server, r, semconv.RequestTraceAttrsOpts{})...),
 	}
 
 	opts = append(opts, h.spanStartOptions...)
@@ -176,7 +176,12 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 		ctx = ContextWithLabeler(ctx, labeler)
 	}
 
-	next.ServeHTTP(w, r.WithContext(ctx))
+	r = r.WithContext(ctx)
+	next.ServeHTTP(w, r)
+
+	if r.Pattern != "" {
+		span.SetName(h.spanNameFormatter(h.operation, r))
+	}
 
 	statusCode := rww.StatusCode()
 	bytesWritten := rww.BytesWritten()
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go
index 866aa21d..d032aa84 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go
@@ -1,9 +1,11 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/request/body_wrapper.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package request provides types and functionality to handle HTTP request
+// handling.
 package request // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request"
 
 import (
@@ -56,7 +58,7 @@ func (w *BodyWrapper) updateReadData(n int64, err error) {
 	}
 }
 
-// Closes closes the io.ReadCloser.
+// Close closes the io.ReadCloser.
 func (w *BodyWrapper) Close() error {
 	return w.ReadCloser.Close()
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go
index 73184e7d..ca2e4c14 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/request/resp_writer_wrapper.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -105,7 +105,7 @@ func (w *RespWriterWrapper) BytesWritten() int64 {
 	return w.written
 }
 
-// BytesWritten returns the HTTP status code that was sent.
+// StatusCode returns the HTTP status code that was sent.
 func (w *RespWriterWrapper) StatusCode() int {
 	w.mu.RLock()
 	defer w.mu.RUnlock()
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
index 4693a019..7edc8d10 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconv/env.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -17,10 +17,11 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
 	"go.opentelemetry.io/otel/metric"
+	"go.opentelemetry.io/otel/semconv/v1.34.0/httpconv"
 )
 
 // OTelSemConvStabilityOptIn is an environment variable.
-// That can be set to "old" or "http/dup" to opt into the new HTTP semantic conventions.
+// That can be set to "http/dup" to keep getting the old HTTP semantic conventions.
 const OTelSemConvStabilityOptIn = "OTEL_SEMCONV_STABILITY_OPT_IN"
 
 type ResponseTelemetry struct {
@@ -40,9 +41,9 @@ type HTTPServer struct {
 	serverLatencyMeasure metric.Float64Histogram
 
 	// New metrics
-	requestBodySizeHistogram  metric.Int64Histogram
-	responseBodySizeHistogram metric.Int64Histogram
-	requestDurationHistogram  metric.Float64Histogram
+	requestBodySizeHistogram  httpconv.ServerRequestBodySize
+	responseBodySizeHistogram httpconv.ServerResponseBodySize
+	requestDurationHistogram  httpconv.ServerRequestDuration
 }
 
 // RequestTraceAttrs returns trace attributes for an HTTP request received by a
@@ -61,19 +62,23 @@ type HTTPServer struct {
 //
 // If the primary server name is not known, server should be an empty string.
 // The req Host will be used to determine the server instead.
-func (s HTTPServer) RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue {
+func (s HTTPServer) RequestTraceAttrs(server string, req *http.Request, opts RequestTraceAttrsOpts) []attribute.KeyValue {
+	attrs := CurrentHTTPServer{}.RequestTraceAttrs(server, req, opts)
 	if s.duplicate {
-		return append(OldHTTPServer{}.RequestTraceAttrs(server, req), CurrentHTTPServer{}.RequestTraceAttrs(server, req)...)
+		return OldHTTPServer{}.RequestTraceAttrs(server, req, attrs)
 	}
-	return OldHTTPServer{}.RequestTraceAttrs(server, req)
+	return attrs
 }
 
 func (s HTTPServer) NetworkTransportAttr(network string) []attribute.KeyValue {
 	if s.duplicate {
-		return append([]attribute.KeyValue{OldHTTPServer{}.NetworkTransportAttr(network)}, CurrentHTTPServer{}.NetworkTransportAttr(network))
+		return []attribute.KeyValue{
+			OldHTTPServer{}.NetworkTransportAttr(network),
+			CurrentHTTPServer{}.NetworkTransportAttr(network),
+		}
 	}
 	return []attribute.KeyValue{
-		OldHTTPServer{}.NetworkTransportAttr(network),
+		CurrentHTTPServer{}.NetworkTransportAttr(network),
 	}
 }
 
@@ -81,15 +86,16 @@ func (s HTTPServer) NetworkTransportAttr(network string) []attribute.KeyValue {
 //
 // If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
 func (s HTTPServer) ResponseTraceAttrs(resp ResponseTelemetry) []attribute.KeyValue {
+	attrs := CurrentHTTPServer{}.ResponseTraceAttrs(resp)
 	if s.duplicate {
-		return append(OldHTTPServer{}.ResponseTraceAttrs(resp), CurrentHTTPServer{}.ResponseTraceAttrs(resp)...)
+		return OldHTTPServer{}.ResponseTraceAttrs(resp, attrs)
 	}
-	return OldHTTPServer{}.ResponseTraceAttrs(resp)
+	return attrs
 }
 
 // Route returns the attribute for the route.
 func (s HTTPServer) Route(route string) attribute.KeyValue {
-	return OldHTTPServer{}.Route(route)
+	return CurrentHTTPServer{}.Route(route)
 }
 
 // Status returns a span status code and message for an HTTP status code
@@ -121,6 +127,8 @@ type MetricAttributes struct {
 
 type MetricData struct {
 	RequestSize int64
+
+	// The request duration, in milliseconds
 	ElapsedTime float64
 }
 
@@ -139,7 +147,17 @@ var (
 )
 
 func (s HTTPServer) RecordMetrics(ctx context.Context, md ServerMetricData) {
-	if s.requestBytesCounter != nil && s.responseBytesCounter != nil && s.serverLatencyMeasure != nil {
+	attributes := CurrentHTTPServer{}.MetricAttributes(md.ServerName, md.Req, md.StatusCode, md.AdditionalAttributes)
+	o := metric.WithAttributeSet(attribute.NewSet(attributes...))
+	recordOpts := metricRecordOptionPool.Get().(*[]metric.RecordOption)
+	*recordOpts = append(*recordOpts, o)
+	s.requestBodySizeHistogram.Inst().Record(ctx, md.RequestSize, *recordOpts...)
+	s.responseBodySizeHistogram.Inst().Record(ctx, md.ResponseSize, *recordOpts...)
+	s.requestDurationHistogram.Inst().Record(ctx, md.ElapsedTime/1000.0, o)
+	*recordOpts = (*recordOpts)[:0]
+	metricRecordOptionPool.Put(recordOpts)
+
+	if s.duplicate && s.requestBytesCounter != nil && s.responseBytesCounter != nil && s.serverLatencyMeasure != nil {
 		attributes := OldHTTPServer{}.MetricAttributes(md.ServerName, md.Req, md.StatusCode, md.AdditionalAttributes)
 		o := metric.WithAttributeSet(attribute.NewSet(attributes...))
 		addOpts := metricAddOptionPool.Get().(*[]metric.AddOption)
@@ -150,29 +168,44 @@ func (s HTTPServer) RecordMetrics(ctx context.Context, md ServerMetricData) {
 		*addOpts = (*addOpts)[:0]
 		metricAddOptionPool.Put(addOpts)
 	}
+}
 
-	if s.duplicate && s.requestDurationHistogram != nil && s.requestBodySizeHistogram != nil && s.responseBodySizeHistogram != nil {
-		attributes := CurrentHTTPServer{}.MetricAttributes(md.ServerName, md.Req, md.StatusCode, md.AdditionalAttributes)
-		o := metric.WithAttributeSet(attribute.NewSet(attributes...))
-		recordOpts := metricRecordOptionPool.Get().(*[]metric.RecordOption)
-		*recordOpts = append(*recordOpts, o)
-		s.requestBodySizeHistogram.Record(ctx, md.RequestSize, *recordOpts...)
-		s.responseBodySizeHistogram.Record(ctx, md.ResponseSize, *recordOpts...)
-		s.requestDurationHistogram.Record(ctx, md.ElapsedTime, o)
-		*recordOpts = (*recordOpts)[:0]
-		metricRecordOptionPool.Put(recordOpts)
+// hasOptIn returns true if the comma-separated version string contains the
+// exact optIn value.
+func hasOptIn(version, optIn string) bool {
+	for _, v := range strings.Split(version, ",") {
+		if strings.TrimSpace(v) == optIn {
+			return true
+		}
 	}
+	return false
 }
 
 func NewHTTPServer(meter metric.Meter) HTTPServer {
 	env := strings.ToLower(os.Getenv(OTelSemConvStabilityOptIn))
-	duplicate := env == "http/dup"
+	duplicate := hasOptIn(env, "http/dup")
 	server := HTTPServer{
 		duplicate: duplicate,
 	}
-	server.requestBytesCounter, server.responseBytesCounter, server.serverLatencyMeasure = OldHTTPServer{}.createMeasures(meter)
+
+	var err error
+	server.requestBodySizeHistogram, err = httpconv.NewServerRequestBodySize(meter)
+	handleErr(err)
+
+	server.responseBodySizeHistogram, err = httpconv.NewServerResponseBodySize(meter)
+	handleErr(err)
+
+	server.requestDurationHistogram, err = httpconv.NewServerRequestDuration(
+		meter,
+		metric.WithExplicitBucketBoundaries(
+			0.005, 0.01, 0.025, 0.05, 0.075, 0.1,
+			0.25, 0.5, 0.75, 1, 2.5, 5, 7.5, 10,
+		),
+	)
+	handleErr(err)
+
 	if duplicate {
-		server.requestBodySizeHistogram, server.responseBodySizeHistogram, server.requestDurationHistogram = CurrentHTTPServer{}.createMeasures(meter)
+		server.requestBytesCounter, server.responseBytesCounter, server.serverLatencyMeasure = OldHTTPServer{}.createMeasures(meter)
 	}
 	return server
 }
@@ -186,19 +219,29 @@ type HTTPClient struct {
 	latencyMeasure       metric.Float64Histogram
 
 	// new metrics
-	requestBodySize metric.Int64Histogram
-	requestDuration metric.Float64Histogram
+	requestBodySize httpconv.ClientRequestBodySize
+	requestDuration httpconv.ClientRequestDuration
 }
 
 func NewHTTPClient(meter metric.Meter) HTTPClient {
 	env := strings.ToLower(os.Getenv(OTelSemConvStabilityOptIn))
-	duplicate := env == "http/dup"
+	duplicate := hasOptIn(env, "http/dup")
 	client := HTTPClient{
 		duplicate: duplicate,
 	}
-	client.requestBytesCounter, client.responseBytesCounter, client.latencyMeasure = OldHTTPClient{}.createMeasures(meter)
+
+	var err error
+	client.requestBodySize, err = httpconv.NewClientRequestBodySize(meter)
+	handleErr(err)
+
+	client.requestDuration, err = httpconv.NewClientRequestDuration(
+		meter,
+		metric.WithExplicitBucketBoundaries(0.005, 0.01, 0.025, 0.05, 0.075, 0.1, 0.25, 0.5, 0.75, 1, 2.5, 5, 7.5, 10),
+	)
+	handleErr(err)
+
 	if duplicate {
-		client.requestBodySize, client.requestDuration = CurrentHTTPClient{}.createMeasures(meter)
+		client.requestBytesCounter, client.responseBytesCounter, client.latencyMeasure = OldHTTPClient{}.createMeasures(meter)
 	}
 
 	return client
@@ -206,19 +249,20 @@ func NewHTTPClient(meter metric.Meter) HTTPClient {
 
 // RequestTraceAttrs returns attributes for an HTTP request made by a client.
 func (c HTTPClient) RequestTraceAttrs(req *http.Request) []attribute.KeyValue {
+	attrs := CurrentHTTPClient{}.RequestTraceAttrs(req)
 	if c.duplicate {
-		return append(OldHTTPClient{}.RequestTraceAttrs(req), CurrentHTTPClient{}.RequestTraceAttrs(req)...)
+		return OldHTTPClient{}.RequestTraceAttrs(req, attrs)
 	}
-	return OldHTTPClient{}.RequestTraceAttrs(req)
+	return attrs
 }
 
 // ResponseTraceAttrs returns metric attributes for an HTTP request made by a client.
 func (c HTTPClient) ResponseTraceAttrs(resp *http.Response) []attribute.KeyValue {
+	attrs := CurrentHTTPClient{}.ResponseTraceAttrs(resp)
 	if c.duplicate {
-		return append(OldHTTPClient{}.ResponseTraceAttrs(resp), CurrentHTTPClient{}.ResponseTraceAttrs(resp)...)
+		return OldHTTPClient{}.ResponseTraceAttrs(resp, attrs)
 	}
-
-	return OldHTTPClient{}.ResponseTraceAttrs(resp)
+	return attrs
 }
 
 func (c HTTPClient) Status(code int) (codes.Code, string) {
@@ -232,11 +276,7 @@ func (c HTTPClient) Status(code int) (codes.Code, string) {
 }
 
 func (c HTTPClient) ErrorType(err error) attribute.KeyValue {
-	if c.duplicate {
-		return CurrentHTTPClient{}.ErrorType(err)
-	}
-
-	return attribute.KeyValue{}
+	return CurrentHTTPClient{}.ErrorType(err)
 }
 
 type MetricOpts struct {
@@ -255,17 +295,17 @@ func (o MetricOpts) AddOptions() metric.AddOption {
 func (c HTTPClient) MetricOptions(ma MetricAttributes) map[string]MetricOpts {
 	opts := map[string]MetricOpts{}
 
-	attributes := OldHTTPClient{}.MetricAttributes(ma.Req, ma.StatusCode, ma.AdditionalAttributes)
+	attributes := CurrentHTTPClient{}.MetricAttributes(ma.Req, ma.StatusCode, ma.AdditionalAttributes)
 	set := metric.WithAttributeSet(attribute.NewSet(attributes...))
-	opts["old"] = MetricOpts{
+	opts["new"] = MetricOpts{
 		measurement: set,
 		addOptions:  set,
 	}
 
 	if c.duplicate {
-		attributes := CurrentHTTPClient{}.MetricAttributes(ma.Req, ma.StatusCode, ma.AdditionalAttributes)
+		attributes := OldHTTPClient{}.MetricAttributes(ma.Req, ma.StatusCode, ma.AdditionalAttributes)
 		set := metric.WithAttributeSet(attribute.NewSet(attributes...))
-		opts["new"] = MetricOpts{
+		opts["old"] = MetricOpts{
 			measurement: set,
 			addOptions:  set,
 		}
@@ -275,17 +315,12 @@ func (c HTTPClient) MetricOptions(ma MetricAttributes) map[string]MetricOpts {
 }
 
 func (s HTTPClient) RecordMetrics(ctx context.Context, md MetricData, opts map[string]MetricOpts) {
-	if s.requestBytesCounter == nil || s.latencyMeasure == nil {
-		// This will happen if an HTTPClient{} is used instead of NewHTTPClient().
-		return
-	}
-
-	s.requestBytesCounter.Add(ctx, md.RequestSize, opts["old"].AddOptions())
-	s.latencyMeasure.Record(ctx, md.ElapsedTime, opts["old"].MeasurementOption())
+	s.requestBodySize.Inst().Record(ctx, md.RequestSize, opts["new"].MeasurementOption())
+	s.requestDuration.Inst().Record(ctx, md.ElapsedTime/1000, opts["new"].MeasurementOption())
 
 	if s.duplicate {
-		s.requestBodySize.Record(ctx, md.RequestSize, opts["new"].MeasurementOption())
-		s.requestDuration.Record(ctx, md.ElapsedTime, opts["new"].MeasurementOption())
+		s.requestBytesCounter.Add(ctx, md.RequestSize, opts["old"].AddOptions())
+		s.latencyMeasure.Record(ctx, md.ElapsedTime, opts["old"].MeasurementOption())
 	}
 }
 
@@ -299,9 +334,10 @@ func (s HTTPClient) RecordResponseSize(ctx context.Context, responseData int64,
 }
 
 func (s HTTPClient) TraceAttributes(host string) []attribute.KeyValue {
+	attrs := CurrentHTTPClient{}.TraceAttributes(host)
 	if s.duplicate {
-		return append(OldHTTPClient{}.TraceAttributes(host), CurrentHTTPClient{}.TraceAttributes(host)...)
+		return OldHTTPClient{}.TraceAttributes(host, attrs)
 	}
 
-	return OldHTTPClient{}.TraceAttributes(host)
+	return attrs
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go
index f2cf8a15..b4036dd9 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go
@@ -5,10 +5,12 @@ package semconv // import "go.opentelemetry.io/contrib/instrumentation/net/http/
 
 // Generate semconv package:
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/bench_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=bench_test.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/common_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=common_test.go
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/env.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=env.go
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/env_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=env_test.go
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/httpconv.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=httpconv.go
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/httpconv_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=httpconv_test.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/httpconvtest_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=httpconvtest_test.go
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/util.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=util.go
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/util_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=util_test.go
 //go:generate gotmpl --body=../../../../../../internal/shared/semconv/v1.20.0.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=v1.20.0.go
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go
index 8b85eff9..9766f3ac 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go
@@ -1,9 +1,11 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconv/httpconv.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package semconv provides OpenTelemetry semantic convention types and
+// functionality.
 package semconv // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
 
 import (
@@ -15,14 +17,17 @@ import (
 	"strings"
 
 	"go.opentelemetry.io/otel/attribute"
-	"go.opentelemetry.io/otel/metric"
-	"go.opentelemetry.io/otel/metric/noop"
-	semconvNew "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconvNew "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
+type RequestTraceAttrsOpts struct {
+	// If set, this is used as value for the "http.client_ip" attribute.
+	HTTPClientIP string
+}
+
 type CurrentHTTPServer struct{}
 
-// TraceRequest returns trace attributes for an HTTP request received by a
+// RequestTraceAttrs returns trace attributes for an HTTP request received by a
 // server.
 //
 // The server must be the primary server name if it is known. For example this
@@ -38,7 +43,7 @@ type CurrentHTTPServer struct{}
 //
 // If the primary server name is not known, server should be an empty string.
 // The req Host will be used to determine the server instead.
-func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue {
+func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request, opts RequestTraceAttrsOpts) []attribute.KeyValue {
 	count := 3 // ServerAddress, Method, Scheme
 
 	var host string
@@ -65,7 +70,8 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 
 	scheme := n.scheme(req.TLS != nil)
 
-	if peer, peerPort := SplitHostPort(req.RemoteAddr); peer != "" {
+	peer, peerPort := SplitHostPort(req.RemoteAddr)
+	if peer != "" {
 		// The Go HTTP server sets RemoteAddr to "IP:port", this will not be a
 		// file-path that would be interpreted with a sock family.
 		count++
@@ -79,7 +85,17 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		count++
 	}
 
-	clientIP := serverClientIP(req.Header.Get("X-Forwarded-For"))
+	// For client IP, use, in order:
+	// 1. The value passed in the options
+	// 2. The value in the X-Forwarded-For header
+	// 3. The peer address
+	clientIP := opts.HTTPClientIP
+	if clientIP == "" {
+		clientIP = serverClientIP(req.Header.Get("X-Forwarded-For"))
+		if clientIP == "" {
+			clientIP = peer
+		}
+	}
 	if clientIP != "" {
 		count++
 	}
@@ -96,6 +112,11 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		count++
 	}
 
+	route := httpRoute(req.Pattern)
+	if route != "" {
+		count++
+	}
+
 	attrs := make([]attribute.KeyValue, 0, count)
 	attrs = append(attrs,
 		semconvNew.ServerAddress(host),
@@ -119,7 +140,7 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		}
 	}
 
-	if useragent := req.UserAgent(); useragent != "" {
+	if useragent != "" {
 		attrs = append(attrs, semconvNew.UserAgentOriginal(useragent))
 	}
 
@@ -138,10 +159,14 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		attrs = append(attrs, semconvNew.NetworkProtocolVersion(protoVersion))
 	}
 
+	if route != "" {
+		attrs = append(attrs, n.Route(route))
+	}
+
 	return attrs
 }
 
-func (o CurrentHTTPServer) NetworkTransportAttr(network string) attribute.KeyValue {
+func (n CurrentHTTPServer) NetworkTransportAttr(network string) attribute.KeyValue {
 	switch network {
 	case "tcp", "tcp4", "tcp6":
 		return semconvNew.NetworkTransportTCP
@@ -176,9 +201,11 @@ func (n CurrentHTTPServer) scheme(https bool) attribute.KeyValue { // nolint:rev
 	return semconvNew.URLScheme("http")
 }
 
-// TraceResponse returns trace attributes for telemetry from an HTTP response.
+// ResponseTraceAttrs returns trace attributes for telemetry from an HTTP
+// response.
 //
-// If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
+// If any of the fields in the ResponseTelemetry are not set the attribute will
+// be omitted.
 func (n CurrentHTTPServer) ResponseTraceAttrs(resp ResponseTelemetry) []attribute.KeyValue {
 	var count int
 
@@ -218,35 +245,6 @@ func (n CurrentHTTPServer) Route(route string) attribute.KeyValue {
 	return semconvNew.HTTPRoute(route)
 }
 
-func (n CurrentHTTPServer) createMeasures(meter metric.Meter) (metric.Int64Histogram, metric.Int64Histogram, metric.Float64Histogram) {
-	if meter == nil {
-		return noop.Int64Histogram{}, noop.Int64Histogram{}, noop.Float64Histogram{}
-	}
-
-	var err error
-	requestBodySizeHistogram, err := meter.Int64Histogram(
-		semconvNew.HTTPServerRequestBodySizeName,
-		metric.WithUnit(semconvNew.HTTPServerRequestBodySizeUnit),
-		metric.WithDescription(semconvNew.HTTPServerRequestBodySizeDescription),
-	)
-	handleErr(err)
-
-	responseBodySizeHistogram, err := meter.Int64Histogram(
-		semconvNew.HTTPServerResponseBodySizeName,
-		metric.WithUnit(semconvNew.HTTPServerResponseBodySizeUnit),
-		metric.WithDescription(semconvNew.HTTPServerResponseBodySizeDescription),
-	)
-	handleErr(err)
-	requestDurationHistogram, err := meter.Float64Histogram(
-		semconvNew.HTTPServerRequestDurationName,
-		metric.WithUnit(semconvNew.HTTPServerRequestDurationUnit),
-		metric.WithDescription(semconvNew.HTTPServerRequestDurationDescription),
-	)
-	handleErr(err)
-
-	return requestBodySizeHistogram, responseBodySizeHistogram, requestDurationHistogram
-}
-
 func (n CurrentHTTPServer) MetricAttributes(server string, req *http.Request, statusCode int, additionalAttributes []attribute.KeyValue) []attribute.KeyValue {
 	num := len(additionalAttributes) + 3
 	var host string
@@ -442,29 +440,6 @@ func (n CurrentHTTPClient) method(method string) (attribute.KeyValue, attribute.
 	return semconvNew.HTTPRequestMethodGet, orig
 }
 
-func (n CurrentHTTPClient) createMeasures(meter metric.Meter) (metric.Int64Histogram, metric.Float64Histogram) {
-	if meter == nil {
-		return noop.Int64Histogram{}, noop.Float64Histogram{}
-	}
-
-	var err error
-	requestBodySize, err := meter.Int64Histogram(
-		semconvNew.HTTPClientRequestBodySizeName,
-		metric.WithUnit(semconvNew.HTTPClientRequestBodySizeUnit),
-		metric.WithDescription(semconvNew.HTTPClientRequestBodySizeDescription),
-	)
-	handleErr(err)
-
-	requestDuration, err := meter.Float64Histogram(
-		semconvNew.HTTPClientRequestDurationName,
-		metric.WithUnit(semconvNew.HTTPClientRequestDurationUnit),
-		metric.WithDescription(semconvNew.HTTPClientRequestDurationDescription),
-	)
-	handleErr(err)
-
-	return requestBodySize, requestDuration
-}
-
 func (n CurrentHTTPClient) MetricAttributes(req *http.Request, statusCode int, additionalAttributes []attribute.KeyValue) []attribute.KeyValue {
 	num := len(additionalAttributes) + 2
 	var h string
@@ -501,7 +476,7 @@ func (n CurrentHTTPClient) MetricAttributes(req *http.Request, statusCode int, a
 	attributes = append(attributes,
 		semconvNew.HTTPRequestMethodKey.String(standardizeHTTPMethod(req.Method)),
 		semconvNew.ServerAddress(requestHost),
-		n.scheme(req.TLS != nil),
+		n.scheme(req),
 	)
 
 	if port > 0 {
@@ -520,15 +495,18 @@ func (n CurrentHTTPClient) MetricAttributes(req *http.Request, statusCode int, a
 	return attributes
 }
 
-// Attributes for httptrace.
+// TraceAttributes returns attributes for httptrace.
 func (n CurrentHTTPClient) TraceAttributes(host string) []attribute.KeyValue {
 	return []attribute.KeyValue{
 		semconvNew.ServerAddress(host),
 	}
 }
 
-func (n CurrentHTTPClient) scheme(https bool) attribute.KeyValue { // nolint:revive
-	if https {
+func (n CurrentHTTPClient) scheme(req *http.Request) attribute.KeyValue {
+	if req.URL != nil && req.URL.Scheme != "" {
+		return semconvNew.URLScheme(req.URL.Scheme)
+	}
+	if req.TLS != nil {
 		return semconvNew.URLScheme("https")
 	}
 	return semconvNew.URLScheme("http")
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
index 315d3dd2..e4ebf858 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconv/util.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -14,7 +14,7 @@ import (
 
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
-	semconvNew "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconvNew "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
 // SplitHostPort splits a network address hostport of the form "host",
@@ -28,17 +28,17 @@ func SplitHostPort(hostport string) (host string, port int) {
 	port = -1
 
 	if strings.HasPrefix(hostport, "[") {
-		addrEnd := strings.LastIndex(hostport, "]")
+		addrEnd := strings.LastIndexByte(hostport, ']')
 		if addrEnd < 0 {
 			// Invalid hostport.
 			return
 		}
-		if i := strings.LastIndex(hostport[addrEnd:], ":"); i < 0 {
+		if i := strings.LastIndexByte(hostport[addrEnd:], ':'); i < 0 {
 			host = hostport[1:addrEnd]
 			return
 		}
 	} else {
-		if i := strings.LastIndex(hostport, ":"); i < 0 {
+		if i := strings.LastIndexByte(hostport, ':'); i < 0 {
 			host = hostport
 			return
 		}
@@ -70,12 +70,19 @@ func requiredHTTPPort(https bool, port int) int { // nolint:revive
 }
 
 func serverClientIP(xForwardedFor string) string {
-	if idx := strings.Index(xForwardedFor, ","); idx >= 0 {
+	if idx := strings.IndexByte(xForwardedFor, ','); idx >= 0 {
 		xForwardedFor = xForwardedFor[:idx]
 	}
 	return xForwardedFor
 }
 
+func httpRoute(pattern string) string {
+	if idx := strings.IndexByte(pattern, '/'); idx >= 0 {
+		return pattern[idx:]
+	}
+	return ""
+}
+
 func netProtocol(proto string) (name string, version string) {
 	name, version, _ = strings.Cut(proto, "/")
 	switch name {
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
index 742c2113..ba7fccf1 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconv/v120.0.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -37,8 +37,8 @@ type OldHTTPServer struct{}
 //
 // If the primary server name is not known, server should be an empty string.
 // The req Host will be used to determine the server instead.
-func (o OldHTTPServer) RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue {
-	return semconvutil.HTTPServerRequest(server, req)
+func (o OldHTTPServer) RequestTraceAttrs(server string, req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return semconvutil.HTTPServerRequest(server, req, semconvutil.HTTPServerRequestOptions{}, attrs)
 }
 
 func (o OldHTTPServer) NetworkTransportAttr(network string) attribute.KeyValue {
@@ -48,9 +48,7 @@ func (o OldHTTPServer) NetworkTransportAttr(network string) attribute.KeyValue {
 // ResponseTraceAttrs returns trace attributes for telemetry from an HTTP response.
 //
 // If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
-func (o OldHTTPServer) ResponseTraceAttrs(resp ResponseTelemetry) []attribute.KeyValue {
-	attributes := []attribute.KeyValue{}
-
+func (o OldHTTPServer) ResponseTraceAttrs(resp ResponseTelemetry, attributes []attribute.KeyValue) []attribute.KeyValue {
 	if resp.ReadBytes > 0 {
 		attributes = append(attributes, semconv.HTTPRequestContentLength(int(resp.ReadBytes)))
 	}
@@ -179,12 +177,12 @@ func (o OldHTTPServer) scheme(https bool) attribute.KeyValue { // nolint:revive
 
 type OldHTTPClient struct{}
 
-func (o OldHTTPClient) RequestTraceAttrs(req *http.Request) []attribute.KeyValue {
-	return semconvutil.HTTPClientRequest(req)
+func (o OldHTTPClient) RequestTraceAttrs(req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return semconvutil.HTTPClientRequest(req, attrs)
 }
 
-func (o OldHTTPClient) ResponseTraceAttrs(resp *http.Response) []attribute.KeyValue {
-	return semconvutil.HTTPClientResponse(resp)
+func (o OldHTTPClient) ResponseTraceAttrs(resp *http.Response, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return semconvutil.HTTPClientResponse(resp, attrs)
 }
 
 func (o OldHTTPClient) MetricAttributes(req *http.Request, statusCode int, additionalAttributes []attribute.KeyValue) []attribute.KeyValue {
@@ -269,9 +267,7 @@ func (o OldHTTPClient) createMeasures(meter metric.Meter) (metric.Int64Counter,
 	return requestBytesCounter, responseBytesCounter, latencyMeasure
 }
 
-// Attributes for httptrace.
-func (c OldHTTPClient) TraceAttributes(host string) []attribute.KeyValue {
-	return []attribute.KeyValue{
-		semconv.NetHostName(host),
-	}
+// TraceAttributes returns attributes for httptrace.
+func (c OldHTTPClient) TraceAttributes(host string, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return append(attrs, semconv.NetHostName(host))
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
index a73bb06e..b9973547 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
@@ -1,14 +1,16 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconvutil/httpconv.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package semconvutil provides OpenTelemetry semantic convention utilities.
 package semconvutil // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
 
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 
 	"go.opentelemetry.io/otel/attribute"
@@ -16,6 +18,11 @@ import (
 	semconv "go.opentelemetry.io/otel/semconv/v1.20.0"
 )
 
+type HTTPServerRequestOptions struct {
+	// If set, this is used as value for the "http.client_ip" attribute.
+	HTTPClientIP string
+}
+
 // HTTPClientResponse returns trace attributes for an HTTP response received by a
 // client from a server. It will return the following attributes if the related
 // values are defined in resp: "http.status.code",
@@ -26,9 +33,9 @@ import (
 // attributes. If a complete set of attributes can be generated using the
 // request contained in resp. For example:
 //
-//	append(HTTPClientResponse(resp), ClientRequest(resp.Request)...)
-func HTTPClientResponse(resp *http.Response) []attribute.KeyValue {
-	return hc.ClientResponse(resp)
+//	HTTPClientResponse(resp, ClientRequest(resp.Request)))
+func HTTPClientResponse(resp *http.Response, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return hc.ClientResponse(resp, attrs)
 }
 
 // HTTPClientRequest returns trace attributes for an HTTP request made by a client.
@@ -36,8 +43,8 @@ func HTTPClientResponse(resp *http.Response) []attribute.KeyValue {
 // "net.peer.name". The following attributes are returned if the related values
 // are defined in req: "net.peer.port", "user_agent.original",
 // "http.request_content_length".
-func HTTPClientRequest(req *http.Request) []attribute.KeyValue {
-	return hc.ClientRequest(req)
+func HTTPClientRequest(req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return hc.ClientRequest(req, attrs)
 }
 
 // HTTPClientRequestMetrics returns metric attributes for an HTTP request made by a client.
@@ -75,8 +82,8 @@ func HTTPClientStatus(code int) (codes.Code, string) {
 // "http.target", "net.host.name". The following attributes are returned if
 // they related values are defined in req: "net.host.port", "net.sock.peer.addr",
 // "net.sock.peer.port", "user_agent.original", "http.client_ip".
-func HTTPServerRequest(server string, req *http.Request) []attribute.KeyValue {
-	return hc.ServerRequest(server, req)
+func HTTPServerRequest(server string, req *http.Request, opts HTTPServerRequestOptions, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return hc.ServerRequest(server, req, opts, attrs)
 }
 
 // HTTPServerRequestMetrics returns metric attributes for an HTTP request received by a
@@ -153,8 +160,8 @@ var hc = &httpConv{
 // attributes. If a complete set of attributes can be generated using the
 // request contained in resp. For example:
 //
-//	append(ClientResponse(resp), ClientRequest(resp.Request)...)
-func (c *httpConv) ClientResponse(resp *http.Response) []attribute.KeyValue {
+//	ClientResponse(resp, ClientRequest(resp.Request))
+func (c *httpConv) ClientResponse(resp *http.Response, attrs []attribute.KeyValue) []attribute.KeyValue {
 	/* The following semantic conventions are returned if present:
 	http.status_code                int
 	http.response_content_length    int
@@ -166,8 +173,11 @@ func (c *httpConv) ClientResponse(resp *http.Response) []attribute.KeyValue {
 	if resp.ContentLength > 0 {
 		n++
 	}
+	if n == 0 {
+		return attrs
+	}
 
-	attrs := make([]attribute.KeyValue, 0, n)
+	attrs = slices.Grow(attrs, n)
 	if resp.StatusCode > 0 {
 		attrs = append(attrs, c.HTTPStatusCodeKey.Int(resp.StatusCode))
 	}
@@ -182,7 +192,7 @@ func (c *httpConv) ClientResponse(resp *http.Response) []attribute.KeyValue {
 // "net.peer.name". The following attributes are returned if the related values
 // are defined in req: "net.peer.port", "user_agent.original",
 // "http.request_content_length", "user_agent.original".
-func (c *httpConv) ClientRequest(req *http.Request) []attribute.KeyValue {
+func (c *httpConv) ClientRequest(req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
 	/* The following semantic conventions are returned if present:
 	http.method                     string
 	user_agent.original             string
@@ -221,8 +231,7 @@ func (c *httpConv) ClientRequest(req *http.Request) []attribute.KeyValue {
 		n++
 	}
 
-	attrs := make([]attribute.KeyValue, 0, n)
-
+	attrs = slices.Grow(attrs, n)
 	attrs = append(attrs, c.method(req.Method))
 
 	var u string
@@ -305,7 +314,7 @@ func (c *httpConv) ClientRequestMetrics(req *http.Request) []attribute.KeyValue
 // related values are defined in req: "net.host.port", "net.sock.peer.addr",
 // "net.sock.peer.port", "user_agent.original", "http.client_ip",
 // "net.protocol.name", "net.protocol.version".
-func (c *httpConv) ServerRequest(server string, req *http.Request) []attribute.KeyValue {
+func (c *httpConv) ServerRequest(server string, req *http.Request, opts HTTPServerRequestOptions, attrs []attribute.KeyValue) []attribute.KeyValue {
 	/* The following semantic conventions are returned if present:
 	http.method             string
 	http.scheme             string
@@ -358,7 +367,17 @@ func (c *httpConv) ServerRequest(server string, req *http.Request) []attribute.K
 		n++
 	}
 
-	clientIP := serverClientIP(req.Header.Get("X-Forwarded-For"))
+	// For client IP, use, in order:
+	// 1. The value passed in the options
+	// 2. The value in the X-Forwarded-For header
+	// 3. The peer address
+	clientIP := opts.HTTPClientIP
+	if clientIP == "" {
+		clientIP = serverClientIP(req.Header.Get("X-Forwarded-For"))
+		if clientIP == "" {
+			clientIP = peer
+		}
+	}
 	if clientIP != "" {
 		n++
 	}
@@ -378,7 +397,7 @@ func (c *httpConv) ServerRequest(server string, req *http.Request) []attribute.K
 		n++
 	}
 
-	attrs := make([]attribute.KeyValue, 0, n)
+	attrs = slices.Grow(attrs, n)
 
 	attrs = append(attrs, c.method(req.Method))
 	attrs = append(attrs, c.scheme(req.TLS != nil))
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
index de74fa25..df97255e 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconvutil/netconv.go.tmpl
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
index ea504e39..d62ce44b 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
@@ -35,14 +35,14 @@ func (l *Labeler) Get() []attribute.KeyValue {
 
 type labelerContextKeyType int
 
-const lablelerContextKey labelerContextKeyType = 0
+const labelerContextKey labelerContextKeyType = 0
 
 // ContextWithLabeler returns a new context with the provided Labeler instance.
 // Attributes added to the specified labeler will be injected into metrics
 // emitted by the instrumentation. Only one labeller can be injected into the
 // context. Injecting it multiple times will override the previous calls.
 func ContextWithLabeler(parent context.Context, l *Labeler) context.Context {
-	return context.WithValue(parent, lablelerContextKey, l)
+	return context.WithValue(parent, labelerContextKey, l)
 }
 
 // LabelerFromContext retrieves a Labeler instance from the provided context if
@@ -50,7 +50,7 @@ func ContextWithLabeler(parent context.Context, l *Labeler) context.Context {
 // Labeler is returned and the second return value is false.  In this case it is
 // safe to use the Labeler but any attributes added to it will not be used.
 func LabelerFromContext(ctx context.Context) (*Labeler, bool) {
-	l, ok := ctx.Value(lablelerContextKey).(*Labeler)
+	l, ok := ctx.Value(labelerContextKey).(*Labeler)
 	if !ok {
 		l = &Labeler{}
 	}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
index 44b86ad8..e4c02a42 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
@@ -129,6 +129,41 @@ func (t *Transport) RoundTrip(r *http.Request) (*http.Response, error) {
 	t.propagators.Inject(ctx, propagation.HeaderCarrier(r.Header))
 
 	res, err := t.rt.RoundTrip(r)
+
+	// Defer metrics recording function to record the metrics on error or no error.
+	defer func() {
+		metricAttributes := semconv.MetricAttributes{
+			Req:                  r,
+			AdditionalAttributes: append(labeler.Get(), t.metricAttributesFromRequest(r)...),
+		}
+
+		if err == nil {
+			metricAttributes.StatusCode = res.StatusCode
+		}
+
+		metricOpts := t.semconv.MetricOptions(metricAttributes)
+
+		metricData := semconv.MetricData{
+			RequestSize: bw.BytesRead(),
+		}
+
+		if err == nil {
+			// For handling response bytes we leverage a callback when the client reads the http response
+			readRecordFunc := func(n int64) {
+				t.semconv.RecordResponseSize(ctx, n, metricOpts)
+			}
+
+			res.Body = newWrappedBody(span, readRecordFunc, res.Body)
+		}
+
+		// Use floating point division here for higher precision (instead of Millisecond method).
+		elapsedTime := float64(time.Since(requestStartTime)) / float64(time.Millisecond)
+
+		metricData.ElapsedTime = elapsedTime
+
+		t.semconv.RecordMetrics(ctx, metricData, metricOpts)
+	}()
+
 	if err != nil {
 		// set error type attribute if the error is part of the predefined
 		// error types.
@@ -141,35 +176,14 @@ func (t *Transport) RoundTrip(r *http.Request) (*http.Response, error) {
 
 		span.SetStatus(codes.Error, err.Error())
 		span.End()
+
 		return res, err
 	}
 
-	// metrics
-	metricOpts := t.semconv.MetricOptions(semconv.MetricAttributes{
-		Req:                  r,
-		StatusCode:           res.StatusCode,
-		AdditionalAttributes: append(labeler.Get(), t.metricAttributesFromRequest(r)...),
-	})
-
-	// For handling response bytes we leverage a callback when the client reads the http response
-	readRecordFunc := func(n int64) {
-		t.semconv.RecordResponseSize(ctx, n, metricOpts)
-	}
-
 	// traces
 	span.SetAttributes(t.semconv.ResponseTraceAttrs(res)...)
 	span.SetStatus(t.semconv.Status(res.StatusCode))
 
-	res.Body = newWrappedBody(span, readRecordFunc, res.Body)
-
-	// Use floating point division here for higher precision (instead of Millisecond method).
-	elapsedTime := float64(time.Since(requestStartTime)) / float64(time.Millisecond)
-
-	t.semconv.RecordMetrics(ctx, semconv.MetricData{
-		RequestSize: bw.BytesRead(),
-		ElapsedTime: elapsedTime,
-	}, metricOpts)
-
 	return res, nil
 }
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
index 1ec9a00c..2fe5a136 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
@@ -5,13 +5,6 @@ package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http
 
 // Version is the current release version of the otelhttp instrumentation.
 func Version() string {
-	return "0.60.0"
+	return "0.62.0"
 	// This string is updated by the pre_release.sh script during release
 }
-
-// SemVersion is the semantic version to be supplied to tracer/meter creation.
-//
-// Deprecated: Use [Version] instead.
-func SemVersion() string {
-	return Version()
-}
diff --git a/vendor/go.opentelemetry.io/otel/.clomonitor.yml b/vendor/go.opentelemetry.io/otel/.clomonitor.yml
new file mode 100644
index 00000000..128d61a2
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/.clomonitor.yml
@@ -0,0 +1,3 @@
+exemptions:
+  - check: artifacthub_badge
+    reason: "Artifact Hub doesn't support Go packages"
diff --git a/vendor/go.opentelemetry.io/otel/.golangci.yml b/vendor/go.opentelemetry.io/otel/.golangci.yml
index c58e48ab..5f69cc02 100644
--- a/vendor/go.opentelemetry.io/otel/.golangci.yml
+++ b/vendor/go.opentelemetry.io/otel/.golangci.yml
@@ -1,13 +1,9 @@
-# See https://github.com/golangci/golangci-lint#config-file
+version: "2"
 run:
-  issues-exit-code: 1 #Default
-  tests: true #Default
-
+  issues-exit-code: 1
+  tests: true
 linters:
-  # Disable everything by default so upgrades to not include new "default
-  # enabled" linters.
-  disable-all: true
-  # Specifically enable linters we want to use.
+  default: none
   enable:
     - asasalint
     - bodyclose
@@ -15,10 +11,7 @@ linters:
     - errcheck
     - errorlint
     - godot
-    - gofumpt
-    - goimports
     - gosec
-    - gosimple
     - govet
     - ineffassign
     - misspell
@@ -26,227 +19,232 @@ linters:
     - revive
     - staticcheck
     - testifylint
-    - typecheck
     - unconvert
-    - unused
     - unparam
+    - unused
     - usestdlibvars
     - usetesting
-
+  settings:
+    depguard:
+      rules:
+        auto/sdk:
+          files:
+            - '!internal/global/trace.go'
+            - ~internal/global/trace_test.go
+          deny:
+            - pkg: go.opentelemetry.io/auto/sdk
+              desc: Do not use SDK from automatic instrumentation.
+        non-tests:
+          files:
+            - '!$test'
+            - '!**/*test/*.go'
+            - '!**/internal/matchers/*.go'
+          deny:
+            - pkg: testing
+            - pkg: github.com/stretchr/testify
+            - pkg: crypto/md5
+            - pkg: crypto/sha1
+            - pkg: crypto/**/pkix
+        otel-internal:
+          files:
+            - '**/sdk/*.go'
+            - '**/sdk/**/*.go'
+            - '**/exporters/*.go'
+            - '**/exporters/**/*.go'
+            - '**/schema/*.go'
+            - '**/schema/**/*.go'
+            - '**/metric/*.go'
+            - '**/metric/**/*.go'
+            - '**/bridge/*.go'
+            - '**/bridge/**/*.go'
+            - '**/trace/*.go'
+            - '**/trace/**/*.go'
+            - '**/log/*.go'
+            - '**/log/**/*.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/internal$
+              desc: Do not use cross-module internal packages.
+            - pkg: go.opentelemetry.io/otel/internal/internaltest
+              desc: Do not use cross-module internal packages.
+        otlp-internal:
+          files:
+            - '!**/exporters/otlp/internal/**/*.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/exporters/otlp/internal
+              desc: Do not use cross-module internal packages.
+        otlpmetric-internal:
+          files:
+            - '!**/exporters/otlp/otlpmetric/internal/*.go'
+            - '!**/exporters/otlp/otlpmetric/internal/**/*.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/internal
+              desc: Do not use cross-module internal packages.
+        otlptrace-internal:
+          files:
+            - '!**/exporters/otlp/otlptrace/*.go'
+            - '!**/exporters/otlp/otlptrace/internal/**.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal
+              desc: Do not use cross-module internal packages.
+    godot:
+      exclude:
+        # Exclude links.
+        - '^ *\[[^]]+\]:'
+        # Exclude sentence fragments for lists.
+        - ^[ ]*[-•]
+        # Exclude sentences prefixing a list.
+        - :$
+    misspell:
+      locale: US
+      ignore-rules:
+        - cancelled
+    perfsprint:
+      int-conversion: true
+      err-error: true
+      errorf: true
+      sprintf1: true
+      strconcat: true
+    revive:
+      confidence: 0.01
+      rules:
+        - name: blank-imports
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+        - name: context-as-argument
+          arguments:
+            - allowTypesBefore: '*testing.T'
+          disabled: true
+        - name: context-keys-type
+        - name: deep-exit
+        - name: defer
+          arguments:
+            - - call-chain
+              - loop
+        - name: dot-imports
+        - name: duplicated-imports
+        - name: early-return
+          arguments:
+            - preserveScope
+        - name: empty-block
+        - name: empty-lines
+        - name: error-naming
+        - name: error-return
+        - name: error-strings
+        - name: errorf
+        - name: exported
+          arguments:
+            - sayRepetitiveInsteadOfStutters
+        - name: flag-parameter
+        - name: identical-branches
+        - name: if-return
+        - name: import-shadowing
+        - name: increment-decrement
+        - name: indent-error-flow
+          arguments:
+            - preserveScope
+        - name: package-comments
+        - name: range
+        - name: range-val-in-closure
+        - name: range-val-address
+        - name: redefines-builtin-id
+        - name: string-format
+          arguments:
+            - - panic
+              - /^[^\n]*$/
+              - must not contain line breaks
+        - name: struct-tag
+        - name: superfluous-else
+          arguments:
+            - preserveScope
+        - name: time-equal
+        - name: unconditional-recursion
+        - name: unexported-return
+        - name: unhandled-error
+          arguments:
+            - fmt.Fprint
+            - fmt.Fprintf
+            - fmt.Fprintln
+            - fmt.Print
+            - fmt.Printf
+            - fmt.Println
+        - name: unnecessary-stmt
+        - name: useless-break
+        - name: var-declaration
+        - name: var-naming
+          arguments:
+            - ["ID"] # AllowList
+            - ["Otel", "Aws", "Gcp"] # DenyList
+        - name: waitgroup-by-value
+    testifylint:
+      enable-all: true
+      disable:
+        - float-compare
+        - go-require
+        - require-error
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - revive
+        path: schema/v.*/types/.*
+        text: avoid meaningless package names
+      # TODO: Having appropriate comments for exported objects helps development,
+      # even for objects in internal packages. Appropriate comments for all
+      # exported objects should be added and this exclusion removed.
+      - linters:
+          - revive
+        path: .*internal/.*
+        text: exported (method|function|type|const) (.+) should have comment or be unexported
+      # Yes, they are, but it's okay in a test.
+      - linters:
+          - revive
+        path: _test\.go
+        text: exported func.*returns unexported type.*which can be annoying to use
+      # Example test functions should be treated like main.
+      - linters:
+          - revive
+        path: example.*_test\.go
+        text: calls to (.+) only in main[(][)] or init[(][)] functions
+      # It's okay to not run gosec and perfsprint in a test.
+      - linters:
+          - gosec
+          - perfsprint
+        path: _test\.go
+      # Ignoring gosec G404: Use of weak random number generator (math/rand instead of crypto/rand)
+      # as we commonly use it in tests and examples.
+      - linters:
+          - gosec
+        text: 'G404:'
+      # Ignoring gosec G402: TLS MinVersion too low
+      # as the https://pkg.go.dev/crypto/tls#Config handles MinVersion default well.
+      - linters:
+          - gosec
+        text: 'G402: TLS MinVersion too low.'
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
-  # Setting to unlimited so the linter only is run once to debug all issues.
   max-issues-per-linter: 0
-  # Maximum count of issues with the same text.
-  # Set to 0 to disable.
-  # Default: 3
-  # Setting to unlimited so the linter only is run once to debug all issues.
   max-same-issues: 0
-  # Excluding configuration per-path, per-linter, per-text and per-source.
-  exclude-rules:
-    # TODO: Having appropriate comments for exported objects helps development,
-    # even for objects in internal packages. Appropriate comments for all
-    # exported objects should be added and this exclusion removed.
-    - path: '.*internal/.*'
-      text: "exported (method|function|type|const) (.+) should have comment or be unexported"
-      linters:
-        - revive
-    # Yes, they are, but it's okay in a test.
-    - path: _test\.go
-      text: "exported func.*returns unexported type.*which can be annoying to use"
-      linters:
-        - revive
-    # Example test functions should be treated like main.
-    - path: example.*_test\.go
-      text: "calls to (.+) only in main[(][)] or init[(][)] functions"
-      linters:
-        - revive
-    # It's okay to not run gosec and perfsprint in a test.
-    - path: _test\.go
-      linters:
-        - gosec
-        - perfsprint
-    # Ignoring gosec G404: Use of weak random number generator (math/rand instead of crypto/rand)
-    # as we commonly use it in tests and examples.
-    - text: "G404:"
-      linters:
-        - gosec
-    # Ignoring gosec G402: TLS MinVersion too low
-    # as the https://pkg.go.dev/crypto/tls#Config handles MinVersion default well.
-    - text: "G402: TLS MinVersion too low."
-      linters:
-        - gosec
-  include:
-    # revive exported should have comment or be unexported.
-    - EXC0012
-    # revive package comment should be of the form ...
-    - EXC0013
-
-linters-settings:
-  depguard:
-    rules:
-      non-tests:
-        files:
-          - "!$test"
-          - "!**/*test/*.go"
-          - "!**/internal/matchers/*.go"
-        deny:
-          - pkg: "testing"
-          - pkg: "github.com/stretchr/testify"
-          - pkg: "crypto/md5"
-          - pkg: "crypto/sha1"
-          - pkg: "crypto/**/pkix"
-      auto/sdk:
-        files:
-          - "!internal/global/trace.go"
-          - "~internal/global/trace_test.go"
-        deny:
-          - pkg: "go.opentelemetry.io/auto/sdk"
-            desc: Do not use SDK from automatic instrumentation.
-      otlp-internal:
-        files:
-          - "!**/exporters/otlp/internal/**/*.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/exporters/otlp/internal"
-            desc: Do not use cross-module internal packages.
-      otlptrace-internal:
-        files:
-          - "!**/exporters/otlp/otlptrace/*.go"
-          - "!**/exporters/otlp/otlptrace/internal/**.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal"
-            desc: Do not use cross-module internal packages.
-      otlpmetric-internal:
-        files:
-          - "!**/exporters/otlp/otlpmetric/internal/*.go"
-          - "!**/exporters/otlp/otlpmetric/internal/**/*.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/exporters/otlp/otlpmetric/internal"
-            desc: Do not use cross-module internal packages.
-      otel-internal:
-        files:
-          - "**/sdk/*.go"
-          - "**/sdk/**/*.go"
-          - "**/exporters/*.go"
-          - "**/exporters/**/*.go"
-          - "**/schema/*.go"
-          - "**/schema/**/*.go"
-          - "**/metric/*.go"
-          - "**/metric/**/*.go"
-          - "**/bridge/*.go"
-          - "**/bridge/**/*.go"
-          - "**/trace/*.go"
-          - "**/trace/**/*.go"
-          - "**/log/*.go"
-          - "**/log/**/*.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/internal$"
-            desc: Do not use cross-module internal packages.
-          - pkg: "go.opentelemetry.io/otel/internal/attribute"
-            desc: Do not use cross-module internal packages.
-          - pkg: "go.opentelemetry.io/otel/internal/internaltest"
-            desc: Do not use cross-module internal packages.
-          - pkg: "go.opentelemetry.io/otel/internal/matchers"
-            desc: Do not use cross-module internal packages.
-  godot:
-    exclude:
-      # Exclude links.
-      - '^ *\[[^]]+\]:'
-      # Exclude sentence fragments for lists.
-      - '^[ ]*[-•]'
-      # Exclude sentences prefixing a list.
-      - ':$'
-  goimports:
-    local-prefixes: go.opentelemetry.io
-  misspell:
-    locale: US
-    ignore-words:
-      - cancelled
-  perfsprint:
-    err-error: true
-    errorf: true
-    int-conversion: true
-    sprintf1: true
-    strconcat: true
-  revive:
-    # Sets the default failure confidence.
-    # This means that linting errors with less than 0.8 confidence will be ignored.
-    # Default: 0.8
-    confidence: 0.01
-    # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
-    rules:
-      - name: blank-imports
-      - name: bool-literal-in-expr
-      - name: constant-logical-expr
-      - name: context-as-argument
-        disabled: true
-        arguments:
-          - allowTypesBefore: "*testing.T"
-      - name: context-keys-type
-      - name: deep-exit
-      - name: defer
-        arguments:
-          - ["call-chain", "loop"]
-      - name: dot-imports
-      - name: duplicated-imports
-      - name: early-return
-        arguments:
-          - "preserveScope"
-      - name: empty-block
-      - name: empty-lines
-      - name: error-naming
-      - name: error-return
-      - name: error-strings
-      - name: errorf
-      - name: exported
-        arguments:
-          - "sayRepetitiveInsteadOfStutters"
-      - name: flag-parameter
-      - name: identical-branches
-      - name: if-return
-      - name: import-shadowing
-      - name: increment-decrement
-      - name: indent-error-flow
-        arguments:
-          - "preserveScope"
-      - name: package-comments
-      - name: range
-      - name: range-val-in-closure
-      - name: range-val-address
-      - name: redefines-builtin-id
-      - name: string-format
-        arguments:
-          - - panic
-            - '/^[^\n]*$/'
-            - must not contain line breaks
-      - name: struct-tag
-      - name: superfluous-else
-        arguments:
-          - "preserveScope"
-      - name: time-equal
-      - name: unconditional-recursion
-      - name: unexported-return
-      - name: unhandled-error
-        arguments:
-          - "fmt.Fprint"
-          - "fmt.Fprintf"
-          - "fmt.Fprintln"
-          - "fmt.Print"
-          - "fmt.Printf"
-          - "fmt.Println"
-      - name: unnecessary-stmt
-      - name: useless-break
-      - name: var-declaration
-      - name: var-naming
-        arguments:
-          - ["ID"] # AllowList
-          - ["Otel", "Aws", "Gcp"] # DenyList
-      - name: waitgroup-by-value
-  testifylint:
-    enable-all: true
-    disable:
-      - float-compare
-      - go-require
-      - require-error
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+    - golines
+  settings:
+    goimports:
+      local-prefixes:
+        - go.opentelemetry.io
+    golines:
+      max-len: 120
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/vendor/go.opentelemetry.io/otel/CHANGELOG.md b/vendor/go.opentelemetry.io/otel/CHANGELOG.md
index c076db28..4acc7570 100644
--- a/vendor/go.opentelemetry.io/otel/CHANGELOG.md
+++ b/vendor/go.opentelemetry.io/otel/CHANGELOG.md
@@ -11,6 +11,112 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 <!-- Released section -->
 <!-- Don't change this section unless doing release -->
 
+## [1.37.0/0.59.0/0.13.0] 2025-06-25
+
+### Added
+
+- The `go.opentelemetry.io/otel/semconv/v1.33.0` package.
+  The package contains semantic conventions from the `v1.33.0` version of the OpenTelemetry Semantic Conventions.
+  See the [migration documentation](./semconv/v1.33.0/MIGRATION.md) for information on how to upgrade from `go.opentelemetry.io/otel/semconv/v1.32.0.`(#6799)
+- The `go.opentelemetry.io/otel/semconv/v1.34.0` package.
+  The package contains semantic conventions from the `v1.34.0` version of the OpenTelemetry Semantic Conventions. (#6812)
+- Add metric's schema URL as `otel_scope_schema_url` label in `go.opentelemetry.io/otel/exporters/prometheus`. (#5947)
+- Add metric's scope attributes as `otel_scope_[attribute]` labels in `go.opentelemetry.io/otel/exporters/prometheus`. (#5947)
+- Add `EventName` to `EnabledParameters` in `go.opentelemetry.io/otel/log`. (#6825)
+- Add `EventName` to `EnabledParameters` in `go.opentelemetry.io/otel/sdk/log`. (#6825)
+- Changed handling of `go.opentelemetry.io/otel/exporters/prometheus` metric renaming to add unit suffixes when it doesn't match one of the pre-defined values in the unit suffix map. (#6839)
+
+### Changed
+
+- The semantic conventions have been upgraded from `v1.26.0` to `v1.34.0` in `go.opentelemetry.io/otel/bridge/opentracing`. (#6827)
+- The semantic conventions have been upgraded from `v1.26.0` to `v1.34.0` in `go.opentelemetry.io/otel/exporters/zipkin`. (#6829)
+- The semantic conventions have been upgraded from `v1.26.0` to `v1.34.0` in `go.opentelemetry.io/otel/metric`. (#6832)
+- The semantic conventions have been upgraded from `v1.26.0` to `v1.34.0` in `go.opentelemetry.io/otel/sdk/resource`. (#6834)
+- The semantic conventions have been upgraded from `v1.26.0` to `v1.34.0` in `go.opentelemetry.io/otel/sdk/trace`. (#6835)
+- The semantic conventions have been upgraded from `v1.26.0` to `v1.34.0` in `go.opentelemetry.io/otel/trace`. (#6836)
+- `Record.Resource` now returns `*resource.Resource` instead of `resource.Resource` in `go.opentelemetry.io/otel/sdk/log`. (#6864)
+- Retry now shows error cause for context timeout in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`, `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc`, `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc`, `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`, `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`, `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. (#6898)
+
+### Fixed
+
+- Stop stripping trailing slashes from configured endpoint URL in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`. (#6710)
+- Stop stripping trailing slashes from configured endpoint URL in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`. (#6710)
+- Stop stripping trailing slashes from configured endpoint URL in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc`. (#6710)
+- Stop stripping trailing slashes from configured endpoint URL in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`. (#6710)
+- Validate exponential histogram scale range for Prometheus compatibility in `go.opentelemetry.io/otel/exporters/prometheus`. (#6822)
+- Context cancellation during metric pipeline produce does not corrupt data in `go.opentelemetry.io/otel/sdk/metric`. (#6914)
+
+### Removed
+
+- `go.opentelemetry.io/otel/exporters/prometheus` no longer exports `otel_scope_info` metric. (#6770)
+
+## [0.12.2] 2025-05-22
+
+### Fixed
+
+- Retract `v0.12.0` release of `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc` module that contains invalid dependencies. (#6804)
+- Retract `v0.12.0` release of `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` module that contains invalid dependencies. (#6804)
+- Retract `v0.12.0` release of `go.opentelemetry.io/otel/exporters/stdout/stdoutlog` module that contains invalid dependencies. (#6804)
+
+## [0.12.1] 2025-05-21
+
+### Fixes
+
+- Use the proper dependency version of `go.opentelemetry.io/otel/sdk/log/logtest` in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc`. (#6800)
+- Use the proper dependency version of `go.opentelemetry.io/otel/sdk/log/logtest` in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. (#6800)
+- Use the proper dependency version of `go.opentelemetry.io/otel/sdk/log/logtest` in `go.opentelemetry.io/otel/exporters/stdout/stdoutlog`. (#6800)
+
+## [1.36.0/0.58.0/0.12.0] 2025-05-20
+
+### Added
+
+- Add exponential histogram support in `go.opentelemetry.io/otel/exporters/prometheus`. (#6421)
+- The `go.opentelemetry.io/otel/semconv/v1.31.0` package.
+  The package contains semantic conventions from the `v1.31.0` version of the OpenTelemetry Semantic Conventions.
+  See the [migration documentation](./semconv/v1.31.0/MIGRATION.md) for information on how to upgrade from `go.opentelemetry.io/otel/semconv/v1.30.0`. (#6479)
+- Add `Recording`, `Scope`, and `Record` types in `go.opentelemetry.io/otel/log/logtest`. (#6507)
+- Add `WithHTTPClient` option to configure the `http.Client` used by `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`. (#6751)
+- Add `WithHTTPClient` option to configure the `http.Client` used by `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`. (#6752)
+- Add `WithHTTPClient` option to configure the `http.Client` used by `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. (#6688)
+- Add `ValuesGetter` in `go.opentelemetry.io/otel/propagation`, a `TextMapCarrier` that supports retrieving multiple values for a single key. (#5973)
+- Add `Values` method to `HeaderCarrier` to implement the new `ValuesGetter` interface in `go.opentelemetry.io/otel/propagation`. (#5973)
+- Update `Baggage` in `go.opentelemetry.io/otel/propagation` to retrieve multiple values for a key when the carrier implements `ValuesGetter`. (#5973)
+- Add `AssertEqual` function in `go.opentelemetry.io/otel/log/logtest`. (#6662)
+- The `go.opentelemetry.io/otel/semconv/v1.32.0` package.
+  The package contains semantic conventions from the `v1.32.0` version of the OpenTelemetry Semantic Conventions.
+  See the [migration documentation](./semconv/v1.32.0/MIGRATION.md) for information on how to upgrade from `go.opentelemetry.io/otel/semconv/v1.31.0`(#6782)
+- Add `Transform` option in `go.opentelemetry.io/otel/log/logtest`. (#6794)
+- Add `Desc` option in `go.opentelemetry.io/otel/log/logtest`. (#6796)
+
+### Removed
+
+- Drop support for [Go 1.22]. (#6381, #6418)
+- Remove `Resource` field from `EnabledParameters` in `go.opentelemetry.io/otel/sdk/log`. (#6494)
+- Remove `RecordFactory` type from `go.opentelemetry.io/otel/log/logtest`. (#6492)
+- Remove `ScopeRecords`, `EmittedRecord`, and `RecordFactory` types from `go.opentelemetry.io/otel/log/logtest`. (#6507)
+- Remove `AssertRecordEqual` function in `go.opentelemetry.io/otel/log/logtest`, use `AssertEqual` instead. (#6662)
+
+### Changed
+
+- ⚠️ Update `github.com/prometheus/client_golang` to `v1.21.1`, which changes the `NameValidationScheme` to `UTF8Validation`.
+  This allows metrics names to keep original delimiters (e.g. `.`), rather than replacing with underscores.
+  This can be reverted by setting `github.com/prometheus/common/model.NameValidationScheme` to `LegacyValidation` in `github.com/prometheus/common/model`. (#6433)
+- Initialize map with `len(keys)` in `NewAllowKeysFilter` and `NewDenyKeysFilter` to avoid unnecessary allocations in `go.opentelemetry.io/otel/attribute`. (#6455)
+- `go.opentelemetry.io/otel/log/logtest` is now a separate Go module. (#6465)
+- `go.opentelemetry.io/otel/sdk/log/logtest` is now a separate Go module. (#6466)
+- `Recorder` in `go.opentelemetry.io/otel/log/logtest` no longer separately stores records emitted by loggers with the same instrumentation scope. (#6507)
+- Improve performance of `BatchProcessor` in `go.opentelemetry.io/otel/sdk/log` by not exporting when exporter cannot accept more. (#6569, #6641)
+
+### Deprecated
+
+- Deprecate support for `model.LegacyValidation` for `go.opentelemetry.io/otel/exporters/prometheus`. (#6449)
+
+### Fixes
+
+- Stop percent encoding header environment variables in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc` and `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. (#6392)
+- Ensure the `noopSpan.tracerProvider` method is not inlined in `go.opentelemetry.io/otel/trace` so the `go.opentelemetry.io/auto` instrumentation can instrument non-recording spans. (#6456)
+- Use a `sync.Pool` instead of allocating `metricdata.ResourceMetrics` in `go.opentelemetry.io/otel/exporters/prometheus`. (#6472)
+
 ## [1.35.0/0.57.0/0.11.0] 2025-03-05
 
 This release is the last to support [Go 1.22].
@@ -3237,7 +3343,11 @@ It contains api and sdk for trace and meter.
 - CircleCI build CI manifest files.
 - CODEOWNERS file to track owners of this project.
 
-[Unreleased]: https://github.com/open-telemetry/opentelemetry-go/compare/v1.35.0...HEAD
+[Unreleased]: https://github.com/open-telemetry/opentelemetry-go/compare/v1.37.0...HEAD
+[1.37.0/0.59.0/0.13.0]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.37.0
+[0.12.2]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/log/v0.12.2
+[0.12.1]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/log/v0.12.1
+[1.36.0/0.58.0/0.12.0]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.36.0
 [1.35.0/0.57.0/0.11.0]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.35.0
 [1.34.0/0.56.0/0.10.0]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.34.0
 [1.33.0/0.55.0/0.9.0/0.0.12]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.33.0
diff --git a/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md b/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md
index 7b8af585..f9ddc281 100644
--- a/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md
+++ b/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md
@@ -109,10 +109,9 @@ A PR is considered **ready to merge** when:
 
   This is not enforced through automation, but needs to be validated by the
   maintainer merging.
-  * The qualified approvals need to be from [Approver]s/[Maintainer]s
-    affiliated with different companies. Two qualified approvals from
-    [Approver]s or [Maintainer]s affiliated with the same company counts as a
-    single qualified approval.
+  * At least one of the qualified approvals need to be from an
+    [Approver]/[Maintainer] affiliated with a different company than the author
+    of the PR.
   * PRs introducing changes that have already been discussed and consensus
     reached only need one qualified approval. The discussion and resolution
     needs to be linked to the PR.
@@ -643,17 +642,18 @@ should be canceled.
 
 ### Triagers
 
+- [Alex Kats](https://github.com/akats7), Capital One
 - [Cheng-Zhen Yang](https://github.com/scorpionknifes), Independent
 
 ### Approvers
 
 ### Maintainers
 
-- [Damien Mathieu](https://github.com/dmathieu), Elastic
-- [David Ashpole](https://github.com/dashpole), Google
-- [Robert Pająk](https://github.com/pellared), Splunk
-- [Sam Xie](https://github.com/XSAM), Cisco/AppDynamics
-- [Tyler Yahn](https://github.com/MrAlias), Splunk
+- [Damien Mathieu](https://github.com/dmathieu), Elastic ([GPG](https://keys.openpgp.org/search?q=5A126B972A81A6CE443E5E1B408B8E44F0873832))
+- [David Ashpole](https://github.com/dashpole), Google ([GPG](https://keys.openpgp.org/search?q=C0D1BDDCAAEAE573673085F176327DA4D864DC70))
+- [Robert Pająk](https://github.com/pellared), Splunk ([GPG](https://keys.openpgp.org/search?q=CDAD3A60476A3DE599AA5092E5F7C35A4DBE90C2))
+- [Sam Xie](https://github.com/XSAM), Splunk ([GPG](https://keys.openpgp.org/search?q=AEA033782371ABB18EE39188B8044925D6FEEBEA))
+- [Tyler Yahn](https://github.com/MrAlias), Splunk ([GPG](https://keys.openpgp.org/search?q=0x46B0F3E1A8B1BA5A))
 
 ### Emeritus
 
diff --git a/vendor/go.opentelemetry.io/otel/Makefile b/vendor/go.opentelemetry.io/otel/Makefile
index 226410d7..4fa423ca 100644
--- a/vendor/go.opentelemetry.io/otel/Makefile
+++ b/vendor/go.opentelemetry.io/otel/Makefile
@@ -43,8 +43,11 @@ $(TOOLS)/crosslink: PACKAGE=go.opentelemetry.io/build-tools/crosslink
 SEMCONVKIT = $(TOOLS)/semconvkit
 $(TOOLS)/semconvkit: PACKAGE=go.opentelemetry.io/otel/$(TOOLS_MOD_DIR)/semconvkit
 
+VERIFYREADMES = $(TOOLS)/verifyreadmes
+$(TOOLS)/verifyreadmes: PACKAGE=go.opentelemetry.io/otel/$(TOOLS_MOD_DIR)/verifyreadmes
+
 GOLANGCI_LINT = $(TOOLS)/golangci-lint
-$(TOOLS)/golangci-lint: PACKAGE=github.com/golangci/golangci-lint/cmd/golangci-lint
+$(TOOLS)/golangci-lint: PACKAGE=github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 
 MISSPELL = $(TOOLS)/misspell
 $(TOOLS)/misspell: PACKAGE=github.com/client9/misspell/cmd/misspell
@@ -68,7 +71,7 @@ GOVULNCHECK = $(TOOLS)/govulncheck
 $(TOOLS)/govulncheck: PACKAGE=golang.org/x/vuln/cmd/govulncheck
 
 .PHONY: tools
-tools: $(CROSSLINK) $(GOLANGCI_LINT) $(MISSPELL) $(GOCOVMERGE) $(STRINGER) $(PORTO) $(SEMCONVGEN) $(MULTIMOD) $(SEMCONVKIT) $(GOTMPL) $(GORELEASE)
+tools: $(CROSSLINK) $(GOLANGCI_LINT) $(MISSPELL) $(GOCOVMERGE) $(STRINGER) $(PORTO) $(SEMCONVGEN) $(VERIFYREADMES) $(MULTIMOD) $(SEMCONVKIT) $(GOTMPL) $(GORELEASE)
 
 # Virtualized python tools via docker
 
@@ -213,11 +216,8 @@ go-mod-tidy/%: crosslink
 		&& cd $(DIR) \
 		&& $(GO) mod tidy -compat=1.21
 
-.PHONY: lint-modules
-lint-modules: go-mod-tidy
-
 .PHONY: lint
-lint: misspell lint-modules golangci-lint govulncheck
+lint: misspell go-mod-tidy golangci-lint govulncheck
 
 .PHONY: vanity-import-check
 vanity-import-check: $(PORTO)
@@ -293,7 +293,7 @@ semconv-generate: $(SEMCONVKIT)
 		--param tag=$(TAG) \
 		go \
 		/home/weaver/target
-	$(SEMCONVKIT) -output "$(SEMCONVPKG)/$(TAG)" -tag "$(TAG)"
+	$(SEMCONVKIT) -semconv "$(SEMCONVPKG)" -tag "$(TAG)"
 
 .PHONY: gorelease
 gorelease: $(OTEL_GO_MOD_DIRS:%=gorelease/%)
@@ -319,10 +319,11 @@ add-tags: verify-mods
 	@[ "${MODSET}" ] || ( echo ">> env var MODSET is not set"; exit 1 )
 	$(MULTIMOD) tag -m ${MODSET} -c ${COMMIT}
 
+MARKDOWNIMAGE := $(shell awk '$$4=="markdown" {print $$2}' $(DEPENDENCIES_DOCKERFILE))
 .PHONY: lint-markdown
 lint-markdown:
-	docker run -v "$(CURDIR):$(WORKDIR)" avtodev/markdown-lint:v1 -c $(WORKDIR)/.markdownlint.yaml $(WORKDIR)/**/*.md
+	docker run --rm -u $(DOCKER_USER) -v "$(CURDIR):$(WORKDIR)" $(MARKDOWNIMAGE) -c $(WORKDIR)/.markdownlint.yaml $(WORKDIR)/**/*.md
 
 .PHONY: verify-readmes
-verify-readmes:
-	./verify_readmes.sh
+verify-readmes: $(VERIFYREADMES)
+	$(VERIFYREADMES)
diff --git a/vendor/go.opentelemetry.io/otel/README.md b/vendor/go.opentelemetry.io/otel/README.md
index 8421cd7e..5fa1b75c 100644
--- a/vendor/go.opentelemetry.io/otel/README.md
+++ b/vendor/go.opentelemetry.io/otel/README.md
@@ -6,6 +6,8 @@
 [![Go Report Card](https://goreportcard.com/badge/go.opentelemetry.io/otel)](https://goreportcard.com/report/go.opentelemetry.io/otel)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/open-telemetry/opentelemetry-go/badge)](https://scorecard.dev/viewer/?uri=github.com/open-telemetry/opentelemetry-go)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9996/badge)](https://www.bestpractices.dev/projects/9996)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/opentelemetry-go.svg)](https://issues.oss-fuzz.com/issues?q=project:opentelemetry-go)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Fopen-telemetry%2Fopentelemetry-go.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Fopen-telemetry%2Fopentelemetry-go?ref=badge_shield&issueType=license)
 [![Slack](https://img.shields.io/badge/slack-@cncf/otel--go-brightgreen.svg?logo=slack)](https://cloud-native.slack.com/archives/C01NPAXACKT)
 
 OpenTelemetry-Go is the [Go](https://golang.org/) implementation of [OpenTelemetry](https://opentelemetry.io/).
@@ -53,25 +55,18 @@ Currently, this project supports the following environments.
 |----------|------------|--------------|
 | Ubuntu   | 1.24       | amd64        |
 | Ubuntu   | 1.23       | amd64        |
-| Ubuntu   | 1.22       | amd64        |
 | Ubuntu   | 1.24       | 386          |
 | Ubuntu   | 1.23       | 386          |
-| Ubuntu   | 1.22       | 386          |
 | Ubuntu   | 1.24       | arm64        |
 | Ubuntu   | 1.23       | arm64        |
-| Ubuntu   | 1.22       | arm64        |
 | macOS 13 | 1.24       | amd64        |
 | macOS 13 | 1.23       | amd64        |
-| macOS 13 | 1.22       | amd64        |
 | macOS    | 1.24       | arm64        |
 | macOS    | 1.23       | arm64        |
-| macOS    | 1.22       | arm64        |
 | Windows  | 1.24       | amd64        |
 | Windows  | 1.23       | amd64        |
-| Windows  | 1.22       | amd64        |
 | Windows  | 1.24       | 386          |
 | Windows  | 1.23       | 386          |
-| Windows  | 1.22       | 386          |
 
 While this project should work for other systems, no compatibility guarantees
 are made for those systems currently.
diff --git a/vendor/go.opentelemetry.io/otel/RELEASING.md b/vendor/go.opentelemetry.io/otel/RELEASING.md
index 1e13ae54..1ddcdef0 100644
--- a/vendor/go.opentelemetry.io/otel/RELEASING.md
+++ b/vendor/go.opentelemetry.io/otel/RELEASING.md
@@ -1,5 +1,9 @@
 # Release Process
 
+## Create a `Version Release` issue
+
+Create a `Version Release` issue to track the release process.
+
 ## Semantic Convention Generation
 
 New versions of the [OpenTelemetry Semantic Conventions] mean new versions of the `semconv` package need to be generated.
@@ -108,6 +112,29 @@ It is critical you make sure the version you push upstream is correct.
 Finally create a Release for the new `<new tag>` on GitHub.
 The release body should include all the release notes from the Changelog for this release.
 
+### Sign the Release Artifact
+
+To ensure we comply with CNCF best practices, we need to sign the release artifact.
+The tarball attached to the GitHub release needs to be signed with your GPG key.
+
+Follow [these steps] to sign the release artifact and upload it to GitHub.
+You can use [this script] to verify the contents of the tarball before signing it.
+
+Be sure to use the correct GPG key when signing the release artifact.
+
+```terminal
+gpg --local-user <key-id> --armor --detach-sign opentelemetry-go-<version>.tar.gz
+```
+
+You can verify the signature with:
+
+```terminal
+gpg --verify opentelemetry-go-<version>.tar.gz.asc opentelemetry-go-<version>.tar.gz
+```
+
+[these steps]: https://wiki.debian.org/Creating%20signed%20GitHub%20releases
+[this script]: https://github.com/MrAlias/attest-sh
+
 ## Post-Release
 
 ### Contrib Repository
@@ -123,6 +150,16 @@ Importantly, bump any package versions referenced to be the latest one you just
 [Go instrumentation documentation]: https://opentelemetry.io/docs/languages/go/
 [content/en/docs/languages/go]: https://github.com/open-telemetry/opentelemetry.io/tree/main/content/en/docs/languages/go
 
+### Close the milestone
+
+Once a release is made, ensure all issues that were fixed and PRs that were merged as part of this release are added to the corresponding milestone.
+This helps track what changes were included in each release.
+
+- To find issues that haven't been included in a milestone, use this [GitHub search query](https://github.com/open-telemetry/opentelemetry-go/issues?q=is%3Aissue%20no%3Amilestone%20is%3Aclosed%20sort%3Aupdated-desc%20reason%3Acompleted%20-label%3AStale%20linked%3Apr)
+- To find merged PRs that haven't been included in a milestone, use this [GitHub search query](https://github.com/open-telemetry/opentelemetry-go/pulls?q=is%3Apr+no%3Amilestone+is%3Amerged).
+
+Once all related issues and PRs have been added to the milestone, close the milestone.
+
 ### Demo Repository
 
 Bump the dependencies in the following Go services:
@@ -130,3 +167,7 @@ Bump the dependencies in the following Go services:
 - [`accounting`](https://github.com/open-telemetry/opentelemetry-demo/tree/main/src/accounting)
 - [`checkoutservice`](https://github.com/open-telemetry/opentelemetry-demo/tree/main/src/checkout)
 - [`productcatalogservice`](https://github.com/open-telemetry/opentelemetry-demo/tree/main/src/product-catalog)
+
+### Close the `Version Release` issue
+
+Once the todo list in the `Version Release` issue is complete, close the issue.
diff --git a/vendor/go.opentelemetry.io/otel/attribute/filter.go b/vendor/go.opentelemetry.io/otel/attribute/filter.go
index be9cd922..3eeaa5d4 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/filter.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/filter.go
@@ -19,7 +19,7 @@ func NewAllowKeysFilter(keys ...Key) Filter {
 		return func(kv KeyValue) bool { return false }
 	}
 
-	allowed := make(map[Key]struct{})
+	allowed := make(map[Key]struct{}, len(keys))
 	for _, k := range keys {
 		allowed[k] = struct{}{}
 	}
@@ -38,7 +38,7 @@ func NewDenyKeysFilter(keys ...Key) Filter {
 		return func(kv KeyValue) bool { return true }
 	}
 
-	forbid := make(map[Key]struct{})
+	forbid := make(map[Key]struct{}, len(keys))
 	for _, k := range keys {
 		forbid[k] = struct{}{}
 	}
diff --git a/vendor/go.opentelemetry.io/otel/internal/attribute/attribute.go b/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
similarity index 97%
rename from vendor/go.opentelemetry.io/otel/internal/attribute/attribute.go
rename to vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
index 691d96c7..b76d2bbf 100644
--- a/vendor/go.opentelemetry.io/otel/internal/attribute/attribute.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
@@ -5,7 +5,7 @@
 Package attribute provide several helper functions for some commonly used
 logic of processing attributes.
 */
-package attribute // import "go.opentelemetry.io/otel/internal/attribute"
+package attribute // import "go.opentelemetry.io/otel/attribute/internal"
 
 import (
 	"reflect"
diff --git a/vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go b/vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go
new file mode 100644
index 00000000..5791c6e7
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go
@@ -0,0 +1,37 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package attribute // import "go.opentelemetry.io/otel/attribute"
+
+import (
+	"math"
+)
+
+func boolToRaw(b bool) uint64 { // nolint:revive  // b is not a control flag.
+	if b {
+		return 1
+	}
+	return 0
+}
+
+func rawToBool(r uint64) bool {
+	return r != 0
+}
+
+func int64ToRaw(i int64) uint64 {
+	// Assumes original was a valid int64 (overflow not checked).
+	return uint64(i) // nolint: gosec
+}
+
+func rawToInt64(r uint64) int64 {
+	// Assumes original was a valid int64 (overflow not checked).
+	return int64(r) // nolint: gosec
+}
+
+func float64ToRaw(f float64) uint64 {
+	return math.Float64bits(f)
+}
+
+func rawToFloat64(r uint64) float64 {
+	return math.Float64frombits(r)
+}
diff --git a/vendor/go.opentelemetry.io/otel/attribute/value.go b/vendor/go.opentelemetry.io/otel/attribute/value.go
index 9ea0ecbb..817eecac 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/value.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/value.go
@@ -9,8 +9,7 @@ import (
 	"reflect"
 	"strconv"
 
-	"go.opentelemetry.io/otel/internal"
-	"go.opentelemetry.io/otel/internal/attribute"
+	attribute "go.opentelemetry.io/otel/attribute/internal"
 )
 
 //go:generate stringer -type=Type
@@ -51,7 +50,7 @@ const (
 func BoolValue(v bool) Value {
 	return Value{
 		vtype:   BOOL,
-		numeric: internal.BoolToRaw(v),
+		numeric: boolToRaw(v),
 	}
 }
 
@@ -82,7 +81,7 @@ func IntSliceValue(v []int) Value {
 func Int64Value(v int64) Value {
 	return Value{
 		vtype:   INT64,
-		numeric: internal.Int64ToRaw(v),
+		numeric: int64ToRaw(v),
 	}
 }
 
@@ -95,7 +94,7 @@ func Int64SliceValue(v []int64) Value {
 func Float64Value(v float64) Value {
 	return Value{
 		vtype:   FLOAT64,
-		numeric: internal.Float64ToRaw(v),
+		numeric: float64ToRaw(v),
 	}
 }
 
@@ -125,7 +124,7 @@ func (v Value) Type() Type {
 // AsBool returns the bool value. Make sure that the Value's type is
 // BOOL.
 func (v Value) AsBool() bool {
-	return internal.RawToBool(v.numeric)
+	return rawToBool(v.numeric)
 }
 
 // AsBoolSlice returns the []bool value. Make sure that the Value's type is
@@ -144,7 +143,7 @@ func (v Value) asBoolSlice() []bool {
 // AsInt64 returns the int64 value. Make sure that the Value's type is
 // INT64.
 func (v Value) AsInt64() int64 {
-	return internal.RawToInt64(v.numeric)
+	return rawToInt64(v.numeric)
 }
 
 // AsInt64Slice returns the []int64 value. Make sure that the Value's type is
@@ -163,7 +162,7 @@ func (v Value) asInt64Slice() []int64 {
 // AsFloat64 returns the float64 value. Make sure that the Value's
 // type is FLOAT64.
 func (v Value) AsFloat64() float64 {
-	return internal.RawToFloat64(v.numeric)
+	return rawToFloat64(v.numeric)
 }
 
 // AsFloat64Slice returns the []float64 value. Make sure that the Value's type is
diff --git a/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile b/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile
index e4c4a753..935bd487 100644
--- a/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile
+++ b/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile
@@ -1,3 +1,4 @@
 # This is a renovate-friendly source of Docker images.
-FROM python:3.13.2-slim-bullseye@sha256:31b581c8218e1f3c58672481b3b7dba8e898852866b408c6a984c22832523935 AS python
-FROM otel/weaver:v0.13.2@sha256:ae7346b992e477f629ea327e0979e8a416a97f7956ab1f7e95ac1f44edf1a893 AS weaver
+FROM python:3.13.5-slim-bullseye@sha256:5b9fc0d8ef79cfb5f300e61cb516e0c668067bbf77646762c38c94107e230dbc AS python
+FROM otel/weaver:v0.15.2@sha256:b13acea09f721774daba36344861f689ac4bb8d6ecd94c4600b4d590c8fb34b9 AS weaver
+FROM avtodev/markdown-lint:v1@sha256:6aeedc2f49138ce7a1cd0adffc1b1c0321b841dc2102408967d9301c031949ee AS markdown
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/client.go
index e0fa0570..82a4c2c2 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/client.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/client.go
@@ -5,6 +5,7 @@ package otlpmetricgrpc // import "go.opentelemetry.io/otel/exporters/otlp/otlpme
 
 import (
 	"context"
+	"errors"
 	"time"
 
 	"google.golang.org/genproto/googleapis/rpc/errdetails"
@@ -149,7 +150,7 @@ func (c *client) exportContext(parent context.Context) (context.Context, context
 	)
 
 	if c.exportTimeout > 0 {
-		ctx, cancel = context.WithTimeout(parent, c.exportTimeout)
+		ctx, cancel = context.WithTimeoutCause(parent, c.exportTimeout, errors.New("exporter export timeout"))
 	} else {
 		ctx, cancel = context.WithCancel(parent)
 	}
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/config.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/config.go
index db6e3714..c831bb60 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/config.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/config.go
@@ -238,8 +238,9 @@ func WithTimeout(duration time.Duration) Option {
 // explicitly returns a backoff time in the response, that time will take
 // precedence over these settings.
 //
-// These settings do not define any network retry strategy. That is entirely
-// handled by the gRPC ClientConn.
+// These settings define the retry strategy implemented by the exporter.
+// These settings do not define any network retry strategy.
+// That is handled by the gRPC ClientConn.
 //
 // If unset, the default retry policy will be used. It will retry the export
 // 5 seconds after receiving a retryable error and increase exponentially
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig/envconfig.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig/envconfig.go
index 261f5502..2cd98b92 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig/envconfig.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig/envconfig.go
@@ -1,9 +1,11 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/envconfig/envconfig.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package envconfig provides functionality to parse configuration from
+// environment variables.
 package envconfig // import "go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/gen.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/gen.go
index 95e2f4ba..b29cd11a 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/gen.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/gen.go
@@ -1,6 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package internal provides internal functionally for the otlpmetricgrpc package.
 package internal // import "go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal"
 
 //go:generate gotmpl --body=../../../../../internal/shared/otlp/partialsuccess.go.tmpl "--data={}" --out=partialsuccess.go
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/envconfig.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/envconfig.go
index 7ae53f2d..b54a173b 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/envconfig.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/envconfig.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlpmetric/oconf/envconfig.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -80,8 +80,16 @@ func getOptionsFromEnv() []GenericOption {
 		}),
 		envconfig.WithCertPool("CERTIFICATE", func(p *x509.CertPool) { tlsConf.RootCAs = p }),
 		envconfig.WithCertPool("METRICS_CERTIFICATE", func(p *x509.CertPool) { tlsConf.RootCAs = p }),
-		envconfig.WithClientCert("CLIENT_CERTIFICATE", "CLIENT_KEY", func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} }),
-		envconfig.WithClientCert("METRICS_CLIENT_CERTIFICATE", "METRICS_CLIENT_KEY", func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} }),
+		envconfig.WithClientCert(
+			"CLIENT_CERTIFICATE",
+			"CLIENT_KEY",
+			func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} },
+		),
+		envconfig.WithClientCert(
+			"METRICS_CLIENT_CERTIFICATE",
+			"METRICS_CLIENT_KEY",
+			func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} },
+		),
 		envconfig.WithBool("INSECURE", func(b bool) { opts = append(opts, withInsecure(b)) }),
 		envconfig.WithBool("METRICS_INSECURE", func(b bool) { opts = append(opts, withInsecure(b)) }),
 		withTLSConfig(tlsConf, func(c *tls.Config) { opts = append(opts, WithTLSClientConfig(c)) }),
@@ -91,8 +99,14 @@ func getOptionsFromEnv() []GenericOption {
 		WithEnvCompression("METRICS_COMPRESSION", func(c Compression) { opts = append(opts, WithCompression(c)) }),
 		envconfig.WithDuration("TIMEOUT", func(d time.Duration) { opts = append(opts, WithTimeout(d)) }),
 		envconfig.WithDuration("METRICS_TIMEOUT", func(d time.Duration) { opts = append(opts, WithTimeout(d)) }),
-		withEnvTemporalityPreference("METRICS_TEMPORALITY_PREFERENCE", func(t metric.TemporalitySelector) { opts = append(opts, WithTemporalitySelector(t)) }),
-		withEnvAggPreference("METRICS_DEFAULT_HISTOGRAM_AGGREGATION", func(a metric.AggregationSelector) { opts = append(opts, WithAggregationSelector(a)) }),
+		withEnvTemporalityPreference(
+			"METRICS_TEMPORALITY_PREFERENCE",
+			func(t metric.TemporalitySelector) { opts = append(opts, WithTemporalitySelector(t)) },
+		),
+		withEnvAggPreference(
+			"METRICS_DEFAULT_HISTOGRAM_AGGREGATION",
+			func(a metric.AggregationSelector) { opts = append(opts, WithAggregationSelector(a)) },
+		),
 	)
 
 	return opts
@@ -157,7 +171,11 @@ func withEnvTemporalityPreference(n string, fn func(metric.TemporalitySelector))
 			case "lowmemory":
 				fn(lowMemory)
 			default:
-				global.Warn("OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE is set to an invalid value, ignoring.", "value", s)
+				global.Warn(
+					"OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE is set to an invalid value, ignoring.",
+					"value",
+					s,
+				)
 			}
 		}
 	}
@@ -203,7 +221,11 @@ func withEnvAggPreference(n string, fn func(metric.AggregationSelector)) func(e
 					return metric.DefaultAggregationSelector(kind)
 				})
 			default:
-				global.Warn("OTEL_EXPORTER_OTLP_METRICS_DEFAULT_HISTOGRAM_AGGREGATION is set to an invalid value, ignoring.", "value", s)
+				global.Warn(
+					"OTEL_EXPORTER_OTLP_METRICS_DEFAULT_HISTOGRAM_AGGREGATION is set to an invalid value, ignoring.",
+					"value",
+					s,
+				)
 			}
 		}
 	}
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/options.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/options.go
index 2ac8db5a..758d1ea3 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/options.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/options.go
@@ -1,9 +1,10 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlpmetric/oconf/options.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package oconf provides configuration for the otlpmetric exporters.
 package oconf // import "go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf"
 
 import (
@@ -56,13 +57,15 @@ type (
 		Timeout     time.Duration
 		URLPath     string
 
-		// gRPC configurations
-		GRPCCredentials credentials.TransportCredentials
-
 		TemporalitySelector metric.TemporalitySelector
 		AggregationSelector metric.AggregationSelector
 
-		Proxy HTTPTransportProxyFunc
+		// gRPC configurations
+		GRPCCredentials credentials.TransportCredentials
+
+		// HTTP configurations
+		Proxy      HTTPTransportProxyFunc
+		HTTPClient *http.Client
 	}
 
 	Config struct {
@@ -102,12 +105,11 @@ func NewHTTPConfig(opts ...HTTPOption) Config {
 	return cfg
 }
 
-// cleanPath returns a path with all spaces trimmed and all redundancies
-// removed. If urlPath is empty or cleaning it results in an empty string,
+// cleanPath returns a path with all spaces trimmed. If urlPath is empty,
 // defaultPath is returned instead.
 func cleanPath(urlPath string, defaultPath string) string {
-	tmp := path.Clean(strings.TrimSpace(urlPath))
-	if tmp == "." {
+	tmp := strings.TrimSpace(urlPath)
+	if tmp == "" || tmp == "." {
 		return defaultPath
 	}
 	if !path.IsAbs(tmp) {
@@ -372,3 +374,10 @@ func WithProxy(pf HTTPTransportProxyFunc) GenericOption {
 		return cfg
 	})
 }
+
+func WithHTTPClient(c *http.Client) GenericOption {
+	return newGenericOption(func(cfg Config) Config {
+		cfg.Metrics.HTTPClient = c
+		return cfg
+	})
+}
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/optiontypes.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/optiontypes.go
index 83f6d7fd..c18a6b1f 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/optiontypes.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/optiontypes.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlpmetric/oconf/optiontypes.go.tmpl
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/tls.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/tls.go
index 03e7fbcd..e4547b3a 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/tls.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/tls.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlpmetric/oconf/tls.go.tmpl
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/partialsuccess.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/partialsuccess.go
index 50e25fdb..6af5591e 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/partialsuccess.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/partialsuccess.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/partialsuccess.go
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/retry/retry.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/retry/retry.go
index cc3a7705..80691ac3 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/retry/retry.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/retry/retry.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/retry/retry.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -14,7 +14,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/cenkalti/backoff/v4"
+	"github.com/cenkalti/backoff/v5"
 )
 
 // DefaultConfig are the recommended defaults to use.
@@ -77,12 +77,12 @@ func (c Config) RequestFunc(evaluate EvaluateFunc) RequestFunc {
 			RandomizationFactor: backoff.DefaultRandomizationFactor,
 			Multiplier:          backoff.DefaultMultiplier,
 			MaxInterval:         c.MaxInterval,
-			MaxElapsedTime:      c.MaxElapsedTime,
-			Stop:                backoff.Stop,
-			Clock:               backoff.SystemClock,
 		}
 		b.Reset()
 
+		maxElapsedTime := c.MaxElapsedTime
+		startTime := time.Now()
+
 		for {
 			err := fn(ctx)
 			if err == nil {
@@ -94,21 +94,17 @@ func (c Config) RequestFunc(evaluate EvaluateFunc) RequestFunc {
 				return err
 			}
 
-			bOff := b.NextBackOff()
-			if bOff == backoff.Stop {
+			if maxElapsedTime != 0 && time.Since(startTime) > maxElapsedTime {
 				return fmt.Errorf("max retry time elapsed: %w", err)
 			}
 
 			// Wait for the greater of the backoff or throttle delay.
-			var delay time.Duration
-			if bOff > throttle {
-				delay = bOff
-			} else {
-				elapsed := b.GetElapsedTime()
-				if b.MaxElapsedTime != 0 && elapsed+throttle > b.MaxElapsedTime {
-					return fmt.Errorf("max retry time would elapse: %w", err)
-				}
-				delay = throttle
+			bOff := b.NextBackOff()
+			delay := max(throttle, bOff)
+
+			elapsed := time.Since(startTime)
+			if maxElapsedTime != 0 && elapsed+throttle > maxElapsedTime {
+				return fmt.Errorf("max retry time would elapse: %w", err)
 			}
 
 			if ctxErr := waitFunc(ctx, delay); ctxErr != nil {
@@ -136,7 +132,7 @@ func wait(ctx context.Context, delay time.Duration) error {
 		select {
 		case <-timer.C:
 		default:
-			return ctx.Err()
+			return context.Cause(ctx)
 		}
 	case <-timer.C:
 	}
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/attribute.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/attribute.go
index 2605c74d..cb70a9c4 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/attribute.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/attribute.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlpmetric/transform/attribute.go.tmpl
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/error.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/error.go
index d31652b4..f03bfec4 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/error.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/error.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlpmetric/transform/error.go.tmpl
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/metricdata.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/metricdata.go
index abf7f021..9c156e91 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/metricdata.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/metricdata.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlpmetric/transform/metricdata.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -203,7 +203,9 @@ func HistogramDataPoints[N int64 | float64](dPts []metricdata.HistogramDataPoint
 
 // ExponentialHistogram returns an OTLP Metric_ExponentialHistogram generated from h. An error is
 // returned if the temporality of h is unknown.
-func ExponentialHistogram[N int64 | float64](h metricdata.ExponentialHistogram[N]) (*mpb.Metric_ExponentialHistogram, error) {
+func ExponentialHistogram[N int64 | float64](
+	h metricdata.ExponentialHistogram[N],
+) (*mpb.Metric_ExponentialHistogram, error) {
 	t, err := Temporality(h.Temporality)
 	if err != nil {
 		return nil, err
@@ -218,7 +220,9 @@ func ExponentialHistogram[N int64 | float64](h metricdata.ExponentialHistogram[N
 
 // ExponentialHistogramDataPoints returns a slice of OTLP ExponentialHistogramDataPoint generated
 // from dPts.
-func ExponentialHistogramDataPoints[N int64 | float64](dPts []metricdata.ExponentialHistogramDataPoint[N]) []*mpb.ExponentialHistogramDataPoint {
+func ExponentialHistogramDataPoints[N int64 | float64](
+	dPts []metricdata.ExponentialHistogramDataPoint[N],
+) []*mpb.ExponentialHistogramDataPoint {
 	out := make([]*mpb.ExponentialHistogramDataPoint, 0, len(dPts))
 	for _, dPt := range dPts {
 		sum := float64(dPt.Sum)
@@ -250,7 +254,9 @@ func ExponentialHistogramDataPoints[N int64 | float64](dPts []metricdata.Exponen
 
 // ExponentialHistogramDataPointBuckets returns an OTLP ExponentialHistogramDataPoint_Buckets generated
 // from bucket.
-func ExponentialHistogramDataPointBuckets(bucket metricdata.ExponentialBucket) *mpb.ExponentialHistogramDataPoint_Buckets {
+func ExponentialHistogramDataPointBuckets(
+	bucket metricdata.ExponentialBucket,
+) *mpb.ExponentialHistogramDataPoint_Buckets {
 	return &mpb.ExponentialHistogramDataPoint_Buckets{
 		Offset:       bucket.Offset,
 		BucketCounts: bucket.Counts,
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/version.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/version.go
index 0b5dec3a..b34d35b0 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/version.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/version.go
@@ -5,5 +5,5 @@ package otlpmetricgrpc // import "go.opentelemetry.io/otel/exporters/otlp/otlpme
 
 // Version is the current release version of the OpenTelemetry OTLP over gRPC metrics exporter in use.
 func Version() string {
-	return "1.35.0"
+	return "1.37.0"
 }
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/attribute.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/attribute.go
index 4571a5ca..ca4544f0 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/attribute.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/attribute.go
@@ -1,6 +1,8 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package tracetransform provides conversion functionality for the otlptrace
+// exporters.
 package tracetransform // import "go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/client.go
index 8409b5f8..8236c995 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/client.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/client.go
@@ -223,7 +223,7 @@ func (c *client) exportContext(parent context.Context) (context.Context, context
 	)
 
 	if c.exportTimeout > 0 {
-		ctx, cancel = context.WithTimeout(parent, c.exportTimeout)
+		ctx, cancel = context.WithTimeoutCause(parent, c.exportTimeout, errors.New("exporter export timeout"))
 	} else {
 		ctx, cancel = context.WithCancel(parent)
 	}
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/envconfig/envconfig.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/envconfig/envconfig.go
index 4abf48d1..6eacdf31 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/envconfig/envconfig.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/envconfig/envconfig.go
@@ -1,9 +1,11 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/envconfig/envconfig.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package envconfig provides functionality to parse configuration from
+// environment variables.
 package envconfig // import "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/envconfig"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/gen.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/gen.go
index 97cd6c54..b6e6b10f 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/gen.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/gen.go
@@ -1,6 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package internal provides internal functionally for the otlptracegrpc package.
 package internal // import "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal"
 
 //go:generate gotmpl --body=../../../../../internal/shared/otlp/partialsuccess.go.tmpl "--data={}" --out=partialsuccess.go
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/envconfig.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/envconfig.go
index 7bb189a9..1d840be2 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/envconfig.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/envconfig.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlptrace/otlpconfig/envconfig.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -77,8 +77,16 @@ func getOptionsFromEnv() []GenericOption {
 		}),
 		envconfig.WithCertPool("CERTIFICATE", func(p *x509.CertPool) { tlsConf.RootCAs = p }),
 		envconfig.WithCertPool("TRACES_CERTIFICATE", func(p *x509.CertPool) { tlsConf.RootCAs = p }),
-		envconfig.WithClientCert("CLIENT_CERTIFICATE", "CLIENT_KEY", func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} }),
-		envconfig.WithClientCert("TRACES_CLIENT_CERTIFICATE", "TRACES_CLIENT_KEY", func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} }),
+		envconfig.WithClientCert(
+			"CLIENT_CERTIFICATE",
+			"CLIENT_KEY",
+			func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} },
+		),
+		envconfig.WithClientCert(
+			"TRACES_CLIENT_CERTIFICATE",
+			"TRACES_CLIENT_KEY",
+			func(c tls.Certificate) { tlsConf.Certificates = []tls.Certificate{c} },
+		),
 		withTLSConfig(tlsConf, func(c *tls.Config) { opts = append(opts, WithTLSClientConfig(c)) }),
 		envconfig.WithBool("INSECURE", func(b bool) { opts = append(opts, withInsecure(b)) }),
 		envconfig.WithBool("TRACES_INSECURE", func(b bool) { opts = append(opts, withInsecure(b)) }),
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/options.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/options.go
index 0a317d92..4f47117a 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/options.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/options.go
@@ -1,9 +1,10 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlptrace/otlpconfig/options.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package otlpconfig provides configuration for the otlptrace exporters.
 package otlpconfig // import "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig"
 
 import (
@@ -52,7 +53,9 @@ type (
 		// gRPC configurations
 		GRPCCredentials credentials.TransportCredentials
 
-		Proxy HTTPTransportProxyFunc
+		// HTTP configurations
+		Proxy      HTTPTransportProxyFunc
+		HTTPClient *http.Client
 	}
 
 	Config struct {
@@ -89,12 +92,11 @@ func NewHTTPConfig(opts ...HTTPOption) Config {
 	return cfg
 }
 
-// cleanPath returns a path with all spaces trimmed and all redundancies
-// removed. If urlPath is empty or cleaning it results in an empty string,
+// cleanPath returns a path with all spaces trimmed. If urlPath is empty,
 // defaultPath is returned instead.
 func cleanPath(urlPath string, defaultPath string) string {
-	tmp := path.Clean(strings.TrimSpace(urlPath))
-	if tmp == "." {
+	tmp := strings.TrimSpace(urlPath)
+	if tmp == "" || tmp == "." {
 		return defaultPath
 	}
 	if !path.IsAbs(tmp) {
@@ -349,3 +351,10 @@ func WithProxy(pf HTTPTransportProxyFunc) GenericOption {
 		return cfg
 	})
 }
+
+func WithHTTPClient(c *http.Client) GenericOption {
+	return newGenericOption(func(cfg Config) Config {
+		cfg.Traces.HTTPClient = c
+		return cfg
+	})
+}
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/optiontypes.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/optiontypes.go
index 3d4f699d..91849038 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/optiontypes.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/optiontypes.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlptrace/otlpconfig/optiontypes.go.tmpl
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/tls.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/tls.go
index 38b97a01..ba6e4118 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/tls.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig/tls.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/otlptrace/otlpconfig/tls.go.tmpl
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/partialsuccess.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/partialsuccess.go
index a12ea4c4..1c465942 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/partialsuccess.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/partialsuccess.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/partialsuccess.go
 
 // Copyright The OpenTelemetry Authors
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/retry/retry.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/retry/retry.go
index 1c5450ab..259a898a 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/retry/retry.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/retry/retry.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/otlp/retry/retry.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -14,7 +14,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/cenkalti/backoff/v4"
+	"github.com/cenkalti/backoff/v5"
 )
 
 // DefaultConfig are the recommended defaults to use.
@@ -77,12 +77,12 @@ func (c Config) RequestFunc(evaluate EvaluateFunc) RequestFunc {
 			RandomizationFactor: backoff.DefaultRandomizationFactor,
 			Multiplier:          backoff.DefaultMultiplier,
 			MaxInterval:         c.MaxInterval,
-			MaxElapsedTime:      c.MaxElapsedTime,
-			Stop:                backoff.Stop,
-			Clock:               backoff.SystemClock,
 		}
 		b.Reset()
 
+		maxElapsedTime := c.MaxElapsedTime
+		startTime := time.Now()
+
 		for {
 			err := fn(ctx)
 			if err == nil {
@@ -94,21 +94,17 @@ func (c Config) RequestFunc(evaluate EvaluateFunc) RequestFunc {
 				return err
 			}
 
-			bOff := b.NextBackOff()
-			if bOff == backoff.Stop {
+			if maxElapsedTime != 0 && time.Since(startTime) > maxElapsedTime {
 				return fmt.Errorf("max retry time elapsed: %w", err)
 			}
 
 			// Wait for the greater of the backoff or throttle delay.
-			var delay time.Duration
-			if bOff > throttle {
-				delay = bOff
-			} else {
-				elapsed := b.GetElapsedTime()
-				if b.MaxElapsedTime != 0 && elapsed+throttle > b.MaxElapsedTime {
-					return fmt.Errorf("max retry time would elapse: %w", err)
-				}
-				delay = throttle
+			bOff := b.NextBackOff()
+			delay := max(throttle, bOff)
+
+			elapsed := time.Since(startTime)
+			if maxElapsedTime != 0 && elapsed+throttle > maxElapsedTime {
+				return fmt.Errorf("max retry time would elapse: %w", err)
 			}
 
 			if ctxErr := waitFunc(ctx, delay); ctxErr != nil {
@@ -136,7 +132,7 @@ func wait(ctx context.Context, delay time.Duration) error {
 		select {
 		case <-timer.C:
 		default:
-			return ctx.Err()
+			return context.Cause(ctx)
 		}
 	case <-timer.C:
 	}
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/options.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/options.go
index 00ab1f20..2da22987 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/options.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/options.go
@@ -199,8 +199,9 @@ func WithTimeout(duration time.Duration) Option {
 // explicitly returns a backoff time in the response. That time will take
 // precedence over these settings.
 //
-// These settings do not define any network retry strategy. That is entirely
-// handled by the gRPC ClientConn.
+// These settings define the retry strategy implemented by the exporter.
+// These settings do not define any network retry strategy.
+// That is handled by the gRPC ClientConn.
 //
 // If unset, the default retry policy will be used. It will retry the export
 // 5 seconds after receiving a retryable error and increase exponentially
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/version.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/version.go
index f5cad46b..ed2ddce7 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/version.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/version.go
@@ -5,5 +5,5 @@ package otlptrace // import "go.opentelemetry.io/otel/exporters/otlp/otlptrace"
 
 // Version is the current release version of the OpenTelemetry OTLP trace exporter in use.
 func Version() string {
-	return "1.35.0"
+	return "1.37.0"
 }
diff --git a/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh b/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh
deleted file mode 100644
index 93e80ea3..00000000
--- a/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright The OpenTelemetry Authors
-# SPDX-License-Identifier: Apache-2.0
-
-set -euo pipefail
-
-top_dir='.'
-if [[ $# -gt 0 ]]; then
-    top_dir="${1}"
-fi
-
-p=$(pwd)
-mod_dirs=()
-
-# Note `mapfile` does not exist in older bash versions:
-# https://stackoverflow.com/questions/41475261/need-alternative-to-readarray-mapfile-for-script-on-older-version-of-bash
-
-while IFS= read -r line; do
-    mod_dirs+=("$line")
-done < <(find "${top_dir}" -type f -name 'go.mod' -exec dirname {} \; | sort)
-
-for mod_dir in "${mod_dirs[@]}"; do
-    cd "${mod_dir}"
-
-    while IFS= read -r line; do
-        echo ".${line#${p}}"
-    done < <(go list --find -f '{{.Name}}|{{.Dir}}' ./... | grep '^main|' | cut -f 2- -d '|')
-    cd "${p}"
-done
diff --git a/vendor/go.opentelemetry.io/otel/internal/gen.go b/vendor/go.opentelemetry.io/otel/internal/gen.go
deleted file mode 100644
index 4259f032..00000000
--- a/vendor/go.opentelemetry.io/otel/internal/gen.go
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package internal // import "go.opentelemetry.io/otel/internal"
-
-//go:generate gotmpl --body=./shared/matchers/expectation.go.tmpl "--data={}" --out=matchers/expectation.go
-//go:generate gotmpl --body=./shared/matchers/expecter.go.tmpl "--data={}" --out=matchers/expecter.go
-//go:generate gotmpl --body=./shared/matchers/temporal_matcher.go.tmpl "--data={}" --out=matchers/temporal_matcher.go
-
-//go:generate gotmpl --body=./shared/internaltest/alignment.go.tmpl "--data={}" --out=internaltest/alignment.go
-//go:generate gotmpl --body=./shared/internaltest/env.go.tmpl "--data={}" --out=internaltest/env.go
-//go:generate gotmpl --body=./shared/internaltest/env_test.go.tmpl "--data={}" --out=internaltest/env_test.go
-//go:generate gotmpl --body=./shared/internaltest/errors.go.tmpl "--data={}" --out=internaltest/errors.go
-//go:generate gotmpl --body=./shared/internaltest/harness.go.tmpl "--data={\"matchersImportPath\": \"go.opentelemetry.io/otel/internal/matchers\"}" --out=internaltest/harness.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_carrier.go.tmpl "--data={}" --out=internaltest/text_map_carrier.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_carrier_test.go.tmpl "--data={}" --out=internaltest/text_map_carrier_test.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_propagator.go.tmpl "--data={}" --out=internaltest/text_map_propagator.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_propagator_test.go.tmpl "--data={}" --out=internaltest/text_map_propagator_test.go
diff --git a/vendor/go.opentelemetry.io/otel/internal/global/handler.go b/vendor/go.opentelemetry.io/otel/internal/global/handler.go
index c657ff8e..2e47b296 100644
--- a/vendor/go.opentelemetry.io/otel/internal/global/handler.go
+++ b/vendor/go.opentelemetry.io/otel/internal/global/handler.go
@@ -1,6 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package global provides the OpenTelemetry global API.
 package global // import "go.opentelemetry.io/otel/internal/global"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/internal/global/meter.go b/vendor/go.opentelemetry.io/otel/internal/global/meter.go
index a6acd8dc..adb37b5b 100644
--- a/vendor/go.opentelemetry.io/otel/internal/global/meter.go
+++ b/vendor/go.opentelemetry.io/otel/internal/global/meter.go
@@ -169,7 +169,10 @@ func (m *meter) Int64Counter(name string, options ...metric.Int64CounterOption)
 	return i, nil
 }
 
-func (m *meter) Int64UpDownCounter(name string, options ...metric.Int64UpDownCounterOption) (metric.Int64UpDownCounter, error) {
+func (m *meter) Int64UpDownCounter(
+	name string,
+	options ...metric.Int64UpDownCounterOption,
+) (metric.Int64UpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -238,7 +241,10 @@ func (m *meter) Int64Gauge(name string, options ...metric.Int64GaugeOption) (met
 	return i, nil
 }
 
-func (m *meter) Int64ObservableCounter(name string, options ...metric.Int64ObservableCounterOption) (metric.Int64ObservableCounter, error) {
+func (m *meter) Int64ObservableCounter(
+	name string,
+	options ...metric.Int64ObservableCounterOption,
+) (metric.Int64ObservableCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -261,7 +267,10 @@ func (m *meter) Int64ObservableCounter(name string, options ...metric.Int64Obser
 	return i, nil
 }
 
-func (m *meter) Int64ObservableUpDownCounter(name string, options ...metric.Int64ObservableUpDownCounterOption) (metric.Int64ObservableUpDownCounter, error) {
+func (m *meter) Int64ObservableUpDownCounter(
+	name string,
+	options ...metric.Int64ObservableUpDownCounterOption,
+) (metric.Int64ObservableUpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -284,7 +293,10 @@ func (m *meter) Int64ObservableUpDownCounter(name string, options ...metric.Int6
 	return i, nil
 }
 
-func (m *meter) Int64ObservableGauge(name string, options ...metric.Int64ObservableGaugeOption) (metric.Int64ObservableGauge, error) {
+func (m *meter) Int64ObservableGauge(
+	name string,
+	options ...metric.Int64ObservableGaugeOption,
+) (metric.Int64ObservableGauge, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -330,7 +342,10 @@ func (m *meter) Float64Counter(name string, options ...metric.Float64CounterOpti
 	return i, nil
 }
 
-func (m *meter) Float64UpDownCounter(name string, options ...metric.Float64UpDownCounterOption) (metric.Float64UpDownCounter, error) {
+func (m *meter) Float64UpDownCounter(
+	name string,
+	options ...metric.Float64UpDownCounterOption,
+) (metric.Float64UpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -353,7 +368,10 @@ func (m *meter) Float64UpDownCounter(name string, options ...metric.Float64UpDow
 	return i, nil
 }
 
-func (m *meter) Float64Histogram(name string, options ...metric.Float64HistogramOption) (metric.Float64Histogram, error) {
+func (m *meter) Float64Histogram(
+	name string,
+	options ...metric.Float64HistogramOption,
+) (metric.Float64Histogram, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -399,7 +417,10 @@ func (m *meter) Float64Gauge(name string, options ...metric.Float64GaugeOption)
 	return i, nil
 }
 
-func (m *meter) Float64ObservableCounter(name string, options ...metric.Float64ObservableCounterOption) (metric.Float64ObservableCounter, error) {
+func (m *meter) Float64ObservableCounter(
+	name string,
+	options ...metric.Float64ObservableCounterOption,
+) (metric.Float64ObservableCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -422,7 +443,10 @@ func (m *meter) Float64ObservableCounter(name string, options ...metric.Float64O
 	return i, nil
 }
 
-func (m *meter) Float64ObservableUpDownCounter(name string, options ...metric.Float64ObservableUpDownCounterOption) (metric.Float64ObservableUpDownCounter, error) {
+func (m *meter) Float64ObservableUpDownCounter(
+	name string,
+	options ...metric.Float64ObservableUpDownCounterOption,
+) (metric.Float64ObservableUpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -445,7 +469,10 @@ func (m *meter) Float64ObservableUpDownCounter(name string, options ...metric.Fl
 	return i, nil
 }
 
-func (m *meter) Float64ObservableGauge(name string, options ...metric.Float64ObservableGaugeOption) (metric.Float64ObservableGauge, error) {
+func (m *meter) Float64ObservableGauge(
+	name string,
+	options ...metric.Float64ObservableGaugeOption,
+) (metric.Float64ObservableGauge, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
diff --git a/vendor/go.opentelemetry.io/otel/internal/global/trace.go b/vendor/go.opentelemetry.io/otel/internal/global/trace.go
index 8982aa0d..49e4ac4f 100644
--- a/vendor/go.opentelemetry.io/otel/internal/global/trace.go
+++ b/vendor/go.opentelemetry.io/otel/internal/global/trace.go
@@ -158,7 +158,18 @@ func (t *tracer) Start(ctx context.Context, name string, opts ...trace.SpanStart
 // a nonRecordingSpan by default.
 var autoInstEnabled = new(bool)
 
-func (t *tracer) newSpan(ctx context.Context, autoSpan *bool, name string, opts []trace.SpanStartOption) (context.Context, trace.Span) {
+// newSpan is called by tracer.Start so auto-instrumentation can attach an eBPF
+// uprobe to this code.
+//
+// "noinline" pragma prevents the method from ever being inlined.
+//
+//go:noinline
+func (t *tracer) newSpan(
+	ctx context.Context,
+	autoSpan *bool,
+	name string,
+	opts []trace.SpanStartOption,
+) (context.Context, trace.Span) {
 	// autoInstEnabled is passed to newSpan via the autoSpan parameter. This is
 	// so the auto-instrumentation can define a uprobe for (*t).newSpan and be
 	// provided with the address of the bool autoInstEnabled points to. It
diff --git a/vendor/go.opentelemetry.io/otel/internal/rawhelpers.go b/vendor/go.opentelemetry.io/otel/internal/rawhelpers.go
deleted file mode 100644
index b2fe3e41..00000000
--- a/vendor/go.opentelemetry.io/otel/internal/rawhelpers.go
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package internal // import "go.opentelemetry.io/otel/internal"
-
-import (
-	"math"
-	"unsafe"
-)
-
-func BoolToRaw(b bool) uint64 { // nolint:revive  // b is not a control flag.
-	if b {
-		return 1
-	}
-	return 0
-}
-
-func RawToBool(r uint64) bool {
-	return r != 0
-}
-
-func Int64ToRaw(i int64) uint64 {
-	// Assumes original was a valid int64 (overflow not checked).
-	return uint64(i) // nolint: gosec
-}
-
-func RawToInt64(r uint64) int64 {
-	// Assumes original was a valid int64 (overflow not checked).
-	return int64(r) // nolint: gosec
-}
-
-func Float64ToRaw(f float64) uint64 {
-	return math.Float64bits(f)
-}
-
-func RawToFloat64(r uint64) float64 {
-	return math.Float64frombits(r)
-}
-
-func RawPtrToFloat64Ptr(r *uint64) *float64 {
-	// Assumes original was a valid *float64 (overflow not checked).
-	return (*float64)(unsafe.Pointer(r)) // nolint: gosec
-}
-
-func RawPtrToInt64Ptr(r *uint64) *int64 {
-	// Assumes original was a valid *int64 (overflow not checked).
-	return (*int64)(unsafe.Pointer(r)) // nolint: gosec
-}
diff --git a/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go b/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go
index f8435d8f..b7fc973a 100644
--- a/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go
+++ b/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go
@@ -106,7 +106,9 @@ type Float64ObservableUpDownCounterConfig struct {
 
 // NewFloat64ObservableUpDownCounterConfig returns a new
 // [Float64ObservableUpDownCounterConfig] with all opts applied.
-func NewFloat64ObservableUpDownCounterConfig(opts ...Float64ObservableUpDownCounterOption) Float64ObservableUpDownCounterConfig {
+func NewFloat64ObservableUpDownCounterConfig(
+	opts ...Float64ObservableUpDownCounterOption,
+) Float64ObservableUpDownCounterConfig {
 	var config Float64ObservableUpDownCounterConfig
 	for _, o := range opts {
 		config = o.applyFloat64ObservableUpDownCounter(config)
@@ -239,12 +241,16 @@ type float64CallbackOpt struct {
 	cback Float64Callback
 }
 
-func (o float64CallbackOpt) applyFloat64ObservableCounter(cfg Float64ObservableCounterConfig) Float64ObservableCounterConfig {
+func (o float64CallbackOpt) applyFloat64ObservableCounter(
+	cfg Float64ObservableCounterConfig,
+) Float64ObservableCounterConfig {
 	cfg.callbacks = append(cfg.callbacks, o.cback)
 	return cfg
 }
 
-func (o float64CallbackOpt) applyFloat64ObservableUpDownCounter(cfg Float64ObservableUpDownCounterConfig) Float64ObservableUpDownCounterConfig {
+func (o float64CallbackOpt) applyFloat64ObservableUpDownCounter(
+	cfg Float64ObservableUpDownCounterConfig,
+) Float64ObservableUpDownCounterConfig {
 	cfg.callbacks = append(cfg.callbacks, o.cback)
 	return cfg
 }
diff --git a/vendor/go.opentelemetry.io/otel/metric/asyncint64.go b/vendor/go.opentelemetry.io/otel/metric/asyncint64.go
index e079aaef..4404b71a 100644
--- a/vendor/go.opentelemetry.io/otel/metric/asyncint64.go
+++ b/vendor/go.opentelemetry.io/otel/metric/asyncint64.go
@@ -105,7 +105,9 @@ type Int64ObservableUpDownCounterConfig struct {
 
 // NewInt64ObservableUpDownCounterConfig returns a new
 // [Int64ObservableUpDownCounterConfig] with all opts applied.
-func NewInt64ObservableUpDownCounterConfig(opts ...Int64ObservableUpDownCounterOption) Int64ObservableUpDownCounterConfig {
+func NewInt64ObservableUpDownCounterConfig(
+	opts ...Int64ObservableUpDownCounterOption,
+) Int64ObservableUpDownCounterConfig {
 	var config Int64ObservableUpDownCounterConfig
 	for _, o := range opts {
 		config = o.applyInt64ObservableUpDownCounter(config)
@@ -242,7 +244,9 @@ func (o int64CallbackOpt) applyInt64ObservableCounter(cfg Int64ObservableCounter
 	return cfg
 }
 
-func (o int64CallbackOpt) applyInt64ObservableUpDownCounter(cfg Int64ObservableUpDownCounterConfig) Int64ObservableUpDownCounterConfig {
+func (o int64CallbackOpt) applyInt64ObservableUpDownCounter(
+	cfg Int64ObservableUpDownCounterConfig,
+) Int64ObservableUpDownCounterConfig {
 	cfg.callbacks = append(cfg.callbacks, o.cback)
 	return cfg
 }
diff --git a/vendor/go.opentelemetry.io/otel/metric/instrument.go b/vendor/go.opentelemetry.io/otel/metric/instrument.go
index a535782e..9f48d5f1 100644
--- a/vendor/go.opentelemetry.io/otel/metric/instrument.go
+++ b/vendor/go.opentelemetry.io/otel/metric/instrument.go
@@ -63,7 +63,9 @@ func (o descOpt) applyFloat64ObservableCounter(c Float64ObservableCounterConfig)
 	return c
 }
 
-func (o descOpt) applyFloat64ObservableUpDownCounter(c Float64ObservableUpDownCounterConfig) Float64ObservableUpDownCounterConfig {
+func (o descOpt) applyFloat64ObservableUpDownCounter(
+	c Float64ObservableUpDownCounterConfig,
+) Float64ObservableUpDownCounterConfig {
 	c.description = string(o)
 	return c
 }
@@ -98,7 +100,9 @@ func (o descOpt) applyInt64ObservableCounter(c Int64ObservableCounterConfig) Int
 	return c
 }
 
-func (o descOpt) applyInt64ObservableUpDownCounter(c Int64ObservableUpDownCounterConfig) Int64ObservableUpDownCounterConfig {
+func (o descOpt) applyInt64ObservableUpDownCounter(
+	c Int64ObservableUpDownCounterConfig,
+) Int64ObservableUpDownCounterConfig {
 	c.description = string(o)
 	return c
 }
@@ -138,7 +142,9 @@ func (o unitOpt) applyFloat64ObservableCounter(c Float64ObservableCounterConfig)
 	return c
 }
 
-func (o unitOpt) applyFloat64ObservableUpDownCounter(c Float64ObservableUpDownCounterConfig) Float64ObservableUpDownCounterConfig {
+func (o unitOpt) applyFloat64ObservableUpDownCounter(
+	c Float64ObservableUpDownCounterConfig,
+) Float64ObservableUpDownCounterConfig {
 	c.unit = string(o)
 	return c
 }
@@ -173,7 +179,9 @@ func (o unitOpt) applyInt64ObservableCounter(c Int64ObservableCounterConfig) Int
 	return c
 }
 
-func (o unitOpt) applyInt64ObservableUpDownCounter(c Int64ObservableUpDownCounterConfig) Int64ObservableUpDownCounterConfig {
+func (o unitOpt) applyInt64ObservableUpDownCounter(
+	c Int64ObservableUpDownCounterConfig,
+) Int64ObservableUpDownCounterConfig {
 	c.unit = string(o)
 	return c
 }
diff --git a/vendor/go.opentelemetry.io/otel/metric/meter.go b/vendor/go.opentelemetry.io/otel/metric/meter.go
index 14e08c24..fdd2a701 100644
--- a/vendor/go.opentelemetry.io/otel/metric/meter.go
+++ b/vendor/go.opentelemetry.io/otel/metric/meter.go
@@ -110,7 +110,10 @@ type Meter interface {
 	// The name needs to conform to the OpenTelemetry instrument name syntax.
 	// See the Instrument Name section of the package documentation for more
 	// information.
-	Int64ObservableUpDownCounter(name string, options ...Int64ObservableUpDownCounterOption) (Int64ObservableUpDownCounter, error)
+	Int64ObservableUpDownCounter(
+		name string,
+		options ...Int64ObservableUpDownCounterOption,
+	) (Int64ObservableUpDownCounter, error)
 
 	// Int64ObservableGauge returns a new Int64ObservableGauge instrument
 	// identified by name and configured with options. The instrument is used
@@ -194,7 +197,10 @@ type Meter interface {
 	// The name needs to conform to the OpenTelemetry instrument name syntax.
 	// See the Instrument Name section of the package documentation for more
 	// information.
-	Float64ObservableUpDownCounter(name string, options ...Float64ObservableUpDownCounterOption) (Float64ObservableUpDownCounter, error)
+	Float64ObservableUpDownCounter(
+		name string,
+		options ...Float64ObservableUpDownCounterOption,
+	) (Float64ObservableUpDownCounter, error)
 
 	// Float64ObservableGauge returns a new Float64ObservableGauge instrument
 	// identified by name and configured with options. The instrument is used
diff --git a/vendor/go.opentelemetry.io/otel/metric/noop/noop.go b/vendor/go.opentelemetry.io/otel/metric/noop/noop.go
index ca6fcbdc..9afb69e5 100644
--- a/vendor/go.opentelemetry.io/otel/metric/noop/noop.go
+++ b/vendor/go.opentelemetry.io/otel/metric/noop/noop.go
@@ -86,13 +86,19 @@ func (Meter) Int64Gauge(string, ...metric.Int64GaugeOption) (metric.Int64Gauge,
 
 // Int64ObservableCounter returns an ObservableCounter used to record int64
 // measurements that produces no telemetry.
-func (Meter) Int64ObservableCounter(string, ...metric.Int64ObservableCounterOption) (metric.Int64ObservableCounter, error) {
+func (Meter) Int64ObservableCounter(
+	string,
+	...metric.Int64ObservableCounterOption,
+) (metric.Int64ObservableCounter, error) {
 	return Int64ObservableCounter{}, nil
 }
 
 // Int64ObservableUpDownCounter returns an ObservableUpDownCounter used to
 // record int64 measurements that produces no telemetry.
-func (Meter) Int64ObservableUpDownCounter(string, ...metric.Int64ObservableUpDownCounterOption) (metric.Int64ObservableUpDownCounter, error) {
+func (Meter) Int64ObservableUpDownCounter(
+	string,
+	...metric.Int64ObservableUpDownCounterOption,
+) (metric.Int64ObservableUpDownCounter, error) {
 	return Int64ObservableUpDownCounter{}, nil
 }
 
@@ -128,19 +134,28 @@ func (Meter) Float64Gauge(string, ...metric.Float64GaugeOption) (metric.Float64G
 
 // Float64ObservableCounter returns an ObservableCounter used to record int64
 // measurements that produces no telemetry.
-func (Meter) Float64ObservableCounter(string, ...metric.Float64ObservableCounterOption) (metric.Float64ObservableCounter, error) {
+func (Meter) Float64ObservableCounter(
+	string,
+	...metric.Float64ObservableCounterOption,
+) (metric.Float64ObservableCounter, error) {
 	return Float64ObservableCounter{}, nil
 }
 
 // Float64ObservableUpDownCounter returns an ObservableUpDownCounter used to
 // record int64 measurements that produces no telemetry.
-func (Meter) Float64ObservableUpDownCounter(string, ...metric.Float64ObservableUpDownCounterOption) (metric.Float64ObservableUpDownCounter, error) {
+func (Meter) Float64ObservableUpDownCounter(
+	string,
+	...metric.Float64ObservableUpDownCounterOption,
+) (metric.Float64ObservableUpDownCounter, error) {
 	return Float64ObservableUpDownCounter{}, nil
 }
 
 // Float64ObservableGauge returns an ObservableGauge used to record int64
 // measurements that produces no telemetry.
-func (Meter) Float64ObservableGauge(string, ...metric.Float64ObservableGaugeOption) (metric.Float64ObservableGauge, error) {
+func (Meter) Float64ObservableGauge(
+	string,
+	...metric.Float64ObservableGaugeOption,
+) (metric.Float64ObservableGauge, error) {
 	return Float64ObservableGauge{}, nil
 }
 
diff --git a/vendor/go.opentelemetry.io/otel/propagation/baggage.go b/vendor/go.opentelemetry.io/otel/propagation/baggage.go
index 552263ba..ebda5026 100644
--- a/vendor/go.opentelemetry.io/otel/propagation/baggage.go
+++ b/vendor/go.opentelemetry.io/otel/propagation/baggage.go
@@ -28,7 +28,21 @@ func (b Baggage) Inject(ctx context.Context, carrier TextMapCarrier) {
 }
 
 // Extract returns a copy of parent with the baggage from the carrier added.
+// If carrier implements [ValuesGetter] (e.g. [HeaderCarrier]), Values is invoked
+// for multiple values extraction. Otherwise, Get is called.
 func (b Baggage) Extract(parent context.Context, carrier TextMapCarrier) context.Context {
+	if multiCarrier, ok := carrier.(ValuesGetter); ok {
+		return extractMultiBaggage(parent, multiCarrier)
+	}
+	return extractSingleBaggage(parent, carrier)
+}
+
+// Fields returns the keys who's values are set with Inject.
+func (b Baggage) Fields() []string {
+	return []string{baggageHeader}
+}
+
+func extractSingleBaggage(parent context.Context, carrier TextMapCarrier) context.Context {
 	bStr := carrier.Get(baggageHeader)
 	if bStr == "" {
 		return parent
@@ -41,7 +55,23 @@ func (b Baggage) Extract(parent context.Context, carrier TextMapCarrier) context
 	return baggage.ContextWithBaggage(parent, bag)
 }
 
-// Fields returns the keys who's values are set with Inject.
-func (b Baggage) Fields() []string {
-	return []string{baggageHeader}
+func extractMultiBaggage(parent context.Context, carrier ValuesGetter) context.Context {
+	bVals := carrier.Values(baggageHeader)
+	if len(bVals) == 0 {
+		return parent
+	}
+	var members []baggage.Member
+	for _, bStr := range bVals {
+		currBag, err := baggage.Parse(bStr)
+		if err != nil {
+			continue
+		}
+		members = append(members, currBag.Members()...)
+	}
+
+	b, err := baggage.New(members...)
+	if err != nil || b.Len() == 0 {
+		return parent
+	}
+	return baggage.ContextWithBaggage(parent, b)
 }
diff --git a/vendor/go.opentelemetry.io/otel/propagation/propagation.go b/vendor/go.opentelemetry.io/otel/propagation/propagation.go
index 8c8286aa..5c8c26ea 100644
--- a/vendor/go.opentelemetry.io/otel/propagation/propagation.go
+++ b/vendor/go.opentelemetry.io/otel/propagation/propagation.go
@@ -9,6 +9,7 @@ import (
 )
 
 // TextMapCarrier is the storage medium used by a TextMapPropagator.
+// See ValuesGetter for how a TextMapCarrier can get multiple values for a key.
 type TextMapCarrier interface {
 	// DO NOT CHANGE: any modification will not be backwards compatible and
 	// must never be done outside of a new major release.
@@ -29,6 +30,18 @@ type TextMapCarrier interface {
 	// must never be done outside of a new major release.
 }
 
+// ValuesGetter can return multiple values for a single key,
+// with contrast to TextMapCarrier.Get which returns a single value.
+type ValuesGetter interface {
+	// DO NOT CHANGE: any modification will not be backwards compatible and
+	// must never be done outside of a new major release.
+
+	// Values returns all values associated with the passed key.
+	Values(key string) []string
+	// DO NOT CHANGE: any modification will not be backwards compatible and
+	// must never be done outside of a new major release.
+}
+
 // MapCarrier is a TextMapCarrier that uses a map held in memory as a storage
 // medium for propagated key-value pairs.
 type MapCarrier map[string]string
@@ -55,14 +68,25 @@ func (c MapCarrier) Keys() []string {
 	return keys
 }
 
-// HeaderCarrier adapts http.Header to satisfy the TextMapCarrier interface.
+// HeaderCarrier adapts http.Header to satisfy the TextMapCarrier and ValuesGetter interfaces.
 type HeaderCarrier http.Header
 
-// Get returns the value associated with the passed key.
+// Compile time check that HeaderCarrier implements ValuesGetter.
+var _ TextMapCarrier = HeaderCarrier{}
+
+// Compile time check that HeaderCarrier implements TextMapCarrier.
+var _ ValuesGetter = HeaderCarrier{}
+
+// Get returns the first value associated with the passed key.
 func (hc HeaderCarrier) Get(key string) string {
 	return http.Header(hc).Get(key)
 }
 
+// Values returns all values associated with the passed key.
+func (hc HeaderCarrier) Values(key string) []string {
+	return http.Header(hc).Values(key)
+}
+
 // Set stores the key-value pair.
 func (hc HeaderCarrier) Set(key string, value string) {
 	http.Header(hc).Set(key, value)
@@ -89,6 +113,8 @@ type TextMapPropagator interface {
 	// must never be done outside of a new major release.
 
 	// Extract reads cross-cutting concerns from the carrier into a Context.
+	// Implementations may check if the carrier implements ValuesGetter,
+	// to support extraction of multiple values per key.
 	Extract(ctx context.Context, carrier TextMapCarrier) context.Context
 	// DO NOT CHANGE: any modification will not be backwards compatible and
 	// must never be done outside of a new major release.
diff --git a/vendor/go.opentelemetry.io/otel/renovate.json b/vendor/go.opentelemetry.io/otel/renovate.json
index a6fa353f..fa5acf2d 100644
--- a/vendor/go.opentelemetry.io/otel/renovate.json
+++ b/vendor/go.opentelemetry.io/otel/renovate.json
@@ -1,7 +1,8 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:best-practices"
+    "config:best-practices",
+    "helpers:pinGitHubActionDigestsToSemver"
   ],
   "ignorePaths": [],
   "labels": ["Skip Changelog", "dependencies"],
@@ -25,6 +26,10 @@
     {
       "matchPackageNames": ["golang.org/x/**"],
       "groupName": "golang.org/x"
+    },
+    {
+      "matchPackageNames": ["go.opentelemetry.io/otel/sdk/log/logtest"],
+      "enabled": false
     }
   ]
 }
diff --git a/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go b/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go
index 07923ed8..e3309231 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go
@@ -1,6 +1,8 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package env provides types and functionality for environment variable support
+// in the OpenTelemetry SDK.
 package env // import "go.opentelemetry.io/otel/sdk/internal/env"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar.go b/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar.go
index 0335b8ae..549d3bd5 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar.go
@@ -18,7 +18,10 @@ type ExemplarReservoirProviderSelector func(Aggregation) exemplar.ReservoirProvi
 
 // reservoirFunc returns the appropriately configured exemplar reservoir
 // creation func based on the passed InstrumentKind and filter configuration.
-func reservoirFunc[N int64 | float64](provider exemplar.ReservoirProvider, filter exemplar.Filter) func(attribute.Set) aggregate.FilteredExemplarReservoir[N] {
+func reservoirFunc[N int64 | float64](
+	provider exemplar.ReservoirProvider,
+	filter exemplar.Filter,
+) func(attribute.Set) aggregate.FilteredExemplarReservoir[N] {
 	return func(attrs attribute.Set) aggregate.FilteredExemplarReservoir[N] {
 		return aggregate.NewFilteredExemplarReservoir[N](filter, provider(attrs))
 	}
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/fixed_size_reservoir.go b/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/fixed_size_reservoir.go
index d4aab0aa..1fb1e009 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/fixed_size_reservoir.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/exemplar/fixed_size_reservoir.go
@@ -6,7 +6,7 @@ package exemplar // import "go.opentelemetry.io/otel/sdk/metric/exemplar"
 import (
 	"context"
 	"math"
-	"math/rand"
+	"math/rand/v2"
 	"time"
 
 	"go.opentelemetry.io/otel/attribute"
@@ -44,18 +44,11 @@ type FixedSizeReservoir struct {
 	// w is the largest random number in a distribution that is used to compute
 	// the next next.
 	w float64
-
-	// rng is used to make sampling decisions.
-	//
-	// Do not use crypto/rand. There is no reason for the decrease in performance
-	// given this is not a security sensitive decision.
-	rng *rand.Rand
 }
 
 func newFixedSizeReservoir(s *storage) *FixedSizeReservoir {
 	r := &FixedSizeReservoir{
 		storage: s,
-		rng:     rand.New(rand.NewSource(time.Now().UnixNano())),
 	}
 	r.reset()
 	return r
@@ -64,26 +57,15 @@ func newFixedSizeReservoir(s *storage) *FixedSizeReservoir {
 // randomFloat64 returns, as a float64, a uniform pseudo-random number in the
 // open interval (0.0,1.0).
 func (r *FixedSizeReservoir) randomFloat64() float64 {
-	// TODO: This does not return a uniform number. rng.Float64 returns a
-	// uniformly random int in [0,2^53) that is divided by 2^53. Meaning it
-	// returns multiples of 2^-53, and not all floating point numbers between 0
-	// and 1 (i.e. for values less than 2^-4 the 4 last bits of the significand
-	// are always going to be 0).
+	// TODO: Use an algorithm that avoids rejection sampling. For example:
 	//
-	// An alternative algorithm should be considered that will actually return
-	// a uniform number in the interval (0,1). For example, since the default
-	// rand source provides a uniform distribution for Int63, this can be
-	// converted following the prototypical code of Mersenne Twister 64 (Takuji
-	// Nishimura and Makoto Matsumoto:
-	// http://www.math.sci.hiroshima-u.ac.jp/m-mat/MT/VERSIONS/C-LANG/mt19937-64.c)
-	//
-	//   (float64(rng.Int63()>>11) + 0.5) * (1.0 / 4503599627370496.0)
-	//
-	// There are likely many other methods to explore here as well.
-
-	f := r.rng.Float64()
+	//   const precision = 1 << 53 // 2^53
+	//   // Generate an integer in [1, 2^53 - 1]
+	//   v := rand.Uint64() % (precision - 1) + 1
+	//   return float64(v) / float64(precision)
+	f := rand.Float64()
 	for f == 0 {
-		f = r.rng.Float64()
+		f = rand.Float64()
 	}
 	return f
 }
@@ -146,7 +128,7 @@ func (r *FixedSizeReservoir) Offer(ctx context.Context, t time.Time, n Value, a
 	} else {
 		if r.count == r.next {
 			// Overwrite a random existing measurement with the one offered.
-			idx := int(r.rng.Int63n(int64(cap(r.store))))
+			idx := int(rand.Int64N(int64(cap(r.store))))
 			r.store[idx] = newMeasurement(ctx, t, n, a)
 			r.advance()
 		}
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/instrument.go b/vendor/go.opentelemetry.io/otel/sdk/metric/instrument.go
index c33e1a28..18891ed5 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/instrument.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/instrument.go
@@ -28,7 +28,7 @@ type InstrumentKind uint8
 const (
 	// instrumentKindUndefined is an undefined instrument kind, it should not
 	// be used by any initialized type.
-	instrumentKindUndefined InstrumentKind = 0 // nolint:deadcode,varcheck,unused
+	instrumentKindUndefined InstrumentKind = 0 // nolint:unused
 	// InstrumentKindCounter identifies a group of instruments that record
 	// increasing values synchronously with the code path they are measuring.
 	InstrumentKindCounter InstrumentKind = 1
@@ -208,7 +208,11 @@ func (i *int64Inst) Enabled(_ context.Context) bool {
 	return len(i.measures) != 0
 }
 
-func (i *int64Inst) aggregate(ctx context.Context, val int64, s attribute.Set) { // nolint:revive  // okay to shadow pkg with method.
+func (i *int64Inst) aggregate(
+	ctx context.Context,
+	val int64,
+	s attribute.Set,
+) { // nolint:revive  // okay to shadow pkg with method.
 	for _, in := range i.measures {
 		in(ctx, val, s)
 	}
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/aggregate.go b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/aggregate.go
index fde21933..0321da68 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/aggregate.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/aggregate.go
@@ -121,7 +121,10 @@ func (b Builder[N]) Sum(monotonic bool) (Measure[N], ComputeAggregation) {
 
 // ExplicitBucketHistogram returns a histogram aggregate function input and
 // output.
-func (b Builder[N]) ExplicitBucketHistogram(boundaries []float64, noMinMax, noSum bool) (Measure[N], ComputeAggregation) {
+func (b Builder[N]) ExplicitBucketHistogram(
+	boundaries []float64,
+	noMinMax, noSum bool,
+) (Measure[N], ComputeAggregation) {
 	h := newHistogram[N](boundaries, noMinMax, noSum, b.AggregationLimit, b.resFunc())
 	switch b.Temporality {
 	case metricdata.DeltaTemporality:
@@ -133,7 +136,10 @@ func (b Builder[N]) ExplicitBucketHistogram(boundaries []float64, noMinMax, noSu
 
 // ExponentialBucketHistogram returns a histogram aggregate function input and
 // output.
-func (b Builder[N]) ExponentialBucketHistogram(maxSize, maxScale int32, noMinMax, noSum bool) (Measure[N], ComputeAggregation) {
+func (b Builder[N]) ExponentialBucketHistogram(
+	maxSize, maxScale int32,
+	noMinMax, noSum bool,
+) (Measure[N], ComputeAggregation) {
 	h := newExponentialHistogram[N](maxSize, maxScale, noMinMax, noSum, b.AggregationLimit, b.resFunc())
 	switch b.Temporality {
 	case metricdata.DeltaTemporality:
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go
index 32a62e1b..ae1f5934 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go
@@ -48,7 +48,12 @@ type expoHistogramDataPoint[N int64 | float64] struct {
 	zeroCount  uint64
 }
 
-func newExpoHistogramDataPoint[N int64 | float64](attrs attribute.Set, maxSize int, maxScale int32, noMinMax, noSum bool) *expoHistogramDataPoint[N] { // nolint:revive // we need this control flag
+func newExpoHistogramDataPoint[N int64 | float64](
+	attrs attribute.Set,
+	maxSize int,
+	maxScale int32,
+	noMinMax, noSum bool,
+) *expoHistogramDataPoint[N] { // nolint:revive // we need this control flag
 	f := math.MaxFloat64
 	ma := N(f) // if N is int64, max will overflow to -9223372036854775808
 	mi := N(-f)
@@ -283,7 +288,12 @@ func (b *expoBuckets) downscale(delta int32) {
 // newExponentialHistogram returns an Aggregator that summarizes a set of
 // measurements as an exponential histogram. Each histogram is scoped by attributes
 // and the aggregation cycle the measurements were made in.
-func newExponentialHistogram[N int64 | float64](maxSize, maxScale int32, noMinMax, noSum bool, limit int, r func(attribute.Set) FilteredExemplarReservoir[N]) *expoHistogram[N] {
+func newExponentialHistogram[N int64 | float64](
+	maxSize, maxScale int32,
+	noMinMax, noSum bool,
+	limit int,
+	r func(attribute.Set) FilteredExemplarReservoir[N],
+) *expoHistogram[N] {
 	return &expoHistogram[N]{
 		noSum:    noSum,
 		noMinMax: noMinMax,
@@ -314,7 +324,12 @@ type expoHistogram[N int64 | float64] struct {
 	start time.Time
 }
 
-func (e *expoHistogram[N]) measure(ctx context.Context, value N, fltrAttr attribute.Set, droppedAttr []attribute.KeyValue) {
+func (e *expoHistogram[N]) measure(
+	ctx context.Context,
+	value N,
+	fltrAttr attribute.Set,
+	droppedAttr []attribute.KeyValue,
+) {
 	// Ignore NaN and infinity.
 	if math.IsInf(float64(value), 0) || math.IsNaN(float64(value)) {
 		return
@@ -360,11 +375,19 @@ func (e *expoHistogram[N]) delta(dest *metricdata.Aggregation) int {
 		hDPts[i].ZeroThreshold = 0.0
 
 		hDPts[i].PositiveBucket.Offset = val.posBuckets.startBin
-		hDPts[i].PositiveBucket.Counts = reset(hDPts[i].PositiveBucket.Counts, len(val.posBuckets.counts), len(val.posBuckets.counts))
+		hDPts[i].PositiveBucket.Counts = reset(
+			hDPts[i].PositiveBucket.Counts,
+			len(val.posBuckets.counts),
+			len(val.posBuckets.counts),
+		)
 		copy(hDPts[i].PositiveBucket.Counts, val.posBuckets.counts)
 
 		hDPts[i].NegativeBucket.Offset = val.negBuckets.startBin
-		hDPts[i].NegativeBucket.Counts = reset(hDPts[i].NegativeBucket.Counts, len(val.negBuckets.counts), len(val.negBuckets.counts))
+		hDPts[i].NegativeBucket.Counts = reset(
+			hDPts[i].NegativeBucket.Counts,
+			len(val.negBuckets.counts),
+			len(val.negBuckets.counts),
+		)
 		copy(hDPts[i].NegativeBucket.Counts, val.negBuckets.counts)
 
 		if !e.noSum {
@@ -413,11 +436,19 @@ func (e *expoHistogram[N]) cumulative(dest *metricdata.Aggregation) int {
 		hDPts[i].ZeroThreshold = 0.0
 
 		hDPts[i].PositiveBucket.Offset = val.posBuckets.startBin
-		hDPts[i].PositiveBucket.Counts = reset(hDPts[i].PositiveBucket.Counts, len(val.posBuckets.counts), len(val.posBuckets.counts))
+		hDPts[i].PositiveBucket.Counts = reset(
+			hDPts[i].PositiveBucket.Counts,
+			len(val.posBuckets.counts),
+			len(val.posBuckets.counts),
+		)
 		copy(hDPts[i].PositiveBucket.Counts, val.posBuckets.counts)
 
 		hDPts[i].NegativeBucket.Offset = val.negBuckets.startBin
-		hDPts[i].NegativeBucket.Counts = reset(hDPts[i].NegativeBucket.Counts, len(val.negBuckets.counts), len(val.negBuckets.counts))
+		hDPts[i].NegativeBucket.Counts = reset(
+			hDPts[i].NegativeBucket.Counts,
+			len(val.negBuckets.counts),
+			len(val.negBuckets.counts),
+		)
 		copy(hDPts[i].NegativeBucket.Counts, val.negBuckets.counts)
 
 		if !e.noSum {
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/filtered_reservoir.go b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/filtered_reservoir.go
index 691a9106..d4c41642 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/filtered_reservoir.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/filtered_reservoir.go
@@ -33,7 +33,10 @@ type filteredExemplarReservoir[N int64 | float64] struct {
 
 // NewFilteredExemplarReservoir creates a [FilteredExemplarReservoir] which only offers values
 // that are allowed by the filter.
-func NewFilteredExemplarReservoir[N int64 | float64](f exemplar.Filter, r exemplar.Reservoir) FilteredExemplarReservoir[N] {
+func NewFilteredExemplarReservoir[N int64 | float64](
+	f exemplar.Filter,
+	r exemplar.Reservoir,
+) FilteredExemplarReservoir[N] {
 	return &filteredExemplarReservoir[N]{
 		filter:    f,
 		reservoir: r,
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/histogram.go b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/histogram.go
index d577ae2c..d3068484 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/histogram.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/histogram.go
@@ -53,7 +53,12 @@ type histValues[N int64 | float64] struct {
 	valuesMu sync.Mutex
 }
 
-func newHistValues[N int64 | float64](bounds []float64, noSum bool, limit int, r func(attribute.Set) FilteredExemplarReservoir[N]) *histValues[N] {
+func newHistValues[N int64 | float64](
+	bounds []float64,
+	noSum bool,
+	limit int,
+	r func(attribute.Set) FilteredExemplarReservoir[N],
+) *histValues[N] {
 	// The responsibility of keeping all buckets correctly associated with the
 	// passed boundaries is ultimately this type's responsibility. Make a copy
 	// here so we can always guarantee this. Or, in the case of failure, have
@@ -71,7 +76,12 @@ func newHistValues[N int64 | float64](bounds []float64, noSum bool, limit int, r
 
 // Aggregate records the measurement value, scoped by attr, and aggregates it
 // into a histogram.
-func (s *histValues[N]) measure(ctx context.Context, value N, fltrAttr attribute.Set, droppedAttr []attribute.KeyValue) {
+func (s *histValues[N]) measure(
+	ctx context.Context,
+	value N,
+	fltrAttr attribute.Set,
+	droppedAttr []attribute.KeyValue,
+) {
 	// This search will return an index in the range [0, len(s.bounds)], where
 	// it will return len(s.bounds) if value is greater than the last element
 	// of s.bounds. This aligns with the buckets in that the length of buckets
@@ -108,7 +118,12 @@ func (s *histValues[N]) measure(ctx context.Context, value N, fltrAttr attribute
 
 // newHistogram returns an Aggregator that summarizes a set of measurements as
 // an histogram.
-func newHistogram[N int64 | float64](boundaries []float64, noMinMax, noSum bool, limit int, r func(attribute.Set) FilteredExemplarReservoir[N]) *histogram[N] {
+func newHistogram[N int64 | float64](
+	boundaries []float64,
+	noMinMax, noSum bool,
+	limit int,
+	r func(attribute.Set) FilteredExemplarReservoir[N],
+) *histogram[N] {
 	return &histogram[N]{
 		histValues: newHistValues[N](boundaries, noSum, limit, r),
 		noMinMax:   noMinMax,
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/lastvalue.go b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/lastvalue.go
index d3a93f08..350ccebd 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/lastvalue.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/lastvalue.go
@@ -114,7 +114,10 @@ func (s *lastValue[N]) copyDpts(dest *[]metricdata.DataPoint[N], t time.Time) in
 
 // newPrecomputedLastValue returns an aggregator that summarizes a set of
 // observations as the last one made.
-func newPrecomputedLastValue[N int64 | float64](limit int, r func(attribute.Set) FilteredExemplarReservoir[N]) *precomputedLastValue[N] {
+func newPrecomputedLastValue[N int64 | float64](
+	limit int,
+	r func(attribute.Set) FilteredExemplarReservoir[N],
+) *precomputedLastValue[N] {
 	return &precomputedLastValue[N]{lastValue: newLastValue[N](limit, r)}
 }
 
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/sum.go b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/sum.go
index 8e132ad6..612cde43 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/sum.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/sum.go
@@ -143,7 +143,11 @@ func (s *sum[N]) cumulative(dest *metricdata.Aggregation) int {
 // newPrecomputedSum returns an aggregator that summarizes a set of
 // observations as their arithmetic sum. Each sum is scoped by attributes and
 // the aggregation cycle the measurements were made in.
-func newPrecomputedSum[N int64 | float64](monotonic bool, limit int, r func(attribute.Set) FilteredExemplarReservoir[N]) *precomputedSum[N] {
+func newPrecomputedSum[N int64 | float64](
+	monotonic bool,
+	limit int,
+	r func(attribute.Set) FilteredExemplarReservoir[N],
+) *precomputedSum[N] {
 	return &precomputedSum[N]{
 		valueMap:  newValueMap[N](limit, r),
 		monotonic: monotonic,
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/reuse_slice.go b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/reuse_slice.go
index 19ec6806..ea452be6 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/internal/reuse_slice.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/internal/reuse_slice.go
@@ -1,6 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package internal provides internal functionality for the metric package.
 package internal // import "go.opentelemetry.io/otel/sdk/metric/internal"
 
 // ReuseSlice returns a zeroed view of slice if its capacity is greater than or
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/manual_reader.go b/vendor/go.opentelemetry.io/otel/sdk/metric/manual_reader.go
index c495985b..96e77908 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/manual_reader.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/manual_reader.go
@@ -58,7 +58,9 @@ func (mr *ManualReader) temporality(kind InstrumentKind) metricdata.Temporality
 }
 
 // aggregation returns what Aggregation to use for kind.
-func (mr *ManualReader) aggregation(kind InstrumentKind) Aggregation { // nolint:revive  // import-shadow for method scoped by type.
+func (mr *ManualReader) aggregation(
+	kind InstrumentKind,
+) Aggregation { // nolint:revive  // import-shadow for method scoped by type.
 	return mr.aggregationSelector(kind)
 }
 
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/meter.go b/vendor/go.opentelemetry.io/otel/sdk/metric/meter.go
index a6ccd117..c500fd9f 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/meter.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/meter.go
@@ -82,7 +82,10 @@ func (m *meter) Int64Counter(name string, options ...metric.Int64CounterOption)
 // Int64UpDownCounter returns a new instrument identified by name and
 // configured with options. The instrument is used to synchronously record
 // int64 measurements during a computational operation.
-func (m *meter) Int64UpDownCounter(name string, options ...metric.Int64UpDownCounterOption) (metric.Int64UpDownCounter, error) {
+func (m *meter) Int64UpDownCounter(
+	name string,
+	options ...metric.Int64UpDownCounterOption,
+) (metric.Int64UpDownCounter, error) {
 	cfg := metric.NewInt64UpDownCounterConfig(options...)
 	const kind = InstrumentKindUpDownCounter
 	p := int64InstProvider{m}
@@ -174,7 +177,10 @@ func (m *meter) int64ObservableInstrument(id Instrument, callbacks []metric.Int6
 // Description, and Unit, only the first set of callbacks provided are used.
 // Use meter.RegisterCallback and Registration.Unregister to manage callbacks
 // if instrumentation can be created multiple times with different callbacks.
-func (m *meter) Int64ObservableCounter(name string, options ...metric.Int64ObservableCounterOption) (metric.Int64ObservableCounter, error) {
+func (m *meter) Int64ObservableCounter(
+	name string,
+	options ...metric.Int64ObservableCounterOption,
+) (metric.Int64ObservableCounter, error) {
 	cfg := metric.NewInt64ObservableCounterConfig(options...)
 	id := Instrument{
 		Name:        name,
@@ -195,7 +201,10 @@ func (m *meter) Int64ObservableCounter(name string, options ...metric.Int64Obser
 // Description, and Unit, only the first set of callbacks provided are used.
 // Use meter.RegisterCallback and Registration.Unregister to manage callbacks
 // if instrumentation can be created multiple times with different callbacks.
-func (m *meter) Int64ObservableUpDownCounter(name string, options ...metric.Int64ObservableUpDownCounterOption) (metric.Int64ObservableUpDownCounter, error) {
+func (m *meter) Int64ObservableUpDownCounter(
+	name string,
+	options ...metric.Int64ObservableUpDownCounterOption,
+) (metric.Int64ObservableUpDownCounter, error) {
 	cfg := metric.NewInt64ObservableUpDownCounterConfig(options...)
 	id := Instrument{
 		Name:        name,
@@ -216,7 +225,10 @@ func (m *meter) Int64ObservableUpDownCounter(name string, options ...metric.Int6
 // Description, and Unit, only the first set of callbacks provided are used.
 // Use meter.RegisterCallback and Registration.Unregister to manage callbacks
 // if instrumentation can be created multiple times with different callbacks.
-func (m *meter) Int64ObservableGauge(name string, options ...metric.Int64ObservableGaugeOption) (metric.Int64ObservableGauge, error) {
+func (m *meter) Int64ObservableGauge(
+	name string,
+	options ...metric.Int64ObservableGaugeOption,
+) (metric.Int64ObservableGauge, error) {
 	cfg := metric.NewInt64ObservableGaugeConfig(options...)
 	id := Instrument{
 		Name:        name,
@@ -246,7 +258,10 @@ func (m *meter) Float64Counter(name string, options ...metric.Float64CounterOpti
 // Float64UpDownCounter returns a new instrument identified by name and
 // configured with options. The instrument is used to synchronously record
 // float64 measurements during a computational operation.
-func (m *meter) Float64UpDownCounter(name string, options ...metric.Float64UpDownCounterOption) (metric.Float64UpDownCounter, error) {
+func (m *meter) Float64UpDownCounter(
+	name string,
+	options ...metric.Float64UpDownCounterOption,
+) (metric.Float64UpDownCounter, error) {
 	cfg := metric.NewFloat64UpDownCounterConfig(options...)
 	const kind = InstrumentKindUpDownCounter
 	p := float64InstProvider{m}
@@ -261,7 +276,10 @@ func (m *meter) Float64UpDownCounter(name string, options ...metric.Float64UpDow
 // Float64Histogram returns a new instrument identified by name and configured
 // with options. The instrument is used to synchronously record the
 // distribution of float64 measurements during a computational operation.
-func (m *meter) Float64Histogram(name string, options ...metric.Float64HistogramOption) (metric.Float64Histogram, error) {
+func (m *meter) Float64Histogram(
+	name string,
+	options ...metric.Float64HistogramOption,
+) (metric.Float64Histogram, error) {
 	cfg := metric.NewFloat64HistogramConfig(options...)
 	p := float64InstProvider{m}
 	i, err := p.lookupHistogram(name, cfg)
@@ -289,7 +307,10 @@ func (m *meter) Float64Gauge(name string, options ...metric.Float64GaugeOption)
 
 // float64ObservableInstrument returns a new observable identified by the Instrument.
 // It registers callbacks for each reader's pipeline.
-func (m *meter) float64ObservableInstrument(id Instrument, callbacks []metric.Float64Callback) (float64Observable, error) {
+func (m *meter) float64ObservableInstrument(
+	id Instrument,
+	callbacks []metric.Float64Callback,
+) (float64Observable, error) {
 	key := instID{
 		Name:        id.Name,
 		Description: id.Description,
@@ -338,7 +359,10 @@ func (m *meter) float64ObservableInstrument(id Instrument, callbacks []metric.Fl
 // Description, and Unit, only the first set of callbacks provided are used.
 // Use meter.RegisterCallback and Registration.Unregister to manage callbacks
 // if instrumentation can be created multiple times with different callbacks.
-func (m *meter) Float64ObservableCounter(name string, options ...metric.Float64ObservableCounterOption) (metric.Float64ObservableCounter, error) {
+func (m *meter) Float64ObservableCounter(
+	name string,
+	options ...metric.Float64ObservableCounterOption,
+) (metric.Float64ObservableCounter, error) {
 	cfg := metric.NewFloat64ObservableCounterConfig(options...)
 	id := Instrument{
 		Name:        name,
@@ -359,7 +383,10 @@ func (m *meter) Float64ObservableCounter(name string, options ...metric.Float64O
 // Description, and Unit, only the first set of callbacks provided are used.
 // Use meter.RegisterCallback and Registration.Unregister to manage callbacks
 // if instrumentation can be created multiple times with different callbacks.
-func (m *meter) Float64ObservableUpDownCounter(name string, options ...metric.Float64ObservableUpDownCounterOption) (metric.Float64ObservableUpDownCounter, error) {
+func (m *meter) Float64ObservableUpDownCounter(
+	name string,
+	options ...metric.Float64ObservableUpDownCounterOption,
+) (metric.Float64ObservableUpDownCounter, error) {
 	cfg := metric.NewFloat64ObservableUpDownCounterConfig(options...)
 	id := Instrument{
 		Name:        name,
@@ -380,7 +407,10 @@ func (m *meter) Float64ObservableUpDownCounter(name string, options ...metric.Fl
 // Description, and Unit, only the first set of callbacks provided are used.
 // Use meter.RegisterCallback and Registration.Unregister to manage callbacks
 // if instrumentation can be created multiple times with different callbacks.
-func (m *meter) Float64ObservableGauge(name string, options ...metric.Float64ObservableGaugeOption) (metric.Float64ObservableGauge, error) {
+func (m *meter) Float64ObservableGauge(
+	name string,
+	options ...metric.Float64ObservableGaugeOption,
+) (metric.Float64ObservableGauge, error) {
 	cfg := metric.NewFloat64ObservableGaugeConfig(options...)
 	id := Instrument{
 		Name:        name,
@@ -426,8 +456,10 @@ func warnRepeatedObservableCallbacks(id Instrument) {
 		"Instrument{Name: %q, Description: %q, Kind: %q, Unit: %q}",
 		id.Name, id.Description, "InstrumentKind"+id.Kind.String(), id.Unit,
 	)
-	global.Warn("Repeated observable instrument creation with callbacks. Ignoring new callbacks. Use meter.RegisterCallback and Registration.Unregister to manage callbacks.",
-		"instrument", inst,
+	global.Warn(
+		"Repeated observable instrument creation with callbacks. Ignoring new callbacks. Use meter.RegisterCallback and Registration.Unregister to manage callbacks.",
+		"instrument",
+		inst,
 	)
 }
 
@@ -613,7 +645,10 @@ func (p int64InstProvider) aggs(kind InstrumentKind, name, desc, u string) ([]ag
 	return p.int64Resolver.Aggregators(inst)
 }
 
-func (p int64InstProvider) histogramAggs(name string, cfg metric.Int64HistogramConfig) ([]aggregate.Measure[int64], error) {
+func (p int64InstProvider) histogramAggs(
+	name string,
+	cfg metric.Int64HistogramConfig,
+) ([]aggregate.Measure[int64], error) {
 	boundaries := cfg.ExplicitBucketBoundaries()
 	aggError := AggregationExplicitBucketHistogram{Boundaries: boundaries}.err()
 	if aggError != nil {
@@ -633,7 +668,7 @@ func (p int64InstProvider) histogramAggs(name string, cfg metric.Int64HistogramC
 
 // lookup returns the resolved instrumentImpl.
 func (p int64InstProvider) lookup(kind InstrumentKind, name, desc, u string) (*int64Inst, error) {
-	return p.meter.int64Insts.Lookup(instID{
+	return p.int64Insts.Lookup(instID{
 		Name:        name,
 		Description: desc,
 		Unit:        u,
@@ -646,7 +681,7 @@ func (p int64InstProvider) lookup(kind InstrumentKind, name, desc, u string) (*i
 
 // lookupHistogram returns the resolved instrumentImpl.
 func (p int64InstProvider) lookupHistogram(name string, cfg metric.Int64HistogramConfig) (*int64Inst, error) {
-	return p.meter.int64Insts.Lookup(instID{
+	return p.int64Insts.Lookup(instID{
 		Name:        name,
 		Description: cfg.Description(),
 		Unit:        cfg.Unit(),
@@ -671,7 +706,10 @@ func (p float64InstProvider) aggs(kind InstrumentKind, name, desc, u string) ([]
 	return p.float64Resolver.Aggregators(inst)
 }
 
-func (p float64InstProvider) histogramAggs(name string, cfg metric.Float64HistogramConfig) ([]aggregate.Measure[float64], error) {
+func (p float64InstProvider) histogramAggs(
+	name string,
+	cfg metric.Float64HistogramConfig,
+) ([]aggregate.Measure[float64], error) {
 	boundaries := cfg.ExplicitBucketBoundaries()
 	aggError := AggregationExplicitBucketHistogram{Boundaries: boundaries}.err()
 	if aggError != nil {
@@ -691,7 +729,7 @@ func (p float64InstProvider) histogramAggs(name string, cfg metric.Float64Histog
 
 // lookup returns the resolved instrumentImpl.
 func (p float64InstProvider) lookup(kind InstrumentKind, name, desc, u string) (*float64Inst, error) {
-	return p.meter.float64Insts.Lookup(instID{
+	return p.float64Insts.Lookup(instID{
 		Name:        name,
 		Description: desc,
 		Unit:        u,
@@ -704,7 +742,7 @@ func (p float64InstProvider) lookup(kind InstrumentKind, name, desc, u string) (
 
 // lookupHistogram returns the resolved instrumentImpl.
 func (p float64InstProvider) lookupHistogram(name string, cfg metric.Float64HistogramConfig) (*float64Inst, error) {
-	return p.meter.float64Insts.Lookup(instID{
+	return p.float64Insts.Lookup(instID{
 		Name:        name,
 		Description: cfg.Description(),
 		Unit:        cfg.Unit(),
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/data.go b/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/data.go
index d32cfc67..af835e9d 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/data.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/data.go
@@ -1,6 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package metricdata provides types for the metric SDK data model.
 package metricdata // import "go.opentelemetry.io/otel/sdk/metric/metricdata"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/temporality.go b/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/temporality.go
index 187713da..2ac840ff 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/temporality.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/metricdata/temporality.go
@@ -10,7 +10,7 @@ type Temporality uint8
 
 const (
 	// undefinedTemporality represents an unset Temporality.
-	//nolint:deadcode,unused,varcheck
+	//nolint:unused
 	undefinedTemporality Temporality = iota
 
 	// CumulativeTemporality defines a measurement interval that continues to
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/periodic_reader.go b/vendor/go.opentelemetry.io/otel/sdk/metric/periodic_reader.go
index dcd2182d..0a48aed7 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/periodic_reader.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/periodic_reader.go
@@ -193,14 +193,16 @@ func (r *PeriodicReader) temporality(kind InstrumentKind) metricdata.Temporality
 }
 
 // aggregation returns what Aggregation to use for kind.
-func (r *PeriodicReader) aggregation(kind InstrumentKind) Aggregation { // nolint:revive  // import-shadow for method scoped by type.
+func (r *PeriodicReader) aggregation(
+	kind InstrumentKind,
+) Aggregation { // nolint:revive  // import-shadow for method scoped by type.
 	return r.exporter.Aggregation(kind)
 }
 
 // collectAndExport gather all metric data related to the periodicReader r from
 // the SDK and exports it with r's exporter.
 func (r *PeriodicReader) collectAndExport(ctx context.Context) error {
-	ctx, cancel := context.WithTimeout(ctx, r.timeout)
+	ctx, cancel := context.WithTimeoutCause(ctx, r.timeout, errors.New("reader collect and export timeout"))
 	defer cancel()
 
 	// TODO (#3047): Use a sync.Pool or persistent pointer instead of allocating rm every Collect.
@@ -276,7 +278,7 @@ func (r *PeriodicReader) ForceFlush(ctx context.Context) error {
 	// Prioritize the ctx timeout if it is set.
 	if _, ok := ctx.Deadline(); !ok {
 		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(ctx, r.timeout)
+		ctx, cancel = context.WithTimeoutCause(ctx, r.timeout, errors.New("reader force flush timeout"))
 		defer cancel()
 	}
 
@@ -309,7 +311,7 @@ func (r *PeriodicReader) Shutdown(ctx context.Context) error {
 		// Prioritize the ctx timeout if it is set.
 		if _, ok := ctx.Deadline(); !ok {
 			var cancel context.CancelFunc
-			ctx, cancel = context.WithTimeout(ctx, r.timeout)
+			ctx, cancel = context.WithTimeoutCause(ctx, r.timeout, errors.New("reader shutdown timeout"))
 			defer cancel()
 		}
 
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/pipeline.go b/vendor/go.opentelemetry.io/otel/sdk/metric/pipeline.go
index 775e2452..7bdb699c 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/pipeline.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/pipeline.go
@@ -121,6 +121,14 @@ func (p *pipeline) addMultiCallback(c multiCallback) (unregister func()) {
 //
 // This method is safe to call concurrently.
 func (p *pipeline) produce(ctx context.Context, rm *metricdata.ResourceMetrics) error {
+	// Only check if context is already cancelled before starting, not inside or after callback loops.
+	// If this method returns after executing some callbacks but before running all aggregations,
+	// internal aggregation state can be corrupted and result in incorrect data returned
+	// by future produce calls.
+	if err := ctx.Err(); err != nil {
+		return err
+	}
+
 	p.Lock()
 	defer p.Unlock()
 
@@ -130,12 +138,6 @@ func (p *pipeline) produce(ctx context.Context, rm *metricdata.ResourceMetrics)
 		if e := c(ctx); e != nil {
 			err = errors.Join(err, e)
 		}
-		if err := ctx.Err(); err != nil {
-			rm.Resource = nil
-			clear(rm.ScopeMetrics) // Erase elements to let GC collect objects.
-			rm.ScopeMetrics = rm.ScopeMetrics[:0]
-			return err
-		}
 	}
 	for e := p.multiCallbacks.Front(); e != nil; e = e.Next() {
 		// TODO make the callbacks parallel. ( #3034 )
@@ -143,13 +145,6 @@ func (p *pipeline) produce(ctx context.Context, rm *metricdata.ResourceMetrics)
 		if e := f(ctx); e != nil {
 			err = errors.Join(err, e)
 		}
-		if err := ctx.Err(); err != nil {
-			// This means the context expired before we finished running callbacks.
-			rm.Resource = nil
-			clear(rm.ScopeMetrics) // Erase elements to let GC collect objects.
-			rm.ScopeMetrics = rm.ScopeMetrics[:0]
-			return err
-		}
 	}
 
 	rm.Resource = p.resource
@@ -347,7 +342,12 @@ func (i *inserter[N]) readerDefaultAggregation(kind InstrumentKind) Aggregation
 //
 // If the instrument defines an unknown or incompatible aggregation, an error
 // is returned.
-func (i *inserter[N]) cachedAggregator(scope instrumentation.Scope, kind InstrumentKind, stream Stream, readerAggregation Aggregation) (meas aggregate.Measure[N], aggID uint64, err error) {
+func (i *inserter[N]) cachedAggregator(
+	scope instrumentation.Scope,
+	kind InstrumentKind,
+	stream Stream,
+	readerAggregation Aggregation,
+) (meas aggregate.Measure[N], aggID uint64, err error) {
 	switch stream.Aggregation.(type) {
 	case nil:
 		// The aggregation was not overridden with a view. Use the aggregation
@@ -379,8 +379,11 @@ func (i *inserter[N]) cachedAggregator(scope instrumentation.Scope, kind Instrum
 	normID := id.normalize()
 	cv := i.aggregators.Lookup(normID, func() aggVal[N] {
 		b := aggregate.Builder[N]{
-			Temporality:   i.pipeline.reader.temporality(kind),
-			ReservoirFunc: reservoirFunc[N](stream.ExemplarReservoirProviderSelector(stream.Aggregation), i.pipeline.exemplarFilter),
+			Temporality: i.pipeline.reader.temporality(kind),
+			ReservoirFunc: reservoirFunc[N](
+				stream.ExemplarReservoirProviderSelector(stream.Aggregation),
+				i.pipeline.exemplarFilter,
+			),
 		}
 		b.Filter = stream.AttributeFilter
 		// A value less than or equal to zero will disable the aggregation
@@ -471,7 +474,11 @@ func (i *inserter[N]) instID(kind InstrumentKind, stream Stream) instID {
 // aggregateFunc returns new aggregate functions matching agg, kind, and
 // monotonic. If the agg is unknown or temporality is invalid, an error is
 // returned.
-func (i *inserter[N]) aggregateFunc(b aggregate.Builder[N], agg Aggregation, kind InstrumentKind) (meas aggregate.Measure[N], comp aggregate.ComputeAggregation, err error) {
+func (i *inserter[N]) aggregateFunc(
+	b aggregate.Builder[N],
+	agg Aggregation,
+	kind InstrumentKind,
+) (meas aggregate.Measure[N], comp aggregate.ComputeAggregation, err error) {
 	switch a := agg.(type) {
 	case AggregationDefault:
 		return i.aggregateFunc(b, DefaultAggregationSelector(kind), kind)
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/reader.go b/vendor/go.opentelemetry.io/otel/sdk/metric/reader.go
index d13a7069..c96e500a 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/reader.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/reader.go
@@ -146,7 +146,10 @@ type AggregationSelector func(InstrumentKind) Aggregation
 // Histogram ⇨ ExplicitBucketHistogram.
 func DefaultAggregationSelector(ik InstrumentKind) Aggregation {
 	switch ik {
-	case InstrumentKindCounter, InstrumentKindUpDownCounter, InstrumentKindObservableCounter, InstrumentKindObservableUpDownCounter:
+	case InstrumentKindCounter,
+		InstrumentKindUpDownCounter,
+		InstrumentKindObservableCounter,
+		InstrumentKindObservableUpDownCounter:
 		return AggregationSum{}
 	case InstrumentKindObservableGauge, InstrumentKindGauge:
 		return AggregationLastValue{}
diff --git a/vendor/go.opentelemetry.io/otel/sdk/metric/version.go b/vendor/go.opentelemetry.io/otel/sdk/metric/version.go
index 92d2589d..0e5adc1a 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/metric/version.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/metric/version.go
@@ -5,5 +5,5 @@ package metric // import "go.opentelemetry.io/otel/sdk/metric"
 
 // version is the current release version of the metric SDK in use.
 func version() string {
-	return "1.35.0"
+	return "1.37.0"
 }
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go b/vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go
index cf3c88e1..cefe4ab9 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go
@@ -13,7 +13,7 @@ import (
 
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/sdk"
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
 type (
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/container.go b/vendor/go.opentelemetry.io/otel/sdk/resource/container.go
index 5ecd859a..0d861971 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/container.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/container.go
@@ -11,7 +11,7 @@ import (
 	"os"
 	"regexp"
 
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
 type containerIDProvider func() (string, error)
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/env.go b/vendor/go.opentelemetry.io/otel/sdk/resource/env.go
index 813f0562..16a062ad 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/env.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/env.go
@@ -12,7 +12,7 @@ import (
 
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
 const (
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go b/vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go
index 2d0f6549..78190392 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go
@@ -8,7 +8,7 @@ import (
 	"errors"
 	"strings"
 
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
 type hostIDProvider func() (string, error)
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/os.go b/vendor/go.opentelemetry.io/otel/sdk/resource/os.go
index 8a48ab4f..01b4d27a 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/os.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/os.go
@@ -8,7 +8,7 @@ import (
 	"strings"
 
 	"go.opentelemetry.io/otel/attribute"
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
 type osDescriptionProvider func() (string, error)
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/process.go b/vendor/go.opentelemetry.io/otel/sdk/resource/process.go
index 085fe68f..6712ce80 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/process.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/process.go
@@ -11,7 +11,7 @@ import (
 	"path/filepath"
 	"runtime"
 
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 )
 
 type (
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go b/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go
index 6872cbb4..6966ed86 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go
@@ -5,6 +5,7 @@ package trace // import "go.opentelemetry.io/otel/sdk/trace"
 
 import (
 	"context"
+	"errors"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -267,7 +268,7 @@ func (bsp *batchSpanProcessor) exportSpans(ctx context.Context) error {
 
 	if bsp.o.ExportTimeout > 0 {
 		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(ctx, bsp.o.ExportTimeout)
+		ctx, cancel = context.WithTimeoutCause(ctx, bsp.o.ExportTimeout, errors.New("processor export timeout"))
 		defer cancel()
 	}
 
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go b/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go
index 925bcf99..c8d3fb7e 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go
@@ -5,10 +5,8 @@ package trace // import "go.opentelemetry.io/otel/sdk/trace"
 
 import (
 	"context"
-	crand "crypto/rand"
 	"encoding/binary"
-	"math/rand"
-	"sync"
+	"math/rand/v2"
 
 	"go.opentelemetry.io/otel/trace"
 )
@@ -29,20 +27,15 @@ type IDGenerator interface {
 	// must never be done outside of a new major release.
 }
 
-type randomIDGenerator struct {
-	sync.Mutex
-	randSource *rand.Rand
-}
+type randomIDGenerator struct{}
 
 var _ IDGenerator = &randomIDGenerator{}
 
 // NewSpanID returns a non-zero span ID from a randomly-chosen sequence.
 func (gen *randomIDGenerator) NewSpanID(ctx context.Context, traceID trace.TraceID) trace.SpanID {
-	gen.Lock()
-	defer gen.Unlock()
 	sid := trace.SpanID{}
 	for {
-		_, _ = gen.randSource.Read(sid[:])
+		binary.NativeEndian.PutUint64(sid[:], rand.Uint64())
 		if sid.IsValid() {
 			break
 		}
@@ -53,18 +46,17 @@ func (gen *randomIDGenerator) NewSpanID(ctx context.Context, traceID trace.Trace
 // NewIDs returns a non-zero trace ID and a non-zero span ID from a
 // randomly-chosen sequence.
 func (gen *randomIDGenerator) NewIDs(ctx context.Context) (trace.TraceID, trace.SpanID) {
-	gen.Lock()
-	defer gen.Unlock()
 	tid := trace.TraceID{}
 	sid := trace.SpanID{}
 	for {
-		_, _ = gen.randSource.Read(tid[:])
+		binary.NativeEndian.PutUint64(tid[:8], rand.Uint64())
+		binary.NativeEndian.PutUint64(tid[8:], rand.Uint64())
 		if tid.IsValid() {
 			break
 		}
 	}
 	for {
-		_, _ = gen.randSource.Read(sid[:])
+		binary.NativeEndian.PutUint64(sid[:], rand.Uint64())
 		if sid.IsValid() {
 			break
 		}
@@ -73,9 +65,5 @@ func (gen *randomIDGenerator) NewIDs(ctx context.Context) (trace.TraceID, trace.
 }
 
 func defaultIDGenerator() IDGenerator {
-	gen := &randomIDGenerator{}
-	var rngSeed int64
-	_ = binary.Read(crand.Reader, binary.LittleEndian, &rngSeed)
-	gen.randSource = rand.New(rand.NewSource(rngSeed))
-	return gen
+	return &randomIDGenerator{}
 }
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go b/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go
index 185aa7c0..0e2a2e7c 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go
@@ -169,7 +169,17 @@ func (p *TracerProvider) Tracer(name string, opts ...trace.TracerOption) trace.T
 		//   slowing down all tracing consumers.
 		// - Logging code may be instrumented with tracing and deadlock because it could try
 		//   acquiring the same non-reentrant mutex.
-		global.Info("Tracer created", "name", name, "version", is.Version, "schemaURL", is.SchemaURL, "attributes", is.Attributes)
+		global.Info(
+			"Tracer created",
+			"name",
+			name,
+			"version",
+			is.Version,
+			"schemaURL",
+			is.SchemaURL,
+			"attributes",
+			is.Attributes,
+		)
 	}
 	return t
 }
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/span.go b/vendor/go.opentelemetry.io/otel/sdk/trace/span.go
index 8f4fc385..1785a4bb 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/span.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/span.go
@@ -20,7 +20,7 @@ import (
 	"go.opentelemetry.io/otel/internal/global"
 	"go.opentelemetry.io/otel/sdk/instrumentation"
 	"go.opentelemetry.io/otel/sdk/resource"
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 	"go.opentelemetry.io/otel/trace"
 	"go.opentelemetry.io/otel/trace/embedded"
 )
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go b/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go
index 43419d3b..0b65ae9a 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go
@@ -26,7 +26,11 @@ var _ trace.Tracer = &tracer{}
 // The Span is created with the provided name and as a child of any existing
 // span context found in the passed context. The created Span will be
 // configured appropriately by any SpanOption passed.
-func (tr *tracer) Start(ctx context.Context, name string, options ...trace.SpanStartOption) (context.Context, trace.Span) {
+func (tr *tracer) Start(
+	ctx context.Context,
+	name string,
+	options ...trace.SpanStartOption,
+) (context.Context, trace.Span) {
 	config := trace.NewSpanStartConfig(options...)
 
 	if ctx == nil {
@@ -112,7 +116,12 @@ func (tr *tracer) newSpan(ctx context.Context, name string, config *trace.SpanCo
 }
 
 // newRecordingSpan returns a new configured recordingSpan.
-func (tr *tracer) newRecordingSpan(psc, sc trace.SpanContext, name string, sr SamplingResult, config *trace.SpanConfig) *recordingSpan {
+func (tr *tracer) newRecordingSpan(
+	psc, sc trace.SpanContext,
+	name string,
+	sr SamplingResult,
+	config *trace.SpanConfig,
+) *recordingSpan {
 	startTime := config.Timestamp()
 	if startTime.IsZero() {
 		startTime = time.Now()
diff --git a/vendor/go.opentelemetry.io/otel/sdk/version.go b/vendor/go.opentelemetry.io/otel/sdk/version.go
index 2b797fbd..c0217af6 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/version.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/version.go
@@ -1,9 +1,10 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package sdk provides the OpenTelemetry default SDK for Go.
 package sdk // import "go.opentelemetry.io/otel/sdk"
 
 // Version is the current release version of the OpenTelemetry SDK in use.
 func Version() string {
-	return "1.35.0"
+	return "1.37.0"
 }
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md
new file mode 100644
index 00000000..02b56115
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md
@@ -0,0 +1,4 @@
+<!-- Generated. DO NOT MODIFY. -->
+# Migration from v1.33.0 to v1.34.0
+
+The `go.opentelemetry.io/otel/semconv/v1.34.0` package should be a drop-in replacement for `go.opentelemetry.io/otel/semconv/v1.33.0`.
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md
new file mode 100644
index 00000000..fab06c97
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md
@@ -0,0 +1,3 @@
+# Semconv v1.34.0
+
+[![PkgGoDev](https://pkg.go.dev/badge/go.opentelemetry.io/otel/semconv/v1.34.0)](https://pkg.go.dev/go.opentelemetry.io/otel/semconv/v1.34.0)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go
new file mode 100644
index 00000000..5b566625
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go
@@ -0,0 +1,13851 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated from semantic convention specification. DO NOT EDIT.
+
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
+
+import "go.opentelemetry.io/otel/attribute"
+
+// Namespace: android
+const (
+	// AndroidAppStateKey is the attribute Key conforming to the "android.app.state"
+	// semantic conventions. It represents the this attribute represents the state
+	// of the application.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "created"
+	// Note: The Android lifecycle states are defined in
+	// [Activity lifecycle callbacks], and from which the `OS identifiers` are
+	// derived.
+	//
+	// [Activity lifecycle callbacks]: https://developer.android.com/guide/components/activities/activity-lifecycle#lc
+	AndroidAppStateKey = attribute.Key("android.app.state")
+
+	// AndroidOSAPILevelKey is the attribute Key conforming to the
+	// "android.os.api_level" semantic conventions. It represents the uniquely
+	// identifies the framework API revision offered by a version (`os.version`) of
+	// the android operating system. More information can be found [here].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "33", "32"
+	//
+	// [here]: https://developer.android.com/guide/topics/manifest/uses-sdk-element#ApiLevels
+	AndroidOSAPILevelKey = attribute.Key("android.os.api_level")
+)
+
+// AndroidOSAPILevel returns an attribute KeyValue conforming to the
+// "android.os.api_level" semantic conventions. It represents the uniquely
+// identifies the framework API revision offered by a version (`os.version`) of
+// the android operating system. More information can be found [here].
+//
+// [here]: https://developer.android.com/guide/topics/manifest/uses-sdk-element#ApiLevels
+func AndroidOSAPILevel(val string) attribute.KeyValue {
+	return AndroidOSAPILevelKey.String(val)
+}
+
+// Enum values for android.app.state
+var (
+	// Any time before Activity.onResume() or, if the app has no Activity,
+	// Context.startService() has been called in the app for the first time.
+	//
+	// Stability: development
+	AndroidAppStateCreated = AndroidAppStateKey.String("created")
+	// Any time after Activity.onPause() or, if the app has no Activity,
+	// Context.stopService() has been called when the app was in the foreground
+	// state.
+	//
+	// Stability: development
+	AndroidAppStateBackground = AndroidAppStateKey.String("background")
+	// Any time after Activity.onResume() or, if the app has no Activity,
+	// Context.startService() has been called when the app was in either the created
+	// or background states.
+	//
+	// Stability: development
+	AndroidAppStateForeground = AndroidAppStateKey.String("foreground")
+)
+
+// Namespace: app
+const (
+	// AppInstallationIDKey is the attribute Key conforming to the
+	// "app.installation.id" semantic conventions. It represents a unique identifier
+	// representing the installation of an application on a specific device.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2ab2916d-a51f-4ac8-80ee-45ac31a28092"
+	// Note: Its value SHOULD persist across launches of the same application
+	// installation, including through application upgrades.
+	// It SHOULD change if the application is uninstalled or if all applications of
+	// the vendor are uninstalled.
+	// Additionally, users might be able to reset this value (e.g. by clearing
+	// application data).
+	// If an app is installed multiple times on the same device (e.g. in different
+	// accounts on Android), each `app.installation.id` SHOULD have a different
+	// value.
+	// If multiple OpenTelemetry SDKs are used within the same application, they
+	// SHOULD use the same value for `app.installation.id`.
+	// Hardware IDs (e.g. serial number, IMEI, MAC address) MUST NOT be used as the
+	// `app.installation.id`.
+	//
+	// For iOS, this value SHOULD be equal to the [vendor identifier].
+	//
+	// For Android, examples of `app.installation.id` implementations include:
+	//
+	//   - [Firebase Installation ID].
+	//   - A globally unique UUID which is persisted across sessions in your
+	//     application.
+	//   - [App set ID].
+	//   - [`Settings.getString(Settings.Secure.ANDROID_ID)`].
+	//
+	// More information about Android identifier best practices can be found [here]
+	// .
+	//
+	// [vendor identifier]: https://developer.apple.com/documentation/uikit/uidevice/identifierforvendor
+	// [Firebase Installation ID]: https://firebase.google.com/docs/projects/manage-installations
+	// [App set ID]: https://developer.android.com/identity/app-set-id
+	// [`Settings.getString(Settings.Secure.ANDROID_ID)`]: https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID
+	// [here]: https://developer.android.com/training/articles/user-data-ids
+	AppInstallationIDKey = attribute.Key("app.installation.id")
+
+	// AppScreenCoordinateXKey is the attribute Key conforming to the
+	// "app.screen.coordinate.x" semantic conventions. It represents the x
+	// (horizontal) coordinate of a screen coordinate, in screen pixels.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0, 131
+	AppScreenCoordinateXKey = attribute.Key("app.screen.coordinate.x")
+
+	// AppScreenCoordinateYKey is the attribute Key conforming to the
+	// "app.screen.coordinate.y" semantic conventions. It represents the y
+	// (vertical) component of a screen coordinate, in screen pixels.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 12, 99
+	AppScreenCoordinateYKey = attribute.Key("app.screen.coordinate.y")
+
+	// AppWidgetIDKey is the attribute Key conforming to the "app.widget.id"
+	// semantic conventions. It represents an identifier that uniquely
+	// differentiates this widget from other widgets in the same application.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "f9bc787d-ff05-48ad-90e1-fca1d46130b3", "submit_order_1829"
+	// Note: A widget is an application component, typically an on-screen visual GUI
+	// element.
+	AppWidgetIDKey = attribute.Key("app.widget.id")
+
+	// AppWidgetNameKey is the attribute Key conforming to the "app.widget.name"
+	// semantic conventions. It represents the name of an application widget.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "submit", "attack", "Clear Cart"
+	// Note: A widget is an application component, typically an on-screen visual GUI
+	// element.
+	AppWidgetNameKey = attribute.Key("app.widget.name")
+)
+
+// AppInstallationID returns an attribute KeyValue conforming to the
+// "app.installation.id" semantic conventions. It represents a unique identifier
+// representing the installation of an application on a specific device.
+func AppInstallationID(val string) attribute.KeyValue {
+	return AppInstallationIDKey.String(val)
+}
+
+// AppScreenCoordinateX returns an attribute KeyValue conforming to the
+// "app.screen.coordinate.x" semantic conventions. It represents the x
+// (horizontal) coordinate of a screen coordinate, in screen pixels.
+func AppScreenCoordinateX(val int) attribute.KeyValue {
+	return AppScreenCoordinateXKey.Int(val)
+}
+
+// AppScreenCoordinateY returns an attribute KeyValue conforming to the
+// "app.screen.coordinate.y" semantic conventions. It represents the y (vertical)
+// component of a screen coordinate, in screen pixels.
+func AppScreenCoordinateY(val int) attribute.KeyValue {
+	return AppScreenCoordinateYKey.Int(val)
+}
+
+// AppWidgetID returns an attribute KeyValue conforming to the "app.widget.id"
+// semantic conventions. It represents an identifier that uniquely differentiates
+// this widget from other widgets in the same application.
+func AppWidgetID(val string) attribute.KeyValue {
+	return AppWidgetIDKey.String(val)
+}
+
+// AppWidgetName returns an attribute KeyValue conforming to the
+// "app.widget.name" semantic conventions. It represents the name of an
+// application widget.
+func AppWidgetName(val string) attribute.KeyValue {
+	return AppWidgetNameKey.String(val)
+}
+
+// Namespace: artifact
+const (
+	// ArtifactAttestationFilenameKey is the attribute Key conforming to the
+	// "artifact.attestation.filename" semantic conventions. It represents the
+	// provenance filename of the built attestation which directly relates to the
+	// build artifact filename. This filename SHOULD accompany the artifact at
+	// publish time. See the [SLSA Relationship] specification for more information.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "golang-binary-amd64-v0.1.0.attestation",
+	// "docker-image-amd64-v0.1.0.intoto.json1", "release-1.tar.gz.attestation",
+	// "file-name-package.tar.gz.intoto.json1"
+	//
+	// [SLSA Relationship]: https://slsa.dev/spec/v1.0/distributing-provenance#relationship-between-artifacts-and-attestations
+	ArtifactAttestationFilenameKey = attribute.Key("artifact.attestation.filename")
+
+	// ArtifactAttestationHashKey is the attribute Key conforming to the
+	// "artifact.attestation.hash" semantic conventions. It represents the full
+	// [hash value (see glossary)], of the built attestation. Some envelopes in the
+	// [software attestation space] also refer to this as the **digest**.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1b31dfcd5b7f9267bf2ff47651df1cfb9147b9e4df1f335accf65b4cda498408"
+	//
+	// [hash value (see glossary)]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+	// [software attestation space]: https://github.com/in-toto/attestation/tree/main/spec
+	ArtifactAttestationHashKey = attribute.Key("artifact.attestation.hash")
+
+	// ArtifactAttestationIDKey is the attribute Key conforming to the
+	// "artifact.attestation.id" semantic conventions. It represents the id of the
+	// build [software attestation].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "123"
+	//
+	// [software attestation]: https://slsa.dev/attestation-model
+	ArtifactAttestationIDKey = attribute.Key("artifact.attestation.id")
+
+	// ArtifactFilenameKey is the attribute Key conforming to the
+	// "artifact.filename" semantic conventions. It represents the human readable
+	// file name of the artifact, typically generated during build and release
+	// processes. Often includes the package name and version in the file name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "golang-binary-amd64-v0.1.0", "docker-image-amd64-v0.1.0",
+	// "release-1.tar.gz", "file-name-package.tar.gz"
+	// Note: This file name can also act as the [Package Name]
+	// in cases where the package ecosystem maps accordingly.
+	// Additionally, the artifact [can be published]
+	// for others, but that is not a guarantee.
+	//
+	// [Package Name]: https://slsa.dev/spec/v1.0/terminology#package-model
+	// [can be published]: https://slsa.dev/spec/v1.0/terminology#software-supply-chain
+	ArtifactFilenameKey = attribute.Key("artifact.filename")
+
+	// ArtifactHashKey is the attribute Key conforming to the "artifact.hash"
+	// semantic conventions. It represents the full [hash value (see glossary)],
+	// often found in checksum.txt on a release of the artifact and used to verify
+	// package integrity.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "9ff4c52759e2c4ac70b7d517bc7fcdc1cda631ca0045271ddd1b192544f8a3e9"
+	// Note: The specific algorithm used to create the cryptographic hash value is
+	// not defined. In situations where an artifact has multiple
+	// cryptographic hashes, it is up to the implementer to choose which
+	// hash value to set here; this should be the most secure hash algorithm
+	// that is suitable for the situation and consistent with the
+	// corresponding attestation. The implementer can then provide the other
+	// hash values through an additional set of attribute extensions as they
+	// deem necessary.
+	//
+	// [hash value (see glossary)]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+	ArtifactHashKey = attribute.Key("artifact.hash")
+
+	// ArtifactPurlKey is the attribute Key conforming to the "artifact.purl"
+	// semantic conventions. It represents the [Package URL] of the
+	// [package artifact] provides a standard way to identify and locate the
+	// packaged artifact.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "pkg:github/package-url/purl-spec@1209109710924",
+	// "pkg:npm/foo@12.12.3"
+	//
+	// [Package URL]: https://github.com/package-url/purl-spec
+	// [package artifact]: https://slsa.dev/spec/v1.0/terminology#package-model
+	ArtifactPurlKey = attribute.Key("artifact.purl")
+
+	// ArtifactVersionKey is the attribute Key conforming to the "artifact.version"
+	// semantic conventions. It represents the version of the artifact.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "v0.1.0", "1.2.1", "122691-build"
+	ArtifactVersionKey = attribute.Key("artifact.version")
+)
+
+// ArtifactAttestationFilename returns an attribute KeyValue conforming to the
+// "artifact.attestation.filename" semantic conventions. It represents the
+// provenance filename of the built attestation which directly relates to the
+// build artifact filename. This filename SHOULD accompany the artifact at
+// publish time. See the [SLSA Relationship] specification for more information.
+//
+// [SLSA Relationship]: https://slsa.dev/spec/v1.0/distributing-provenance#relationship-between-artifacts-and-attestations
+func ArtifactAttestationFilename(val string) attribute.KeyValue {
+	return ArtifactAttestationFilenameKey.String(val)
+}
+
+// ArtifactAttestationHash returns an attribute KeyValue conforming to the
+// "artifact.attestation.hash" semantic conventions. It represents the full
+// [hash value (see glossary)], of the built attestation. Some envelopes in the
+// [software attestation space] also refer to this as the **digest**.
+//
+// [hash value (see glossary)]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+// [software attestation space]: https://github.com/in-toto/attestation/tree/main/spec
+func ArtifactAttestationHash(val string) attribute.KeyValue {
+	return ArtifactAttestationHashKey.String(val)
+}
+
+// ArtifactAttestationID returns an attribute KeyValue conforming to the
+// "artifact.attestation.id" semantic conventions. It represents the id of the
+// build [software attestation].
+//
+// [software attestation]: https://slsa.dev/attestation-model
+func ArtifactAttestationID(val string) attribute.KeyValue {
+	return ArtifactAttestationIDKey.String(val)
+}
+
+// ArtifactFilename returns an attribute KeyValue conforming to the
+// "artifact.filename" semantic conventions. It represents the human readable
+// file name of the artifact, typically generated during build and release
+// processes. Often includes the package name and version in the file name.
+func ArtifactFilename(val string) attribute.KeyValue {
+	return ArtifactFilenameKey.String(val)
+}
+
+// ArtifactHash returns an attribute KeyValue conforming to the "artifact.hash"
+// semantic conventions. It represents the full [hash value (see glossary)],
+// often found in checksum.txt on a release of the artifact and used to verify
+// package integrity.
+//
+// [hash value (see glossary)]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+func ArtifactHash(val string) attribute.KeyValue {
+	return ArtifactHashKey.String(val)
+}
+
+// ArtifactPurl returns an attribute KeyValue conforming to the "artifact.purl"
+// semantic conventions. It represents the [Package URL] of the
+// [package artifact] provides a standard way to identify and locate the packaged
+// artifact.
+//
+// [Package URL]: https://github.com/package-url/purl-spec
+// [package artifact]: https://slsa.dev/spec/v1.0/terminology#package-model
+func ArtifactPurl(val string) attribute.KeyValue {
+	return ArtifactPurlKey.String(val)
+}
+
+// ArtifactVersion returns an attribute KeyValue conforming to the
+// "artifact.version" semantic conventions. It represents the version of the
+// artifact.
+func ArtifactVersion(val string) attribute.KeyValue {
+	return ArtifactVersionKey.String(val)
+}
+
+// Namespace: aws
+const (
+	// AWSBedrockGuardrailIDKey is the attribute Key conforming to the
+	// "aws.bedrock.guardrail.id" semantic conventions. It represents the unique
+	// identifier of the AWS Bedrock Guardrail. A [guardrail] helps safeguard and
+	// prevent unwanted behavior from model responses or user messages.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "sgi5gkybzqak"
+	//
+	// [guardrail]: https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html
+	AWSBedrockGuardrailIDKey = attribute.Key("aws.bedrock.guardrail.id")
+
+	// AWSBedrockKnowledgeBaseIDKey is the attribute Key conforming to the
+	// "aws.bedrock.knowledge_base.id" semantic conventions. It represents the
+	// unique identifier of the AWS Bedrock Knowledge base. A [knowledge base] is a
+	// bank of information that can be queried by models to generate more relevant
+	// responses and augment prompts.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "XFWUPB9PAW"
+	//
+	// [knowledge base]: https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html
+	AWSBedrockKnowledgeBaseIDKey = attribute.Key("aws.bedrock.knowledge_base.id")
+
+	// AWSDynamoDBAttributeDefinitionsKey is the attribute Key conforming to the
+	// "aws.dynamodb.attribute_definitions" semantic conventions. It represents the
+	// JSON-serialized value of each item in the `AttributeDefinitions` request
+	// field.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "{ "AttributeName": "string", "AttributeType": "string" }"
+	AWSDynamoDBAttributeDefinitionsKey = attribute.Key("aws.dynamodb.attribute_definitions")
+
+	// AWSDynamoDBAttributesToGetKey is the attribute Key conforming to the
+	// "aws.dynamodb.attributes_to_get" semantic conventions. It represents the
+	// value of the `AttributesToGet` request parameter.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "lives", "id"
+	AWSDynamoDBAttributesToGetKey = attribute.Key("aws.dynamodb.attributes_to_get")
+
+	// AWSDynamoDBConsistentReadKey is the attribute Key conforming to the
+	// "aws.dynamodb.consistent_read" semantic conventions. It represents the value
+	// of the `ConsistentRead` request parameter.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	AWSDynamoDBConsistentReadKey = attribute.Key("aws.dynamodb.consistent_read")
+
+	// AWSDynamoDBConsumedCapacityKey is the attribute Key conforming to the
+	// "aws.dynamodb.consumed_capacity" semantic conventions. It represents the
+	// JSON-serialized value of each item in the `ConsumedCapacity` response field.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "{ "CapacityUnits": number, "GlobalSecondaryIndexes": { "string" :
+	// { "CapacityUnits": number, "ReadCapacityUnits": number, "WriteCapacityUnits":
+	// number } }, "LocalSecondaryIndexes": { "string" : { "CapacityUnits": number,
+	// "ReadCapacityUnits": number, "WriteCapacityUnits": number } },
+	// "ReadCapacityUnits": number, "Table": { "CapacityUnits": number,
+	// "ReadCapacityUnits": number, "WriteCapacityUnits": number }, "TableName":
+	// "string", "WriteCapacityUnits": number }"
+	AWSDynamoDBConsumedCapacityKey = attribute.Key("aws.dynamodb.consumed_capacity")
+
+	// AWSDynamoDBCountKey is the attribute Key conforming to the
+	// "aws.dynamodb.count" semantic conventions. It represents the value of the
+	// `Count` response parameter.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 10
+	AWSDynamoDBCountKey = attribute.Key("aws.dynamodb.count")
+
+	// AWSDynamoDBExclusiveStartTableKey is the attribute Key conforming to the
+	// "aws.dynamodb.exclusive_start_table" semantic conventions. It represents the
+	// value of the `ExclusiveStartTableName` request parameter.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Users", "CatsTable"
+	AWSDynamoDBExclusiveStartTableKey = attribute.Key("aws.dynamodb.exclusive_start_table")
+
+	// AWSDynamoDBGlobalSecondaryIndexUpdatesKey is the attribute Key conforming to
+	// the "aws.dynamodb.global_secondary_index_updates" semantic conventions. It
+	// represents the JSON-serialized value of each item in the
+	// `GlobalSecondaryIndexUpdates` request field.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "{ "Create": { "IndexName": "string", "KeySchema": [ {
+	// "AttributeName": "string", "KeyType": "string" } ], "Projection": {
+	// "NonKeyAttributes": [ "string" ], "ProjectionType": "string" },
+	// "ProvisionedThroughput": { "ReadCapacityUnits": number, "WriteCapacityUnits":
+	// number } }"
+	AWSDynamoDBGlobalSecondaryIndexUpdatesKey = attribute.Key("aws.dynamodb.global_secondary_index_updates")
+
+	// AWSDynamoDBGlobalSecondaryIndexesKey is the attribute Key conforming to the
+	// "aws.dynamodb.global_secondary_indexes" semantic conventions. It represents
+	// the JSON-serialized value of each item of the `GlobalSecondaryIndexes`
+	// request field.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "{ "IndexName": "string", "KeySchema": [ { "AttributeName":
+	// "string", "KeyType": "string" } ], "Projection": { "NonKeyAttributes": [
+	// "string" ], "ProjectionType": "string" }, "ProvisionedThroughput": {
+	// "ReadCapacityUnits": number, "WriteCapacityUnits": number } }"
+	AWSDynamoDBGlobalSecondaryIndexesKey = attribute.Key("aws.dynamodb.global_secondary_indexes")
+
+	// AWSDynamoDBIndexNameKey is the attribute Key conforming to the
+	// "aws.dynamodb.index_name" semantic conventions. It represents the value of
+	// the `IndexName` request parameter.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "name_to_group"
+	AWSDynamoDBIndexNameKey = attribute.Key("aws.dynamodb.index_name")
+
+	// AWSDynamoDBItemCollectionMetricsKey is the attribute Key conforming to the
+	// "aws.dynamodb.item_collection_metrics" semantic conventions. It represents
+	// the JSON-serialized value of the `ItemCollectionMetrics` response field.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "{ "string" : [ { "ItemCollectionKey": { "string" : { "B": blob,
+	// "BOOL": boolean, "BS": [ blob ], "L": [ "AttributeValue" ], "M": { "string" :
+	// "AttributeValue" }, "N": "string", "NS": [ "string" ], "NULL": boolean, "S":
+	// "string", "SS": [ "string" ] } }, "SizeEstimateRangeGB": [ number ] } ] }"
+	AWSDynamoDBItemCollectionMetricsKey = attribute.Key("aws.dynamodb.item_collection_metrics")
+
+	// AWSDynamoDBLimitKey is the attribute Key conforming to the
+	// "aws.dynamodb.limit" semantic conventions. It represents the value of the
+	// `Limit` request parameter.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 10
+	AWSDynamoDBLimitKey = attribute.Key("aws.dynamodb.limit")
+
+	// AWSDynamoDBLocalSecondaryIndexesKey is the attribute Key conforming to the
+	// "aws.dynamodb.local_secondary_indexes" semantic conventions. It represents
+	// the JSON-serialized value of each item of the `LocalSecondaryIndexes` request
+	// field.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "{ "IndexArn": "string", "IndexName": "string", "IndexSizeBytes":
+	// number, "ItemCount": number, "KeySchema": [ { "AttributeName": "string",
+	// "KeyType": "string" } ], "Projection": { "NonKeyAttributes": [ "string" ],
+	// "ProjectionType": "string" } }"
+	AWSDynamoDBLocalSecondaryIndexesKey = attribute.Key("aws.dynamodb.local_secondary_indexes")
+
+	// AWSDynamoDBProjectionKey is the attribute Key conforming to the
+	// "aws.dynamodb.projection" semantic conventions. It represents the value of
+	// the `ProjectionExpression` request parameter.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Title", "Title, Price, Color", "Title, Description, RelatedItems,
+	// ProductReviews"
+	AWSDynamoDBProjectionKey = attribute.Key("aws.dynamodb.projection")
+
+	// AWSDynamoDBProvisionedReadCapacityKey is the attribute Key conforming to the
+	// "aws.dynamodb.provisioned_read_capacity" semantic conventions. It represents
+	// the value of the `ProvisionedThroughput.ReadCapacityUnits` request parameter.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1.0, 2.0
+	AWSDynamoDBProvisionedReadCapacityKey = attribute.Key("aws.dynamodb.provisioned_read_capacity")
+
+	// AWSDynamoDBProvisionedWriteCapacityKey is the attribute Key conforming to the
+	// "aws.dynamodb.provisioned_write_capacity" semantic conventions. It represents
+	// the value of the `ProvisionedThroughput.WriteCapacityUnits` request
+	// parameter.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1.0, 2.0
+	AWSDynamoDBProvisionedWriteCapacityKey = attribute.Key("aws.dynamodb.provisioned_write_capacity")
+
+	// AWSDynamoDBScanForwardKey is the attribute Key conforming to the
+	// "aws.dynamodb.scan_forward" semantic conventions. It represents the value of
+	// the `ScanIndexForward` request parameter.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	AWSDynamoDBScanForwardKey = attribute.Key("aws.dynamodb.scan_forward")
+
+	// AWSDynamoDBScannedCountKey is the attribute Key conforming to the
+	// "aws.dynamodb.scanned_count" semantic conventions. It represents the value of
+	// the `ScannedCount` response parameter.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 50
+	AWSDynamoDBScannedCountKey = attribute.Key("aws.dynamodb.scanned_count")
+
+	// AWSDynamoDBSegmentKey is the attribute Key conforming to the
+	// "aws.dynamodb.segment" semantic conventions. It represents the value of the
+	// `Segment` request parameter.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 10
+	AWSDynamoDBSegmentKey = attribute.Key("aws.dynamodb.segment")
+
+	// AWSDynamoDBSelectKey is the attribute Key conforming to the
+	// "aws.dynamodb.select" semantic conventions. It represents the value of the
+	// `Select` request parameter.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "ALL_ATTRIBUTES", "COUNT"
+	AWSDynamoDBSelectKey = attribute.Key("aws.dynamodb.select")
+
+	// AWSDynamoDBTableCountKey is the attribute Key conforming to the
+	// "aws.dynamodb.table_count" semantic conventions. It represents the number of
+	// items in the `TableNames` response parameter.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 20
+	AWSDynamoDBTableCountKey = attribute.Key("aws.dynamodb.table_count")
+
+	// AWSDynamoDBTableNamesKey is the attribute Key conforming to the
+	// "aws.dynamodb.table_names" semantic conventions. It represents the keys in
+	// the `RequestItems` object field.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Users", "Cats"
+	AWSDynamoDBTableNamesKey = attribute.Key("aws.dynamodb.table_names")
+
+	// AWSDynamoDBTotalSegmentsKey is the attribute Key conforming to the
+	// "aws.dynamodb.total_segments" semantic conventions. It represents the value
+	// of the `TotalSegments` request parameter.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 100
+	AWSDynamoDBTotalSegmentsKey = attribute.Key("aws.dynamodb.total_segments")
+
+	// AWSECSClusterARNKey is the attribute Key conforming to the
+	// "aws.ecs.cluster.arn" semantic conventions. It represents the ARN of an
+	// [ECS cluster].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "arn:aws:ecs:us-west-2:123456789123:cluster/my-cluster"
+	//
+	// [ECS cluster]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/clusters.html
+	AWSECSClusterARNKey = attribute.Key("aws.ecs.cluster.arn")
+
+	// AWSECSContainerARNKey is the attribute Key conforming to the
+	// "aws.ecs.container.arn" semantic conventions. It represents the Amazon
+	// Resource Name (ARN) of an [ECS container instance].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "arn:aws:ecs:us-west-1:123456789123:container/32624152-9086-4f0e-acae-1a75b14fe4d9"
+	//
+	// [ECS container instance]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_instances.html
+	AWSECSContainerARNKey = attribute.Key("aws.ecs.container.arn")
+
+	// AWSECSLaunchtypeKey is the attribute Key conforming to the
+	// "aws.ecs.launchtype" semantic conventions. It represents the [launch type]
+	// for an ECS task.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	//
+	// [launch type]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html
+	AWSECSLaunchtypeKey = attribute.Key("aws.ecs.launchtype")
+
+	// AWSECSTaskARNKey is the attribute Key conforming to the "aws.ecs.task.arn"
+	// semantic conventions. It represents the ARN of a running [ECS task].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "arn:aws:ecs:us-west-1:123456789123:task/10838bed-421f-43ef-870a-f43feacbbb5b",
+	// "arn:aws:ecs:us-west-1:123456789123:task/my-cluster/task-id/23ebb8ac-c18f-46c6-8bbe-d55d0e37cfbd"
+	//
+	// [ECS task]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids
+	AWSECSTaskARNKey = attribute.Key("aws.ecs.task.arn")
+
+	// AWSECSTaskFamilyKey is the attribute Key conforming to the
+	// "aws.ecs.task.family" semantic conventions. It represents the family name of
+	// the [ECS task definition] used to create the ECS task.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry-family"
+	//
+	// [ECS task definition]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html
+	AWSECSTaskFamilyKey = attribute.Key("aws.ecs.task.family")
+
+	// AWSECSTaskIDKey is the attribute Key conforming to the "aws.ecs.task.id"
+	// semantic conventions. It represents the ID of a running ECS task. The ID MUST
+	// be extracted from `task.arn`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "10838bed-421f-43ef-870a-f43feacbbb5b",
+	// "23ebb8ac-c18f-46c6-8bbe-d55d0e37cfbd"
+	AWSECSTaskIDKey = attribute.Key("aws.ecs.task.id")
+
+	// AWSECSTaskRevisionKey is the attribute Key conforming to the
+	// "aws.ecs.task.revision" semantic conventions. It represents the revision for
+	// the task definition used to create the ECS task.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "8", "26"
+	AWSECSTaskRevisionKey = attribute.Key("aws.ecs.task.revision")
+
+	// AWSEKSClusterARNKey is the attribute Key conforming to the
+	// "aws.eks.cluster.arn" semantic conventions. It represents the ARN of an EKS
+	// cluster.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "arn:aws:ecs:us-west-2:123456789123:cluster/my-cluster"
+	AWSEKSClusterARNKey = attribute.Key("aws.eks.cluster.arn")
+
+	// AWSExtendedRequestIDKey is the attribute Key conforming to the
+	// "aws.extended_request_id" semantic conventions. It represents the AWS
+	// extended request ID as returned in the response header `x-amz-id-2`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "wzHcyEWfmOGDIE5QOhTAqFDoDWP3y8IUvpNINCwL9N4TEHbUw0/gZJ+VZTmCNCWR7fezEN3eCiQ="
+	AWSExtendedRequestIDKey = attribute.Key("aws.extended_request_id")
+
+	// AWSKinesisStreamNameKey is the attribute Key conforming to the
+	// "aws.kinesis.stream_name" semantic conventions. It represents the name of the
+	// AWS Kinesis [stream] the request refers to. Corresponds to the
+	// `--stream-name` parameter of the Kinesis [describe-stream] operation.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "some-stream-name"
+	//
+	// [stream]: https://docs.aws.amazon.com/streams/latest/dev/introduction.html
+	// [describe-stream]: https://docs.aws.amazon.com/cli/latest/reference/kinesis/describe-stream.html
+	AWSKinesisStreamNameKey = attribute.Key("aws.kinesis.stream_name")
+
+	// AWSLambdaInvokedARNKey is the attribute Key conforming to the
+	// "aws.lambda.invoked_arn" semantic conventions. It represents the full invoked
+	// ARN as provided on the `Context` passed to the function (
+	// `Lambda-Runtime-Invoked-Function-Arn` header on the
+	// `/runtime/invocation/next` applicable).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "arn:aws:lambda:us-east-1:123456:function:myfunction:myalias"
+	// Note: This may be different from `cloud.resource_id` if an alias is involved.
+	AWSLambdaInvokedARNKey = attribute.Key("aws.lambda.invoked_arn")
+
+	// AWSLambdaResourceMappingIDKey is the attribute Key conforming to the
+	// "aws.lambda.resource_mapping.id" semantic conventions. It represents the UUID
+	// of the [AWS Lambda EvenSource Mapping]. An event source is mapped to a lambda
+	// function. It's contents are read by Lambda and used to trigger a function.
+	// This isn't available in the lambda execution context or the lambda runtime
+	// environtment. This is going to be populated by the AWS SDK for each language
+	// when that UUID is present. Some of these operations are
+	// Create/Delete/Get/List/Update EventSourceMapping.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "587ad24b-03b9-4413-8202-bbd56b36e5b7"
+	//
+	// [AWS Lambda EvenSource Mapping]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html
+	AWSLambdaResourceMappingIDKey = attribute.Key("aws.lambda.resource_mapping.id")
+
+	// AWSLogGroupARNsKey is the attribute Key conforming to the
+	// "aws.log.group.arns" semantic conventions. It represents the Amazon Resource
+	// Name(s) (ARN) of the AWS log group(s).
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "arn:aws:logs:us-west-1:123456789012:log-group:/aws/my/group:*"
+	// Note: See the [log group ARN format documentation].
+	//
+	// [log group ARN format documentation]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#CWL_ARN_Format
+	AWSLogGroupARNsKey = attribute.Key("aws.log.group.arns")
+
+	// AWSLogGroupNamesKey is the attribute Key conforming to the
+	// "aws.log.group.names" semantic conventions. It represents the name(s) of the
+	// AWS log group(s) an application is writing to.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/aws/lambda/my-function", "opentelemetry-service"
+	// Note: Multiple log groups must be supported for cases like multi-container
+	// applications, where a single application has sidecar containers, and each
+	// write to their own log group.
+	AWSLogGroupNamesKey = attribute.Key("aws.log.group.names")
+
+	// AWSLogStreamARNsKey is the attribute Key conforming to the
+	// "aws.log.stream.arns" semantic conventions. It represents the ARN(s) of the
+	// AWS log stream(s).
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "arn:aws:logs:us-west-1:123456789012:log-group:/aws/my/group:log-stream:logs/main/10838bed-421f-43ef-870a-f43feacbbb5b"
+	// Note: See the [log stream ARN format documentation]. One log group can
+	// contain several log streams, so these ARNs necessarily identify both a log
+	// group and a log stream.
+	//
+	// [log stream ARN format documentation]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html#CWL_ARN_Format
+	AWSLogStreamARNsKey = attribute.Key("aws.log.stream.arns")
+
+	// AWSLogStreamNamesKey is the attribute Key conforming to the
+	// "aws.log.stream.names" semantic conventions. It represents the name(s) of the
+	// AWS log stream(s) an application is writing to.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "logs/main/10838bed-421f-43ef-870a-f43feacbbb5b"
+	AWSLogStreamNamesKey = attribute.Key("aws.log.stream.names")
+
+	// AWSRequestIDKey is the attribute Key conforming to the "aws.request_id"
+	// semantic conventions. It represents the AWS request ID as returned in the
+	// response headers `x-amzn-requestid`, `x-amzn-request-id` or
+	// `x-amz-request-id`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "79b9da39-b7ae-508a-a6bc-864b2829c622", "C9ER4AJX75574TDJ"
+	AWSRequestIDKey = attribute.Key("aws.request_id")
+
+	// AWSS3BucketKey is the attribute Key conforming to the "aws.s3.bucket"
+	// semantic conventions. It represents the S3 bucket name the request refers to.
+	// Corresponds to the `--bucket` parameter of the [S3 API] operations.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "some-bucket-name"
+	// Note: The `bucket` attribute is applicable to all S3 operations that
+	// reference a bucket, i.e. that require the bucket name as a mandatory
+	// parameter.
+	// This applies to almost all S3 operations except `list-buckets`.
+	//
+	// [S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html
+	AWSS3BucketKey = attribute.Key("aws.s3.bucket")
+
+	// AWSS3CopySourceKey is the attribute Key conforming to the
+	// "aws.s3.copy_source" semantic conventions. It represents the source object
+	// (in the form `bucket`/`key`) for the copy operation.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "someFile.yml"
+	// Note: The `copy_source` attribute applies to S3 copy operations and
+	// corresponds to the `--copy-source` parameter
+	// of the [copy-object operation within the S3 API].
+	// This applies in particular to the following operations:
+	//
+	//   - [copy-object]
+	//   - [upload-part-copy]
+	//
+	//
+	// [copy-object operation within the S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html
+	// [copy-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html
+	// [upload-part-copy]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html
+	AWSS3CopySourceKey = attribute.Key("aws.s3.copy_source")
+
+	// AWSS3DeleteKey is the attribute Key conforming to the "aws.s3.delete"
+	// semantic conventions. It represents the delete request container that
+	// specifies the objects to be deleted.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "Objects=[{Key=string,VersionId=string},{Key=string,VersionId=string}],Quiet=boolean"
+	// Note: The `delete` attribute is only applicable to the [delete-object]
+	// operation.
+	// The `delete` attribute corresponds to the `--delete` parameter of the
+	// [delete-objects operation within the S3 API].
+	//
+	// [delete-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-object.html
+	// [delete-objects operation within the S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-objects.html
+	AWSS3DeleteKey = attribute.Key("aws.s3.delete")
+
+	// AWSS3KeyKey is the attribute Key conforming to the "aws.s3.key" semantic
+	// conventions. It represents the S3 object key the request refers to.
+	// Corresponds to the `--key` parameter of the [S3 API] operations.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "someFile.yml"
+	// Note: The `key` attribute is applicable to all object-related S3 operations,
+	// i.e. that require the object key as a mandatory parameter.
+	// This applies in particular to the following operations:
+	//
+	//   - [copy-object]
+	//   - [delete-object]
+	//   - [get-object]
+	//   - [head-object]
+	//   - [put-object]
+	//   - [restore-object]
+	//   - [select-object-content]
+	//   - [abort-multipart-upload]
+	//   - [complete-multipart-upload]
+	//   - [create-multipart-upload]
+	//   - [list-parts]
+	//   - [upload-part]
+	//   - [upload-part-copy]
+	//
+	//
+	// [S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html
+	// [copy-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/copy-object.html
+	// [delete-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-object.html
+	// [get-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object.html
+	// [head-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/head-object.html
+	// [put-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html
+	// [restore-object]: https://docs.aws.amazon.com/cli/latest/reference/s3api/restore-object.html
+	// [select-object-content]: https://docs.aws.amazon.com/cli/latest/reference/s3api/select-object-content.html
+	// [abort-multipart-upload]: https://docs.aws.amazon.com/cli/latest/reference/s3api/abort-multipart-upload.html
+	// [complete-multipart-upload]: https://docs.aws.amazon.com/cli/latest/reference/s3api/complete-multipart-upload.html
+	// [create-multipart-upload]: https://docs.aws.amazon.com/cli/latest/reference/s3api/create-multipart-upload.html
+	// [list-parts]: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-parts.html
+	// [upload-part]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html
+	// [upload-part-copy]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html
+	AWSS3KeyKey = attribute.Key("aws.s3.key")
+
+	// AWSS3PartNumberKey is the attribute Key conforming to the
+	// "aws.s3.part_number" semantic conventions. It represents the part number of
+	// the part being uploaded in a multipart-upload operation. This is a positive
+	// integer between 1 and 10,000.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 3456
+	// Note: The `part_number` attribute is only applicable to the [upload-part]
+	// and [upload-part-copy] operations.
+	// The `part_number` attribute corresponds to the `--part-number` parameter of
+	// the
+	// [upload-part operation within the S3 API].
+	//
+	// [upload-part]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html
+	// [upload-part-copy]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html
+	// [upload-part operation within the S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html
+	AWSS3PartNumberKey = attribute.Key("aws.s3.part_number")
+
+	// AWSS3UploadIDKey is the attribute Key conforming to the "aws.s3.upload_id"
+	// semantic conventions. It represents the upload ID that identifies the
+	// multipart upload.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "dfRtDYWFbkRONycy.Yxwh66Yjlx.cph0gtNBtJ"
+	// Note: The `upload_id` attribute applies to S3 multipart-upload operations and
+	// corresponds to the `--upload-id` parameter
+	// of the [S3 API] multipart operations.
+	// This applies in particular to the following operations:
+	//
+	//   - [abort-multipart-upload]
+	//   - [complete-multipart-upload]
+	//   - [list-parts]
+	//   - [upload-part]
+	//   - [upload-part-copy]
+	//
+	//
+	// [S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html
+	// [abort-multipart-upload]: https://docs.aws.amazon.com/cli/latest/reference/s3api/abort-multipart-upload.html
+	// [complete-multipart-upload]: https://docs.aws.amazon.com/cli/latest/reference/s3api/complete-multipart-upload.html
+	// [list-parts]: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-parts.html
+	// [upload-part]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part.html
+	// [upload-part-copy]: https://docs.aws.amazon.com/cli/latest/reference/s3api/upload-part-copy.html
+	AWSS3UploadIDKey = attribute.Key("aws.s3.upload_id")
+
+	// AWSSecretsmanagerSecretARNKey is the attribute Key conforming to the
+	// "aws.secretsmanager.secret.arn" semantic conventions. It represents the ARN
+	// of the Secret stored in the Secrets Mangger.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "arn:aws:secretsmanager:us-east-1:123456789012:secret:SecretName-6RandomCharacters"
+	AWSSecretsmanagerSecretARNKey = attribute.Key("aws.secretsmanager.secret.arn")
+
+	// AWSSNSTopicARNKey is the attribute Key conforming to the "aws.sns.topic.arn"
+	// semantic conventions. It represents the ARN of the AWS SNS Topic. An Amazon
+	// SNS [topic] is a logical access point that acts as a communication channel.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "arn:aws:sns:us-east-1:123456789012:mystack-mytopic-NZJ5JSMVGFIE"
+	//
+	// [topic]: https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html
+	AWSSNSTopicARNKey = attribute.Key("aws.sns.topic.arn")
+
+	// AWSSQSQueueURLKey is the attribute Key conforming to the "aws.sqs.queue.url"
+	// semantic conventions. It represents the URL of the AWS SQS Queue. It's a
+	// unique identifier for a queue in Amazon Simple Queue Service (SQS) and is
+	// used to access the queue and perform actions on it.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue"
+	AWSSQSQueueURLKey = attribute.Key("aws.sqs.queue.url")
+
+	// AWSStepFunctionsActivityARNKey is the attribute Key conforming to the
+	// "aws.step_functions.activity.arn" semantic conventions. It represents the ARN
+	// of the AWS Step Functions Activity.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "arn:aws:states:us-east-1:123456789012:activity:get-greeting"
+	AWSStepFunctionsActivityARNKey = attribute.Key("aws.step_functions.activity.arn")
+
+	// AWSStepFunctionsStateMachineARNKey is the attribute Key conforming to the
+	// "aws.step_functions.state_machine.arn" semantic conventions. It represents
+	// the ARN of the AWS Step Functions State Machine.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "arn:aws:states:us-east-1:123456789012:stateMachine:myStateMachine:1"
+	AWSStepFunctionsStateMachineARNKey = attribute.Key("aws.step_functions.state_machine.arn")
+)
+
+// AWSBedrockGuardrailID returns an attribute KeyValue conforming to the
+// "aws.bedrock.guardrail.id" semantic conventions. It represents the unique
+// identifier of the AWS Bedrock Guardrail. A [guardrail] helps safeguard and
+// prevent unwanted behavior from model responses or user messages.
+//
+// [guardrail]: https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html
+func AWSBedrockGuardrailID(val string) attribute.KeyValue {
+	return AWSBedrockGuardrailIDKey.String(val)
+}
+
+// AWSBedrockKnowledgeBaseID returns an attribute KeyValue conforming to the
+// "aws.bedrock.knowledge_base.id" semantic conventions. It represents the unique
+// identifier of the AWS Bedrock Knowledge base. A [knowledge base] is a bank of
+// information that can be queried by models to generate more relevant responses
+// and augment prompts.
+//
+// [knowledge base]: https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html
+func AWSBedrockKnowledgeBaseID(val string) attribute.KeyValue {
+	return AWSBedrockKnowledgeBaseIDKey.String(val)
+}
+
+// AWSDynamoDBAttributeDefinitions returns an attribute KeyValue conforming to
+// the "aws.dynamodb.attribute_definitions" semantic conventions. It represents
+// the JSON-serialized value of each item in the `AttributeDefinitions` request
+// field.
+func AWSDynamoDBAttributeDefinitions(val ...string) attribute.KeyValue {
+	return AWSDynamoDBAttributeDefinitionsKey.StringSlice(val)
+}
+
+// AWSDynamoDBAttributesToGet returns an attribute KeyValue conforming to the
+// "aws.dynamodb.attributes_to_get" semantic conventions. It represents the value
+// of the `AttributesToGet` request parameter.
+func AWSDynamoDBAttributesToGet(val ...string) attribute.KeyValue {
+	return AWSDynamoDBAttributesToGetKey.StringSlice(val)
+}
+
+// AWSDynamoDBConsistentRead returns an attribute KeyValue conforming to the
+// "aws.dynamodb.consistent_read" semantic conventions. It represents the value
+// of the `ConsistentRead` request parameter.
+func AWSDynamoDBConsistentRead(val bool) attribute.KeyValue {
+	return AWSDynamoDBConsistentReadKey.Bool(val)
+}
+
+// AWSDynamoDBConsumedCapacity returns an attribute KeyValue conforming to the
+// "aws.dynamodb.consumed_capacity" semantic conventions. It represents the
+// JSON-serialized value of each item in the `ConsumedCapacity` response field.
+func AWSDynamoDBConsumedCapacity(val ...string) attribute.KeyValue {
+	return AWSDynamoDBConsumedCapacityKey.StringSlice(val)
+}
+
+// AWSDynamoDBCount returns an attribute KeyValue conforming to the
+// "aws.dynamodb.count" semantic conventions. It represents the value of the
+// `Count` response parameter.
+func AWSDynamoDBCount(val int) attribute.KeyValue {
+	return AWSDynamoDBCountKey.Int(val)
+}
+
+// AWSDynamoDBExclusiveStartTable returns an attribute KeyValue conforming to the
+// "aws.dynamodb.exclusive_start_table" semantic conventions. It represents the
+// value of the `ExclusiveStartTableName` request parameter.
+func AWSDynamoDBExclusiveStartTable(val string) attribute.KeyValue {
+	return AWSDynamoDBExclusiveStartTableKey.String(val)
+}
+
+// AWSDynamoDBGlobalSecondaryIndexUpdates returns an attribute KeyValue
+// conforming to the "aws.dynamodb.global_secondary_index_updates" semantic
+// conventions. It represents the JSON-serialized value of each item in the
+// `GlobalSecondaryIndexUpdates` request field.
+func AWSDynamoDBGlobalSecondaryIndexUpdates(val ...string) attribute.KeyValue {
+	return AWSDynamoDBGlobalSecondaryIndexUpdatesKey.StringSlice(val)
+}
+
+// AWSDynamoDBGlobalSecondaryIndexes returns an attribute KeyValue conforming to
+// the "aws.dynamodb.global_secondary_indexes" semantic conventions. It
+// represents the JSON-serialized value of each item of the
+// `GlobalSecondaryIndexes` request field.
+func AWSDynamoDBGlobalSecondaryIndexes(val ...string) attribute.KeyValue {
+	return AWSDynamoDBGlobalSecondaryIndexesKey.StringSlice(val)
+}
+
+// AWSDynamoDBIndexName returns an attribute KeyValue conforming to the
+// "aws.dynamodb.index_name" semantic conventions. It represents the value of the
+// `IndexName` request parameter.
+func AWSDynamoDBIndexName(val string) attribute.KeyValue {
+	return AWSDynamoDBIndexNameKey.String(val)
+}
+
+// AWSDynamoDBItemCollectionMetrics returns an attribute KeyValue conforming to
+// the "aws.dynamodb.item_collection_metrics" semantic conventions. It represents
+// the JSON-serialized value of the `ItemCollectionMetrics` response field.
+func AWSDynamoDBItemCollectionMetrics(val string) attribute.KeyValue {
+	return AWSDynamoDBItemCollectionMetricsKey.String(val)
+}
+
+// AWSDynamoDBLimit returns an attribute KeyValue conforming to the
+// "aws.dynamodb.limit" semantic conventions. It represents the value of the
+// `Limit` request parameter.
+func AWSDynamoDBLimit(val int) attribute.KeyValue {
+	return AWSDynamoDBLimitKey.Int(val)
+}
+
+// AWSDynamoDBLocalSecondaryIndexes returns an attribute KeyValue conforming to
+// the "aws.dynamodb.local_secondary_indexes" semantic conventions. It represents
+// the JSON-serialized value of each item of the `LocalSecondaryIndexes` request
+// field.
+func AWSDynamoDBLocalSecondaryIndexes(val ...string) attribute.KeyValue {
+	return AWSDynamoDBLocalSecondaryIndexesKey.StringSlice(val)
+}
+
+// AWSDynamoDBProjection returns an attribute KeyValue conforming to the
+// "aws.dynamodb.projection" semantic conventions. It represents the value of the
+// `ProjectionExpression` request parameter.
+func AWSDynamoDBProjection(val string) attribute.KeyValue {
+	return AWSDynamoDBProjectionKey.String(val)
+}
+
+// AWSDynamoDBProvisionedReadCapacity returns an attribute KeyValue conforming to
+// the "aws.dynamodb.provisioned_read_capacity" semantic conventions. It
+// represents the value of the `ProvisionedThroughput.ReadCapacityUnits` request
+// parameter.
+func AWSDynamoDBProvisionedReadCapacity(val float64) attribute.KeyValue {
+	return AWSDynamoDBProvisionedReadCapacityKey.Float64(val)
+}
+
+// AWSDynamoDBProvisionedWriteCapacity returns an attribute KeyValue conforming
+// to the "aws.dynamodb.provisioned_write_capacity" semantic conventions. It
+// represents the value of the `ProvisionedThroughput.WriteCapacityUnits` request
+// parameter.
+func AWSDynamoDBProvisionedWriteCapacity(val float64) attribute.KeyValue {
+	return AWSDynamoDBProvisionedWriteCapacityKey.Float64(val)
+}
+
+// AWSDynamoDBScanForward returns an attribute KeyValue conforming to the
+// "aws.dynamodb.scan_forward" semantic conventions. It represents the value of
+// the `ScanIndexForward` request parameter.
+func AWSDynamoDBScanForward(val bool) attribute.KeyValue {
+	return AWSDynamoDBScanForwardKey.Bool(val)
+}
+
+// AWSDynamoDBScannedCount returns an attribute KeyValue conforming to the
+// "aws.dynamodb.scanned_count" semantic conventions. It represents the value of
+// the `ScannedCount` response parameter.
+func AWSDynamoDBScannedCount(val int) attribute.KeyValue {
+	return AWSDynamoDBScannedCountKey.Int(val)
+}
+
+// AWSDynamoDBSegment returns an attribute KeyValue conforming to the
+// "aws.dynamodb.segment" semantic conventions. It represents the value of the
+// `Segment` request parameter.
+func AWSDynamoDBSegment(val int) attribute.KeyValue {
+	return AWSDynamoDBSegmentKey.Int(val)
+}
+
+// AWSDynamoDBSelect returns an attribute KeyValue conforming to the
+// "aws.dynamodb.select" semantic conventions. It represents the value of the
+// `Select` request parameter.
+func AWSDynamoDBSelect(val string) attribute.KeyValue {
+	return AWSDynamoDBSelectKey.String(val)
+}
+
+// AWSDynamoDBTableCount returns an attribute KeyValue conforming to the
+// "aws.dynamodb.table_count" semantic conventions. It represents the number of
+// items in the `TableNames` response parameter.
+func AWSDynamoDBTableCount(val int) attribute.KeyValue {
+	return AWSDynamoDBTableCountKey.Int(val)
+}
+
+// AWSDynamoDBTableNames returns an attribute KeyValue conforming to the
+// "aws.dynamodb.table_names" semantic conventions. It represents the keys in the
+// `RequestItems` object field.
+func AWSDynamoDBTableNames(val ...string) attribute.KeyValue {
+	return AWSDynamoDBTableNamesKey.StringSlice(val)
+}
+
+// AWSDynamoDBTotalSegments returns an attribute KeyValue conforming to the
+// "aws.dynamodb.total_segments" semantic conventions. It represents the value of
+// the `TotalSegments` request parameter.
+func AWSDynamoDBTotalSegments(val int) attribute.KeyValue {
+	return AWSDynamoDBTotalSegmentsKey.Int(val)
+}
+
+// AWSECSClusterARN returns an attribute KeyValue conforming to the
+// "aws.ecs.cluster.arn" semantic conventions. It represents the ARN of an
+// [ECS cluster].
+//
+// [ECS cluster]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/clusters.html
+func AWSECSClusterARN(val string) attribute.KeyValue {
+	return AWSECSClusterARNKey.String(val)
+}
+
+// AWSECSContainerARN returns an attribute KeyValue conforming to the
+// "aws.ecs.container.arn" semantic conventions. It represents the Amazon
+// Resource Name (ARN) of an [ECS container instance].
+//
+// [ECS container instance]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_instances.html
+func AWSECSContainerARN(val string) attribute.KeyValue {
+	return AWSECSContainerARNKey.String(val)
+}
+
+// AWSECSTaskARN returns an attribute KeyValue conforming to the
+// "aws.ecs.task.arn" semantic conventions. It represents the ARN of a running
+// [ECS task].
+//
+// [ECS task]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids
+func AWSECSTaskARN(val string) attribute.KeyValue {
+	return AWSECSTaskARNKey.String(val)
+}
+
+// AWSECSTaskFamily returns an attribute KeyValue conforming to the
+// "aws.ecs.task.family" semantic conventions. It represents the family name of
+// the [ECS task definition] used to create the ECS task.
+//
+// [ECS task definition]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html
+func AWSECSTaskFamily(val string) attribute.KeyValue {
+	return AWSECSTaskFamilyKey.String(val)
+}
+
+// AWSECSTaskID returns an attribute KeyValue conforming to the "aws.ecs.task.id"
+// semantic conventions. It represents the ID of a running ECS task. The ID MUST
+// be extracted from `task.arn`.
+func AWSECSTaskID(val string) attribute.KeyValue {
+	return AWSECSTaskIDKey.String(val)
+}
+
+// AWSECSTaskRevision returns an attribute KeyValue conforming to the
+// "aws.ecs.task.revision" semantic conventions. It represents the revision for
+// the task definition used to create the ECS task.
+func AWSECSTaskRevision(val string) attribute.KeyValue {
+	return AWSECSTaskRevisionKey.String(val)
+}
+
+// AWSEKSClusterARN returns an attribute KeyValue conforming to the
+// "aws.eks.cluster.arn" semantic conventions. It represents the ARN of an EKS
+// cluster.
+func AWSEKSClusterARN(val string) attribute.KeyValue {
+	return AWSEKSClusterARNKey.String(val)
+}
+
+// AWSExtendedRequestID returns an attribute KeyValue conforming to the
+// "aws.extended_request_id" semantic conventions. It represents the AWS extended
+// request ID as returned in the response header `x-amz-id-2`.
+func AWSExtendedRequestID(val string) attribute.KeyValue {
+	return AWSExtendedRequestIDKey.String(val)
+}
+
+// AWSKinesisStreamName returns an attribute KeyValue conforming to the
+// "aws.kinesis.stream_name" semantic conventions. It represents the name of the
+// AWS Kinesis [stream] the request refers to. Corresponds to the `--stream-name`
+//  parameter of the Kinesis [describe-stream] operation.
+//
+// [stream]: https://docs.aws.amazon.com/streams/latest/dev/introduction.html
+// [describe-stream]: https://docs.aws.amazon.com/cli/latest/reference/kinesis/describe-stream.html
+func AWSKinesisStreamName(val string) attribute.KeyValue {
+	return AWSKinesisStreamNameKey.String(val)
+}
+
+// AWSLambdaInvokedARN returns an attribute KeyValue conforming to the
+// "aws.lambda.invoked_arn" semantic conventions. It represents the full invoked
+// ARN as provided on the `Context` passed to the function (
+// `Lambda-Runtime-Invoked-Function-Arn` header on the `/runtime/invocation/next`
+//  applicable).
+func AWSLambdaInvokedARN(val string) attribute.KeyValue {
+	return AWSLambdaInvokedARNKey.String(val)
+}
+
+// AWSLambdaResourceMappingID returns an attribute KeyValue conforming to the
+// "aws.lambda.resource_mapping.id" semantic conventions. It represents the UUID
+// of the [AWS Lambda EvenSource Mapping]. An event source is mapped to a lambda
+// function. It's contents are read by Lambda and used to trigger a function.
+// This isn't available in the lambda execution context or the lambda runtime
+// environtment. This is going to be populated by the AWS SDK for each language
+// when that UUID is present. Some of these operations are
+// Create/Delete/Get/List/Update EventSourceMapping.
+//
+// [AWS Lambda EvenSource Mapping]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html
+func AWSLambdaResourceMappingID(val string) attribute.KeyValue {
+	return AWSLambdaResourceMappingIDKey.String(val)
+}
+
+// AWSLogGroupARNs returns an attribute KeyValue conforming to the
+// "aws.log.group.arns" semantic conventions. It represents the Amazon Resource
+// Name(s) (ARN) of the AWS log group(s).
+func AWSLogGroupARNs(val ...string) attribute.KeyValue {
+	return AWSLogGroupARNsKey.StringSlice(val)
+}
+
+// AWSLogGroupNames returns an attribute KeyValue conforming to the
+// "aws.log.group.names" semantic conventions. It represents the name(s) of the
+// AWS log group(s) an application is writing to.
+func AWSLogGroupNames(val ...string) attribute.KeyValue {
+	return AWSLogGroupNamesKey.StringSlice(val)
+}
+
+// AWSLogStreamARNs returns an attribute KeyValue conforming to the
+// "aws.log.stream.arns" semantic conventions. It represents the ARN(s) of the
+// AWS log stream(s).
+func AWSLogStreamARNs(val ...string) attribute.KeyValue {
+	return AWSLogStreamARNsKey.StringSlice(val)
+}
+
+// AWSLogStreamNames returns an attribute KeyValue conforming to the
+// "aws.log.stream.names" semantic conventions. It represents the name(s) of the
+// AWS log stream(s) an application is writing to.
+func AWSLogStreamNames(val ...string) attribute.KeyValue {
+	return AWSLogStreamNamesKey.StringSlice(val)
+}
+
+// AWSRequestID returns an attribute KeyValue conforming to the "aws.request_id"
+// semantic conventions. It represents the AWS request ID as returned in the
+// response headers `x-amzn-requestid`, `x-amzn-request-id` or `x-amz-request-id`
+// .
+func AWSRequestID(val string) attribute.KeyValue {
+	return AWSRequestIDKey.String(val)
+}
+
+// AWSS3Bucket returns an attribute KeyValue conforming to the "aws.s3.bucket"
+// semantic conventions. It represents the S3 bucket name the request refers to.
+// Corresponds to the `--bucket` parameter of the [S3 API] operations.
+//
+// [S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html
+func AWSS3Bucket(val string) attribute.KeyValue {
+	return AWSS3BucketKey.String(val)
+}
+
+// AWSS3CopySource returns an attribute KeyValue conforming to the
+// "aws.s3.copy_source" semantic conventions. It represents the source object (in
+// the form `bucket`/`key`) for the copy operation.
+func AWSS3CopySource(val string) attribute.KeyValue {
+	return AWSS3CopySourceKey.String(val)
+}
+
+// AWSS3Delete returns an attribute KeyValue conforming to the "aws.s3.delete"
+// semantic conventions. It represents the delete request container that
+// specifies the objects to be deleted.
+func AWSS3Delete(val string) attribute.KeyValue {
+	return AWSS3DeleteKey.String(val)
+}
+
+// AWSS3Key returns an attribute KeyValue conforming to the "aws.s3.key" semantic
+// conventions. It represents the S3 object key the request refers to.
+// Corresponds to the `--key` parameter of the [S3 API] operations.
+//
+// [S3 API]: https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html
+func AWSS3Key(val string) attribute.KeyValue {
+	return AWSS3KeyKey.String(val)
+}
+
+// AWSS3PartNumber returns an attribute KeyValue conforming to the
+// "aws.s3.part_number" semantic conventions. It represents the part number of
+// the part being uploaded in a multipart-upload operation. This is a positive
+// integer between 1 and 10,000.
+func AWSS3PartNumber(val int) attribute.KeyValue {
+	return AWSS3PartNumberKey.Int(val)
+}
+
+// AWSS3UploadID returns an attribute KeyValue conforming to the
+// "aws.s3.upload_id" semantic conventions. It represents the upload ID that
+// identifies the multipart upload.
+func AWSS3UploadID(val string) attribute.KeyValue {
+	return AWSS3UploadIDKey.String(val)
+}
+
+// AWSSecretsmanagerSecretARN returns an attribute KeyValue conforming to the
+// "aws.secretsmanager.secret.arn" semantic conventions. It represents the ARN of
+// the Secret stored in the Secrets Mangger.
+func AWSSecretsmanagerSecretARN(val string) attribute.KeyValue {
+	return AWSSecretsmanagerSecretARNKey.String(val)
+}
+
+// AWSSNSTopicARN returns an attribute KeyValue conforming to the
+// "aws.sns.topic.arn" semantic conventions. It represents the ARN of the AWS SNS
+// Topic. An Amazon SNS [topic] is a logical access point that acts as a
+// communication channel.
+//
+// [topic]: https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html
+func AWSSNSTopicARN(val string) attribute.KeyValue {
+	return AWSSNSTopicARNKey.String(val)
+}
+
+// AWSSQSQueueURL returns an attribute KeyValue conforming to the
+// "aws.sqs.queue.url" semantic conventions. It represents the URL of the AWS SQS
+// Queue. It's a unique identifier for a queue in Amazon Simple Queue Service
+// (SQS) and is used to access the queue and perform actions on it.
+func AWSSQSQueueURL(val string) attribute.KeyValue {
+	return AWSSQSQueueURLKey.String(val)
+}
+
+// AWSStepFunctionsActivityARN returns an attribute KeyValue conforming to the
+// "aws.step_functions.activity.arn" semantic conventions. It represents the ARN
+// of the AWS Step Functions Activity.
+func AWSStepFunctionsActivityARN(val string) attribute.KeyValue {
+	return AWSStepFunctionsActivityARNKey.String(val)
+}
+
+// AWSStepFunctionsStateMachineARN returns an attribute KeyValue conforming to
+// the "aws.step_functions.state_machine.arn" semantic conventions. It represents
+// the ARN of the AWS Step Functions State Machine.
+func AWSStepFunctionsStateMachineARN(val string) attribute.KeyValue {
+	return AWSStepFunctionsStateMachineARNKey.String(val)
+}
+
+// Enum values for aws.ecs.launchtype
+var (
+	// ec2
+	// Stability: development
+	AWSECSLaunchtypeEC2 = AWSECSLaunchtypeKey.String("ec2")
+	// fargate
+	// Stability: development
+	AWSECSLaunchtypeFargate = AWSECSLaunchtypeKey.String("fargate")
+)
+
+// Namespace: az
+const (
+	// AzNamespaceKey is the attribute Key conforming to the "az.namespace" semantic
+	// conventions. It represents the [Azure Resource Provider Namespace] as
+	// recognized by the client.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Microsoft.Storage", "Microsoft.KeyVault", "Microsoft.ServiceBus"
+	//
+	// [Azure Resource Provider Namespace]: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers
+	AzNamespaceKey = attribute.Key("az.namespace")
+
+	// AzServiceRequestIDKey is the attribute Key conforming to the
+	// "az.service_request_id" semantic conventions. It represents the unique
+	// identifier of the service request. It's generated by the Azure service and
+	// returned with the response.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "00000000-0000-0000-0000-000000000000"
+	AzServiceRequestIDKey = attribute.Key("az.service_request_id")
+)
+
+// AzNamespace returns an attribute KeyValue conforming to the "az.namespace"
+// semantic conventions. It represents the [Azure Resource Provider Namespace] as
+// recognized by the client.
+//
+// [Azure Resource Provider Namespace]: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers
+func AzNamespace(val string) attribute.KeyValue {
+	return AzNamespaceKey.String(val)
+}
+
+// AzServiceRequestID returns an attribute KeyValue conforming to the
+// "az.service_request_id" semantic conventions. It represents the unique
+// identifier of the service request. It's generated by the Azure service and
+// returned with the response.
+func AzServiceRequestID(val string) attribute.KeyValue {
+	return AzServiceRequestIDKey.String(val)
+}
+
+// Namespace: azure
+const (
+	// AzureClientIDKey is the attribute Key conforming to the "azure.client.id"
+	// semantic conventions. It represents the unique identifier of the client
+	// instance.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "3ba4827d-4422-483f-b59f-85b74211c11d", "storage-client-1"
+	AzureClientIDKey = attribute.Key("azure.client.id")
+
+	// AzureCosmosDBConnectionModeKey is the attribute Key conforming to the
+	// "azure.cosmosdb.connection.mode" semantic conventions. It represents the
+	// cosmos client connection mode.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	AzureCosmosDBConnectionModeKey = attribute.Key("azure.cosmosdb.connection.mode")
+
+	// AzureCosmosDBConsistencyLevelKey is the attribute Key conforming to the
+	// "azure.cosmosdb.consistency.level" semantic conventions. It represents the
+	// account or request [consistency level].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Eventual", "ConsistentPrefix", "BoundedStaleness", "Strong",
+	// "Session"
+	//
+	// [consistency level]: https://learn.microsoft.com/azure/cosmos-db/consistency-levels
+	AzureCosmosDBConsistencyLevelKey = attribute.Key("azure.cosmosdb.consistency.level")
+
+	// AzureCosmosDBOperationContactedRegionsKey is the attribute Key conforming to
+	// the "azure.cosmosdb.operation.contacted_regions" semantic conventions. It
+	// represents the list of regions contacted during operation in the order that
+	// they were contacted. If there is more than one region listed, it indicates
+	// that the operation was performed on multiple regions i.e. cross-regional
+	// call.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "North Central US", "Australia East", "Australia Southeast"
+	// Note: Region name matches the format of `displayName` in [Azure Location API]
+	//
+	// [Azure Location API]: https://learn.microsoft.com/rest/api/subscription/subscriptions/list-locations?view=rest-subscription-2021-10-01&tabs=HTTP#location
+	AzureCosmosDBOperationContactedRegionsKey = attribute.Key("azure.cosmosdb.operation.contacted_regions")
+
+	// AzureCosmosDBOperationRequestChargeKey is the attribute Key conforming to the
+	// "azure.cosmosdb.operation.request_charge" semantic conventions. It represents
+	// the number of request units consumed by the operation.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 46.18, 1.0
+	AzureCosmosDBOperationRequestChargeKey = attribute.Key("azure.cosmosdb.operation.request_charge")
+
+	// AzureCosmosDBRequestBodySizeKey is the attribute Key conforming to the
+	// "azure.cosmosdb.request.body.size" semantic conventions. It represents the
+	// request payload size in bytes.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	AzureCosmosDBRequestBodySizeKey = attribute.Key("azure.cosmosdb.request.body.size")
+
+	// AzureCosmosDBResponseSubStatusCodeKey is the attribute Key conforming to the
+	// "azure.cosmosdb.response.sub_status_code" semantic conventions. It represents
+	// the cosmos DB sub status code.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1000, 1002
+	AzureCosmosDBResponseSubStatusCodeKey = attribute.Key("azure.cosmosdb.response.sub_status_code")
+)
+
+// AzureClientID returns an attribute KeyValue conforming to the
+// "azure.client.id" semantic conventions. It represents the unique identifier of
+// the client instance.
+func AzureClientID(val string) attribute.KeyValue {
+	return AzureClientIDKey.String(val)
+}
+
+// AzureCosmosDBOperationContactedRegions returns an attribute KeyValue
+// conforming to the "azure.cosmosdb.operation.contacted_regions" semantic
+// conventions. It represents the list of regions contacted during operation in
+// the order that they were contacted. If there is more than one region listed,
+// it indicates that the operation was performed on multiple regions i.e.
+// cross-regional call.
+func AzureCosmosDBOperationContactedRegions(val ...string) attribute.KeyValue {
+	return AzureCosmosDBOperationContactedRegionsKey.StringSlice(val)
+}
+
+// AzureCosmosDBOperationRequestCharge returns an attribute KeyValue conforming
+// to the "azure.cosmosdb.operation.request_charge" semantic conventions. It
+// represents the number of request units consumed by the operation.
+func AzureCosmosDBOperationRequestCharge(val float64) attribute.KeyValue {
+	return AzureCosmosDBOperationRequestChargeKey.Float64(val)
+}
+
+// AzureCosmosDBRequestBodySize returns an attribute KeyValue conforming to the
+// "azure.cosmosdb.request.body.size" semantic conventions. It represents the
+// request payload size in bytes.
+func AzureCosmosDBRequestBodySize(val int) attribute.KeyValue {
+	return AzureCosmosDBRequestBodySizeKey.Int(val)
+}
+
+// AzureCosmosDBResponseSubStatusCode returns an attribute KeyValue conforming to
+// the "azure.cosmosdb.response.sub_status_code" semantic conventions. It
+// represents the cosmos DB sub status code.
+func AzureCosmosDBResponseSubStatusCode(val int) attribute.KeyValue {
+	return AzureCosmosDBResponseSubStatusCodeKey.Int(val)
+}
+
+// Enum values for azure.cosmosdb.connection.mode
+var (
+	// Gateway (HTTP) connection.
+	// Stability: development
+	AzureCosmosDBConnectionModeGateway = AzureCosmosDBConnectionModeKey.String("gateway")
+	// Direct connection.
+	// Stability: development
+	AzureCosmosDBConnectionModeDirect = AzureCosmosDBConnectionModeKey.String("direct")
+)
+
+// Enum values for azure.cosmosdb.consistency.level
+var (
+	// strong
+	// Stability: development
+	AzureCosmosDBConsistencyLevelStrong = AzureCosmosDBConsistencyLevelKey.String("Strong")
+	// bounded_staleness
+	// Stability: development
+	AzureCosmosDBConsistencyLevelBoundedStaleness = AzureCosmosDBConsistencyLevelKey.String("BoundedStaleness")
+	// session
+	// Stability: development
+	AzureCosmosDBConsistencyLevelSession = AzureCosmosDBConsistencyLevelKey.String("Session")
+	// eventual
+	// Stability: development
+	AzureCosmosDBConsistencyLevelEventual = AzureCosmosDBConsistencyLevelKey.String("Eventual")
+	// consistent_prefix
+	// Stability: development
+	AzureCosmosDBConsistencyLevelConsistentPrefix = AzureCosmosDBConsistencyLevelKey.String("ConsistentPrefix")
+)
+
+// Namespace: browser
+const (
+	// BrowserBrandsKey is the attribute Key conforming to the "browser.brands"
+	// semantic conventions. It represents the array of brand name and version
+	// separated by a space.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: " Not A;Brand 99", "Chromium 99", "Chrome 99"
+	// Note: This value is intended to be taken from the [UA client hints API] (
+	// `navigator.userAgentData.brands`).
+	//
+	// [UA client hints API]: https://wicg.github.io/ua-client-hints/#interface
+	BrowserBrandsKey = attribute.Key("browser.brands")
+
+	// BrowserLanguageKey is the attribute Key conforming to the "browser.language"
+	// semantic conventions. It represents the preferred language of the user using
+	// the browser.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "en", "en-US", "fr", "fr-FR"
+	// Note: This value is intended to be taken from the Navigator API
+	// `navigator.language`.
+	BrowserLanguageKey = attribute.Key("browser.language")
+
+	// BrowserMobileKey is the attribute Key conforming to the "browser.mobile"
+	// semantic conventions. It represents a boolean that is true if the browser is
+	// running on a mobile device.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: This value is intended to be taken from the [UA client hints API] (
+	// `navigator.userAgentData.mobile`). If unavailable, this attribute SHOULD be
+	// left unset.
+	//
+	// [UA client hints API]: https://wicg.github.io/ua-client-hints/#interface
+	BrowserMobileKey = attribute.Key("browser.mobile")
+
+	// BrowserPlatformKey is the attribute Key conforming to the "browser.platform"
+	// semantic conventions. It represents the platform on which the browser is
+	// running.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Windows", "macOS", "Android"
+	// Note: This value is intended to be taken from the [UA client hints API] (
+	// `navigator.userAgentData.platform`). If unavailable, the legacy
+	// `navigator.platform` API SHOULD NOT be used instead and this attribute SHOULD
+	// be left unset in order for the values to be consistent.
+	// The list of possible values is defined in the
+	// [W3C User-Agent Client Hints specification]. Note that some (but not all) of
+	// these values can overlap with values in the
+	// [`os.type` and `os.name` attributes]. However, for consistency, the values in
+	// the `browser.platform` attribute should capture the exact value that the user
+	// agent provides.
+	//
+	// [UA client hints API]: https://wicg.github.io/ua-client-hints/#interface
+	// [W3C User-Agent Client Hints specification]: https://wicg.github.io/ua-client-hints/#sec-ch-ua-platform
+	// [`os.type` and `os.name` attributes]: ./os.md
+	BrowserPlatformKey = attribute.Key("browser.platform")
+)
+
+// BrowserBrands returns an attribute KeyValue conforming to the "browser.brands"
+// semantic conventions. It represents the array of brand name and version
+// separated by a space.
+func BrowserBrands(val ...string) attribute.KeyValue {
+	return BrowserBrandsKey.StringSlice(val)
+}
+
+// BrowserLanguage returns an attribute KeyValue conforming to the
+// "browser.language" semantic conventions. It represents the preferred language
+// of the user using the browser.
+func BrowserLanguage(val string) attribute.KeyValue {
+	return BrowserLanguageKey.String(val)
+}
+
+// BrowserMobile returns an attribute KeyValue conforming to the "browser.mobile"
+// semantic conventions. It represents a boolean that is true if the browser is
+// running on a mobile device.
+func BrowserMobile(val bool) attribute.KeyValue {
+	return BrowserMobileKey.Bool(val)
+}
+
+// BrowserPlatform returns an attribute KeyValue conforming to the
+// "browser.platform" semantic conventions. It represents the platform on which
+// the browser is running.
+func BrowserPlatform(val string) attribute.KeyValue {
+	return BrowserPlatformKey.String(val)
+}
+
+// Namespace: cassandra
+const (
+	// CassandraConsistencyLevelKey is the attribute Key conforming to the
+	// "cassandra.consistency.level" semantic conventions. It represents the
+	// consistency level of the query. Based on consistency values from [CQL].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	//
+	// [CQL]: https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/dml/dmlConfigConsistency.html
+	CassandraConsistencyLevelKey = attribute.Key("cassandra.consistency.level")
+
+	// CassandraCoordinatorDCKey is the attribute Key conforming to the
+	// "cassandra.coordinator.dc" semantic conventions. It represents the data
+	// center of the coordinating node for a query.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: us-west-2
+	CassandraCoordinatorDCKey = attribute.Key("cassandra.coordinator.dc")
+
+	// CassandraCoordinatorIDKey is the attribute Key conforming to the
+	// "cassandra.coordinator.id" semantic conventions. It represents the ID of the
+	// coordinating node for a query.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: be13faa2-8574-4d71-926d-27f16cf8a7af
+	CassandraCoordinatorIDKey = attribute.Key("cassandra.coordinator.id")
+
+	// CassandraPageSizeKey is the attribute Key conforming to the
+	// "cassandra.page.size" semantic conventions. It represents the fetch size used
+	// for paging, i.e. how many rows will be returned at once.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 5000
+	CassandraPageSizeKey = attribute.Key("cassandra.page.size")
+
+	// CassandraQueryIdempotentKey is the attribute Key conforming to the
+	// "cassandra.query.idempotent" semantic conventions. It represents the whether
+	// or not the query is idempotent.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	CassandraQueryIdempotentKey = attribute.Key("cassandra.query.idempotent")
+
+	// CassandraSpeculativeExecutionCountKey is the attribute Key conforming to the
+	// "cassandra.speculative_execution.count" semantic conventions. It represents
+	// the number of times a query was speculatively executed. Not set or `0` if the
+	// query was not executed speculatively.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0, 2
+	CassandraSpeculativeExecutionCountKey = attribute.Key("cassandra.speculative_execution.count")
+)
+
+// CassandraCoordinatorDC returns an attribute KeyValue conforming to the
+// "cassandra.coordinator.dc" semantic conventions. It represents the data center
+// of the coordinating node for a query.
+func CassandraCoordinatorDC(val string) attribute.KeyValue {
+	return CassandraCoordinatorDCKey.String(val)
+}
+
+// CassandraCoordinatorID returns an attribute KeyValue conforming to the
+// "cassandra.coordinator.id" semantic conventions. It represents the ID of the
+// coordinating node for a query.
+func CassandraCoordinatorID(val string) attribute.KeyValue {
+	return CassandraCoordinatorIDKey.String(val)
+}
+
+// CassandraPageSize returns an attribute KeyValue conforming to the
+// "cassandra.page.size" semantic conventions. It represents the fetch size used
+// for paging, i.e. how many rows will be returned at once.
+func CassandraPageSize(val int) attribute.KeyValue {
+	return CassandraPageSizeKey.Int(val)
+}
+
+// CassandraQueryIdempotent returns an attribute KeyValue conforming to the
+// "cassandra.query.idempotent" semantic conventions. It represents the whether
+// or not the query is idempotent.
+func CassandraQueryIdempotent(val bool) attribute.KeyValue {
+	return CassandraQueryIdempotentKey.Bool(val)
+}
+
+// CassandraSpeculativeExecutionCount returns an attribute KeyValue conforming to
+// the "cassandra.speculative_execution.count" semantic conventions. It
+// represents the number of times a query was speculatively executed. Not set or
+// `0` if the query was not executed speculatively.
+func CassandraSpeculativeExecutionCount(val int) attribute.KeyValue {
+	return CassandraSpeculativeExecutionCountKey.Int(val)
+}
+
+// Enum values for cassandra.consistency.level
+var (
+	// all
+	// Stability: development
+	CassandraConsistencyLevelAll = CassandraConsistencyLevelKey.String("all")
+	// each_quorum
+	// Stability: development
+	CassandraConsistencyLevelEachQuorum = CassandraConsistencyLevelKey.String("each_quorum")
+	// quorum
+	// Stability: development
+	CassandraConsistencyLevelQuorum = CassandraConsistencyLevelKey.String("quorum")
+	// local_quorum
+	// Stability: development
+	CassandraConsistencyLevelLocalQuorum = CassandraConsistencyLevelKey.String("local_quorum")
+	// one
+	// Stability: development
+	CassandraConsistencyLevelOne = CassandraConsistencyLevelKey.String("one")
+	// two
+	// Stability: development
+	CassandraConsistencyLevelTwo = CassandraConsistencyLevelKey.String("two")
+	// three
+	// Stability: development
+	CassandraConsistencyLevelThree = CassandraConsistencyLevelKey.String("three")
+	// local_one
+	// Stability: development
+	CassandraConsistencyLevelLocalOne = CassandraConsistencyLevelKey.String("local_one")
+	// any
+	// Stability: development
+	CassandraConsistencyLevelAny = CassandraConsistencyLevelKey.String("any")
+	// serial
+	// Stability: development
+	CassandraConsistencyLevelSerial = CassandraConsistencyLevelKey.String("serial")
+	// local_serial
+	// Stability: development
+	CassandraConsistencyLevelLocalSerial = CassandraConsistencyLevelKey.String("local_serial")
+)
+
+// Namespace: cicd
+const (
+	// CICDPipelineActionNameKey is the attribute Key conforming to the
+	// "cicd.pipeline.action.name" semantic conventions. It represents the kind of
+	// action a pipeline run is performing.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "BUILD", "RUN", "SYNC"
+	CICDPipelineActionNameKey = attribute.Key("cicd.pipeline.action.name")
+
+	// CICDPipelineNameKey is the attribute Key conforming to the
+	// "cicd.pipeline.name" semantic conventions. It represents the human readable
+	// name of the pipeline within a CI/CD system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Build and Test", "Lint", "Deploy Go Project",
+	// "deploy_to_environment"
+	CICDPipelineNameKey = attribute.Key("cicd.pipeline.name")
+
+	// CICDPipelineResultKey is the attribute Key conforming to the
+	// "cicd.pipeline.result" semantic conventions. It represents the result of a
+	// pipeline run.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "success", "failure", "timeout", "skipped"
+	CICDPipelineResultKey = attribute.Key("cicd.pipeline.result")
+
+	// CICDPipelineRunIDKey is the attribute Key conforming to the
+	// "cicd.pipeline.run.id" semantic conventions. It represents the unique
+	// identifier of a pipeline run within a CI/CD system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "120912"
+	CICDPipelineRunIDKey = attribute.Key("cicd.pipeline.run.id")
+
+	// CICDPipelineRunStateKey is the attribute Key conforming to the
+	// "cicd.pipeline.run.state" semantic conventions. It represents the pipeline
+	// run goes through these states during its lifecycle.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "pending", "executing", "finalizing"
+	CICDPipelineRunStateKey = attribute.Key("cicd.pipeline.run.state")
+
+	// CICDPipelineRunURLFullKey is the attribute Key conforming to the
+	// "cicd.pipeline.run.url.full" semantic conventions. It represents the [URL] of
+	// the pipeline run, providing the complete address in order to locate and
+	// identify the pipeline run.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "https://github.com/open-telemetry/semantic-conventions/actions/runs/9753949763?pr=1075"
+	//
+	// [URL]: https://wikipedia.org/wiki/URL
+	CICDPipelineRunURLFullKey = attribute.Key("cicd.pipeline.run.url.full")
+
+	// CICDPipelineTaskNameKey is the attribute Key conforming to the
+	// "cicd.pipeline.task.name" semantic conventions. It represents the human
+	// readable name of a task within a pipeline. Task here most closely aligns with
+	// a [computing process] in a pipeline. Other terms for tasks include commands,
+	// steps, and procedures.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Run GoLang Linter", "Go Build", "go-test", "deploy_binary"
+	//
+	// [computing process]: https://wikipedia.org/wiki/Pipeline_(computing)
+	CICDPipelineTaskNameKey = attribute.Key("cicd.pipeline.task.name")
+
+	// CICDPipelineTaskRunIDKey is the attribute Key conforming to the
+	// "cicd.pipeline.task.run.id" semantic conventions. It represents the unique
+	// identifier of a task run within a pipeline.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "12097"
+	CICDPipelineTaskRunIDKey = attribute.Key("cicd.pipeline.task.run.id")
+
+	// CICDPipelineTaskRunResultKey is the attribute Key conforming to the
+	// "cicd.pipeline.task.run.result" semantic conventions. It represents the
+	// result of a task run.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "success", "failure", "timeout", "skipped"
+	CICDPipelineTaskRunResultKey = attribute.Key("cicd.pipeline.task.run.result")
+
+	// CICDPipelineTaskRunURLFullKey is the attribute Key conforming to the
+	// "cicd.pipeline.task.run.url.full" semantic conventions. It represents the
+	// [URL] of the pipeline task run, providing the complete address in order to
+	// locate and identify the pipeline task run.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "https://github.com/open-telemetry/semantic-conventions/actions/runs/9753949763/job/26920038674?pr=1075"
+	//
+	// [URL]: https://wikipedia.org/wiki/URL
+	CICDPipelineTaskRunURLFullKey = attribute.Key("cicd.pipeline.task.run.url.full")
+
+	// CICDPipelineTaskTypeKey is the attribute Key conforming to the
+	// "cicd.pipeline.task.type" semantic conventions. It represents the type of the
+	// task within a pipeline.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "build", "test", "deploy"
+	CICDPipelineTaskTypeKey = attribute.Key("cicd.pipeline.task.type")
+
+	// CICDSystemComponentKey is the attribute Key conforming to the
+	// "cicd.system.component" semantic conventions. It represents the name of a
+	// component of the CICD system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "controller", "scheduler", "agent"
+	CICDSystemComponentKey = attribute.Key("cicd.system.component")
+
+	// CICDWorkerIDKey is the attribute Key conforming to the "cicd.worker.id"
+	// semantic conventions. It represents the unique identifier of a worker within
+	// a CICD system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "abc123", "10.0.1.2", "controller"
+	CICDWorkerIDKey = attribute.Key("cicd.worker.id")
+
+	// CICDWorkerNameKey is the attribute Key conforming to the "cicd.worker.name"
+	// semantic conventions. It represents the name of a worker within a CICD
+	// system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "agent-abc", "controller", "Ubuntu LTS"
+	CICDWorkerNameKey = attribute.Key("cicd.worker.name")
+
+	// CICDWorkerStateKey is the attribute Key conforming to the "cicd.worker.state"
+	// semantic conventions. It represents the state of a CICD worker / agent.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "idle", "busy", "down"
+	CICDWorkerStateKey = attribute.Key("cicd.worker.state")
+
+	// CICDWorkerURLFullKey is the attribute Key conforming to the
+	// "cicd.worker.url.full" semantic conventions. It represents the [URL] of the
+	// worker, providing the complete address in order to locate and identify the
+	// worker.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "https://cicd.example.org/worker/abc123"
+	//
+	// [URL]: https://wikipedia.org/wiki/URL
+	CICDWorkerURLFullKey = attribute.Key("cicd.worker.url.full")
+)
+
+// CICDPipelineName returns an attribute KeyValue conforming to the
+// "cicd.pipeline.name" semantic conventions. It represents the human readable
+// name of the pipeline within a CI/CD system.
+func CICDPipelineName(val string) attribute.KeyValue {
+	return CICDPipelineNameKey.String(val)
+}
+
+// CICDPipelineRunID returns an attribute KeyValue conforming to the
+// "cicd.pipeline.run.id" semantic conventions. It represents the unique
+// identifier of a pipeline run within a CI/CD system.
+func CICDPipelineRunID(val string) attribute.KeyValue {
+	return CICDPipelineRunIDKey.String(val)
+}
+
+// CICDPipelineRunURLFull returns an attribute KeyValue conforming to the
+// "cicd.pipeline.run.url.full" semantic conventions. It represents the [URL] of
+// the pipeline run, providing the complete address in order to locate and
+// identify the pipeline run.
+//
+// [URL]: https://wikipedia.org/wiki/URL
+func CICDPipelineRunURLFull(val string) attribute.KeyValue {
+	return CICDPipelineRunURLFullKey.String(val)
+}
+
+// CICDPipelineTaskName returns an attribute KeyValue conforming to the
+// "cicd.pipeline.task.name" semantic conventions. It represents the human
+// readable name of a task within a pipeline. Task here most closely aligns with
+// a [computing process] in a pipeline. Other terms for tasks include commands,
+// steps, and procedures.
+//
+// [computing process]: https://wikipedia.org/wiki/Pipeline_(computing)
+func CICDPipelineTaskName(val string) attribute.KeyValue {
+	return CICDPipelineTaskNameKey.String(val)
+}
+
+// CICDPipelineTaskRunID returns an attribute KeyValue conforming to the
+// "cicd.pipeline.task.run.id" semantic conventions. It represents the unique
+// identifier of a task run within a pipeline.
+func CICDPipelineTaskRunID(val string) attribute.KeyValue {
+	return CICDPipelineTaskRunIDKey.String(val)
+}
+
+// CICDPipelineTaskRunURLFull returns an attribute KeyValue conforming to the
+// "cicd.pipeline.task.run.url.full" semantic conventions. It represents the
+// [URL] of the pipeline task run, providing the complete address in order to
+// locate and identify the pipeline task run.
+//
+// [URL]: https://wikipedia.org/wiki/URL
+func CICDPipelineTaskRunURLFull(val string) attribute.KeyValue {
+	return CICDPipelineTaskRunURLFullKey.String(val)
+}
+
+// CICDSystemComponent returns an attribute KeyValue conforming to the
+// "cicd.system.component" semantic conventions. It represents the name of a
+// component of the CICD system.
+func CICDSystemComponent(val string) attribute.KeyValue {
+	return CICDSystemComponentKey.String(val)
+}
+
+// CICDWorkerID returns an attribute KeyValue conforming to the "cicd.worker.id"
+// semantic conventions. It represents the unique identifier of a worker within a
+// CICD system.
+func CICDWorkerID(val string) attribute.KeyValue {
+	return CICDWorkerIDKey.String(val)
+}
+
+// CICDWorkerName returns an attribute KeyValue conforming to the
+// "cicd.worker.name" semantic conventions. It represents the name of a worker
+// within a CICD system.
+func CICDWorkerName(val string) attribute.KeyValue {
+	return CICDWorkerNameKey.String(val)
+}
+
+// CICDWorkerURLFull returns an attribute KeyValue conforming to the
+// "cicd.worker.url.full" semantic conventions. It represents the [URL] of the
+// worker, providing the complete address in order to locate and identify the
+// worker.
+//
+// [URL]: https://wikipedia.org/wiki/URL
+func CICDWorkerURLFull(val string) attribute.KeyValue {
+	return CICDWorkerURLFullKey.String(val)
+}
+
+// Enum values for cicd.pipeline.action.name
+var (
+	// The pipeline run is executing a build.
+	// Stability: development
+	CICDPipelineActionNameBuild = CICDPipelineActionNameKey.String("BUILD")
+	// The pipeline run is executing.
+	// Stability: development
+	CICDPipelineActionNameRun = CICDPipelineActionNameKey.String("RUN")
+	// The pipeline run is executing a sync.
+	// Stability: development
+	CICDPipelineActionNameSync = CICDPipelineActionNameKey.String("SYNC")
+)
+
+// Enum values for cicd.pipeline.result
+var (
+	// The pipeline run finished successfully.
+	// Stability: development
+	CICDPipelineResultSuccess = CICDPipelineResultKey.String("success")
+	// The pipeline run did not finish successfully, eg. due to a compile error or a
+	// failing test. Such failures are usually detected by non-zero exit codes of
+	// the tools executed in the pipeline run.
+	// Stability: development
+	CICDPipelineResultFailure = CICDPipelineResultKey.String("failure")
+	// The pipeline run failed due to an error in the CICD system, eg. due to the
+	// worker being killed.
+	// Stability: development
+	CICDPipelineResultError = CICDPipelineResultKey.String("error")
+	// A timeout caused the pipeline run to be interrupted.
+	// Stability: development
+	CICDPipelineResultTimeout = CICDPipelineResultKey.String("timeout")
+	// The pipeline run was cancelled, eg. by a user manually cancelling the
+	// pipeline run.
+	// Stability: development
+	CICDPipelineResultCancellation = CICDPipelineResultKey.String("cancellation")
+	// The pipeline run was skipped, eg. due to a precondition not being met.
+	// Stability: development
+	CICDPipelineResultSkip = CICDPipelineResultKey.String("skip")
+)
+
+// Enum values for cicd.pipeline.run.state
+var (
+	// The run pending state spans from the event triggering the pipeline run until
+	// the execution of the run starts (eg. time spent in a queue, provisioning
+	// agents, creating run resources).
+	//
+	// Stability: development
+	CICDPipelineRunStatePending = CICDPipelineRunStateKey.String("pending")
+	// The executing state spans the execution of any run tasks (eg. build, test).
+	// Stability: development
+	CICDPipelineRunStateExecuting = CICDPipelineRunStateKey.String("executing")
+	// The finalizing state spans from when the run has finished executing (eg.
+	// cleanup of run resources).
+	// Stability: development
+	CICDPipelineRunStateFinalizing = CICDPipelineRunStateKey.String("finalizing")
+)
+
+// Enum values for cicd.pipeline.task.run.result
+var (
+	// The task run finished successfully.
+	// Stability: development
+	CICDPipelineTaskRunResultSuccess = CICDPipelineTaskRunResultKey.String("success")
+	// The task run did not finish successfully, eg. due to a compile error or a
+	// failing test. Such failures are usually detected by non-zero exit codes of
+	// the tools executed in the task run.
+	// Stability: development
+	CICDPipelineTaskRunResultFailure = CICDPipelineTaskRunResultKey.String("failure")
+	// The task run failed due to an error in the CICD system, eg. due to the worker
+	// being killed.
+	// Stability: development
+	CICDPipelineTaskRunResultError = CICDPipelineTaskRunResultKey.String("error")
+	// A timeout caused the task run to be interrupted.
+	// Stability: development
+	CICDPipelineTaskRunResultTimeout = CICDPipelineTaskRunResultKey.String("timeout")
+	// The task run was cancelled, eg. by a user manually cancelling the task run.
+	// Stability: development
+	CICDPipelineTaskRunResultCancellation = CICDPipelineTaskRunResultKey.String("cancellation")
+	// The task run was skipped, eg. due to a precondition not being met.
+	// Stability: development
+	CICDPipelineTaskRunResultSkip = CICDPipelineTaskRunResultKey.String("skip")
+)
+
+// Enum values for cicd.pipeline.task.type
+var (
+	// build
+	// Stability: development
+	CICDPipelineTaskTypeBuild = CICDPipelineTaskTypeKey.String("build")
+	// test
+	// Stability: development
+	CICDPipelineTaskTypeTest = CICDPipelineTaskTypeKey.String("test")
+	// deploy
+	// Stability: development
+	CICDPipelineTaskTypeDeploy = CICDPipelineTaskTypeKey.String("deploy")
+)
+
+// Enum values for cicd.worker.state
+var (
+	// The worker is not performing work for the CICD system. It is available to the
+	// CICD system to perform work on (online / idle).
+	// Stability: development
+	CICDWorkerStateAvailable = CICDWorkerStateKey.String("available")
+	// The worker is performing work for the CICD system.
+	// Stability: development
+	CICDWorkerStateBusy = CICDWorkerStateKey.String("busy")
+	// The worker is not available to the CICD system (disconnected / down).
+	// Stability: development
+	CICDWorkerStateOffline = CICDWorkerStateKey.String("offline")
+)
+
+// Namespace: client
+const (
+	// ClientAddressKey is the attribute Key conforming to the "client.address"
+	// semantic conventions. It represents the client address - domain name if
+	// available without reverse DNS lookup; otherwise, IP address or Unix domain
+	// socket name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "client.example.com", "10.1.2.80", "/tmp/my.sock"
+	// Note: When observed from the server side, and when communicating through an
+	// intermediary, `client.address` SHOULD represent the client address behind any
+	// intermediaries, for example proxies, if it's available.
+	ClientAddressKey = attribute.Key("client.address")
+
+	// ClientPortKey is the attribute Key conforming to the "client.port" semantic
+	// conventions. It represents the client port number.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: 65123
+	// Note: When observed from the server side, and when communicating through an
+	// intermediary, `client.port` SHOULD represent the client port behind any
+	// intermediaries, for example proxies, if it's available.
+	ClientPortKey = attribute.Key("client.port")
+)
+
+// ClientAddress returns an attribute KeyValue conforming to the "client.address"
+// semantic conventions. It represents the client address - domain name if
+// available without reverse DNS lookup; otherwise, IP address or Unix domain
+// socket name.
+func ClientAddress(val string) attribute.KeyValue {
+	return ClientAddressKey.String(val)
+}
+
+// ClientPort returns an attribute KeyValue conforming to the "client.port"
+// semantic conventions. It represents the client port number.
+func ClientPort(val int) attribute.KeyValue {
+	return ClientPortKey.Int(val)
+}
+
+// Namespace: cloud
+const (
+	// CloudAccountIDKey is the attribute Key conforming to the "cloud.account.id"
+	// semantic conventions. It represents the cloud account ID the resource is
+	// assigned to.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "111111111111", "opentelemetry"
+	CloudAccountIDKey = attribute.Key("cloud.account.id")
+
+	// CloudAvailabilityZoneKey is the attribute Key conforming to the
+	// "cloud.availability_zone" semantic conventions. It represents the cloud
+	// regions often have multiple, isolated locations known as zones to increase
+	// availability. Availability zone represents the zone where the resource is
+	// running.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "us-east-1c"
+	// Note: Availability zones are called "zones" on Alibaba Cloud and Google
+	// Cloud.
+	CloudAvailabilityZoneKey = attribute.Key("cloud.availability_zone")
+
+	// CloudPlatformKey is the attribute Key conforming to the "cloud.platform"
+	// semantic conventions. It represents the cloud platform in use.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: The prefix of the service SHOULD match the one specified in
+	// `cloud.provider`.
+	CloudPlatformKey = attribute.Key("cloud.platform")
+
+	// CloudProviderKey is the attribute Key conforming to the "cloud.provider"
+	// semantic conventions. It represents the name of the cloud provider.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	CloudProviderKey = attribute.Key("cloud.provider")
+
+	// CloudRegionKey is the attribute Key conforming to the "cloud.region" semantic
+	// conventions. It represents the geographical region within a cloud provider.
+	// When associated with a resource, this attribute specifies the region where
+	// the resource operates. When calling services or APIs deployed on a cloud,
+	// this attribute identifies the region where the called destination is
+	// deployed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "us-central1", "us-east-1"
+	// Note: Refer to your provider's docs to see the available regions, for example
+	// [Alibaba Cloud regions], [AWS regions], [Azure regions],
+	// [Google Cloud regions], or [Tencent Cloud regions].
+	//
+	// [Alibaba Cloud regions]: https://www.alibabacloud.com/help/doc-detail/40654.htm
+	// [AWS regions]: https://aws.amazon.com/about-aws/global-infrastructure/regions_az/
+	// [Azure regions]: https://azure.microsoft.com/global-infrastructure/geographies/
+	// [Google Cloud regions]: https://cloud.google.com/about/locations
+	// [Tencent Cloud regions]: https://www.tencentcloud.com/document/product/213/6091
+	CloudRegionKey = attribute.Key("cloud.region")
+
+	// CloudResourceIDKey is the attribute Key conforming to the "cloud.resource_id"
+	// semantic conventions. It represents the cloud provider-specific native
+	// identifier of the monitored cloud resource (e.g. an [ARN] on AWS, a
+	// [fully qualified resource ID] on Azure, a [full resource name] on GCP).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "arn:aws:lambda:REGION:ACCOUNT_ID:function:my-function",
+	// "//run.googleapis.com/projects/PROJECT_ID/locations/LOCATION_ID/services/SERVICE_ID",
+	// "/subscriptions/<SUBSCRIPTION_GUID>/resourceGroups/<RG>
+	// /providers/Microsoft.Web/sites/<FUNCAPP>/functions/<FUNC>"
+	// Note: On some cloud providers, it may not be possible to determine the full
+	// ID at startup,
+	// so it may be necessary to set `cloud.resource_id` as a span attribute
+	// instead.
+	//
+	// The exact value to use for `cloud.resource_id` depends on the cloud provider.
+	// The following well-known definitions MUST be used if you set this attribute
+	// and they apply:
+	//
+	//   - **AWS Lambda:** The function [ARN].
+	//     Take care not to use the "invoked ARN" directly but replace any
+	//     [alias suffix]
+	//     with the resolved function version, as the same runtime instance may be
+	//     invocable with
+	//     multiple different aliases.
+	//   - **GCP:** The [URI of the resource]
+	//   - **Azure:** The [Fully Qualified Resource ID] of the invoked function,
+	//     *not* the function app, having the form
+	//
+	//     `/subscriptions/<SUBSCRIPTION_GUID>/resourceGroups/<RG>/providers/Microsoft.Web/sites/<FUNCAPP>/functions/<FUNC>`
+	//     .
+	//     This means that a span attribute MUST be used, as an Azure function app
+	//     can host multiple functions that would usually share
+	//     a TracerProvider.
+	//
+	//
+	// [ARN]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+	// [fully qualified resource ID]: https://learn.microsoft.com/rest/api/resources/resources/get-by-id
+	// [full resource name]: https://google.aip.dev/122#full-resource-names
+	// [ARN]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+	// [alias suffix]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html
+	// [URI of the resource]: https://cloud.google.com/iam/docs/full-resource-names
+	// [Fully Qualified Resource ID]: https://docs.microsoft.com/rest/api/resources/resources/get-by-id
+	CloudResourceIDKey = attribute.Key("cloud.resource_id")
+)
+
+// CloudAccountID returns an attribute KeyValue conforming to the
+// "cloud.account.id" semantic conventions. It represents the cloud account ID
+// the resource is assigned to.
+func CloudAccountID(val string) attribute.KeyValue {
+	return CloudAccountIDKey.String(val)
+}
+
+// CloudAvailabilityZone returns an attribute KeyValue conforming to the
+// "cloud.availability_zone" semantic conventions. It represents the cloud
+// regions often have multiple, isolated locations known as zones to increase
+// availability. Availability zone represents the zone where the resource is
+// running.
+func CloudAvailabilityZone(val string) attribute.KeyValue {
+	return CloudAvailabilityZoneKey.String(val)
+}
+
+// CloudRegion returns an attribute KeyValue conforming to the "cloud.region"
+// semantic conventions. It represents the geographical region within a cloud
+// provider. When associated with a resource, this attribute specifies the region
+// where the resource operates. When calling services or APIs deployed on a
+// cloud, this attribute identifies the region where the called destination is
+// deployed.
+func CloudRegion(val string) attribute.KeyValue {
+	return CloudRegionKey.String(val)
+}
+
+// CloudResourceID returns an attribute KeyValue conforming to the
+// "cloud.resource_id" semantic conventions. It represents the cloud
+// provider-specific native identifier of the monitored cloud resource (e.g. an
+// [ARN] on AWS, a [fully qualified resource ID] on Azure, a [full resource name]
+//  on GCP).
+//
+// [ARN]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+// [fully qualified resource ID]: https://learn.microsoft.com/rest/api/resources/resources/get-by-id
+// [full resource name]: https://google.aip.dev/122#full-resource-names
+func CloudResourceID(val string) attribute.KeyValue {
+	return CloudResourceIDKey.String(val)
+}
+
+// Enum values for cloud.platform
+var (
+	// Alibaba Cloud Elastic Compute Service
+	// Stability: development
+	CloudPlatformAlibabaCloudECS = CloudPlatformKey.String("alibaba_cloud_ecs")
+	// Alibaba Cloud Function Compute
+	// Stability: development
+	CloudPlatformAlibabaCloudFC = CloudPlatformKey.String("alibaba_cloud_fc")
+	// Red Hat OpenShift on Alibaba Cloud
+	// Stability: development
+	CloudPlatformAlibabaCloudOpenShift = CloudPlatformKey.String("alibaba_cloud_openshift")
+	// AWS Elastic Compute Cloud
+	// Stability: development
+	CloudPlatformAWSEC2 = CloudPlatformKey.String("aws_ec2")
+	// AWS Elastic Container Service
+	// Stability: development
+	CloudPlatformAWSECS = CloudPlatformKey.String("aws_ecs")
+	// AWS Elastic Kubernetes Service
+	// Stability: development
+	CloudPlatformAWSEKS = CloudPlatformKey.String("aws_eks")
+	// AWS Lambda
+	// Stability: development
+	CloudPlatformAWSLambda = CloudPlatformKey.String("aws_lambda")
+	// AWS Elastic Beanstalk
+	// Stability: development
+	CloudPlatformAWSElasticBeanstalk = CloudPlatformKey.String("aws_elastic_beanstalk")
+	// AWS App Runner
+	// Stability: development
+	CloudPlatformAWSAppRunner = CloudPlatformKey.String("aws_app_runner")
+	// Red Hat OpenShift on AWS (ROSA)
+	// Stability: development
+	CloudPlatformAWSOpenShift = CloudPlatformKey.String("aws_openshift")
+	// Azure Virtual Machines
+	// Stability: development
+	CloudPlatformAzureVM = CloudPlatformKey.String("azure_vm")
+	// Azure Container Apps
+	// Stability: development
+	CloudPlatformAzureContainerApps = CloudPlatformKey.String("azure_container_apps")
+	// Azure Container Instances
+	// Stability: development
+	CloudPlatformAzureContainerInstances = CloudPlatformKey.String("azure_container_instances")
+	// Azure Kubernetes Service
+	// Stability: development
+	CloudPlatformAzureAKS = CloudPlatformKey.String("azure_aks")
+	// Azure Functions
+	// Stability: development
+	CloudPlatformAzureFunctions = CloudPlatformKey.String("azure_functions")
+	// Azure App Service
+	// Stability: development
+	CloudPlatformAzureAppService = CloudPlatformKey.String("azure_app_service")
+	// Azure Red Hat OpenShift
+	// Stability: development
+	CloudPlatformAzureOpenShift = CloudPlatformKey.String("azure_openshift")
+	// Google Bare Metal Solution (BMS)
+	// Stability: development
+	CloudPlatformGCPBareMetalSolution = CloudPlatformKey.String("gcp_bare_metal_solution")
+	// Google Cloud Compute Engine (GCE)
+	// Stability: development
+	CloudPlatformGCPComputeEngine = CloudPlatformKey.String("gcp_compute_engine")
+	// Google Cloud Run
+	// Stability: development
+	CloudPlatformGCPCloudRun = CloudPlatformKey.String("gcp_cloud_run")
+	// Google Cloud Kubernetes Engine (GKE)
+	// Stability: development
+	CloudPlatformGCPKubernetesEngine = CloudPlatformKey.String("gcp_kubernetes_engine")
+	// Google Cloud Functions (GCF)
+	// Stability: development
+	CloudPlatformGCPCloudFunctions = CloudPlatformKey.String("gcp_cloud_functions")
+	// Google Cloud App Engine (GAE)
+	// Stability: development
+	CloudPlatformGCPAppEngine = CloudPlatformKey.String("gcp_app_engine")
+	// Red Hat OpenShift on Google Cloud
+	// Stability: development
+	CloudPlatformGCPOpenShift = CloudPlatformKey.String("gcp_openshift")
+	// Red Hat OpenShift on IBM Cloud
+	// Stability: development
+	CloudPlatformIBMCloudOpenShift = CloudPlatformKey.String("ibm_cloud_openshift")
+	// Compute on Oracle Cloud Infrastructure (OCI)
+	// Stability: development
+	CloudPlatformOracleCloudCompute = CloudPlatformKey.String("oracle_cloud_compute")
+	// Kubernetes Engine (OKE) on Oracle Cloud Infrastructure (OCI)
+	// Stability: development
+	CloudPlatformOracleCloudOKE = CloudPlatformKey.String("oracle_cloud_oke")
+	// Tencent Cloud Cloud Virtual Machine (CVM)
+	// Stability: development
+	CloudPlatformTencentCloudCVM = CloudPlatformKey.String("tencent_cloud_cvm")
+	// Tencent Cloud Elastic Kubernetes Service (EKS)
+	// Stability: development
+	CloudPlatformTencentCloudEKS = CloudPlatformKey.String("tencent_cloud_eks")
+	// Tencent Cloud Serverless Cloud Function (SCF)
+	// Stability: development
+	CloudPlatformTencentCloudSCF = CloudPlatformKey.String("tencent_cloud_scf")
+)
+
+// Enum values for cloud.provider
+var (
+	// Alibaba Cloud
+	// Stability: development
+	CloudProviderAlibabaCloud = CloudProviderKey.String("alibaba_cloud")
+	// Amazon Web Services
+	// Stability: development
+	CloudProviderAWS = CloudProviderKey.String("aws")
+	// Microsoft Azure
+	// Stability: development
+	CloudProviderAzure = CloudProviderKey.String("azure")
+	// Google Cloud Platform
+	// Stability: development
+	CloudProviderGCP = CloudProviderKey.String("gcp")
+	// Heroku Platform as a Service
+	// Stability: development
+	CloudProviderHeroku = CloudProviderKey.String("heroku")
+	// IBM Cloud
+	// Stability: development
+	CloudProviderIBMCloud = CloudProviderKey.String("ibm_cloud")
+	// Oracle Cloud Infrastructure (OCI)
+	// Stability: development
+	CloudProviderOracleCloud = CloudProviderKey.String("oracle_cloud")
+	// Tencent Cloud
+	// Stability: development
+	CloudProviderTencentCloud = CloudProviderKey.String("tencent_cloud")
+)
+
+// Namespace: cloudevents
+const (
+	// CloudEventsEventIDKey is the attribute Key conforming to the
+	// "cloudevents.event_id" semantic conventions. It represents the [event_id]
+	// uniquely identifies the event.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "123e4567-e89b-12d3-a456-426614174000", "0001"
+	//
+	// [event_id]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#id
+	CloudEventsEventIDKey = attribute.Key("cloudevents.event_id")
+
+	// CloudEventsEventSourceKey is the attribute Key conforming to the
+	// "cloudevents.event_source" semantic conventions. It represents the [source]
+	// identifies the context in which an event happened.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "https://github.com/cloudevents", "/cloudevents/spec/pull/123",
+	// "my-service"
+	//
+	// [source]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#source-1
+	CloudEventsEventSourceKey = attribute.Key("cloudevents.event_source")
+
+	// CloudEventsEventSpecVersionKey is the attribute Key conforming to the
+	// "cloudevents.event_spec_version" semantic conventions. It represents the
+	// [version of the CloudEvents specification] which the event uses.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1.0
+	//
+	// [version of the CloudEvents specification]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#specversion
+	CloudEventsEventSpecVersionKey = attribute.Key("cloudevents.event_spec_version")
+
+	// CloudEventsEventSubjectKey is the attribute Key conforming to the
+	// "cloudevents.event_subject" semantic conventions. It represents the [subject]
+	//  of the event in the context of the event producer (identified by source).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: mynewfile.jpg
+	//
+	// [subject]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#subject
+	CloudEventsEventSubjectKey = attribute.Key("cloudevents.event_subject")
+
+	// CloudEventsEventTypeKey is the attribute Key conforming to the
+	// "cloudevents.event_type" semantic conventions. It represents the [event_type]
+	//  contains a value describing the type of event related to the originating
+	// occurrence.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "com.github.pull_request.opened", "com.example.object.deleted.v2"
+	//
+	// [event_type]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#type
+	CloudEventsEventTypeKey = attribute.Key("cloudevents.event_type")
+)
+
+// CloudEventsEventID returns an attribute KeyValue conforming to the
+// "cloudevents.event_id" semantic conventions. It represents the [event_id]
+// uniquely identifies the event.
+//
+// [event_id]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#id
+func CloudEventsEventID(val string) attribute.KeyValue {
+	return CloudEventsEventIDKey.String(val)
+}
+
+// CloudEventsEventSource returns an attribute KeyValue conforming to the
+// "cloudevents.event_source" semantic conventions. It represents the [source]
+// identifies the context in which an event happened.
+//
+// [source]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#source-1
+func CloudEventsEventSource(val string) attribute.KeyValue {
+	return CloudEventsEventSourceKey.String(val)
+}
+
+// CloudEventsEventSpecVersion returns an attribute KeyValue conforming to the
+// "cloudevents.event_spec_version" semantic conventions. It represents the
+// [version of the CloudEvents specification] which the event uses.
+//
+// [version of the CloudEvents specification]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#specversion
+func CloudEventsEventSpecVersion(val string) attribute.KeyValue {
+	return CloudEventsEventSpecVersionKey.String(val)
+}
+
+// CloudEventsEventSubject returns an attribute KeyValue conforming to the
+// "cloudevents.event_subject" semantic conventions. It represents the [subject]
+// of the event in the context of the event producer (identified by source).
+//
+// [subject]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#subject
+func CloudEventsEventSubject(val string) attribute.KeyValue {
+	return CloudEventsEventSubjectKey.String(val)
+}
+
+// CloudEventsEventType returns an attribute KeyValue conforming to the
+// "cloudevents.event_type" semantic conventions. It represents the [event_type]
+// contains a value describing the type of event related to the originating
+// occurrence.
+//
+// [event_type]: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#type
+func CloudEventsEventType(val string) attribute.KeyValue {
+	return CloudEventsEventTypeKey.String(val)
+}
+
+// Namespace: cloudfoundry
+const (
+	// CloudFoundryAppIDKey is the attribute Key conforming to the
+	// "cloudfoundry.app.id" semantic conventions. It represents the guid of the
+	// application.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "218fc5a9-a5f1-4b54-aa05-46717d0ab26d"
+	// Note: Application instrumentation should use the value from environment
+	// variable `VCAP_APPLICATION.application_id`. This is the same value as
+	// reported by `cf app <app-name> --guid`.
+	CloudFoundryAppIDKey = attribute.Key("cloudfoundry.app.id")
+
+	// CloudFoundryAppInstanceIDKey is the attribute Key conforming to the
+	// "cloudfoundry.app.instance.id" semantic conventions. It represents the index
+	// of the application instance. 0 when just one instance is active.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "0", "1"
+	// Note: CloudFoundry defines the `instance_id` in the [Loggregator v2 envelope]
+	// .
+	// It is used for logs and metrics emitted by CloudFoundry. It is
+	// supposed to contain the application instance index for applications
+	// deployed on the runtime.
+	//
+	// Application instrumentation should use the value from environment
+	// variable `CF_INSTANCE_INDEX`.
+	//
+	// [Loggregator v2 envelope]: https://github.com/cloudfoundry/loggregator-api#v2-envelope
+	CloudFoundryAppInstanceIDKey = attribute.Key("cloudfoundry.app.instance.id")
+
+	// CloudFoundryAppNameKey is the attribute Key conforming to the
+	// "cloudfoundry.app.name" semantic conventions. It represents the name of the
+	// application.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-app-name"
+	// Note: Application instrumentation should use the value from environment
+	// variable `VCAP_APPLICATION.application_name`. This is the same value
+	// as reported by `cf apps`.
+	CloudFoundryAppNameKey = attribute.Key("cloudfoundry.app.name")
+
+	// CloudFoundryOrgIDKey is the attribute Key conforming to the
+	// "cloudfoundry.org.id" semantic conventions. It represents the guid of the
+	// CloudFoundry org the application is running in.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "218fc5a9-a5f1-4b54-aa05-46717d0ab26d"
+	// Note: Application instrumentation should use the value from environment
+	// variable `VCAP_APPLICATION.org_id`. This is the same value as
+	// reported by `cf org <org-name> --guid`.
+	CloudFoundryOrgIDKey = attribute.Key("cloudfoundry.org.id")
+
+	// CloudFoundryOrgNameKey is the attribute Key conforming to the
+	// "cloudfoundry.org.name" semantic conventions. It represents the name of the
+	// CloudFoundry organization the app is running in.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-org-name"
+	// Note: Application instrumentation should use the value from environment
+	// variable `VCAP_APPLICATION.org_name`. This is the same value as
+	// reported by `cf orgs`.
+	CloudFoundryOrgNameKey = attribute.Key("cloudfoundry.org.name")
+
+	// CloudFoundryProcessIDKey is the attribute Key conforming to the
+	// "cloudfoundry.process.id" semantic conventions. It represents the UID
+	// identifying the process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "218fc5a9-a5f1-4b54-aa05-46717d0ab26d"
+	// Note: Application instrumentation should use the value from environment
+	// variable `VCAP_APPLICATION.process_id`. It is supposed to be equal to
+	// `VCAP_APPLICATION.app_id` for applications deployed to the runtime.
+	// For system components, this could be the actual PID.
+	CloudFoundryProcessIDKey = attribute.Key("cloudfoundry.process.id")
+
+	// CloudFoundryProcessTypeKey is the attribute Key conforming to the
+	// "cloudfoundry.process.type" semantic conventions. It represents the type of
+	// process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "web"
+	// Note: CloudFoundry applications can consist of multiple jobs. Usually the
+	// main process will be of type `web`. There can be additional background
+	// tasks or side-cars with different process types.
+	CloudFoundryProcessTypeKey = attribute.Key("cloudfoundry.process.type")
+
+	// CloudFoundrySpaceIDKey is the attribute Key conforming to the
+	// "cloudfoundry.space.id" semantic conventions. It represents the guid of the
+	// CloudFoundry space the application is running in.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "218fc5a9-a5f1-4b54-aa05-46717d0ab26d"
+	// Note: Application instrumentation should use the value from environment
+	// variable `VCAP_APPLICATION.space_id`. This is the same value as
+	// reported by `cf space <space-name> --guid`.
+	CloudFoundrySpaceIDKey = attribute.Key("cloudfoundry.space.id")
+
+	// CloudFoundrySpaceNameKey is the attribute Key conforming to the
+	// "cloudfoundry.space.name" semantic conventions. It represents the name of the
+	// CloudFoundry space the application is running in.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-space-name"
+	// Note: Application instrumentation should use the value from environment
+	// variable `VCAP_APPLICATION.space_name`. This is the same value as
+	// reported by `cf spaces`.
+	CloudFoundrySpaceNameKey = attribute.Key("cloudfoundry.space.name")
+
+	// CloudFoundrySystemIDKey is the attribute Key conforming to the
+	// "cloudfoundry.system.id" semantic conventions. It represents a guid or
+	// another name describing the event source.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "cf/gorouter"
+	// Note: CloudFoundry defines the `source_id` in the [Loggregator v2 envelope].
+	// It is used for logs and metrics emitted by CloudFoundry. It is
+	// supposed to contain the component name, e.g. "gorouter", for
+	// CloudFoundry components.
+	//
+	// When system components are instrumented, values from the
+	// [Bosh spec]
+	// should be used. The `system.id` should be set to
+	// `spec.deployment/spec.name`.
+	//
+	// [Loggregator v2 envelope]: https://github.com/cloudfoundry/loggregator-api#v2-envelope
+	// [Bosh spec]: https://bosh.io/docs/jobs/#properties-spec
+	CloudFoundrySystemIDKey = attribute.Key("cloudfoundry.system.id")
+
+	// CloudFoundrySystemInstanceIDKey is the attribute Key conforming to the
+	// "cloudfoundry.system.instance.id" semantic conventions. It represents a guid
+	// describing the concrete instance of the event source.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "218fc5a9-a5f1-4b54-aa05-46717d0ab26d"
+	// Note: CloudFoundry defines the `instance_id` in the [Loggregator v2 envelope]
+	// .
+	// It is used for logs and metrics emitted by CloudFoundry. It is
+	// supposed to contain the vm id for CloudFoundry components.
+	//
+	// When system components are instrumented, values from the
+	// [Bosh spec]
+	// should be used. The `system.instance.id` should be set to `spec.id`.
+	//
+	// [Loggregator v2 envelope]: https://github.com/cloudfoundry/loggregator-api#v2-envelope
+	// [Bosh spec]: https://bosh.io/docs/jobs/#properties-spec
+	CloudFoundrySystemInstanceIDKey = attribute.Key("cloudfoundry.system.instance.id")
+)
+
+// CloudFoundryAppID returns an attribute KeyValue conforming to the
+// "cloudfoundry.app.id" semantic conventions. It represents the guid of the
+// application.
+func CloudFoundryAppID(val string) attribute.KeyValue {
+	return CloudFoundryAppIDKey.String(val)
+}
+
+// CloudFoundryAppInstanceID returns an attribute KeyValue conforming to the
+// "cloudfoundry.app.instance.id" semantic conventions. It represents the index
+// of the application instance. 0 when just one instance is active.
+func CloudFoundryAppInstanceID(val string) attribute.KeyValue {
+	return CloudFoundryAppInstanceIDKey.String(val)
+}
+
+// CloudFoundryAppName returns an attribute KeyValue conforming to the
+// "cloudfoundry.app.name" semantic conventions. It represents the name of the
+// application.
+func CloudFoundryAppName(val string) attribute.KeyValue {
+	return CloudFoundryAppNameKey.String(val)
+}
+
+// CloudFoundryOrgID returns an attribute KeyValue conforming to the
+// "cloudfoundry.org.id" semantic conventions. It represents the guid of the
+// CloudFoundry org the application is running in.
+func CloudFoundryOrgID(val string) attribute.KeyValue {
+	return CloudFoundryOrgIDKey.String(val)
+}
+
+// CloudFoundryOrgName returns an attribute KeyValue conforming to the
+// "cloudfoundry.org.name" semantic conventions. It represents the name of the
+// CloudFoundry organization the app is running in.
+func CloudFoundryOrgName(val string) attribute.KeyValue {
+	return CloudFoundryOrgNameKey.String(val)
+}
+
+// CloudFoundryProcessID returns an attribute KeyValue conforming to the
+// "cloudfoundry.process.id" semantic conventions. It represents the UID
+// identifying the process.
+func CloudFoundryProcessID(val string) attribute.KeyValue {
+	return CloudFoundryProcessIDKey.String(val)
+}
+
+// CloudFoundryProcessType returns an attribute KeyValue conforming to the
+// "cloudfoundry.process.type" semantic conventions. It represents the type of
+// process.
+func CloudFoundryProcessType(val string) attribute.KeyValue {
+	return CloudFoundryProcessTypeKey.String(val)
+}
+
+// CloudFoundrySpaceID returns an attribute KeyValue conforming to the
+// "cloudfoundry.space.id" semantic conventions. It represents the guid of the
+// CloudFoundry space the application is running in.
+func CloudFoundrySpaceID(val string) attribute.KeyValue {
+	return CloudFoundrySpaceIDKey.String(val)
+}
+
+// CloudFoundrySpaceName returns an attribute KeyValue conforming to the
+// "cloudfoundry.space.name" semantic conventions. It represents the name of the
+// CloudFoundry space the application is running in.
+func CloudFoundrySpaceName(val string) attribute.KeyValue {
+	return CloudFoundrySpaceNameKey.String(val)
+}
+
+// CloudFoundrySystemID returns an attribute KeyValue conforming to the
+// "cloudfoundry.system.id" semantic conventions. It represents a guid or another
+// name describing the event source.
+func CloudFoundrySystemID(val string) attribute.KeyValue {
+	return CloudFoundrySystemIDKey.String(val)
+}
+
+// CloudFoundrySystemInstanceID returns an attribute KeyValue conforming to the
+// "cloudfoundry.system.instance.id" semantic conventions. It represents a guid
+// describing the concrete instance of the event source.
+func CloudFoundrySystemInstanceID(val string) attribute.KeyValue {
+	return CloudFoundrySystemInstanceIDKey.String(val)
+}
+
+// Namespace: code
+const (
+	// CodeColumnNumberKey is the attribute Key conforming to the
+	// "code.column.number" semantic conventions. It represents the column number in
+	// `code.file.path` best representing the operation. It SHOULD point within the
+	// code unit named in `code.function.name`. This attribute MUST NOT be used on
+	// the Profile signal since the data is already captured in 'message Line'. This
+	// constraint is imposed to prevent redundancy and maintain data integrity.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	CodeColumnNumberKey = attribute.Key("code.column.number")
+
+	// CodeFilePathKey is the attribute Key conforming to the "code.file.path"
+	// semantic conventions. It represents the source code file name that identifies
+	// the code unit as uniquely as possible (preferably an absolute file path).
+	// This attribute MUST NOT be used on the Profile signal since the data is
+	// already captured in 'message Function'. This constraint is imposed to prevent
+	// redundancy and maintain data integrity.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: /usr/local/MyApplication/content_root/app/index.php
+	CodeFilePathKey = attribute.Key("code.file.path")
+
+	// CodeFunctionNameKey is the attribute Key conforming to the
+	// "code.function.name" semantic conventions. It represents the method or
+	// function fully-qualified name without arguments. The value should fit the
+	// natural representation of the language runtime, which is also likely the same
+	// used within `code.stacktrace` attribute value. This attribute MUST NOT be
+	// used on the Profile signal since the data is already captured in 'message
+	// Function'. This constraint is imposed to prevent redundancy and maintain data
+	// integrity.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "com.example.MyHttpService.serveRequest",
+	// "GuzzleHttp\Client::transfer", "fopen"
+	// Note: Values and format depends on each language runtime, thus it is
+	// impossible to provide an exhaustive list of examples.
+	// The values are usually the same (or prefixes of) the ones found in native
+	// stack trace representation stored in
+	// `code.stacktrace` without information on arguments.
+	//
+	// Examples:
+	//
+	//   - Java method: `com.example.MyHttpService.serveRequest`
+	//   - Java anonymous class method: `com.mycompany.Main$1.myMethod`
+	//   - Java lambda method:
+	//     `com.mycompany.Main$$Lambda/0x0000748ae4149c00.myMethod`
+	//   - PHP function: `GuzzleHttp\Client::transfer`
+	//   - Go function: `github.com/my/repo/pkg.foo.func5`
+	//   - Elixir: `OpenTelemetry.Ctx.new`
+	//   - Erlang: `opentelemetry_ctx:new`
+	//   - Rust: `playground::my_module::my_cool_func`
+	//   - C function: `fopen`
+	CodeFunctionNameKey = attribute.Key("code.function.name")
+
+	// CodeLineNumberKey is the attribute Key conforming to the "code.line.number"
+	// semantic conventions. It represents the line number in `code.file.path` best
+	// representing the operation. It SHOULD point within the code unit named in
+	// `code.function.name`. This attribute MUST NOT be used on the Profile signal
+	// since the data is already captured in 'message Line'. This constraint is
+	// imposed to prevent redundancy and maintain data integrity.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	CodeLineNumberKey = attribute.Key("code.line.number")
+
+	// CodeStacktraceKey is the attribute Key conforming to the "code.stacktrace"
+	// semantic conventions. It represents a stacktrace as a string in the natural
+	// representation for the language runtime. The representation is identical to
+	// [`exception.stacktrace`]. This attribute MUST NOT be used on the Profile
+	// signal since the data is already captured in 'message Location'. This
+	// constraint is imposed to prevent redundancy and maintain data integrity.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: at com.example.GenerateTrace.methodB(GenerateTrace.java:13)\n at
+	// com.example.GenerateTrace.methodA(GenerateTrace.java:9)\n at
+	// com.example.GenerateTrace.main(GenerateTrace.java:5)
+	//
+	// [`exception.stacktrace`]: /docs/exceptions/exceptions-spans.md#stacktrace-representation
+	CodeStacktraceKey = attribute.Key("code.stacktrace")
+)
+
+// CodeColumnNumber returns an attribute KeyValue conforming to the
+// "code.column.number" semantic conventions. It represents the column number in
+// `code.file.path` best representing the operation. It SHOULD point within the
+// code unit named in `code.function.name`. This attribute MUST NOT be used on
+// the Profile signal since the data is already captured in 'message Line'. This
+// constraint is imposed to prevent redundancy and maintain data integrity.
+func CodeColumnNumber(val int) attribute.KeyValue {
+	return CodeColumnNumberKey.Int(val)
+}
+
+// CodeFilePath returns an attribute KeyValue conforming to the "code.file.path"
+// semantic conventions. It represents the source code file name that identifies
+// the code unit as uniquely as possible (preferably an absolute file path). This
+// attribute MUST NOT be used on the Profile signal since the data is already
+// captured in 'message Function'. This constraint is imposed to prevent
+// redundancy and maintain data integrity.
+func CodeFilePath(val string) attribute.KeyValue {
+	return CodeFilePathKey.String(val)
+}
+
+// CodeFunctionName returns an attribute KeyValue conforming to the
+// "code.function.name" semantic conventions. It represents the method or
+// function fully-qualified name without arguments. The value should fit the
+// natural representation of the language runtime, which is also likely the same
+// used within `code.stacktrace` attribute value. This attribute MUST NOT be used
+// on the Profile signal since the data is already captured in 'message
+// Function'. This constraint is imposed to prevent redundancy and maintain data
+// integrity.
+func CodeFunctionName(val string) attribute.KeyValue {
+	return CodeFunctionNameKey.String(val)
+}
+
+// CodeLineNumber returns an attribute KeyValue conforming to the
+// "code.line.number" semantic conventions. It represents the line number in
+// `code.file.path` best representing the operation. It SHOULD point within the
+// code unit named in `code.function.name`. This attribute MUST NOT be used on
+// the Profile signal since the data is already captured in 'message Line'. This
+// constraint is imposed to prevent redundancy and maintain data integrity.
+func CodeLineNumber(val int) attribute.KeyValue {
+	return CodeLineNumberKey.Int(val)
+}
+
+// CodeStacktrace returns an attribute KeyValue conforming to the
+// "code.stacktrace" semantic conventions. It represents a stacktrace as a string
+// in the natural representation for the language runtime. The representation is
+// identical to [`exception.stacktrace`]. This attribute MUST NOT be used on the
+// Profile signal since the data is already captured in 'message Location'. This
+// constraint is imposed to prevent redundancy and maintain data integrity.
+//
+// [`exception.stacktrace`]: /docs/exceptions/exceptions-spans.md#stacktrace-representation
+func CodeStacktrace(val string) attribute.KeyValue {
+	return CodeStacktraceKey.String(val)
+}
+
+// Namespace: container
+const (
+	// ContainerCommandKey is the attribute Key conforming to the
+	// "container.command" semantic conventions. It represents the command used to
+	// run the container (i.e. the command name).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "otelcontribcol"
+	// Note: If using embedded credentials or sensitive data, it is recommended to
+	// remove them to prevent potential leakage.
+	ContainerCommandKey = attribute.Key("container.command")
+
+	// ContainerCommandArgsKey is the attribute Key conforming to the
+	// "container.command_args" semantic conventions. It represents the all the
+	// command arguments (including the command/executable itself) run by the
+	// container.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "otelcontribcol", "--config", "config.yaml"
+	ContainerCommandArgsKey = attribute.Key("container.command_args")
+
+	// ContainerCommandLineKey is the attribute Key conforming to the
+	// "container.command_line" semantic conventions. It represents the full command
+	// run by the container as a single string representing the full command.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "otelcontribcol --config config.yaml"
+	ContainerCommandLineKey = attribute.Key("container.command_line")
+
+	// ContainerCSIPluginNameKey is the attribute Key conforming to the
+	// "container.csi.plugin.name" semantic conventions. It represents the name of
+	// the CSI ([Container Storage Interface]) plugin used by the volume.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "pd.csi.storage.gke.io"
+	// Note: This can sometimes be referred to as a "driver" in CSI implementations.
+	// This should represent the `name` field of the GetPluginInfo RPC.
+	//
+	// [Container Storage Interface]: https://github.com/container-storage-interface/spec
+	ContainerCSIPluginNameKey = attribute.Key("container.csi.plugin.name")
+
+	// ContainerCSIVolumeIDKey is the attribute Key conforming to the
+	// "container.csi.volume.id" semantic conventions. It represents the unique
+	// volume ID returned by the CSI ([Container Storage Interface]) plugin.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "projects/my-gcp-project/zones/my-gcp-zone/disks/my-gcp-disk"
+	// Note: This can sometimes be referred to as a "volume handle" in CSI
+	// implementations. This should represent the `Volume.volume_id` field in CSI
+	// spec.
+	//
+	// [Container Storage Interface]: https://github.com/container-storage-interface/spec
+	ContainerCSIVolumeIDKey = attribute.Key("container.csi.volume.id")
+
+	// ContainerIDKey is the attribute Key conforming to the "container.id" semantic
+	// conventions. It represents the container ID. Usually a UUID, as for example
+	// used to [identify Docker containers]. The UUID might be abbreviated.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "a3bf90e006b2"
+	//
+	// [identify Docker containers]: https://docs.docker.com/engine/containers/run/#container-identification
+	ContainerIDKey = attribute.Key("container.id")
+
+	// ContainerImageIDKey is the attribute Key conforming to the
+	// "container.image.id" semantic conventions. It represents the runtime specific
+	// image identifier. Usually a hash algorithm followed by a UUID.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f"
+	// Note: Docker defines a sha256 of the image id; `container.image.id`
+	// corresponds to the `Image` field from the Docker container inspect [API]
+	// endpoint.
+	// K8s defines a link to the container registry repository with digest
+	// `"imageID": "registry.azurecr.io /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`
+	// .
+	// The ID is assigned by the container runtime and can vary in different
+	// environments. Consider using `oci.manifest.digest` if it is important to
+	// identify the same image in different environments/runtimes.
+	//
+	// [API]: https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerInspect
+	ContainerImageIDKey = attribute.Key("container.image.id")
+
+	// ContainerImageNameKey is the attribute Key conforming to the
+	// "container.image.name" semantic conventions. It represents the name of the
+	// image the container was built on.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "gcr.io/opentelemetry/operator"
+	ContainerImageNameKey = attribute.Key("container.image.name")
+
+	// ContainerImageRepoDigestsKey is the attribute Key conforming to the
+	// "container.image.repo_digests" semantic conventions. It represents the repo
+	// digests of the container image as provided by the container runtime.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "example@sha256:afcc7f1ac1b49db317a7196c902e61c6c3c4607d63599ee1a82d702d249a0ccb",
+	// "internal.registry.example.com:5000/example@sha256:b69959407d21e8a062e0416bf13405bb2b71ed7a84dde4158ebafacfa06f5578"
+	// Note: [Docker] and [CRI] report those under the `RepoDigests` field.
+	//
+	// [Docker]: https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect
+	// [CRI]: https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238
+	ContainerImageRepoDigestsKey = attribute.Key("container.image.repo_digests")
+
+	// ContainerImageTagsKey is the attribute Key conforming to the
+	// "container.image.tags" semantic conventions. It represents the container
+	// image tags. An example can be found in [Docker Image Inspect]. Should be only
+	// the `<tag>` section of the full name for example from
+	// `registry.example.com/my-org/my-image:<tag>`.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "v1.27.1", "3.5.7-0"
+	//
+	// [Docker Image Inspect]: https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect
+	ContainerImageTagsKey = attribute.Key("container.image.tags")
+
+	// ContainerNameKey is the attribute Key conforming to the "container.name"
+	// semantic conventions. It represents the container name used by container
+	// runtime.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry-autoconf"
+	ContainerNameKey = attribute.Key("container.name")
+
+	// ContainerRuntimeKey is the attribute Key conforming to the
+	// "container.runtime" semantic conventions. It represents the container runtime
+	// managing this container.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "docker", "containerd", "rkt"
+	ContainerRuntimeKey = attribute.Key("container.runtime")
+)
+
+// ContainerCommand returns an attribute KeyValue conforming to the
+// "container.command" semantic conventions. It represents the command used to
+// run the container (i.e. the command name).
+func ContainerCommand(val string) attribute.KeyValue {
+	return ContainerCommandKey.String(val)
+}
+
+// ContainerCommandArgs returns an attribute KeyValue conforming to the
+// "container.command_args" semantic conventions. It represents the all the
+// command arguments (including the command/executable itself) run by the
+// container.
+func ContainerCommandArgs(val ...string) attribute.KeyValue {
+	return ContainerCommandArgsKey.StringSlice(val)
+}
+
+// ContainerCommandLine returns an attribute KeyValue conforming to the
+// "container.command_line" semantic conventions. It represents the full command
+// run by the container as a single string representing the full command.
+func ContainerCommandLine(val string) attribute.KeyValue {
+	return ContainerCommandLineKey.String(val)
+}
+
+// ContainerCSIPluginName returns an attribute KeyValue conforming to the
+// "container.csi.plugin.name" semantic conventions. It represents the name of
+// the CSI ([Container Storage Interface]) plugin used by the volume.
+//
+// [Container Storage Interface]: https://github.com/container-storage-interface/spec
+func ContainerCSIPluginName(val string) attribute.KeyValue {
+	return ContainerCSIPluginNameKey.String(val)
+}
+
+// ContainerCSIVolumeID returns an attribute KeyValue conforming to the
+// "container.csi.volume.id" semantic conventions. It represents the unique
+// volume ID returned by the CSI ([Container Storage Interface]) plugin.
+//
+// [Container Storage Interface]: https://github.com/container-storage-interface/spec
+func ContainerCSIVolumeID(val string) attribute.KeyValue {
+	return ContainerCSIVolumeIDKey.String(val)
+}
+
+// ContainerID returns an attribute KeyValue conforming to the "container.id"
+// semantic conventions. It represents the container ID. Usually a UUID, as for
+// example used to [identify Docker containers]. The UUID might be abbreviated.
+//
+// [identify Docker containers]: https://docs.docker.com/engine/containers/run/#container-identification
+func ContainerID(val string) attribute.KeyValue {
+	return ContainerIDKey.String(val)
+}
+
+// ContainerImageID returns an attribute KeyValue conforming to the
+// "container.image.id" semantic conventions. It represents the runtime specific
+// image identifier. Usually a hash algorithm followed by a UUID.
+func ContainerImageID(val string) attribute.KeyValue {
+	return ContainerImageIDKey.String(val)
+}
+
+// ContainerImageName returns an attribute KeyValue conforming to the
+// "container.image.name" semantic conventions. It represents the name of the
+// image the container was built on.
+func ContainerImageName(val string) attribute.KeyValue {
+	return ContainerImageNameKey.String(val)
+}
+
+// ContainerImageRepoDigests returns an attribute KeyValue conforming to the
+// "container.image.repo_digests" semantic conventions. It represents the repo
+// digests of the container image as provided by the container runtime.
+func ContainerImageRepoDigests(val ...string) attribute.KeyValue {
+	return ContainerImageRepoDigestsKey.StringSlice(val)
+}
+
+// ContainerImageTags returns an attribute KeyValue conforming to the
+// "container.image.tags" semantic conventions. It represents the container image
+// tags. An example can be found in [Docker Image Inspect]. Should be only the
+// `<tag>` section of the full name for example from
+// `registry.example.com/my-org/my-image:<tag>`.
+//
+// [Docker Image Inspect]: https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect
+func ContainerImageTags(val ...string) attribute.KeyValue {
+	return ContainerImageTagsKey.StringSlice(val)
+}
+
+// ContainerName returns an attribute KeyValue conforming to the "container.name"
+// semantic conventions. It represents the container name used by container
+// runtime.
+func ContainerName(val string) attribute.KeyValue {
+	return ContainerNameKey.String(val)
+}
+
+// ContainerRuntime returns an attribute KeyValue conforming to the
+// "container.runtime" semantic conventions. It represents the container runtime
+// managing this container.
+func ContainerRuntime(val string) attribute.KeyValue {
+	return ContainerRuntimeKey.String(val)
+}
+
+// Namespace: cpu
+const (
+	// CPULogicalNumberKey is the attribute Key conforming to the
+	// "cpu.logical_number" semantic conventions. It represents the logical CPU
+	// number [0..n-1].
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1
+	CPULogicalNumberKey = attribute.Key("cpu.logical_number")
+
+	// CPUModeKey is the attribute Key conforming to the "cpu.mode" semantic
+	// conventions. It represents the mode of the CPU.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "user", "system"
+	CPUModeKey = attribute.Key("cpu.mode")
+)
+
+// CPULogicalNumber returns an attribute KeyValue conforming to the
+// "cpu.logical_number" semantic conventions. It represents the logical CPU
+// number [0..n-1].
+func CPULogicalNumber(val int) attribute.KeyValue {
+	return CPULogicalNumberKey.Int(val)
+}
+
+// Enum values for cpu.mode
+var (
+	// user
+	// Stability: development
+	CPUModeUser = CPUModeKey.String("user")
+	// system
+	// Stability: development
+	CPUModeSystem = CPUModeKey.String("system")
+	// nice
+	// Stability: development
+	CPUModeNice = CPUModeKey.String("nice")
+	// idle
+	// Stability: development
+	CPUModeIdle = CPUModeKey.String("idle")
+	// iowait
+	// Stability: development
+	CPUModeIOWait = CPUModeKey.String("iowait")
+	// interrupt
+	// Stability: development
+	CPUModeInterrupt = CPUModeKey.String("interrupt")
+	// steal
+	// Stability: development
+	CPUModeSteal = CPUModeKey.String("steal")
+	// kernel
+	// Stability: development
+	CPUModeKernel = CPUModeKey.String("kernel")
+)
+
+// Namespace: db
+const (
+	// DBClientConnectionPoolNameKey is the attribute Key conforming to the
+	// "db.client.connection.pool.name" semantic conventions. It represents the name
+	// of the connection pool; unique within the instrumented application. In case
+	// the connection pool implementation doesn't provide a name, instrumentation
+	// SHOULD use a combination of parameters that would make the name unique, for
+	// example, combining attributes `server.address`, `server.port`, and
+	// `db.namespace`, formatted as `server.address:server.port/db.namespace`.
+	// Instrumentations that generate connection pool name following different
+	// patterns SHOULD document it.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "myDataSource"
+	DBClientConnectionPoolNameKey = attribute.Key("db.client.connection.pool.name")
+
+	// DBClientConnectionStateKey is the attribute Key conforming to the
+	// "db.client.connection.state" semantic conventions. It represents the state of
+	// a connection in the pool.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "idle"
+	DBClientConnectionStateKey = attribute.Key("db.client.connection.state")
+
+	// DBCollectionNameKey is the attribute Key conforming to the
+	// "db.collection.name" semantic conventions. It represents the name of a
+	// collection (table, container) within the database.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "public.users", "customers"
+	// Note: It is RECOMMENDED to capture the value as provided by the application
+	// without attempting to do any case normalization.
+	//
+	// The collection name SHOULD NOT be extracted from `db.query.text`,
+	// when the database system supports query text with multiple collections
+	// in non-batch operations.
+	//
+	// For batch operations, if the individual operations are known to have the same
+	// collection name then that collection name SHOULD be used.
+	DBCollectionNameKey = attribute.Key("db.collection.name")
+
+	// DBNamespaceKey is the attribute Key conforming to the "db.namespace" semantic
+	// conventions. It represents the name of the database, fully qualified within
+	// the server address and port.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "customers", "test.users"
+	// Note: If a database system has multiple namespace components, they SHOULD be
+	// concatenated from the most general to the most specific namespace component,
+	// using `|` as a separator between the components. Any missing components (and
+	// their associated separators) SHOULD be omitted.
+	// Semantic conventions for individual database systems SHOULD document what
+	// `db.namespace` means in the context of that system.
+	// It is RECOMMENDED to capture the value as provided by the application without
+	// attempting to do any case normalization.
+	DBNamespaceKey = attribute.Key("db.namespace")
+
+	// DBOperationBatchSizeKey is the attribute Key conforming to the
+	// "db.operation.batch.size" semantic conventions. It represents the number of
+	// queries included in a batch operation.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: 2, 3, 4
+	// Note: Operations are only considered batches when they contain two or more
+	// operations, and so `db.operation.batch.size` SHOULD never be `1`.
+	DBOperationBatchSizeKey = attribute.Key("db.operation.batch.size")
+
+	// DBOperationNameKey is the attribute Key conforming to the "db.operation.name"
+	// semantic conventions. It represents the name of the operation or command
+	// being executed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "findAndModify", "HMSET", "SELECT"
+	// Note: It is RECOMMENDED to capture the value as provided by the application
+	// without attempting to do any case normalization.
+	//
+	// The operation name SHOULD NOT be extracted from `db.query.text`,
+	// when the database system supports query text with multiple operations
+	// in non-batch operations.
+	//
+	// If spaces can occur in the operation name, multiple consecutive spaces
+	// SHOULD be normalized to a single space.
+	//
+	// For batch operations, if the individual operations are known to have the same
+	// operation name
+	// then that operation name SHOULD be used prepended by `BATCH `,
+	// otherwise `db.operation.name` SHOULD be `BATCH` or some other database
+	// system specific term if more applicable.
+	DBOperationNameKey = attribute.Key("db.operation.name")
+
+	// DBQuerySummaryKey is the attribute Key conforming to the "db.query.summary"
+	// semantic conventions. It represents the low cardinality summary of a database
+	// query.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "SELECT wuser_table", "INSERT shipping_details SELECT orders", "get
+	// user by id"
+	// Note: The query summary describes a class of database queries and is useful
+	// as a grouping key, especially when analyzing telemetry for database
+	// calls involving complex queries.
+	//
+	// Summary may be available to the instrumentation through
+	// instrumentation hooks or other means. If it is not available,
+	// instrumentations
+	// that support query parsing SHOULD generate a summary following
+	// [Generating query summary]
+	// section.
+	//
+	// [Generating query summary]: /docs/database/database-spans.md#generating-a-summary-of-the-query
+	DBQuerySummaryKey = attribute.Key("db.query.summary")
+
+	// DBQueryTextKey is the attribute Key conforming to the "db.query.text"
+	// semantic conventions. It represents the database query being executed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "SELECT * FROM wuser_table where username = ?", "SET mykey ?"
+	// Note: For sanitization see [Sanitization of `db.query.text`].
+	// For batch operations, if the individual operations are known to have the same
+	// query text then that query text SHOULD be used, otherwise all of the
+	// individual query texts SHOULD be concatenated with separator `; ` or some
+	// other database system specific separator if more applicable.
+	// Parameterized query text SHOULD NOT be sanitized. Even though parameterized
+	// query text can potentially have sensitive data, by using a parameterized
+	// query the user is giving a strong signal that any sensitive data will be
+	// passed as parameter values, and the benefit to observability of capturing the
+	// static part of the query text by default outweighs the risk.
+	//
+	// [Sanitization of `db.query.text`]: /docs/database/database-spans.md#sanitization-of-dbquerytext
+	DBQueryTextKey = attribute.Key("db.query.text")
+
+	// DBResponseReturnedRowsKey is the attribute Key conforming to the
+	// "db.response.returned_rows" semantic conventions. It represents the number of
+	// rows returned by the operation.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 10, 30, 1000
+	DBResponseReturnedRowsKey = attribute.Key("db.response.returned_rows")
+
+	// DBResponseStatusCodeKey is the attribute Key conforming to the
+	// "db.response.status_code" semantic conventions. It represents the database
+	// response status code.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "102", "ORA-17002", "08P01", "404"
+	// Note: The status code returned by the database. Usually it represents an
+	// error code, but may also represent partial success, warning, or differentiate
+	// between various types of successful outcomes.
+	// Semantic conventions for individual database systems SHOULD document what
+	// `db.response.status_code` means in the context of that system.
+	DBResponseStatusCodeKey = attribute.Key("db.response.status_code")
+
+	// DBStoredProcedureNameKey is the attribute Key conforming to the
+	// "db.stored_procedure.name" semantic conventions. It represents the name of a
+	// stored procedure within the database.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "GetCustomer"
+	// Note: It is RECOMMENDED to capture the value as provided by the application
+	// without attempting to do any case normalization.
+	//
+	// For batch operations, if the individual operations are known to have the same
+	// stored procedure name then that stored procedure name SHOULD be used.
+	DBStoredProcedureNameKey = attribute.Key("db.stored_procedure.name")
+
+	// DBSystemNameKey is the attribute Key conforming to the "db.system.name"
+	// semantic conventions. It represents the database management system (DBMS)
+	// product as identified by the client instrumentation.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples:
+	// Note: The actual DBMS may differ from the one identified by the client. For
+	// example, when using PostgreSQL client libraries to connect to a CockroachDB,
+	// the `db.system.name` is set to `postgresql` based on the instrumentation's
+	// best knowledge.
+	DBSystemNameKey = attribute.Key("db.system.name")
+)
+
+// DBClientConnectionPoolName returns an attribute KeyValue conforming to the
+// "db.client.connection.pool.name" semantic conventions. It represents the name
+// of the connection pool; unique within the instrumented application. In case
+// the connection pool implementation doesn't provide a name, instrumentation
+// SHOULD use a combination of parameters that would make the name unique, for
+// example, combining attributes `server.address`, `server.port`, and
+// `db.namespace`, formatted as `server.address:server.port/db.namespace`.
+// Instrumentations that generate connection pool name following different
+// patterns SHOULD document it.
+func DBClientConnectionPoolName(val string) attribute.KeyValue {
+	return DBClientConnectionPoolNameKey.String(val)
+}
+
+// DBCollectionName returns an attribute KeyValue conforming to the
+// "db.collection.name" semantic conventions. It represents the name of a
+// collection (table, container) within the database.
+func DBCollectionName(val string) attribute.KeyValue {
+	return DBCollectionNameKey.String(val)
+}
+
+// DBNamespace returns an attribute KeyValue conforming to the "db.namespace"
+// semantic conventions. It represents the name of the database, fully qualified
+// within the server address and port.
+func DBNamespace(val string) attribute.KeyValue {
+	return DBNamespaceKey.String(val)
+}
+
+// DBOperationBatchSize returns an attribute KeyValue conforming to the
+// "db.operation.batch.size" semantic conventions. It represents the number of
+// queries included in a batch operation.
+func DBOperationBatchSize(val int) attribute.KeyValue {
+	return DBOperationBatchSizeKey.Int(val)
+}
+
+// DBOperationName returns an attribute KeyValue conforming to the
+// "db.operation.name" semantic conventions. It represents the name of the
+// operation or command being executed.
+func DBOperationName(val string) attribute.KeyValue {
+	return DBOperationNameKey.String(val)
+}
+
+// DBQuerySummary returns an attribute KeyValue conforming to the
+// "db.query.summary" semantic conventions. It represents the low cardinality
+// summary of a database query.
+func DBQuerySummary(val string) attribute.KeyValue {
+	return DBQuerySummaryKey.String(val)
+}
+
+// DBQueryText returns an attribute KeyValue conforming to the "db.query.text"
+// semantic conventions. It represents the database query being executed.
+func DBQueryText(val string) attribute.KeyValue {
+	return DBQueryTextKey.String(val)
+}
+
+// DBResponseReturnedRows returns an attribute KeyValue conforming to the
+// "db.response.returned_rows" semantic conventions. It represents the number of
+// rows returned by the operation.
+func DBResponseReturnedRows(val int) attribute.KeyValue {
+	return DBResponseReturnedRowsKey.Int(val)
+}
+
+// DBResponseStatusCode returns an attribute KeyValue conforming to the
+// "db.response.status_code" semantic conventions. It represents the database
+// response status code.
+func DBResponseStatusCode(val string) attribute.KeyValue {
+	return DBResponseStatusCodeKey.String(val)
+}
+
+// DBStoredProcedureName returns an attribute KeyValue conforming to the
+// "db.stored_procedure.name" semantic conventions. It represents the name of a
+// stored procedure within the database.
+func DBStoredProcedureName(val string) attribute.KeyValue {
+	return DBStoredProcedureNameKey.String(val)
+}
+
+// Enum values for db.client.connection.state
+var (
+	// idle
+	// Stability: development
+	DBClientConnectionStateIdle = DBClientConnectionStateKey.String("idle")
+	// used
+	// Stability: development
+	DBClientConnectionStateUsed = DBClientConnectionStateKey.String("used")
+)
+
+// Enum values for db.system.name
+var (
+	// Some other SQL database. Fallback only.
+	// Stability: development
+	DBSystemNameOtherSQL = DBSystemNameKey.String("other_sql")
+	// [Adabas (Adaptable Database System)]
+	// Stability: development
+	//
+	// [Adabas (Adaptable Database System)]: https://documentation.softwareag.com/?pf=adabas
+	DBSystemNameSoftwareagAdabas = DBSystemNameKey.String("softwareag.adabas")
+	// [Actian Ingres]
+	// Stability: development
+	//
+	// [Actian Ingres]: https://www.actian.com/databases/ingres/
+	DBSystemNameActianIngres = DBSystemNameKey.String("actian.ingres")
+	// [Amazon DynamoDB]
+	// Stability: development
+	//
+	// [Amazon DynamoDB]: https://aws.amazon.com/pm/dynamodb/
+	DBSystemNameAWSDynamoDB = DBSystemNameKey.String("aws.dynamodb")
+	// [Amazon Redshift]
+	// Stability: development
+	//
+	// [Amazon Redshift]: https://aws.amazon.com/redshift/
+	DBSystemNameAWSRedshift = DBSystemNameKey.String("aws.redshift")
+	// [Azure Cosmos DB]
+	// Stability: development
+	//
+	// [Azure Cosmos DB]: https://learn.microsoft.com/azure/cosmos-db
+	DBSystemNameAzureCosmosDB = DBSystemNameKey.String("azure.cosmosdb")
+	// [InterSystems Caché]
+	// Stability: development
+	//
+	// [InterSystems Caché]: https://www.intersystems.com/products/cache/
+	DBSystemNameIntersystemsCache = DBSystemNameKey.String("intersystems.cache")
+	// [Apache Cassandra]
+	// Stability: development
+	//
+	// [Apache Cassandra]: https://cassandra.apache.org/
+	DBSystemNameCassandra = DBSystemNameKey.String("cassandra")
+	// [ClickHouse]
+	// Stability: development
+	//
+	// [ClickHouse]: https://clickhouse.com/
+	DBSystemNameClickHouse = DBSystemNameKey.String("clickhouse")
+	// [CockroachDB]
+	// Stability: development
+	//
+	// [CockroachDB]: https://www.cockroachlabs.com/
+	DBSystemNameCockroachDB = DBSystemNameKey.String("cockroachdb")
+	// [Couchbase]
+	// Stability: development
+	//
+	// [Couchbase]: https://www.couchbase.com/
+	DBSystemNameCouchbase = DBSystemNameKey.String("couchbase")
+	// [Apache CouchDB]
+	// Stability: development
+	//
+	// [Apache CouchDB]: https://couchdb.apache.org/
+	DBSystemNameCouchDB = DBSystemNameKey.String("couchdb")
+	// [Apache Derby]
+	// Stability: development
+	//
+	// [Apache Derby]: https://db.apache.org/derby/
+	DBSystemNameDerby = DBSystemNameKey.String("derby")
+	// [Elasticsearch]
+	// Stability: development
+	//
+	// [Elasticsearch]: https://www.elastic.co/elasticsearch
+	DBSystemNameElasticsearch = DBSystemNameKey.String("elasticsearch")
+	// [Firebird]
+	// Stability: development
+	//
+	// [Firebird]: https://www.firebirdsql.org/
+	DBSystemNameFirebirdSQL = DBSystemNameKey.String("firebirdsql")
+	// [Google Cloud Spanner]
+	// Stability: development
+	//
+	// [Google Cloud Spanner]: https://cloud.google.com/spanner
+	DBSystemNameGCPSpanner = DBSystemNameKey.String("gcp.spanner")
+	// [Apache Geode]
+	// Stability: development
+	//
+	// [Apache Geode]: https://geode.apache.org/
+	DBSystemNameGeode = DBSystemNameKey.String("geode")
+	// [H2 Database]
+	// Stability: development
+	//
+	// [H2 Database]: https://h2database.com/
+	DBSystemNameH2database = DBSystemNameKey.String("h2database")
+	// [Apache HBase]
+	// Stability: development
+	//
+	// [Apache HBase]: https://hbase.apache.org/
+	DBSystemNameHBase = DBSystemNameKey.String("hbase")
+	// [Apache Hive]
+	// Stability: development
+	//
+	// [Apache Hive]: https://hive.apache.org/
+	DBSystemNameHive = DBSystemNameKey.String("hive")
+	// [HyperSQL Database]
+	// Stability: development
+	//
+	// [HyperSQL Database]: https://hsqldb.org/
+	DBSystemNameHSQLDB = DBSystemNameKey.String("hsqldb")
+	// [IBM Db2]
+	// Stability: development
+	//
+	// [IBM Db2]: https://www.ibm.com/db2
+	DBSystemNameIBMDB2 = DBSystemNameKey.String("ibm.db2")
+	// [IBM Informix]
+	// Stability: development
+	//
+	// [IBM Informix]: https://www.ibm.com/products/informix
+	DBSystemNameIBMInformix = DBSystemNameKey.String("ibm.informix")
+	// [IBM Netezza]
+	// Stability: development
+	//
+	// [IBM Netezza]: https://www.ibm.com/products/netezza
+	DBSystemNameIBMNetezza = DBSystemNameKey.String("ibm.netezza")
+	// [InfluxDB]
+	// Stability: development
+	//
+	// [InfluxDB]: https://www.influxdata.com/
+	DBSystemNameInfluxDB = DBSystemNameKey.String("influxdb")
+	// [Instant]
+	// Stability: development
+	//
+	// [Instant]: https://www.instantdb.com/
+	DBSystemNameInstantDB = DBSystemNameKey.String("instantdb")
+	// [MariaDB]
+	// Stability: stable
+	//
+	// [MariaDB]: https://mariadb.org/
+	DBSystemNameMariaDB = DBSystemNameKey.String("mariadb")
+	// [Memcached]
+	// Stability: development
+	//
+	// [Memcached]: https://memcached.org/
+	DBSystemNameMemcached = DBSystemNameKey.String("memcached")
+	// [MongoDB]
+	// Stability: development
+	//
+	// [MongoDB]: https://www.mongodb.com/
+	DBSystemNameMongoDB = DBSystemNameKey.String("mongodb")
+	// [Microsoft SQL Server]
+	// Stability: stable
+	//
+	// [Microsoft SQL Server]: https://www.microsoft.com/sql-server
+	DBSystemNameMicrosoftSQLServer = DBSystemNameKey.String("microsoft.sql_server")
+	// [MySQL]
+	// Stability: stable
+	//
+	// [MySQL]: https://www.mysql.com/
+	DBSystemNameMySQL = DBSystemNameKey.String("mysql")
+	// [Neo4j]
+	// Stability: development
+	//
+	// [Neo4j]: https://neo4j.com/
+	DBSystemNameNeo4j = DBSystemNameKey.String("neo4j")
+	// [OpenSearch]
+	// Stability: development
+	//
+	// [OpenSearch]: https://opensearch.org/
+	DBSystemNameOpenSearch = DBSystemNameKey.String("opensearch")
+	// [Oracle Database]
+	// Stability: development
+	//
+	// [Oracle Database]: https://www.oracle.com/database/
+	DBSystemNameOracleDB = DBSystemNameKey.String("oracle.db")
+	// [PostgreSQL]
+	// Stability: stable
+	//
+	// [PostgreSQL]: https://www.postgresql.org/
+	DBSystemNamePostgreSQL = DBSystemNameKey.String("postgresql")
+	// [Redis]
+	// Stability: development
+	//
+	// [Redis]: https://redis.io/
+	DBSystemNameRedis = DBSystemNameKey.String("redis")
+	// [SAP HANA]
+	// Stability: development
+	//
+	// [SAP HANA]: https://www.sap.com/products/technology-platform/hana/what-is-sap-hana.html
+	DBSystemNameSAPHANA = DBSystemNameKey.String("sap.hana")
+	// [SAP MaxDB]
+	// Stability: development
+	//
+	// [SAP MaxDB]: https://maxdb.sap.com/
+	DBSystemNameSAPMaxDB = DBSystemNameKey.String("sap.maxdb")
+	// [SQLite]
+	// Stability: development
+	//
+	// [SQLite]: https://www.sqlite.org/
+	DBSystemNameSQLite = DBSystemNameKey.String("sqlite")
+	// [Teradata]
+	// Stability: development
+	//
+	// [Teradata]: https://www.teradata.com/
+	DBSystemNameTeradata = DBSystemNameKey.String("teradata")
+	// [Trino]
+	// Stability: development
+	//
+	// [Trino]: https://trino.io/
+	DBSystemNameTrino = DBSystemNameKey.String("trino")
+)
+
+// Namespace: deployment
+const (
+	// DeploymentEnvironmentNameKey is the attribute Key conforming to the
+	// "deployment.environment.name" semantic conventions. It represents the name of
+	// the [deployment environment] (aka deployment tier).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "staging", "production"
+	// Note: `deployment.environment.name` does not affect the uniqueness
+	// constraints defined through
+	// the `service.namespace`, `service.name` and `service.instance.id` resource
+	// attributes.
+	// This implies that resources carrying the following attribute combinations
+	// MUST be
+	// considered to be identifying the same service:
+	//
+	//   - `service.name=frontend`, `deployment.environment.name=production`
+	//   - `service.name=frontend`, `deployment.environment.name=staging`.
+	//
+	//
+	// [deployment environment]: https://wikipedia.org/wiki/Deployment_environment
+	DeploymentEnvironmentNameKey = attribute.Key("deployment.environment.name")
+
+	// DeploymentIDKey is the attribute Key conforming to the "deployment.id"
+	// semantic conventions. It represents the id of the deployment.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1208"
+	DeploymentIDKey = attribute.Key("deployment.id")
+
+	// DeploymentNameKey is the attribute Key conforming to the "deployment.name"
+	// semantic conventions. It represents the name of the deployment.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "deploy my app", "deploy-frontend"
+	DeploymentNameKey = attribute.Key("deployment.name")
+
+	// DeploymentStatusKey is the attribute Key conforming to the
+	// "deployment.status" semantic conventions. It represents the status of the
+	// deployment.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	DeploymentStatusKey = attribute.Key("deployment.status")
+)
+
+// DeploymentEnvironmentName returns an attribute KeyValue conforming to the
+// "deployment.environment.name" semantic conventions. It represents the name of
+// the [deployment environment] (aka deployment tier).
+//
+// [deployment environment]: https://wikipedia.org/wiki/Deployment_environment
+func DeploymentEnvironmentName(val string) attribute.KeyValue {
+	return DeploymentEnvironmentNameKey.String(val)
+}
+
+// DeploymentID returns an attribute KeyValue conforming to the "deployment.id"
+// semantic conventions. It represents the id of the deployment.
+func DeploymentID(val string) attribute.KeyValue {
+	return DeploymentIDKey.String(val)
+}
+
+// DeploymentName returns an attribute KeyValue conforming to the
+// "deployment.name" semantic conventions. It represents the name of the
+// deployment.
+func DeploymentName(val string) attribute.KeyValue {
+	return DeploymentNameKey.String(val)
+}
+
+// Enum values for deployment.status
+var (
+	// failed
+	// Stability: development
+	DeploymentStatusFailed = DeploymentStatusKey.String("failed")
+	// succeeded
+	// Stability: development
+	DeploymentStatusSucceeded = DeploymentStatusKey.String("succeeded")
+)
+
+// Namespace: destination
+const (
+	// DestinationAddressKey is the attribute Key conforming to the
+	// "destination.address" semantic conventions. It represents the destination
+	// address - domain name if available without reverse DNS lookup; otherwise, IP
+	// address or Unix domain socket name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "destination.example.com", "10.1.2.80", "/tmp/my.sock"
+	// Note: When observed from the source side, and when communicating through an
+	// intermediary, `destination.address` SHOULD represent the destination address
+	// behind any intermediaries, for example proxies, if it's available.
+	DestinationAddressKey = attribute.Key("destination.address")
+
+	// DestinationPortKey is the attribute Key conforming to the "destination.port"
+	// semantic conventions. It represents the destination port number.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 3389, 2888
+	DestinationPortKey = attribute.Key("destination.port")
+)
+
+// DestinationAddress returns an attribute KeyValue conforming to the
+// "destination.address" semantic conventions. It represents the destination
+// address - domain name if available without reverse DNS lookup; otherwise, IP
+// address or Unix domain socket name.
+func DestinationAddress(val string) attribute.KeyValue {
+	return DestinationAddressKey.String(val)
+}
+
+// DestinationPort returns an attribute KeyValue conforming to the
+// "destination.port" semantic conventions. It represents the destination port
+// number.
+func DestinationPort(val int) attribute.KeyValue {
+	return DestinationPortKey.Int(val)
+}
+
+// Namespace: device
+const (
+	// DeviceIDKey is the attribute Key conforming to the "device.id" semantic
+	// conventions. It represents a unique identifier representing the device.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "123456789012345", "01:23:45:67:89:AB"
+	// Note: Its value SHOULD be identical for all apps on a device and it SHOULD
+	// NOT change if an app is uninstalled and re-installed.
+	// However, it might be resettable by the user for all apps on a device.
+	// Hardware IDs (e.g. vendor-specific serial number, IMEI or MAC address) MAY be
+	// used as values.
+	//
+	// More information about Android identifier best practices can be found [here]
+	// .
+	//
+	// > [!WARNING]> This attribute may contain sensitive (PII) information. Caution
+	// > should be taken when storing personal data or anything which can identify a
+	// > user. GDPR and data protection laws may apply,
+	// > ensure you do your own due diligence.> Due to these reasons, this
+	// > identifier is not recommended for consumer applications and will likely
+	// > result in rejection from both Google Play and App Store.
+	// > However, it may be appropriate for specific enterprise scenarios, such as
+	// > kiosk devices or enterprise-managed devices, with appropriate compliance
+	// > clearance.
+	// > Any instrumentation providing this identifier MUST implement it as an
+	// > opt-in feature.> See [`app.installation.id`]>  for a more
+	// > privacy-preserving alternative.
+	//
+	// [here]: https://developer.android.com/training/articles/user-data-ids
+	// [`app.installation.id`]: /docs/registry/attributes/app.md#app-installation-id
+	DeviceIDKey = attribute.Key("device.id")
+
+	// DeviceManufacturerKey is the attribute Key conforming to the
+	// "device.manufacturer" semantic conventions. It represents the name of the
+	// device manufacturer.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Apple", "Samsung"
+	// Note: The Android OS provides this field via [Build]. iOS apps SHOULD
+	// hardcode the value `Apple`.
+	//
+	// [Build]: https://developer.android.com/reference/android/os/Build#MANUFACTURER
+	DeviceManufacturerKey = attribute.Key("device.manufacturer")
+
+	// DeviceModelIdentifierKey is the attribute Key conforming to the
+	// "device.model.identifier" semantic conventions. It represents the model
+	// identifier for the device.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "iPhone3,4", "SM-G920F"
+	// Note: It's recommended this value represents a machine-readable version of
+	// the model identifier rather than the market or consumer-friendly name of the
+	// device.
+	DeviceModelIdentifierKey = attribute.Key("device.model.identifier")
+
+	// DeviceModelNameKey is the attribute Key conforming to the "device.model.name"
+	// semantic conventions. It represents the marketing name for the device model.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "iPhone 6s Plus", "Samsung Galaxy S6"
+	// Note: It's recommended this value represents a human-readable version of the
+	// device model rather than a machine-readable alternative.
+	DeviceModelNameKey = attribute.Key("device.model.name")
+)
+
+// DeviceID returns an attribute KeyValue conforming to the "device.id" semantic
+// conventions. It represents a unique identifier representing the device.
+func DeviceID(val string) attribute.KeyValue {
+	return DeviceIDKey.String(val)
+}
+
+// DeviceManufacturer returns an attribute KeyValue conforming to the
+// "device.manufacturer" semantic conventions. It represents the name of the
+// device manufacturer.
+func DeviceManufacturer(val string) attribute.KeyValue {
+	return DeviceManufacturerKey.String(val)
+}
+
+// DeviceModelIdentifier returns an attribute KeyValue conforming to the
+// "device.model.identifier" semantic conventions. It represents the model
+// identifier for the device.
+func DeviceModelIdentifier(val string) attribute.KeyValue {
+	return DeviceModelIdentifierKey.String(val)
+}
+
+// DeviceModelName returns an attribute KeyValue conforming to the
+// "device.model.name" semantic conventions. It represents the marketing name for
+// the device model.
+func DeviceModelName(val string) attribute.KeyValue {
+	return DeviceModelNameKey.String(val)
+}
+
+// Namespace: disk
+const (
+	// DiskIODirectionKey is the attribute Key conforming to the "disk.io.direction"
+	// semantic conventions. It represents the disk IO operation direction.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "read"
+	DiskIODirectionKey = attribute.Key("disk.io.direction")
+)
+
+// Enum values for disk.io.direction
+var (
+	// read
+	// Stability: development
+	DiskIODirectionRead = DiskIODirectionKey.String("read")
+	// write
+	// Stability: development
+	DiskIODirectionWrite = DiskIODirectionKey.String("write")
+)
+
+// Namespace: dns
+const (
+	// DNSQuestionNameKey is the attribute Key conforming to the "dns.question.name"
+	// semantic conventions. It represents the name being queried.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "www.example.com", "opentelemetry.io"
+	// Note: If the name field contains non-printable characters (below 32 or above
+	// 126), those characters should be represented as escaped base 10 integers
+	// (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns,
+	// and line feeds should be converted to \t, \r, and \n respectively.
+	DNSQuestionNameKey = attribute.Key("dns.question.name")
+)
+
+// DNSQuestionName returns an attribute KeyValue conforming to the
+// "dns.question.name" semantic conventions. It represents the name being
+// queried.
+func DNSQuestionName(val string) attribute.KeyValue {
+	return DNSQuestionNameKey.String(val)
+}
+
+// Namespace: elasticsearch
+const (
+	// ElasticsearchNodeNameKey is the attribute Key conforming to the
+	// "elasticsearch.node.name" semantic conventions. It represents the represents
+	// the human-readable identifier of the node/instance to which a request was
+	// routed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "instance-0000000001"
+	ElasticsearchNodeNameKey = attribute.Key("elasticsearch.node.name")
+)
+
+// ElasticsearchNodeName returns an attribute KeyValue conforming to the
+// "elasticsearch.node.name" semantic conventions. It represents the represents
+// the human-readable identifier of the node/instance to which a request was
+// routed.
+func ElasticsearchNodeName(val string) attribute.KeyValue {
+	return ElasticsearchNodeNameKey.String(val)
+}
+
+// Namespace: enduser
+const (
+	// EnduserIDKey is the attribute Key conforming to the "enduser.id" semantic
+	// conventions. It represents the unique identifier of an end user in the
+	// system. It maybe a username, email address, or other identifier.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "username"
+	// Note: Unique identifier of an end user in the system.
+	//
+	// > [!Warning]
+	// > This field contains sensitive (PII) information.
+	EnduserIDKey = attribute.Key("enduser.id")
+
+	// EnduserPseudoIDKey is the attribute Key conforming to the "enduser.pseudo.id"
+	// semantic conventions. It represents the pseudonymous identifier of an end
+	// user. This identifier should be a random value that is not directly linked or
+	// associated with the end user's actual identity.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "QdH5CAWJgqVT4rOr0qtumf"
+	// Note: Pseudonymous identifier of an end user.
+	//
+	// > [!Warning]
+	// > This field contains sensitive (linkable PII) information.
+	EnduserPseudoIDKey = attribute.Key("enduser.pseudo.id")
+)
+
+// EnduserID returns an attribute KeyValue conforming to the "enduser.id"
+// semantic conventions. It represents the unique identifier of an end user in
+// the system. It maybe a username, email address, or other identifier.
+func EnduserID(val string) attribute.KeyValue {
+	return EnduserIDKey.String(val)
+}
+
+// EnduserPseudoID returns an attribute KeyValue conforming to the
+// "enduser.pseudo.id" semantic conventions. It represents the pseudonymous
+// identifier of an end user. This identifier should be a random value that is
+// not directly linked or associated with the end user's actual identity.
+func EnduserPseudoID(val string) attribute.KeyValue {
+	return EnduserPseudoIDKey.String(val)
+}
+
+// Namespace: error
+const (
+	// ErrorMessageKey is the attribute Key conforming to the "error.message"
+	// semantic conventions. It represents a message providing more detail about an
+	// error in human-readable form.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Unexpected input type: string", "The user has exceeded their
+	// storage quota"
+	// Note: `error.message` should provide additional context and detail about an
+	// error.
+	// It is NOT RECOMMENDED to duplicate the value of `error.type` in
+	// `error.message`.
+	// It is also NOT RECOMMENDED to duplicate the value of `exception.message` in
+	// `error.message`.
+	//
+	// `error.message` is NOT RECOMMENDED for metrics or spans due to its unbounded
+	// cardinality and overlap with span status.
+	ErrorMessageKey = attribute.Key("error.message")
+
+	// ErrorTypeKey is the attribute Key conforming to the "error.type" semantic
+	// conventions. It represents the describes a class of error the operation ended
+	// with.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "timeout", "java.net.UnknownHostException",
+	// "server_certificate_invalid", "500"
+	// Note: The `error.type` SHOULD be predictable, and SHOULD have low
+	// cardinality.
+	//
+	// When `error.type` is set to a type (e.g., an exception type), its
+	// canonical class name identifying the type within the artifact SHOULD be used.
+	//
+	// Instrumentations SHOULD document the list of errors they report.
+	//
+	// The cardinality of `error.type` within one instrumentation library SHOULD be
+	// low.
+	// Telemetry consumers that aggregate data from multiple instrumentation
+	// libraries and applications
+	// should be prepared for `error.type` to have high cardinality at query time
+	// when no
+	// additional filters are applied.
+	//
+	// If the operation has completed successfully, instrumentations SHOULD NOT set
+	// `error.type`.
+	//
+	// If a specific domain defines its own set of error identifiers (such as HTTP
+	// or gRPC status codes),
+	// it's RECOMMENDED to:
+	//
+	//   - Use a domain-specific attribute
+	//   - Set `error.type` to capture all errors, regardless of whether they are
+	//     defined within the domain-specific set or not.
+	ErrorTypeKey = attribute.Key("error.type")
+)
+
+// ErrorMessage returns an attribute KeyValue conforming to the "error.message"
+// semantic conventions. It represents a message providing more detail about an
+// error in human-readable form.
+func ErrorMessage(val string) attribute.KeyValue {
+	return ErrorMessageKey.String(val)
+}
+
+// Enum values for error.type
+var (
+	// A fallback error value to be used when the instrumentation doesn't define a
+	// custom value.
+	//
+	// Stability: stable
+	ErrorTypeOther = ErrorTypeKey.String("_OTHER")
+)
+
+// Namespace: exception
+const (
+	// ExceptionMessageKey is the attribute Key conforming to the
+	// "exception.message" semantic conventions. It represents the exception
+	// message.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "Division by zero", "Can't convert 'int' object to str implicitly"
+	ExceptionMessageKey = attribute.Key("exception.message")
+
+	// ExceptionStacktraceKey is the attribute Key conforming to the
+	// "exception.stacktrace" semantic conventions. It represents a stacktrace as a
+	// string in the natural representation for the language runtime. The
+	// representation is to be determined and documented by each language SIG.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: Exception in thread "main" java.lang.RuntimeException: Test
+	// exception\n at com.example.GenerateTrace.methodB(GenerateTrace.java:13)\n at
+	// com.example.GenerateTrace.methodA(GenerateTrace.java:9)\n at
+	// com.example.GenerateTrace.main(GenerateTrace.java:5)
+	ExceptionStacktraceKey = attribute.Key("exception.stacktrace")
+
+	// ExceptionTypeKey is the attribute Key conforming to the "exception.type"
+	// semantic conventions. It represents the type of the exception (its
+	// fully-qualified class name, if applicable). The dynamic type of the exception
+	// should be preferred over the static type in languages that support it.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "java.net.ConnectException", "OSError"
+	ExceptionTypeKey = attribute.Key("exception.type")
+)
+
+// ExceptionMessage returns an attribute KeyValue conforming to the
+// "exception.message" semantic conventions. It represents the exception message.
+func ExceptionMessage(val string) attribute.KeyValue {
+	return ExceptionMessageKey.String(val)
+}
+
+// ExceptionStacktrace returns an attribute KeyValue conforming to the
+// "exception.stacktrace" semantic conventions. It represents a stacktrace as a
+// string in the natural representation for the language runtime. The
+// representation is to be determined and documented by each language SIG.
+func ExceptionStacktrace(val string) attribute.KeyValue {
+	return ExceptionStacktraceKey.String(val)
+}
+
+// ExceptionType returns an attribute KeyValue conforming to the "exception.type"
+// semantic conventions. It represents the type of the exception (its
+// fully-qualified class name, if applicable). The dynamic type of the exception
+// should be preferred over the static type in languages that support it.
+func ExceptionType(val string) attribute.KeyValue {
+	return ExceptionTypeKey.String(val)
+}
+
+// Namespace: faas
+const (
+	// FaaSColdstartKey is the attribute Key conforming to the "faas.coldstart"
+	// semantic conventions. It represents a boolean that is true if the serverless
+	// function is executed for the first time (aka cold-start).
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	FaaSColdstartKey = attribute.Key("faas.coldstart")
+
+	// FaaSCronKey is the attribute Key conforming to the "faas.cron" semantic
+	// conventions. It represents a string containing the schedule period as
+	// [Cron Expression].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0/5 * * * ? *
+	//
+	// [Cron Expression]: https://docs.oracle.com/cd/E12058_01/doc/doc.1014/e12030/cron_expressions.htm
+	FaaSCronKey = attribute.Key("faas.cron")
+
+	// FaaSDocumentCollectionKey is the attribute Key conforming to the
+	// "faas.document.collection" semantic conventions. It represents the name of
+	// the source on which the triggering operation was performed. For example, in
+	// Cloud Storage or S3 corresponds to the bucket name, and in Cosmos DB to the
+	// database name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "myBucketName", "myDbName"
+	FaaSDocumentCollectionKey = attribute.Key("faas.document.collection")
+
+	// FaaSDocumentNameKey is the attribute Key conforming to the
+	// "faas.document.name" semantic conventions. It represents the document
+	// name/table subjected to the operation. For example, in Cloud Storage or S3 is
+	// the name of the file, and in Cosmos DB the table name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "myFile.txt", "myTableName"
+	FaaSDocumentNameKey = attribute.Key("faas.document.name")
+
+	// FaaSDocumentOperationKey is the attribute Key conforming to the
+	// "faas.document.operation" semantic conventions. It represents the describes
+	// the type of the operation that was performed on the data.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	FaaSDocumentOperationKey = attribute.Key("faas.document.operation")
+
+	// FaaSDocumentTimeKey is the attribute Key conforming to the
+	// "faas.document.time" semantic conventions. It represents a string containing
+	// the time when the data was accessed in the [ISO 8601] format expressed in
+	// [UTC].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 2020-01-23T13:47:06Z
+	//
+	// [ISO 8601]: https://www.iso.org/iso-8601-date-and-time-format.html
+	// [UTC]: https://www.w3.org/TR/NOTE-datetime
+	FaaSDocumentTimeKey = attribute.Key("faas.document.time")
+
+	// FaaSInstanceKey is the attribute Key conforming to the "faas.instance"
+	// semantic conventions. It represents the execution environment ID as a string,
+	// that will be potentially reused for other invocations to the same
+	// function/function version.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2021/06/28/[$LATEST]2f399eb14537447da05ab2a2e39309de"
+	// Note: - **AWS Lambda:** Use the (full) log stream name.
+	FaaSInstanceKey = attribute.Key("faas.instance")
+
+	// FaaSInvocationIDKey is the attribute Key conforming to the
+	// "faas.invocation_id" semantic conventions. It represents the invocation ID of
+	// the current function invocation.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: af9d5aa4-a685-4c5f-a22b-444f80b3cc28
+	FaaSInvocationIDKey = attribute.Key("faas.invocation_id")
+
+	// FaaSInvokedNameKey is the attribute Key conforming to the "faas.invoked_name"
+	// semantic conventions. It represents the name of the invoked function.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: my-function
+	// Note: SHOULD be equal to the `faas.name` resource attribute of the invoked
+	// function.
+	FaaSInvokedNameKey = attribute.Key("faas.invoked_name")
+
+	// FaaSInvokedProviderKey is the attribute Key conforming to the
+	// "faas.invoked_provider" semantic conventions. It represents the cloud
+	// provider of the invoked function.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: SHOULD be equal to the `cloud.provider` resource attribute of the
+	// invoked function.
+	FaaSInvokedProviderKey = attribute.Key("faas.invoked_provider")
+
+	// FaaSInvokedRegionKey is the attribute Key conforming to the
+	// "faas.invoked_region" semantic conventions. It represents the cloud region of
+	// the invoked function.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: eu-central-1
+	// Note: SHOULD be equal to the `cloud.region` resource attribute of the invoked
+	// function.
+	FaaSInvokedRegionKey = attribute.Key("faas.invoked_region")
+
+	// FaaSMaxMemoryKey is the attribute Key conforming to the "faas.max_memory"
+	// semantic conventions. It represents the amount of memory available to the
+	// serverless function converted to Bytes.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Note: It's recommended to set this attribute since e.g. too little memory can
+	// easily stop a Java AWS Lambda function from working correctly. On AWS Lambda,
+	// the environment variable `AWS_LAMBDA_FUNCTION_MEMORY_SIZE` provides this
+	// information (which must be multiplied by 1,048,576).
+	FaaSMaxMemoryKey = attribute.Key("faas.max_memory")
+
+	// FaaSNameKey is the attribute Key conforming to the "faas.name" semantic
+	// conventions. It represents the name of the single function that this runtime
+	// instance executes.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-function", "myazurefunctionapp/some-function-name"
+	// Note: This is the name of the function as configured/deployed on the FaaS
+	// platform and is usually different from the name of the callback
+	// function (which may be stored in the
+	// [`code.namespace`/`code.function.name`]
+	// span attributes).
+	//
+	// For some cloud providers, the above definition is ambiguous. The following
+	// definition of function name MUST be used for this attribute
+	// (and consequently the span name) for the listed cloud providers/products:
+	//
+	//   - **Azure:** The full name `<FUNCAPP>/<FUNC>`, i.e., function app name
+	//     followed by a forward slash followed by the function name (this form
+	//     can also be seen in the resource JSON for the function).
+	//     This means that a span attribute MUST be used, as an Azure function
+	//     app can host multiple functions that would usually share
+	//     a TracerProvider (see also the `cloud.resource_id` attribute).
+	//
+	//
+	// [`code.namespace`/`code.function.name`]: /docs/general/attributes.md#source-code-attributes
+	FaaSNameKey = attribute.Key("faas.name")
+
+	// FaaSTimeKey is the attribute Key conforming to the "faas.time" semantic
+	// conventions. It represents a string containing the function invocation time
+	// in the [ISO 8601] format expressed in [UTC].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 2020-01-23T13:47:06Z
+	//
+	// [ISO 8601]: https://www.iso.org/iso-8601-date-and-time-format.html
+	// [UTC]: https://www.w3.org/TR/NOTE-datetime
+	FaaSTimeKey = attribute.Key("faas.time")
+
+	// FaaSTriggerKey is the attribute Key conforming to the "faas.trigger" semantic
+	// conventions. It represents the type of the trigger which caused this function
+	// invocation.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	FaaSTriggerKey = attribute.Key("faas.trigger")
+
+	// FaaSVersionKey is the attribute Key conforming to the "faas.version" semantic
+	// conventions. It represents the immutable version of the function being
+	// executed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "26", "pinkfroid-00002"
+	// Note: Depending on the cloud provider and platform, use:
+	//
+	//   - **AWS Lambda:** The [function version]
+	//     (an integer represented as a decimal string).
+	//   - **Google Cloud Run (Services):** The [revision]
+	//     (i.e., the function name plus the revision suffix).
+	//   - **Google Cloud Functions:** The value of the
+	//     [`K_REVISION` environment variable].
+	//   - **Azure Functions:** Not applicable. Do not set this attribute.
+	//
+	//
+	// [function version]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html
+	// [revision]: https://cloud.google.com/run/docs/managing/revisions
+	// [`K_REVISION` environment variable]: https://cloud.google.com/functions/docs/env-var#runtime_environment_variables_set_automatically
+	FaaSVersionKey = attribute.Key("faas.version")
+)
+
+// FaaSColdstart returns an attribute KeyValue conforming to the "faas.coldstart"
+// semantic conventions. It represents a boolean that is true if the serverless
+// function is executed for the first time (aka cold-start).
+func FaaSColdstart(val bool) attribute.KeyValue {
+	return FaaSColdstartKey.Bool(val)
+}
+
+// FaaSCron returns an attribute KeyValue conforming to the "faas.cron" semantic
+// conventions. It represents a string containing the schedule period as
+// [Cron Expression].
+//
+// [Cron Expression]: https://docs.oracle.com/cd/E12058_01/doc/doc.1014/e12030/cron_expressions.htm
+func FaaSCron(val string) attribute.KeyValue {
+	return FaaSCronKey.String(val)
+}
+
+// FaaSDocumentCollection returns an attribute KeyValue conforming to the
+// "faas.document.collection" semantic conventions. It represents the name of the
+// source on which the triggering operation was performed. For example, in Cloud
+// Storage or S3 corresponds to the bucket name, and in Cosmos DB to the database
+// name.
+func FaaSDocumentCollection(val string) attribute.KeyValue {
+	return FaaSDocumentCollectionKey.String(val)
+}
+
+// FaaSDocumentName returns an attribute KeyValue conforming to the
+// "faas.document.name" semantic conventions. It represents the document
+// name/table subjected to the operation. For example, in Cloud Storage or S3 is
+// the name of the file, and in Cosmos DB the table name.
+func FaaSDocumentName(val string) attribute.KeyValue {
+	return FaaSDocumentNameKey.String(val)
+}
+
+// FaaSDocumentTime returns an attribute KeyValue conforming to the
+// "faas.document.time" semantic conventions. It represents a string containing
+// the time when the data was accessed in the [ISO 8601] format expressed in
+// [UTC].
+//
+// [ISO 8601]: https://www.iso.org/iso-8601-date-and-time-format.html
+// [UTC]: https://www.w3.org/TR/NOTE-datetime
+func FaaSDocumentTime(val string) attribute.KeyValue {
+	return FaaSDocumentTimeKey.String(val)
+}
+
+// FaaSInstance returns an attribute KeyValue conforming to the "faas.instance"
+// semantic conventions. It represents the execution environment ID as a string,
+// that will be potentially reused for other invocations to the same
+// function/function version.
+func FaaSInstance(val string) attribute.KeyValue {
+	return FaaSInstanceKey.String(val)
+}
+
+// FaaSInvocationID returns an attribute KeyValue conforming to the
+// "faas.invocation_id" semantic conventions. It represents the invocation ID of
+// the current function invocation.
+func FaaSInvocationID(val string) attribute.KeyValue {
+	return FaaSInvocationIDKey.String(val)
+}
+
+// FaaSInvokedName returns an attribute KeyValue conforming to the
+// "faas.invoked_name" semantic conventions. It represents the name of the
+// invoked function.
+func FaaSInvokedName(val string) attribute.KeyValue {
+	return FaaSInvokedNameKey.String(val)
+}
+
+// FaaSInvokedRegion returns an attribute KeyValue conforming to the
+// "faas.invoked_region" semantic conventions. It represents the cloud region of
+// the invoked function.
+func FaaSInvokedRegion(val string) attribute.KeyValue {
+	return FaaSInvokedRegionKey.String(val)
+}
+
+// FaaSMaxMemory returns an attribute KeyValue conforming to the
+// "faas.max_memory" semantic conventions. It represents the amount of memory
+// available to the serverless function converted to Bytes.
+func FaaSMaxMemory(val int) attribute.KeyValue {
+	return FaaSMaxMemoryKey.Int(val)
+}
+
+// FaaSName returns an attribute KeyValue conforming to the "faas.name" semantic
+// conventions. It represents the name of the single function that this runtime
+// instance executes.
+func FaaSName(val string) attribute.KeyValue {
+	return FaaSNameKey.String(val)
+}
+
+// FaaSTime returns an attribute KeyValue conforming to the "faas.time" semantic
+// conventions. It represents a string containing the function invocation time in
+// the [ISO 8601] format expressed in [UTC].
+//
+// [ISO 8601]: https://www.iso.org/iso-8601-date-and-time-format.html
+// [UTC]: https://www.w3.org/TR/NOTE-datetime
+func FaaSTime(val string) attribute.KeyValue {
+	return FaaSTimeKey.String(val)
+}
+
+// FaaSVersion returns an attribute KeyValue conforming to the "faas.version"
+// semantic conventions. It represents the immutable version of the function
+// being executed.
+func FaaSVersion(val string) attribute.KeyValue {
+	return FaaSVersionKey.String(val)
+}
+
+// Enum values for faas.document.operation
+var (
+	// When a new object is created.
+	// Stability: development
+	FaaSDocumentOperationInsert = FaaSDocumentOperationKey.String("insert")
+	// When an object is modified.
+	// Stability: development
+	FaaSDocumentOperationEdit = FaaSDocumentOperationKey.String("edit")
+	// When an object is deleted.
+	// Stability: development
+	FaaSDocumentOperationDelete = FaaSDocumentOperationKey.String("delete")
+)
+
+// Enum values for faas.invoked_provider
+var (
+	// Alibaba Cloud
+	// Stability: development
+	FaaSInvokedProviderAlibabaCloud = FaaSInvokedProviderKey.String("alibaba_cloud")
+	// Amazon Web Services
+	// Stability: development
+	FaaSInvokedProviderAWS = FaaSInvokedProviderKey.String("aws")
+	// Microsoft Azure
+	// Stability: development
+	FaaSInvokedProviderAzure = FaaSInvokedProviderKey.String("azure")
+	// Google Cloud Platform
+	// Stability: development
+	FaaSInvokedProviderGCP = FaaSInvokedProviderKey.String("gcp")
+	// Tencent Cloud
+	// Stability: development
+	FaaSInvokedProviderTencentCloud = FaaSInvokedProviderKey.String("tencent_cloud")
+)
+
+// Enum values for faas.trigger
+var (
+	// A response to some data source operation such as a database or filesystem
+	// read/write
+	// Stability: development
+	FaaSTriggerDatasource = FaaSTriggerKey.String("datasource")
+	// To provide an answer to an inbound HTTP request
+	// Stability: development
+	FaaSTriggerHTTP = FaaSTriggerKey.String("http")
+	// A function is set to be executed when messages are sent to a messaging system
+	// Stability: development
+	FaaSTriggerPubSub = FaaSTriggerKey.String("pubsub")
+	// A function is scheduled to be executed regularly
+	// Stability: development
+	FaaSTriggerTimer = FaaSTriggerKey.String("timer")
+	// If none of the others apply
+	// Stability: development
+	FaaSTriggerOther = FaaSTriggerKey.String("other")
+)
+
+// Namespace: feature_flag
+const (
+	// FeatureFlagContextIDKey is the attribute Key conforming to the
+	// "feature_flag.context.id" semantic conventions. It represents the unique
+	// identifier for the flag evaluation context. For example, the targeting key.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "5157782b-2203-4c80-a857-dbbd5e7761db"
+	FeatureFlagContextIDKey = attribute.Key("feature_flag.context.id")
+
+	// FeatureFlagKeyKey is the attribute Key conforming to the "feature_flag.key"
+	// semantic conventions. It represents the lookup key of the feature flag.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "logo-color"
+	FeatureFlagKeyKey = attribute.Key("feature_flag.key")
+
+	// FeatureFlagProviderNameKey is the attribute Key conforming to the
+	// "feature_flag.provider.name" semantic conventions. It represents the
+	// identifies the feature flag provider.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Flag Manager"
+	FeatureFlagProviderNameKey = attribute.Key("feature_flag.provider.name")
+
+	// FeatureFlagResultReasonKey is the attribute Key conforming to the
+	// "feature_flag.result.reason" semantic conventions. It represents the reason
+	// code which shows how a feature flag value was determined.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "static", "targeting_match", "error", "default"
+	FeatureFlagResultReasonKey = attribute.Key("feature_flag.result.reason")
+
+	// FeatureFlagResultValueKey is the attribute Key conforming to the
+	// "feature_flag.result.value" semantic conventions. It represents the evaluated
+	// value of the feature flag.
+	//
+	// Type: any
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "#ff0000", true, 3
+	// Note: With some feature flag providers, feature flag results can be quite
+	// large or contain private or sensitive details.
+	// Because of this, `feature_flag.result.variant` is often the preferred
+	// attribute if it is available.
+	//
+	// It may be desirable to redact or otherwise limit the size and scope of
+	// `feature_flag.result.value` if possible.
+	// Because the evaluated flag value is unstructured and may be any type, it is
+	// left to the instrumentation author to determine how best to achieve this.
+	FeatureFlagResultValueKey = attribute.Key("feature_flag.result.value")
+
+	// FeatureFlagResultVariantKey is the attribute Key conforming to the
+	// "feature_flag.result.variant" semantic conventions. It represents a semantic
+	// identifier for an evaluated flag value.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "red", "true", "on"
+	// Note: A semantic identifier, commonly referred to as a variant, provides a
+	// means
+	// for referring to a value without including the value itself. This can
+	// provide additional context for understanding the meaning behind a value.
+	// For example, the variant `red` maybe be used for the value `#c05543`.
+	FeatureFlagResultVariantKey = attribute.Key("feature_flag.result.variant")
+
+	// FeatureFlagSetIDKey is the attribute Key conforming to the
+	// "feature_flag.set.id" semantic conventions. It represents the identifier of
+	// the [flag set] to which the feature flag belongs.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "proj-1", "ab98sgs", "service1/dev"
+	//
+	// [flag set]: https://openfeature.dev/specification/glossary/#flag-set
+	FeatureFlagSetIDKey = attribute.Key("feature_flag.set.id")
+
+	// FeatureFlagVersionKey is the attribute Key conforming to the
+	// "feature_flag.version" semantic conventions. It represents the version of the
+	// ruleset used during the evaluation. This may be any stable value which
+	// uniquely identifies the ruleset.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1", "01ABCDEF"
+	FeatureFlagVersionKey = attribute.Key("feature_flag.version")
+)
+
+// FeatureFlagContextID returns an attribute KeyValue conforming to the
+// "feature_flag.context.id" semantic conventions. It represents the unique
+// identifier for the flag evaluation context. For example, the targeting key.
+func FeatureFlagContextID(val string) attribute.KeyValue {
+	return FeatureFlagContextIDKey.String(val)
+}
+
+// FeatureFlagKey returns an attribute KeyValue conforming to the
+// "feature_flag.key" semantic conventions. It represents the lookup key of the
+// feature flag.
+func FeatureFlagKey(val string) attribute.KeyValue {
+	return FeatureFlagKeyKey.String(val)
+}
+
+// FeatureFlagProviderName returns an attribute KeyValue conforming to the
+// "feature_flag.provider.name" semantic conventions. It represents the
+// identifies the feature flag provider.
+func FeatureFlagProviderName(val string) attribute.KeyValue {
+	return FeatureFlagProviderNameKey.String(val)
+}
+
+// FeatureFlagResultVariant returns an attribute KeyValue conforming to the
+// "feature_flag.result.variant" semantic conventions. It represents a semantic
+// identifier for an evaluated flag value.
+func FeatureFlagResultVariant(val string) attribute.KeyValue {
+	return FeatureFlagResultVariantKey.String(val)
+}
+
+// FeatureFlagSetID returns an attribute KeyValue conforming to the
+// "feature_flag.set.id" semantic conventions. It represents the identifier of
+// the [flag set] to which the feature flag belongs.
+//
+// [flag set]: https://openfeature.dev/specification/glossary/#flag-set
+func FeatureFlagSetID(val string) attribute.KeyValue {
+	return FeatureFlagSetIDKey.String(val)
+}
+
+// FeatureFlagVersion returns an attribute KeyValue conforming to the
+// "feature_flag.version" semantic conventions. It represents the version of the
+// ruleset used during the evaluation. This may be any stable value which
+// uniquely identifies the ruleset.
+func FeatureFlagVersion(val string) attribute.KeyValue {
+	return FeatureFlagVersionKey.String(val)
+}
+
+// Enum values for feature_flag.result.reason
+var (
+	// The resolved value is static (no dynamic evaluation).
+	// Stability: development
+	FeatureFlagResultReasonStatic = FeatureFlagResultReasonKey.String("static")
+	// The resolved value fell back to a pre-configured value (no dynamic evaluation
+	// occurred or dynamic evaluation yielded no result).
+	// Stability: development
+	FeatureFlagResultReasonDefault = FeatureFlagResultReasonKey.String("default")
+	// The resolved value was the result of a dynamic evaluation, such as a rule or
+	// specific user-targeting.
+	// Stability: development
+	FeatureFlagResultReasonTargetingMatch = FeatureFlagResultReasonKey.String("targeting_match")
+	// The resolved value was the result of pseudorandom assignment.
+	// Stability: development
+	FeatureFlagResultReasonSplit = FeatureFlagResultReasonKey.String("split")
+	// The resolved value was retrieved from cache.
+	// Stability: development
+	FeatureFlagResultReasonCached = FeatureFlagResultReasonKey.String("cached")
+	// The resolved value was the result of the flag being disabled in the
+	// management system.
+	// Stability: development
+	FeatureFlagResultReasonDisabled = FeatureFlagResultReasonKey.String("disabled")
+	// The reason for the resolved value could not be determined.
+	// Stability: development
+	FeatureFlagResultReasonUnknown = FeatureFlagResultReasonKey.String("unknown")
+	// The resolved value is non-authoritative or possibly out of date
+	// Stability: development
+	FeatureFlagResultReasonStale = FeatureFlagResultReasonKey.String("stale")
+	// The resolved value was the result of an error.
+	// Stability: development
+	FeatureFlagResultReasonError = FeatureFlagResultReasonKey.String("error")
+)
+
+// Namespace: file
+const (
+	// FileAccessedKey is the attribute Key conforming to the "file.accessed"
+	// semantic conventions. It represents the time when the file was last accessed,
+	// in ISO 8601 format.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2021-01-01T12:00:00Z"
+	// Note: This attribute might not be supported by some file systems — NFS,
+	// FAT32, in embedded OS, etc.
+	FileAccessedKey = attribute.Key("file.accessed")
+
+	// FileAttributesKey is the attribute Key conforming to the "file.attributes"
+	// semantic conventions. It represents the array of file attributes.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "readonly", "hidden"
+	// Note: Attributes names depend on the OS or file system. Here’s a
+	// non-exhaustive list of values expected for this attribute: `archive`,
+	// `compressed`, `directory`, `encrypted`, `execute`, `hidden`, `immutable`,
+	// `journaled`, `read`, `readonly`, `symbolic link`, `system`, `temporary`,
+	// `write`.
+	FileAttributesKey = attribute.Key("file.attributes")
+
+	// FileChangedKey is the attribute Key conforming to the "file.changed" semantic
+	// conventions. It represents the time when the file attributes or metadata was
+	// last changed, in ISO 8601 format.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2021-01-01T12:00:00Z"
+	// Note: `file.changed` captures the time when any of the file's properties or
+	// attributes (including the content) are changed, while `file.modified`
+	// captures the timestamp when the file content is modified.
+	FileChangedKey = attribute.Key("file.changed")
+
+	// FileCreatedKey is the attribute Key conforming to the "file.created" semantic
+	// conventions. It represents the time when the file was created, in ISO 8601
+	// format.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2021-01-01T12:00:00Z"
+	// Note: This attribute might not be supported by some file systems — NFS,
+	// FAT32, in embedded OS, etc.
+	FileCreatedKey = attribute.Key("file.created")
+
+	// FileDirectoryKey is the attribute Key conforming to the "file.directory"
+	// semantic conventions. It represents the directory where the file is located.
+	// It should include the drive letter, when appropriate.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/home/user", "C:\Program Files\MyApp"
+	FileDirectoryKey = attribute.Key("file.directory")
+
+	// FileExtensionKey is the attribute Key conforming to the "file.extension"
+	// semantic conventions. It represents the file extension, excluding the leading
+	// dot.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "png", "gz"
+	// Note: When the file name has multiple extensions (example.tar.gz), only the
+	// last one should be captured ("gz", not "tar.gz").
+	FileExtensionKey = attribute.Key("file.extension")
+
+	// FileForkNameKey is the attribute Key conforming to the "file.fork_name"
+	// semantic conventions. It represents the name of the fork. A fork is
+	// additional data associated with a filesystem object.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Zone.Identifer"
+	// Note: On Linux, a resource fork is used to store additional data with a
+	// filesystem object. A file always has at least one fork for the data portion,
+	// and additional forks may exist.
+	// On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+	// data stream for a file is just called $DATA. Zone.Identifier is commonly used
+	// by Windows to track contents downloaded from the Internet. An ADS is
+	// typically of the form: C:\path\to\filename.extension:some_fork_name, and
+	// some_fork_name is the value that should populate `fork_name`.
+	// `filename.extension` should populate `file.name`, and `extension` should
+	// populate `file.extension`. The full path, `file.path`, will include the fork
+	// name.
+	FileForkNameKey = attribute.Key("file.fork_name")
+
+	// FileGroupIDKey is the attribute Key conforming to the "file.group.id"
+	// semantic conventions. It represents the primary Group ID (GID) of the file.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1000"
+	FileGroupIDKey = attribute.Key("file.group.id")
+
+	// FileGroupNameKey is the attribute Key conforming to the "file.group.name"
+	// semantic conventions. It represents the primary group name of the file.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "users"
+	FileGroupNameKey = attribute.Key("file.group.name")
+
+	// FileInodeKey is the attribute Key conforming to the "file.inode" semantic
+	// conventions. It represents the inode representing the file in the filesystem.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "256383"
+	FileInodeKey = attribute.Key("file.inode")
+
+	// FileModeKey is the attribute Key conforming to the "file.mode" semantic
+	// conventions. It represents the mode of the file in octal representation.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "0640"
+	FileModeKey = attribute.Key("file.mode")
+
+	// FileModifiedKey is the attribute Key conforming to the "file.modified"
+	// semantic conventions. It represents the time when the file content was last
+	// modified, in ISO 8601 format.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2021-01-01T12:00:00Z"
+	FileModifiedKey = attribute.Key("file.modified")
+
+	// FileNameKey is the attribute Key conforming to the "file.name" semantic
+	// conventions. It represents the name of the file including the extension,
+	// without the directory.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "example.png"
+	FileNameKey = attribute.Key("file.name")
+
+	// FileOwnerIDKey is the attribute Key conforming to the "file.owner.id"
+	// semantic conventions. It represents the user ID (UID) or security identifier
+	// (SID) of the file owner.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1000"
+	FileOwnerIDKey = attribute.Key("file.owner.id")
+
+	// FileOwnerNameKey is the attribute Key conforming to the "file.owner.name"
+	// semantic conventions. It represents the username of the file owner.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "root"
+	FileOwnerNameKey = attribute.Key("file.owner.name")
+
+	// FilePathKey is the attribute Key conforming to the "file.path" semantic
+	// conventions. It represents the full path to the file, including the file
+	// name. It should include the drive letter, when appropriate.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/home/alice/example.png", "C:\Program Files\MyApp\myapp.exe"
+	FilePathKey = attribute.Key("file.path")
+
+	// FileSizeKey is the attribute Key conforming to the "file.size" semantic
+	// conventions. It represents the file size in bytes.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	FileSizeKey = attribute.Key("file.size")
+
+	// FileSymbolicLinkTargetPathKey is the attribute Key conforming to the
+	// "file.symbolic_link.target_path" semantic conventions. It represents the path
+	// to the target of a symbolic link.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/usr/bin/python3"
+	// Note: This attribute is only applicable to symbolic links.
+	FileSymbolicLinkTargetPathKey = attribute.Key("file.symbolic_link.target_path")
+)
+
+// FileAccessed returns an attribute KeyValue conforming to the "file.accessed"
+// semantic conventions. It represents the time when the file was last accessed,
+// in ISO 8601 format.
+func FileAccessed(val string) attribute.KeyValue {
+	return FileAccessedKey.String(val)
+}
+
+// FileAttributes returns an attribute KeyValue conforming to the
+// "file.attributes" semantic conventions. It represents the array of file
+// attributes.
+func FileAttributes(val ...string) attribute.KeyValue {
+	return FileAttributesKey.StringSlice(val)
+}
+
+// FileChanged returns an attribute KeyValue conforming to the "file.changed"
+// semantic conventions. It represents the time when the file attributes or
+// metadata was last changed, in ISO 8601 format.
+func FileChanged(val string) attribute.KeyValue {
+	return FileChangedKey.String(val)
+}
+
+// FileCreated returns an attribute KeyValue conforming to the "file.created"
+// semantic conventions. It represents the time when the file was created, in ISO
+// 8601 format.
+func FileCreated(val string) attribute.KeyValue {
+	return FileCreatedKey.String(val)
+}
+
+// FileDirectory returns an attribute KeyValue conforming to the "file.directory"
+// semantic conventions. It represents the directory where the file is located.
+// It should include the drive letter, when appropriate.
+func FileDirectory(val string) attribute.KeyValue {
+	return FileDirectoryKey.String(val)
+}
+
+// FileExtension returns an attribute KeyValue conforming to the "file.extension"
+// semantic conventions. It represents the file extension, excluding the leading
+// dot.
+func FileExtension(val string) attribute.KeyValue {
+	return FileExtensionKey.String(val)
+}
+
+// FileForkName returns an attribute KeyValue conforming to the "file.fork_name"
+// semantic conventions. It represents the name of the fork. A fork is additional
+// data associated with a filesystem object.
+func FileForkName(val string) attribute.KeyValue {
+	return FileForkNameKey.String(val)
+}
+
+// FileGroupID returns an attribute KeyValue conforming to the "file.group.id"
+// semantic conventions. It represents the primary Group ID (GID) of the file.
+func FileGroupID(val string) attribute.KeyValue {
+	return FileGroupIDKey.String(val)
+}
+
+// FileGroupName returns an attribute KeyValue conforming to the
+// "file.group.name" semantic conventions. It represents the primary group name
+// of the file.
+func FileGroupName(val string) attribute.KeyValue {
+	return FileGroupNameKey.String(val)
+}
+
+// FileInode returns an attribute KeyValue conforming to the "file.inode"
+// semantic conventions. It represents the inode representing the file in the
+// filesystem.
+func FileInode(val string) attribute.KeyValue {
+	return FileInodeKey.String(val)
+}
+
+// FileMode returns an attribute KeyValue conforming to the "file.mode" semantic
+// conventions. It represents the mode of the file in octal representation.
+func FileMode(val string) attribute.KeyValue {
+	return FileModeKey.String(val)
+}
+
+// FileModified returns an attribute KeyValue conforming to the "file.modified"
+// semantic conventions. It represents the time when the file content was last
+// modified, in ISO 8601 format.
+func FileModified(val string) attribute.KeyValue {
+	return FileModifiedKey.String(val)
+}
+
+// FileName returns an attribute KeyValue conforming to the "file.name" semantic
+// conventions. It represents the name of the file including the extension,
+// without the directory.
+func FileName(val string) attribute.KeyValue {
+	return FileNameKey.String(val)
+}
+
+// FileOwnerID returns an attribute KeyValue conforming to the "file.owner.id"
+// semantic conventions. It represents the user ID (UID) or security identifier
+// (SID) of the file owner.
+func FileOwnerID(val string) attribute.KeyValue {
+	return FileOwnerIDKey.String(val)
+}
+
+// FileOwnerName returns an attribute KeyValue conforming to the
+// "file.owner.name" semantic conventions. It represents the username of the file
+// owner.
+func FileOwnerName(val string) attribute.KeyValue {
+	return FileOwnerNameKey.String(val)
+}
+
+// FilePath returns an attribute KeyValue conforming to the "file.path" semantic
+// conventions. It represents the full path to the file, including the file name.
+// It should include the drive letter, when appropriate.
+func FilePath(val string) attribute.KeyValue {
+	return FilePathKey.String(val)
+}
+
+// FileSize returns an attribute KeyValue conforming to the "file.size" semantic
+// conventions. It represents the file size in bytes.
+func FileSize(val int) attribute.KeyValue {
+	return FileSizeKey.Int(val)
+}
+
+// FileSymbolicLinkTargetPath returns an attribute KeyValue conforming to the
+// "file.symbolic_link.target_path" semantic conventions. It represents the path
+// to the target of a symbolic link.
+func FileSymbolicLinkTargetPath(val string) attribute.KeyValue {
+	return FileSymbolicLinkTargetPathKey.String(val)
+}
+
+// Namespace: gcp
+const (
+	// GCPAppHubApplicationContainerKey is the attribute Key conforming to the
+	// "gcp.apphub.application.container" semantic conventions. It represents the
+	// container within GCP where the AppHub application is defined.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "projects/my-container-project"
+	GCPAppHubApplicationContainerKey = attribute.Key("gcp.apphub.application.container")
+
+	// GCPAppHubApplicationIDKey is the attribute Key conforming to the
+	// "gcp.apphub.application.id" semantic conventions. It represents the name of
+	// the application as configured in AppHub.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-application"
+	GCPAppHubApplicationIDKey = attribute.Key("gcp.apphub.application.id")
+
+	// GCPAppHubApplicationLocationKey is the attribute Key conforming to the
+	// "gcp.apphub.application.location" semantic conventions. It represents the GCP
+	// zone or region where the application is defined.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "us-central1"
+	GCPAppHubApplicationLocationKey = attribute.Key("gcp.apphub.application.location")
+
+	// GCPAppHubServiceCriticalityTypeKey is the attribute Key conforming to the
+	// "gcp.apphub.service.criticality_type" semantic conventions. It represents the
+	// criticality of a service indicates its importance to the business.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: [See AppHub type enum]
+	//
+	// [See AppHub type enum]: https://cloud.google.com/app-hub/docs/reference/rest/v1/Attributes#type
+	GCPAppHubServiceCriticalityTypeKey = attribute.Key("gcp.apphub.service.criticality_type")
+
+	// GCPAppHubServiceEnvironmentTypeKey is the attribute Key conforming to the
+	// "gcp.apphub.service.environment_type" semantic conventions. It represents the
+	// environment of a service is the stage of a software lifecycle.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: [See AppHub environment type]
+	//
+	// [See AppHub environment type]: https://cloud.google.com/app-hub/docs/reference/rest/v1/Attributes#type_1
+	GCPAppHubServiceEnvironmentTypeKey = attribute.Key("gcp.apphub.service.environment_type")
+
+	// GCPAppHubServiceIDKey is the attribute Key conforming to the
+	// "gcp.apphub.service.id" semantic conventions. It represents the name of the
+	// service as configured in AppHub.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-service"
+	GCPAppHubServiceIDKey = attribute.Key("gcp.apphub.service.id")
+
+	// GCPAppHubWorkloadCriticalityTypeKey is the attribute Key conforming to the
+	// "gcp.apphub.workload.criticality_type" semantic conventions. It represents
+	// the criticality of a workload indicates its importance to the business.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: [See AppHub type enum]
+	//
+	// [See AppHub type enum]: https://cloud.google.com/app-hub/docs/reference/rest/v1/Attributes#type
+	GCPAppHubWorkloadCriticalityTypeKey = attribute.Key("gcp.apphub.workload.criticality_type")
+
+	// GCPAppHubWorkloadEnvironmentTypeKey is the attribute Key conforming to the
+	// "gcp.apphub.workload.environment_type" semantic conventions. It represents
+	// the environment of a workload is the stage of a software lifecycle.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: [See AppHub environment type]
+	//
+	// [See AppHub environment type]: https://cloud.google.com/app-hub/docs/reference/rest/v1/Attributes#type_1
+	GCPAppHubWorkloadEnvironmentTypeKey = attribute.Key("gcp.apphub.workload.environment_type")
+
+	// GCPAppHubWorkloadIDKey is the attribute Key conforming to the
+	// "gcp.apphub.workload.id" semantic conventions. It represents the name of the
+	// workload as configured in AppHub.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-workload"
+	GCPAppHubWorkloadIDKey = attribute.Key("gcp.apphub.workload.id")
+
+	// GCPClientServiceKey is the attribute Key conforming to the
+	// "gcp.client.service" semantic conventions. It represents the identifies the
+	// Google Cloud service for which the official client library is intended.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "appengine", "run", "firestore", "alloydb", "spanner"
+	// Note: Intended to be a stable identifier for Google Cloud client libraries
+	// that is uniform across implementation languages. The value should be derived
+	// from the canonical service domain for the service; for example,
+	// 'foo.googleapis.com' should result in a value of 'foo'.
+	GCPClientServiceKey = attribute.Key("gcp.client.service")
+
+	// GCPCloudRunJobExecutionKey is the attribute Key conforming to the
+	// "gcp.cloud_run.job.execution" semantic conventions. It represents the name of
+	// the Cloud Run [execution] being run for the Job, as set by the
+	// [`CLOUD_RUN_EXECUTION`] environment variable.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "job-name-xxxx", "sample-job-mdw84"
+	//
+	// [execution]: https://cloud.google.com/run/docs/managing/job-executions
+	// [`CLOUD_RUN_EXECUTION`]: https://cloud.google.com/run/docs/container-contract#jobs-env-vars
+	GCPCloudRunJobExecutionKey = attribute.Key("gcp.cloud_run.job.execution")
+
+	// GCPCloudRunJobTaskIndexKey is the attribute Key conforming to the
+	// "gcp.cloud_run.job.task_index" semantic conventions. It represents the index
+	// for a task within an execution as provided by the [`CLOUD_RUN_TASK_INDEX`]
+	// environment variable.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0, 1
+	//
+	// [`CLOUD_RUN_TASK_INDEX`]: https://cloud.google.com/run/docs/container-contract#jobs-env-vars
+	GCPCloudRunJobTaskIndexKey = attribute.Key("gcp.cloud_run.job.task_index")
+
+	// GCPGCEInstanceHostnameKey is the attribute Key conforming to the
+	// "gcp.gce.instance.hostname" semantic conventions. It represents the hostname
+	// of a GCE instance. This is the full value of the default or [custom hostname]
+	// .
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-host1234.example.com",
+	// "sample-vm.us-west1-b.c.my-project.internal"
+	//
+	// [custom hostname]: https://cloud.google.com/compute/docs/instances/custom-hostname-vm
+	GCPGCEInstanceHostnameKey = attribute.Key("gcp.gce.instance.hostname")
+
+	// GCPGCEInstanceNameKey is the attribute Key conforming to the
+	// "gcp.gce.instance.name" semantic conventions. It represents the instance name
+	// of a GCE instance. This is the value provided by `host.name`, the visible
+	// name of the instance in the Cloud Console UI, and the prefix for the default
+	// hostname of the instance as defined by the [default internal DNS name].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "instance-1", "my-vm-name"
+	//
+	// [default internal DNS name]: https://cloud.google.com/compute/docs/internal-dns#instance-fully-qualified-domain-names
+	GCPGCEInstanceNameKey = attribute.Key("gcp.gce.instance.name")
+)
+
+// GCPAppHubApplicationContainer returns an attribute KeyValue conforming to the
+// "gcp.apphub.application.container" semantic conventions. It represents the
+// container within GCP where the AppHub application is defined.
+func GCPAppHubApplicationContainer(val string) attribute.KeyValue {
+	return GCPAppHubApplicationContainerKey.String(val)
+}
+
+// GCPAppHubApplicationID returns an attribute KeyValue conforming to the
+// "gcp.apphub.application.id" semantic conventions. It represents the name of
+// the application as configured in AppHub.
+func GCPAppHubApplicationID(val string) attribute.KeyValue {
+	return GCPAppHubApplicationIDKey.String(val)
+}
+
+// GCPAppHubApplicationLocation returns an attribute KeyValue conforming to the
+// "gcp.apphub.application.location" semantic conventions. It represents the GCP
+// zone or region where the application is defined.
+func GCPAppHubApplicationLocation(val string) attribute.KeyValue {
+	return GCPAppHubApplicationLocationKey.String(val)
+}
+
+// GCPAppHubServiceID returns an attribute KeyValue conforming to the
+// "gcp.apphub.service.id" semantic conventions. It represents the name of the
+// service as configured in AppHub.
+func GCPAppHubServiceID(val string) attribute.KeyValue {
+	return GCPAppHubServiceIDKey.String(val)
+}
+
+// GCPAppHubWorkloadID returns an attribute KeyValue conforming to the
+// "gcp.apphub.workload.id" semantic conventions. It represents the name of the
+// workload as configured in AppHub.
+func GCPAppHubWorkloadID(val string) attribute.KeyValue {
+	return GCPAppHubWorkloadIDKey.String(val)
+}
+
+// GCPClientService returns an attribute KeyValue conforming to the
+// "gcp.client.service" semantic conventions. It represents the identifies the
+// Google Cloud service for which the official client library is intended.
+func GCPClientService(val string) attribute.KeyValue {
+	return GCPClientServiceKey.String(val)
+}
+
+// GCPCloudRunJobExecution returns an attribute KeyValue conforming to the
+// "gcp.cloud_run.job.execution" semantic conventions. It represents the name of
+// the Cloud Run [execution] being run for the Job, as set by the
+// [`CLOUD_RUN_EXECUTION`] environment variable.
+//
+// [execution]: https://cloud.google.com/run/docs/managing/job-executions
+// [`CLOUD_RUN_EXECUTION`]: https://cloud.google.com/run/docs/container-contract#jobs-env-vars
+func GCPCloudRunJobExecution(val string) attribute.KeyValue {
+	return GCPCloudRunJobExecutionKey.String(val)
+}
+
+// GCPCloudRunJobTaskIndex returns an attribute KeyValue conforming to the
+// "gcp.cloud_run.job.task_index" semantic conventions. It represents the index
+// for a task within an execution as provided by the [`CLOUD_RUN_TASK_INDEX`]
+// environment variable.
+//
+// [`CLOUD_RUN_TASK_INDEX`]: https://cloud.google.com/run/docs/container-contract#jobs-env-vars
+func GCPCloudRunJobTaskIndex(val int) attribute.KeyValue {
+	return GCPCloudRunJobTaskIndexKey.Int(val)
+}
+
+// GCPGCEInstanceHostname returns an attribute KeyValue conforming to the
+// "gcp.gce.instance.hostname" semantic conventions. It represents the hostname
+// of a GCE instance. This is the full value of the default or [custom hostname]
+// .
+//
+// [custom hostname]: https://cloud.google.com/compute/docs/instances/custom-hostname-vm
+func GCPGCEInstanceHostname(val string) attribute.KeyValue {
+	return GCPGCEInstanceHostnameKey.String(val)
+}
+
+// GCPGCEInstanceName returns an attribute KeyValue conforming to the
+// "gcp.gce.instance.name" semantic conventions. It represents the instance name
+// of a GCE instance. This is the value provided by `host.name`, the visible name
+// of the instance in the Cloud Console UI, and the prefix for the default
+// hostname of the instance as defined by the [default internal DNS name].
+//
+// [default internal DNS name]: https://cloud.google.com/compute/docs/internal-dns#instance-fully-qualified-domain-names
+func GCPGCEInstanceName(val string) attribute.KeyValue {
+	return GCPGCEInstanceNameKey.String(val)
+}
+
+// Enum values for gcp.apphub.service.criticality_type
+var (
+	// Mission critical service.
+	// Stability: development
+	GCPAppHubServiceCriticalityTypeMissionCritical = GCPAppHubServiceCriticalityTypeKey.String("MISSION_CRITICAL")
+	// High impact.
+	// Stability: development
+	GCPAppHubServiceCriticalityTypeHigh = GCPAppHubServiceCriticalityTypeKey.String("HIGH")
+	// Medium impact.
+	// Stability: development
+	GCPAppHubServiceCriticalityTypeMedium = GCPAppHubServiceCriticalityTypeKey.String("MEDIUM")
+	// Low impact.
+	// Stability: development
+	GCPAppHubServiceCriticalityTypeLow = GCPAppHubServiceCriticalityTypeKey.String("LOW")
+)
+
+// Enum values for gcp.apphub.service.environment_type
+var (
+	// Production environment.
+	// Stability: development
+	GCPAppHubServiceEnvironmentTypeProduction = GCPAppHubServiceEnvironmentTypeKey.String("PRODUCTION")
+	// Staging environment.
+	// Stability: development
+	GCPAppHubServiceEnvironmentTypeStaging = GCPAppHubServiceEnvironmentTypeKey.String("STAGING")
+	// Test environment.
+	// Stability: development
+	GCPAppHubServiceEnvironmentTypeTest = GCPAppHubServiceEnvironmentTypeKey.String("TEST")
+	// Development environment.
+	// Stability: development
+	GCPAppHubServiceEnvironmentTypeDevelopment = GCPAppHubServiceEnvironmentTypeKey.String("DEVELOPMENT")
+)
+
+// Enum values for gcp.apphub.workload.criticality_type
+var (
+	// Mission critical service.
+	// Stability: development
+	GCPAppHubWorkloadCriticalityTypeMissionCritical = GCPAppHubWorkloadCriticalityTypeKey.String("MISSION_CRITICAL")
+	// High impact.
+	// Stability: development
+	GCPAppHubWorkloadCriticalityTypeHigh = GCPAppHubWorkloadCriticalityTypeKey.String("HIGH")
+	// Medium impact.
+	// Stability: development
+	GCPAppHubWorkloadCriticalityTypeMedium = GCPAppHubWorkloadCriticalityTypeKey.String("MEDIUM")
+	// Low impact.
+	// Stability: development
+	GCPAppHubWorkloadCriticalityTypeLow = GCPAppHubWorkloadCriticalityTypeKey.String("LOW")
+)
+
+// Enum values for gcp.apphub.workload.environment_type
+var (
+	// Production environment.
+	// Stability: development
+	GCPAppHubWorkloadEnvironmentTypeProduction = GCPAppHubWorkloadEnvironmentTypeKey.String("PRODUCTION")
+	// Staging environment.
+	// Stability: development
+	GCPAppHubWorkloadEnvironmentTypeStaging = GCPAppHubWorkloadEnvironmentTypeKey.String("STAGING")
+	// Test environment.
+	// Stability: development
+	GCPAppHubWorkloadEnvironmentTypeTest = GCPAppHubWorkloadEnvironmentTypeKey.String("TEST")
+	// Development environment.
+	// Stability: development
+	GCPAppHubWorkloadEnvironmentTypeDevelopment = GCPAppHubWorkloadEnvironmentTypeKey.String("DEVELOPMENT")
+)
+
+// Namespace: gen_ai
+const (
+	// GenAIAgentDescriptionKey is the attribute Key conforming to the
+	// "gen_ai.agent.description" semantic conventions. It represents the free-form
+	// description of the GenAI agent provided by the application.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Helps with math problems", "Generates fiction stories"
+	GenAIAgentDescriptionKey = attribute.Key("gen_ai.agent.description")
+
+	// GenAIAgentIDKey is the attribute Key conforming to the "gen_ai.agent.id"
+	// semantic conventions. It represents the unique identifier of the GenAI agent.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "asst_5j66UpCpwteGg4YSxUnt7lPY"
+	GenAIAgentIDKey = attribute.Key("gen_ai.agent.id")
+
+	// GenAIAgentNameKey is the attribute Key conforming to the "gen_ai.agent.name"
+	// semantic conventions. It represents the human-readable name of the GenAI
+	// agent provided by the application.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Math Tutor", "Fiction Writer"
+	GenAIAgentNameKey = attribute.Key("gen_ai.agent.name")
+
+	// GenAIConversationIDKey is the attribute Key conforming to the
+	// "gen_ai.conversation.id" semantic conventions. It represents the unique
+	// identifier for a conversation (session, thread), used to store and correlate
+	// messages within this conversation.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "conv_5j66UpCpwteGg4YSxUnt7lPY"
+	GenAIConversationIDKey = attribute.Key("gen_ai.conversation.id")
+
+	// GenAIDataSourceIDKey is the attribute Key conforming to the
+	// "gen_ai.data_source.id" semantic conventions. It represents the data source
+	// identifier.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "H7STPQYOND"
+	// Note: Data sources are used by AI agents and RAG applications to store
+	// grounding data. A data source may be an external database, object store,
+	// document collection, website, or any other storage system used by the GenAI
+	// agent or application. The `gen_ai.data_source.id` SHOULD match the identifier
+	// used by the GenAI system rather than a name specific to the external storage,
+	// such as a database or object store. Semantic conventions referencing
+	// `gen_ai.data_source.id` MAY also leverage additional attributes, such as
+	// `db.*`, to further identify and describe the data source.
+	GenAIDataSourceIDKey = attribute.Key("gen_ai.data_source.id")
+
+	// GenAIOpenAIRequestServiceTierKey is the attribute Key conforming to the
+	// "gen_ai.openai.request.service_tier" semantic conventions. It represents the
+	// service tier requested. May be a specific tier, default, or auto.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "auto", "default"
+	GenAIOpenAIRequestServiceTierKey = attribute.Key("gen_ai.openai.request.service_tier")
+
+	// GenAIOpenAIResponseServiceTierKey is the attribute Key conforming to the
+	// "gen_ai.openai.response.service_tier" semantic conventions. It represents the
+	// service tier used for the response.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "scale", "default"
+	GenAIOpenAIResponseServiceTierKey = attribute.Key("gen_ai.openai.response.service_tier")
+
+	// GenAIOpenAIResponseSystemFingerprintKey is the attribute Key conforming to
+	// the "gen_ai.openai.response.system_fingerprint" semantic conventions. It
+	// represents a fingerprint to track any eventual change in the Generative AI
+	// environment.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "fp_44709d6fcb"
+	GenAIOpenAIResponseSystemFingerprintKey = attribute.Key("gen_ai.openai.response.system_fingerprint")
+
+	// GenAIOperationNameKey is the attribute Key conforming to the
+	// "gen_ai.operation.name" semantic conventions. It represents the name of the
+	// operation being performed.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: If one of the predefined values applies, but specific system uses a
+	// different name it's RECOMMENDED to document it in the semantic conventions
+	// for specific GenAI system and use system-specific name in the
+	// instrumentation. If a different name is not documented, instrumentation
+	// libraries SHOULD use applicable predefined value.
+	GenAIOperationNameKey = attribute.Key("gen_ai.operation.name")
+
+	// GenAIOutputTypeKey is the attribute Key conforming to the
+	// "gen_ai.output.type" semantic conventions. It represents the represents the
+	// content type requested by the client.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: This attribute SHOULD be used when the client requests output of a
+	// specific type. The model may return zero or more outputs of this type.
+	// This attribute specifies the output modality and not the actual output
+	// format. For example, if an image is requested, the actual output could be a
+	// URL pointing to an image file.
+	// Additional output format details may be recorded in the future in the
+	// `gen_ai.output.{type}.*` attributes.
+	GenAIOutputTypeKey = attribute.Key("gen_ai.output.type")
+
+	// GenAIRequestChoiceCountKey is the attribute Key conforming to the
+	// "gen_ai.request.choice.count" semantic conventions. It represents the target
+	// number of candidate completions to return.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 3
+	GenAIRequestChoiceCountKey = attribute.Key("gen_ai.request.choice.count")
+
+	// GenAIRequestEncodingFormatsKey is the attribute Key conforming to the
+	// "gen_ai.request.encoding_formats" semantic conventions. It represents the
+	// encoding formats requested in an embeddings operation, if specified.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "base64"], ["float", "binary"
+	// Note: In some GenAI systems the encoding formats are called embedding types.
+	// Also, some GenAI systems only accept a single format per request.
+	GenAIRequestEncodingFormatsKey = attribute.Key("gen_ai.request.encoding_formats")
+
+	// GenAIRequestFrequencyPenaltyKey is the attribute Key conforming to the
+	// "gen_ai.request.frequency_penalty" semantic conventions. It represents the
+	// frequency penalty setting for the GenAI request.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0.1
+	GenAIRequestFrequencyPenaltyKey = attribute.Key("gen_ai.request.frequency_penalty")
+
+	// GenAIRequestMaxTokensKey is the attribute Key conforming to the
+	// "gen_ai.request.max_tokens" semantic conventions. It represents the maximum
+	// number of tokens the model generates for a request.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 100
+	GenAIRequestMaxTokensKey = attribute.Key("gen_ai.request.max_tokens")
+
+	// GenAIRequestModelKey is the attribute Key conforming to the
+	// "gen_ai.request.model" semantic conventions. It represents the name of the
+	// GenAI model a request is being made to.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: gpt-4
+	GenAIRequestModelKey = attribute.Key("gen_ai.request.model")
+
+	// GenAIRequestPresencePenaltyKey is the attribute Key conforming to the
+	// "gen_ai.request.presence_penalty" semantic conventions. It represents the
+	// presence penalty setting for the GenAI request.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0.1
+	GenAIRequestPresencePenaltyKey = attribute.Key("gen_ai.request.presence_penalty")
+
+	// GenAIRequestSeedKey is the attribute Key conforming to the
+	// "gen_ai.request.seed" semantic conventions. It represents the requests with
+	// same seed value more likely to return same result.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 100
+	GenAIRequestSeedKey = attribute.Key("gen_ai.request.seed")
+
+	// GenAIRequestStopSequencesKey is the attribute Key conforming to the
+	// "gen_ai.request.stop_sequences" semantic conventions. It represents the list
+	// of sequences that the model will use to stop generating further tokens.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "forest", "lived"
+	GenAIRequestStopSequencesKey = attribute.Key("gen_ai.request.stop_sequences")
+
+	// GenAIRequestTemperatureKey is the attribute Key conforming to the
+	// "gen_ai.request.temperature" semantic conventions. It represents the
+	// temperature setting for the GenAI request.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0.0
+	GenAIRequestTemperatureKey = attribute.Key("gen_ai.request.temperature")
+
+	// GenAIRequestTopKKey is the attribute Key conforming to the
+	// "gen_ai.request.top_k" semantic conventions. It represents the top_k sampling
+	// setting for the GenAI request.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1.0
+	GenAIRequestTopKKey = attribute.Key("gen_ai.request.top_k")
+
+	// GenAIRequestTopPKey is the attribute Key conforming to the
+	// "gen_ai.request.top_p" semantic conventions. It represents the top_p sampling
+	// setting for the GenAI request.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1.0
+	GenAIRequestTopPKey = attribute.Key("gen_ai.request.top_p")
+
+	// GenAIResponseFinishReasonsKey is the attribute Key conforming to the
+	// "gen_ai.response.finish_reasons" semantic conventions. It represents the
+	// array of reasons the model stopped generating tokens, corresponding to each
+	// generation received.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "stop"], ["stop", "length"
+	GenAIResponseFinishReasonsKey = attribute.Key("gen_ai.response.finish_reasons")
+
+	// GenAIResponseIDKey is the attribute Key conforming to the
+	// "gen_ai.response.id" semantic conventions. It represents the unique
+	// identifier for the completion.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "chatcmpl-123"
+	GenAIResponseIDKey = attribute.Key("gen_ai.response.id")
+
+	// GenAIResponseModelKey is the attribute Key conforming to the
+	// "gen_ai.response.model" semantic conventions. It represents the name of the
+	// model that generated the response.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "gpt-4-0613"
+	GenAIResponseModelKey = attribute.Key("gen_ai.response.model")
+
+	// GenAISystemKey is the attribute Key conforming to the "gen_ai.system"
+	// semantic conventions. It represents the Generative AI product as identified
+	// by the client or server instrumentation.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: openai
+	// Note: The `gen_ai.system` describes a family of GenAI models with specific
+	// model identified
+	// by `gen_ai.request.model` and `gen_ai.response.model` attributes.
+	//
+	// The actual GenAI product may differ from the one identified by the client.
+	// Multiple systems, including Azure OpenAI and Gemini, are accessible by OpenAI
+	// client
+	// libraries. In such cases, the `gen_ai.system` is set to `openai` based on the
+	// instrumentation's best knowledge, instead of the actual system. The
+	// `server.address`
+	// attribute may help identify the actual system in use for `openai`.
+	//
+	// For custom model, a custom friendly name SHOULD be used.
+	// If none of these options apply, the `gen_ai.system` SHOULD be set to `_OTHER`
+	// .
+	GenAISystemKey = attribute.Key("gen_ai.system")
+
+	// GenAITokenTypeKey is the attribute Key conforming to the "gen_ai.token.type"
+	// semantic conventions. It represents the type of token being counted.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "input", "output"
+	GenAITokenTypeKey = attribute.Key("gen_ai.token.type")
+
+	// GenAIToolCallIDKey is the attribute Key conforming to the
+	// "gen_ai.tool.call.id" semantic conventions. It represents the tool call
+	// identifier.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "call_mszuSIzqtI65i1wAUOE8w5H4"
+	GenAIToolCallIDKey = attribute.Key("gen_ai.tool.call.id")
+
+	// GenAIToolDescriptionKey is the attribute Key conforming to the
+	// "gen_ai.tool.description" semantic conventions. It represents the tool
+	// description.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Multiply two numbers"
+	GenAIToolDescriptionKey = attribute.Key("gen_ai.tool.description")
+
+	// GenAIToolNameKey is the attribute Key conforming to the "gen_ai.tool.name"
+	// semantic conventions. It represents the name of the tool utilized by the
+	// agent.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Flights"
+	GenAIToolNameKey = attribute.Key("gen_ai.tool.name")
+
+	// GenAIToolTypeKey is the attribute Key conforming to the "gen_ai.tool.type"
+	// semantic conventions. It represents the type of the tool utilized by the
+	// agent.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "function", "extension", "datastore"
+	// Note: Extension: A tool executed on the agent-side to directly call external
+	// APIs, bridging the gap between the agent and real-world systems.
+	// Agent-side operations involve actions that are performed by the agent on the
+	// server or within the agent's controlled environment.
+	// Function: A tool executed on the client-side, where the agent generates
+	// parameters for a predefined function, and the client executes the logic.
+	// Client-side operations are actions taken on the user's end or within the
+	// client application.
+	// Datastore: A tool used by the agent to access and query structured or
+	// unstructured external data for retrieval-augmented tasks or knowledge
+	// updates.
+	GenAIToolTypeKey = attribute.Key("gen_ai.tool.type")
+
+	// GenAIUsageInputTokensKey is the attribute Key conforming to the
+	// "gen_ai.usage.input_tokens" semantic conventions. It represents the number of
+	// tokens used in the GenAI input (prompt).
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 100
+	GenAIUsageInputTokensKey = attribute.Key("gen_ai.usage.input_tokens")
+
+	// GenAIUsageOutputTokensKey is the attribute Key conforming to the
+	// "gen_ai.usage.output_tokens" semantic conventions. It represents the number
+	// of tokens used in the GenAI response (completion).
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 180
+	GenAIUsageOutputTokensKey = attribute.Key("gen_ai.usage.output_tokens")
+)
+
+// GenAIAgentDescription returns an attribute KeyValue conforming to the
+// "gen_ai.agent.description" semantic conventions. It represents the free-form
+// description of the GenAI agent provided by the application.
+func GenAIAgentDescription(val string) attribute.KeyValue {
+	return GenAIAgentDescriptionKey.String(val)
+}
+
+// GenAIAgentID returns an attribute KeyValue conforming to the "gen_ai.agent.id"
+// semantic conventions. It represents the unique identifier of the GenAI agent.
+func GenAIAgentID(val string) attribute.KeyValue {
+	return GenAIAgentIDKey.String(val)
+}
+
+// GenAIAgentName returns an attribute KeyValue conforming to the
+// "gen_ai.agent.name" semantic conventions. It represents the human-readable
+// name of the GenAI agent provided by the application.
+func GenAIAgentName(val string) attribute.KeyValue {
+	return GenAIAgentNameKey.String(val)
+}
+
+// GenAIConversationID returns an attribute KeyValue conforming to the
+// "gen_ai.conversation.id" semantic conventions. It represents the unique
+// identifier for a conversation (session, thread), used to store and correlate
+// messages within this conversation.
+func GenAIConversationID(val string) attribute.KeyValue {
+	return GenAIConversationIDKey.String(val)
+}
+
+// GenAIDataSourceID returns an attribute KeyValue conforming to the
+// "gen_ai.data_source.id" semantic conventions. It represents the data source
+// identifier.
+func GenAIDataSourceID(val string) attribute.KeyValue {
+	return GenAIDataSourceIDKey.String(val)
+}
+
+// GenAIOpenAIResponseServiceTier returns an attribute KeyValue conforming to the
+// "gen_ai.openai.response.service_tier" semantic conventions. It represents the
+// service tier used for the response.
+func GenAIOpenAIResponseServiceTier(val string) attribute.KeyValue {
+	return GenAIOpenAIResponseServiceTierKey.String(val)
+}
+
+// GenAIOpenAIResponseSystemFingerprint returns an attribute KeyValue conforming
+// to the "gen_ai.openai.response.system_fingerprint" semantic conventions. It
+// represents a fingerprint to track any eventual change in the Generative AI
+// environment.
+func GenAIOpenAIResponseSystemFingerprint(val string) attribute.KeyValue {
+	return GenAIOpenAIResponseSystemFingerprintKey.String(val)
+}
+
+// GenAIRequestChoiceCount returns an attribute KeyValue conforming to the
+// "gen_ai.request.choice.count" semantic conventions. It represents the target
+// number of candidate completions to return.
+func GenAIRequestChoiceCount(val int) attribute.KeyValue {
+	return GenAIRequestChoiceCountKey.Int(val)
+}
+
+// GenAIRequestEncodingFormats returns an attribute KeyValue conforming to the
+// "gen_ai.request.encoding_formats" semantic conventions. It represents the
+// encoding formats requested in an embeddings operation, if specified.
+func GenAIRequestEncodingFormats(val ...string) attribute.KeyValue {
+	return GenAIRequestEncodingFormatsKey.StringSlice(val)
+}
+
+// GenAIRequestFrequencyPenalty returns an attribute KeyValue conforming to the
+// "gen_ai.request.frequency_penalty" semantic conventions. It represents the
+// frequency penalty setting for the GenAI request.
+func GenAIRequestFrequencyPenalty(val float64) attribute.KeyValue {
+	return GenAIRequestFrequencyPenaltyKey.Float64(val)
+}
+
+// GenAIRequestMaxTokens returns an attribute KeyValue conforming to the
+// "gen_ai.request.max_tokens" semantic conventions. It represents the maximum
+// number of tokens the model generates for a request.
+func GenAIRequestMaxTokens(val int) attribute.KeyValue {
+	return GenAIRequestMaxTokensKey.Int(val)
+}
+
+// GenAIRequestModel returns an attribute KeyValue conforming to the
+// "gen_ai.request.model" semantic conventions. It represents the name of the
+// GenAI model a request is being made to.
+func GenAIRequestModel(val string) attribute.KeyValue {
+	return GenAIRequestModelKey.String(val)
+}
+
+// GenAIRequestPresencePenalty returns an attribute KeyValue conforming to the
+// "gen_ai.request.presence_penalty" semantic conventions. It represents the
+// presence penalty setting for the GenAI request.
+func GenAIRequestPresencePenalty(val float64) attribute.KeyValue {
+	return GenAIRequestPresencePenaltyKey.Float64(val)
+}
+
+// GenAIRequestSeed returns an attribute KeyValue conforming to the
+// "gen_ai.request.seed" semantic conventions. It represents the requests with
+// same seed value more likely to return same result.
+func GenAIRequestSeed(val int) attribute.KeyValue {
+	return GenAIRequestSeedKey.Int(val)
+}
+
+// GenAIRequestStopSequences returns an attribute KeyValue conforming to the
+// "gen_ai.request.stop_sequences" semantic conventions. It represents the list
+// of sequences that the model will use to stop generating further tokens.
+func GenAIRequestStopSequences(val ...string) attribute.KeyValue {
+	return GenAIRequestStopSequencesKey.StringSlice(val)
+}
+
+// GenAIRequestTemperature returns an attribute KeyValue conforming to the
+// "gen_ai.request.temperature" semantic conventions. It represents the
+// temperature setting for the GenAI request.
+func GenAIRequestTemperature(val float64) attribute.KeyValue {
+	return GenAIRequestTemperatureKey.Float64(val)
+}
+
+// GenAIRequestTopK returns an attribute KeyValue conforming to the
+// "gen_ai.request.top_k" semantic conventions. It represents the top_k sampling
+// setting for the GenAI request.
+func GenAIRequestTopK(val float64) attribute.KeyValue {
+	return GenAIRequestTopKKey.Float64(val)
+}
+
+// GenAIRequestTopP returns an attribute KeyValue conforming to the
+// "gen_ai.request.top_p" semantic conventions. It represents the top_p sampling
+// setting for the GenAI request.
+func GenAIRequestTopP(val float64) attribute.KeyValue {
+	return GenAIRequestTopPKey.Float64(val)
+}
+
+// GenAIResponseFinishReasons returns an attribute KeyValue conforming to the
+// "gen_ai.response.finish_reasons" semantic conventions. It represents the array
+// of reasons the model stopped generating tokens, corresponding to each
+// generation received.
+func GenAIResponseFinishReasons(val ...string) attribute.KeyValue {
+	return GenAIResponseFinishReasonsKey.StringSlice(val)
+}
+
+// GenAIResponseID returns an attribute KeyValue conforming to the
+// "gen_ai.response.id" semantic conventions. It represents the unique identifier
+// for the completion.
+func GenAIResponseID(val string) attribute.KeyValue {
+	return GenAIResponseIDKey.String(val)
+}
+
+// GenAIResponseModel returns an attribute KeyValue conforming to the
+// "gen_ai.response.model" semantic conventions. It represents the name of the
+// model that generated the response.
+func GenAIResponseModel(val string) attribute.KeyValue {
+	return GenAIResponseModelKey.String(val)
+}
+
+// GenAIToolCallID returns an attribute KeyValue conforming to the
+// "gen_ai.tool.call.id" semantic conventions. It represents the tool call
+// identifier.
+func GenAIToolCallID(val string) attribute.KeyValue {
+	return GenAIToolCallIDKey.String(val)
+}
+
+// GenAIToolDescription returns an attribute KeyValue conforming to the
+// "gen_ai.tool.description" semantic conventions. It represents the tool
+// description.
+func GenAIToolDescription(val string) attribute.KeyValue {
+	return GenAIToolDescriptionKey.String(val)
+}
+
+// GenAIToolName returns an attribute KeyValue conforming to the
+// "gen_ai.tool.name" semantic conventions. It represents the name of the tool
+// utilized by the agent.
+func GenAIToolName(val string) attribute.KeyValue {
+	return GenAIToolNameKey.String(val)
+}
+
+// GenAIToolType returns an attribute KeyValue conforming to the
+// "gen_ai.tool.type" semantic conventions. It represents the type of the tool
+// utilized by the agent.
+func GenAIToolType(val string) attribute.KeyValue {
+	return GenAIToolTypeKey.String(val)
+}
+
+// GenAIUsageInputTokens returns an attribute KeyValue conforming to the
+// "gen_ai.usage.input_tokens" semantic conventions. It represents the number of
+// tokens used in the GenAI input (prompt).
+func GenAIUsageInputTokens(val int) attribute.KeyValue {
+	return GenAIUsageInputTokensKey.Int(val)
+}
+
+// GenAIUsageOutputTokens returns an attribute KeyValue conforming to the
+// "gen_ai.usage.output_tokens" semantic conventions. It represents the number of
+// tokens used in the GenAI response (completion).
+func GenAIUsageOutputTokens(val int) attribute.KeyValue {
+	return GenAIUsageOutputTokensKey.Int(val)
+}
+
+// Enum values for gen_ai.openai.request.service_tier
+var (
+	// The system will utilize scale tier credits until they are exhausted.
+	// Stability: development
+	GenAIOpenAIRequestServiceTierAuto = GenAIOpenAIRequestServiceTierKey.String("auto")
+	// The system will utilize the default scale tier.
+	// Stability: development
+	GenAIOpenAIRequestServiceTierDefault = GenAIOpenAIRequestServiceTierKey.String("default")
+)
+
+// Enum values for gen_ai.operation.name
+var (
+	// Chat completion operation such as [OpenAI Chat API]
+	// Stability: development
+	//
+	// [OpenAI Chat API]: https://platform.openai.com/docs/api-reference/chat
+	GenAIOperationNameChat = GenAIOperationNameKey.String("chat")
+	// Multimodal content generation operation such as [Gemini Generate Content]
+	// Stability: development
+	//
+	// [Gemini Generate Content]: https://ai.google.dev/api/generate-content
+	GenAIOperationNameGenerateContent = GenAIOperationNameKey.String("generate_content")
+	// Text completions operation such as [OpenAI Completions API (Legacy)]
+	// Stability: development
+	//
+	// [OpenAI Completions API (Legacy)]: https://platform.openai.com/docs/api-reference/completions
+	GenAIOperationNameTextCompletion = GenAIOperationNameKey.String("text_completion")
+	// Embeddings operation such as [OpenAI Create embeddings API]
+	// Stability: development
+	//
+	// [OpenAI Create embeddings API]: https://platform.openai.com/docs/api-reference/embeddings/create
+	GenAIOperationNameEmbeddings = GenAIOperationNameKey.String("embeddings")
+	// Create GenAI agent
+	// Stability: development
+	GenAIOperationNameCreateAgent = GenAIOperationNameKey.String("create_agent")
+	// Invoke GenAI agent
+	// Stability: development
+	GenAIOperationNameInvokeAgent = GenAIOperationNameKey.String("invoke_agent")
+	// Execute a tool
+	// Stability: development
+	GenAIOperationNameExecuteTool = GenAIOperationNameKey.String("execute_tool")
+)
+
+// Enum values for gen_ai.output.type
+var (
+	// Plain text
+	// Stability: development
+	GenAIOutputTypeText = GenAIOutputTypeKey.String("text")
+	// JSON object with known or unknown schema
+	// Stability: development
+	GenAIOutputTypeJSON = GenAIOutputTypeKey.String("json")
+	// Image
+	// Stability: development
+	GenAIOutputTypeImage = GenAIOutputTypeKey.String("image")
+	// Speech
+	// Stability: development
+	GenAIOutputTypeSpeech = GenAIOutputTypeKey.String("speech")
+)
+
+// Enum values for gen_ai.system
+var (
+	// OpenAI
+	// Stability: development
+	GenAISystemOpenAI = GenAISystemKey.String("openai")
+	// Any Google generative AI endpoint
+	// Stability: development
+	GenAISystemGCPGenAI = GenAISystemKey.String("gcp.gen_ai")
+	// Vertex AI
+	// Stability: development
+	GenAISystemGCPVertexAI = GenAISystemKey.String("gcp.vertex_ai")
+	// Gemini
+	// Stability: development
+	GenAISystemGCPGemini = GenAISystemKey.String("gcp.gemini")
+	// Deprecated: Use 'gcp.vertex_ai' instead.
+	GenAISystemVertexAI = GenAISystemKey.String("vertex_ai")
+	// Deprecated: Use 'gcp.gemini' instead.
+	GenAISystemGemini = GenAISystemKey.String("gemini")
+	// Anthropic
+	// Stability: development
+	GenAISystemAnthropic = GenAISystemKey.String("anthropic")
+	// Cohere
+	// Stability: development
+	GenAISystemCohere = GenAISystemKey.String("cohere")
+	// Azure AI Inference
+	// Stability: development
+	GenAISystemAzAIInference = GenAISystemKey.String("az.ai.inference")
+	// Azure OpenAI
+	// Stability: development
+	GenAISystemAzAIOpenAI = GenAISystemKey.String("az.ai.openai")
+	// IBM Watsonx AI
+	// Stability: development
+	GenAISystemIBMWatsonxAI = GenAISystemKey.String("ibm.watsonx.ai")
+	// AWS Bedrock
+	// Stability: development
+	GenAISystemAWSBedrock = GenAISystemKey.String("aws.bedrock")
+	// Perplexity
+	// Stability: development
+	GenAISystemPerplexity = GenAISystemKey.String("perplexity")
+	// xAI
+	// Stability: development
+	GenAISystemXai = GenAISystemKey.String("xai")
+	// DeepSeek
+	// Stability: development
+	GenAISystemDeepseek = GenAISystemKey.String("deepseek")
+	// Groq
+	// Stability: development
+	GenAISystemGroq = GenAISystemKey.String("groq")
+	// Mistral AI
+	// Stability: development
+	GenAISystemMistralAI = GenAISystemKey.String("mistral_ai")
+)
+
+// Enum values for gen_ai.token.type
+var (
+	// Input tokens (prompt, input, etc.)
+	// Stability: development
+	GenAITokenTypeInput = GenAITokenTypeKey.String("input")
+	// Deprecated: Replaced by `output`.
+	GenAITokenTypeCompletion = GenAITokenTypeKey.String("output")
+	// Output tokens (completion, response, etc.)
+	// Stability: development
+	GenAITokenTypeOutput = GenAITokenTypeKey.String("output")
+)
+
+// Namespace: geo
+const (
+	// GeoContinentCodeKey is the attribute Key conforming to the
+	// "geo.continent.code" semantic conventions. It represents the two-letter code
+	// representing continent’s name.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	GeoContinentCodeKey = attribute.Key("geo.continent.code")
+
+	// GeoCountryISOCodeKey is the attribute Key conforming to the
+	// "geo.country.iso_code" semantic conventions. It represents the two-letter ISO
+	// Country Code ([ISO 3166-1 alpha2]).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "CA"
+	//
+	// [ISO 3166-1 alpha2]: https://wikipedia.org/wiki/ISO_3166-1#Codes
+	GeoCountryISOCodeKey = attribute.Key("geo.country.iso_code")
+
+	// GeoLocalityNameKey is the attribute Key conforming to the "geo.locality.name"
+	// semantic conventions. It represents the locality name. Represents the name of
+	// a city, town, village, or similar populated place.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Montreal", "Berlin"
+	GeoLocalityNameKey = attribute.Key("geo.locality.name")
+
+	// GeoLocationLatKey is the attribute Key conforming to the "geo.location.lat"
+	// semantic conventions. It represents the latitude of the geo location in
+	// [WGS84].
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 45.505918
+	//
+	// [WGS84]: https://wikipedia.org/wiki/World_Geodetic_System#WGS84
+	GeoLocationLatKey = attribute.Key("geo.location.lat")
+
+	// GeoLocationLonKey is the attribute Key conforming to the "geo.location.lon"
+	// semantic conventions. It represents the longitude of the geo location in
+	// [WGS84].
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: -73.61483
+	//
+	// [WGS84]: https://wikipedia.org/wiki/World_Geodetic_System#WGS84
+	GeoLocationLonKey = attribute.Key("geo.location.lon")
+
+	// GeoPostalCodeKey is the attribute Key conforming to the "geo.postal_code"
+	// semantic conventions. It represents the postal code associated with the
+	// location. Values appropriate for this field may also be known as a postcode
+	// or ZIP code and will vary widely from country to country.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "94040"
+	GeoPostalCodeKey = attribute.Key("geo.postal_code")
+
+	// GeoRegionISOCodeKey is the attribute Key conforming to the
+	// "geo.region.iso_code" semantic conventions. It represents the region ISO code
+	// ([ISO 3166-2]).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "CA-QC"
+	//
+	// [ISO 3166-2]: https://wikipedia.org/wiki/ISO_3166-2
+	GeoRegionISOCodeKey = attribute.Key("geo.region.iso_code")
+)
+
+// GeoCountryISOCode returns an attribute KeyValue conforming to the
+// "geo.country.iso_code" semantic conventions. It represents the two-letter ISO
+// Country Code ([ISO 3166-1 alpha2]).
+//
+// [ISO 3166-1 alpha2]: https://wikipedia.org/wiki/ISO_3166-1#Codes
+func GeoCountryISOCode(val string) attribute.KeyValue {
+	return GeoCountryISOCodeKey.String(val)
+}
+
+// GeoLocalityName returns an attribute KeyValue conforming to the
+// "geo.locality.name" semantic conventions. It represents the locality name.
+// Represents the name of a city, town, village, or similar populated place.
+func GeoLocalityName(val string) attribute.KeyValue {
+	return GeoLocalityNameKey.String(val)
+}
+
+// GeoLocationLat returns an attribute KeyValue conforming to the
+// "geo.location.lat" semantic conventions. It represents the latitude of the geo
+// location in [WGS84].
+//
+// [WGS84]: https://wikipedia.org/wiki/World_Geodetic_System#WGS84
+func GeoLocationLat(val float64) attribute.KeyValue {
+	return GeoLocationLatKey.Float64(val)
+}
+
+// GeoLocationLon returns an attribute KeyValue conforming to the
+// "geo.location.lon" semantic conventions. It represents the longitude of the
+// geo location in [WGS84].
+//
+// [WGS84]: https://wikipedia.org/wiki/World_Geodetic_System#WGS84
+func GeoLocationLon(val float64) attribute.KeyValue {
+	return GeoLocationLonKey.Float64(val)
+}
+
+// GeoPostalCode returns an attribute KeyValue conforming to the
+// "geo.postal_code" semantic conventions. It represents the postal code
+// associated with the location. Values appropriate for this field may also be
+// known as a postcode or ZIP code and will vary widely from country to country.
+func GeoPostalCode(val string) attribute.KeyValue {
+	return GeoPostalCodeKey.String(val)
+}
+
+// GeoRegionISOCode returns an attribute KeyValue conforming to the
+// "geo.region.iso_code" semantic conventions. It represents the region ISO code
+// ([ISO 3166-2]).
+//
+// [ISO 3166-2]: https://wikipedia.org/wiki/ISO_3166-2
+func GeoRegionISOCode(val string) attribute.KeyValue {
+	return GeoRegionISOCodeKey.String(val)
+}
+
+// Enum values for geo.continent.code
+var (
+	// Africa
+	// Stability: development
+	GeoContinentCodeAf = GeoContinentCodeKey.String("AF")
+	// Antarctica
+	// Stability: development
+	GeoContinentCodeAn = GeoContinentCodeKey.String("AN")
+	// Asia
+	// Stability: development
+	GeoContinentCodeAs = GeoContinentCodeKey.String("AS")
+	// Europe
+	// Stability: development
+	GeoContinentCodeEu = GeoContinentCodeKey.String("EU")
+	// North America
+	// Stability: development
+	GeoContinentCodeNa = GeoContinentCodeKey.String("NA")
+	// Oceania
+	// Stability: development
+	GeoContinentCodeOc = GeoContinentCodeKey.String("OC")
+	// South America
+	// Stability: development
+	GeoContinentCodeSa = GeoContinentCodeKey.String("SA")
+)
+
+// Namespace: go
+const (
+	// GoMemoryTypeKey is the attribute Key conforming to the "go.memory.type"
+	// semantic conventions. It represents the type of memory.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "other", "stack"
+	GoMemoryTypeKey = attribute.Key("go.memory.type")
+)
+
+// Enum values for go.memory.type
+var (
+	// Memory allocated from the heap that is reserved for stack space, whether or
+	// not it is currently in-use.
+	// Stability: development
+	GoMemoryTypeStack = GoMemoryTypeKey.String("stack")
+	// Memory used by the Go runtime, excluding other categories of memory usage
+	// described in this enumeration.
+	// Stability: development
+	GoMemoryTypeOther = GoMemoryTypeKey.String("other")
+)
+
+// Namespace: graphql
+const (
+	// GraphQLDocumentKey is the attribute Key conforming to the "graphql.document"
+	// semantic conventions. It represents the GraphQL document being executed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: query findBookById { bookById(id: ?) { name } }
+	// Note: The value may be sanitized to exclude sensitive information.
+	GraphQLDocumentKey = attribute.Key("graphql.document")
+
+	// GraphQLOperationNameKey is the attribute Key conforming to the
+	// "graphql.operation.name" semantic conventions. It represents the name of the
+	// operation being executed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: findBookById
+	GraphQLOperationNameKey = attribute.Key("graphql.operation.name")
+
+	// GraphQLOperationTypeKey is the attribute Key conforming to the
+	// "graphql.operation.type" semantic conventions. It represents the type of the
+	// operation being executed.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "query", "mutation", "subscription"
+	GraphQLOperationTypeKey = attribute.Key("graphql.operation.type")
+)
+
+// GraphQLDocument returns an attribute KeyValue conforming to the
+// "graphql.document" semantic conventions. It represents the GraphQL document
+// being executed.
+func GraphQLDocument(val string) attribute.KeyValue {
+	return GraphQLDocumentKey.String(val)
+}
+
+// GraphQLOperationName returns an attribute KeyValue conforming to the
+// "graphql.operation.name" semantic conventions. It represents the name of the
+// operation being executed.
+func GraphQLOperationName(val string) attribute.KeyValue {
+	return GraphQLOperationNameKey.String(val)
+}
+
+// Enum values for graphql.operation.type
+var (
+	// GraphQL query
+	// Stability: development
+	GraphQLOperationTypeQuery = GraphQLOperationTypeKey.String("query")
+	// GraphQL mutation
+	// Stability: development
+	GraphQLOperationTypeMutation = GraphQLOperationTypeKey.String("mutation")
+	// GraphQL subscription
+	// Stability: development
+	GraphQLOperationTypeSubscription = GraphQLOperationTypeKey.String("subscription")
+)
+
+// Namespace: heroku
+const (
+	// HerokuAppIDKey is the attribute Key conforming to the "heroku.app.id"
+	// semantic conventions. It represents the unique identifier for the
+	// application.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2daa2797-e42b-4624-9322-ec3f968df4da"
+	HerokuAppIDKey = attribute.Key("heroku.app.id")
+
+	// HerokuReleaseCommitKey is the attribute Key conforming to the
+	// "heroku.release.commit" semantic conventions. It represents the commit hash
+	// for the current release.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "e6134959463efd8966b20e75b913cafe3f5ec"
+	HerokuReleaseCommitKey = attribute.Key("heroku.release.commit")
+
+	// HerokuReleaseCreationTimestampKey is the attribute Key conforming to the
+	// "heroku.release.creation_timestamp" semantic conventions. It represents the
+	// time and date the release was created.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2022-10-23T18:00:42Z"
+	HerokuReleaseCreationTimestampKey = attribute.Key("heroku.release.creation_timestamp")
+)
+
+// HerokuAppID returns an attribute KeyValue conforming to the "heroku.app.id"
+// semantic conventions. It represents the unique identifier for the application.
+func HerokuAppID(val string) attribute.KeyValue {
+	return HerokuAppIDKey.String(val)
+}
+
+// HerokuReleaseCommit returns an attribute KeyValue conforming to the
+// "heroku.release.commit" semantic conventions. It represents the commit hash
+// for the current release.
+func HerokuReleaseCommit(val string) attribute.KeyValue {
+	return HerokuReleaseCommitKey.String(val)
+}
+
+// HerokuReleaseCreationTimestamp returns an attribute KeyValue conforming to the
+// "heroku.release.creation_timestamp" semantic conventions. It represents the
+// time and date the release was created.
+func HerokuReleaseCreationTimestamp(val string) attribute.KeyValue {
+	return HerokuReleaseCreationTimestampKey.String(val)
+}
+
+// Namespace: host
+const (
+	// HostArchKey is the attribute Key conforming to the "host.arch" semantic
+	// conventions. It represents the CPU architecture the host system is running
+	// on.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HostArchKey = attribute.Key("host.arch")
+
+	// HostCPUCacheL2SizeKey is the attribute Key conforming to the
+	// "host.cpu.cache.l2.size" semantic conventions. It represents the amount of
+	// level 2 memory cache available to the processor (in Bytes).
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 12288000
+	HostCPUCacheL2SizeKey = attribute.Key("host.cpu.cache.l2.size")
+
+	// HostCPUFamilyKey is the attribute Key conforming to the "host.cpu.family"
+	// semantic conventions. It represents the family or generation of the CPU.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "6", "PA-RISC 1.1e"
+	HostCPUFamilyKey = attribute.Key("host.cpu.family")
+
+	// HostCPUModelIDKey is the attribute Key conforming to the "host.cpu.model.id"
+	// semantic conventions. It represents the model identifier. It provides more
+	// granular information about the CPU, distinguishing it from other CPUs within
+	// the same family.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "6", "9000/778/B180L"
+	HostCPUModelIDKey = attribute.Key("host.cpu.model.id")
+
+	// HostCPUModelNameKey is the attribute Key conforming to the
+	// "host.cpu.model.name" semantic conventions. It represents the model
+	// designation of the processor.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz"
+	HostCPUModelNameKey = attribute.Key("host.cpu.model.name")
+
+	// HostCPUSteppingKey is the attribute Key conforming to the "host.cpu.stepping"
+	// semantic conventions. It represents the stepping or core revisions.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1", "r1p1"
+	HostCPUSteppingKey = attribute.Key("host.cpu.stepping")
+
+	// HostCPUVendorIDKey is the attribute Key conforming to the
+	// "host.cpu.vendor.id" semantic conventions. It represents the processor
+	// manufacturer identifier. A maximum 12-character string.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "GenuineIntel"
+	// Note: [CPUID] command returns the vendor ID string in EBX, EDX and ECX
+	// registers. Writing these to memory in this order results in a 12-character
+	// string.
+	//
+	// [CPUID]: https://wiki.osdev.org/CPUID
+	HostCPUVendorIDKey = attribute.Key("host.cpu.vendor.id")
+
+	// HostIDKey is the attribute Key conforming to the "host.id" semantic
+	// conventions. It represents the unique host ID. For Cloud, this must be the
+	// instance_id assigned by the cloud provider. For non-containerized systems,
+	// this should be the `machine-id`. See the table below for the sources to use
+	// to determine the `machine-id` based on operating system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "fdbf79e8af94cb7f9e8df36789187052"
+	HostIDKey = attribute.Key("host.id")
+
+	// HostImageIDKey is the attribute Key conforming to the "host.image.id"
+	// semantic conventions. It represents the VM image ID or host OS image ID. For
+	// Cloud, this value is from the provider.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "ami-07b06b442921831e5"
+	HostImageIDKey = attribute.Key("host.image.id")
+
+	// HostImageNameKey is the attribute Key conforming to the "host.image.name"
+	// semantic conventions. It represents the name of the VM image or OS install
+	// the host was instantiated from.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "infra-ami-eks-worker-node-7d4ec78312", "CentOS-8-x86_64-1905"
+	HostImageNameKey = attribute.Key("host.image.name")
+
+	// HostImageVersionKey is the attribute Key conforming to the
+	// "host.image.version" semantic conventions. It represents the version string
+	// of the VM image or host OS as defined in [Version Attributes].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "0.1"
+	//
+	// [Version Attributes]: /docs/resource/README.md#version-attributes
+	HostImageVersionKey = attribute.Key("host.image.version")
+
+	// HostIPKey is the attribute Key conforming to the "host.ip" semantic
+	// conventions. It represents the available IP addresses of the host, excluding
+	// loopback interfaces.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "192.168.1.140", "fe80::abc2:4a28:737a:609e"
+	// Note: IPv4 Addresses MUST be specified in dotted-quad notation. IPv6
+	// addresses MUST be specified in the [RFC 5952] format.
+	//
+	// [RFC 5952]: https://www.rfc-editor.org/rfc/rfc5952.html
+	HostIPKey = attribute.Key("host.ip")
+
+	// HostMacKey is the attribute Key conforming to the "host.mac" semantic
+	// conventions. It represents the available MAC addresses of the host, excluding
+	// loopback interfaces.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "AC-DE-48-23-45-67", "AC-DE-48-23-45-67-01-9F"
+	// Note: MAC Addresses MUST be represented in [IEEE RA hexadecimal form]: as
+	// hyphen-separated octets in uppercase hexadecimal form from most to least
+	// significant.
+	//
+	// [IEEE RA hexadecimal form]: https://standards.ieee.org/wp-content/uploads/import/documents/tutorials/eui.pdf
+	HostMacKey = attribute.Key("host.mac")
+
+	// HostNameKey is the attribute Key conforming to the "host.name" semantic
+	// conventions. It represents the name of the host. On Unix systems, it may
+	// contain what the hostname command returns, or the fully qualified hostname,
+	// or another name specified by the user.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry-test"
+	HostNameKey = attribute.Key("host.name")
+
+	// HostTypeKey is the attribute Key conforming to the "host.type" semantic
+	// conventions. It represents the type of host. For Cloud, this must be the
+	// machine type.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "n1-standard-1"
+	HostTypeKey = attribute.Key("host.type")
+)
+
+// HostCPUCacheL2Size returns an attribute KeyValue conforming to the
+// "host.cpu.cache.l2.size" semantic conventions. It represents the amount of
+// level 2 memory cache available to the processor (in Bytes).
+func HostCPUCacheL2Size(val int) attribute.KeyValue {
+	return HostCPUCacheL2SizeKey.Int(val)
+}
+
+// HostCPUFamily returns an attribute KeyValue conforming to the
+// "host.cpu.family" semantic conventions. It represents the family or generation
+// of the CPU.
+func HostCPUFamily(val string) attribute.KeyValue {
+	return HostCPUFamilyKey.String(val)
+}
+
+// HostCPUModelID returns an attribute KeyValue conforming to the
+// "host.cpu.model.id" semantic conventions. It represents the model identifier.
+// It provides more granular information about the CPU, distinguishing it from
+// other CPUs within the same family.
+func HostCPUModelID(val string) attribute.KeyValue {
+	return HostCPUModelIDKey.String(val)
+}
+
+// HostCPUModelName returns an attribute KeyValue conforming to the
+// "host.cpu.model.name" semantic conventions. It represents the model
+// designation of the processor.
+func HostCPUModelName(val string) attribute.KeyValue {
+	return HostCPUModelNameKey.String(val)
+}
+
+// HostCPUStepping returns an attribute KeyValue conforming to the
+// "host.cpu.stepping" semantic conventions. It represents the stepping or core
+// revisions.
+func HostCPUStepping(val string) attribute.KeyValue {
+	return HostCPUSteppingKey.String(val)
+}
+
+// HostCPUVendorID returns an attribute KeyValue conforming to the
+// "host.cpu.vendor.id" semantic conventions. It represents the processor
+// manufacturer identifier. A maximum 12-character string.
+func HostCPUVendorID(val string) attribute.KeyValue {
+	return HostCPUVendorIDKey.String(val)
+}
+
+// HostID returns an attribute KeyValue conforming to the "host.id" semantic
+// conventions. It represents the unique host ID. For Cloud, this must be the
+// instance_id assigned by the cloud provider. For non-containerized systems,
+// this should be the `machine-id`. See the table below for the sources to use to
+// determine the `machine-id` based on operating system.
+func HostID(val string) attribute.KeyValue {
+	return HostIDKey.String(val)
+}
+
+// HostImageID returns an attribute KeyValue conforming to the "host.image.id"
+// semantic conventions. It represents the VM image ID or host OS image ID. For
+// Cloud, this value is from the provider.
+func HostImageID(val string) attribute.KeyValue {
+	return HostImageIDKey.String(val)
+}
+
+// HostImageName returns an attribute KeyValue conforming to the
+// "host.image.name" semantic conventions. It represents the name of the VM image
+// or OS install the host was instantiated from.
+func HostImageName(val string) attribute.KeyValue {
+	return HostImageNameKey.String(val)
+}
+
+// HostImageVersion returns an attribute KeyValue conforming to the
+// "host.image.version" semantic conventions. It represents the version string of
+// the VM image or host OS as defined in [Version Attributes].
+//
+// [Version Attributes]: /docs/resource/README.md#version-attributes
+func HostImageVersion(val string) attribute.KeyValue {
+	return HostImageVersionKey.String(val)
+}
+
+// HostIP returns an attribute KeyValue conforming to the "host.ip" semantic
+// conventions. It represents the available IP addresses of the host, excluding
+// loopback interfaces.
+func HostIP(val ...string) attribute.KeyValue {
+	return HostIPKey.StringSlice(val)
+}
+
+// HostMac returns an attribute KeyValue conforming to the "host.mac" semantic
+// conventions. It represents the available MAC addresses of the host, excluding
+// loopback interfaces.
+func HostMac(val ...string) attribute.KeyValue {
+	return HostMacKey.StringSlice(val)
+}
+
+// HostName returns an attribute KeyValue conforming to the "host.name" semantic
+// conventions. It represents the name of the host. On Unix systems, it may
+// contain what the hostname command returns, or the fully qualified hostname, or
+// another name specified by the user.
+func HostName(val string) attribute.KeyValue {
+	return HostNameKey.String(val)
+}
+
+// HostType returns an attribute KeyValue conforming to the "host.type" semantic
+// conventions. It represents the type of host. For Cloud, this must be the
+// machine type.
+func HostType(val string) attribute.KeyValue {
+	return HostTypeKey.String(val)
+}
+
+// Enum values for host.arch
+var (
+	// AMD64
+	// Stability: development
+	HostArchAMD64 = HostArchKey.String("amd64")
+	// ARM32
+	// Stability: development
+	HostArchARM32 = HostArchKey.String("arm32")
+	// ARM64
+	// Stability: development
+	HostArchARM64 = HostArchKey.String("arm64")
+	// Itanium
+	// Stability: development
+	HostArchIA64 = HostArchKey.String("ia64")
+	// 32-bit PowerPC
+	// Stability: development
+	HostArchPPC32 = HostArchKey.String("ppc32")
+	// 64-bit PowerPC
+	// Stability: development
+	HostArchPPC64 = HostArchKey.String("ppc64")
+	// IBM z/Architecture
+	// Stability: development
+	HostArchS390x = HostArchKey.String("s390x")
+	// 32-bit x86
+	// Stability: development
+	HostArchX86 = HostArchKey.String("x86")
+)
+
+// Namespace: http
+const (
+	// HTTPConnectionStateKey is the attribute Key conforming to the
+	// "http.connection.state" semantic conventions. It represents the state of the
+	// HTTP connection in the HTTP connection pool.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "active", "idle"
+	HTTPConnectionStateKey = attribute.Key("http.connection.state")
+
+	// HTTPRequestBodySizeKey is the attribute Key conforming to the
+	// "http.request.body.size" semantic conventions. It represents the size of the
+	// request payload body in bytes. This is the number of bytes transferred
+	// excluding headers and is often, but not always, present as the
+	// [Content-Length] header. For requests using transport encoding, this should
+	// be the compressed size.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+	HTTPRequestBodySizeKey = attribute.Key("http.request.body.size")
+
+	// HTTPRequestMethodKey is the attribute Key conforming to the
+	// "http.request.method" semantic conventions. It represents the HTTP request
+	// method.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "GET", "POST", "HEAD"
+	// Note: HTTP request method value SHOULD be "known" to the instrumentation.
+	// By default, this convention defines "known" methods as the ones listed in
+	// [RFC9110]
+	// and the PATCH method defined in [RFC5789].
+	//
+	// If the HTTP request method is not known to instrumentation, it MUST set the
+	// `http.request.method` attribute to `_OTHER`.
+	//
+	// If the HTTP instrumentation could end up converting valid HTTP request
+	// methods to `_OTHER`, then it MUST provide a way to override
+	// the list of known HTTP methods. If this override is done via environment
+	// variable, then the environment variable MUST be named
+	// OTEL_INSTRUMENTATION_HTTP_KNOWN_METHODS and support a comma-separated list of
+	// case-sensitive known HTTP methods
+	// (this list MUST be a full override of the default known method, it is not a
+	// list of known methods in addition to the defaults).
+	//
+	// HTTP method names are case-sensitive and `http.request.method` attribute
+	// value MUST match a known HTTP method name exactly.
+	// Instrumentations for specific web frameworks that consider HTTP methods to be
+	// case insensitive, SHOULD populate a canonical equivalent.
+	// Tracing instrumentations that do so, MUST also set
+	// `http.request.method_original` to the original value.
+	//
+	// [RFC9110]: https://www.rfc-editor.org/rfc/rfc9110.html#name-methods
+	// [RFC5789]: https://www.rfc-editor.org/rfc/rfc5789.html
+	HTTPRequestMethodKey = attribute.Key("http.request.method")
+
+	// HTTPRequestMethodOriginalKey is the attribute Key conforming to the
+	// "http.request.method_original" semantic conventions. It represents the
+	// original HTTP method sent by the client in the request line.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "GeT", "ACL", "foo"
+	HTTPRequestMethodOriginalKey = attribute.Key("http.request.method_original")
+
+	// HTTPRequestResendCountKey is the attribute Key conforming to the
+	// "http.request.resend_count" semantic conventions. It represents the ordinal
+	// number of request resending attempt (for any reason, including redirects).
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Note: The resend count SHOULD be updated each time an HTTP request gets
+	// resent by the client, regardless of what was the cause of the resending (e.g.
+	// redirection, authorization failure, 503 Server Unavailable, network issues,
+	// or any other).
+	HTTPRequestResendCountKey = attribute.Key("http.request.resend_count")
+
+	// HTTPRequestSizeKey is the attribute Key conforming to the "http.request.size"
+	// semantic conventions. It represents the total size of the request in bytes.
+	// This should be the total number of bytes sent over the wire, including the
+	// request line (HTTP/1.1), framing (HTTP/2 and HTTP/3), headers, and request
+	// body if any.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	HTTPRequestSizeKey = attribute.Key("http.request.size")
+
+	// HTTPResponseBodySizeKey is the attribute Key conforming to the
+	// "http.response.body.size" semantic conventions. It represents the size of the
+	// response payload body in bytes. This is the number of bytes transferred
+	// excluding headers and is often, but not always, present as the
+	// [Content-Length] header. For requests using transport encoding, this should
+	// be the compressed size.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+	HTTPResponseBodySizeKey = attribute.Key("http.response.body.size")
+
+	// HTTPResponseSizeKey is the attribute Key conforming to the
+	// "http.response.size" semantic conventions. It represents the total size of
+	// the response in bytes. This should be the total number of bytes sent over the
+	// wire, including the status line (HTTP/1.1), framing (HTTP/2 and HTTP/3),
+	// headers, and response body and trailers if any.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	HTTPResponseSizeKey = attribute.Key("http.response.size")
+
+	// HTTPResponseStatusCodeKey is the attribute Key conforming to the
+	// "http.response.status_code" semantic conventions. It represents the
+	// [HTTP response status code].
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: 200
+	//
+	// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+	HTTPResponseStatusCodeKey = attribute.Key("http.response.status_code")
+
+	// HTTPRouteKey is the attribute Key conforming to the "http.route" semantic
+	// conventions. It represents the matched route, that is, the path template in
+	// the format used by the respective server framework.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "/users/:userID?", "{controller}/{action}/{id?}"
+	// Note: MUST NOT be populated when this is not supported by the HTTP server
+	// framework as the route attribute should have low-cardinality and the URI path
+	// can NOT substitute it.
+	// SHOULD include the [application root] if there is one.
+	//
+	// [application root]: /docs/http/http-spans.md#http-server-definitions
+	HTTPRouteKey = attribute.Key("http.route")
+)
+
+// HTTPRequestBodySize returns an attribute KeyValue conforming to the
+// "http.request.body.size" semantic conventions. It represents the size of the
+// request payload body in bytes. This is the number of bytes transferred
+// excluding headers and is often, but not always, present as the
+// [Content-Length] header. For requests using transport encoding, this should be
+// the compressed size.
+//
+// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+func HTTPRequestBodySize(val int) attribute.KeyValue {
+	return HTTPRequestBodySizeKey.Int(val)
+}
+
+// HTTPRequestMethodOriginal returns an attribute KeyValue conforming to the
+// "http.request.method_original" semantic conventions. It represents the
+// original HTTP method sent by the client in the request line.
+func HTTPRequestMethodOriginal(val string) attribute.KeyValue {
+	return HTTPRequestMethodOriginalKey.String(val)
+}
+
+// HTTPRequestResendCount returns an attribute KeyValue conforming to the
+// "http.request.resend_count" semantic conventions. It represents the ordinal
+// number of request resending attempt (for any reason, including redirects).
+func HTTPRequestResendCount(val int) attribute.KeyValue {
+	return HTTPRequestResendCountKey.Int(val)
+}
+
+// HTTPRequestSize returns an attribute KeyValue conforming to the
+// "http.request.size" semantic conventions. It represents the total size of the
+// request in bytes. This should be the total number of bytes sent over the wire,
+// including the request line (HTTP/1.1), framing (HTTP/2 and HTTP/3), headers,
+// and request body if any.
+func HTTPRequestSize(val int) attribute.KeyValue {
+	return HTTPRequestSizeKey.Int(val)
+}
+
+// HTTPResponseBodySize returns an attribute KeyValue conforming to the
+// "http.response.body.size" semantic conventions. It represents the size of the
+// response payload body in bytes. This is the number of bytes transferred
+// excluding headers and is often, but not always, present as the
+// [Content-Length] header. For requests using transport encoding, this should be
+// the compressed size.
+//
+// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+func HTTPResponseBodySize(val int) attribute.KeyValue {
+	return HTTPResponseBodySizeKey.Int(val)
+}
+
+// HTTPResponseSize returns an attribute KeyValue conforming to the
+// "http.response.size" semantic conventions. It represents the total size of the
+// response in bytes. This should be the total number of bytes sent over the
+// wire, including the status line (HTTP/1.1), framing (HTTP/2 and HTTP/3),
+// headers, and response body and trailers if any.
+func HTTPResponseSize(val int) attribute.KeyValue {
+	return HTTPResponseSizeKey.Int(val)
+}
+
+// HTTPResponseStatusCode returns an attribute KeyValue conforming to the
+// "http.response.status_code" semantic conventions. It represents the
+// [HTTP response status code].
+//
+// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+func HTTPResponseStatusCode(val int) attribute.KeyValue {
+	return HTTPResponseStatusCodeKey.Int(val)
+}
+
+// HTTPRoute returns an attribute KeyValue conforming to the "http.route"
+// semantic conventions. It represents the matched route, that is, the path
+// template in the format used by the respective server framework.
+func HTTPRoute(val string) attribute.KeyValue {
+	return HTTPRouteKey.String(val)
+}
+
+// Enum values for http.connection.state
+var (
+	// active state.
+	// Stability: development
+	HTTPConnectionStateActive = HTTPConnectionStateKey.String("active")
+	// idle state.
+	// Stability: development
+	HTTPConnectionStateIdle = HTTPConnectionStateKey.String("idle")
+)
+
+// Enum values for http.request.method
+var (
+	// CONNECT method.
+	// Stability: stable
+	HTTPRequestMethodConnect = HTTPRequestMethodKey.String("CONNECT")
+	// DELETE method.
+	// Stability: stable
+	HTTPRequestMethodDelete = HTTPRequestMethodKey.String("DELETE")
+	// GET method.
+	// Stability: stable
+	HTTPRequestMethodGet = HTTPRequestMethodKey.String("GET")
+	// HEAD method.
+	// Stability: stable
+	HTTPRequestMethodHead = HTTPRequestMethodKey.String("HEAD")
+	// OPTIONS method.
+	// Stability: stable
+	HTTPRequestMethodOptions = HTTPRequestMethodKey.String("OPTIONS")
+	// PATCH method.
+	// Stability: stable
+	HTTPRequestMethodPatch = HTTPRequestMethodKey.String("PATCH")
+	// POST method.
+	// Stability: stable
+	HTTPRequestMethodPost = HTTPRequestMethodKey.String("POST")
+	// PUT method.
+	// Stability: stable
+	HTTPRequestMethodPut = HTTPRequestMethodKey.String("PUT")
+	// TRACE method.
+	// Stability: stable
+	HTTPRequestMethodTrace = HTTPRequestMethodKey.String("TRACE")
+	// Any HTTP method that the instrumentation has no prior knowledge of.
+	// Stability: stable
+	HTTPRequestMethodOther = HTTPRequestMethodKey.String("_OTHER")
+)
+
+// Namespace: hw
+const (
+	// HwIDKey is the attribute Key conforming to the "hw.id" semantic conventions.
+	// It represents an identifier for the hardware component, unique within the
+	// monitored host.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "win32battery_battery_testsysa33_1"
+	HwIDKey = attribute.Key("hw.id")
+
+	// HwNameKey is the attribute Key conforming to the "hw.name" semantic
+	// conventions. It represents an easily-recognizable name for the hardware
+	// component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "eth0"
+	HwNameKey = attribute.Key("hw.name")
+
+	// HwParentKey is the attribute Key conforming to the "hw.parent" semantic
+	// conventions. It represents the unique identifier of the parent component
+	// (typically the `hw.id` attribute of the enclosure, or disk controller).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "dellStorage_perc_0"
+	HwParentKey = attribute.Key("hw.parent")
+
+	// HwStateKey is the attribute Key conforming to the "hw.state" semantic
+	// conventions. It represents the current state of the component.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HwStateKey = attribute.Key("hw.state")
+
+	// HwTypeKey is the attribute Key conforming to the "hw.type" semantic
+	// conventions. It represents the type of the component.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: Describes the category of the hardware component for which `hw.state`
+	// is being reported. For example, `hw.type=temperature` along with
+	// `hw.state=degraded` would indicate that the temperature of the hardware
+	// component has been reported as `degraded`.
+	HwTypeKey = attribute.Key("hw.type")
+)
+
+// HwID returns an attribute KeyValue conforming to the "hw.id" semantic
+// conventions. It represents an identifier for the hardware component, unique
+// within the monitored host.
+func HwID(val string) attribute.KeyValue {
+	return HwIDKey.String(val)
+}
+
+// HwName returns an attribute KeyValue conforming to the "hw.name" semantic
+// conventions. It represents an easily-recognizable name for the hardware
+// component.
+func HwName(val string) attribute.KeyValue {
+	return HwNameKey.String(val)
+}
+
+// HwParent returns an attribute KeyValue conforming to the "hw.parent" semantic
+// conventions. It represents the unique identifier of the parent component
+// (typically the `hw.id` attribute of the enclosure, or disk controller).
+func HwParent(val string) attribute.KeyValue {
+	return HwParentKey.String(val)
+}
+
+// Enum values for hw.state
+var (
+	// Ok
+	// Stability: development
+	HwStateOk = HwStateKey.String("ok")
+	// Degraded
+	// Stability: development
+	HwStateDegraded = HwStateKey.String("degraded")
+	// Failed
+	// Stability: development
+	HwStateFailed = HwStateKey.String("failed")
+)
+
+// Enum values for hw.type
+var (
+	// Battery
+	// Stability: development
+	HwTypeBattery = HwTypeKey.String("battery")
+	// CPU
+	// Stability: development
+	HwTypeCPU = HwTypeKey.String("cpu")
+	// Disk controller
+	// Stability: development
+	HwTypeDiskController = HwTypeKey.String("disk_controller")
+	// Enclosure
+	// Stability: development
+	HwTypeEnclosure = HwTypeKey.String("enclosure")
+	// Fan
+	// Stability: development
+	HwTypeFan = HwTypeKey.String("fan")
+	// GPU
+	// Stability: development
+	HwTypeGpu = HwTypeKey.String("gpu")
+	// Logical disk
+	// Stability: development
+	HwTypeLogicalDisk = HwTypeKey.String("logical_disk")
+	// Memory
+	// Stability: development
+	HwTypeMemory = HwTypeKey.String("memory")
+	// Network
+	// Stability: development
+	HwTypeNetwork = HwTypeKey.String("network")
+	// Physical disk
+	// Stability: development
+	HwTypePhysicalDisk = HwTypeKey.String("physical_disk")
+	// Power supply
+	// Stability: development
+	HwTypePowerSupply = HwTypeKey.String("power_supply")
+	// Tape drive
+	// Stability: development
+	HwTypeTapeDrive = HwTypeKey.String("tape_drive")
+	// Temperature
+	// Stability: development
+	HwTypeTemperature = HwTypeKey.String("temperature")
+	// Voltage
+	// Stability: development
+	HwTypeVoltage = HwTypeKey.String("voltage")
+)
+
+// Namespace: ios
+const (
+	// IOSAppStateKey is the attribute Key conforming to the "ios.app.state"
+	// semantic conventions. It represents the this attribute represents the state
+	// of the application.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: The iOS lifecycle states are defined in the
+	// [UIApplicationDelegate documentation], and from which the `OS terminology`
+	// column values are derived.
+	//
+	// [UIApplicationDelegate documentation]: https://developer.apple.com/documentation/uikit/uiapplicationdelegate
+	IOSAppStateKey = attribute.Key("ios.app.state")
+)
+
+// Enum values for ios.app.state
+var (
+	// The app has become `active`. Associated with UIKit notification
+	// `applicationDidBecomeActive`.
+	//
+	// Stability: development
+	IOSAppStateActive = IOSAppStateKey.String("active")
+	// The app is now `inactive`. Associated with UIKit notification
+	// `applicationWillResignActive`.
+	//
+	// Stability: development
+	IOSAppStateInactive = IOSAppStateKey.String("inactive")
+	// The app is now in the background. This value is associated with UIKit
+	// notification `applicationDidEnterBackground`.
+	//
+	// Stability: development
+	IOSAppStateBackground = IOSAppStateKey.String("background")
+	// The app is now in the foreground. This value is associated with UIKit
+	// notification `applicationWillEnterForeground`.
+	//
+	// Stability: development
+	IOSAppStateForeground = IOSAppStateKey.String("foreground")
+	// The app is about to terminate. Associated with UIKit notification
+	// `applicationWillTerminate`.
+	//
+	// Stability: development
+	IOSAppStateTerminate = IOSAppStateKey.String("terminate")
+)
+
+// Namespace: k8s
+const (
+	// K8SClusterNameKey is the attribute Key conforming to the "k8s.cluster.name"
+	// semantic conventions. It represents the name of the cluster.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry-cluster"
+	K8SClusterNameKey = attribute.Key("k8s.cluster.name")
+
+	// K8SClusterUIDKey is the attribute Key conforming to the "k8s.cluster.uid"
+	// semantic conventions. It represents a pseudo-ID for the cluster, set to the
+	// UID of the `kube-system` namespace.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "218fc5a9-a5f1-4b54-aa05-46717d0ab26d"
+	// Note: K8s doesn't have support for obtaining a cluster ID. If this is ever
+	// added, we will recommend collecting the `k8s.cluster.uid` through the
+	// official APIs. In the meantime, we are able to use the `uid` of the
+	// `kube-system` namespace as a proxy for cluster ID. Read on for the
+	// rationale.
+	//
+	// Every object created in a K8s cluster is assigned a distinct UID. The
+	// `kube-system` namespace is used by Kubernetes itself and will exist
+	// for the lifetime of the cluster. Using the `uid` of the `kube-system`
+	// namespace is a reasonable proxy for the K8s ClusterID as it will only
+	// change if the cluster is rebuilt. Furthermore, Kubernetes UIDs are
+	// UUIDs as standardized by
+	// [ISO/IEC 9834-8 and ITU-T X.667].
+	// Which states:
+	//
+	// > If generated according to one of the mechanisms defined in Rec.
+	// > ITU-T X.667 | ISO/IEC 9834-8, a UUID is either guaranteed to be
+	// > different from all other UUIDs generated before 3603 A.D., or is
+	// > extremely likely to be different (depending on the mechanism chosen).
+	//
+	// Therefore, UIDs between clusters should be extremely unlikely to
+	// conflict.
+	//
+	// [ISO/IEC 9834-8 and ITU-T X.667]: https://www.itu.int/ITU-T/studygroups/com17/oid.html
+	K8SClusterUIDKey = attribute.Key("k8s.cluster.uid")
+
+	// K8SContainerNameKey is the attribute Key conforming to the
+	// "k8s.container.name" semantic conventions. It represents the name of the
+	// Container from Pod specification, must be unique within a Pod. Container
+	// runtime usually uses different globally unique name (`container.name`).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "redis"
+	K8SContainerNameKey = attribute.Key("k8s.container.name")
+
+	// K8SContainerRestartCountKey is the attribute Key conforming to the
+	// "k8s.container.restart_count" semantic conventions. It represents the number
+	// of times the container was restarted. This attribute can be used to identify
+	// a particular container (running or stopped) within a container spec.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	K8SContainerRestartCountKey = attribute.Key("k8s.container.restart_count")
+
+	// K8SContainerStatusLastTerminatedReasonKey is the attribute Key conforming to
+	// the "k8s.container.status.last_terminated_reason" semantic conventions. It
+	// represents the last terminated reason of the Container.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Evicted", "Error"
+	K8SContainerStatusLastTerminatedReasonKey = attribute.Key("k8s.container.status.last_terminated_reason")
+
+	// K8SCronJobNameKey is the attribute Key conforming to the "k8s.cronjob.name"
+	// semantic conventions. It represents the name of the CronJob.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SCronJobNameKey = attribute.Key("k8s.cronjob.name")
+
+	// K8SCronJobUIDKey is the attribute Key conforming to the "k8s.cronjob.uid"
+	// semantic conventions. It represents the UID of the CronJob.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SCronJobUIDKey = attribute.Key("k8s.cronjob.uid")
+
+	// K8SDaemonSetNameKey is the attribute Key conforming to the
+	// "k8s.daemonset.name" semantic conventions. It represents the name of the
+	// DaemonSet.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SDaemonSetNameKey = attribute.Key("k8s.daemonset.name")
+
+	// K8SDaemonSetUIDKey is the attribute Key conforming to the "k8s.daemonset.uid"
+	// semantic conventions. It represents the UID of the DaemonSet.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SDaemonSetUIDKey = attribute.Key("k8s.daemonset.uid")
+
+	// K8SDeploymentNameKey is the attribute Key conforming to the
+	// "k8s.deployment.name" semantic conventions. It represents the name of the
+	// Deployment.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SDeploymentNameKey = attribute.Key("k8s.deployment.name")
+
+	// K8SDeploymentUIDKey is the attribute Key conforming to the
+	// "k8s.deployment.uid" semantic conventions. It represents the UID of the
+	// Deployment.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SDeploymentUIDKey = attribute.Key("k8s.deployment.uid")
+
+	// K8SHPANameKey is the attribute Key conforming to the "k8s.hpa.name" semantic
+	// conventions. It represents the name of the horizontal pod autoscaler.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SHPANameKey = attribute.Key("k8s.hpa.name")
+
+	// K8SHPAUIDKey is the attribute Key conforming to the "k8s.hpa.uid" semantic
+	// conventions. It represents the UID of the horizontal pod autoscaler.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SHPAUIDKey = attribute.Key("k8s.hpa.uid")
+
+	// K8SJobNameKey is the attribute Key conforming to the "k8s.job.name" semantic
+	// conventions. It represents the name of the Job.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SJobNameKey = attribute.Key("k8s.job.name")
+
+	// K8SJobUIDKey is the attribute Key conforming to the "k8s.job.uid" semantic
+	// conventions. It represents the UID of the Job.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SJobUIDKey = attribute.Key("k8s.job.uid")
+
+	// K8SNamespaceNameKey is the attribute Key conforming to the
+	// "k8s.namespace.name" semantic conventions. It represents the name of the
+	// namespace that the pod is running in.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "default"
+	K8SNamespaceNameKey = attribute.Key("k8s.namespace.name")
+
+	// K8SNamespacePhaseKey is the attribute Key conforming to the
+	// "k8s.namespace.phase" semantic conventions. It represents the phase of the
+	// K8s namespace.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "active", "terminating"
+	// Note: This attribute aligns with the `phase` field of the
+	// [K8s NamespaceStatus]
+	//
+	// [K8s NamespaceStatus]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#namespacestatus-v1-core
+	K8SNamespacePhaseKey = attribute.Key("k8s.namespace.phase")
+
+	// K8SNodeNameKey is the attribute Key conforming to the "k8s.node.name"
+	// semantic conventions. It represents the name of the Node.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "node-1"
+	K8SNodeNameKey = attribute.Key("k8s.node.name")
+
+	// K8SNodeUIDKey is the attribute Key conforming to the "k8s.node.uid" semantic
+	// conventions. It represents the UID of the Node.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1eb3a0c6-0477-4080-a9cb-0cb7db65c6a2"
+	K8SNodeUIDKey = attribute.Key("k8s.node.uid")
+
+	// K8SPodNameKey is the attribute Key conforming to the "k8s.pod.name" semantic
+	// conventions. It represents the name of the Pod.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry-pod-autoconf"
+	K8SPodNameKey = attribute.Key("k8s.pod.name")
+
+	// K8SPodUIDKey is the attribute Key conforming to the "k8s.pod.uid" semantic
+	// conventions. It represents the UID of the Pod.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SPodUIDKey = attribute.Key("k8s.pod.uid")
+
+	// K8SReplicaSetNameKey is the attribute Key conforming to the
+	// "k8s.replicaset.name" semantic conventions. It represents the name of the
+	// ReplicaSet.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SReplicaSetNameKey = attribute.Key("k8s.replicaset.name")
+
+	// K8SReplicaSetUIDKey is the attribute Key conforming to the
+	// "k8s.replicaset.uid" semantic conventions. It represents the UID of the
+	// ReplicaSet.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SReplicaSetUIDKey = attribute.Key("k8s.replicaset.uid")
+
+	// K8SReplicationControllerNameKey is the attribute Key conforming to the
+	// "k8s.replicationcontroller.name" semantic conventions. It represents the name
+	// of the replication controller.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SReplicationControllerNameKey = attribute.Key("k8s.replicationcontroller.name")
+
+	// K8SReplicationControllerUIDKey is the attribute Key conforming to the
+	// "k8s.replicationcontroller.uid" semantic conventions. It represents the UID
+	// of the replication controller.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SReplicationControllerUIDKey = attribute.Key("k8s.replicationcontroller.uid")
+
+	// K8SResourceQuotaNameKey is the attribute Key conforming to the
+	// "k8s.resourcequota.name" semantic conventions. It represents the name of the
+	// resource quota.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SResourceQuotaNameKey = attribute.Key("k8s.resourcequota.name")
+
+	// K8SResourceQuotaUIDKey is the attribute Key conforming to the
+	// "k8s.resourcequota.uid" semantic conventions. It represents the UID of the
+	// resource quota.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SResourceQuotaUIDKey = attribute.Key("k8s.resourcequota.uid")
+
+	// K8SStatefulSetNameKey is the attribute Key conforming to the
+	// "k8s.statefulset.name" semantic conventions. It represents the name of the
+	// StatefulSet.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "opentelemetry"
+	K8SStatefulSetNameKey = attribute.Key("k8s.statefulset.name")
+
+	// K8SStatefulSetUIDKey is the attribute Key conforming to the
+	// "k8s.statefulset.uid" semantic conventions. It represents the UID of the
+	// StatefulSet.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
+	K8SStatefulSetUIDKey = attribute.Key("k8s.statefulset.uid")
+
+	// K8SVolumeNameKey is the attribute Key conforming to the "k8s.volume.name"
+	// semantic conventions. It represents the name of the K8s volume.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "volume0"
+	K8SVolumeNameKey = attribute.Key("k8s.volume.name")
+
+	// K8SVolumeTypeKey is the attribute Key conforming to the "k8s.volume.type"
+	// semantic conventions. It represents the type of the K8s volume.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "emptyDir", "persistentVolumeClaim"
+	K8SVolumeTypeKey = attribute.Key("k8s.volume.type")
+)
+
+// K8SClusterName returns an attribute KeyValue conforming to the
+// "k8s.cluster.name" semantic conventions. It represents the name of the
+// cluster.
+func K8SClusterName(val string) attribute.KeyValue {
+	return K8SClusterNameKey.String(val)
+}
+
+// K8SClusterUID returns an attribute KeyValue conforming to the
+// "k8s.cluster.uid" semantic conventions. It represents a pseudo-ID for the
+// cluster, set to the UID of the `kube-system` namespace.
+func K8SClusterUID(val string) attribute.KeyValue {
+	return K8SClusterUIDKey.String(val)
+}
+
+// K8SContainerName returns an attribute KeyValue conforming to the
+// "k8s.container.name" semantic conventions. It represents the name of the
+// Container from Pod specification, must be unique within a Pod. Container
+// runtime usually uses different globally unique name (`container.name`).
+func K8SContainerName(val string) attribute.KeyValue {
+	return K8SContainerNameKey.String(val)
+}
+
+// K8SContainerRestartCount returns an attribute KeyValue conforming to the
+// "k8s.container.restart_count" semantic conventions. It represents the number
+// of times the container was restarted. This attribute can be used to identify a
+// particular container (running or stopped) within a container spec.
+func K8SContainerRestartCount(val int) attribute.KeyValue {
+	return K8SContainerRestartCountKey.Int(val)
+}
+
+// K8SContainerStatusLastTerminatedReason returns an attribute KeyValue
+// conforming to the "k8s.container.status.last_terminated_reason" semantic
+// conventions. It represents the last terminated reason of the Container.
+func K8SContainerStatusLastTerminatedReason(val string) attribute.KeyValue {
+	return K8SContainerStatusLastTerminatedReasonKey.String(val)
+}
+
+// K8SCronJobName returns an attribute KeyValue conforming to the
+// "k8s.cronjob.name" semantic conventions. It represents the name of the
+// CronJob.
+func K8SCronJobName(val string) attribute.KeyValue {
+	return K8SCronJobNameKey.String(val)
+}
+
+// K8SCronJobUID returns an attribute KeyValue conforming to the
+// "k8s.cronjob.uid" semantic conventions. It represents the UID of the CronJob.
+func K8SCronJobUID(val string) attribute.KeyValue {
+	return K8SCronJobUIDKey.String(val)
+}
+
+// K8SDaemonSetName returns an attribute KeyValue conforming to the
+// "k8s.daemonset.name" semantic conventions. It represents the name of the
+// DaemonSet.
+func K8SDaemonSetName(val string) attribute.KeyValue {
+	return K8SDaemonSetNameKey.String(val)
+}
+
+// K8SDaemonSetUID returns an attribute KeyValue conforming to the
+// "k8s.daemonset.uid" semantic conventions. It represents the UID of the
+// DaemonSet.
+func K8SDaemonSetUID(val string) attribute.KeyValue {
+	return K8SDaemonSetUIDKey.String(val)
+}
+
+// K8SDeploymentName returns an attribute KeyValue conforming to the
+// "k8s.deployment.name" semantic conventions. It represents the name of the
+// Deployment.
+func K8SDeploymentName(val string) attribute.KeyValue {
+	return K8SDeploymentNameKey.String(val)
+}
+
+// K8SDeploymentUID returns an attribute KeyValue conforming to the
+// "k8s.deployment.uid" semantic conventions. It represents the UID of the
+// Deployment.
+func K8SDeploymentUID(val string) attribute.KeyValue {
+	return K8SDeploymentUIDKey.String(val)
+}
+
+// K8SHPAName returns an attribute KeyValue conforming to the "k8s.hpa.name"
+// semantic conventions. It represents the name of the horizontal pod autoscaler.
+func K8SHPAName(val string) attribute.KeyValue {
+	return K8SHPANameKey.String(val)
+}
+
+// K8SHPAUID returns an attribute KeyValue conforming to the "k8s.hpa.uid"
+// semantic conventions. It represents the UID of the horizontal pod autoscaler.
+func K8SHPAUID(val string) attribute.KeyValue {
+	return K8SHPAUIDKey.String(val)
+}
+
+// K8SJobName returns an attribute KeyValue conforming to the "k8s.job.name"
+// semantic conventions. It represents the name of the Job.
+func K8SJobName(val string) attribute.KeyValue {
+	return K8SJobNameKey.String(val)
+}
+
+// K8SJobUID returns an attribute KeyValue conforming to the "k8s.job.uid"
+// semantic conventions. It represents the UID of the Job.
+func K8SJobUID(val string) attribute.KeyValue {
+	return K8SJobUIDKey.String(val)
+}
+
+// K8SNamespaceName returns an attribute KeyValue conforming to the
+// "k8s.namespace.name" semantic conventions. It represents the name of the
+// namespace that the pod is running in.
+func K8SNamespaceName(val string) attribute.KeyValue {
+	return K8SNamespaceNameKey.String(val)
+}
+
+// K8SNodeName returns an attribute KeyValue conforming to the "k8s.node.name"
+// semantic conventions. It represents the name of the Node.
+func K8SNodeName(val string) attribute.KeyValue {
+	return K8SNodeNameKey.String(val)
+}
+
+// K8SNodeUID returns an attribute KeyValue conforming to the "k8s.node.uid"
+// semantic conventions. It represents the UID of the Node.
+func K8SNodeUID(val string) attribute.KeyValue {
+	return K8SNodeUIDKey.String(val)
+}
+
+// K8SPodName returns an attribute KeyValue conforming to the "k8s.pod.name"
+// semantic conventions. It represents the name of the Pod.
+func K8SPodName(val string) attribute.KeyValue {
+	return K8SPodNameKey.String(val)
+}
+
+// K8SPodUID returns an attribute KeyValue conforming to the "k8s.pod.uid"
+// semantic conventions. It represents the UID of the Pod.
+func K8SPodUID(val string) attribute.KeyValue {
+	return K8SPodUIDKey.String(val)
+}
+
+// K8SReplicaSetName returns an attribute KeyValue conforming to the
+// "k8s.replicaset.name" semantic conventions. It represents the name of the
+// ReplicaSet.
+func K8SReplicaSetName(val string) attribute.KeyValue {
+	return K8SReplicaSetNameKey.String(val)
+}
+
+// K8SReplicaSetUID returns an attribute KeyValue conforming to the
+// "k8s.replicaset.uid" semantic conventions. It represents the UID of the
+// ReplicaSet.
+func K8SReplicaSetUID(val string) attribute.KeyValue {
+	return K8SReplicaSetUIDKey.String(val)
+}
+
+// K8SReplicationControllerName returns an attribute KeyValue conforming to the
+// "k8s.replicationcontroller.name" semantic conventions. It represents the name
+// of the replication controller.
+func K8SReplicationControllerName(val string) attribute.KeyValue {
+	return K8SReplicationControllerNameKey.String(val)
+}
+
+// K8SReplicationControllerUID returns an attribute KeyValue conforming to the
+// "k8s.replicationcontroller.uid" semantic conventions. It represents the UID of
+// the replication controller.
+func K8SReplicationControllerUID(val string) attribute.KeyValue {
+	return K8SReplicationControllerUIDKey.String(val)
+}
+
+// K8SResourceQuotaName returns an attribute KeyValue conforming to the
+// "k8s.resourcequota.name" semantic conventions. It represents the name of the
+// resource quota.
+func K8SResourceQuotaName(val string) attribute.KeyValue {
+	return K8SResourceQuotaNameKey.String(val)
+}
+
+// K8SResourceQuotaUID returns an attribute KeyValue conforming to the
+// "k8s.resourcequota.uid" semantic conventions. It represents the UID of the
+// resource quota.
+func K8SResourceQuotaUID(val string) attribute.KeyValue {
+	return K8SResourceQuotaUIDKey.String(val)
+}
+
+// K8SStatefulSetName returns an attribute KeyValue conforming to the
+// "k8s.statefulset.name" semantic conventions. It represents the name of the
+// StatefulSet.
+func K8SStatefulSetName(val string) attribute.KeyValue {
+	return K8SStatefulSetNameKey.String(val)
+}
+
+// K8SStatefulSetUID returns an attribute KeyValue conforming to the
+// "k8s.statefulset.uid" semantic conventions. It represents the UID of the
+// StatefulSet.
+func K8SStatefulSetUID(val string) attribute.KeyValue {
+	return K8SStatefulSetUIDKey.String(val)
+}
+
+// K8SVolumeName returns an attribute KeyValue conforming to the
+// "k8s.volume.name" semantic conventions. It represents the name of the K8s
+// volume.
+func K8SVolumeName(val string) attribute.KeyValue {
+	return K8SVolumeNameKey.String(val)
+}
+
+// Enum values for k8s.namespace.phase
+var (
+	// Active namespace phase as described by [K8s API]
+	// Stability: development
+	//
+	// [K8s API]: https://pkg.go.dev/k8s.io/api@v0.31.3/core/v1#NamespacePhase
+	K8SNamespacePhaseActive = K8SNamespacePhaseKey.String("active")
+	// Terminating namespace phase as described by [K8s API]
+	// Stability: development
+	//
+	// [K8s API]: https://pkg.go.dev/k8s.io/api@v0.31.3/core/v1#NamespacePhase
+	K8SNamespacePhaseTerminating = K8SNamespacePhaseKey.String("terminating")
+)
+
+// Enum values for k8s.volume.type
+var (
+	// A [persistentVolumeClaim] volume
+	// Stability: development
+	//
+	// [persistentVolumeClaim]: https://v1-30.docs.kubernetes.io/docs/concepts/storage/volumes/#persistentvolumeclaim
+	K8SVolumeTypePersistentVolumeClaim = K8SVolumeTypeKey.String("persistentVolumeClaim")
+	// A [configMap] volume
+	// Stability: development
+	//
+	// [configMap]: https://v1-30.docs.kubernetes.io/docs/concepts/storage/volumes/#configmap
+	K8SVolumeTypeConfigMap = K8SVolumeTypeKey.String("configMap")
+	// A [downwardAPI] volume
+	// Stability: development
+	//
+	// [downwardAPI]: https://v1-30.docs.kubernetes.io/docs/concepts/storage/volumes/#downwardapi
+	K8SVolumeTypeDownwardAPI = K8SVolumeTypeKey.String("downwardAPI")
+	// An [emptyDir] volume
+	// Stability: development
+	//
+	// [emptyDir]: https://v1-30.docs.kubernetes.io/docs/concepts/storage/volumes/#emptydir
+	K8SVolumeTypeEmptyDir = K8SVolumeTypeKey.String("emptyDir")
+	// A [secret] volume
+	// Stability: development
+	//
+	// [secret]: https://v1-30.docs.kubernetes.io/docs/concepts/storage/volumes/#secret
+	K8SVolumeTypeSecret = K8SVolumeTypeKey.String("secret")
+	// A [local] volume
+	// Stability: development
+	//
+	// [local]: https://v1-30.docs.kubernetes.io/docs/concepts/storage/volumes/#local
+	K8SVolumeTypeLocal = K8SVolumeTypeKey.String("local")
+)
+
+// Namespace: linux
+const (
+	// LinuxMemorySlabStateKey is the attribute Key conforming to the
+	// "linux.memory.slab.state" semantic conventions. It represents the Linux Slab
+	// memory state.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "reclaimable", "unreclaimable"
+	LinuxMemorySlabStateKey = attribute.Key("linux.memory.slab.state")
+)
+
+// Enum values for linux.memory.slab.state
+var (
+	// reclaimable
+	// Stability: development
+	LinuxMemorySlabStateReclaimable = LinuxMemorySlabStateKey.String("reclaimable")
+	// unreclaimable
+	// Stability: development
+	LinuxMemorySlabStateUnreclaimable = LinuxMemorySlabStateKey.String("unreclaimable")
+)
+
+// Namespace: log
+const (
+	// LogFileNameKey is the attribute Key conforming to the "log.file.name"
+	// semantic conventions. It represents the basename of the file.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "audit.log"
+	LogFileNameKey = attribute.Key("log.file.name")
+
+	// LogFileNameResolvedKey is the attribute Key conforming to the
+	// "log.file.name_resolved" semantic conventions. It represents the basename of
+	// the file, with symlinks resolved.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "uuid.log"
+	LogFileNameResolvedKey = attribute.Key("log.file.name_resolved")
+
+	// LogFilePathKey is the attribute Key conforming to the "log.file.path"
+	// semantic conventions. It represents the full path to the file.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/var/log/mysql/audit.log"
+	LogFilePathKey = attribute.Key("log.file.path")
+
+	// LogFilePathResolvedKey is the attribute Key conforming to the
+	// "log.file.path_resolved" semantic conventions. It represents the full path to
+	// the file, with symlinks resolved.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/var/lib/docker/uuid.log"
+	LogFilePathResolvedKey = attribute.Key("log.file.path_resolved")
+
+	// LogIostreamKey is the attribute Key conforming to the "log.iostream" semantic
+	// conventions. It represents the stream associated with the log. See below for
+	// a list of well-known values.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	LogIostreamKey = attribute.Key("log.iostream")
+
+	// LogRecordOriginalKey is the attribute Key conforming to the
+	// "log.record.original" semantic conventions. It represents the complete
+	// original Log Record.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "77 <86>1 2015-08-06T21:58:59.694Z 192.168.2.133 inactive - - -
+	// Something happened", "[INFO] 8/3/24 12:34:56 Something happened"
+	// Note: This value MAY be added when processing a Log Record which was
+	// originally transmitted as a string or equivalent data type AND the Body field
+	// of the Log Record does not contain the same value. (e.g. a syslog or a log
+	// record read from a file.)
+	LogRecordOriginalKey = attribute.Key("log.record.original")
+
+	// LogRecordUIDKey is the attribute Key conforming to the "log.record.uid"
+	// semantic conventions. It represents a unique identifier for the Log Record.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "01ARZ3NDEKTSV4RRFFQ69G5FAV"
+	// Note: If an id is provided, other log records with the same id will be
+	// considered duplicates and can be removed safely. This means, that two
+	// distinguishable log records MUST have different values.
+	// The id MAY be an
+	// [Universally Unique Lexicographically Sortable Identifier (ULID)], but other
+	// identifiers (e.g. UUID) may be used as needed.
+	//
+	// [Universally Unique Lexicographically Sortable Identifier (ULID)]: https://github.com/ulid/spec
+	LogRecordUIDKey = attribute.Key("log.record.uid")
+)
+
+// LogFileName returns an attribute KeyValue conforming to the "log.file.name"
+// semantic conventions. It represents the basename of the file.
+func LogFileName(val string) attribute.KeyValue {
+	return LogFileNameKey.String(val)
+}
+
+// LogFileNameResolved returns an attribute KeyValue conforming to the
+// "log.file.name_resolved" semantic conventions. It represents the basename of
+// the file, with symlinks resolved.
+func LogFileNameResolved(val string) attribute.KeyValue {
+	return LogFileNameResolvedKey.String(val)
+}
+
+// LogFilePath returns an attribute KeyValue conforming to the "log.file.path"
+// semantic conventions. It represents the full path to the file.
+func LogFilePath(val string) attribute.KeyValue {
+	return LogFilePathKey.String(val)
+}
+
+// LogFilePathResolved returns an attribute KeyValue conforming to the
+// "log.file.path_resolved" semantic conventions. It represents the full path to
+// the file, with symlinks resolved.
+func LogFilePathResolved(val string) attribute.KeyValue {
+	return LogFilePathResolvedKey.String(val)
+}
+
+// LogRecordOriginal returns an attribute KeyValue conforming to the
+// "log.record.original" semantic conventions. It represents the complete
+// original Log Record.
+func LogRecordOriginal(val string) attribute.KeyValue {
+	return LogRecordOriginalKey.String(val)
+}
+
+// LogRecordUID returns an attribute KeyValue conforming to the "log.record.uid"
+// semantic conventions. It represents a unique identifier for the Log Record.
+func LogRecordUID(val string) attribute.KeyValue {
+	return LogRecordUIDKey.String(val)
+}
+
+// Enum values for log.iostream
+var (
+	// Logs from stdout stream
+	// Stability: development
+	LogIostreamStdout = LogIostreamKey.String("stdout")
+	// Events from stderr stream
+	// Stability: development
+	LogIostreamStderr = LogIostreamKey.String("stderr")
+)
+
+// Namespace: messaging
+const (
+	// MessagingBatchMessageCountKey is the attribute Key conforming to the
+	// "messaging.batch.message_count" semantic conventions. It represents the
+	// number of messages sent, received, or processed in the scope of the batching
+	// operation.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0, 1, 2
+	// Note: Instrumentations SHOULD NOT set `messaging.batch.message_count` on
+	// spans that operate with a single message. When a messaging client library
+	// supports both batch and single-message API for the same operation,
+	// instrumentations SHOULD use `messaging.batch.message_count` for batching APIs
+	// and SHOULD NOT use it for single-message APIs.
+	MessagingBatchMessageCountKey = attribute.Key("messaging.batch.message_count")
+
+	// MessagingClientIDKey is the attribute Key conforming to the
+	// "messaging.client.id" semantic conventions. It represents a unique identifier
+	// for the client that consumes or produces a message.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "client-5", "myhost@8742@s8083jm"
+	MessagingClientIDKey = attribute.Key("messaging.client.id")
+
+	// MessagingConsumerGroupNameKey is the attribute Key conforming to the
+	// "messaging.consumer.group.name" semantic conventions. It represents the name
+	// of the consumer group with which a consumer is associated.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-group", "indexer"
+	// Note: Semantic conventions for individual messaging systems SHOULD document
+	// whether `messaging.consumer.group.name` is applicable and what it means in
+	// the context of that system.
+	MessagingConsumerGroupNameKey = attribute.Key("messaging.consumer.group.name")
+
+	// MessagingDestinationAnonymousKey is the attribute Key conforming to the
+	// "messaging.destination.anonymous" semantic conventions. It represents a
+	// boolean that is true if the message destination is anonymous (could be
+	// unnamed or have auto-generated name).
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	MessagingDestinationAnonymousKey = attribute.Key("messaging.destination.anonymous")
+
+	// MessagingDestinationNameKey is the attribute Key conforming to the
+	// "messaging.destination.name" semantic conventions. It represents the message
+	// destination name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "MyQueue", "MyTopic"
+	// Note: Destination name SHOULD uniquely identify a specific queue, topic or
+	// other entity within the broker. If
+	// the broker doesn't have such notion, the destination name SHOULD uniquely
+	// identify the broker.
+	MessagingDestinationNameKey = attribute.Key("messaging.destination.name")
+
+	// MessagingDestinationPartitionIDKey is the attribute Key conforming to the
+	// "messaging.destination.partition.id" semantic conventions. It represents the
+	// identifier of the partition messages are sent to or received from, unique
+	// within the `messaging.destination.name`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1
+	MessagingDestinationPartitionIDKey = attribute.Key("messaging.destination.partition.id")
+
+	// MessagingDestinationSubscriptionNameKey is the attribute Key conforming to
+	// the "messaging.destination.subscription.name" semantic conventions. It
+	// represents the name of the destination subscription from which a message is
+	// consumed.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "subscription-a"
+	// Note: Semantic conventions for individual messaging systems SHOULD document
+	// whether `messaging.destination.subscription.name` is applicable and what it
+	// means in the context of that system.
+	MessagingDestinationSubscriptionNameKey = attribute.Key("messaging.destination.subscription.name")
+
+	// MessagingDestinationTemplateKey is the attribute Key conforming to the
+	// "messaging.destination.template" semantic conventions. It represents the low
+	// cardinality representation of the messaging destination name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/customers/{customerId}"
+	// Note: Destination names could be constructed from templates. An example would
+	// be a destination name involving a user name or product id. Although the
+	// destination name in this case is of high cardinality, the underlying template
+	// is of low cardinality and can be effectively used for grouping and
+	// aggregation.
+	MessagingDestinationTemplateKey = attribute.Key("messaging.destination.template")
+
+	// MessagingDestinationTemporaryKey is the attribute Key conforming to the
+	// "messaging.destination.temporary" semantic conventions. It represents a
+	// boolean that is true if the message destination is temporary and might not
+	// exist anymore after messages are processed.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	MessagingDestinationTemporaryKey = attribute.Key("messaging.destination.temporary")
+
+	// MessagingEventHubsMessageEnqueuedTimeKey is the attribute Key conforming to
+	// the "messaging.eventhubs.message.enqueued_time" semantic conventions. It
+	// represents the UTC epoch seconds at which the message has been accepted and
+	// stored in the entity.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingEventHubsMessageEnqueuedTimeKey = attribute.Key("messaging.eventhubs.message.enqueued_time")
+
+	// MessagingGCPPubSubMessageAckDeadlineKey is the attribute Key conforming to
+	// the "messaging.gcp_pubsub.message.ack_deadline" semantic conventions. It
+	// represents the ack deadline in seconds set for the modify ack deadline
+	// request.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingGCPPubSubMessageAckDeadlineKey = attribute.Key("messaging.gcp_pubsub.message.ack_deadline")
+
+	// MessagingGCPPubSubMessageAckIDKey is the attribute Key conforming to the
+	// "messaging.gcp_pubsub.message.ack_id" semantic conventions. It represents the
+	// ack id for a given message.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: ack_id
+	MessagingGCPPubSubMessageAckIDKey = attribute.Key("messaging.gcp_pubsub.message.ack_id")
+
+	// MessagingGCPPubSubMessageDeliveryAttemptKey is the attribute Key conforming
+	// to the "messaging.gcp_pubsub.message.delivery_attempt" semantic conventions.
+	// It represents the delivery attempt for a given message.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingGCPPubSubMessageDeliveryAttemptKey = attribute.Key("messaging.gcp_pubsub.message.delivery_attempt")
+
+	// MessagingGCPPubSubMessageOrderingKeyKey is the attribute Key conforming to
+	// the "messaging.gcp_pubsub.message.ordering_key" semantic conventions. It
+	// represents the ordering key for a given message. If the attribute is not
+	// present, the message does not have an ordering key.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: ordering_key
+	MessagingGCPPubSubMessageOrderingKeyKey = attribute.Key("messaging.gcp_pubsub.message.ordering_key")
+
+	// MessagingKafkaMessageKeyKey is the attribute Key conforming to the
+	// "messaging.kafka.message.key" semantic conventions. It represents the message
+	// keys in Kafka are used for grouping alike messages to ensure they're
+	// processed on the same partition. They differ from `messaging.message.id` in
+	// that they're not unique. If the key is `null`, the attribute MUST NOT be set.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: myKey
+	// Note: If the key type is not string, it's string representation has to be
+	// supplied for the attribute. If the key has no unambiguous, canonical string
+	// form, don't include its value.
+	MessagingKafkaMessageKeyKey = attribute.Key("messaging.kafka.message.key")
+
+	// MessagingKafkaMessageTombstoneKey is the attribute Key conforming to the
+	// "messaging.kafka.message.tombstone" semantic conventions. It represents a
+	// boolean that is true if the message is a tombstone.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	MessagingKafkaMessageTombstoneKey = attribute.Key("messaging.kafka.message.tombstone")
+
+	// MessagingKafkaOffsetKey is the attribute Key conforming to the
+	// "messaging.kafka.offset" semantic conventions. It represents the offset of a
+	// record in the corresponding Kafka partition.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingKafkaOffsetKey = attribute.Key("messaging.kafka.offset")
+
+	// MessagingMessageBodySizeKey is the attribute Key conforming to the
+	// "messaging.message.body.size" semantic conventions. It represents the size of
+	// the message body in bytes.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Note: This can refer to both the compressed or uncompressed body size. If
+	// both sizes are known, the uncompressed
+	// body size should be used.
+	MessagingMessageBodySizeKey = attribute.Key("messaging.message.body.size")
+
+	// MessagingMessageConversationIDKey is the attribute Key conforming to the
+	// "messaging.message.conversation_id" semantic conventions. It represents the
+	// conversation ID identifying the conversation to which the message belongs,
+	// represented as a string. Sometimes called "Correlation ID".
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: MyConversationId
+	MessagingMessageConversationIDKey = attribute.Key("messaging.message.conversation_id")
+
+	// MessagingMessageEnvelopeSizeKey is the attribute Key conforming to the
+	// "messaging.message.envelope.size" semantic conventions. It represents the
+	// size of the message body and metadata in bytes.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Note: This can refer to both the compressed or uncompressed size. If both
+	// sizes are known, the uncompressed
+	// size should be used.
+	MessagingMessageEnvelopeSizeKey = attribute.Key("messaging.message.envelope.size")
+
+	// MessagingMessageIDKey is the attribute Key conforming to the
+	// "messaging.message.id" semantic conventions. It represents a value used by
+	// the messaging system as an identifier for the message, represented as a
+	// string.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 452a7c7c7c7048c2f887f61572b18fc2
+	MessagingMessageIDKey = attribute.Key("messaging.message.id")
+
+	// MessagingOperationNameKey is the attribute Key conforming to the
+	// "messaging.operation.name" semantic conventions. It represents the
+	// system-specific name of the messaging operation.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "ack", "nack", "send"
+	MessagingOperationNameKey = attribute.Key("messaging.operation.name")
+
+	// MessagingOperationTypeKey is the attribute Key conforming to the
+	// "messaging.operation.type" semantic conventions. It represents a string
+	// identifying the type of the messaging operation.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: If a custom value is used, it MUST be of low cardinality.
+	MessagingOperationTypeKey = attribute.Key("messaging.operation.type")
+
+	// MessagingRabbitMQDestinationRoutingKeyKey is the attribute Key conforming to
+	// the "messaging.rabbitmq.destination.routing_key" semantic conventions. It
+	// represents the rabbitMQ message routing key.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: myKey
+	MessagingRabbitMQDestinationRoutingKeyKey = attribute.Key("messaging.rabbitmq.destination.routing_key")
+
+	// MessagingRabbitMQMessageDeliveryTagKey is the attribute Key conforming to the
+	// "messaging.rabbitmq.message.delivery_tag" semantic conventions. It represents
+	// the rabbitMQ message delivery tag.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingRabbitMQMessageDeliveryTagKey = attribute.Key("messaging.rabbitmq.message.delivery_tag")
+
+	// MessagingRocketMQConsumptionModelKey is the attribute Key conforming to the
+	// "messaging.rocketmq.consumption_model" semantic conventions. It represents
+	// the model of message consumption. This only applies to consumer spans.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	MessagingRocketMQConsumptionModelKey = attribute.Key("messaging.rocketmq.consumption_model")
+
+	// MessagingRocketMQMessageDelayTimeLevelKey is the attribute Key conforming to
+	// the "messaging.rocketmq.message.delay_time_level" semantic conventions. It
+	// represents the delay time level for delay message, which determines the
+	// message delay time.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingRocketMQMessageDelayTimeLevelKey = attribute.Key("messaging.rocketmq.message.delay_time_level")
+
+	// MessagingRocketMQMessageDeliveryTimestampKey is the attribute Key conforming
+	// to the "messaging.rocketmq.message.delivery_timestamp" semantic conventions.
+	// It represents the timestamp in milliseconds that the delay message is
+	// expected to be delivered to consumer.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingRocketMQMessageDeliveryTimestampKey = attribute.Key("messaging.rocketmq.message.delivery_timestamp")
+
+	// MessagingRocketMQMessageGroupKey is the attribute Key conforming to the
+	// "messaging.rocketmq.message.group" semantic conventions. It represents the it
+	// is essential for FIFO message. Messages that belong to the same message group
+	// are always processed one by one within the same consumer group.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: myMessageGroup
+	MessagingRocketMQMessageGroupKey = attribute.Key("messaging.rocketmq.message.group")
+
+	// MessagingRocketMQMessageKeysKey is the attribute Key conforming to the
+	// "messaging.rocketmq.message.keys" semantic conventions. It represents the
+	// key(s) of message, another way to mark message besides message id.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "keyA", "keyB"
+	MessagingRocketMQMessageKeysKey = attribute.Key("messaging.rocketmq.message.keys")
+
+	// MessagingRocketMQMessageTagKey is the attribute Key conforming to the
+	// "messaging.rocketmq.message.tag" semantic conventions. It represents the
+	// secondary classifier of message besides topic.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: tagA
+	MessagingRocketMQMessageTagKey = attribute.Key("messaging.rocketmq.message.tag")
+
+	// MessagingRocketMQMessageTypeKey is the attribute Key conforming to the
+	// "messaging.rocketmq.message.type" semantic conventions. It represents the
+	// type of message.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	MessagingRocketMQMessageTypeKey = attribute.Key("messaging.rocketmq.message.type")
+
+	// MessagingRocketMQNamespaceKey is the attribute Key conforming to the
+	// "messaging.rocketmq.namespace" semantic conventions. It represents the
+	// namespace of RocketMQ resources, resources in different namespaces are
+	// individual.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: myNamespace
+	MessagingRocketMQNamespaceKey = attribute.Key("messaging.rocketmq.namespace")
+
+	// MessagingServiceBusDispositionStatusKey is the attribute Key conforming to
+	// the "messaging.servicebus.disposition_status" semantic conventions. It
+	// represents the describes the [settlement type].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	//
+	// [settlement type]: https://learn.microsoft.com/azure/service-bus-messaging/message-transfers-locks-settlement#peeklock
+	MessagingServiceBusDispositionStatusKey = attribute.Key("messaging.servicebus.disposition_status")
+
+	// MessagingServiceBusMessageDeliveryCountKey is the attribute Key conforming to
+	// the "messaging.servicebus.message.delivery_count" semantic conventions. It
+	// represents the number of deliveries that have been attempted for this
+	// message.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingServiceBusMessageDeliveryCountKey = attribute.Key("messaging.servicebus.message.delivery_count")
+
+	// MessagingServiceBusMessageEnqueuedTimeKey is the attribute Key conforming to
+	// the "messaging.servicebus.message.enqueued_time" semantic conventions. It
+	// represents the UTC epoch seconds at which the message has been accepted and
+	// stored in the entity.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	MessagingServiceBusMessageEnqueuedTimeKey = attribute.Key("messaging.servicebus.message.enqueued_time")
+
+	// MessagingSystemKey is the attribute Key conforming to the "messaging.system"
+	// semantic conventions. It represents the messaging system as identified by the
+	// client instrumentation.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: The actual messaging system may differ from the one known by the
+	// client. For example, when using Kafka client libraries to communicate with
+	// Azure Event Hubs, the `messaging.system` is set to `kafka` based on the
+	// instrumentation's best knowledge.
+	MessagingSystemKey = attribute.Key("messaging.system")
+)
+
+// MessagingBatchMessageCount returns an attribute KeyValue conforming to the
+// "messaging.batch.message_count" semantic conventions. It represents the number
+// of messages sent, received, or processed in the scope of the batching
+// operation.
+func MessagingBatchMessageCount(val int) attribute.KeyValue {
+	return MessagingBatchMessageCountKey.Int(val)
+}
+
+// MessagingClientID returns an attribute KeyValue conforming to the
+// "messaging.client.id" semantic conventions. It represents a unique identifier
+// for the client that consumes or produces a message.
+func MessagingClientID(val string) attribute.KeyValue {
+	return MessagingClientIDKey.String(val)
+}
+
+// MessagingConsumerGroupName returns an attribute KeyValue conforming to the
+// "messaging.consumer.group.name" semantic conventions. It represents the name
+// of the consumer group with which a consumer is associated.
+func MessagingConsumerGroupName(val string) attribute.KeyValue {
+	return MessagingConsumerGroupNameKey.String(val)
+}
+
+// MessagingDestinationAnonymous returns an attribute KeyValue conforming to the
+// "messaging.destination.anonymous" semantic conventions. It represents a
+// boolean that is true if the message destination is anonymous (could be unnamed
+// or have auto-generated name).
+func MessagingDestinationAnonymous(val bool) attribute.KeyValue {
+	return MessagingDestinationAnonymousKey.Bool(val)
+}
+
+// MessagingDestinationName returns an attribute KeyValue conforming to the
+// "messaging.destination.name" semantic conventions. It represents the message
+// destination name.
+func MessagingDestinationName(val string) attribute.KeyValue {
+	return MessagingDestinationNameKey.String(val)
+}
+
+// MessagingDestinationPartitionID returns an attribute KeyValue conforming to
+// the "messaging.destination.partition.id" semantic conventions. It represents
+// the identifier of the partition messages are sent to or received from, unique
+// within the `messaging.destination.name`.
+func MessagingDestinationPartitionID(val string) attribute.KeyValue {
+	return MessagingDestinationPartitionIDKey.String(val)
+}
+
+// MessagingDestinationSubscriptionName returns an attribute KeyValue conforming
+// to the "messaging.destination.subscription.name" semantic conventions. It
+// represents the name of the destination subscription from which a message is
+// consumed.
+func MessagingDestinationSubscriptionName(val string) attribute.KeyValue {
+	return MessagingDestinationSubscriptionNameKey.String(val)
+}
+
+// MessagingDestinationTemplate returns an attribute KeyValue conforming to the
+// "messaging.destination.template" semantic conventions. It represents the low
+// cardinality representation of the messaging destination name.
+func MessagingDestinationTemplate(val string) attribute.KeyValue {
+	return MessagingDestinationTemplateKey.String(val)
+}
+
+// MessagingDestinationTemporary returns an attribute KeyValue conforming to the
+// "messaging.destination.temporary" semantic conventions. It represents a
+// boolean that is true if the message destination is temporary and might not
+// exist anymore after messages are processed.
+func MessagingDestinationTemporary(val bool) attribute.KeyValue {
+	return MessagingDestinationTemporaryKey.Bool(val)
+}
+
+// MessagingEventHubsMessageEnqueuedTime returns an attribute KeyValue conforming
+// to the "messaging.eventhubs.message.enqueued_time" semantic conventions. It
+// represents the UTC epoch seconds at which the message has been accepted and
+// stored in the entity.
+func MessagingEventHubsMessageEnqueuedTime(val int) attribute.KeyValue {
+	return MessagingEventHubsMessageEnqueuedTimeKey.Int(val)
+}
+
+// MessagingGCPPubSubMessageAckDeadline returns an attribute KeyValue conforming
+// to the "messaging.gcp_pubsub.message.ack_deadline" semantic conventions. It
+// represents the ack deadline in seconds set for the modify ack deadline
+// request.
+func MessagingGCPPubSubMessageAckDeadline(val int) attribute.KeyValue {
+	return MessagingGCPPubSubMessageAckDeadlineKey.Int(val)
+}
+
+// MessagingGCPPubSubMessageAckID returns an attribute KeyValue conforming to the
+// "messaging.gcp_pubsub.message.ack_id" semantic conventions. It represents the
+// ack id for a given message.
+func MessagingGCPPubSubMessageAckID(val string) attribute.KeyValue {
+	return MessagingGCPPubSubMessageAckIDKey.String(val)
+}
+
+// MessagingGCPPubSubMessageDeliveryAttempt returns an attribute KeyValue
+// conforming to the "messaging.gcp_pubsub.message.delivery_attempt" semantic
+// conventions. It represents the delivery attempt for a given message.
+func MessagingGCPPubSubMessageDeliveryAttempt(val int) attribute.KeyValue {
+	return MessagingGCPPubSubMessageDeliveryAttemptKey.Int(val)
+}
+
+// MessagingGCPPubSubMessageOrderingKey returns an attribute KeyValue conforming
+// to the "messaging.gcp_pubsub.message.ordering_key" semantic conventions. It
+// represents the ordering key for a given message. If the attribute is not
+// present, the message does not have an ordering key.
+func MessagingGCPPubSubMessageOrderingKey(val string) attribute.KeyValue {
+	return MessagingGCPPubSubMessageOrderingKeyKey.String(val)
+}
+
+// MessagingKafkaMessageKey returns an attribute KeyValue conforming to the
+// "messaging.kafka.message.key" semantic conventions. It represents the message
+// keys in Kafka are used for grouping alike messages to ensure they're processed
+// on the same partition. They differ from `messaging.message.id` in that they're
+// not unique. If the key is `null`, the attribute MUST NOT be set.
+func MessagingKafkaMessageKey(val string) attribute.KeyValue {
+	return MessagingKafkaMessageKeyKey.String(val)
+}
+
+// MessagingKafkaMessageTombstone returns an attribute KeyValue conforming to the
+// "messaging.kafka.message.tombstone" semantic conventions. It represents a
+// boolean that is true if the message is a tombstone.
+func MessagingKafkaMessageTombstone(val bool) attribute.KeyValue {
+	return MessagingKafkaMessageTombstoneKey.Bool(val)
+}
+
+// MessagingKafkaOffset returns an attribute KeyValue conforming to the
+// "messaging.kafka.offset" semantic conventions. It represents the offset of a
+// record in the corresponding Kafka partition.
+func MessagingKafkaOffset(val int) attribute.KeyValue {
+	return MessagingKafkaOffsetKey.Int(val)
+}
+
+// MessagingMessageBodySize returns an attribute KeyValue conforming to the
+// "messaging.message.body.size" semantic conventions. It represents the size of
+// the message body in bytes.
+func MessagingMessageBodySize(val int) attribute.KeyValue {
+	return MessagingMessageBodySizeKey.Int(val)
+}
+
+// MessagingMessageConversationID returns an attribute KeyValue conforming to the
+// "messaging.message.conversation_id" semantic conventions. It represents the
+// conversation ID identifying the conversation to which the message belongs,
+// represented as a string. Sometimes called "Correlation ID".
+func MessagingMessageConversationID(val string) attribute.KeyValue {
+	return MessagingMessageConversationIDKey.String(val)
+}
+
+// MessagingMessageEnvelopeSize returns an attribute KeyValue conforming to the
+// "messaging.message.envelope.size" semantic conventions. It represents the size
+// of the message body and metadata in bytes.
+func MessagingMessageEnvelopeSize(val int) attribute.KeyValue {
+	return MessagingMessageEnvelopeSizeKey.Int(val)
+}
+
+// MessagingMessageID returns an attribute KeyValue conforming to the
+// "messaging.message.id" semantic conventions. It represents a value used by the
+// messaging system as an identifier for the message, represented as a string.
+func MessagingMessageID(val string) attribute.KeyValue {
+	return MessagingMessageIDKey.String(val)
+}
+
+// MessagingOperationName returns an attribute KeyValue conforming to the
+// "messaging.operation.name" semantic conventions. It represents the
+// system-specific name of the messaging operation.
+func MessagingOperationName(val string) attribute.KeyValue {
+	return MessagingOperationNameKey.String(val)
+}
+
+// MessagingRabbitMQDestinationRoutingKey returns an attribute KeyValue
+// conforming to the "messaging.rabbitmq.destination.routing_key" semantic
+// conventions. It represents the rabbitMQ message routing key.
+func MessagingRabbitMQDestinationRoutingKey(val string) attribute.KeyValue {
+	return MessagingRabbitMQDestinationRoutingKeyKey.String(val)
+}
+
+// MessagingRabbitMQMessageDeliveryTag returns an attribute KeyValue conforming
+// to the "messaging.rabbitmq.message.delivery_tag" semantic conventions. It
+// represents the rabbitMQ message delivery tag.
+func MessagingRabbitMQMessageDeliveryTag(val int) attribute.KeyValue {
+	return MessagingRabbitMQMessageDeliveryTagKey.Int(val)
+}
+
+// MessagingRocketMQMessageDelayTimeLevel returns an attribute KeyValue
+// conforming to the "messaging.rocketmq.message.delay_time_level" semantic
+// conventions. It represents the delay time level for delay message, which
+// determines the message delay time.
+func MessagingRocketMQMessageDelayTimeLevel(val int) attribute.KeyValue {
+	return MessagingRocketMQMessageDelayTimeLevelKey.Int(val)
+}
+
+// MessagingRocketMQMessageDeliveryTimestamp returns an attribute KeyValue
+// conforming to the "messaging.rocketmq.message.delivery_timestamp" semantic
+// conventions. It represents the timestamp in milliseconds that the delay
+// message is expected to be delivered to consumer.
+func MessagingRocketMQMessageDeliveryTimestamp(val int) attribute.KeyValue {
+	return MessagingRocketMQMessageDeliveryTimestampKey.Int(val)
+}
+
+// MessagingRocketMQMessageGroup returns an attribute KeyValue conforming to the
+// "messaging.rocketmq.message.group" semantic conventions. It represents the it
+// is essential for FIFO message. Messages that belong to the same message group
+// are always processed one by one within the same consumer group.
+func MessagingRocketMQMessageGroup(val string) attribute.KeyValue {
+	return MessagingRocketMQMessageGroupKey.String(val)
+}
+
+// MessagingRocketMQMessageKeys returns an attribute KeyValue conforming to the
+// "messaging.rocketmq.message.keys" semantic conventions. It represents the
+// key(s) of message, another way to mark message besides message id.
+func MessagingRocketMQMessageKeys(val ...string) attribute.KeyValue {
+	return MessagingRocketMQMessageKeysKey.StringSlice(val)
+}
+
+// MessagingRocketMQMessageTag returns an attribute KeyValue conforming to the
+// "messaging.rocketmq.message.tag" semantic conventions. It represents the
+// secondary classifier of message besides topic.
+func MessagingRocketMQMessageTag(val string) attribute.KeyValue {
+	return MessagingRocketMQMessageTagKey.String(val)
+}
+
+// MessagingRocketMQNamespace returns an attribute KeyValue conforming to the
+// "messaging.rocketmq.namespace" semantic conventions. It represents the
+// namespace of RocketMQ resources, resources in different namespaces are
+// individual.
+func MessagingRocketMQNamespace(val string) attribute.KeyValue {
+	return MessagingRocketMQNamespaceKey.String(val)
+}
+
+// MessagingServiceBusMessageDeliveryCount returns an attribute KeyValue
+// conforming to the "messaging.servicebus.message.delivery_count" semantic
+// conventions. It represents the number of deliveries that have been attempted
+// for this message.
+func MessagingServiceBusMessageDeliveryCount(val int) attribute.KeyValue {
+	return MessagingServiceBusMessageDeliveryCountKey.Int(val)
+}
+
+// MessagingServiceBusMessageEnqueuedTime returns an attribute KeyValue
+// conforming to the "messaging.servicebus.message.enqueued_time" semantic
+// conventions. It represents the UTC epoch seconds at which the message has been
+// accepted and stored in the entity.
+func MessagingServiceBusMessageEnqueuedTime(val int) attribute.KeyValue {
+	return MessagingServiceBusMessageEnqueuedTimeKey.Int(val)
+}
+
+// Enum values for messaging.operation.type
+var (
+	// A message is created. "Create" spans always refer to a single message and are
+	// used to provide a unique creation context for messages in batch sending
+	// scenarios.
+	//
+	// Stability: development
+	MessagingOperationTypeCreate = MessagingOperationTypeKey.String("create")
+	// One or more messages are provided for sending to an intermediary. If a single
+	// message is sent, the context of the "Send" span can be used as the creation
+	// context and no "Create" span needs to be created.
+	//
+	// Stability: development
+	MessagingOperationTypeSend = MessagingOperationTypeKey.String("send")
+	// One or more messages are requested by a consumer. This operation refers to
+	// pull-based scenarios, where consumers explicitly call methods of messaging
+	// SDKs to receive messages.
+	//
+	// Stability: development
+	MessagingOperationTypeReceive = MessagingOperationTypeKey.String("receive")
+	// One or more messages are processed by a consumer.
+	//
+	// Stability: development
+	MessagingOperationTypeProcess = MessagingOperationTypeKey.String("process")
+	// One or more messages are settled.
+	//
+	// Stability: development
+	MessagingOperationTypeSettle = MessagingOperationTypeKey.String("settle")
+	// Deprecated: Replaced by `process`.
+	MessagingOperationTypeDeliver = MessagingOperationTypeKey.String("deliver")
+	// Deprecated: Replaced by `send`.
+	MessagingOperationTypePublish = MessagingOperationTypeKey.String("publish")
+)
+
+// Enum values for messaging.rocketmq.consumption_model
+var (
+	// Clustering consumption model
+	// Stability: development
+	MessagingRocketMQConsumptionModelClustering = MessagingRocketMQConsumptionModelKey.String("clustering")
+	// Broadcasting consumption model
+	// Stability: development
+	MessagingRocketMQConsumptionModelBroadcasting = MessagingRocketMQConsumptionModelKey.String("broadcasting")
+)
+
+// Enum values for messaging.rocketmq.message.type
+var (
+	// Normal message
+	// Stability: development
+	MessagingRocketMQMessageTypeNormal = MessagingRocketMQMessageTypeKey.String("normal")
+	// FIFO message
+	// Stability: development
+	MessagingRocketMQMessageTypeFifo = MessagingRocketMQMessageTypeKey.String("fifo")
+	// Delay message
+	// Stability: development
+	MessagingRocketMQMessageTypeDelay = MessagingRocketMQMessageTypeKey.String("delay")
+	// Transaction message
+	// Stability: development
+	MessagingRocketMQMessageTypeTransaction = MessagingRocketMQMessageTypeKey.String("transaction")
+)
+
+// Enum values for messaging.servicebus.disposition_status
+var (
+	// Message is completed
+	// Stability: development
+	MessagingServiceBusDispositionStatusComplete = MessagingServiceBusDispositionStatusKey.String("complete")
+	// Message is abandoned
+	// Stability: development
+	MessagingServiceBusDispositionStatusAbandon = MessagingServiceBusDispositionStatusKey.String("abandon")
+	// Message is sent to dead letter queue
+	// Stability: development
+	MessagingServiceBusDispositionStatusDeadLetter = MessagingServiceBusDispositionStatusKey.String("dead_letter")
+	// Message is deferred
+	// Stability: development
+	MessagingServiceBusDispositionStatusDefer = MessagingServiceBusDispositionStatusKey.String("defer")
+)
+
+// Enum values for messaging.system
+var (
+	// Apache ActiveMQ
+	// Stability: development
+	MessagingSystemActiveMQ = MessagingSystemKey.String("activemq")
+	// Amazon Simple Queue Service (SQS)
+	// Stability: development
+	MessagingSystemAWSSQS = MessagingSystemKey.String("aws_sqs")
+	// Azure Event Grid
+	// Stability: development
+	MessagingSystemEventGrid = MessagingSystemKey.String("eventgrid")
+	// Azure Event Hubs
+	// Stability: development
+	MessagingSystemEventHubs = MessagingSystemKey.String("eventhubs")
+	// Azure Service Bus
+	// Stability: development
+	MessagingSystemServiceBus = MessagingSystemKey.String("servicebus")
+	// Google Cloud Pub/Sub
+	// Stability: development
+	MessagingSystemGCPPubSub = MessagingSystemKey.String("gcp_pubsub")
+	// Java Message Service
+	// Stability: development
+	MessagingSystemJMS = MessagingSystemKey.String("jms")
+	// Apache Kafka
+	// Stability: development
+	MessagingSystemKafka = MessagingSystemKey.String("kafka")
+	// RabbitMQ
+	// Stability: development
+	MessagingSystemRabbitMQ = MessagingSystemKey.String("rabbitmq")
+	// Apache RocketMQ
+	// Stability: development
+	MessagingSystemRocketMQ = MessagingSystemKey.String("rocketmq")
+	// Apache Pulsar
+	// Stability: development
+	MessagingSystemPulsar = MessagingSystemKey.String("pulsar")
+)
+
+// Namespace: network
+const (
+	// NetworkCarrierICCKey is the attribute Key conforming to the
+	// "network.carrier.icc" semantic conventions. It represents the ISO 3166-1
+	// alpha-2 2-character country code associated with the mobile carrier network.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: DE
+	NetworkCarrierICCKey = attribute.Key("network.carrier.icc")
+
+	// NetworkCarrierMCCKey is the attribute Key conforming to the
+	// "network.carrier.mcc" semantic conventions. It represents the mobile carrier
+	// country code.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 310
+	NetworkCarrierMCCKey = attribute.Key("network.carrier.mcc")
+
+	// NetworkCarrierMNCKey is the attribute Key conforming to the
+	// "network.carrier.mnc" semantic conventions. It represents the mobile carrier
+	// network code.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 001
+	NetworkCarrierMNCKey = attribute.Key("network.carrier.mnc")
+
+	// NetworkCarrierNameKey is the attribute Key conforming to the
+	// "network.carrier.name" semantic conventions. It represents the name of the
+	// mobile carrier.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: sprint
+	NetworkCarrierNameKey = attribute.Key("network.carrier.name")
+
+	// NetworkConnectionStateKey is the attribute Key conforming to the
+	// "network.connection.state" semantic conventions. It represents the state of
+	// network connection.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "close_wait"
+	// Note: Connection states are defined as part of the [rfc9293]
+	//
+	// [rfc9293]: https://datatracker.ietf.org/doc/html/rfc9293#section-3.3.2
+	NetworkConnectionStateKey = attribute.Key("network.connection.state")
+
+	// NetworkConnectionSubtypeKey is the attribute Key conforming to the
+	// "network.connection.subtype" semantic conventions. It represents the this
+	// describes more details regarding the connection.type. It may be the type of
+	// cell technology connection, but it could be used for describing details about
+	// a wifi connection.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: LTE
+	NetworkConnectionSubtypeKey = attribute.Key("network.connection.subtype")
+
+	// NetworkConnectionTypeKey is the attribute Key conforming to the
+	// "network.connection.type" semantic conventions. It represents the internet
+	// connection type.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: wifi
+	NetworkConnectionTypeKey = attribute.Key("network.connection.type")
+
+	// NetworkInterfaceNameKey is the attribute Key conforming to the
+	// "network.interface.name" semantic conventions. It represents the network
+	// interface name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "lo", "eth0"
+	NetworkInterfaceNameKey = attribute.Key("network.interface.name")
+
+	// NetworkIODirectionKey is the attribute Key conforming to the
+	// "network.io.direction" semantic conventions. It represents the network IO
+	// operation direction.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "transmit"
+	NetworkIODirectionKey = attribute.Key("network.io.direction")
+
+	// NetworkLocalAddressKey is the attribute Key conforming to the
+	// "network.local.address" semantic conventions. It represents the local address
+	// of the network connection - IP address or Unix domain socket name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "10.1.2.80", "/tmp/my.sock"
+	NetworkLocalAddressKey = attribute.Key("network.local.address")
+
+	// NetworkLocalPortKey is the attribute Key conforming to the
+	// "network.local.port" semantic conventions. It represents the local port
+	// number of the network connection.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: 65123
+	NetworkLocalPortKey = attribute.Key("network.local.port")
+
+	// NetworkPeerAddressKey is the attribute Key conforming to the
+	// "network.peer.address" semantic conventions. It represents the peer address
+	// of the network connection - IP address or Unix domain socket name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "10.1.2.80", "/tmp/my.sock"
+	NetworkPeerAddressKey = attribute.Key("network.peer.address")
+
+	// NetworkPeerPortKey is the attribute Key conforming to the "network.peer.port"
+	// semantic conventions. It represents the peer port number of the network
+	// connection.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: 65123
+	NetworkPeerPortKey = attribute.Key("network.peer.port")
+
+	// NetworkProtocolNameKey is the attribute Key conforming to the
+	// "network.protocol.name" semantic conventions. It represents the
+	// [OSI application layer] or non-OSI equivalent.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "amqp", "http", "mqtt"
+	// Note: The value SHOULD be normalized to lowercase.
+	//
+	// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+	NetworkProtocolNameKey = attribute.Key("network.protocol.name")
+
+	// NetworkProtocolVersionKey is the attribute Key conforming to the
+	// "network.protocol.version" semantic conventions. It represents the actual
+	// version of the protocol used for network communication.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "1.1", "2"
+	// Note: If protocol version is subject to negotiation (for example using [ALPN]
+	// ), this attribute SHOULD be set to the negotiated version. If the actual
+	// protocol version is not known, this attribute SHOULD NOT be set.
+	//
+	// [ALPN]: https://www.rfc-editor.org/rfc/rfc7301.html
+	NetworkProtocolVersionKey = attribute.Key("network.protocol.version")
+
+	// NetworkTransportKey is the attribute Key conforming to the
+	// "network.transport" semantic conventions. It represents the
+	// [OSI transport layer] or [inter-process communication method].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "tcp", "udp"
+	// Note: The value SHOULD be normalized to lowercase.
+	//
+	// Consider always setting the transport when setting a port number, since
+	// a port number is ambiguous without knowing the transport. For example
+	// different processes could be listening on TCP port 12345 and UDP port 12345.
+	//
+	// [OSI transport layer]: https://wikipedia.org/wiki/Transport_layer
+	// [inter-process communication method]: https://wikipedia.org/wiki/Inter-process_communication
+	NetworkTransportKey = attribute.Key("network.transport")
+
+	// NetworkTypeKey is the attribute Key conforming to the "network.type" semantic
+	// conventions. It represents the [OSI network layer] or non-OSI equivalent.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "ipv4", "ipv6"
+	// Note: The value SHOULD be normalized to lowercase.
+	//
+	// [OSI network layer]: https://wikipedia.org/wiki/Network_layer
+	NetworkTypeKey = attribute.Key("network.type")
+)
+
+// NetworkCarrierICC returns an attribute KeyValue conforming to the
+// "network.carrier.icc" semantic conventions. It represents the ISO 3166-1
+// alpha-2 2-character country code associated with the mobile carrier network.
+func NetworkCarrierICC(val string) attribute.KeyValue {
+	return NetworkCarrierICCKey.String(val)
+}
+
+// NetworkCarrierMCC returns an attribute KeyValue conforming to the
+// "network.carrier.mcc" semantic conventions. It represents the mobile carrier
+// country code.
+func NetworkCarrierMCC(val string) attribute.KeyValue {
+	return NetworkCarrierMCCKey.String(val)
+}
+
+// NetworkCarrierMNC returns an attribute KeyValue conforming to the
+// "network.carrier.mnc" semantic conventions. It represents the mobile carrier
+// network code.
+func NetworkCarrierMNC(val string) attribute.KeyValue {
+	return NetworkCarrierMNCKey.String(val)
+}
+
+// NetworkCarrierName returns an attribute KeyValue conforming to the
+// "network.carrier.name" semantic conventions. It represents the name of the
+// mobile carrier.
+func NetworkCarrierName(val string) attribute.KeyValue {
+	return NetworkCarrierNameKey.String(val)
+}
+
+// NetworkInterfaceName returns an attribute KeyValue conforming to the
+// "network.interface.name" semantic conventions. It represents the network
+// interface name.
+func NetworkInterfaceName(val string) attribute.KeyValue {
+	return NetworkInterfaceNameKey.String(val)
+}
+
+// NetworkLocalAddress returns an attribute KeyValue conforming to the
+// "network.local.address" semantic conventions. It represents the local address
+// of the network connection - IP address or Unix domain socket name.
+func NetworkLocalAddress(val string) attribute.KeyValue {
+	return NetworkLocalAddressKey.String(val)
+}
+
+// NetworkLocalPort returns an attribute KeyValue conforming to the
+// "network.local.port" semantic conventions. It represents the local port number
+// of the network connection.
+func NetworkLocalPort(val int) attribute.KeyValue {
+	return NetworkLocalPortKey.Int(val)
+}
+
+// NetworkPeerAddress returns an attribute KeyValue conforming to the
+// "network.peer.address" semantic conventions. It represents the peer address of
+// the network connection - IP address or Unix domain socket name.
+func NetworkPeerAddress(val string) attribute.KeyValue {
+	return NetworkPeerAddressKey.String(val)
+}
+
+// NetworkPeerPort returns an attribute KeyValue conforming to the
+// "network.peer.port" semantic conventions. It represents the peer port number
+// of the network connection.
+func NetworkPeerPort(val int) attribute.KeyValue {
+	return NetworkPeerPortKey.Int(val)
+}
+
+// NetworkProtocolName returns an attribute KeyValue conforming to the
+// "network.protocol.name" semantic conventions. It represents the
+// [OSI application layer] or non-OSI equivalent.
+//
+// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+func NetworkProtocolName(val string) attribute.KeyValue {
+	return NetworkProtocolNameKey.String(val)
+}
+
+// NetworkProtocolVersion returns an attribute KeyValue conforming to the
+// "network.protocol.version" semantic conventions. It represents the actual
+// version of the protocol used for network communication.
+func NetworkProtocolVersion(val string) attribute.KeyValue {
+	return NetworkProtocolVersionKey.String(val)
+}
+
+// Enum values for network.connection.state
+var (
+	// closed
+	// Stability: development
+	NetworkConnectionStateClosed = NetworkConnectionStateKey.String("closed")
+	// close_wait
+	// Stability: development
+	NetworkConnectionStateCloseWait = NetworkConnectionStateKey.String("close_wait")
+	// closing
+	// Stability: development
+	NetworkConnectionStateClosing = NetworkConnectionStateKey.String("closing")
+	// established
+	// Stability: development
+	NetworkConnectionStateEstablished = NetworkConnectionStateKey.String("established")
+	// fin_wait_1
+	// Stability: development
+	NetworkConnectionStateFinWait1 = NetworkConnectionStateKey.String("fin_wait_1")
+	// fin_wait_2
+	// Stability: development
+	NetworkConnectionStateFinWait2 = NetworkConnectionStateKey.String("fin_wait_2")
+	// last_ack
+	// Stability: development
+	NetworkConnectionStateLastAck = NetworkConnectionStateKey.String("last_ack")
+	// listen
+	// Stability: development
+	NetworkConnectionStateListen = NetworkConnectionStateKey.String("listen")
+	// syn_received
+	// Stability: development
+	NetworkConnectionStateSynReceived = NetworkConnectionStateKey.String("syn_received")
+	// syn_sent
+	// Stability: development
+	NetworkConnectionStateSynSent = NetworkConnectionStateKey.String("syn_sent")
+	// time_wait
+	// Stability: development
+	NetworkConnectionStateTimeWait = NetworkConnectionStateKey.String("time_wait")
+)
+
+// Enum values for network.connection.subtype
+var (
+	// GPRS
+	// Stability: development
+	NetworkConnectionSubtypeGprs = NetworkConnectionSubtypeKey.String("gprs")
+	// EDGE
+	// Stability: development
+	NetworkConnectionSubtypeEdge = NetworkConnectionSubtypeKey.String("edge")
+	// UMTS
+	// Stability: development
+	NetworkConnectionSubtypeUmts = NetworkConnectionSubtypeKey.String("umts")
+	// CDMA
+	// Stability: development
+	NetworkConnectionSubtypeCdma = NetworkConnectionSubtypeKey.String("cdma")
+	// EVDO Rel. 0
+	// Stability: development
+	NetworkConnectionSubtypeEvdo0 = NetworkConnectionSubtypeKey.String("evdo_0")
+	// EVDO Rev. A
+	// Stability: development
+	NetworkConnectionSubtypeEvdoA = NetworkConnectionSubtypeKey.String("evdo_a")
+	// CDMA2000 1XRTT
+	// Stability: development
+	NetworkConnectionSubtypeCdma20001xrtt = NetworkConnectionSubtypeKey.String("cdma2000_1xrtt")
+	// HSDPA
+	// Stability: development
+	NetworkConnectionSubtypeHsdpa = NetworkConnectionSubtypeKey.String("hsdpa")
+	// HSUPA
+	// Stability: development
+	NetworkConnectionSubtypeHsupa = NetworkConnectionSubtypeKey.String("hsupa")
+	// HSPA
+	// Stability: development
+	NetworkConnectionSubtypeHspa = NetworkConnectionSubtypeKey.String("hspa")
+	// IDEN
+	// Stability: development
+	NetworkConnectionSubtypeIden = NetworkConnectionSubtypeKey.String("iden")
+	// EVDO Rev. B
+	// Stability: development
+	NetworkConnectionSubtypeEvdoB = NetworkConnectionSubtypeKey.String("evdo_b")
+	// LTE
+	// Stability: development
+	NetworkConnectionSubtypeLte = NetworkConnectionSubtypeKey.String("lte")
+	// EHRPD
+	// Stability: development
+	NetworkConnectionSubtypeEhrpd = NetworkConnectionSubtypeKey.String("ehrpd")
+	// HSPAP
+	// Stability: development
+	NetworkConnectionSubtypeHspap = NetworkConnectionSubtypeKey.String("hspap")
+	// GSM
+	// Stability: development
+	NetworkConnectionSubtypeGsm = NetworkConnectionSubtypeKey.String("gsm")
+	// TD-SCDMA
+	// Stability: development
+	NetworkConnectionSubtypeTdScdma = NetworkConnectionSubtypeKey.String("td_scdma")
+	// IWLAN
+	// Stability: development
+	NetworkConnectionSubtypeIwlan = NetworkConnectionSubtypeKey.String("iwlan")
+	// 5G NR (New Radio)
+	// Stability: development
+	NetworkConnectionSubtypeNr = NetworkConnectionSubtypeKey.String("nr")
+	// 5G NRNSA (New Radio Non-Standalone)
+	// Stability: development
+	NetworkConnectionSubtypeNrnsa = NetworkConnectionSubtypeKey.String("nrnsa")
+	// LTE CA
+	// Stability: development
+	NetworkConnectionSubtypeLteCa = NetworkConnectionSubtypeKey.String("lte_ca")
+)
+
+// Enum values for network.connection.type
+var (
+	// wifi
+	// Stability: development
+	NetworkConnectionTypeWifi = NetworkConnectionTypeKey.String("wifi")
+	// wired
+	// Stability: development
+	NetworkConnectionTypeWired = NetworkConnectionTypeKey.String("wired")
+	// cell
+	// Stability: development
+	NetworkConnectionTypeCell = NetworkConnectionTypeKey.String("cell")
+	// unavailable
+	// Stability: development
+	NetworkConnectionTypeUnavailable = NetworkConnectionTypeKey.String("unavailable")
+	// unknown
+	// Stability: development
+	NetworkConnectionTypeUnknown = NetworkConnectionTypeKey.String("unknown")
+)
+
+// Enum values for network.io.direction
+var (
+	// transmit
+	// Stability: development
+	NetworkIODirectionTransmit = NetworkIODirectionKey.String("transmit")
+	// receive
+	// Stability: development
+	NetworkIODirectionReceive = NetworkIODirectionKey.String("receive")
+)
+
+// Enum values for network.transport
+var (
+	// TCP
+	// Stability: stable
+	NetworkTransportTCP = NetworkTransportKey.String("tcp")
+	// UDP
+	// Stability: stable
+	NetworkTransportUDP = NetworkTransportKey.String("udp")
+	// Named or anonymous pipe.
+	// Stability: stable
+	NetworkTransportPipe = NetworkTransportKey.String("pipe")
+	// Unix domain socket
+	// Stability: stable
+	NetworkTransportUnix = NetworkTransportKey.String("unix")
+	// QUIC
+	// Stability: stable
+	NetworkTransportQUIC = NetworkTransportKey.String("quic")
+)
+
+// Enum values for network.type
+var (
+	// IPv4
+	// Stability: stable
+	NetworkTypeIPv4 = NetworkTypeKey.String("ipv4")
+	// IPv6
+	// Stability: stable
+	NetworkTypeIPv6 = NetworkTypeKey.String("ipv6")
+)
+
+// Namespace: oci
+const (
+	// OCIManifestDigestKey is the attribute Key conforming to the
+	// "oci.manifest.digest" semantic conventions. It represents the digest of the
+	// OCI image manifest. For container images specifically is the digest by which
+	// the container image is known.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4"
+	// Note: Follows [OCI Image Manifest Specification], and specifically the
+	// [Digest property].
+	// An example can be found in [Example Image Manifest].
+	//
+	// [OCI Image Manifest Specification]: https://github.com/opencontainers/image-spec/blob/main/manifest.md
+	// [Digest property]: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests
+	// [Example Image Manifest]: https://github.com/opencontainers/image-spec/blob/main/manifest.md#example-image-manifest
+	OCIManifestDigestKey = attribute.Key("oci.manifest.digest")
+)
+
+// OCIManifestDigest returns an attribute KeyValue conforming to the
+// "oci.manifest.digest" semantic conventions. It represents the digest of the
+// OCI image manifest. For container images specifically is the digest by which
+// the container image is known.
+func OCIManifestDigest(val string) attribute.KeyValue {
+	return OCIManifestDigestKey.String(val)
+}
+
+// Namespace: opentracing
+const (
+	// OpenTracingRefTypeKey is the attribute Key conforming to the
+	// "opentracing.ref_type" semantic conventions. It represents the parent-child
+	// Reference type.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: The causal relationship between a child Span and a parent Span.
+	OpenTracingRefTypeKey = attribute.Key("opentracing.ref_type")
+)
+
+// Enum values for opentracing.ref_type
+var (
+	// The parent Span depends on the child Span in some capacity
+	// Stability: development
+	OpenTracingRefTypeChildOf = OpenTracingRefTypeKey.String("child_of")
+	// The parent Span doesn't depend in any way on the result of the child Span
+	// Stability: development
+	OpenTracingRefTypeFollowsFrom = OpenTracingRefTypeKey.String("follows_from")
+)
+
+// Namespace: os
+const (
+	// OSBuildIDKey is the attribute Key conforming to the "os.build_id" semantic
+	// conventions. It represents the unique identifier for a particular build or
+	// compilation of the operating system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "TQ3C.230805.001.B2", "20E247", "22621"
+	OSBuildIDKey = attribute.Key("os.build_id")
+
+	// OSDescriptionKey is the attribute Key conforming to the "os.description"
+	// semantic conventions. It represents the human readable (not intended to be
+	// parsed) OS version information, like e.g. reported by `ver` or
+	// `lsb_release -a` commands.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Microsoft Windows [Version 10.0.18363.778]", "Ubuntu 18.04.1 LTS"
+	OSDescriptionKey = attribute.Key("os.description")
+
+	// OSNameKey is the attribute Key conforming to the "os.name" semantic
+	// conventions. It represents the human readable operating system name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "iOS", "Android", "Ubuntu"
+	OSNameKey = attribute.Key("os.name")
+
+	// OSTypeKey is the attribute Key conforming to the "os.type" semantic
+	// conventions. It represents the operating system type.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	OSTypeKey = attribute.Key("os.type")
+
+	// OSVersionKey is the attribute Key conforming to the "os.version" semantic
+	// conventions. It represents the version string of the operating system as
+	// defined in [Version Attributes].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "14.2.1", "18.04.1"
+	//
+	// [Version Attributes]: /docs/resource/README.md#version-attributes
+	OSVersionKey = attribute.Key("os.version")
+)
+
+// OSBuildID returns an attribute KeyValue conforming to the "os.build_id"
+// semantic conventions. It represents the unique identifier for a particular
+// build or compilation of the operating system.
+func OSBuildID(val string) attribute.KeyValue {
+	return OSBuildIDKey.String(val)
+}
+
+// OSDescription returns an attribute KeyValue conforming to the "os.description"
+// semantic conventions. It represents the human readable (not intended to be
+// parsed) OS version information, like e.g. reported by `ver` or
+// `lsb_release -a` commands.
+func OSDescription(val string) attribute.KeyValue {
+	return OSDescriptionKey.String(val)
+}
+
+// OSName returns an attribute KeyValue conforming to the "os.name" semantic
+// conventions. It represents the human readable operating system name.
+func OSName(val string) attribute.KeyValue {
+	return OSNameKey.String(val)
+}
+
+// OSVersion returns an attribute KeyValue conforming to the "os.version"
+// semantic conventions. It represents the version string of the operating system
+// as defined in [Version Attributes].
+//
+// [Version Attributes]: /docs/resource/README.md#version-attributes
+func OSVersion(val string) attribute.KeyValue {
+	return OSVersionKey.String(val)
+}
+
+// Enum values for os.type
+var (
+	// Microsoft Windows
+	// Stability: development
+	OSTypeWindows = OSTypeKey.String("windows")
+	// Linux
+	// Stability: development
+	OSTypeLinux = OSTypeKey.String("linux")
+	// Apple Darwin
+	// Stability: development
+	OSTypeDarwin = OSTypeKey.String("darwin")
+	// FreeBSD
+	// Stability: development
+	OSTypeFreeBSD = OSTypeKey.String("freebsd")
+	// NetBSD
+	// Stability: development
+	OSTypeNetBSD = OSTypeKey.String("netbsd")
+	// OpenBSD
+	// Stability: development
+	OSTypeOpenBSD = OSTypeKey.String("openbsd")
+	// DragonFly BSD
+	// Stability: development
+	OSTypeDragonflyBSD = OSTypeKey.String("dragonflybsd")
+	// HP-UX (Hewlett Packard Unix)
+	// Stability: development
+	OSTypeHPUX = OSTypeKey.String("hpux")
+	// AIX (Advanced Interactive eXecutive)
+	// Stability: development
+	OSTypeAIX = OSTypeKey.String("aix")
+	// SunOS, Oracle Solaris
+	// Stability: development
+	OSTypeSolaris = OSTypeKey.String("solaris")
+	// IBM z/OS
+	// Stability: development
+	OSTypeZOS = OSTypeKey.String("z_os")
+)
+
+// Namespace: otel
+const (
+	// OTelComponentNameKey is the attribute Key conforming to the
+	// "otel.component.name" semantic conventions. It represents a name uniquely
+	// identifying the instance of the OpenTelemetry component within its containing
+	// SDK instance.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "otlp_grpc_span_exporter/0", "custom-name"
+	// Note: Implementations SHOULD ensure a low cardinality for this attribute,
+	// even across application or SDK restarts.
+	// E.g. implementations MUST NOT use UUIDs as values for this attribute.
+	//
+	// Implementations MAY achieve these goals by following a
+	// `<otel.component.type>/<instance-counter>` pattern, e.g.
+	// `batching_span_processor/0`.
+	// Hereby `otel.component.type` refers to the corresponding attribute value of
+	// the component.
+	//
+	// The value of `instance-counter` MAY be automatically assigned by the
+	// component and uniqueness within the enclosing SDK instance MUST be
+	// guaranteed.
+	// For example, `<instance-counter>` MAY be implemented by using a monotonically
+	// increasing counter (starting with `0`), which is incremented every time an
+	// instance of the given component type is started.
+	//
+	// With this implementation, for example the first Batching Span Processor would
+	// have `batching_span_processor/0`
+	// as `otel.component.name`, the second one `batching_span_processor/1` and so
+	// on.
+	// These values will therefore be reused in the case of an application restart.
+	OTelComponentNameKey = attribute.Key("otel.component.name")
+
+	// OTelComponentTypeKey is the attribute Key conforming to the
+	// "otel.component.type" semantic conventions. It represents a name identifying
+	// the type of the OpenTelemetry component.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "batching_span_processor", "com.example.MySpanExporter"
+	// Note: If none of the standardized values apply, implementations SHOULD use
+	// the language-defined name of the type.
+	// E.g. for Java the fully qualified classname SHOULD be used in this case.
+	OTelComponentTypeKey = attribute.Key("otel.component.type")
+
+	// OTelScopeNameKey is the attribute Key conforming to the "otel.scope.name"
+	// semantic conventions. It represents the name of the instrumentation scope - (
+	// `InstrumentationScope.Name` in OTLP).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "io.opentelemetry.contrib.mongodb"
+	OTelScopeNameKey = attribute.Key("otel.scope.name")
+
+	// OTelScopeVersionKey is the attribute Key conforming to the
+	// "otel.scope.version" semantic conventions. It represents the version of the
+	// instrumentation scope - (`InstrumentationScope.Version` in OTLP).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "1.0.0"
+	OTelScopeVersionKey = attribute.Key("otel.scope.version")
+
+	// OTelSpanSamplingResultKey is the attribute Key conforming to the
+	// "otel.span.sampling_result" semantic conventions. It represents the result
+	// value of the sampler for this span.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	OTelSpanSamplingResultKey = attribute.Key("otel.span.sampling_result")
+
+	// OTelStatusCodeKey is the attribute Key conforming to the "otel.status_code"
+	// semantic conventions. It represents the name of the code, either "OK" or
+	// "ERROR". MUST NOT be set if the status code is UNSET.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples:
+	OTelStatusCodeKey = attribute.Key("otel.status_code")
+
+	// OTelStatusDescriptionKey is the attribute Key conforming to the
+	// "otel.status_description" semantic conventions. It represents the description
+	// of the Status if it has a value, otherwise not set.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "resource not found"
+	OTelStatusDescriptionKey = attribute.Key("otel.status_description")
+)
+
+// OTelComponentName returns an attribute KeyValue conforming to the
+// "otel.component.name" semantic conventions. It represents a name uniquely
+// identifying the instance of the OpenTelemetry component within its containing
+// SDK instance.
+func OTelComponentName(val string) attribute.KeyValue {
+	return OTelComponentNameKey.String(val)
+}
+
+// OTelScopeName returns an attribute KeyValue conforming to the
+// "otel.scope.name" semantic conventions. It represents the name of the
+// instrumentation scope - (`InstrumentationScope.Name` in OTLP).
+func OTelScopeName(val string) attribute.KeyValue {
+	return OTelScopeNameKey.String(val)
+}
+
+// OTelScopeVersion returns an attribute KeyValue conforming to the
+// "otel.scope.version" semantic conventions. It represents the version of the
+// instrumentation scope - (`InstrumentationScope.Version` in OTLP).
+func OTelScopeVersion(val string) attribute.KeyValue {
+	return OTelScopeVersionKey.String(val)
+}
+
+// OTelStatusDescription returns an attribute KeyValue conforming to the
+// "otel.status_description" semantic conventions. It represents the description
+// of the Status if it has a value, otherwise not set.
+func OTelStatusDescription(val string) attribute.KeyValue {
+	return OTelStatusDescriptionKey.String(val)
+}
+
+// Enum values for otel.component.type
+var (
+	// The builtin SDK batching span processor
+	//
+	// Stability: development
+	OTelComponentTypeBatchingSpanProcessor = OTelComponentTypeKey.String("batching_span_processor")
+	// The builtin SDK simple span processor
+	//
+	// Stability: development
+	OTelComponentTypeSimpleSpanProcessor = OTelComponentTypeKey.String("simple_span_processor")
+	// The builtin SDK batching log record processor
+	//
+	// Stability: development
+	OTelComponentTypeBatchingLogProcessor = OTelComponentTypeKey.String("batching_log_processor")
+	// The builtin SDK simple log record processor
+	//
+	// Stability: development
+	OTelComponentTypeSimpleLogProcessor = OTelComponentTypeKey.String("simple_log_processor")
+	// OTLP span exporter over gRPC with protobuf serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpGRPCSpanExporter = OTelComponentTypeKey.String("otlp_grpc_span_exporter")
+	// OTLP span exporter over HTTP with protobuf serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpHTTPSpanExporter = OTelComponentTypeKey.String("otlp_http_span_exporter")
+	// OTLP span exporter over HTTP with JSON serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpHTTPJSONSpanExporter = OTelComponentTypeKey.String("otlp_http_json_span_exporter")
+	// OTLP log record exporter over gRPC with protobuf serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpGRPCLogExporter = OTelComponentTypeKey.String("otlp_grpc_log_exporter")
+	// OTLP log record exporter over HTTP with protobuf serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpHTTPLogExporter = OTelComponentTypeKey.String("otlp_http_log_exporter")
+	// OTLP log record exporter over HTTP with JSON serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpHTTPJSONLogExporter = OTelComponentTypeKey.String("otlp_http_json_log_exporter")
+	// The builtin SDK periodically exporting metric reader
+	//
+	// Stability: development
+	OTelComponentTypePeriodicMetricReader = OTelComponentTypeKey.String("periodic_metric_reader")
+	// OTLP metric exporter over gRPC with protobuf serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpGRPCMetricExporter = OTelComponentTypeKey.String("otlp_grpc_metric_exporter")
+	// OTLP metric exporter over HTTP with protobuf serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpHTTPMetricExporter = OTelComponentTypeKey.String("otlp_http_metric_exporter")
+	// OTLP metric exporter over HTTP with JSON serialization
+	//
+	// Stability: development
+	OTelComponentTypeOtlpHTTPJSONMetricExporter = OTelComponentTypeKey.String("otlp_http_json_metric_exporter")
+)
+
+// Enum values for otel.span.sampling_result
+var (
+	// The span is not sampled and not recording
+	// Stability: development
+	OTelSpanSamplingResultDrop = OTelSpanSamplingResultKey.String("DROP")
+	// The span is not sampled, but recording
+	// Stability: development
+	OTelSpanSamplingResultRecordOnly = OTelSpanSamplingResultKey.String("RECORD_ONLY")
+	// The span is sampled and recording
+	// Stability: development
+	OTelSpanSamplingResultRecordAndSample = OTelSpanSamplingResultKey.String("RECORD_AND_SAMPLE")
+)
+
+// Enum values for otel.status_code
+var (
+	// The operation has been validated by an Application developer or Operator to
+	// have completed successfully.
+	// Stability: stable
+	OTelStatusCodeOk = OTelStatusCodeKey.String("OK")
+	// The operation contains an error.
+	// Stability: stable
+	OTelStatusCodeError = OTelStatusCodeKey.String("ERROR")
+)
+
+// Namespace: peer
+const (
+	// PeerServiceKey is the attribute Key conforming to the "peer.service" semantic
+	// conventions. It represents the [`service.name`] of the remote service. SHOULD
+	// be equal to the actual `service.name` resource attribute of the remote
+	// service if any.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: AuthTokenCache
+	//
+	// [`service.name`]: /docs/resource/README.md#service
+	PeerServiceKey = attribute.Key("peer.service")
+)
+
+// PeerService returns an attribute KeyValue conforming to the "peer.service"
+// semantic conventions. It represents the [`service.name`] of the remote
+// service. SHOULD be equal to the actual `service.name` resource attribute of
+// the remote service if any.
+//
+// [`service.name`]: /docs/resource/README.md#service
+func PeerService(val string) attribute.KeyValue {
+	return PeerServiceKey.String(val)
+}
+
+// Namespace: process
+const (
+	// ProcessArgsCountKey is the attribute Key conforming to the
+	// "process.args_count" semantic conventions. It represents the length of the
+	// process.command_args array.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 4
+	// Note: This field can be useful for querying or performing bucket analysis on
+	// how many arguments were provided to start a process. More arguments may be an
+	// indication of suspicious activity.
+	ProcessArgsCountKey = attribute.Key("process.args_count")
+
+	// ProcessCommandKey is the attribute Key conforming to the "process.command"
+	// semantic conventions. It represents the command used to launch the process
+	// (i.e. the command name). On Linux based systems, can be set to the zeroth
+	// string in `proc/[pid]/cmdline`. On Windows, can be set to the first parameter
+	// extracted from `GetCommandLineW`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "cmd/otelcol"
+	ProcessCommandKey = attribute.Key("process.command")
+
+	// ProcessCommandArgsKey is the attribute Key conforming to the
+	// "process.command_args" semantic conventions. It represents the all the
+	// command arguments (including the command/executable itself) as received by
+	// the process. On Linux-based systems (and some other Unixoid systems
+	// supporting procfs), can be set according to the list of null-delimited
+	// strings extracted from `proc/[pid]/cmdline`. For libc-based executables, this
+	// would be the full argv vector passed to `main`. SHOULD NOT be collected by
+	// default unless there is sanitization that excludes sensitive data.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "cmd/otecol", "--config=config.yaml"
+	ProcessCommandArgsKey = attribute.Key("process.command_args")
+
+	// ProcessCommandLineKey is the attribute Key conforming to the
+	// "process.command_line" semantic conventions. It represents the full command
+	// used to launch the process as a single string representing the full command.
+	// On Windows, can be set to the result of `GetCommandLineW`. Do not set this if
+	// you have to assemble it just for monitoring; use `process.command_args`
+	// instead. SHOULD NOT be collected by default unless there is sanitization that
+	// excludes sensitive data.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "C:\cmd\otecol --config="my directory\config.yaml""
+	ProcessCommandLineKey = attribute.Key("process.command_line")
+
+	// ProcessContextSwitchTypeKey is the attribute Key conforming to the
+	// "process.context_switch_type" semantic conventions. It represents the
+	// specifies whether the context switches for this data point were voluntary or
+	// involuntary.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	ProcessContextSwitchTypeKey = attribute.Key("process.context_switch_type")
+
+	// ProcessCreationTimeKey is the attribute Key conforming to the
+	// "process.creation.time" semantic conventions. It represents the date and time
+	// the process was created, in ISO 8601 format.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2023-11-21T09:25:34.853Z"
+	ProcessCreationTimeKey = attribute.Key("process.creation.time")
+
+	// ProcessExecutableBuildIDGNUKey is the attribute Key conforming to the
+	// "process.executable.build_id.gnu" semantic conventions. It represents the GNU
+	// build ID as found in the `.note.gnu.build-id` ELF section (hex string).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "c89b11207f6479603b0d49bf291c092c2b719293"
+	ProcessExecutableBuildIDGNUKey = attribute.Key("process.executable.build_id.gnu")
+
+	// ProcessExecutableBuildIDGoKey is the attribute Key conforming to the
+	// "process.executable.build_id.go" semantic conventions. It represents the Go
+	// build ID as retrieved by `go tool buildid <go executable>`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "foh3mEXu7BLZjsN9pOwG/kATcXlYVCDEFouRMQed_/WwRFB1hPo9LBkekthSPG/x8hMC8emW2cCjXD0_1aY"
+	ProcessExecutableBuildIDGoKey = attribute.Key("process.executable.build_id.go")
+
+	// ProcessExecutableBuildIDHtlhashKey is the attribute Key conforming to the
+	// "process.executable.build_id.htlhash" semantic conventions. It represents the
+	// profiling specific build ID for executables. See the OTel specification for
+	// Profiles for more information.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "600DCAFE4A110000F2BF38C493F5FB92"
+	ProcessExecutableBuildIDHtlhashKey = attribute.Key("process.executable.build_id.htlhash")
+
+	// ProcessExecutableNameKey is the attribute Key conforming to the
+	// "process.executable.name" semantic conventions. It represents the name of the
+	// process executable. On Linux based systems, this SHOULD be set to the base
+	// name of the target of `/proc/[pid]/exe`. On Windows, this SHOULD be set to
+	// the base name of `GetProcessImageFileNameW`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "otelcol"
+	ProcessExecutableNameKey = attribute.Key("process.executable.name")
+
+	// ProcessExecutablePathKey is the attribute Key conforming to the
+	// "process.executable.path" semantic conventions. It represents the full path
+	// to the process executable. On Linux based systems, can be set to the target
+	// of `proc/[pid]/exe`. On Windows, can be set to the result of
+	// `GetProcessImageFileNameW`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/usr/bin/cmd/otelcol"
+	ProcessExecutablePathKey = attribute.Key("process.executable.path")
+
+	// ProcessExitCodeKey is the attribute Key conforming to the "process.exit.code"
+	// semantic conventions. It represents the exit code of the process.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 127
+	ProcessExitCodeKey = attribute.Key("process.exit.code")
+
+	// ProcessExitTimeKey is the attribute Key conforming to the "process.exit.time"
+	// semantic conventions. It represents the date and time the process exited, in
+	// ISO 8601 format.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2023-11-21T09:26:12.315Z"
+	ProcessExitTimeKey = attribute.Key("process.exit.time")
+
+	// ProcessGroupLeaderPIDKey is the attribute Key conforming to the
+	// "process.group_leader.pid" semantic conventions. It represents the PID of the
+	// process's group leader. This is also the process group ID (PGID) of the
+	// process.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 23
+	ProcessGroupLeaderPIDKey = attribute.Key("process.group_leader.pid")
+
+	// ProcessInteractiveKey is the attribute Key conforming to the
+	// "process.interactive" semantic conventions. It represents the whether the
+	// process is connected to an interactive shell.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	ProcessInteractiveKey = attribute.Key("process.interactive")
+
+	// ProcessLinuxCgroupKey is the attribute Key conforming to the
+	// "process.linux.cgroup" semantic conventions. It represents the control group
+	// associated with the process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1:name=systemd:/user.slice/user-1000.slice/session-3.scope",
+	// "0::/user.slice/user-1000.slice/user@1000.service/tmux-spawn-0267755b-4639-4a27-90ed-f19f88e53748.scope"
+	// Note: Control groups (cgroups) are a kernel feature used to organize and
+	// manage process resources. This attribute provides the path(s) to the
+	// cgroup(s) associated with the process, which should match the contents of the
+	// [/proc/[PID]/cgroup] file.
+	//
+	// [/proc/[PID]/cgroup]: https://man7.org/linux/man-pages/man7/cgroups.7.html
+	ProcessLinuxCgroupKey = attribute.Key("process.linux.cgroup")
+
+	// ProcessOwnerKey is the attribute Key conforming to the "process.owner"
+	// semantic conventions. It represents the username of the user that owns the
+	// process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "root"
+	ProcessOwnerKey = attribute.Key("process.owner")
+
+	// ProcessPagingFaultTypeKey is the attribute Key conforming to the
+	// "process.paging.fault_type" semantic conventions. It represents the type of
+	// page fault for this data point. Type `major` is for major/hard page faults,
+	// and `minor` is for minor/soft page faults.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	ProcessPagingFaultTypeKey = attribute.Key("process.paging.fault_type")
+
+	// ProcessParentPIDKey is the attribute Key conforming to the
+	// "process.parent_pid" semantic conventions. It represents the parent Process
+	// identifier (PPID).
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 111
+	ProcessParentPIDKey = attribute.Key("process.parent_pid")
+
+	// ProcessPIDKey is the attribute Key conforming to the "process.pid" semantic
+	// conventions. It represents the process identifier (PID).
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1234
+	ProcessPIDKey = attribute.Key("process.pid")
+
+	// ProcessRealUserIDKey is the attribute Key conforming to the
+	// "process.real_user.id" semantic conventions. It represents the real user ID
+	// (RUID) of the process.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1000
+	ProcessRealUserIDKey = attribute.Key("process.real_user.id")
+
+	// ProcessRealUserNameKey is the attribute Key conforming to the
+	// "process.real_user.name" semantic conventions. It represents the username of
+	// the real user of the process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "operator"
+	ProcessRealUserNameKey = attribute.Key("process.real_user.name")
+
+	// ProcessRuntimeDescriptionKey is the attribute Key conforming to the
+	// "process.runtime.description" semantic conventions. It represents an
+	// additional description about the runtime of the process, for example a
+	// specific vendor customization of the runtime environment.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: Eclipse OpenJ9 Eclipse OpenJ9 VM openj9-0.21.0
+	ProcessRuntimeDescriptionKey = attribute.Key("process.runtime.description")
+
+	// ProcessRuntimeNameKey is the attribute Key conforming to the
+	// "process.runtime.name" semantic conventions. It represents the name of the
+	// runtime of this process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "OpenJDK Runtime Environment"
+	ProcessRuntimeNameKey = attribute.Key("process.runtime.name")
+
+	// ProcessRuntimeVersionKey is the attribute Key conforming to the
+	// "process.runtime.version" semantic conventions. It represents the version of
+	// the runtime of this process, as returned by the runtime without modification.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 14.0.2
+	ProcessRuntimeVersionKey = attribute.Key("process.runtime.version")
+
+	// ProcessSavedUserIDKey is the attribute Key conforming to the
+	// "process.saved_user.id" semantic conventions. It represents the saved user ID
+	// (SUID) of the process.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1002
+	ProcessSavedUserIDKey = attribute.Key("process.saved_user.id")
+
+	// ProcessSavedUserNameKey is the attribute Key conforming to the
+	// "process.saved_user.name" semantic conventions. It represents the username of
+	// the saved user.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "operator"
+	ProcessSavedUserNameKey = attribute.Key("process.saved_user.name")
+
+	// ProcessSessionLeaderPIDKey is the attribute Key conforming to the
+	// "process.session_leader.pid" semantic conventions. It represents the PID of
+	// the process's session leader. This is also the session ID (SID) of the
+	// process.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 14
+	ProcessSessionLeaderPIDKey = attribute.Key("process.session_leader.pid")
+
+	// ProcessTitleKey is the attribute Key conforming to the "process.title"
+	// semantic conventions. It represents the process title (proctitle).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "cat /etc/hostname", "xfce4-session", "bash"
+	// Note: In many Unix-like systems, process title (proctitle), is the string
+	// that represents the name or command line of a running process, displayed by
+	// system monitoring tools like ps, top, and htop.
+	ProcessTitleKey = attribute.Key("process.title")
+
+	// ProcessUserIDKey is the attribute Key conforming to the "process.user.id"
+	// semantic conventions. It represents the effective user ID (EUID) of the
+	// process.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1001
+	ProcessUserIDKey = attribute.Key("process.user.id")
+
+	// ProcessUserNameKey is the attribute Key conforming to the "process.user.name"
+	// semantic conventions. It represents the username of the effective user of the
+	// process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "root"
+	ProcessUserNameKey = attribute.Key("process.user.name")
+
+	// ProcessVpidKey is the attribute Key conforming to the "process.vpid" semantic
+	// conventions. It represents the virtual process identifier.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 12
+	// Note: The process ID within a PID namespace. This is not necessarily unique
+	// across all processes on the host but it is unique within the process
+	// namespace that the process exists within.
+	ProcessVpidKey = attribute.Key("process.vpid")
+
+	// ProcessWorkingDirectoryKey is the attribute Key conforming to the
+	// "process.working_directory" semantic conventions. It represents the working
+	// directory of the process.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/root"
+	ProcessWorkingDirectoryKey = attribute.Key("process.working_directory")
+)
+
+// ProcessArgsCount returns an attribute KeyValue conforming to the
+// "process.args_count" semantic conventions. It represents the length of the
+// process.command_args array.
+func ProcessArgsCount(val int) attribute.KeyValue {
+	return ProcessArgsCountKey.Int(val)
+}
+
+// ProcessCommand returns an attribute KeyValue conforming to the
+// "process.command" semantic conventions. It represents the command used to
+// launch the process (i.e. the command name). On Linux based systems, can be set
+// to the zeroth string in `proc/[pid]/cmdline`. On Windows, can be set to the
+// first parameter extracted from `GetCommandLineW`.
+func ProcessCommand(val string) attribute.KeyValue {
+	return ProcessCommandKey.String(val)
+}
+
+// ProcessCommandArgs returns an attribute KeyValue conforming to the
+// "process.command_args" semantic conventions. It represents the all the command
+// arguments (including the command/executable itself) as received by the
+// process. On Linux-based systems (and some other Unixoid systems supporting
+// procfs), can be set according to the list of null-delimited strings extracted
+// from `proc/[pid]/cmdline`. For libc-based executables, this would be the full
+// argv vector passed to `main`. SHOULD NOT be collected by default unless there
+// is sanitization that excludes sensitive data.
+func ProcessCommandArgs(val ...string) attribute.KeyValue {
+	return ProcessCommandArgsKey.StringSlice(val)
+}
+
+// ProcessCommandLine returns an attribute KeyValue conforming to the
+// "process.command_line" semantic conventions. It represents the full command
+// used to launch the process as a single string representing the full command.
+// On Windows, can be set to the result of `GetCommandLineW`. Do not set this if
+// you have to assemble it just for monitoring; use `process.command_args`
+// instead. SHOULD NOT be collected by default unless there is sanitization that
+// excludes sensitive data.
+func ProcessCommandLine(val string) attribute.KeyValue {
+	return ProcessCommandLineKey.String(val)
+}
+
+// ProcessCreationTime returns an attribute KeyValue conforming to the
+// "process.creation.time" semantic conventions. It represents the date and time
+// the process was created, in ISO 8601 format.
+func ProcessCreationTime(val string) attribute.KeyValue {
+	return ProcessCreationTimeKey.String(val)
+}
+
+// ProcessExecutableBuildIDGNU returns an attribute KeyValue conforming to the
+// "process.executable.build_id.gnu" semantic conventions. It represents the GNU
+// build ID as found in the `.note.gnu.build-id` ELF section (hex string).
+func ProcessExecutableBuildIDGNU(val string) attribute.KeyValue {
+	return ProcessExecutableBuildIDGNUKey.String(val)
+}
+
+// ProcessExecutableBuildIDGo returns an attribute KeyValue conforming to the
+// "process.executable.build_id.go" semantic conventions. It represents the Go
+// build ID as retrieved by `go tool buildid <go executable>`.
+func ProcessExecutableBuildIDGo(val string) attribute.KeyValue {
+	return ProcessExecutableBuildIDGoKey.String(val)
+}
+
+// ProcessExecutableBuildIDHtlhash returns an attribute KeyValue conforming to
+// the "process.executable.build_id.htlhash" semantic conventions. It represents
+// the profiling specific build ID for executables. See the OTel specification
+// for Profiles for more information.
+func ProcessExecutableBuildIDHtlhash(val string) attribute.KeyValue {
+	return ProcessExecutableBuildIDHtlhashKey.String(val)
+}
+
+// ProcessExecutableName returns an attribute KeyValue conforming to the
+// "process.executable.name" semantic conventions. It represents the name of the
+// process executable. On Linux based systems, this SHOULD be set to the base
+// name of the target of `/proc/[pid]/exe`. On Windows, this SHOULD be set to the
+// base name of `GetProcessImageFileNameW`.
+func ProcessExecutableName(val string) attribute.KeyValue {
+	return ProcessExecutableNameKey.String(val)
+}
+
+// ProcessExecutablePath returns an attribute KeyValue conforming to the
+// "process.executable.path" semantic conventions. It represents the full path to
+// the process executable. On Linux based systems, can be set to the target of
+// `proc/[pid]/exe`. On Windows, can be set to the result of
+// `GetProcessImageFileNameW`.
+func ProcessExecutablePath(val string) attribute.KeyValue {
+	return ProcessExecutablePathKey.String(val)
+}
+
+// ProcessExitCode returns an attribute KeyValue conforming to the
+// "process.exit.code" semantic conventions. It represents the exit code of the
+// process.
+func ProcessExitCode(val int) attribute.KeyValue {
+	return ProcessExitCodeKey.Int(val)
+}
+
+// ProcessExitTime returns an attribute KeyValue conforming to the
+// "process.exit.time" semantic conventions. It represents the date and time the
+// process exited, in ISO 8601 format.
+func ProcessExitTime(val string) attribute.KeyValue {
+	return ProcessExitTimeKey.String(val)
+}
+
+// ProcessGroupLeaderPID returns an attribute KeyValue conforming to the
+// "process.group_leader.pid" semantic conventions. It represents the PID of the
+// process's group leader. This is also the process group ID (PGID) of the
+// process.
+func ProcessGroupLeaderPID(val int) attribute.KeyValue {
+	return ProcessGroupLeaderPIDKey.Int(val)
+}
+
+// ProcessInteractive returns an attribute KeyValue conforming to the
+// "process.interactive" semantic conventions. It represents the whether the
+// process is connected to an interactive shell.
+func ProcessInteractive(val bool) attribute.KeyValue {
+	return ProcessInteractiveKey.Bool(val)
+}
+
+// ProcessLinuxCgroup returns an attribute KeyValue conforming to the
+// "process.linux.cgroup" semantic conventions. It represents the control group
+// associated with the process.
+func ProcessLinuxCgroup(val string) attribute.KeyValue {
+	return ProcessLinuxCgroupKey.String(val)
+}
+
+// ProcessOwner returns an attribute KeyValue conforming to the "process.owner"
+// semantic conventions. It represents the username of the user that owns the
+// process.
+func ProcessOwner(val string) attribute.KeyValue {
+	return ProcessOwnerKey.String(val)
+}
+
+// ProcessParentPID returns an attribute KeyValue conforming to the
+// "process.parent_pid" semantic conventions. It represents the parent Process
+// identifier (PPID).
+func ProcessParentPID(val int) attribute.KeyValue {
+	return ProcessParentPIDKey.Int(val)
+}
+
+// ProcessPID returns an attribute KeyValue conforming to the "process.pid"
+// semantic conventions. It represents the process identifier (PID).
+func ProcessPID(val int) attribute.KeyValue {
+	return ProcessPIDKey.Int(val)
+}
+
+// ProcessRealUserID returns an attribute KeyValue conforming to the
+// "process.real_user.id" semantic conventions. It represents the real user ID
+// (RUID) of the process.
+func ProcessRealUserID(val int) attribute.KeyValue {
+	return ProcessRealUserIDKey.Int(val)
+}
+
+// ProcessRealUserName returns an attribute KeyValue conforming to the
+// "process.real_user.name" semantic conventions. It represents the username of
+// the real user of the process.
+func ProcessRealUserName(val string) attribute.KeyValue {
+	return ProcessRealUserNameKey.String(val)
+}
+
+// ProcessRuntimeDescription returns an attribute KeyValue conforming to the
+// "process.runtime.description" semantic conventions. It represents an
+// additional description about the runtime of the process, for example a
+// specific vendor customization of the runtime environment.
+func ProcessRuntimeDescription(val string) attribute.KeyValue {
+	return ProcessRuntimeDescriptionKey.String(val)
+}
+
+// ProcessRuntimeName returns an attribute KeyValue conforming to the
+// "process.runtime.name" semantic conventions. It represents the name of the
+// runtime of this process.
+func ProcessRuntimeName(val string) attribute.KeyValue {
+	return ProcessRuntimeNameKey.String(val)
+}
+
+// ProcessRuntimeVersion returns an attribute KeyValue conforming to the
+// "process.runtime.version" semantic conventions. It represents the version of
+// the runtime of this process, as returned by the runtime without modification.
+func ProcessRuntimeVersion(val string) attribute.KeyValue {
+	return ProcessRuntimeVersionKey.String(val)
+}
+
+// ProcessSavedUserID returns an attribute KeyValue conforming to the
+// "process.saved_user.id" semantic conventions. It represents the saved user ID
+// (SUID) of the process.
+func ProcessSavedUserID(val int) attribute.KeyValue {
+	return ProcessSavedUserIDKey.Int(val)
+}
+
+// ProcessSavedUserName returns an attribute KeyValue conforming to the
+// "process.saved_user.name" semantic conventions. It represents the username of
+// the saved user.
+func ProcessSavedUserName(val string) attribute.KeyValue {
+	return ProcessSavedUserNameKey.String(val)
+}
+
+// ProcessSessionLeaderPID returns an attribute KeyValue conforming to the
+// "process.session_leader.pid" semantic conventions. It represents the PID of
+// the process's session leader. This is also the session ID (SID) of the
+// process.
+func ProcessSessionLeaderPID(val int) attribute.KeyValue {
+	return ProcessSessionLeaderPIDKey.Int(val)
+}
+
+// ProcessTitle returns an attribute KeyValue conforming to the "process.title"
+// semantic conventions. It represents the process title (proctitle).
+func ProcessTitle(val string) attribute.KeyValue {
+	return ProcessTitleKey.String(val)
+}
+
+// ProcessUserID returns an attribute KeyValue conforming to the
+// "process.user.id" semantic conventions. It represents the effective user ID
+// (EUID) of the process.
+func ProcessUserID(val int) attribute.KeyValue {
+	return ProcessUserIDKey.Int(val)
+}
+
+// ProcessUserName returns an attribute KeyValue conforming to the
+// "process.user.name" semantic conventions. It represents the username of the
+// effective user of the process.
+func ProcessUserName(val string) attribute.KeyValue {
+	return ProcessUserNameKey.String(val)
+}
+
+// ProcessVpid returns an attribute KeyValue conforming to the "process.vpid"
+// semantic conventions. It represents the virtual process identifier.
+func ProcessVpid(val int) attribute.KeyValue {
+	return ProcessVpidKey.Int(val)
+}
+
+// ProcessWorkingDirectory returns an attribute KeyValue conforming to the
+// "process.working_directory" semantic conventions. It represents the working
+// directory of the process.
+func ProcessWorkingDirectory(val string) attribute.KeyValue {
+	return ProcessWorkingDirectoryKey.String(val)
+}
+
+// Enum values for process.context_switch_type
+var (
+	// voluntary
+	// Stability: development
+	ProcessContextSwitchTypeVoluntary = ProcessContextSwitchTypeKey.String("voluntary")
+	// involuntary
+	// Stability: development
+	ProcessContextSwitchTypeInvoluntary = ProcessContextSwitchTypeKey.String("involuntary")
+)
+
+// Enum values for process.paging.fault_type
+var (
+	// major
+	// Stability: development
+	ProcessPagingFaultTypeMajor = ProcessPagingFaultTypeKey.String("major")
+	// minor
+	// Stability: development
+	ProcessPagingFaultTypeMinor = ProcessPagingFaultTypeKey.String("minor")
+)
+
+// Namespace: profile
+const (
+	// ProfileFrameTypeKey is the attribute Key conforming to the
+	// "profile.frame.type" semantic conventions. It represents the describes the
+	// interpreter or compiler of a single frame.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "cpython"
+	ProfileFrameTypeKey = attribute.Key("profile.frame.type")
+)
+
+// Enum values for profile.frame.type
+var (
+	// [.NET]
+	//
+	// Stability: development
+	//
+	// [.NET]: https://wikipedia.org/wiki/.NET
+	ProfileFrameTypeDotnet = ProfileFrameTypeKey.String("dotnet")
+	// [JVM]
+	//
+	// Stability: development
+	//
+	// [JVM]: https://wikipedia.org/wiki/Java_virtual_machine
+	ProfileFrameTypeJVM = ProfileFrameTypeKey.String("jvm")
+	// [Kernel]
+	//
+	// Stability: development
+	//
+	// [Kernel]: https://wikipedia.org/wiki/Kernel_(operating_system)
+	ProfileFrameTypeKernel = ProfileFrameTypeKey.String("kernel")
+	// Can be one of but not limited to [C], [C++], [Go] or [Rust]. If possible, a
+	// more precise value MUST be used.
+	//
+	// Stability: development
+	//
+	// [C]: https://wikipedia.org/wiki/C_(programming_language)
+	// [C++]: https://wikipedia.org/wiki/C%2B%2B
+	// [Go]: https://wikipedia.org/wiki/Go_(programming_language)
+	// [Rust]: https://wikipedia.org/wiki/Rust_(programming_language)
+	ProfileFrameTypeNative = ProfileFrameTypeKey.String("native")
+	// [Perl]
+	//
+	// Stability: development
+	//
+	// [Perl]: https://wikipedia.org/wiki/Perl
+	ProfileFrameTypePerl = ProfileFrameTypeKey.String("perl")
+	// [PHP]
+	//
+	// Stability: development
+	//
+	// [PHP]: https://wikipedia.org/wiki/PHP
+	ProfileFrameTypePHP = ProfileFrameTypeKey.String("php")
+	// [Python]
+	//
+	// Stability: development
+	//
+	// [Python]: https://wikipedia.org/wiki/Python_(programming_language)
+	ProfileFrameTypeCpython = ProfileFrameTypeKey.String("cpython")
+	// [Ruby]
+	//
+	// Stability: development
+	//
+	// [Ruby]: https://wikipedia.org/wiki/Ruby_(programming_language)
+	ProfileFrameTypeRuby = ProfileFrameTypeKey.String("ruby")
+	// [V8JS]
+	//
+	// Stability: development
+	//
+	// [V8JS]: https://wikipedia.org/wiki/V8_(JavaScript_engine)
+	ProfileFrameTypeV8JS = ProfileFrameTypeKey.String("v8js")
+	// [Erlang]
+	//
+	// Stability: development
+	//
+	// [Erlang]: https://en.wikipedia.org/wiki/BEAM_(Erlang_virtual_machine)
+	ProfileFrameTypeBeam = ProfileFrameTypeKey.String("beam")
+	// [Go],
+	//
+	// Stability: development
+	//
+	// [Go]: https://wikipedia.org/wiki/Go_(programming_language)
+	ProfileFrameTypeGo = ProfileFrameTypeKey.String("go")
+	// [Rust]
+	//
+	// Stability: development
+	//
+	// [Rust]: https://wikipedia.org/wiki/Rust_(programming_language)
+	ProfileFrameTypeRust = ProfileFrameTypeKey.String("rust")
+)
+
+// Namespace: rpc
+const (
+	// RPCConnectRPCErrorCodeKey is the attribute Key conforming to the
+	// "rpc.connect_rpc.error_code" semantic conventions. It represents the
+	// [error codes] of the Connect request. Error codes are always string values.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	//
+	// [error codes]: https://connectrpc.com//docs/protocol/#error-codes
+	RPCConnectRPCErrorCodeKey = attribute.Key("rpc.connect_rpc.error_code")
+
+	// RPCGRPCStatusCodeKey is the attribute Key conforming to the
+	// "rpc.grpc.status_code" semantic conventions. It represents the
+	// [numeric status code] of the gRPC request.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	//
+	// [numeric status code]: https://github.com/grpc/grpc/blob/v1.33.2/doc/statuscodes.md
+	RPCGRPCStatusCodeKey = attribute.Key("rpc.grpc.status_code")
+
+	// RPCJSONRPCErrorCodeKey is the attribute Key conforming to the
+	// "rpc.jsonrpc.error_code" semantic conventions. It represents the `error.code`
+	//  property of response if it is an error response.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: -32700, 100
+	RPCJSONRPCErrorCodeKey = attribute.Key("rpc.jsonrpc.error_code")
+
+	// RPCJSONRPCErrorMessageKey is the attribute Key conforming to the
+	// "rpc.jsonrpc.error_message" semantic conventions. It represents the
+	// `error.message` property of response if it is an error response.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Parse error", "User already exists"
+	RPCJSONRPCErrorMessageKey = attribute.Key("rpc.jsonrpc.error_message")
+
+	// RPCJSONRPCRequestIDKey is the attribute Key conforming to the
+	// "rpc.jsonrpc.request_id" semantic conventions. It represents the `id`
+	// property of request or response. Since protocol allows id to be int, string,
+	// `null` or missing (for notifications), value is expected to be cast to string
+	// for simplicity. Use empty string in case of `null` value. Omit entirely if
+	// this is a notification.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "10", "request-7", ""
+	RPCJSONRPCRequestIDKey = attribute.Key("rpc.jsonrpc.request_id")
+
+	// RPCJSONRPCVersionKey is the attribute Key conforming to the
+	// "rpc.jsonrpc.version" semantic conventions. It represents the protocol
+	// version as in `jsonrpc` property of request/response. Since JSON-RPC 1.0
+	// doesn't specify this, the value can be omitted.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2.0", "1.0"
+	RPCJSONRPCVersionKey = attribute.Key("rpc.jsonrpc.version")
+
+	// RPCMessageCompressedSizeKey is the attribute Key conforming to the
+	// "rpc.message.compressed_size" semantic conventions. It represents the
+	// compressed size of the message in bytes.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	RPCMessageCompressedSizeKey = attribute.Key("rpc.message.compressed_size")
+
+	// RPCMessageIDKey is the attribute Key conforming to the "rpc.message.id"
+	// semantic conventions. It MUST be calculated as two different counters
+	// starting from `1` one for sent messages and one for received message..
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: This way we guarantee that the values will be consistent between
+	// different implementations.
+	RPCMessageIDKey = attribute.Key("rpc.message.id")
+
+	// RPCMessageTypeKey is the attribute Key conforming to the "rpc.message.type"
+	// semantic conventions. It represents the whether this is a received or sent
+	// message.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	RPCMessageTypeKey = attribute.Key("rpc.message.type")
+
+	// RPCMessageUncompressedSizeKey is the attribute Key conforming to the
+	// "rpc.message.uncompressed_size" semantic conventions. It represents the
+	// uncompressed size of the message in bytes.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	RPCMessageUncompressedSizeKey = attribute.Key("rpc.message.uncompressed_size")
+
+	// RPCMethodKey is the attribute Key conforming to the "rpc.method" semantic
+	// conventions. It represents the name of the (logical) method being called,
+	// must be equal to the $method part in the span name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: exampleMethod
+	// Note: This is the logical name of the method from the RPC interface
+	// perspective, which can be different from the name of any implementing
+	// method/function. The `code.function.name` attribute may be used to store the
+	// latter (e.g., method actually executing the call on the server side, RPC
+	// client stub method on the client side).
+	RPCMethodKey = attribute.Key("rpc.method")
+
+	// RPCServiceKey is the attribute Key conforming to the "rpc.service" semantic
+	// conventions. It represents the full (logical) name of the service being
+	// called, including its package name, if applicable.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: myservice.EchoService
+	// Note: This is the logical name of the service from the RPC interface
+	// perspective, which can be different from the name of any implementing class.
+	// The `code.namespace` attribute may be used to store the latter (despite the
+	// attribute name, it may include a class name; e.g., class with method actually
+	// executing the call on the server side, RPC client stub class on the client
+	// side).
+	RPCServiceKey = attribute.Key("rpc.service")
+
+	// RPCSystemKey is the attribute Key conforming to the "rpc.system" semantic
+	// conventions. It represents a string identifying the remoting system. See
+	// below for a list of well-known identifiers.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	RPCSystemKey = attribute.Key("rpc.system")
+)
+
+// RPCJSONRPCErrorCode returns an attribute KeyValue conforming to the
+// "rpc.jsonrpc.error_code" semantic conventions. It represents the `error.code`
+// property of response if it is an error response.
+func RPCJSONRPCErrorCode(val int) attribute.KeyValue {
+	return RPCJSONRPCErrorCodeKey.Int(val)
+}
+
+// RPCJSONRPCErrorMessage returns an attribute KeyValue conforming to the
+// "rpc.jsonrpc.error_message" semantic conventions. It represents the
+// `error.message` property of response if it is an error response.
+func RPCJSONRPCErrorMessage(val string) attribute.KeyValue {
+	return RPCJSONRPCErrorMessageKey.String(val)
+}
+
+// RPCJSONRPCRequestID returns an attribute KeyValue conforming to the
+// "rpc.jsonrpc.request_id" semantic conventions. It represents the `id` property
+// of request or response. Since protocol allows id to be int, string, `null` or
+// missing (for notifications), value is expected to be cast to string for
+// simplicity. Use empty string in case of `null` value. Omit entirely if this is
+// a notification.
+func RPCJSONRPCRequestID(val string) attribute.KeyValue {
+	return RPCJSONRPCRequestIDKey.String(val)
+}
+
+// RPCJSONRPCVersion returns an attribute KeyValue conforming to the
+// "rpc.jsonrpc.version" semantic conventions. It represents the protocol version
+// as in `jsonrpc` property of request/response. Since JSON-RPC 1.0 doesn't
+// specify this, the value can be omitted.
+func RPCJSONRPCVersion(val string) attribute.KeyValue {
+	return RPCJSONRPCVersionKey.String(val)
+}
+
+// RPCMessageCompressedSize returns an attribute KeyValue conforming to the
+// "rpc.message.compressed_size" semantic conventions. It represents the
+// compressed size of the message in bytes.
+func RPCMessageCompressedSize(val int) attribute.KeyValue {
+	return RPCMessageCompressedSizeKey.Int(val)
+}
+
+// RPCMessageID returns an attribute KeyValue conforming to the "rpc.message.id"
+// semantic conventions. It MUST be calculated as two different counters starting
+// from `1` one for sent messages and one for received message..
+func RPCMessageID(val int) attribute.KeyValue {
+	return RPCMessageIDKey.Int(val)
+}
+
+// RPCMessageUncompressedSize returns an attribute KeyValue conforming to the
+// "rpc.message.uncompressed_size" semantic conventions. It represents the
+// uncompressed size of the message in bytes.
+func RPCMessageUncompressedSize(val int) attribute.KeyValue {
+	return RPCMessageUncompressedSizeKey.Int(val)
+}
+
+// RPCMethod returns an attribute KeyValue conforming to the "rpc.method"
+// semantic conventions. It represents the name of the (logical) method being
+// called, must be equal to the $method part in the span name.
+func RPCMethod(val string) attribute.KeyValue {
+	return RPCMethodKey.String(val)
+}
+
+// RPCService returns an attribute KeyValue conforming to the "rpc.service"
+// semantic conventions. It represents the full (logical) name of the service
+// being called, including its package name, if applicable.
+func RPCService(val string) attribute.KeyValue {
+	return RPCServiceKey.String(val)
+}
+
+// Enum values for rpc.connect_rpc.error_code
+var (
+	// cancelled
+	// Stability: development
+	RPCConnectRPCErrorCodeCancelled = RPCConnectRPCErrorCodeKey.String("cancelled")
+	// unknown
+	// Stability: development
+	RPCConnectRPCErrorCodeUnknown = RPCConnectRPCErrorCodeKey.String("unknown")
+	// invalid_argument
+	// Stability: development
+	RPCConnectRPCErrorCodeInvalidArgument = RPCConnectRPCErrorCodeKey.String("invalid_argument")
+	// deadline_exceeded
+	// Stability: development
+	RPCConnectRPCErrorCodeDeadlineExceeded = RPCConnectRPCErrorCodeKey.String("deadline_exceeded")
+	// not_found
+	// Stability: development
+	RPCConnectRPCErrorCodeNotFound = RPCConnectRPCErrorCodeKey.String("not_found")
+	// already_exists
+	// Stability: development
+	RPCConnectRPCErrorCodeAlreadyExists = RPCConnectRPCErrorCodeKey.String("already_exists")
+	// permission_denied
+	// Stability: development
+	RPCConnectRPCErrorCodePermissionDenied = RPCConnectRPCErrorCodeKey.String("permission_denied")
+	// resource_exhausted
+	// Stability: development
+	RPCConnectRPCErrorCodeResourceExhausted = RPCConnectRPCErrorCodeKey.String("resource_exhausted")
+	// failed_precondition
+	// Stability: development
+	RPCConnectRPCErrorCodeFailedPrecondition = RPCConnectRPCErrorCodeKey.String("failed_precondition")
+	// aborted
+	// Stability: development
+	RPCConnectRPCErrorCodeAborted = RPCConnectRPCErrorCodeKey.String("aborted")
+	// out_of_range
+	// Stability: development
+	RPCConnectRPCErrorCodeOutOfRange = RPCConnectRPCErrorCodeKey.String("out_of_range")
+	// unimplemented
+	// Stability: development
+	RPCConnectRPCErrorCodeUnimplemented = RPCConnectRPCErrorCodeKey.String("unimplemented")
+	// internal
+	// Stability: development
+	RPCConnectRPCErrorCodeInternal = RPCConnectRPCErrorCodeKey.String("internal")
+	// unavailable
+	// Stability: development
+	RPCConnectRPCErrorCodeUnavailable = RPCConnectRPCErrorCodeKey.String("unavailable")
+	// data_loss
+	// Stability: development
+	RPCConnectRPCErrorCodeDataLoss = RPCConnectRPCErrorCodeKey.String("data_loss")
+	// unauthenticated
+	// Stability: development
+	RPCConnectRPCErrorCodeUnauthenticated = RPCConnectRPCErrorCodeKey.String("unauthenticated")
+)
+
+// Enum values for rpc.grpc.status_code
+var (
+	// OK
+	// Stability: development
+	RPCGRPCStatusCodeOk = RPCGRPCStatusCodeKey.Int(0)
+	// CANCELLED
+	// Stability: development
+	RPCGRPCStatusCodeCancelled = RPCGRPCStatusCodeKey.Int(1)
+	// UNKNOWN
+	// Stability: development
+	RPCGRPCStatusCodeUnknown = RPCGRPCStatusCodeKey.Int(2)
+	// INVALID_ARGUMENT
+	// Stability: development
+	RPCGRPCStatusCodeInvalidArgument = RPCGRPCStatusCodeKey.Int(3)
+	// DEADLINE_EXCEEDED
+	// Stability: development
+	RPCGRPCStatusCodeDeadlineExceeded = RPCGRPCStatusCodeKey.Int(4)
+	// NOT_FOUND
+	// Stability: development
+	RPCGRPCStatusCodeNotFound = RPCGRPCStatusCodeKey.Int(5)
+	// ALREADY_EXISTS
+	// Stability: development
+	RPCGRPCStatusCodeAlreadyExists = RPCGRPCStatusCodeKey.Int(6)
+	// PERMISSION_DENIED
+	// Stability: development
+	RPCGRPCStatusCodePermissionDenied = RPCGRPCStatusCodeKey.Int(7)
+	// RESOURCE_EXHAUSTED
+	// Stability: development
+	RPCGRPCStatusCodeResourceExhausted = RPCGRPCStatusCodeKey.Int(8)
+	// FAILED_PRECONDITION
+	// Stability: development
+	RPCGRPCStatusCodeFailedPrecondition = RPCGRPCStatusCodeKey.Int(9)
+	// ABORTED
+	// Stability: development
+	RPCGRPCStatusCodeAborted = RPCGRPCStatusCodeKey.Int(10)
+	// OUT_OF_RANGE
+	// Stability: development
+	RPCGRPCStatusCodeOutOfRange = RPCGRPCStatusCodeKey.Int(11)
+	// UNIMPLEMENTED
+	// Stability: development
+	RPCGRPCStatusCodeUnimplemented = RPCGRPCStatusCodeKey.Int(12)
+	// INTERNAL
+	// Stability: development
+	RPCGRPCStatusCodeInternal = RPCGRPCStatusCodeKey.Int(13)
+	// UNAVAILABLE
+	// Stability: development
+	RPCGRPCStatusCodeUnavailable = RPCGRPCStatusCodeKey.Int(14)
+	// DATA_LOSS
+	// Stability: development
+	RPCGRPCStatusCodeDataLoss = RPCGRPCStatusCodeKey.Int(15)
+	// UNAUTHENTICATED
+	// Stability: development
+	RPCGRPCStatusCodeUnauthenticated = RPCGRPCStatusCodeKey.Int(16)
+)
+
+// Enum values for rpc.message.type
+var (
+	// sent
+	// Stability: development
+	RPCMessageTypeSent = RPCMessageTypeKey.String("SENT")
+	// received
+	// Stability: development
+	RPCMessageTypeReceived = RPCMessageTypeKey.String("RECEIVED")
+)
+
+// Enum values for rpc.system
+var (
+	// gRPC
+	// Stability: development
+	RPCSystemGRPC = RPCSystemKey.String("grpc")
+	// Java RMI
+	// Stability: development
+	RPCSystemJavaRmi = RPCSystemKey.String("java_rmi")
+	// .NET WCF
+	// Stability: development
+	RPCSystemDotnetWcf = RPCSystemKey.String("dotnet_wcf")
+	// Apache Dubbo
+	// Stability: development
+	RPCSystemApacheDubbo = RPCSystemKey.String("apache_dubbo")
+	// Connect RPC
+	// Stability: development
+	RPCSystemConnectRPC = RPCSystemKey.String("connect_rpc")
+)
+
+// Namespace: security_rule
+const (
+	// SecurityRuleCategoryKey is the attribute Key conforming to the
+	// "security_rule.category" semantic conventions. It represents a categorization
+	// value keyword used by the entity using the rule for detection of this event.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Attempted Information Leak"
+	SecurityRuleCategoryKey = attribute.Key("security_rule.category")
+
+	// SecurityRuleDescriptionKey is the attribute Key conforming to the
+	// "security_rule.description" semantic conventions. It represents the
+	// description of the rule generating the event.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Block requests to public DNS over HTTPS / TLS protocols"
+	SecurityRuleDescriptionKey = attribute.Key("security_rule.description")
+
+	// SecurityRuleLicenseKey is the attribute Key conforming to the
+	// "security_rule.license" semantic conventions. It represents the name of the
+	// license under which the rule used to generate this event is made available.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Apache 2.0"
+	SecurityRuleLicenseKey = attribute.Key("security_rule.license")
+
+	// SecurityRuleNameKey is the attribute Key conforming to the
+	// "security_rule.name" semantic conventions. It represents the name of the rule
+	// or signature generating the event.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "BLOCK_DNS_over_TLS"
+	SecurityRuleNameKey = attribute.Key("security_rule.name")
+
+	// SecurityRuleReferenceKey is the attribute Key conforming to the
+	// "security_rule.reference" semantic conventions. It represents the reference
+	// URL to additional information about the rule used to generate this event.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "https://en.wikipedia.org/wiki/DNS_over_TLS"
+	// Note: The URL can point to the vendor’s documentation about the rule. If
+	// that’s not available, it can also be a link to a more general page
+	// describing this type of alert.
+	SecurityRuleReferenceKey = attribute.Key("security_rule.reference")
+
+	// SecurityRuleRulesetNameKey is the attribute Key conforming to the
+	// "security_rule.ruleset.name" semantic conventions. It represents the name of
+	// the ruleset, policy, group, or parent category in which the rule used to
+	// generate this event is a member.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Standard_Protocol_Filters"
+	SecurityRuleRulesetNameKey = attribute.Key("security_rule.ruleset.name")
+
+	// SecurityRuleUUIDKey is the attribute Key conforming to the
+	// "security_rule.uuid" semantic conventions. It represents a rule ID that is
+	// unique within the scope of a set or group of agents, observers, or other
+	// entities using the rule for detection of this event.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "550e8400-e29b-41d4-a716-446655440000", "1100110011"
+	SecurityRuleUUIDKey = attribute.Key("security_rule.uuid")
+
+	// SecurityRuleVersionKey is the attribute Key conforming to the
+	// "security_rule.version" semantic conventions. It represents the version /
+	// revision of the rule being used for analysis.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1.0.0"
+	SecurityRuleVersionKey = attribute.Key("security_rule.version")
+)
+
+// SecurityRuleCategory returns an attribute KeyValue conforming to the
+// "security_rule.category" semantic conventions. It represents a categorization
+// value keyword used by the entity using the rule for detection of this event.
+func SecurityRuleCategory(val string) attribute.KeyValue {
+	return SecurityRuleCategoryKey.String(val)
+}
+
+// SecurityRuleDescription returns an attribute KeyValue conforming to the
+// "security_rule.description" semantic conventions. It represents the
+// description of the rule generating the event.
+func SecurityRuleDescription(val string) attribute.KeyValue {
+	return SecurityRuleDescriptionKey.String(val)
+}
+
+// SecurityRuleLicense returns an attribute KeyValue conforming to the
+// "security_rule.license" semantic conventions. It represents the name of the
+// license under which the rule used to generate this event is made available.
+func SecurityRuleLicense(val string) attribute.KeyValue {
+	return SecurityRuleLicenseKey.String(val)
+}
+
+// SecurityRuleName returns an attribute KeyValue conforming to the
+// "security_rule.name" semantic conventions. It represents the name of the rule
+// or signature generating the event.
+func SecurityRuleName(val string) attribute.KeyValue {
+	return SecurityRuleNameKey.String(val)
+}
+
+// SecurityRuleReference returns an attribute KeyValue conforming to the
+// "security_rule.reference" semantic conventions. It represents the reference
+// URL to additional information about the rule used to generate this event.
+func SecurityRuleReference(val string) attribute.KeyValue {
+	return SecurityRuleReferenceKey.String(val)
+}
+
+// SecurityRuleRulesetName returns an attribute KeyValue conforming to the
+// "security_rule.ruleset.name" semantic conventions. It represents the name of
+// the ruleset, policy, group, or parent category in which the rule used to
+// generate this event is a member.
+func SecurityRuleRulesetName(val string) attribute.KeyValue {
+	return SecurityRuleRulesetNameKey.String(val)
+}
+
+// SecurityRuleUUID returns an attribute KeyValue conforming to the
+// "security_rule.uuid" semantic conventions. It represents a rule ID that is
+// unique within the scope of a set or group of agents, observers, or other
+// entities using the rule for detection of this event.
+func SecurityRuleUUID(val string) attribute.KeyValue {
+	return SecurityRuleUUIDKey.String(val)
+}
+
+// SecurityRuleVersion returns an attribute KeyValue conforming to the
+// "security_rule.version" semantic conventions. It represents the version /
+// revision of the rule being used for analysis.
+func SecurityRuleVersion(val string) attribute.KeyValue {
+	return SecurityRuleVersionKey.String(val)
+}
+
+// Namespace: server
+const (
+	// ServerAddressKey is the attribute Key conforming to the "server.address"
+	// semantic conventions. It represents the server domain name if available
+	// without reverse DNS lookup; otherwise, IP address or Unix domain socket name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "example.com", "10.1.2.80", "/tmp/my.sock"
+	// Note: When observed from the client side, and when communicating through an
+	// intermediary, `server.address` SHOULD represent the server address behind any
+	// intermediaries, for example proxies, if it's available.
+	ServerAddressKey = attribute.Key("server.address")
+
+	// ServerPortKey is the attribute Key conforming to the "server.port" semantic
+	// conventions. It represents the server port number.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: 80, 8080, 443
+	// Note: When observed from the client side, and when communicating through an
+	// intermediary, `server.port` SHOULD represent the server port behind any
+	// intermediaries, for example proxies, if it's available.
+	ServerPortKey = attribute.Key("server.port")
+)
+
+// ServerAddress returns an attribute KeyValue conforming to the "server.address"
+// semantic conventions. It represents the server domain name if available
+// without reverse DNS lookup; otherwise, IP address or Unix domain socket name.
+func ServerAddress(val string) attribute.KeyValue {
+	return ServerAddressKey.String(val)
+}
+
+// ServerPort returns an attribute KeyValue conforming to the "server.port"
+// semantic conventions. It represents the server port number.
+func ServerPort(val int) attribute.KeyValue {
+	return ServerPortKey.Int(val)
+}
+
+// Namespace: service
+const (
+	// ServiceInstanceIDKey is the attribute Key conforming to the
+	// "service.instance.id" semantic conventions. It represents the string ID of
+	// the service instance.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "627cc493-f310-47de-96bd-71410b7dec09"
+	// Note: MUST be unique for each instance of the same
+	// `service.namespace,service.name` pair (in other words
+	// `service.namespace,service.name,service.instance.id` triplet MUST be globally
+	// unique). The ID helps to
+	// distinguish instances of the same service that exist at the same time (e.g.
+	// instances of a horizontally scaled
+	// service).
+	//
+	// Implementations, such as SDKs, are recommended to generate a random Version 1
+	// or Version 4 [RFC
+	// 4122] UUID, but are free to use an inherent unique ID as
+	// the source of
+	// this value if stability is desirable. In that case, the ID SHOULD be used as
+	// source of a UUID Version 5 and
+	// SHOULD use the following UUID as the namespace:
+	// `4d63009a-8d0f-11ee-aad7-4c796ed8e320`.
+	//
+	// UUIDs are typically recommended, as only an opaque value for the purposes of
+	// identifying a service instance is
+	// needed. Similar to what can be seen in the man page for the
+	// [`/etc/machine-id`] file, the underlying
+	// data, such as pod name and namespace should be treated as confidential, being
+	// the user's choice to expose it
+	// or not via another resource attribute.
+	//
+	// For applications running behind an application server (like unicorn), we do
+	// not recommend using one identifier
+	// for all processes participating in the application. Instead, it's recommended
+	// each division (e.g. a worker
+	// thread in unicorn) to have its own instance.id.
+	//
+	// It's not recommended for a Collector to set `service.instance.id` if it can't
+	// unambiguously determine the
+	// service instance that is generating that telemetry. For instance, creating an
+	// UUID based on `pod.name` will
+	// likely be wrong, as the Collector might not know from which container within
+	// that pod the telemetry originated.
+	// However, Collectors can set the `service.instance.id` if they can
+	// unambiguously determine the service instance
+	// for that telemetry. This is typically the case for scraping receivers, as
+	// they know the target address and
+	// port.
+	//
+	// [RFC
+	// 4122]: https://www.ietf.org/rfc/rfc4122.txt
+	// [`/etc/machine-id`]: https://www.freedesktop.org/software/systemd/man/latest/machine-id.html
+	ServiceInstanceIDKey = attribute.Key("service.instance.id")
+
+	// ServiceNameKey is the attribute Key conforming to the "service.name" semantic
+	// conventions. It represents the logical name of the service.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "shoppingcart"
+	// Note: MUST be the same for all instances of horizontally scaled services. If
+	// the value was not specified, SDKs MUST fallback to `unknown_service:`
+	// concatenated with [`process.executable.name`], e.g. `unknown_service:bash`.
+	// If `process.executable.name` is not available, the value MUST be set to
+	// `unknown_service`.
+	//
+	// [`process.executable.name`]: process.md
+	ServiceNameKey = attribute.Key("service.name")
+
+	// ServiceNamespaceKey is the attribute Key conforming to the
+	// "service.namespace" semantic conventions. It represents a namespace for
+	// `service.name`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Shop"
+	// Note: A string value having a meaning that helps to distinguish a group of
+	// services, for example the team name that owns a group of services.
+	// `service.name` is expected to be unique within the same namespace. If
+	// `service.namespace` is not specified in the Resource then `service.name` is
+	// expected to be unique for all services that have no explicit namespace
+	// defined (so the empty/unspecified namespace is simply one more valid
+	// namespace). Zero-length namespace string is assumed equal to unspecified
+	// namespace.
+	ServiceNamespaceKey = attribute.Key("service.namespace")
+
+	// ServiceVersionKey is the attribute Key conforming to the "service.version"
+	// semantic conventions. It represents the version string of the service API or
+	// implementation. The format is not defined by these conventions.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "2.0.0", "a01dbef8a"
+	ServiceVersionKey = attribute.Key("service.version")
+)
+
+// ServiceInstanceID returns an attribute KeyValue conforming to the
+// "service.instance.id" semantic conventions. It represents the string ID of the
+// service instance.
+func ServiceInstanceID(val string) attribute.KeyValue {
+	return ServiceInstanceIDKey.String(val)
+}
+
+// ServiceName returns an attribute KeyValue conforming to the "service.name"
+// semantic conventions. It represents the logical name of the service.
+func ServiceName(val string) attribute.KeyValue {
+	return ServiceNameKey.String(val)
+}
+
+// ServiceNamespace returns an attribute KeyValue conforming to the
+// "service.namespace" semantic conventions. It represents a namespace for
+// `service.name`.
+func ServiceNamespace(val string) attribute.KeyValue {
+	return ServiceNamespaceKey.String(val)
+}
+
+// ServiceVersion returns an attribute KeyValue conforming to the
+// "service.version" semantic conventions. It represents the version string of
+// the service API or implementation. The format is not defined by these
+// conventions.
+func ServiceVersion(val string) attribute.KeyValue {
+	return ServiceVersionKey.String(val)
+}
+
+// Namespace: session
+const (
+	// SessionIDKey is the attribute Key conforming to the "session.id" semantic
+	// conventions. It represents a unique id to identify a session.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 00112233-4455-6677-8899-aabbccddeeff
+	SessionIDKey = attribute.Key("session.id")
+
+	// SessionPreviousIDKey is the attribute Key conforming to the
+	// "session.previous_id" semantic conventions. It represents the previous
+	// `session.id` for this user, when known.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 00112233-4455-6677-8899-aabbccddeeff
+	SessionPreviousIDKey = attribute.Key("session.previous_id")
+)
+
+// SessionID returns an attribute KeyValue conforming to the "session.id"
+// semantic conventions. It represents a unique id to identify a session.
+func SessionID(val string) attribute.KeyValue {
+	return SessionIDKey.String(val)
+}
+
+// SessionPreviousID returns an attribute KeyValue conforming to the
+// "session.previous_id" semantic conventions. It represents the previous
+// `session.id` for this user, when known.
+func SessionPreviousID(val string) attribute.KeyValue {
+	return SessionPreviousIDKey.String(val)
+}
+
+// Namespace: signalr
+const (
+	// SignalRConnectionStatusKey is the attribute Key conforming to the
+	// "signalr.connection.status" semantic conventions. It represents the signalR
+	// HTTP connection closure status.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "app_shutdown", "timeout"
+	SignalRConnectionStatusKey = attribute.Key("signalr.connection.status")
+
+	// SignalRTransportKey is the attribute Key conforming to the
+	// "signalr.transport" semantic conventions. It represents the
+	// [SignalR transport type].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "web_sockets", "long_polling"
+	//
+	// [SignalR transport type]: https://github.com/dotnet/aspnetcore/blob/main/src/SignalR/docs/specs/TransportProtocols.md
+	SignalRTransportKey = attribute.Key("signalr.transport")
+)
+
+// Enum values for signalr.connection.status
+var (
+	// The connection was closed normally.
+	// Stability: stable
+	SignalRConnectionStatusNormalClosure = SignalRConnectionStatusKey.String("normal_closure")
+	// The connection was closed due to a timeout.
+	// Stability: stable
+	SignalRConnectionStatusTimeout = SignalRConnectionStatusKey.String("timeout")
+	// The connection was closed because the app is shutting down.
+	// Stability: stable
+	SignalRConnectionStatusAppShutdown = SignalRConnectionStatusKey.String("app_shutdown")
+)
+
+// Enum values for signalr.transport
+var (
+	// ServerSentEvents protocol
+	// Stability: stable
+	SignalRTransportServerSentEvents = SignalRTransportKey.String("server_sent_events")
+	// LongPolling protocol
+	// Stability: stable
+	SignalRTransportLongPolling = SignalRTransportKey.String("long_polling")
+	// WebSockets protocol
+	// Stability: stable
+	SignalRTransportWebSockets = SignalRTransportKey.String("web_sockets")
+)
+
+// Namespace: source
+const (
+	// SourceAddressKey is the attribute Key conforming to the "source.address"
+	// semantic conventions. It represents the source address - domain name if
+	// available without reverse DNS lookup; otherwise, IP address or Unix domain
+	// socket name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "source.example.com", "10.1.2.80", "/tmp/my.sock"
+	// Note: When observed from the destination side, and when communicating through
+	// an intermediary, `source.address` SHOULD represent the source address behind
+	// any intermediaries, for example proxies, if it's available.
+	SourceAddressKey = attribute.Key("source.address")
+
+	// SourcePortKey is the attribute Key conforming to the "source.port" semantic
+	// conventions. It represents the source port number.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 3389, 2888
+	SourcePortKey = attribute.Key("source.port")
+)
+
+// SourceAddress returns an attribute KeyValue conforming to the "source.address"
+// semantic conventions. It represents the source address - domain name if
+// available without reverse DNS lookup; otherwise, IP address or Unix domain
+// socket name.
+func SourceAddress(val string) attribute.KeyValue {
+	return SourceAddressKey.String(val)
+}
+
+// SourcePort returns an attribute KeyValue conforming to the "source.port"
+// semantic conventions. It represents the source port number.
+func SourcePort(val int) attribute.KeyValue {
+	return SourcePortKey.Int(val)
+}
+
+// Namespace: system
+const (
+	// SystemCPULogicalNumberKey is the attribute Key conforming to the
+	// "system.cpu.logical_number" semantic conventions. It represents the
+	// deprecated, use `cpu.logical_number` instead.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1
+	SystemCPULogicalNumberKey = attribute.Key("system.cpu.logical_number")
+
+	// SystemDeviceKey is the attribute Key conforming to the "system.device"
+	// semantic conventions. It represents the device identifier.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "(identifier)"
+	SystemDeviceKey = attribute.Key("system.device")
+
+	// SystemFilesystemModeKey is the attribute Key conforming to the
+	// "system.filesystem.mode" semantic conventions. It represents the filesystem
+	// mode.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "rw, ro"
+	SystemFilesystemModeKey = attribute.Key("system.filesystem.mode")
+
+	// SystemFilesystemMountpointKey is the attribute Key conforming to the
+	// "system.filesystem.mountpoint" semantic conventions. It represents the
+	// filesystem mount path.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/mnt/data"
+	SystemFilesystemMountpointKey = attribute.Key("system.filesystem.mountpoint")
+
+	// SystemFilesystemStateKey is the attribute Key conforming to the
+	// "system.filesystem.state" semantic conventions. It represents the filesystem
+	// state.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "used"
+	SystemFilesystemStateKey = attribute.Key("system.filesystem.state")
+
+	// SystemFilesystemTypeKey is the attribute Key conforming to the
+	// "system.filesystem.type" semantic conventions. It represents the filesystem
+	// type.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "ext4"
+	SystemFilesystemTypeKey = attribute.Key("system.filesystem.type")
+
+	// SystemMemoryStateKey is the attribute Key conforming to the
+	// "system.memory.state" semantic conventions. It represents the memory state.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "free", "cached"
+	SystemMemoryStateKey = attribute.Key("system.memory.state")
+
+	// SystemPagingDirectionKey is the attribute Key conforming to the
+	// "system.paging.direction" semantic conventions. It represents the paging
+	// access direction.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "in"
+	SystemPagingDirectionKey = attribute.Key("system.paging.direction")
+
+	// SystemPagingStateKey is the attribute Key conforming to the
+	// "system.paging.state" semantic conventions. It represents the memory paging
+	// state.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "free"
+	SystemPagingStateKey = attribute.Key("system.paging.state")
+
+	// SystemPagingTypeKey is the attribute Key conforming to the
+	// "system.paging.type" semantic conventions. It represents the memory paging
+	// type.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "minor"
+	SystemPagingTypeKey = attribute.Key("system.paging.type")
+
+	// SystemProcessStatusKey is the attribute Key conforming to the
+	// "system.process.status" semantic conventions. It represents the process
+	// state, e.g., [Linux Process State Codes].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "running"
+	//
+	// [Linux Process State Codes]: https://man7.org/linux/man-pages/man1/ps.1.html#PROCESS_STATE_CODES
+	SystemProcessStatusKey = attribute.Key("system.process.status")
+)
+
+// SystemCPULogicalNumber returns an attribute KeyValue conforming to the
+// "system.cpu.logical_number" semantic conventions. It represents the
+// deprecated, use `cpu.logical_number` instead.
+func SystemCPULogicalNumber(val int) attribute.KeyValue {
+	return SystemCPULogicalNumberKey.Int(val)
+}
+
+// SystemDevice returns an attribute KeyValue conforming to the "system.device"
+// semantic conventions. It represents the device identifier.
+func SystemDevice(val string) attribute.KeyValue {
+	return SystemDeviceKey.String(val)
+}
+
+// SystemFilesystemMode returns an attribute KeyValue conforming to the
+// "system.filesystem.mode" semantic conventions. It represents the filesystem
+// mode.
+func SystemFilesystemMode(val string) attribute.KeyValue {
+	return SystemFilesystemModeKey.String(val)
+}
+
+// SystemFilesystemMountpoint returns an attribute KeyValue conforming to the
+// "system.filesystem.mountpoint" semantic conventions. It represents the
+// filesystem mount path.
+func SystemFilesystemMountpoint(val string) attribute.KeyValue {
+	return SystemFilesystemMountpointKey.String(val)
+}
+
+// Enum values for system.filesystem.state
+var (
+	// used
+	// Stability: development
+	SystemFilesystemStateUsed = SystemFilesystemStateKey.String("used")
+	// free
+	// Stability: development
+	SystemFilesystemStateFree = SystemFilesystemStateKey.String("free")
+	// reserved
+	// Stability: development
+	SystemFilesystemStateReserved = SystemFilesystemStateKey.String("reserved")
+)
+
+// Enum values for system.filesystem.type
+var (
+	// fat32
+	// Stability: development
+	SystemFilesystemTypeFat32 = SystemFilesystemTypeKey.String("fat32")
+	// exfat
+	// Stability: development
+	SystemFilesystemTypeExfat = SystemFilesystemTypeKey.String("exfat")
+	// ntfs
+	// Stability: development
+	SystemFilesystemTypeNtfs = SystemFilesystemTypeKey.String("ntfs")
+	// refs
+	// Stability: development
+	SystemFilesystemTypeRefs = SystemFilesystemTypeKey.String("refs")
+	// hfsplus
+	// Stability: development
+	SystemFilesystemTypeHfsplus = SystemFilesystemTypeKey.String("hfsplus")
+	// ext4
+	// Stability: development
+	SystemFilesystemTypeExt4 = SystemFilesystemTypeKey.String("ext4")
+)
+
+// Enum values for system.memory.state
+var (
+	// used
+	// Stability: development
+	SystemMemoryStateUsed = SystemMemoryStateKey.String("used")
+	// free
+	// Stability: development
+	SystemMemoryStateFree = SystemMemoryStateKey.String("free")
+	// Deprecated: Removed, report shared memory usage with
+	// `metric.system.memory.shared` metric.
+	SystemMemoryStateShared = SystemMemoryStateKey.String("shared")
+	// buffers
+	// Stability: development
+	SystemMemoryStateBuffers = SystemMemoryStateKey.String("buffers")
+	// cached
+	// Stability: development
+	SystemMemoryStateCached = SystemMemoryStateKey.String("cached")
+)
+
+// Enum values for system.paging.direction
+var (
+	// in
+	// Stability: development
+	SystemPagingDirectionIn = SystemPagingDirectionKey.String("in")
+	// out
+	// Stability: development
+	SystemPagingDirectionOut = SystemPagingDirectionKey.String("out")
+)
+
+// Enum values for system.paging.state
+var (
+	// used
+	// Stability: development
+	SystemPagingStateUsed = SystemPagingStateKey.String("used")
+	// free
+	// Stability: development
+	SystemPagingStateFree = SystemPagingStateKey.String("free")
+)
+
+// Enum values for system.paging.type
+var (
+	// major
+	// Stability: development
+	SystemPagingTypeMajor = SystemPagingTypeKey.String("major")
+	// minor
+	// Stability: development
+	SystemPagingTypeMinor = SystemPagingTypeKey.String("minor")
+)
+
+// Enum values for system.process.status
+var (
+	// running
+	// Stability: development
+	SystemProcessStatusRunning = SystemProcessStatusKey.String("running")
+	// sleeping
+	// Stability: development
+	SystemProcessStatusSleeping = SystemProcessStatusKey.String("sleeping")
+	// stopped
+	// Stability: development
+	SystemProcessStatusStopped = SystemProcessStatusKey.String("stopped")
+	// defunct
+	// Stability: development
+	SystemProcessStatusDefunct = SystemProcessStatusKey.String("defunct")
+)
+
+// Namespace: telemetry
+const (
+	// TelemetryDistroNameKey is the attribute Key conforming to the
+	// "telemetry.distro.name" semantic conventions. It represents the name of the
+	// auto instrumentation agent or distribution, if used.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "parts-unlimited-java"
+	// Note: Official auto instrumentation agents and distributions SHOULD set the
+	// `telemetry.distro.name` attribute to
+	// a string starting with `opentelemetry-`, e.g.
+	// `opentelemetry-java-instrumentation`.
+	TelemetryDistroNameKey = attribute.Key("telemetry.distro.name")
+
+	// TelemetryDistroVersionKey is the attribute Key conforming to the
+	// "telemetry.distro.version" semantic conventions. It represents the version
+	// string of the auto instrumentation agent or distribution, if used.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1.2.3"
+	TelemetryDistroVersionKey = attribute.Key("telemetry.distro.version")
+
+	// TelemetrySDKLanguageKey is the attribute Key conforming to the
+	// "telemetry.sdk.language" semantic conventions. It represents the language of
+	// the telemetry SDK.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples:
+	TelemetrySDKLanguageKey = attribute.Key("telemetry.sdk.language")
+
+	// TelemetrySDKNameKey is the attribute Key conforming to the
+	// "telemetry.sdk.name" semantic conventions. It represents the name of the
+	// telemetry SDK as defined above.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "opentelemetry"
+	// Note: The OpenTelemetry SDK MUST set the `telemetry.sdk.name` attribute to
+	// `opentelemetry`.
+	// If another SDK, like a fork or a vendor-provided implementation, is used,
+	// this SDK MUST set the
+	// `telemetry.sdk.name` attribute to the fully-qualified class or module name of
+	// this SDK's main entry point
+	// or another suitable identifier depending on the language.
+	// The identifier `opentelemetry` is reserved and MUST NOT be used in this case.
+	// All custom identifiers SHOULD be stable across different versions of an
+	// implementation.
+	TelemetrySDKNameKey = attribute.Key("telemetry.sdk.name")
+
+	// TelemetrySDKVersionKey is the attribute Key conforming to the
+	// "telemetry.sdk.version" semantic conventions. It represents the version
+	// string of the telemetry SDK.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "1.2.3"
+	TelemetrySDKVersionKey = attribute.Key("telemetry.sdk.version")
+)
+
+// TelemetryDistroName returns an attribute KeyValue conforming to the
+// "telemetry.distro.name" semantic conventions. It represents the name of the
+// auto instrumentation agent or distribution, if used.
+func TelemetryDistroName(val string) attribute.KeyValue {
+	return TelemetryDistroNameKey.String(val)
+}
+
+// TelemetryDistroVersion returns an attribute KeyValue conforming to the
+// "telemetry.distro.version" semantic conventions. It represents the version
+// string of the auto instrumentation agent or distribution, if used.
+func TelemetryDistroVersion(val string) attribute.KeyValue {
+	return TelemetryDistroVersionKey.String(val)
+}
+
+// TelemetrySDKName returns an attribute KeyValue conforming to the
+// "telemetry.sdk.name" semantic conventions. It represents the name of the
+// telemetry SDK as defined above.
+func TelemetrySDKName(val string) attribute.KeyValue {
+	return TelemetrySDKNameKey.String(val)
+}
+
+// TelemetrySDKVersion returns an attribute KeyValue conforming to the
+// "telemetry.sdk.version" semantic conventions. It represents the version string
+// of the telemetry SDK.
+func TelemetrySDKVersion(val string) attribute.KeyValue {
+	return TelemetrySDKVersionKey.String(val)
+}
+
+// Enum values for telemetry.sdk.language
+var (
+	// cpp
+	// Stability: stable
+	TelemetrySDKLanguageCPP = TelemetrySDKLanguageKey.String("cpp")
+	// dotnet
+	// Stability: stable
+	TelemetrySDKLanguageDotnet = TelemetrySDKLanguageKey.String("dotnet")
+	// erlang
+	// Stability: stable
+	TelemetrySDKLanguageErlang = TelemetrySDKLanguageKey.String("erlang")
+	// go
+	// Stability: stable
+	TelemetrySDKLanguageGo = TelemetrySDKLanguageKey.String("go")
+	// java
+	// Stability: stable
+	TelemetrySDKLanguageJava = TelemetrySDKLanguageKey.String("java")
+	// nodejs
+	// Stability: stable
+	TelemetrySDKLanguageNodejs = TelemetrySDKLanguageKey.String("nodejs")
+	// php
+	// Stability: stable
+	TelemetrySDKLanguagePHP = TelemetrySDKLanguageKey.String("php")
+	// python
+	// Stability: stable
+	TelemetrySDKLanguagePython = TelemetrySDKLanguageKey.String("python")
+	// ruby
+	// Stability: stable
+	TelemetrySDKLanguageRuby = TelemetrySDKLanguageKey.String("ruby")
+	// rust
+	// Stability: stable
+	TelemetrySDKLanguageRust = TelemetrySDKLanguageKey.String("rust")
+	// swift
+	// Stability: stable
+	TelemetrySDKLanguageSwift = TelemetrySDKLanguageKey.String("swift")
+	// webjs
+	// Stability: stable
+	TelemetrySDKLanguageWebJS = TelemetrySDKLanguageKey.String("webjs")
+)
+
+// Namespace: test
+const (
+	// TestCaseNameKey is the attribute Key conforming to the "test.case.name"
+	// semantic conventions. It represents the fully qualified human readable name
+	// of the [test case].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "org.example.TestCase1.test1", "example/tests/TestCase1.test1",
+	// "ExampleTestCase1_test1"
+	//
+	// [test case]: https://wikipedia.org/wiki/Test_case
+	TestCaseNameKey = attribute.Key("test.case.name")
+
+	// TestCaseResultStatusKey is the attribute Key conforming to the
+	// "test.case.result.status" semantic conventions. It represents the status of
+	// the actual test case result from test execution.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "pass", "fail"
+	TestCaseResultStatusKey = attribute.Key("test.case.result.status")
+
+	// TestSuiteNameKey is the attribute Key conforming to the "test.suite.name"
+	// semantic conventions. It represents the human readable name of a [test suite]
+	// .
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "TestSuite1"
+	//
+	// [test suite]: https://wikipedia.org/wiki/Test_suite
+	TestSuiteNameKey = attribute.Key("test.suite.name")
+
+	// TestSuiteRunStatusKey is the attribute Key conforming to the
+	// "test.suite.run.status" semantic conventions. It represents the status of the
+	// test suite run.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "success", "failure", "skipped", "aborted", "timed_out",
+	// "in_progress"
+	TestSuiteRunStatusKey = attribute.Key("test.suite.run.status")
+)
+
+// TestCaseName returns an attribute KeyValue conforming to the "test.case.name"
+// semantic conventions. It represents the fully qualified human readable name of
+// the [test case].
+//
+// [test case]: https://wikipedia.org/wiki/Test_case
+func TestCaseName(val string) attribute.KeyValue {
+	return TestCaseNameKey.String(val)
+}
+
+// TestSuiteName returns an attribute KeyValue conforming to the
+// "test.suite.name" semantic conventions. It represents the human readable name
+// of a [test suite].
+//
+// [test suite]: https://wikipedia.org/wiki/Test_suite
+func TestSuiteName(val string) attribute.KeyValue {
+	return TestSuiteNameKey.String(val)
+}
+
+// Enum values for test.case.result.status
+var (
+	// pass
+	// Stability: development
+	TestCaseResultStatusPass = TestCaseResultStatusKey.String("pass")
+	// fail
+	// Stability: development
+	TestCaseResultStatusFail = TestCaseResultStatusKey.String("fail")
+)
+
+// Enum values for test.suite.run.status
+var (
+	// success
+	// Stability: development
+	TestSuiteRunStatusSuccess = TestSuiteRunStatusKey.String("success")
+	// failure
+	// Stability: development
+	TestSuiteRunStatusFailure = TestSuiteRunStatusKey.String("failure")
+	// skipped
+	// Stability: development
+	TestSuiteRunStatusSkipped = TestSuiteRunStatusKey.String("skipped")
+	// aborted
+	// Stability: development
+	TestSuiteRunStatusAborted = TestSuiteRunStatusKey.String("aborted")
+	// timed_out
+	// Stability: development
+	TestSuiteRunStatusTimedOut = TestSuiteRunStatusKey.String("timed_out")
+	// in_progress
+	// Stability: development
+	TestSuiteRunStatusInProgress = TestSuiteRunStatusKey.String("in_progress")
+)
+
+// Namespace: thread
+const (
+	// ThreadIDKey is the attribute Key conforming to the "thread.id" semantic
+	// conventions. It represents the current "managed" thread ID (as opposed to OS
+	// thread ID).
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	ThreadIDKey = attribute.Key("thread.id")
+
+	// ThreadNameKey is the attribute Key conforming to the "thread.name" semantic
+	// conventions. It represents the current thread name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: main
+	ThreadNameKey = attribute.Key("thread.name")
+)
+
+// ThreadID returns an attribute KeyValue conforming to the "thread.id" semantic
+// conventions. It represents the current "managed" thread ID (as opposed to OS
+// thread ID).
+func ThreadID(val int) attribute.KeyValue {
+	return ThreadIDKey.Int(val)
+}
+
+// ThreadName returns an attribute KeyValue conforming to the "thread.name"
+// semantic conventions. It represents the current thread name.
+func ThreadName(val string) attribute.KeyValue {
+	return ThreadNameKey.String(val)
+}
+
+// Namespace: tls
+const (
+	// TLSCipherKey is the attribute Key conforming to the "tls.cipher" semantic
+	// conventions. It represents the string indicating the [cipher] used during the
+	// current connection.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+	// "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+	// Note: The values allowed for `tls.cipher` MUST be one of the `Descriptions`
+	// of the [registered TLS Cipher Suits].
+	//
+	// [cipher]: https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5
+	// [registered TLS Cipher Suits]: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#table-tls-parameters-4
+	TLSCipherKey = attribute.Key("tls.cipher")
+
+	// TLSClientCertificateKey is the attribute Key conforming to the
+	// "tls.client.certificate" semantic conventions. It represents the PEM-encoded
+	// stand-alone certificate offered by the client. This is usually
+	// mutually-exclusive of `client.certificate_chain` since this value also exists
+	// in that list.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "MII..."
+	TLSClientCertificateKey = attribute.Key("tls.client.certificate")
+
+	// TLSClientCertificateChainKey is the attribute Key conforming to the
+	// "tls.client.certificate_chain" semantic conventions. It represents the array
+	// of PEM-encoded certificates that make up the certificate chain offered by the
+	// client. This is usually mutually-exclusive of `client.certificate` since that
+	// value should be the first certificate in the chain.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "MII...", "MI..."
+	TLSClientCertificateChainKey = attribute.Key("tls.client.certificate_chain")
+
+	// TLSClientHashMd5Key is the attribute Key conforming to the
+	// "tls.client.hash.md5" semantic conventions. It represents the certificate
+	// fingerprint using the MD5 digest of DER-encoded version of certificate
+	// offered by the client. For consistency with other hash values, this value
+	// should be formatted as an uppercase hash.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC"
+	TLSClientHashMd5Key = attribute.Key("tls.client.hash.md5")
+
+	// TLSClientHashSha1Key is the attribute Key conforming to the
+	// "tls.client.hash.sha1" semantic conventions. It represents the certificate
+	// fingerprint using the SHA1 digest of DER-encoded version of certificate
+	// offered by the client. For consistency with other hash values, this value
+	// should be formatted as an uppercase hash.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "9E393D93138888D288266C2D915214D1D1CCEB2A"
+	TLSClientHashSha1Key = attribute.Key("tls.client.hash.sha1")
+
+	// TLSClientHashSha256Key is the attribute Key conforming to the
+	// "tls.client.hash.sha256" semantic conventions. It represents the certificate
+	// fingerprint using the SHA256 digest of DER-encoded version of certificate
+	// offered by the client. For consistency with other hash values, this value
+	// should be formatted as an uppercase hash.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"
+	TLSClientHashSha256Key = attribute.Key("tls.client.hash.sha256")
+
+	// TLSClientIssuerKey is the attribute Key conforming to the "tls.client.issuer"
+	// semantic conventions. It represents the distinguished name of [subject] of
+	// the issuer of the x.509 certificate presented by the client.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
+	//
+	// [subject]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	TLSClientIssuerKey = attribute.Key("tls.client.issuer")
+
+	// TLSClientJa3Key is the attribute Key conforming to the "tls.client.ja3"
+	// semantic conventions. It represents a hash that identifies clients based on
+	// how they perform an SSL/TLS handshake.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "d4e5b18d6b55c71272893221c96ba240"
+	TLSClientJa3Key = attribute.Key("tls.client.ja3")
+
+	// TLSClientNotAfterKey is the attribute Key conforming to the
+	// "tls.client.not_after" semantic conventions. It represents the date/Time
+	// indicating when client certificate is no longer considered valid.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2021-01-01T00:00:00.000Z"
+	TLSClientNotAfterKey = attribute.Key("tls.client.not_after")
+
+	// TLSClientNotBeforeKey is the attribute Key conforming to the
+	// "tls.client.not_before" semantic conventions. It represents the date/Time
+	// indicating when client certificate is first considered valid.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1970-01-01T00:00:00.000Z"
+	TLSClientNotBeforeKey = attribute.Key("tls.client.not_before")
+
+	// TLSClientSubjectKey is the attribute Key conforming to the
+	// "tls.client.subject" semantic conventions. It represents the distinguished
+	// name of subject of the x.509 certificate presented by the client.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "CN=myclient, OU=Documentation Team, DC=example, DC=com"
+	TLSClientSubjectKey = attribute.Key("tls.client.subject")
+
+	// TLSClientSupportedCiphersKey is the attribute Key conforming to the
+	// "tls.client.supported_ciphers" semantic conventions. It represents the array
+	// of ciphers offered by the client during the client hello.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	// "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+	TLSClientSupportedCiphersKey = attribute.Key("tls.client.supported_ciphers")
+
+	// TLSCurveKey is the attribute Key conforming to the "tls.curve" semantic
+	// conventions. It represents the string indicating the curve used for the given
+	// cipher, when applicable.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "secp256r1"
+	TLSCurveKey = attribute.Key("tls.curve")
+
+	// TLSEstablishedKey is the attribute Key conforming to the "tls.established"
+	// semantic conventions. It represents the boolean flag indicating if the TLS
+	// negotiation was successful and transitioned to an encrypted tunnel.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: true
+	TLSEstablishedKey = attribute.Key("tls.established")
+
+	// TLSNextProtocolKey is the attribute Key conforming to the "tls.next_protocol"
+	// semantic conventions. It represents the string indicating the protocol being
+	// tunneled. Per the values in the [IANA registry], this string should be lower
+	// case.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "http/1.1"
+	//
+	// [IANA registry]: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
+	TLSNextProtocolKey = attribute.Key("tls.next_protocol")
+
+	// TLSProtocolNameKey is the attribute Key conforming to the "tls.protocol.name"
+	// semantic conventions. It represents the normalized lowercase protocol name
+	// parsed from original string of the negotiated [SSL/TLS protocol version].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	//
+	// [SSL/TLS protocol version]: https://docs.openssl.org/1.1.1/man3/SSL_get_version/#return-values
+	TLSProtocolNameKey = attribute.Key("tls.protocol.name")
+
+	// TLSProtocolVersionKey is the attribute Key conforming to the
+	// "tls.protocol.version" semantic conventions. It represents the numeric part
+	// of the version parsed from the original string of the negotiated
+	// [SSL/TLS protocol version].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1.2", "3"
+	//
+	// [SSL/TLS protocol version]: https://docs.openssl.org/1.1.1/man3/SSL_get_version/#return-values
+	TLSProtocolVersionKey = attribute.Key("tls.protocol.version")
+
+	// TLSResumedKey is the attribute Key conforming to the "tls.resumed" semantic
+	// conventions. It represents the boolean flag indicating if this TLS connection
+	// was resumed from an existing TLS negotiation.
+	//
+	// Type: boolean
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: true
+	TLSResumedKey = attribute.Key("tls.resumed")
+
+	// TLSServerCertificateKey is the attribute Key conforming to the
+	// "tls.server.certificate" semantic conventions. It represents the PEM-encoded
+	// stand-alone certificate offered by the server. This is usually
+	// mutually-exclusive of `server.certificate_chain` since this value also exists
+	// in that list.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "MII..."
+	TLSServerCertificateKey = attribute.Key("tls.server.certificate")
+
+	// TLSServerCertificateChainKey is the attribute Key conforming to the
+	// "tls.server.certificate_chain" semantic conventions. It represents the array
+	// of PEM-encoded certificates that make up the certificate chain offered by the
+	// server. This is usually mutually-exclusive of `server.certificate` since that
+	// value should be the first certificate in the chain.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "MII...", "MI..."
+	TLSServerCertificateChainKey = attribute.Key("tls.server.certificate_chain")
+
+	// TLSServerHashMd5Key is the attribute Key conforming to the
+	// "tls.server.hash.md5" semantic conventions. It represents the certificate
+	// fingerprint using the MD5 digest of DER-encoded version of certificate
+	// offered by the server. For consistency with other hash values, this value
+	// should be formatted as an uppercase hash.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC"
+	TLSServerHashMd5Key = attribute.Key("tls.server.hash.md5")
+
+	// TLSServerHashSha1Key is the attribute Key conforming to the
+	// "tls.server.hash.sha1" semantic conventions. It represents the certificate
+	// fingerprint using the SHA1 digest of DER-encoded version of certificate
+	// offered by the server. For consistency with other hash values, this value
+	// should be formatted as an uppercase hash.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "9E393D93138888D288266C2D915214D1D1CCEB2A"
+	TLSServerHashSha1Key = attribute.Key("tls.server.hash.sha1")
+
+	// TLSServerHashSha256Key is the attribute Key conforming to the
+	// "tls.server.hash.sha256" semantic conventions. It represents the certificate
+	// fingerprint using the SHA256 digest of DER-encoded version of certificate
+	// offered by the server. For consistency with other hash values, this value
+	// should be formatted as an uppercase hash.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"
+	TLSServerHashSha256Key = attribute.Key("tls.server.hash.sha256")
+
+	// TLSServerIssuerKey is the attribute Key conforming to the "tls.server.issuer"
+	// semantic conventions. It represents the distinguished name of [subject] of
+	// the issuer of the x.509 certificate presented by the client.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"
+	//
+	// [subject]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	TLSServerIssuerKey = attribute.Key("tls.server.issuer")
+
+	// TLSServerJa3sKey is the attribute Key conforming to the "tls.server.ja3s"
+	// semantic conventions. It represents a hash that identifies servers based on
+	// how they perform an SSL/TLS handshake.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "d4e5b18d6b55c71272893221c96ba240"
+	TLSServerJa3sKey = attribute.Key("tls.server.ja3s")
+
+	// TLSServerNotAfterKey is the attribute Key conforming to the
+	// "tls.server.not_after" semantic conventions. It represents the date/Time
+	// indicating when server certificate is no longer considered valid.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2021-01-01T00:00:00.000Z"
+	TLSServerNotAfterKey = attribute.Key("tls.server.not_after")
+
+	// TLSServerNotBeforeKey is the attribute Key conforming to the
+	// "tls.server.not_before" semantic conventions. It represents the date/Time
+	// indicating when server certificate is first considered valid.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "1970-01-01T00:00:00.000Z"
+	TLSServerNotBeforeKey = attribute.Key("tls.server.not_before")
+
+	// TLSServerSubjectKey is the attribute Key conforming to the
+	// "tls.server.subject" semantic conventions. It represents the distinguished
+	// name of subject of the x.509 certificate presented by the server.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "CN=myserver, OU=Documentation Team, DC=example, DC=com"
+	TLSServerSubjectKey = attribute.Key("tls.server.subject")
+)
+
+// TLSCipher returns an attribute KeyValue conforming to the "tls.cipher"
+// semantic conventions. It represents the string indicating the [cipher] used
+// during the current connection.
+//
+// [cipher]: https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5
+func TLSCipher(val string) attribute.KeyValue {
+	return TLSCipherKey.String(val)
+}
+
+// TLSClientCertificate returns an attribute KeyValue conforming to the
+// "tls.client.certificate" semantic conventions. It represents the PEM-encoded
+// stand-alone certificate offered by the client. This is usually
+// mutually-exclusive of `client.certificate_chain` since this value also exists
+// in that list.
+func TLSClientCertificate(val string) attribute.KeyValue {
+	return TLSClientCertificateKey.String(val)
+}
+
+// TLSClientCertificateChain returns an attribute KeyValue conforming to the
+// "tls.client.certificate_chain" semantic conventions. It represents the array
+// of PEM-encoded certificates that make up the certificate chain offered by the
+// client. This is usually mutually-exclusive of `client.certificate` since that
+// value should be the first certificate in the chain.
+func TLSClientCertificateChain(val ...string) attribute.KeyValue {
+	return TLSClientCertificateChainKey.StringSlice(val)
+}
+
+// TLSClientHashMd5 returns an attribute KeyValue conforming to the
+// "tls.client.hash.md5" semantic conventions. It represents the certificate
+// fingerprint using the MD5 digest of DER-encoded version of certificate offered
+// by the client. For consistency with other hash values, this value should be
+// formatted as an uppercase hash.
+func TLSClientHashMd5(val string) attribute.KeyValue {
+	return TLSClientHashMd5Key.String(val)
+}
+
+// TLSClientHashSha1 returns an attribute KeyValue conforming to the
+// "tls.client.hash.sha1" semantic conventions. It represents the certificate
+// fingerprint using the SHA1 digest of DER-encoded version of certificate
+// offered by the client. For consistency with other hash values, this value
+// should be formatted as an uppercase hash.
+func TLSClientHashSha1(val string) attribute.KeyValue {
+	return TLSClientHashSha1Key.String(val)
+}
+
+// TLSClientHashSha256 returns an attribute KeyValue conforming to the
+// "tls.client.hash.sha256" semantic conventions. It represents the certificate
+// fingerprint using the SHA256 digest of DER-encoded version of certificate
+// offered by the client. For consistency with other hash values, this value
+// should be formatted as an uppercase hash.
+func TLSClientHashSha256(val string) attribute.KeyValue {
+	return TLSClientHashSha256Key.String(val)
+}
+
+// TLSClientIssuer returns an attribute KeyValue conforming to the
+// "tls.client.issuer" semantic conventions. It represents the distinguished name
+// of [subject] of the issuer of the x.509 certificate presented by the client.
+//
+// [subject]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+func TLSClientIssuer(val string) attribute.KeyValue {
+	return TLSClientIssuerKey.String(val)
+}
+
+// TLSClientJa3 returns an attribute KeyValue conforming to the "tls.client.ja3"
+// semantic conventions. It represents a hash that identifies clients based on
+// how they perform an SSL/TLS handshake.
+func TLSClientJa3(val string) attribute.KeyValue {
+	return TLSClientJa3Key.String(val)
+}
+
+// TLSClientNotAfter returns an attribute KeyValue conforming to the
+// "tls.client.not_after" semantic conventions. It represents the date/Time
+// indicating when client certificate is no longer considered valid.
+func TLSClientNotAfter(val string) attribute.KeyValue {
+	return TLSClientNotAfterKey.String(val)
+}
+
+// TLSClientNotBefore returns an attribute KeyValue conforming to the
+// "tls.client.not_before" semantic conventions. It represents the date/Time
+// indicating when client certificate is first considered valid.
+func TLSClientNotBefore(val string) attribute.KeyValue {
+	return TLSClientNotBeforeKey.String(val)
+}
+
+// TLSClientSubject returns an attribute KeyValue conforming to the
+// "tls.client.subject" semantic conventions. It represents the distinguished
+// name of subject of the x.509 certificate presented by the client.
+func TLSClientSubject(val string) attribute.KeyValue {
+	return TLSClientSubjectKey.String(val)
+}
+
+// TLSClientSupportedCiphers returns an attribute KeyValue conforming to the
+// "tls.client.supported_ciphers" semantic conventions. It represents the array
+// of ciphers offered by the client during the client hello.
+func TLSClientSupportedCiphers(val ...string) attribute.KeyValue {
+	return TLSClientSupportedCiphersKey.StringSlice(val)
+}
+
+// TLSCurve returns an attribute KeyValue conforming to the "tls.curve" semantic
+// conventions. It represents the string indicating the curve used for the given
+// cipher, when applicable.
+func TLSCurve(val string) attribute.KeyValue {
+	return TLSCurveKey.String(val)
+}
+
+// TLSEstablished returns an attribute KeyValue conforming to the
+// "tls.established" semantic conventions. It represents the boolean flag
+// indicating if the TLS negotiation was successful and transitioned to an
+// encrypted tunnel.
+func TLSEstablished(val bool) attribute.KeyValue {
+	return TLSEstablishedKey.Bool(val)
+}
+
+// TLSNextProtocol returns an attribute KeyValue conforming to the
+// "tls.next_protocol" semantic conventions. It represents the string indicating
+// the protocol being tunneled. Per the values in the [IANA registry], this
+// string should be lower case.
+//
+// [IANA registry]: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
+func TLSNextProtocol(val string) attribute.KeyValue {
+	return TLSNextProtocolKey.String(val)
+}
+
+// TLSProtocolVersion returns an attribute KeyValue conforming to the
+// "tls.protocol.version" semantic conventions. It represents the numeric part of
+// the version parsed from the original string of the negotiated
+// [SSL/TLS protocol version].
+//
+// [SSL/TLS protocol version]: https://docs.openssl.org/1.1.1/man3/SSL_get_version/#return-values
+func TLSProtocolVersion(val string) attribute.KeyValue {
+	return TLSProtocolVersionKey.String(val)
+}
+
+// TLSResumed returns an attribute KeyValue conforming to the "tls.resumed"
+// semantic conventions. It represents the boolean flag indicating if this TLS
+// connection was resumed from an existing TLS negotiation.
+func TLSResumed(val bool) attribute.KeyValue {
+	return TLSResumedKey.Bool(val)
+}
+
+// TLSServerCertificate returns an attribute KeyValue conforming to the
+// "tls.server.certificate" semantic conventions. It represents the PEM-encoded
+// stand-alone certificate offered by the server. This is usually
+// mutually-exclusive of `server.certificate_chain` since this value also exists
+// in that list.
+func TLSServerCertificate(val string) attribute.KeyValue {
+	return TLSServerCertificateKey.String(val)
+}
+
+// TLSServerCertificateChain returns an attribute KeyValue conforming to the
+// "tls.server.certificate_chain" semantic conventions. It represents the array
+// of PEM-encoded certificates that make up the certificate chain offered by the
+// server. This is usually mutually-exclusive of `server.certificate` since that
+// value should be the first certificate in the chain.
+func TLSServerCertificateChain(val ...string) attribute.KeyValue {
+	return TLSServerCertificateChainKey.StringSlice(val)
+}
+
+// TLSServerHashMd5 returns an attribute KeyValue conforming to the
+// "tls.server.hash.md5" semantic conventions. It represents the certificate
+// fingerprint using the MD5 digest of DER-encoded version of certificate offered
+// by the server. For consistency with other hash values, this value should be
+// formatted as an uppercase hash.
+func TLSServerHashMd5(val string) attribute.KeyValue {
+	return TLSServerHashMd5Key.String(val)
+}
+
+// TLSServerHashSha1 returns an attribute KeyValue conforming to the
+// "tls.server.hash.sha1" semantic conventions. It represents the certificate
+// fingerprint using the SHA1 digest of DER-encoded version of certificate
+// offered by the server. For consistency with other hash values, this value
+// should be formatted as an uppercase hash.
+func TLSServerHashSha1(val string) attribute.KeyValue {
+	return TLSServerHashSha1Key.String(val)
+}
+
+// TLSServerHashSha256 returns an attribute KeyValue conforming to the
+// "tls.server.hash.sha256" semantic conventions. It represents the certificate
+// fingerprint using the SHA256 digest of DER-encoded version of certificate
+// offered by the server. For consistency with other hash values, this value
+// should be formatted as an uppercase hash.
+func TLSServerHashSha256(val string) attribute.KeyValue {
+	return TLSServerHashSha256Key.String(val)
+}
+
+// TLSServerIssuer returns an attribute KeyValue conforming to the
+// "tls.server.issuer" semantic conventions. It represents the distinguished name
+// of [subject] of the issuer of the x.509 certificate presented by the client.
+//
+// [subject]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+func TLSServerIssuer(val string) attribute.KeyValue {
+	return TLSServerIssuerKey.String(val)
+}
+
+// TLSServerJa3s returns an attribute KeyValue conforming to the
+// "tls.server.ja3s" semantic conventions. It represents a hash that identifies
+// servers based on how they perform an SSL/TLS handshake.
+func TLSServerJa3s(val string) attribute.KeyValue {
+	return TLSServerJa3sKey.String(val)
+}
+
+// TLSServerNotAfter returns an attribute KeyValue conforming to the
+// "tls.server.not_after" semantic conventions. It represents the date/Time
+// indicating when server certificate is no longer considered valid.
+func TLSServerNotAfter(val string) attribute.KeyValue {
+	return TLSServerNotAfterKey.String(val)
+}
+
+// TLSServerNotBefore returns an attribute KeyValue conforming to the
+// "tls.server.not_before" semantic conventions. It represents the date/Time
+// indicating when server certificate is first considered valid.
+func TLSServerNotBefore(val string) attribute.KeyValue {
+	return TLSServerNotBeforeKey.String(val)
+}
+
+// TLSServerSubject returns an attribute KeyValue conforming to the
+// "tls.server.subject" semantic conventions. It represents the distinguished
+// name of subject of the x.509 certificate presented by the server.
+func TLSServerSubject(val string) attribute.KeyValue {
+	return TLSServerSubjectKey.String(val)
+}
+
+// Enum values for tls.protocol.name
+var (
+	// ssl
+	// Stability: development
+	TLSProtocolNameSsl = TLSProtocolNameKey.String("ssl")
+	// tls
+	// Stability: development
+	TLSProtocolNameTLS = TLSProtocolNameKey.String("tls")
+)
+
+// Namespace: url
+const (
+	// URLDomainKey is the attribute Key conforming to the "url.domain" semantic
+	// conventions. It represents the domain extracted from the `url.full`, such as
+	// "opentelemetry.io".
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "www.foo.bar", "opentelemetry.io", "3.12.167.2",
+	// "[1080:0:0:0:8:800:200C:417A]"
+	// Note: In some cases a URL may refer to an IP and/or port directly, without a
+	// domain name. In this case, the IP address would go to the domain field. If
+	// the URL contains a [literal IPv6 address] enclosed by `[` and `]`, the `[`
+	// and `]` characters should also be captured in the domain field.
+	//
+	// [literal IPv6 address]: https://www.rfc-editor.org/rfc/rfc2732#section-2
+	URLDomainKey = attribute.Key("url.domain")
+
+	// URLExtensionKey is the attribute Key conforming to the "url.extension"
+	// semantic conventions. It represents the file extension extracted from the
+	// `url.full`, excluding the leading dot.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "png", "gz"
+	// Note: The file extension is only set if it exists, as not every url has a
+	// file extension. When the file name has multiple extensions `example.tar.gz`,
+	// only the last one should be captured `gz`, not `tar.gz`.
+	URLExtensionKey = attribute.Key("url.extension")
+
+	// URLFragmentKey is the attribute Key conforming to the "url.fragment" semantic
+	// conventions. It represents the [URI fragment] component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "SemConv"
+	//
+	// [URI fragment]: https://www.rfc-editor.org/rfc/rfc3986#section-3.5
+	URLFragmentKey = attribute.Key("url.fragment")
+
+	// URLFullKey is the attribute Key conforming to the "url.full" semantic
+	// conventions. It represents the absolute URL describing a network resource
+	// according to [RFC3986].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "https://www.foo.bar/search?q=OpenTelemetry#SemConv", "//localhost"
+	// Note: For network calls, URL usually has
+	// `scheme://host[:port][path][?query][#fragment]` format, where the fragment
+	// is not transmitted over HTTP, but if it is known, it SHOULD be included
+	// nevertheless.
+	//
+	// `url.full` MUST NOT contain credentials passed via URL in form of
+	// `https://username:password@www.example.com/`.
+	// In such case username and password SHOULD be redacted and attribute's value
+	// SHOULD be `https://REDACTED:REDACTED@www.example.com/`.
+	//
+	// `url.full` SHOULD capture the absolute URL when it is available (or can be
+	// reconstructed).
+	//
+	// Sensitive content provided in `url.full` SHOULD be scrubbed when
+	// instrumentations can identify it.
+	//
+	//
+	// Query string values for the following keys SHOULD be redacted by default and
+	// replaced by the
+	// value `REDACTED`:
+	//
+	//   - [`AWSAccessKeyId`]
+	//   - [`Signature`]
+	//   - [`sig`]
+	//   - [`X-Goog-Signature`]
+	//
+	// This list is subject to change over time.
+	//
+	// When a query string value is redacted, the query string key SHOULD still be
+	// preserved, e.g.
+	// `https://www.example.com/path?color=blue&sig=REDACTED`.
+	//
+	// [RFC3986]: https://www.rfc-editor.org/rfc/rfc3986
+	// [`AWSAccessKeyId`]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+	// [`Signature`]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+	// [`sig`]: https://learn.microsoft.com/azure/storage/common/storage-sas-overview#sas-token
+	// [`X-Goog-Signature`]: https://cloud.google.com/storage/docs/access-control/signed-urls
+	URLFullKey = attribute.Key("url.full")
+
+	// URLOriginalKey is the attribute Key conforming to the "url.original" semantic
+	// conventions. It represents the unmodified original URL as seen in the event
+	// source.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "https://www.foo.bar/search?q=OpenTelemetry#SemConv",
+	// "search?q=OpenTelemetry"
+	// Note: In network monitoring, the observed URL may be a full URL, whereas in
+	// access logs, the URL is often just represented as a path. This field is meant
+	// to represent the URL as it was observed, complete or not.
+	// `url.original` might contain credentials passed via URL in form of
+	// `https://username:password@www.example.com/`. In such case password and
+	// username SHOULD NOT be redacted and attribute's value SHOULD remain the same.
+	URLOriginalKey = attribute.Key("url.original")
+
+	// URLPathKey is the attribute Key conforming to the "url.path" semantic
+	// conventions. It represents the [URI path] component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "/search"
+	// Note: Sensitive content provided in `url.path` SHOULD be scrubbed when
+	// instrumentations can identify it.
+	//
+	// [URI path]: https://www.rfc-editor.org/rfc/rfc3986#section-3.3
+	URLPathKey = attribute.Key("url.path")
+
+	// URLPortKey is the attribute Key conforming to the "url.port" semantic
+	// conventions. It represents the port extracted from the `url.full`.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 443
+	URLPortKey = attribute.Key("url.port")
+
+	// URLQueryKey is the attribute Key conforming to the "url.query" semantic
+	// conventions. It represents the [URI query] component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "q=OpenTelemetry"
+	// Note: Sensitive content provided in `url.query` SHOULD be scrubbed when
+	// instrumentations can identify it.
+	//
+	//
+	// Query string values for the following keys SHOULD be redacted by default and
+	// replaced by the value `REDACTED`:
+	//
+	//   - [`AWSAccessKeyId`]
+	//   - [`Signature`]
+	//   - [`sig`]
+	//   - [`X-Goog-Signature`]
+	//
+	// This list is subject to change over time.
+	//
+	// When a query string value is redacted, the query string key SHOULD still be
+	// preserved, e.g.
+	// `q=OpenTelemetry&sig=REDACTED`.
+	//
+	// [URI query]: https://www.rfc-editor.org/rfc/rfc3986#section-3.4
+	// [`AWSAccessKeyId`]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+	// [`Signature`]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+	// [`sig`]: https://learn.microsoft.com/azure/storage/common/storage-sas-overview#sas-token
+	// [`X-Goog-Signature`]: https://cloud.google.com/storage/docs/access-control/signed-urls
+	URLQueryKey = attribute.Key("url.query")
+
+	// URLRegisteredDomainKey is the attribute Key conforming to the
+	// "url.registered_domain" semantic conventions. It represents the highest
+	// registered url domain, stripped of the subdomain.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "example.com", "foo.co.uk"
+	// Note: This value can be determined precisely with the [public suffix list].
+	// For example, the registered domain for `foo.example.com` is `example.com`.
+	// Trying to approximate this by simply taking the last two labels will not work
+	// well for TLDs such as `co.uk`.
+	//
+	// [public suffix list]: https://publicsuffix.org/
+	URLRegisteredDomainKey = attribute.Key("url.registered_domain")
+
+	// URLSchemeKey is the attribute Key conforming to the "url.scheme" semantic
+	// conventions. It represents the [URI scheme] component identifying the used
+	// protocol.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "https", "ftp", "telnet"
+	//
+	// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+	URLSchemeKey = attribute.Key("url.scheme")
+
+	// URLSubdomainKey is the attribute Key conforming to the "url.subdomain"
+	// semantic conventions. It represents the subdomain portion of a fully
+	// qualified domain name includes all of the names except the host name under
+	// the registered_domain. In a partially qualified domain, or if the
+	// qualification level of the full name cannot be determined, subdomain contains
+	// all of the names below the registered domain.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "east", "sub2.sub1"
+	// Note: The subdomain portion of `www.east.mydomain.co.uk` is `east`. If the
+	// domain has multiple levels of subdomain, such as `sub2.sub1.example.com`, the
+	// subdomain field should contain `sub2.sub1`, with no trailing period.
+	URLSubdomainKey = attribute.Key("url.subdomain")
+
+	// URLTemplateKey is the attribute Key conforming to the "url.template" semantic
+	// conventions. It represents the low-cardinality template of an
+	// [absolute path reference].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "/users/{id}", "/users/:id", "/users?id={id}"
+	//
+	// [absolute path reference]: https://www.rfc-editor.org/rfc/rfc3986#section-4.2
+	URLTemplateKey = attribute.Key("url.template")
+
+	// URLTopLevelDomainKey is the attribute Key conforming to the
+	// "url.top_level_domain" semantic conventions. It represents the effective top
+	// level domain (eTLD), also known as the domain suffix, is the last part of the
+	// domain name. For example, the top level domain for example.com is `com`.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "com", "co.uk"
+	// Note: This value can be determined precisely with the [public suffix list].
+	//
+	// [public suffix list]: https://publicsuffix.org/
+	URLTopLevelDomainKey = attribute.Key("url.top_level_domain")
+)
+
+// URLDomain returns an attribute KeyValue conforming to the "url.domain"
+// semantic conventions. It represents the domain extracted from the `url.full`,
+// such as "opentelemetry.io".
+func URLDomain(val string) attribute.KeyValue {
+	return URLDomainKey.String(val)
+}
+
+// URLExtension returns an attribute KeyValue conforming to the "url.extension"
+// semantic conventions. It represents the file extension extracted from the
+// `url.full`, excluding the leading dot.
+func URLExtension(val string) attribute.KeyValue {
+	return URLExtensionKey.String(val)
+}
+
+// URLFragment returns an attribute KeyValue conforming to the "url.fragment"
+// semantic conventions. It represents the [URI fragment] component.
+//
+// [URI fragment]: https://www.rfc-editor.org/rfc/rfc3986#section-3.5
+func URLFragment(val string) attribute.KeyValue {
+	return URLFragmentKey.String(val)
+}
+
+// URLFull returns an attribute KeyValue conforming to the "url.full" semantic
+// conventions. It represents the absolute URL describing a network resource
+// according to [RFC3986].
+//
+// [RFC3986]: https://www.rfc-editor.org/rfc/rfc3986
+func URLFull(val string) attribute.KeyValue {
+	return URLFullKey.String(val)
+}
+
+// URLOriginal returns an attribute KeyValue conforming to the "url.original"
+// semantic conventions. It represents the unmodified original URL as seen in the
+// event source.
+func URLOriginal(val string) attribute.KeyValue {
+	return URLOriginalKey.String(val)
+}
+
+// URLPath returns an attribute KeyValue conforming to the "url.path" semantic
+// conventions. It represents the [URI path] component.
+//
+// [URI path]: https://www.rfc-editor.org/rfc/rfc3986#section-3.3
+func URLPath(val string) attribute.KeyValue {
+	return URLPathKey.String(val)
+}
+
+// URLPort returns an attribute KeyValue conforming to the "url.port" semantic
+// conventions. It represents the port extracted from the `url.full`.
+func URLPort(val int) attribute.KeyValue {
+	return URLPortKey.Int(val)
+}
+
+// URLQuery returns an attribute KeyValue conforming to the "url.query" semantic
+// conventions. It represents the [URI query] component.
+//
+// [URI query]: https://www.rfc-editor.org/rfc/rfc3986#section-3.4
+func URLQuery(val string) attribute.KeyValue {
+	return URLQueryKey.String(val)
+}
+
+// URLRegisteredDomain returns an attribute KeyValue conforming to the
+// "url.registered_domain" semantic conventions. It represents the highest
+// registered url domain, stripped of the subdomain.
+func URLRegisteredDomain(val string) attribute.KeyValue {
+	return URLRegisteredDomainKey.String(val)
+}
+
+// URLScheme returns an attribute KeyValue conforming to the "url.scheme"
+// semantic conventions. It represents the [URI scheme] component identifying the
+// used protocol.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func URLScheme(val string) attribute.KeyValue {
+	return URLSchemeKey.String(val)
+}
+
+// URLSubdomain returns an attribute KeyValue conforming to the "url.subdomain"
+// semantic conventions. It represents the subdomain portion of a fully qualified
+// domain name includes all of the names except the host name under the
+// registered_domain. In a partially qualified domain, or if the qualification
+// level of the full name cannot be determined, subdomain contains all of the
+// names below the registered domain.
+func URLSubdomain(val string) attribute.KeyValue {
+	return URLSubdomainKey.String(val)
+}
+
+// URLTemplate returns an attribute KeyValue conforming to the "url.template"
+// semantic conventions. It represents the low-cardinality template of an
+// [absolute path reference].
+//
+// [absolute path reference]: https://www.rfc-editor.org/rfc/rfc3986#section-4.2
+func URLTemplate(val string) attribute.KeyValue {
+	return URLTemplateKey.String(val)
+}
+
+// URLTopLevelDomain returns an attribute KeyValue conforming to the
+// "url.top_level_domain" semantic conventions. It represents the effective top
+// level domain (eTLD), also known as the domain suffix, is the last part of the
+// domain name. For example, the top level domain for example.com is `com`.
+func URLTopLevelDomain(val string) attribute.KeyValue {
+	return URLTopLevelDomainKey.String(val)
+}
+
+// Namespace: user
+const (
+	// UserEmailKey is the attribute Key conforming to the "user.email" semantic
+	// conventions. It represents the user email address.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "a.einstein@example.com"
+	UserEmailKey = attribute.Key("user.email")
+
+	// UserFullNameKey is the attribute Key conforming to the "user.full_name"
+	// semantic conventions. It represents the user's full name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Albert Einstein"
+	UserFullNameKey = attribute.Key("user.full_name")
+
+	// UserHashKey is the attribute Key conforming to the "user.hash" semantic
+	// conventions. It represents the unique user hash to correlate information for
+	// a user in anonymized form.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "364fc68eaf4c8acec74a4e52d7d1feaa"
+	// Note: Useful if `user.id` or `user.name` contain confidential information and
+	// cannot be used.
+	UserHashKey = attribute.Key("user.hash")
+
+	// UserIDKey is the attribute Key conforming to the "user.id" semantic
+	// conventions. It represents the unique identifier of the user.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "S-1-5-21-202424912787-2692429404-2351956786-1000"
+	UserIDKey = attribute.Key("user.id")
+
+	// UserNameKey is the attribute Key conforming to the "user.name" semantic
+	// conventions. It represents the short name or login/username of the user.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "a.einstein"
+	UserNameKey = attribute.Key("user.name")
+
+	// UserRolesKey is the attribute Key conforming to the "user.roles" semantic
+	// conventions. It represents the array of user roles at the time of the event.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "admin", "reporting_user"
+	UserRolesKey = attribute.Key("user.roles")
+)
+
+// UserEmail returns an attribute KeyValue conforming to the "user.email"
+// semantic conventions. It represents the user email address.
+func UserEmail(val string) attribute.KeyValue {
+	return UserEmailKey.String(val)
+}
+
+// UserFullName returns an attribute KeyValue conforming to the "user.full_name"
+// semantic conventions. It represents the user's full name.
+func UserFullName(val string) attribute.KeyValue {
+	return UserFullNameKey.String(val)
+}
+
+// UserHash returns an attribute KeyValue conforming to the "user.hash" semantic
+// conventions. It represents the unique user hash to correlate information for a
+// user in anonymized form.
+func UserHash(val string) attribute.KeyValue {
+	return UserHashKey.String(val)
+}
+
+// UserID returns an attribute KeyValue conforming to the "user.id" semantic
+// conventions. It represents the unique identifier of the user.
+func UserID(val string) attribute.KeyValue {
+	return UserIDKey.String(val)
+}
+
+// UserName returns an attribute KeyValue conforming to the "user.name" semantic
+// conventions. It represents the short name or login/username of the user.
+func UserName(val string) attribute.KeyValue {
+	return UserNameKey.String(val)
+}
+
+// UserRoles returns an attribute KeyValue conforming to the "user.roles"
+// semantic conventions. It represents the array of user roles at the time of the
+// event.
+func UserRoles(val ...string) attribute.KeyValue {
+	return UserRolesKey.StringSlice(val)
+}
+
+// Namespace: user_agent
+const (
+	// UserAgentNameKey is the attribute Key conforming to the "user_agent.name"
+	// semantic conventions. It represents the name of the user-agent extracted from
+	// original. Usually refers to the browser's name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Safari", "YourApp"
+	// Note: [Example] of extracting browser's name from original string. In the
+	// case of using a user-agent for non-browser products, such as microservices
+	// with multiple names/versions inside the `user_agent.original`, the most
+	// significant name SHOULD be selected. In such a scenario it should align with
+	// `user_agent.version`
+	//
+	// [Example]: https://www.whatsmyua.info
+	UserAgentNameKey = attribute.Key("user_agent.name")
+
+	// UserAgentOriginalKey is the attribute Key conforming to the
+	// "user_agent.original" semantic conventions. It represents the value of the
+	// [HTTP User-Agent] header sent by the client.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Stable
+	//
+	// Examples: "CERN-LineMode/2.15 libwww/2.17b3", "Mozilla/5.0 (iPhone; CPU
+	// iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
+	// Version/14.1.2 Mobile/15E148 Safari/604.1", "YourApp/1.0.0
+	// grpc-java-okhttp/1.27.2"
+	//
+	// [HTTP User-Agent]: https://www.rfc-editor.org/rfc/rfc9110.html#field.user-agent
+	UserAgentOriginalKey = attribute.Key("user_agent.original")
+
+	// UserAgentOSNameKey is the attribute Key conforming to the
+	// "user_agent.os.name" semantic conventions. It represents the human readable
+	// operating system name.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "iOS", "Android", "Ubuntu"
+	// Note: For mapping user agent strings to OS names, libraries such as
+	// [ua-parser] can be utilized.
+	//
+	// [ua-parser]: https://github.com/ua-parser
+	UserAgentOSNameKey = attribute.Key("user_agent.os.name")
+
+	// UserAgentOSVersionKey is the attribute Key conforming to the
+	// "user_agent.os.version" semantic conventions. It represents the version
+	// string of the operating system as defined in [Version Attributes].
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "14.2.1", "18.04.1"
+	// Note: For mapping user agent strings to OS versions, libraries such as
+	// [ua-parser] can be utilized.
+	//
+	// [Version Attributes]: /docs/resource/README.md#version-attributes
+	// [ua-parser]: https://github.com/ua-parser
+	UserAgentOSVersionKey = attribute.Key("user_agent.os.version")
+
+	// UserAgentSyntheticTypeKey is the attribute Key conforming to the
+	// "user_agent.synthetic.type" semantic conventions. It represents the specifies
+	// the category of synthetic traffic, such as tests or bots.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: This attribute MAY be derived from the contents of the
+	// `user_agent.original` attribute. Components that populate the attribute are
+	// responsible for determining what they consider to be synthetic bot or test
+	// traffic. This attribute can either be set for self-identification purposes,
+	// or on telemetry detected to be generated as a result of a synthetic request.
+	// This attribute is useful for distinguishing between genuine client traffic
+	// and synthetic traffic generated by bots or tests.
+	UserAgentSyntheticTypeKey = attribute.Key("user_agent.synthetic.type")
+
+	// UserAgentVersionKey is the attribute Key conforming to the
+	// "user_agent.version" semantic conventions. It represents the version of the
+	// user-agent extracted from original. Usually refers to the browser's version.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "14.1.2", "1.0.0"
+	// Note: [Example] of extracting browser's version from original string. In the
+	// case of using a user-agent for non-browser products, such as microservices
+	// with multiple names/versions inside the `user_agent.original`, the most
+	// significant version SHOULD be selected. In such a scenario it should align
+	// with `user_agent.name`
+	//
+	// [Example]: https://www.whatsmyua.info
+	UserAgentVersionKey = attribute.Key("user_agent.version")
+)
+
+// UserAgentName returns an attribute KeyValue conforming to the
+// "user_agent.name" semantic conventions. It represents the name of the
+// user-agent extracted from original. Usually refers to the browser's name.
+func UserAgentName(val string) attribute.KeyValue {
+	return UserAgentNameKey.String(val)
+}
+
+// UserAgentOriginal returns an attribute KeyValue conforming to the
+// "user_agent.original" semantic conventions. It represents the value of the
+// [HTTP User-Agent] header sent by the client.
+//
+// [HTTP User-Agent]: https://www.rfc-editor.org/rfc/rfc9110.html#field.user-agent
+func UserAgentOriginal(val string) attribute.KeyValue {
+	return UserAgentOriginalKey.String(val)
+}
+
+// UserAgentOSName returns an attribute KeyValue conforming to the
+// "user_agent.os.name" semantic conventions. It represents the human readable
+// operating system name.
+func UserAgentOSName(val string) attribute.KeyValue {
+	return UserAgentOSNameKey.String(val)
+}
+
+// UserAgentOSVersion returns an attribute KeyValue conforming to the
+// "user_agent.os.version" semantic conventions. It represents the version string
+// of the operating system as defined in [Version Attributes].
+//
+// [Version Attributes]: /docs/resource/README.md#version-attributes
+func UserAgentOSVersion(val string) attribute.KeyValue {
+	return UserAgentOSVersionKey.String(val)
+}
+
+// UserAgentVersion returns an attribute KeyValue conforming to the
+// "user_agent.version" semantic conventions. It represents the version of the
+// user-agent extracted from original. Usually refers to the browser's version.
+func UserAgentVersion(val string) attribute.KeyValue {
+	return UserAgentVersionKey.String(val)
+}
+
+// Enum values for user_agent.synthetic.type
+var (
+	// Bot source.
+	// Stability: development
+	UserAgentSyntheticTypeBot = UserAgentSyntheticTypeKey.String("bot")
+	// Synthetic test source.
+	// Stability: development
+	UserAgentSyntheticTypeTest = UserAgentSyntheticTypeKey.String("test")
+)
+
+// Namespace: vcs
+const (
+	// VCSChangeIDKey is the attribute Key conforming to the "vcs.change.id"
+	// semantic conventions. It represents the ID of the change (pull request/merge
+	// request/changelist) if applicable. This is usually a unique (within
+	// repository) identifier generated by the VCS system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "123"
+	VCSChangeIDKey = attribute.Key("vcs.change.id")
+
+	// VCSChangeStateKey is the attribute Key conforming to the "vcs.change.state"
+	// semantic conventions. It represents the state of the change (pull
+	// request/merge request/changelist).
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "open", "closed", "merged"
+	VCSChangeStateKey = attribute.Key("vcs.change.state")
+
+	// VCSChangeTitleKey is the attribute Key conforming to the "vcs.change.title"
+	// semantic conventions. It represents the human readable title of the change
+	// (pull request/merge request/changelist). This title is often a brief summary
+	// of the change and may get merged in to a ref as the commit summary.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Fixes broken thing", "feat: add my new feature", "[chore] update
+	// dependency"
+	VCSChangeTitleKey = attribute.Key("vcs.change.title")
+
+	// VCSLineChangeTypeKey is the attribute Key conforming to the
+	// "vcs.line_change.type" semantic conventions. It represents the type of line
+	// change being measured on a branch or change.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "added", "removed"
+	VCSLineChangeTypeKey = attribute.Key("vcs.line_change.type")
+
+	// VCSOwnerNameKey is the attribute Key conforming to the "vcs.owner.name"
+	// semantic conventions. It represents the group owner within the version
+	// control system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-org", "myteam", "business-unit"
+	VCSOwnerNameKey = attribute.Key("vcs.owner.name")
+
+	// VCSProviderNameKey is the attribute Key conforming to the "vcs.provider.name"
+	// semantic conventions. It represents the name of the version control system
+	// provider.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "github", "gitlab", "gitea", "bitbucket"
+	VCSProviderNameKey = attribute.Key("vcs.provider.name")
+
+	// VCSRefBaseNameKey is the attribute Key conforming to the "vcs.ref.base.name"
+	// semantic conventions. It represents the name of the [reference] such as
+	// **branch** or **tag** in the repository.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-feature-branch", "tag-1-test"
+	// Note: `base` refers to the starting point of a change. For example, `main`
+	// would be the base reference of type branch if you've created a new
+	// reference of type branch from it and created new commits.
+	//
+	// [reference]: https://git-scm.com/docs/gitglossary#def_ref
+	VCSRefBaseNameKey = attribute.Key("vcs.ref.base.name")
+
+	// VCSRefBaseRevisionKey is the attribute Key conforming to the
+	// "vcs.ref.base.revision" semantic conventions. It represents the revision,
+	// literally [revised version], The revision most often refers to a commit
+	// object in Git, or a revision number in SVN.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "9d59409acf479dfa0df1aa568182e43e43df8bbe28d60fcf2bc52e30068802cc",
+	// "main", "123", "HEAD"
+	// Note: `base` refers to the starting point of a change. For example, `main`
+	// would be the base reference of type branch if you've created a new
+	// reference of type branch from it and created new commits. The
+	// revision can be a full [hash value (see
+	// glossary)],
+	// of the recorded change to a ref within a repository pointing to a
+	// commit [commit] object. It does
+	// not necessarily have to be a hash; it can simply define a [revision
+	// number]
+	// which is an integer that is monotonically increasing. In cases where
+	// it is identical to the `ref.base.name`, it SHOULD still be included.
+	// It is up to the implementer to decide which value to set as the
+	// revision based on the VCS system and situational context.
+	//
+	// [revised version]: https://www.merriam-webster.com/dictionary/revision
+	// [hash value (see
+	// glossary)]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+	// [commit]: https://git-scm.com/docs/git-commit
+	// [revision
+	// number]: https://svnbook.red-bean.com/en/1.7/svn.tour.revs.specifiers.html
+	VCSRefBaseRevisionKey = attribute.Key("vcs.ref.base.revision")
+
+	// VCSRefBaseTypeKey is the attribute Key conforming to the "vcs.ref.base.type"
+	// semantic conventions. It represents the type of the [reference] in the
+	// repository.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "branch", "tag"
+	// Note: `base` refers to the starting point of a change. For example, `main`
+	// would be the base reference of type branch if you've created a new
+	// reference of type branch from it and created new commits.
+	//
+	// [reference]: https://git-scm.com/docs/gitglossary#def_ref
+	VCSRefBaseTypeKey = attribute.Key("vcs.ref.base.type")
+
+	// VCSRefHeadNameKey is the attribute Key conforming to the "vcs.ref.head.name"
+	// semantic conventions. It represents the name of the [reference] such as
+	// **branch** or **tag** in the repository.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-feature-branch", "tag-1-test"
+	// Note: `head` refers to where you are right now; the current reference at a
+	// given time.
+	//
+	// [reference]: https://git-scm.com/docs/gitglossary#def_ref
+	VCSRefHeadNameKey = attribute.Key("vcs.ref.head.name")
+
+	// VCSRefHeadRevisionKey is the attribute Key conforming to the
+	// "vcs.ref.head.revision" semantic conventions. It represents the revision,
+	// literally [revised version], The revision most often refers to a commit
+	// object in Git, or a revision number in SVN.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "9d59409acf479dfa0df1aa568182e43e43df8bbe28d60fcf2bc52e30068802cc",
+	// "main", "123", "HEAD"
+	// Note: `head` refers to where you are right now; the current reference at a
+	// given time.The revision can be a full [hash value (see
+	// glossary)],
+	// of the recorded change to a ref within a repository pointing to a
+	// commit [commit] object. It does
+	// not necessarily have to be a hash; it can simply define a [revision
+	// number]
+	// which is an integer that is monotonically increasing. In cases where
+	// it is identical to the `ref.head.name`, it SHOULD still be included.
+	// It is up to the implementer to decide which value to set as the
+	// revision based on the VCS system and situational context.
+	//
+	// [revised version]: https://www.merriam-webster.com/dictionary/revision
+	// [hash value (see
+	// glossary)]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
+	// [commit]: https://git-scm.com/docs/git-commit
+	// [revision
+	// number]: https://svnbook.red-bean.com/en/1.7/svn.tour.revs.specifiers.html
+	VCSRefHeadRevisionKey = attribute.Key("vcs.ref.head.revision")
+
+	// VCSRefHeadTypeKey is the attribute Key conforming to the "vcs.ref.head.type"
+	// semantic conventions. It represents the type of the [reference] in the
+	// repository.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "branch", "tag"
+	// Note: `head` refers to where you are right now; the current reference at a
+	// given time.
+	//
+	// [reference]: https://git-scm.com/docs/gitglossary#def_ref
+	VCSRefHeadTypeKey = attribute.Key("vcs.ref.head.type")
+
+	// VCSRefTypeKey is the attribute Key conforming to the "vcs.ref.type" semantic
+	// conventions. It represents the type of the [reference] in the repository.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "branch", "tag"
+	//
+	// [reference]: https://git-scm.com/docs/gitglossary#def_ref
+	VCSRefTypeKey = attribute.Key("vcs.ref.type")
+
+	// VCSRepositoryNameKey is the attribute Key conforming to the
+	// "vcs.repository.name" semantic conventions. It represents the human readable
+	// name of the repository. It SHOULD NOT include any additional identifier like
+	// Group/SubGroup in GitLab or organization in GitHub.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "semantic-conventions", "my-cool-repo"
+	// Note: Due to it only being the name, it can clash with forks of the same
+	// repository if collecting telemetry across multiple orgs or groups in
+	// the same backends.
+	VCSRepositoryNameKey = attribute.Key("vcs.repository.name")
+
+	// VCSRepositoryURLFullKey is the attribute Key conforming to the
+	// "vcs.repository.url.full" semantic conventions. It represents the
+	// [canonical URL] of the repository providing the complete HTTP(S) address in
+	// order to locate and identify the repository through a browser.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// "https://github.com/opentelemetry/open-telemetry-collector-contrib",
+	// "https://gitlab.com/my-org/my-project/my-projects-project/repo"
+	// Note: In Git Version Control Systems, the canonical URL SHOULD NOT include
+	// the `.git` extension.
+	//
+	// [canonical URL]: https://support.google.com/webmasters/answer/10347851?hl=en#:~:text=A%20canonical%20URL%20is%20the,Google%20chooses%20one%20as%20canonical.
+	VCSRepositoryURLFullKey = attribute.Key("vcs.repository.url.full")
+
+	// VCSRevisionDeltaDirectionKey is the attribute Key conforming to the
+	// "vcs.revision_delta.direction" semantic conventions. It represents the type
+	// of revision comparison.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "ahead", "behind"
+	VCSRevisionDeltaDirectionKey = attribute.Key("vcs.revision_delta.direction")
+)
+
+// VCSChangeID returns an attribute KeyValue conforming to the "vcs.change.id"
+// semantic conventions. It represents the ID of the change (pull request/merge
+// request/changelist) if applicable. This is usually a unique (within
+// repository) identifier generated by the VCS system.
+func VCSChangeID(val string) attribute.KeyValue {
+	return VCSChangeIDKey.String(val)
+}
+
+// VCSChangeTitle returns an attribute KeyValue conforming to the
+// "vcs.change.title" semantic conventions. It represents the human readable
+// title of the change (pull request/merge request/changelist). This title is
+// often a brief summary of the change and may get merged in to a ref as the
+// commit summary.
+func VCSChangeTitle(val string) attribute.KeyValue {
+	return VCSChangeTitleKey.String(val)
+}
+
+// VCSOwnerName returns an attribute KeyValue conforming to the "vcs.owner.name"
+// semantic conventions. It represents the group owner within the version control
+// system.
+func VCSOwnerName(val string) attribute.KeyValue {
+	return VCSOwnerNameKey.String(val)
+}
+
+// VCSRefBaseName returns an attribute KeyValue conforming to the
+// "vcs.ref.base.name" semantic conventions. It represents the name of the
+// [reference] such as **branch** or **tag** in the repository.
+//
+// [reference]: https://git-scm.com/docs/gitglossary#def_ref
+func VCSRefBaseName(val string) attribute.KeyValue {
+	return VCSRefBaseNameKey.String(val)
+}
+
+// VCSRefBaseRevision returns an attribute KeyValue conforming to the
+// "vcs.ref.base.revision" semantic conventions. It represents the revision,
+// literally [revised version], The revision most often refers to a commit object
+// in Git, or a revision number in SVN.
+//
+// [revised version]: https://www.merriam-webster.com/dictionary/revision
+func VCSRefBaseRevision(val string) attribute.KeyValue {
+	return VCSRefBaseRevisionKey.String(val)
+}
+
+// VCSRefHeadName returns an attribute KeyValue conforming to the
+// "vcs.ref.head.name" semantic conventions. It represents the name of the
+// [reference] such as **branch** or **tag** in the repository.
+//
+// [reference]: https://git-scm.com/docs/gitglossary#def_ref
+func VCSRefHeadName(val string) attribute.KeyValue {
+	return VCSRefHeadNameKey.String(val)
+}
+
+// VCSRefHeadRevision returns an attribute KeyValue conforming to the
+// "vcs.ref.head.revision" semantic conventions. It represents the revision,
+// literally [revised version], The revision most often refers to a commit object
+// in Git, or a revision number in SVN.
+//
+// [revised version]: https://www.merriam-webster.com/dictionary/revision
+func VCSRefHeadRevision(val string) attribute.KeyValue {
+	return VCSRefHeadRevisionKey.String(val)
+}
+
+// VCSRepositoryName returns an attribute KeyValue conforming to the
+// "vcs.repository.name" semantic conventions. It represents the human readable
+// name of the repository. It SHOULD NOT include any additional identifier like
+// Group/SubGroup in GitLab or organization in GitHub.
+func VCSRepositoryName(val string) attribute.KeyValue {
+	return VCSRepositoryNameKey.String(val)
+}
+
+// VCSRepositoryURLFull returns an attribute KeyValue conforming to the
+// "vcs.repository.url.full" semantic conventions. It represents the
+// [canonical URL] of the repository providing the complete HTTP(S) address in
+// order to locate and identify the repository through a browser.
+//
+// [canonical URL]: https://support.google.com/webmasters/answer/10347851?hl=en#:~:text=A%20canonical%20URL%20is%20the,Google%20chooses%20one%20as%20canonical.
+func VCSRepositoryURLFull(val string) attribute.KeyValue {
+	return VCSRepositoryURLFullKey.String(val)
+}
+
+// Enum values for vcs.change.state
+var (
+	// Open means the change is currently active and under review. It hasn't been
+	// merged into the target branch yet, and it's still possible to make changes or
+	// add comments.
+	// Stability: development
+	VCSChangeStateOpen = VCSChangeStateKey.String("open")
+	// WIP (work-in-progress, draft) means the change is still in progress and not
+	// yet ready for a full review. It might still undergo significant changes.
+	// Stability: development
+	VCSChangeStateWip = VCSChangeStateKey.String("wip")
+	// Closed means the merge request has been closed without merging. This can
+	// happen for various reasons, such as the changes being deemed unnecessary, the
+	// issue being resolved in another way, or the author deciding to withdraw the
+	// request.
+	// Stability: development
+	VCSChangeStateClosed = VCSChangeStateKey.String("closed")
+	// Merged indicates that the change has been successfully integrated into the
+	// target codebase.
+	// Stability: development
+	VCSChangeStateMerged = VCSChangeStateKey.String("merged")
+)
+
+// Enum values for vcs.line_change.type
+var (
+	// How many lines were added.
+	// Stability: development
+	VCSLineChangeTypeAdded = VCSLineChangeTypeKey.String("added")
+	// How many lines were removed.
+	// Stability: development
+	VCSLineChangeTypeRemoved = VCSLineChangeTypeKey.String("removed")
+)
+
+// Enum values for vcs.provider.name
+var (
+	// [GitHub]
+	// Stability: development
+	//
+	// [GitHub]: https://github.com
+	VCSProviderNameGithub = VCSProviderNameKey.String("github")
+	// [GitLab]
+	// Stability: development
+	//
+	// [GitLab]: https://gitlab.com
+	VCSProviderNameGitlab = VCSProviderNameKey.String("gitlab")
+	// Deprecated: Replaced by `gitea`.
+	VCSProviderNameGittea = VCSProviderNameKey.String("gittea")
+	// [Gitea]
+	// Stability: development
+	//
+	// [Gitea]: https://gitea.io
+	VCSProviderNameGitea = VCSProviderNameKey.String("gitea")
+	// [Bitbucket]
+	// Stability: development
+	//
+	// [Bitbucket]: https://bitbucket.org
+	VCSProviderNameBitbucket = VCSProviderNameKey.String("bitbucket")
+)
+
+// Enum values for vcs.ref.base.type
+var (
+	// [branch]
+	// Stability: development
+	//
+	// [branch]: https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefbranchabranch
+	VCSRefBaseTypeBranch = VCSRefBaseTypeKey.String("branch")
+	// [tag]
+	// Stability: development
+	//
+	// [tag]: https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddeftagatag
+	VCSRefBaseTypeTag = VCSRefBaseTypeKey.String("tag")
+)
+
+// Enum values for vcs.ref.head.type
+var (
+	// [branch]
+	// Stability: development
+	//
+	// [branch]: https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefbranchabranch
+	VCSRefHeadTypeBranch = VCSRefHeadTypeKey.String("branch")
+	// [tag]
+	// Stability: development
+	//
+	// [tag]: https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddeftagatag
+	VCSRefHeadTypeTag = VCSRefHeadTypeKey.String("tag")
+)
+
+// Enum values for vcs.ref.type
+var (
+	// [branch]
+	// Stability: development
+	//
+	// [branch]: https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefbranchabranch
+	VCSRefTypeBranch = VCSRefTypeKey.String("branch")
+	// [tag]
+	// Stability: development
+	//
+	// [tag]: https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddeftagatag
+	VCSRefTypeTag = VCSRefTypeKey.String("tag")
+)
+
+// Enum values for vcs.revision_delta.direction
+var (
+	// How many revisions the change is behind the target ref.
+	// Stability: development
+	VCSRevisionDeltaDirectionBehind = VCSRevisionDeltaDirectionKey.String("behind")
+	// How many revisions the change is ahead of the target ref.
+	// Stability: development
+	VCSRevisionDeltaDirectionAhead = VCSRevisionDeltaDirectionKey.String("ahead")
+)
+
+// Namespace: webengine
+const (
+	// WebEngineDescriptionKey is the attribute Key conforming to the
+	// "webengine.description" semantic conventions. It represents the additional
+	// description of the web engine (e.g. detailed version and edition
+	// information).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "WildFly Full 21.0.0.Final (WildFly Core 13.0.1.Final) -
+	// 2.2.2.Final"
+	WebEngineDescriptionKey = attribute.Key("webengine.description")
+
+	// WebEngineNameKey is the attribute Key conforming to the "webengine.name"
+	// semantic conventions. It represents the name of the web engine.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "WildFly"
+	WebEngineNameKey = attribute.Key("webengine.name")
+
+	// WebEngineVersionKey is the attribute Key conforming to the
+	// "webengine.version" semantic conventions. It represents the version of the
+	// web engine.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "21.0.0"
+	WebEngineVersionKey = attribute.Key("webengine.version")
+)
+
+// WebEngineDescription returns an attribute KeyValue conforming to the
+// "webengine.description" semantic conventions. It represents the additional
+// description of the web engine (e.g. detailed version and edition information).
+func WebEngineDescription(val string) attribute.KeyValue {
+	return WebEngineDescriptionKey.String(val)
+}
+
+// WebEngineName returns an attribute KeyValue conforming to the "webengine.name"
+// semantic conventions. It represents the name of the web engine.
+func WebEngineName(val string) attribute.KeyValue {
+	return WebEngineNameKey.String(val)
+}
+
+// WebEngineVersion returns an attribute KeyValue conforming to the
+// "webengine.version" semantic conventions. It represents the version of the web
+// engine.
+func WebEngineVersion(val string) attribute.KeyValue {
+	return WebEngineVersionKey.String(val)
+}
\ No newline at end of file
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go
new file mode 100644
index 00000000..2c5c7ebd
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go
@@ -0,0 +1,9 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Package semconv implements OpenTelemetry semantic conventions.
+//
+// OpenTelemetry semantic conventions are agreed standardized naming
+// patterns for OpenTelemetry things. This package represents the v1.34.0
+// version of the OpenTelemetry semantic conventions.
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go
new file mode 100644
index 00000000..88a998f1
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go
@@ -0,0 +1,9 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
+
+const (
+	// ExceptionEventName is the name of the Span event representing an exception.
+	ExceptionEventName = "exception"
+)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/httpconv/metric.go b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/httpconv/metric.go
new file mode 100644
index 00000000..79843adb
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/httpconv/metric.go
@@ -0,0 +1,1418 @@
+// Code generated from semantic convention specification. DO NOT EDIT.
+
+// Package httpconv provides types and functionality for OpenTelemetry semantic
+// conventions in the "http" namespace.
+package httpconv
+
+import (
+	"context"
+	"sync"
+
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/metric"
+	"go.opentelemetry.io/otel/metric/noop"
+)
+
+var (
+	addOptPool = &sync.Pool{New: func() any { return &[]metric.AddOption{} }}
+	recOptPool = &sync.Pool{New: func() any { return &[]metric.RecordOption{} }}
+)
+
+// ErrorTypeAttr is an attribute conforming to the error.type semantic
+// conventions. It represents the describes a class of error the operation ended
+// with.
+type ErrorTypeAttr string
+
+var (
+	// ErrorTypeOther is a fallback error value to be used when the instrumentation
+	// doesn't define a custom value.
+	ErrorTypeOther ErrorTypeAttr = "_OTHER"
+)
+
+// ConnectionStateAttr is an attribute conforming to the http.connection.state
+// semantic conventions. It represents the state of the HTTP connection in the
+// HTTP connection pool.
+type ConnectionStateAttr string
+
+var (
+	// ConnectionStateActive is the active state.
+	ConnectionStateActive ConnectionStateAttr = "active"
+	// ConnectionStateIdle is the idle state.
+	ConnectionStateIdle ConnectionStateAttr = "idle"
+)
+
+// RequestMethodAttr is an attribute conforming to the http.request.method
+// semantic conventions. It represents the HTTP request method.
+type RequestMethodAttr string
+
+var (
+	// RequestMethodConnect is the CONNECT method.
+	RequestMethodConnect RequestMethodAttr = "CONNECT"
+	// RequestMethodDelete is the DELETE method.
+	RequestMethodDelete RequestMethodAttr = "DELETE"
+	// RequestMethodGet is the GET method.
+	RequestMethodGet RequestMethodAttr = "GET"
+	// RequestMethodHead is the HEAD method.
+	RequestMethodHead RequestMethodAttr = "HEAD"
+	// RequestMethodOptions is the OPTIONS method.
+	RequestMethodOptions RequestMethodAttr = "OPTIONS"
+	// RequestMethodPatch is the PATCH method.
+	RequestMethodPatch RequestMethodAttr = "PATCH"
+	// RequestMethodPost is the POST method.
+	RequestMethodPost RequestMethodAttr = "POST"
+	// RequestMethodPut is the PUT method.
+	RequestMethodPut RequestMethodAttr = "PUT"
+	// RequestMethodTrace is the TRACE method.
+	RequestMethodTrace RequestMethodAttr = "TRACE"
+	// RequestMethodOther is the any HTTP method that the instrumentation has no
+	// prior knowledge of.
+	RequestMethodOther RequestMethodAttr = "_OTHER"
+)
+
+// UserAgentSyntheticTypeAttr is an attribute conforming to the
+// user_agent.synthetic.type semantic conventions. It represents the specifies
+// the category of synthetic traffic, such as tests or bots.
+type UserAgentSyntheticTypeAttr string
+
+var (
+	// UserAgentSyntheticTypeBot is the bot source.
+	UserAgentSyntheticTypeBot UserAgentSyntheticTypeAttr = "bot"
+	// UserAgentSyntheticTypeTest is the synthetic test source.
+	UserAgentSyntheticTypeTest UserAgentSyntheticTypeAttr = "test"
+)
+
+// ClientActiveRequests is an instrument used to record metric values conforming
+// to the "http.client.active_requests" semantic conventions. It represents the
+// number of active HTTP requests.
+type ClientActiveRequests struct {
+	metric.Int64UpDownCounter
+}
+
+// NewClientActiveRequests returns a new ClientActiveRequests instrument.
+func NewClientActiveRequests(
+	m metric.Meter,
+	opt ...metric.Int64UpDownCounterOption,
+) (ClientActiveRequests, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientActiveRequests{noop.Int64UpDownCounter{}}, nil
+	}
+
+	i, err := m.Int64UpDownCounter(
+		"http.client.active_requests",
+		append([]metric.Int64UpDownCounterOption{
+			metric.WithDescription("Number of active HTTP requests."),
+			metric.WithUnit("{request}"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ClientActiveRequests{noop.Int64UpDownCounter{}}, err
+	}
+	return ClientActiveRequests{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientActiveRequests) Inst() metric.Int64UpDownCounter {
+	return m.Int64UpDownCounter
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientActiveRequests) Name() string {
+	return "http.client.active_requests"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientActiveRequests) Unit() string {
+	return "{request}"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientActiveRequests) Description() string {
+	return "Number of active HTTP requests."
+}
+
+// Add adds incr to the existing count.
+//
+// The serverAddress is the server domain name if available without reverse DNS
+// lookup; otherwise, IP address or Unix domain socket name.
+//
+// The serverPort is the port identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+func (m ClientActiveRequests) Add(
+	ctx context.Context,
+	incr int64,
+	serverAddress string,
+	serverPort int,
+	attrs ...attribute.KeyValue,
+) {
+	o := addOptPool.Get().(*[]metric.AddOption)
+	defer func() {
+		*o = (*o)[:0]
+		addOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("server.address", serverAddress),
+				attribute.Int("server.port", serverPort),
+			)...,
+		),
+	)
+
+	m.Int64UpDownCounter.Add(ctx, incr, *o...)
+}
+
+// AttrURLTemplate returns an optional attribute for the "url.template" semantic
+// convention. It represents the low-cardinality template of an
+// [absolute path reference].
+//
+// [absolute path reference]: https://www.rfc-editor.org/rfc/rfc3986#section-4.2
+func (ClientActiveRequests) AttrURLTemplate(val string) attribute.KeyValue {
+	return attribute.String("url.template", val)
+}
+
+// AttrRequestMethod returns an optional attribute for the "http.request.method"
+// semantic convention. It represents the HTTP request method.
+func (ClientActiveRequests) AttrRequestMethod(val RequestMethodAttr) attribute.KeyValue {
+	return attribute.String("http.request.method", string(val))
+}
+
+// AttrURLScheme returns an optional attribute for the "url.scheme" semantic
+// convention. It represents the [URI scheme] component identifying the used
+// protocol.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (ClientActiveRequests) AttrURLScheme(val string) attribute.KeyValue {
+	return attribute.String("url.scheme", val)
+}
+
+// ClientConnectionDuration is an instrument used to record metric values
+// conforming to the "http.client.connection.duration" semantic conventions. It
+// represents the duration of the successfully established outbound HTTP
+// connections.
+type ClientConnectionDuration struct {
+	metric.Float64Histogram
+}
+
+// NewClientConnectionDuration returns a new ClientConnectionDuration instrument.
+func NewClientConnectionDuration(
+	m metric.Meter,
+	opt ...metric.Float64HistogramOption,
+) (ClientConnectionDuration, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientConnectionDuration{noop.Float64Histogram{}}, nil
+	}
+
+	i, err := m.Float64Histogram(
+		"http.client.connection.duration",
+		append([]metric.Float64HistogramOption{
+			metric.WithDescription("The duration of the successfully established outbound HTTP connections."),
+			metric.WithUnit("s"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ClientConnectionDuration{noop.Float64Histogram{}}, err
+	}
+	return ClientConnectionDuration{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientConnectionDuration) Inst() metric.Float64Histogram {
+	return m.Float64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientConnectionDuration) Name() string {
+	return "http.client.connection.duration"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientConnectionDuration) Unit() string {
+	return "s"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientConnectionDuration) Description() string {
+	return "The duration of the successfully established outbound HTTP connections."
+}
+
+// Record records val to the current distribution.
+//
+// The serverAddress is the server domain name if available without reverse DNS
+// lookup; otherwise, IP address or Unix domain socket name.
+//
+// The serverPort is the port identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+func (m ClientConnectionDuration) Record(
+	ctx context.Context,
+	val float64,
+	serverAddress string,
+	serverPort int,
+	attrs ...attribute.KeyValue,
+) {
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("server.address", serverAddress),
+				attribute.Int("server.port", serverPort),
+			)...,
+		),
+	)
+
+	m.Float64Histogram.Record(ctx, val, *o...)
+}
+
+// AttrNetworkPeerAddress returns an optional attribute for the
+// "network.peer.address" semantic convention. It represents the peer address of
+// the network connection - IP address or Unix domain socket name.
+func (ClientConnectionDuration) AttrNetworkPeerAddress(val string) attribute.KeyValue {
+	return attribute.String("network.peer.address", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ClientConnectionDuration) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrURLScheme returns an optional attribute for the "url.scheme" semantic
+// convention. It represents the [URI scheme] component identifying the used
+// protocol.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (ClientConnectionDuration) AttrURLScheme(val string) attribute.KeyValue {
+	return attribute.String("url.scheme", val)
+}
+
+// ClientOpenConnections is an instrument used to record metric values conforming
+// to the "http.client.open_connections" semantic conventions. It represents the
+// number of outbound HTTP connections that are currently active or idle on the
+// client.
+type ClientOpenConnections struct {
+	metric.Int64UpDownCounter
+}
+
+// NewClientOpenConnections returns a new ClientOpenConnections instrument.
+func NewClientOpenConnections(
+	m metric.Meter,
+	opt ...metric.Int64UpDownCounterOption,
+) (ClientOpenConnections, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientOpenConnections{noop.Int64UpDownCounter{}}, nil
+	}
+
+	i, err := m.Int64UpDownCounter(
+		"http.client.open_connections",
+		append([]metric.Int64UpDownCounterOption{
+			metric.WithDescription("Number of outbound HTTP connections that are currently active or idle on the client."),
+			metric.WithUnit("{connection}"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ClientOpenConnections{noop.Int64UpDownCounter{}}, err
+	}
+	return ClientOpenConnections{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientOpenConnections) Inst() metric.Int64UpDownCounter {
+	return m.Int64UpDownCounter
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientOpenConnections) Name() string {
+	return "http.client.open_connections"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientOpenConnections) Unit() string {
+	return "{connection}"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientOpenConnections) Description() string {
+	return "Number of outbound HTTP connections that are currently active or idle on the client."
+}
+
+// Add adds incr to the existing count.
+//
+// The connectionState is the state of the HTTP connection in the HTTP connection
+// pool.
+//
+// The serverAddress is the server domain name if available without reverse DNS
+// lookup; otherwise, IP address or Unix domain socket name.
+//
+// The serverPort is the port identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+func (m ClientOpenConnections) Add(
+	ctx context.Context,
+	incr int64,
+	connectionState ConnectionStateAttr,
+	serverAddress string,
+	serverPort int,
+	attrs ...attribute.KeyValue,
+) {
+	o := addOptPool.Get().(*[]metric.AddOption)
+	defer func() {
+		*o = (*o)[:0]
+		addOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.connection.state", string(connectionState)),
+				attribute.String("server.address", serverAddress),
+				attribute.Int("server.port", serverPort),
+			)...,
+		),
+	)
+
+	m.Int64UpDownCounter.Add(ctx, incr, *o...)
+}
+
+// AttrNetworkPeerAddress returns an optional attribute for the
+// "network.peer.address" semantic convention. It represents the peer address of
+// the network connection - IP address or Unix domain socket name.
+func (ClientOpenConnections) AttrNetworkPeerAddress(val string) attribute.KeyValue {
+	return attribute.String("network.peer.address", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ClientOpenConnections) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrURLScheme returns an optional attribute for the "url.scheme" semantic
+// convention. It represents the [URI scheme] component identifying the used
+// protocol.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (ClientOpenConnections) AttrURLScheme(val string) attribute.KeyValue {
+	return attribute.String("url.scheme", val)
+}
+
+// ClientRequestBodySize is an instrument used to record metric values conforming
+// to the "http.client.request.body.size" semantic conventions. It represents the
+// size of HTTP client request bodies.
+type ClientRequestBodySize struct {
+	metric.Int64Histogram
+}
+
+// NewClientRequestBodySize returns a new ClientRequestBodySize instrument.
+func NewClientRequestBodySize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ClientRequestBodySize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientRequestBodySize{noop.Int64Histogram{}}, nil
+	}
+
+	i, err := m.Int64Histogram(
+		"http.client.request.body.size",
+		append([]metric.Int64HistogramOption{
+			metric.WithDescription("Size of HTTP client request bodies."),
+			metric.WithUnit("By"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ClientRequestBodySize{noop.Int64Histogram{}}, err
+	}
+	return ClientRequestBodySize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientRequestBodySize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientRequestBodySize) Name() string {
+	return "http.client.request.body.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientRequestBodySize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientRequestBodySize) Description() string {
+	return "Size of HTTP client request bodies."
+}
+
+// Record records val to the current distribution.
+//
+// The requestMethod is the HTTP request method.
+//
+// The serverAddress is the host identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// The serverPort is the port identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+//
+// The size of the request payload body in bytes. This is the number of bytes
+// transferred excluding headers and is often, but not always, present as the
+// [Content-Length] header. For requests using transport encoding, this should be
+// the compressed size.
+//
+// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+func (m ClientRequestBodySize) Record(
+	ctx context.Context,
+	val int64,
+	requestMethod RequestMethodAttr,
+	serverAddress string,
+	serverPort int,
+	attrs ...attribute.KeyValue,
+) {
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.request.method", string(requestMethod)),
+				attribute.String("server.address", serverAddress),
+				attribute.Int("server.port", serverPort),
+			)...,
+		),
+	)
+
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// AttrErrorType returns an optional attribute for the "error.type" semantic
+// convention. It represents the describes a class of error the operation ended
+// with.
+func (ClientRequestBodySize) AttrErrorType(val ErrorTypeAttr) attribute.KeyValue {
+	return attribute.String("error.type", string(val))
+}
+
+// AttrResponseStatusCode returns an optional attribute for the
+// "http.response.status_code" semantic convention. It represents the
+// [HTTP response status code].
+//
+// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+func (ClientRequestBodySize) AttrResponseStatusCode(val int) attribute.KeyValue {
+	return attribute.Int("http.response.status_code", val)
+}
+
+// AttrNetworkProtocolName returns an optional attribute for the
+// "network.protocol.name" semantic convention. It represents the
+// [OSI application layer] or non-OSI equivalent.
+//
+// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+func (ClientRequestBodySize) AttrNetworkProtocolName(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.name", val)
+}
+
+// AttrURLTemplate returns an optional attribute for the "url.template" semantic
+// convention. It represents the low-cardinality template of an
+// [absolute path reference].
+//
+// [absolute path reference]: https://www.rfc-editor.org/rfc/rfc3986#section-4.2
+func (ClientRequestBodySize) AttrURLTemplate(val string) attribute.KeyValue {
+	return attribute.String("url.template", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ClientRequestBodySize) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrURLScheme returns an optional attribute for the "url.scheme" semantic
+// convention. It represents the [URI scheme] component identifying the used
+// protocol.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (ClientRequestBodySize) AttrURLScheme(val string) attribute.KeyValue {
+	return attribute.String("url.scheme", val)
+}
+
+// ClientRequestDuration is an instrument used to record metric values conforming
+// to the "http.client.request.duration" semantic conventions. It represents the
+// duration of HTTP client requests.
+type ClientRequestDuration struct {
+	metric.Float64Histogram
+}
+
+// NewClientRequestDuration returns a new ClientRequestDuration instrument.
+func NewClientRequestDuration(
+	m metric.Meter,
+	opt ...metric.Float64HistogramOption,
+) (ClientRequestDuration, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientRequestDuration{noop.Float64Histogram{}}, nil
+	}
+
+	i, err := m.Float64Histogram(
+		"http.client.request.duration",
+		append([]metric.Float64HistogramOption{
+			metric.WithDescription("Duration of HTTP client requests."),
+			metric.WithUnit("s"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ClientRequestDuration{noop.Float64Histogram{}}, err
+	}
+	return ClientRequestDuration{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientRequestDuration) Inst() metric.Float64Histogram {
+	return m.Float64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientRequestDuration) Name() string {
+	return "http.client.request.duration"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientRequestDuration) Unit() string {
+	return "s"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientRequestDuration) Description() string {
+	return "Duration of HTTP client requests."
+}
+
+// Record records val to the current distribution.
+//
+// The requestMethod is the HTTP request method.
+//
+// The serverAddress is the host identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// The serverPort is the port identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+func (m ClientRequestDuration) Record(
+	ctx context.Context,
+	val float64,
+	requestMethod RequestMethodAttr,
+	serverAddress string,
+	serverPort int,
+	attrs ...attribute.KeyValue,
+) {
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.request.method", string(requestMethod)),
+				attribute.String("server.address", serverAddress),
+				attribute.Int("server.port", serverPort),
+			)...,
+		),
+	)
+
+	m.Float64Histogram.Record(ctx, val, *o...)
+}
+
+// AttrErrorType returns an optional attribute for the "error.type" semantic
+// convention. It represents the describes a class of error the operation ended
+// with.
+func (ClientRequestDuration) AttrErrorType(val ErrorTypeAttr) attribute.KeyValue {
+	return attribute.String("error.type", string(val))
+}
+
+// AttrResponseStatusCode returns an optional attribute for the
+// "http.response.status_code" semantic convention. It represents the
+// [HTTP response status code].
+//
+// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+func (ClientRequestDuration) AttrResponseStatusCode(val int) attribute.KeyValue {
+	return attribute.Int("http.response.status_code", val)
+}
+
+// AttrNetworkProtocolName returns an optional attribute for the
+// "network.protocol.name" semantic convention. It represents the
+// [OSI application layer] or non-OSI equivalent.
+//
+// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+func (ClientRequestDuration) AttrNetworkProtocolName(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.name", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ClientRequestDuration) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrURLScheme returns an optional attribute for the "url.scheme" semantic
+// convention. It represents the [URI scheme] component identifying the used
+// protocol.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (ClientRequestDuration) AttrURLScheme(val string) attribute.KeyValue {
+	return attribute.String("url.scheme", val)
+}
+
+// AttrURLTemplate returns an optional attribute for the "url.template" semantic
+// convention. It represents the low-cardinality template of an
+// [absolute path reference].
+//
+// [absolute path reference]: https://www.rfc-editor.org/rfc/rfc3986#section-4.2
+func (ClientRequestDuration) AttrURLTemplate(val string) attribute.KeyValue {
+	return attribute.String("url.template", val)
+}
+
+// ClientResponseBodySize is an instrument used to record metric values
+// conforming to the "http.client.response.body.size" semantic conventions. It
+// represents the size of HTTP client response bodies.
+type ClientResponseBodySize struct {
+	metric.Int64Histogram
+}
+
+// NewClientResponseBodySize returns a new ClientResponseBodySize instrument.
+func NewClientResponseBodySize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ClientResponseBodySize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ClientResponseBodySize{noop.Int64Histogram{}}, nil
+	}
+
+	i, err := m.Int64Histogram(
+		"http.client.response.body.size",
+		append([]metric.Int64HistogramOption{
+			metric.WithDescription("Size of HTTP client response bodies."),
+			metric.WithUnit("By"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ClientResponseBodySize{noop.Int64Histogram{}}, err
+	}
+	return ClientResponseBodySize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ClientResponseBodySize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ClientResponseBodySize) Name() string {
+	return "http.client.response.body.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ClientResponseBodySize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ClientResponseBodySize) Description() string {
+	return "Size of HTTP client response bodies."
+}
+
+// Record records val to the current distribution.
+//
+// The requestMethod is the HTTP request method.
+//
+// The serverAddress is the host identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// The serverPort is the port identifier of the ["URI origin"] HTTP request is
+// sent to.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+// ["URI origin"]: https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-origin
+//
+// The size of the response payload body in bytes. This is the number of bytes
+// transferred excluding headers and is often, but not always, present as the
+// [Content-Length] header. For requests using transport encoding, this should be
+// the compressed size.
+//
+// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+func (m ClientResponseBodySize) Record(
+	ctx context.Context,
+	val int64,
+	requestMethod RequestMethodAttr,
+	serverAddress string,
+	serverPort int,
+	attrs ...attribute.KeyValue,
+) {
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.request.method", string(requestMethod)),
+				attribute.String("server.address", serverAddress),
+				attribute.Int("server.port", serverPort),
+			)...,
+		),
+	)
+
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// AttrErrorType returns an optional attribute for the "error.type" semantic
+// convention. It represents the describes a class of error the operation ended
+// with.
+func (ClientResponseBodySize) AttrErrorType(val ErrorTypeAttr) attribute.KeyValue {
+	return attribute.String("error.type", string(val))
+}
+
+// AttrResponseStatusCode returns an optional attribute for the
+// "http.response.status_code" semantic convention. It represents the
+// [HTTP response status code].
+//
+// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+func (ClientResponseBodySize) AttrResponseStatusCode(val int) attribute.KeyValue {
+	return attribute.Int("http.response.status_code", val)
+}
+
+// AttrNetworkProtocolName returns an optional attribute for the
+// "network.protocol.name" semantic convention. It represents the
+// [OSI application layer] or non-OSI equivalent.
+//
+// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+func (ClientResponseBodySize) AttrNetworkProtocolName(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.name", val)
+}
+
+// AttrURLTemplate returns an optional attribute for the "url.template" semantic
+// convention. It represents the low-cardinality template of an
+// [absolute path reference].
+//
+// [absolute path reference]: https://www.rfc-editor.org/rfc/rfc3986#section-4.2
+func (ClientResponseBodySize) AttrURLTemplate(val string) attribute.KeyValue {
+	return attribute.String("url.template", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ClientResponseBodySize) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrURLScheme returns an optional attribute for the "url.scheme" semantic
+// convention. It represents the [URI scheme] component identifying the used
+// protocol.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (ClientResponseBodySize) AttrURLScheme(val string) attribute.KeyValue {
+	return attribute.String("url.scheme", val)
+}
+
+// ServerActiveRequests is an instrument used to record metric values conforming
+// to the "http.server.active_requests" semantic conventions. It represents the
+// number of active HTTP server requests.
+type ServerActiveRequests struct {
+	metric.Int64UpDownCounter
+}
+
+// NewServerActiveRequests returns a new ServerActiveRequests instrument.
+func NewServerActiveRequests(
+	m metric.Meter,
+	opt ...metric.Int64UpDownCounterOption,
+) (ServerActiveRequests, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerActiveRequests{noop.Int64UpDownCounter{}}, nil
+	}
+
+	i, err := m.Int64UpDownCounter(
+		"http.server.active_requests",
+		append([]metric.Int64UpDownCounterOption{
+			metric.WithDescription("Number of active HTTP server requests."),
+			metric.WithUnit("{request}"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ServerActiveRequests{noop.Int64UpDownCounter{}}, err
+	}
+	return ServerActiveRequests{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerActiveRequests) Inst() metric.Int64UpDownCounter {
+	return m.Int64UpDownCounter
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerActiveRequests) Name() string {
+	return "http.server.active_requests"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerActiveRequests) Unit() string {
+	return "{request}"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerActiveRequests) Description() string {
+	return "Number of active HTTP server requests."
+}
+
+// Add adds incr to the existing count.
+//
+// The requestMethod is the HTTP request method.
+//
+// The urlScheme is the the [URI scheme] component identifying the used protocol.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (m ServerActiveRequests) Add(
+	ctx context.Context,
+	incr int64,
+	requestMethod RequestMethodAttr,
+	urlScheme string,
+	attrs ...attribute.KeyValue,
+) {
+	o := addOptPool.Get().(*[]metric.AddOption)
+	defer func() {
+		*o = (*o)[:0]
+		addOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.request.method", string(requestMethod)),
+				attribute.String("url.scheme", urlScheme),
+			)...,
+		),
+	)
+
+	m.Int64UpDownCounter.Add(ctx, incr, *o...)
+}
+
+// AttrServerAddress returns an optional attribute for the "server.address"
+// semantic convention. It represents the name of the local HTTP server that
+// received the request.
+func (ServerActiveRequests) AttrServerAddress(val string) attribute.KeyValue {
+	return attribute.String("server.address", val)
+}
+
+// AttrServerPort returns an optional attribute for the "server.port" semantic
+// convention. It represents the port of the local HTTP server that received the
+// request.
+func (ServerActiveRequests) AttrServerPort(val int) attribute.KeyValue {
+	return attribute.Int("server.port", val)
+}
+
+// ServerRequestBodySize is an instrument used to record metric values conforming
+// to the "http.server.request.body.size" semantic conventions. It represents the
+// size of HTTP server request bodies.
+type ServerRequestBodySize struct {
+	metric.Int64Histogram
+}
+
+// NewServerRequestBodySize returns a new ServerRequestBodySize instrument.
+func NewServerRequestBodySize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ServerRequestBodySize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerRequestBodySize{noop.Int64Histogram{}}, nil
+	}
+
+	i, err := m.Int64Histogram(
+		"http.server.request.body.size",
+		append([]metric.Int64HistogramOption{
+			metric.WithDescription("Size of HTTP server request bodies."),
+			metric.WithUnit("By"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ServerRequestBodySize{noop.Int64Histogram{}}, err
+	}
+	return ServerRequestBodySize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerRequestBodySize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerRequestBodySize) Name() string {
+	return "http.server.request.body.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerRequestBodySize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerRequestBodySize) Description() string {
+	return "Size of HTTP server request bodies."
+}
+
+// Record records val to the current distribution.
+//
+// The requestMethod is the HTTP request method.
+//
+// The urlScheme is the the [URI scheme] component identifying the used protocol.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+//
+// The size of the request payload body in bytes. This is the number of bytes
+// transferred excluding headers and is often, but not always, present as the
+// [Content-Length] header. For requests using transport encoding, this should be
+// the compressed size.
+//
+// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+func (m ServerRequestBodySize) Record(
+	ctx context.Context,
+	val int64,
+	requestMethod RequestMethodAttr,
+	urlScheme string,
+	attrs ...attribute.KeyValue,
+) {
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.request.method", string(requestMethod)),
+				attribute.String("url.scheme", urlScheme),
+			)...,
+		),
+	)
+
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// AttrErrorType returns an optional attribute for the "error.type" semantic
+// convention. It represents the describes a class of error the operation ended
+// with.
+func (ServerRequestBodySize) AttrErrorType(val ErrorTypeAttr) attribute.KeyValue {
+	return attribute.String("error.type", string(val))
+}
+
+// AttrResponseStatusCode returns an optional attribute for the
+// "http.response.status_code" semantic convention. It represents the
+// [HTTP response status code].
+//
+// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+func (ServerRequestBodySize) AttrResponseStatusCode(val int) attribute.KeyValue {
+	return attribute.Int("http.response.status_code", val)
+}
+
+// AttrRoute returns an optional attribute for the "http.route" semantic
+// convention. It represents the matched route, that is, the path template in the
+// format used by the respective server framework.
+func (ServerRequestBodySize) AttrRoute(val string) attribute.KeyValue {
+	return attribute.String("http.route", val)
+}
+
+// AttrNetworkProtocolName returns an optional attribute for the
+// "network.protocol.name" semantic convention. It represents the
+// [OSI application layer] or non-OSI equivalent.
+//
+// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+func (ServerRequestBodySize) AttrNetworkProtocolName(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.name", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ServerRequestBodySize) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrServerAddress returns an optional attribute for the "server.address"
+// semantic convention. It represents the name of the local HTTP server that
+// received the request.
+func (ServerRequestBodySize) AttrServerAddress(val string) attribute.KeyValue {
+	return attribute.String("server.address", val)
+}
+
+// AttrServerPort returns an optional attribute for the "server.port" semantic
+// convention. It represents the port of the local HTTP server that received the
+// request.
+func (ServerRequestBodySize) AttrServerPort(val int) attribute.KeyValue {
+	return attribute.Int("server.port", val)
+}
+
+// AttrUserAgentSyntheticType returns an optional attribute for the
+// "user_agent.synthetic.type" semantic convention. It represents the specifies
+// the category of synthetic traffic, such as tests or bots.
+func (ServerRequestBodySize) AttrUserAgentSyntheticType(val UserAgentSyntheticTypeAttr) attribute.KeyValue {
+	return attribute.String("user_agent.synthetic.type", string(val))
+}
+
+// ServerRequestDuration is an instrument used to record metric values conforming
+// to the "http.server.request.duration" semantic conventions. It represents the
+// duration of HTTP server requests.
+type ServerRequestDuration struct {
+	metric.Float64Histogram
+}
+
+// NewServerRequestDuration returns a new ServerRequestDuration instrument.
+func NewServerRequestDuration(
+	m metric.Meter,
+	opt ...metric.Float64HistogramOption,
+) (ServerRequestDuration, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerRequestDuration{noop.Float64Histogram{}}, nil
+	}
+
+	i, err := m.Float64Histogram(
+		"http.server.request.duration",
+		append([]metric.Float64HistogramOption{
+			metric.WithDescription("Duration of HTTP server requests."),
+			metric.WithUnit("s"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ServerRequestDuration{noop.Float64Histogram{}}, err
+	}
+	return ServerRequestDuration{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerRequestDuration) Inst() metric.Float64Histogram {
+	return m.Float64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerRequestDuration) Name() string {
+	return "http.server.request.duration"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerRequestDuration) Unit() string {
+	return "s"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerRequestDuration) Description() string {
+	return "Duration of HTTP server requests."
+}
+
+// Record records val to the current distribution.
+//
+// The requestMethod is the HTTP request method.
+//
+// The urlScheme is the the [URI scheme] component identifying the used protocol.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+func (m ServerRequestDuration) Record(
+	ctx context.Context,
+	val float64,
+	requestMethod RequestMethodAttr,
+	urlScheme string,
+	attrs ...attribute.KeyValue,
+) {
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.request.method", string(requestMethod)),
+				attribute.String("url.scheme", urlScheme),
+			)...,
+		),
+	)
+
+	m.Float64Histogram.Record(ctx, val, *o...)
+}
+
+// AttrErrorType returns an optional attribute for the "error.type" semantic
+// convention. It represents the describes a class of error the operation ended
+// with.
+func (ServerRequestDuration) AttrErrorType(val ErrorTypeAttr) attribute.KeyValue {
+	return attribute.String("error.type", string(val))
+}
+
+// AttrResponseStatusCode returns an optional attribute for the
+// "http.response.status_code" semantic convention. It represents the
+// [HTTP response status code].
+//
+// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+func (ServerRequestDuration) AttrResponseStatusCode(val int) attribute.KeyValue {
+	return attribute.Int("http.response.status_code", val)
+}
+
+// AttrRoute returns an optional attribute for the "http.route" semantic
+// convention. It represents the matched route, that is, the path template in the
+// format used by the respective server framework.
+func (ServerRequestDuration) AttrRoute(val string) attribute.KeyValue {
+	return attribute.String("http.route", val)
+}
+
+// AttrNetworkProtocolName returns an optional attribute for the
+// "network.protocol.name" semantic convention. It represents the
+// [OSI application layer] or non-OSI equivalent.
+//
+// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+func (ServerRequestDuration) AttrNetworkProtocolName(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.name", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ServerRequestDuration) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrServerAddress returns an optional attribute for the "server.address"
+// semantic convention. It represents the name of the local HTTP server that
+// received the request.
+func (ServerRequestDuration) AttrServerAddress(val string) attribute.KeyValue {
+	return attribute.String("server.address", val)
+}
+
+// AttrServerPort returns an optional attribute for the "server.port" semantic
+// convention. It represents the port of the local HTTP server that received the
+// request.
+func (ServerRequestDuration) AttrServerPort(val int) attribute.KeyValue {
+	return attribute.Int("server.port", val)
+}
+
+// AttrUserAgentSyntheticType returns an optional attribute for the
+// "user_agent.synthetic.type" semantic convention. It represents the specifies
+// the category of synthetic traffic, such as tests or bots.
+func (ServerRequestDuration) AttrUserAgentSyntheticType(val UserAgentSyntheticTypeAttr) attribute.KeyValue {
+	return attribute.String("user_agent.synthetic.type", string(val))
+}
+
+// ServerResponseBodySize is an instrument used to record metric values
+// conforming to the "http.server.response.body.size" semantic conventions. It
+// represents the size of HTTP server response bodies.
+type ServerResponseBodySize struct {
+	metric.Int64Histogram
+}
+
+// NewServerResponseBodySize returns a new ServerResponseBodySize instrument.
+func NewServerResponseBodySize(
+	m metric.Meter,
+	opt ...metric.Int64HistogramOption,
+) (ServerResponseBodySize, error) {
+	// Check if the meter is nil.
+	if m == nil {
+		return ServerResponseBodySize{noop.Int64Histogram{}}, nil
+	}
+
+	i, err := m.Int64Histogram(
+		"http.server.response.body.size",
+		append([]metric.Int64HistogramOption{
+			metric.WithDescription("Size of HTTP server response bodies."),
+			metric.WithUnit("By"),
+		}, opt...)...,
+	)
+	if err != nil {
+	    return ServerResponseBodySize{noop.Int64Histogram{}}, err
+	}
+	return ServerResponseBodySize{i}, nil
+}
+
+// Inst returns the underlying metric instrument.
+func (m ServerResponseBodySize) Inst() metric.Int64Histogram {
+	return m.Int64Histogram
+}
+
+// Name returns the semantic convention name of the instrument.
+func (ServerResponseBodySize) Name() string {
+	return "http.server.response.body.size"
+}
+
+// Unit returns the semantic convention unit of the instrument
+func (ServerResponseBodySize) Unit() string {
+	return "By"
+}
+
+// Description returns the semantic convention description of the instrument
+func (ServerResponseBodySize) Description() string {
+	return "Size of HTTP server response bodies."
+}
+
+// Record records val to the current distribution.
+//
+// The requestMethod is the HTTP request method.
+//
+// The urlScheme is the the [URI scheme] component identifying the used protocol.
+//
+// All additional attrs passed are included in the recorded value.
+//
+// [URI scheme]: https://www.rfc-editor.org/rfc/rfc3986#section-3.1
+//
+// The size of the response payload body in bytes. This is the number of bytes
+// transferred excluding headers and is often, but not always, present as the
+// [Content-Length] header. For requests using transport encoding, this should be
+// the compressed size.
+//
+// [Content-Length]: https://www.rfc-editor.org/rfc/rfc9110.html#field.content-length
+func (m ServerResponseBodySize) Record(
+	ctx context.Context,
+	val int64,
+	requestMethod RequestMethodAttr,
+	urlScheme string,
+	attrs ...attribute.KeyValue,
+) {
+	o := recOptPool.Get().(*[]metric.RecordOption)
+	defer func() {
+		*o = (*o)[:0]
+		recOptPool.Put(o)
+	}()
+
+	*o = append(
+		*o,
+		metric.WithAttributes(
+			append(
+				attrs,
+				attribute.String("http.request.method", string(requestMethod)),
+				attribute.String("url.scheme", urlScheme),
+			)...,
+		),
+	)
+
+	m.Int64Histogram.Record(ctx, val, *o...)
+}
+
+// AttrErrorType returns an optional attribute for the "error.type" semantic
+// convention. It represents the describes a class of error the operation ended
+// with.
+func (ServerResponseBodySize) AttrErrorType(val ErrorTypeAttr) attribute.KeyValue {
+	return attribute.String("error.type", string(val))
+}
+
+// AttrResponseStatusCode returns an optional attribute for the
+// "http.response.status_code" semantic convention. It represents the
+// [HTTP response status code].
+//
+// [HTTP response status code]: https://tools.ietf.org/html/rfc7231#section-6
+func (ServerResponseBodySize) AttrResponseStatusCode(val int) attribute.KeyValue {
+	return attribute.Int("http.response.status_code", val)
+}
+
+// AttrRoute returns an optional attribute for the "http.route" semantic
+// convention. It represents the matched route, that is, the path template in the
+// format used by the respective server framework.
+func (ServerResponseBodySize) AttrRoute(val string) attribute.KeyValue {
+	return attribute.String("http.route", val)
+}
+
+// AttrNetworkProtocolName returns an optional attribute for the
+// "network.protocol.name" semantic convention. It represents the
+// [OSI application layer] or non-OSI equivalent.
+//
+// [OSI application layer]: https://wikipedia.org/wiki/Application_layer
+func (ServerResponseBodySize) AttrNetworkProtocolName(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.name", val)
+}
+
+// AttrNetworkProtocolVersion returns an optional attribute for the
+// "network.protocol.version" semantic convention. It represents the actual
+// version of the protocol used for network communication.
+func (ServerResponseBodySize) AttrNetworkProtocolVersion(val string) attribute.KeyValue {
+	return attribute.String("network.protocol.version", val)
+}
+
+// AttrServerAddress returns an optional attribute for the "server.address"
+// semantic convention. It represents the name of the local HTTP server that
+// received the request.
+func (ServerResponseBodySize) AttrServerAddress(val string) attribute.KeyValue {
+	return attribute.String("server.address", val)
+}
+
+// AttrServerPort returns an optional attribute for the "server.port" semantic
+// convention. It represents the port of the local HTTP server that received the
+// request.
+func (ServerResponseBodySize) AttrServerPort(val int) attribute.KeyValue {
+	return attribute.Int("server.port", val)
+}
+
+// AttrUserAgentSyntheticType returns an optional attribute for the
+// "user_agent.synthetic.type" semantic convention. It represents the specifies
+// the category of synthetic traffic, such as tests or bots.
+func (ServerResponseBodySize) AttrUserAgentSyntheticType(val UserAgentSyntheticTypeAttr) attribute.KeyValue {
+	return attribute.String("user_agent.synthetic.type", string(val))
+}
\ No newline at end of file
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go
new file mode 100644
index 00000000..3c23d459
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go
@@ -0,0 +1,9 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
+
+// SchemaURL is the schema URL that matches the version of the semantic conventions
+// that this package defines. Semconv packages starting from v1.4.0 must declare
+// non-empty schema URL in the form https://opentelemetry.io/schemas/<version>
+const SchemaURL = "https://opentelemetry.io/schemas/1.34.0"
diff --git a/vendor/go.opentelemetry.io/otel/trace/auto.go b/vendor/go.opentelemetry.io/otel/trace/auto.go
index 7e291002..f3aa3981 100644
--- a/vendor/go.opentelemetry.io/otel/trace/auto.go
+++ b/vendor/go.opentelemetry.io/otel/trace/auto.go
@@ -20,7 +20,7 @@ import (
 
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
-	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
 	"go.opentelemetry.io/otel/trace/embedded"
 	"go.opentelemetry.io/otel/trace/internal/telemetry"
 )
@@ -57,14 +57,15 @@ type autoTracer struct {
 var _ Tracer = autoTracer{}
 
 func (t autoTracer) Start(ctx context.Context, name string, opts ...SpanStartOption) (context.Context, Span) {
-	var psc SpanContext
+	var psc, sc SpanContext
 	sampled := true
 	span := new(autoSpan)
 
 	// Ask eBPF for sampling decision and span context info.
-	t.start(ctx, span, &psc, &sampled, &span.spanContext)
+	t.start(ctx, span, &psc, &sampled, &sc)
 
 	span.sampled.Store(sampled)
+	span.spanContext = sc
 
 	ctx = ContextWithSpan(ctx, span)
 
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go
index 3c5e1cdb..e7ca62c6 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go
@@ -251,13 +251,20 @@ func (s *Span) UnmarshalJSON(data []byte) error {
 type SpanFlags int32
 
 const (
+	// SpanFlagsTraceFlagsMask is a mask for trace-flags.
+	//
 	// Bits 0-7 are used for trace flags.
 	SpanFlagsTraceFlagsMask SpanFlags = 255
-	// Bits 8 and 9 are used to indicate that the parent span or link span is remote.
-	// Bit 8 (`HAS_IS_REMOTE`) indicates whether the value is known.
-	// Bit 9 (`IS_REMOTE`) indicates whether the span or link is remote.
+	// SpanFlagsContextHasIsRemoteMask is a mask for HAS_IS_REMOTE status.
+	//
+	// Bits 8 and 9 are used to indicate that the parent span or link span is
+	// remote. Bit 8 (`HAS_IS_REMOTE`) indicates whether the value is known.
 	SpanFlagsContextHasIsRemoteMask SpanFlags = 256
-	// SpanFlagsContextHasIsRemoteMask indicates the Span is remote.
+	// SpanFlagsContextIsRemoteMask is a mask for IS_REMOTE status.
+	//
+	// Bits 8 and 9 are used to indicate that the parent span or link span is
+	// remote. Bit 9 (`IS_REMOTE`) indicates whether the span or link is
+	// remote.
 	SpanFlagsContextIsRemoteMask SpanFlags = 512
 )
 
@@ -266,27 +273,31 @@ const (
 type SpanKind int32
 
 const (
-	// Indicates that the span represents an internal operation within an application,
-	// as opposed to an operation happening at the boundaries. Default value.
+	// SpanKindInternal indicates that the span represents an internal
+	// operation within an application, as opposed to an operation happening at
+	// the boundaries.
 	SpanKindInternal SpanKind = 1
-	// Indicates that the span covers server-side handling of an RPC or other
-	// remote network request.
+	// SpanKindServer indicates that the span covers server-side handling of an
+	// RPC or other remote network request.
 	SpanKindServer SpanKind = 2
-	// Indicates that the span describes a request to some remote service.
+	// SpanKindClient indicates that the span describes a request to some
+	// remote service.
 	SpanKindClient SpanKind = 3
-	// Indicates that the span describes a producer sending a message to a broker.
-	// Unlike CLIENT and SERVER, there is often no direct critical path latency relationship
-	// between producer and consumer spans. A PRODUCER span ends when the message was accepted
-	// by the broker while the logical processing of the message might span a much longer time.
+	// SpanKindProducer indicates that the span describes a producer sending a
+	// message to a broker. Unlike SpanKindClient and SpanKindServer, there is
+	// often no direct critical path latency relationship between producer and
+	// consumer spans. A SpanKindProducer span ends when the message was
+	// accepted by the broker while the logical processing of the message might
+	// span a much longer time.
 	SpanKindProducer SpanKind = 4
-	// Indicates that the span describes consumer receiving a message from a broker.
-	// Like the PRODUCER kind, there is often no direct critical path latency relationship
-	// between producer and consumer spans.
+	// SpanKindConsumer indicates that the span describes a consumer receiving
+	// a message from a broker. Like SpanKindProducer, there is often no direct
+	// critical path latency relationship between producer and consumer spans.
 	SpanKindConsumer SpanKind = 5
 )
 
-// Event is a time-stamped annotation of the span, consisting of user-supplied
-// text description and key-value pairs.
+// SpanEvent is a time-stamped annotation of the span, consisting of
+// user-supplied text description and key-value pairs.
 type SpanEvent struct {
 	// time_unix_nano is the time the event occurred.
 	Time time.Time `json:"timeUnixNano,omitempty"`
@@ -369,10 +380,11 @@ func (se *SpanEvent) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A pointer from the current span to another span in the same trace or in a
-// different trace. For example, this can be used in batching operations,
-// where a single batch handler processes multiple requests from different
-// traces or when the handler receives a request from a different project.
+// SpanLink is a reference from the current span to another span in the same
+// trace or in a different trace. For example, this can be used in batching
+// operations, where a single batch handler processes multiple requests from
+// different traces or when the handler receives a request from a different
+// project.
 type SpanLink struct {
 	// A unique identifier of a trace that this linked span is part of. The ID is a
 	// 16-byte array.
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go
index 1d013a8f..1039bf40 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go
@@ -3,17 +3,19 @@
 
 package telemetry // import "go.opentelemetry.io/otel/trace/internal/telemetry"
 
+// StatusCode is the status of a Span.
+//
 // For the semantics of status codes see
 // https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/api.md#set-status
 type StatusCode int32
 
 const (
-	// The default status.
+	// StatusCodeUnset is the default status.
 	StatusCodeUnset StatusCode = 0
-	// The Span has been validated by an Application developer or Operator to
-	// have completed successfully.
+	// StatusCodeOK is used when the Span has been validated by an Application
+	// developer or Operator to have completed successfully.
 	StatusCodeOK StatusCode = 1
-	// The Span contains an error.
+	// StatusCodeError is used when the Span contains an error.
 	StatusCodeError StatusCode = 2
 )
 
@@ -30,7 +32,7 @@ func (s StatusCode) String() string {
 	return "<unknown telemetry.StatusCode>"
 }
 
-// The Status type defines a logical error model that is suitable for different
+// Status defines a logical error model that is suitable for different
 // programming environments, including REST APIs and RPC APIs.
 type Status struct {
 	// A developer-facing human readable error message.
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go
index b0394070..e5f10767 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go
@@ -71,7 +71,7 @@ func (td *Traces) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A collection of ScopeSpans from a Resource.
+// ResourceSpans is a collection of ScopeSpans from a Resource.
 type ResourceSpans struct {
 	// The resource for the spans in this message.
 	// If this field is not set then no resource info is known.
@@ -128,7 +128,7 @@ func (rs *ResourceSpans) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A collection of Spans produced by an InstrumentationScope.
+// ScopeSpans is a collection of Spans produced by an InstrumentationScope.
 type ScopeSpans struct {
 	// The instrumentation scope information for the spans in this message.
 	// Semantically when InstrumentationScope isn't set, it is equivalent with
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
index 7251492d..ae9ce102 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
@@ -316,7 +316,7 @@ func (v Value) String() string {
 	case ValueKindBool:
 		return strconv.FormatBool(v.asBool())
 	case ValueKindBytes:
-		return fmt.Sprint(v.asBytes())
+		return string(v.asBytes())
 	case ValueKindMap:
 		return fmt.Sprint(v.asMap())
 	case ValueKindSlice:
diff --git a/vendor/go.opentelemetry.io/otel/trace/noop.go b/vendor/go.opentelemetry.io/otel/trace/noop.go
index c8b1ae5d..0f56e4db 100644
--- a/vendor/go.opentelemetry.io/otel/trace/noop.go
+++ b/vendor/go.opentelemetry.io/otel/trace/noop.go
@@ -95,6 +95,8 @@ var autoInstEnabled = new(bool)
 // tracerProvider return a noopTracerProvider if autoEnabled is false,
 // otherwise it will return a TracerProvider from the sdk package used in
 // auto-instrumentation.
+//
+//go:noinline
 func (noopSpan) tracerProvider(autoEnabled *bool) TracerProvider {
 	if *autoEnabled {
 		return newAutoTracerProvider()
diff --git a/vendor/go.opentelemetry.io/otel/verify_readmes.sh b/vendor/go.opentelemetry.io/otel/verify_readmes.sh
deleted file mode 100644
index 1e87855e..00000000
--- a/vendor/go.opentelemetry.io/otel/verify_readmes.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-# Copyright The OpenTelemetry Authors
-# SPDX-License-Identifier: Apache-2.0
-
-set -euo pipefail
-
-dirs=$(find . -type d -not -path "*/internal*" -not -path "*/test*" -not -path "*/example*" -not -path "*/.*" | sort)
-
-missingReadme=false
-for dir in $dirs; do
-	if [ ! -f "$dir/README.md" ]; then
-		echo "couldn't find README.md for $dir"
-		missingReadme=true
-	fi
-done
-
-if [ "$missingReadme" = true ] ; then
-	echo "Error: some READMEs couldn't be found."
-	exit 1
-fi
diff --git a/vendor/go.opentelemetry.io/otel/version.go b/vendor/go.opentelemetry.io/otel/version.go
index d5fa71f6..7afe92b5 100644
--- a/vendor/go.opentelemetry.io/otel/version.go
+++ b/vendor/go.opentelemetry.io/otel/version.go
@@ -5,5 +5,5 @@ package otel // import "go.opentelemetry.io/otel"
 
 // Version is the current release version of OpenTelemetry in use.
 func Version() string {
-	return "1.35.0"
+	return "1.37.0"
 }
diff --git a/vendor/go.opentelemetry.io/otel/versions.yaml b/vendor/go.opentelemetry.io/otel/versions.yaml
index 2b4cb4b4..9d4742a1 100644
--- a/vendor/go.opentelemetry.io/otel/versions.yaml
+++ b/vendor/go.opentelemetry.io/otel/versions.yaml
@@ -3,13 +3,12 @@
 
 module-sets:
   stable-v1:
-    version: v1.35.0
+    version: v1.37.0
     modules:
       - go.opentelemetry.io/otel
       - go.opentelemetry.io/otel/bridge/opencensus
       - go.opentelemetry.io/otel/bridge/opencensus/test
       - go.opentelemetry.io/otel/bridge/opentracing
-      - go.opentelemetry.io/otel/bridge/opentracing/test
       - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
       - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
       - go.opentelemetry.io/otel/exporters/otlp/otlptrace
@@ -23,14 +22,16 @@ module-sets:
       - go.opentelemetry.io/otel/sdk/metric
       - go.opentelemetry.io/otel/trace
   experimental-metrics:
-    version: v0.57.0
+    version: v0.59.0
     modules:
       - go.opentelemetry.io/otel/exporters/prometheus
   experimental-logs:
-    version: v0.11.0
+    version: v0.13.0
     modules:
       - go.opentelemetry.io/otel/log
+      - go.opentelemetry.io/otel/log/logtest
       - go.opentelemetry.io/otel/sdk/log
+      - go.opentelemetry.io/otel/sdk/log/logtest
       - go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc
       - go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
       - go.opentelemetry.io/otel/exporters/stdout/stdoutlog
diff --git a/vendor/go.opentelemetry.io/proto/otlp/collector/metrics/v1/metrics_service_grpc.pb.go b/vendor/go.opentelemetry.io/proto/otlp/collector/metrics/v1/metrics_service_grpc.pb.go
index 31d25fc1..fc668643 100644
--- a/vendor/go.opentelemetry.io/proto/otlp/collector/metrics/v1/metrics_service_grpc.pb.go
+++ b/vendor/go.opentelemetry.io/proto/otlp/collector/metrics/v1/metrics_service_grpc.pb.go
@@ -22,8 +22,6 @@ const _ = grpc.SupportPackageIsVersion7
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type MetricsServiceClient interface {
-	// For performance reasons, it is recommended to keep this RPC
-	// alive for the entire life of the application.
 	Export(ctx context.Context, in *ExportMetricsServiceRequest, opts ...grpc.CallOption) (*ExportMetricsServiceResponse, error)
 }
 
@@ -48,8 +46,6 @@ func (c *metricsServiceClient) Export(ctx context.Context, in *ExportMetricsServ
 // All implementations must embed UnimplementedMetricsServiceServer
 // for forward compatibility
 type MetricsServiceServer interface {
-	// For performance reasons, it is recommended to keep this RPC
-	// alive for the entire life of the application.
 	Export(context.Context, *ExportMetricsServiceRequest) (*ExportMetricsServiceResponse, error)
 	mustEmbedUnimplementedMetricsServiceServer()
 }
diff --git a/vendor/go.opentelemetry.io/proto/otlp/collector/trace/v1/trace_service_grpc.pb.go b/vendor/go.opentelemetry.io/proto/otlp/collector/trace/v1/trace_service_grpc.pb.go
index dd1b73f1..892864ea 100644
--- a/vendor/go.opentelemetry.io/proto/otlp/collector/trace/v1/trace_service_grpc.pb.go
+++ b/vendor/go.opentelemetry.io/proto/otlp/collector/trace/v1/trace_service_grpc.pb.go
@@ -22,8 +22,6 @@ const _ = grpc.SupportPackageIsVersion7
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type TraceServiceClient interface {
-	// For performance reasons, it is recommended to keep this RPC
-	// alive for the entire life of the application.
 	Export(ctx context.Context, in *ExportTraceServiceRequest, opts ...grpc.CallOption) (*ExportTraceServiceResponse, error)
 }
 
@@ -48,8 +46,6 @@ func (c *traceServiceClient) Export(ctx context.Context, in *ExportTraceServiceR
 // All implementations must embed UnimplementedTraceServiceServer
 // for forward compatibility
 type TraceServiceServer interface {
-	// For performance reasons, it is recommended to keep this RPC
-	// alive for the entire life of the application.
 	Export(context.Context, *ExportTraceServiceRequest) (*ExportTraceServiceResponse, error)
 	mustEmbedUnimplementedTraceServiceServer()
 }
diff --git a/vendor/go.opentelemetry.io/proto/otlp/common/v1/common.pb.go b/vendor/go.opentelemetry.io/proto/otlp/common/v1/common.pb.go
index 852209b0..a7c5d19b 100644
--- a/vendor/go.opentelemetry.io/proto/otlp/common/v1/common.pb.go
+++ b/vendor/go.opentelemetry.io/proto/otlp/common/v1/common.pb.go
@@ -430,6 +430,101 @@ func (x *InstrumentationScope) GetDroppedAttributesCount() uint32 {
 	return 0
 }
 
+// A reference to an Entity.
+// Entity represents an object of interest associated with produced telemetry: e.g spans, metrics, profiles, or logs.
+//
+// Status: [Development]
+type EntityRef struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The Schema URL, if known. This is the identifier of the Schema that the entity data
+	// is recorded in. To learn more about Schema URL see
+	// https://opentelemetry.io/docs/specs/otel/schemas/#schema-url
+	//
+	// This schema_url applies to the data in this message and to the Resource attributes
+	// referenced by id_keys and description_keys.
+	// TODO: discuss if we are happy with this somewhat complicated definition of what
+	// the schema_url applies to.
+	//
+	// This field obsoletes the schema_url field in ResourceMetrics/ResourceSpans/ResourceLogs.
+	SchemaUrl string `protobuf:"bytes,1,opt,name=schema_url,json=schemaUrl,proto3" json:"schema_url,omitempty"`
+	// Defines the type of the entity. MUST not change during the lifetime of the entity.
+	// For example: "service" or "host". This field is required and MUST not be empty
+	// for valid entities.
+	Type string `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"`
+	// Attribute Keys that identify the entity.
+	// MUST not change during the lifetime of the entity. The Id must contain at least one attribute.
+	// These keys MUST exist in the containing {message}.attributes.
+	IdKeys []string `protobuf:"bytes,3,rep,name=id_keys,json=idKeys,proto3" json:"id_keys,omitempty"`
+	// Descriptive (non-identifying) attribute keys of the entity.
+	// MAY change over the lifetime of the entity. MAY be empty.
+	// These attribute keys are not part of entity's identity.
+	// These keys MUST exist in the containing {message}.attributes.
+	DescriptionKeys []string `protobuf:"bytes,4,rep,name=description_keys,json=descriptionKeys,proto3" json:"description_keys,omitempty"`
+}
+
+func (x *EntityRef) Reset() {
+	*x = EntityRef{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_opentelemetry_proto_common_v1_common_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EntityRef) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EntityRef) ProtoMessage() {}
+
+func (x *EntityRef) ProtoReflect() protoreflect.Message {
+	mi := &file_opentelemetry_proto_common_v1_common_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EntityRef.ProtoReflect.Descriptor instead.
+func (*EntityRef) Descriptor() ([]byte, []int) {
+	return file_opentelemetry_proto_common_v1_common_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *EntityRef) GetSchemaUrl() string {
+	if x != nil {
+		return x.SchemaUrl
+	}
+	return ""
+}
+
+func (x *EntityRef) GetType() string {
+	if x != nil {
+		return x.Type
+	}
+	return ""
+}
+
+func (x *EntityRef) GetIdKeys() []string {
+	if x != nil {
+		return x.IdKeys
+	}
+	return nil
+}
+
+func (x *EntityRef) GetDescriptionKeys() []string {
+	if x != nil {
+		return x.DescriptionKeys
+	}
+	return nil
+}
+
 var File_opentelemetry_proto_common_v1_common_proto protoreflect.FileDescriptor
 
 var file_opentelemetry_proto_common_v1_common_proto_rawDesc = []byte{
@@ -488,15 +583,23 @@ var file_opentelemetry_proto_common_v1_common_proto_rawDesc = []byte{
 	0x72, 0x6f, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65,
 	0x73, 0x5f, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x16, 0x64,
 	0x72, 0x6f, 0x70, 0x70, 0x65, 0x64, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73,
-	0x43, 0x6f, 0x75, 0x6e, 0x74, 0x42, 0x7b, 0x0a, 0x20, 0x69, 0x6f, 0x2e, 0x6f, 0x70, 0x65, 0x6e,
-	0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e,
-	0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f,
-	0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x28, 0x67, 0x6f, 0x2e, 0x6f, 0x70, 0x65,
-	0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x69, 0x6f, 0x2f, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x2f, 0x6f, 0x74, 0x6c, 0x70, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f,
-	0x76, 0x31, 0xaa, 0x02, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74,
-	0x72, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
-	0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x82, 0x01, 0x0a, 0x09, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79,
+	0x52, 0x65, 0x66, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, 0x75, 0x72,
+	0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x55,
+	0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x69, 0x64, 0x5f, 0x6b, 0x65, 0x79,
+	0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x69, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x12,
+	0x29, 0x0a, 0x10, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b,
+	0x65, 0x79, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x64, 0x65, 0x73, 0x63, 0x72,
+	0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x73, 0x42, 0x7b, 0x0a, 0x20, 0x69, 0x6f,
+	0x2e, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b,
+	0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x28, 0x67,
+	0x6f, 0x2e, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e,
+	0x69, 0x6f, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6f, 0x74, 0x6c, 0x70, 0x2f, 0x63, 0x6f,
+	0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xaa, 0x02, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x65,
+	0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x6f,
+	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -511,13 +614,14 @@ func file_opentelemetry_proto_common_v1_common_proto_rawDescGZIP() []byte {
 	return file_opentelemetry_proto_common_v1_common_proto_rawDescData
 }
 
-var file_opentelemetry_proto_common_v1_common_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_opentelemetry_proto_common_v1_common_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
 var file_opentelemetry_proto_common_v1_common_proto_goTypes = []interface{}{
 	(*AnyValue)(nil),             // 0: opentelemetry.proto.common.v1.AnyValue
 	(*ArrayValue)(nil),           // 1: opentelemetry.proto.common.v1.ArrayValue
 	(*KeyValueList)(nil),         // 2: opentelemetry.proto.common.v1.KeyValueList
 	(*KeyValue)(nil),             // 3: opentelemetry.proto.common.v1.KeyValue
 	(*InstrumentationScope)(nil), // 4: opentelemetry.proto.common.v1.InstrumentationScope
+	(*EntityRef)(nil),            // 5: opentelemetry.proto.common.v1.EntityRef
 }
 var file_opentelemetry_proto_common_v1_common_proto_depIdxs = []int32{
 	1, // 0: opentelemetry.proto.common.v1.AnyValue.array_value:type_name -> opentelemetry.proto.common.v1.ArrayValue
@@ -599,6 +703,18 @@ func file_opentelemetry_proto_common_v1_common_proto_init() {
 				return nil
 			}
 		}
+		file_opentelemetry_proto_common_v1_common_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EntityRef); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	file_opentelemetry_proto_common_v1_common_proto_msgTypes[0].OneofWrappers = []interface{}{
 		(*AnyValue_StringValue)(nil),
@@ -615,7 +731,7 @@ func file_opentelemetry_proto_common_v1_common_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_opentelemetry_proto_common_v1_common_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   5,
+			NumMessages:   6,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/vendor/go.opentelemetry.io/proto/otlp/metrics/v1/metrics.pb.go b/vendor/go.opentelemetry.io/proto/otlp/metrics/v1/metrics.pb.go
index 8799d6ba..ec187b13 100644
--- a/vendor/go.opentelemetry.io/proto/otlp/metrics/v1/metrics.pb.go
+++ b/vendor/go.opentelemetry.io/proto/otlp/metrics/v1/metrics.pb.go
@@ -526,7 +526,7 @@ type Metric struct {
 	// description of the metric, which can be used in documentation.
 	Description string `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
 	// unit in which the metric value is reported. Follows the format
-	// described by http://unitsofmeasure.org/ucum.html.
+	// described by https://unitsofmeasure.org/ucum.html.
 	Unit string `protobuf:"bytes,3,opt,name=unit,proto3" json:"unit,omitempty"`
 	// Data determines the aggregation type (if any) of the metric, what is the
 	// reported value type for the data points, as well as the relatationship to
@@ -929,7 +929,7 @@ func (x *ExponentialHistogram) GetAggregationTemporality() AggregationTemporalit
 
 // Summary metric data are used to convey quantile summaries,
 // a Prometheus (see: https://prometheus.io/docs/concepts/metric_types/#summary)
-// and OpenMetrics (see: https://github.com/OpenObservability/OpenMetrics/blob/4dbf6075567ab43296eed941037c12951faafb92/protos/prometheus.proto#L45)
+// and OpenMetrics (see: https://github.com/prometheus/OpenMetrics/blob/4dbf6075567ab43296eed941037c12951faafb92/protos/prometheus.proto#L45)
 // data type. These data points cannot always be merged in a meaningful way.
 // While they can be useful in some applications, histogram data points are
 // recommended for new applications.
@@ -1175,7 +1175,9 @@ type HistogramDataPoint struct {
 	// The sum of the bucket_counts must equal the value in the count field.
 	//
 	// The number of elements in bucket_counts array must be by one greater than
-	// the number of elements in explicit_bounds array.
+	// the number of elements in explicit_bounds array. The exception to this rule
+	// is when the length of bucket_counts is 0, then the length of explicit_bounds
+	// must also be 0.
 	BucketCounts []uint64 `protobuf:"fixed64,6,rep,packed,name=bucket_counts,json=bucketCounts,proto3" json:"bucket_counts,omitempty"`
 	// explicit_bounds specifies buckets with explicitly defined bounds for values.
 	//
@@ -1190,6 +1192,9 @@ type HistogramDataPoint struct {
 	// Histogram buckets are inclusive of their upper boundary, except the last
 	// bucket where the boundary is at infinity. This format is intentionally
 	// compatible with the OpenMetrics histogram definition.
+	//
+	// If bucket_counts length is 0 then explicit_bounds length must also be 0,
+	// otherwise the data point is invalid.
 	ExplicitBounds []float64 `protobuf:"fixed64,7,rep,packed,name=explicit_bounds,json=explicitBounds,proto3" json:"explicit_bounds,omitempty"`
 	// (Optional) List of exemplars collected from
 	// measurements that were used to form the data point
diff --git a/vendor/go.opentelemetry.io/proto/otlp/resource/v1/resource.pb.go b/vendor/go.opentelemetry.io/proto/otlp/resource/v1/resource.pb.go
index b7545b03..eb7745d6 100644
--- a/vendor/go.opentelemetry.io/proto/otlp/resource/v1/resource.pb.go
+++ b/vendor/go.opentelemetry.io/proto/otlp/resource/v1/resource.pb.go
@@ -48,6 +48,12 @@ type Resource struct {
 	// dropped_attributes_count is the number of dropped attributes. If the value is 0, then
 	// no attributes were dropped.
 	DroppedAttributesCount uint32 `protobuf:"varint,2,opt,name=dropped_attributes_count,json=droppedAttributesCount,proto3" json:"dropped_attributes_count,omitempty"`
+	// Set of entities that participate in this Resource.
+	//
+	// Note: keys in the references MUST exist in attributes of this message.
+	//
+	// Status: [Development]
+	EntityRefs []*v1.EntityRef `protobuf:"bytes,3,rep,name=entity_refs,json=entityRefs,proto3" json:"entity_refs,omitempty"`
 }
 
 func (x *Resource) Reset() {
@@ -96,6 +102,13 @@ func (x *Resource) GetDroppedAttributesCount() uint32 {
 	return 0
 }
 
+func (x *Resource) GetEntityRefs() []*v1.EntityRef {
+	if x != nil {
+		return x.EntityRefs
+	}
+	return nil
+}
+
 var File_opentelemetry_proto_resource_v1_resource_proto protoreflect.FileDescriptor
 
 var file_opentelemetry_proto_resource_v1_resource_proto_rawDesc = []byte{
@@ -106,7 +119,7 @@ var file_opentelemetry_proto_resource_v1_resource_proto_rawDesc = []byte{
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x76,
 	0x31, 0x1a, 0x2a, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79,
 	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31,
-	0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8d, 0x01,
+	0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd8, 0x01,
 	0x0a, 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x47, 0x0a, 0x0a, 0x61, 0x74,
 	0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27,
 	0x2e, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x70,
@@ -115,16 +128,21 @@ var file_opentelemetry_proto_resource_v1_resource_proto_rawDesc = []byte{
 	0x74, 0x65, 0x73, 0x12, 0x38, 0x0a, 0x18, 0x64, 0x72, 0x6f, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x61,
 	0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18,
 	0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x16, 0x64, 0x72, 0x6f, 0x70, 0x70, 0x65, 0x64, 0x41, 0x74,
-	0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x42, 0x83, 0x01,
-	0x0a, 0x22, 0x69, 0x6f, 0x2e, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74,
-	0x72, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
-	0x65, 0x2e, 0x76, 0x31, 0x42, 0x0d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x72,
-	0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2a, 0x67, 0x6f, 0x2e, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65,
-	0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x69, 0x6f, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x2f, 0x6f, 0x74, 0x6c, 0x70, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x76,
-	0x31, 0xaa, 0x02, 0x1f, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72,
-	0x79, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x2e, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x49, 0x0a,
+	0x0b, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x72, 0x65, 0x66, 0x73, 0x18, 0x03, 0x20, 0x03,
+	0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74,
+	0x72, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
+	0x76, 0x31, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x65, 0x66, 0x52, 0x0a, 0x65, 0x6e,
+	0x74, 0x69, 0x74, 0x79, 0x52, 0x65, 0x66, 0x73, 0x42, 0x83, 0x01, 0x0a, 0x22, 0x69, 0x6f, 0x2e,
+	0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x76, 0x31, 0x42,
+	0x0d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
+	0x5a, 0x2a, 0x67, 0x6f, 0x2e, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74,
+	0x72, 0x79, 0x2e, 0x69, 0x6f, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6f, 0x74, 0x6c, 0x70,
+	0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x76, 0x31, 0xaa, 0x02, 0x1f, 0x4f,
+	0x70, 0x65, 0x6e, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x50, 0x72, 0x6f,
+	0x74, 0x6f, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x56, 0x31, 0x62, 0x06,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -141,16 +159,18 @@ func file_opentelemetry_proto_resource_v1_resource_proto_rawDescGZIP() []byte {
 
 var file_opentelemetry_proto_resource_v1_resource_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
 var file_opentelemetry_proto_resource_v1_resource_proto_goTypes = []interface{}{
-	(*Resource)(nil),    // 0: opentelemetry.proto.resource.v1.Resource
-	(*v1.KeyValue)(nil), // 1: opentelemetry.proto.common.v1.KeyValue
+	(*Resource)(nil),     // 0: opentelemetry.proto.resource.v1.Resource
+	(*v1.KeyValue)(nil),  // 1: opentelemetry.proto.common.v1.KeyValue
+	(*v1.EntityRef)(nil), // 2: opentelemetry.proto.common.v1.EntityRef
 }
 var file_opentelemetry_proto_resource_v1_resource_proto_depIdxs = []int32{
 	1, // 0: opentelemetry.proto.resource.v1.Resource.attributes:type_name -> opentelemetry.proto.common.v1.KeyValue
-	1, // [1:1] is the sub-list for method output_type
-	1, // [1:1] is the sub-list for method input_type
-	1, // [1:1] is the sub-list for extension type_name
-	1, // [1:1] is the sub-list for extension extendee
-	0, // [0:1] is the sub-list for field type_name
+	2, // 1: opentelemetry.proto.resource.v1.Resource.entity_refs:type_name -> opentelemetry.proto.common.v1.EntityRef
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
 }
 
 func init() { file_opentelemetry_proto_resource_v1_resource_proto_init() }
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2x.go b/vendor/golang.org/x/crypto/blake2b/blake2x.go
index 52c414db..7692bb34 100644
--- a/vendor/golang.org/x/crypto/blake2b/blake2x.go
+++ b/vendor/golang.org/x/crypto/blake2b/blake2x.go
@@ -12,6 +12,8 @@ import (
 
 // XOF defines the interface to hash functions that
 // support arbitrary-length output.
+//
+// New callers should prefer the standard library [hash.XOF].
 type XOF interface {
 	// Write absorbs more data into the hash's state. It panics if called
 	// after Read.
@@ -47,6 +49,8 @@ const maxOutputLength = (1 << 32) * 64
 //
 // A non-nil key turns the hash into a MAC. The key must between
 // zero and 32 bytes long.
+//
+// The result can be safely interface-upgraded to [hash.XOF].
 func NewXOF(size uint32, key []byte) (XOF, error) {
 	if len(key) > Size {
 		return nil, errKeySize
@@ -93,6 +97,10 @@ func (x *xof) Clone() XOF {
 	return &clone
 }
 
+func (x *xof) BlockSize() int {
+	return x.d.BlockSize()
+}
+
 func (x *xof) Reset() {
 	x.cfg[0] = byte(Size)
 	binary.LittleEndian.PutUint32(x.cfg[4:], uint32(Size)) // leaf length
diff --git a/vendor/golang.org/x/crypto/blake2b/go125.go b/vendor/golang.org/x/crypto/blake2b/go125.go
new file mode 100644
index 00000000..67e990b7
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blake2b/go125.go
@@ -0,0 +1,11 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.25
+
+package blake2b
+
+import "hash"
+
+var _ hash.XOF = (*xof)(nil)
diff --git a/vendor/golang.org/x/crypto/cryptobyte/asn1.go b/vendor/golang.org/x/crypto/cryptobyte/asn1.go
index 2492f796..d25979d9 100644
--- a/vendor/golang.org/x/crypto/cryptobyte/asn1.go
+++ b/vendor/golang.org/x/crypto/cryptobyte/asn1.go
@@ -234,7 +234,7 @@ func (b *Builder) AddASN1(tag asn1.Tag, f BuilderContinuation) {
 	// Identifiers with the low five bits set indicate high-tag-number format
 	// (two or more octets), which we don't support.
 	if tag&0x1f == 0x1f {
-		b.err = fmt.Errorf("cryptobyte: high-tag number identifier octects not supported: 0x%x", tag)
+		b.err = fmt.Errorf("cryptobyte: high-tag number identifier octets not supported: 0x%x", tag)
 		return
 	}
 	b.AddUint8(uint8(tag))
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go
deleted file mode 100644
index 59b3a95a..00000000
--- a/vendor/golang.org/x/crypto/ed25519/ed25519.go
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// https://ed25519.cr.yp.to/.
-//
-// These functions are also compatible with the “Ed25519” function defined in
-// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
-// representation includes a public key suffix to make multiple signing
-// operations with the same key more efficient. This package refers to the RFC
-// 8032 private key as the “seed”.
-//
-// This package is a wrapper around the standard library crypto/ed25519 package.
-package ed25519
-
-import (
-	"crypto/ed25519"
-	"io"
-)
-
-const (
-	// PublicKeySize is the size, in bytes, of public keys as used in this package.
-	PublicKeySize = 32
-	// PrivateKeySize is the size, in bytes, of private keys as used in this package.
-	PrivateKeySize = 64
-	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
-	SignatureSize = 64
-	// SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
-	SeedSize = 32
-)
-
-// PublicKey is the type of Ed25519 public keys.
-//
-// This type is an alias for crypto/ed25519's PublicKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PublicKey = ed25519.PublicKey
-
-// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
-//
-// This type is an alias for crypto/ed25519's PrivateKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PrivateKey = ed25519.PrivateKey
-
-// GenerateKey generates a public/private key pair using entropy from rand.
-// If rand is nil, crypto/rand.Reader will be used.
-func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) {
-	return ed25519.GenerateKey(rand)
-}
-
-// NewKeyFromSeed calculates a private key from a seed. It will panic if
-// len(seed) is not SeedSize. This function is provided for interoperability
-// with RFC 8032. RFC 8032's private keys correspond to seeds in this
-// package.
-func NewKeyFromSeed(seed []byte) PrivateKey {
-	return ed25519.NewKeyFromSeed(seed)
-}
-
-// Sign signs the message with privateKey and returns a signature. It will
-// panic if len(privateKey) is not PrivateKeySize.
-func Sign(privateKey PrivateKey, message []byte) []byte {
-	return ed25519.Sign(privateKey, message)
-}
-
-// Verify reports whether sig is a valid signature of message by publicKey. It
-// will panic if len(publicKey) is not PublicKeySize.
-func Verify(publicKey PublicKey, message, sig []byte) bool {
-	return ed25519.Verify(publicKey, message, sig)
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go b/vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go
index bd896bdc..8d99551f 100644
--- a/vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go
+++ b/vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build (!amd64 && !ppc64le && !ppc64 && !s390x) || !gc || purego
+//go:build (!amd64 && !loong64 && !ppc64le && !ppc64 && !s390x) || !gc || purego
 
 package poly1305
 
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.go b/vendor/golang.org/x/crypto/internal/poly1305/sum_asm.go
similarity index 94%
rename from vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.go
rename to vendor/golang.org/x/crypto/internal/poly1305/sum_asm.go
index 164cd47d..315b84ac 100644
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.go
+++ b/vendor/golang.org/x/crypto/internal/poly1305/sum_asm.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build gc && !purego
+//go:build gc && !purego && (amd64 || loong64 || ppc64 || ppc64le)
 
 package poly1305
 
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_loong64.s b/vendor/golang.org/x/crypto/internal/poly1305/sum_loong64.s
new file mode 100644
index 00000000..bc8361da
--- /dev/null
+++ b/vendor/golang.org/x/crypto/internal/poly1305/sum_loong64.s
@@ -0,0 +1,123 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build gc && !purego
+
+// func update(state *macState, msg []byte)
+TEXT ·update(SB), $0-32
+	MOVV	state+0(FP), R4
+	MOVV	msg_base+8(FP), R5
+	MOVV	msg_len+16(FP), R6
+
+	MOVV	$0x10, R7
+
+	MOVV	(R4), R8	// h0
+	MOVV	8(R4), R9	// h1
+	MOVV	16(R4), R10	// h2
+	MOVV	24(R4), R11	// r0
+	MOVV	32(R4), R12	// r1
+
+	BLT	R6, R7, bytes_between_0_and_15
+
+loop:
+	MOVV	(R5), R14	// msg[0:8]
+	MOVV	8(R5), R16	// msg[8:16]
+	ADDV	R14, R8, R8	// h0 (x1 + y1 = z1', if z1' < x1 then z1' overflow)
+	ADDV	R16, R9, R27
+	SGTU	R14, R8, R24	// h0.carry
+	SGTU	R9, R27, R28
+	ADDV	R27, R24, R9	// h1
+	SGTU	R27, R9, R24
+	OR	R24, R28, R24	// h1.carry
+	ADDV	$0x01, R24, R24
+	ADDV	R10, R24, R10	// h2
+
+	ADDV	$16, R5, R5	// msg = msg[16:]
+
+multiply:
+	MULV	R8, R11, R14	// h0r0.lo
+	MULHVU	R8, R11, R15	// h0r0.hi
+	MULV	R9, R11, R13	// h1r0.lo
+	MULHVU	R9, R11, R16	// h1r0.hi
+	ADDV	R13, R15, R15
+	SGTU	R13, R15, R24
+	ADDV	R24, R16, R16
+	MULV	R10, R11, R25
+	ADDV	R16, R25, R25
+	MULV	R8, R12, R13	// h0r1.lo
+	MULHVU	R8, R12, R16	// h0r1.hi
+	ADDV	R13, R15, R15
+	SGTU	R13, R15, R24
+	ADDV	R24, R16, R16
+	MOVV	R16, R8
+	MULV	R10, R12, R26	// h2r1
+	MULV	R9, R12, R13	// h1r1.lo
+	MULHVU	R9, R12, R16	// h1r1.hi
+	ADDV	R13, R25, R25
+	ADDV	R16, R26, R27
+	SGTU	R13, R25, R24
+	ADDV	R27, R24, R26
+	ADDV	R8, R25, R25
+	SGTU	R8, R25, R24
+	ADDV	R24, R26, R26
+	AND	$3, R25, R10
+	AND	$-4, R25, R17
+	ADDV	R17, R14, R8
+	ADDV	R26, R15, R27
+	SGTU	R17, R8, R24
+	SGTU	R26, R27, R28
+	ADDV	R27, R24, R9
+	SGTU	R27, R9, R24
+	OR	R24, R28, R24
+	ADDV	R24, R10, R10
+	SLLV	$62, R26, R27
+	SRLV	$2, R25, R28
+	SRLV	$2, R26, R26
+	OR	R27, R28, R25
+	ADDV	R25, R8, R8
+	ADDV	R26, R9, R27
+	SGTU	R25, R8, R24
+	SGTU	R26, R27, R28
+	ADDV	R27, R24, R9
+	SGTU	R27, R9, R24
+	OR	R24, R28, R24
+	ADDV	R24, R10, R10
+
+	SUBV	$16, R6, R6
+	BGE	R6, R7, loop
+
+bytes_between_0_and_15:
+	BEQ	R6, R0, done
+	MOVV	$1, R14
+	XOR	R15, R15
+	ADDV	R6, R5, R5
+
+flush_buffer:
+	MOVBU	-1(R5), R25
+	SRLV	$56, R14, R24
+	SLLV	$8, R15, R28
+	SLLV	$8, R14, R14
+	OR	R24, R28, R15
+	XOR	R25, R14, R14
+	SUBV	$1, R6, R6
+	SUBV	$1, R5, R5
+	BNE	R6, R0, flush_buffer
+
+	ADDV	R14, R8, R8
+	SGTU	R14, R8, R24
+	ADDV	R15, R9, R27
+	SGTU	R15, R27, R28
+	ADDV	R27, R24, R9
+	SGTU	R27, R9, R24
+	OR	R24, R28, R24
+	ADDV	R10, R24, R10
+
+	MOVV	$16, R6
+	JMP	multiply
+
+done:
+	MOVV	R8, (R4)
+	MOVV	R9, 8(R4)
+	MOVV	R10, 16(R4)
+	RET
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.go b/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.go
deleted file mode 100644
index 1a1679aa..00000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.go
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego && (ppc64 || ppc64le)
-
-package poly1305
-
-//go:noescape
-func update(state *macState, msg []byte)
-
-// mac is a wrapper for macGeneric that redirects calls that would have gone to
-// updateGeneric to update.
-//
-// Its Write and Sum methods are otherwise identical to the macGeneric ones, but
-// using function pointers would carry a major performance cost.
-type mac struct{ macGeneric }
-
-func (h *mac) Write(p []byte) (int, error) {
-	nn := len(p)
-	if h.offset > 0 {
-		n := copy(h.buffer[h.offset:], p)
-		if h.offset+n < TagSize {
-			h.offset += n
-			return nn, nil
-		}
-		p = p[n:]
-		h.offset = 0
-		update(&h.macState, h.buffer[:])
-	}
-	if n := len(p) - (len(p) % TagSize); n > 0 {
-		update(&h.macState, p[:n])
-		p = p[n:]
-	}
-	if len(p) > 0 {
-		h.offset += copy(h.buffer[h.offset:], p)
-	}
-	return nn, nil
-}
-
-func (h *mac) Sum(out *[16]byte) {
-	state := h.macState
-	if h.offset > 0 {
-		update(&state, h.buffer[:h.offset])
-	}
-	finalize(out, &state.h, &state.s)
-}
diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
deleted file mode 100644
index 28cd99c7..00000000
--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
-2898 / PKCS #5 v2.0.
-
-A key derivation function is useful when encrypting data based on a password
-or any other not-fully-random data. It uses a pseudorandom function to derive
-a secure encryption key based on the password.
-
-While v2.0 of the standard defines only one pseudorandom function to use,
-HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
-Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
-choose, you can pass the `New` functions from the different SHA packages to
-pbkdf2.Key.
-*/
-package pbkdf2
-
-import (
-	"crypto/hmac"
-	"hash"
-)
-
-// Key derives a key from the password, salt and iteration count, returning a
-// []byte of length keylen that can be used as cryptographic key. The key is
-// derived based on the method described as PBKDF2 with the HMAC variant using
-// the supplied hash function.
-//
-// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
-// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
-// doing:
-//
-//	dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
-//
-// Remember to get a good random salt. At least 8 bytes is recommended by the
-// RFC.
-//
-// Using a higher iteration count will increase the cost of an exhaustive
-// search but will also make derivation proportionally slower.
-func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
-	prf := hmac.New(h, password)
-	hashLen := prf.Size()
-	numBlocks := (keyLen + hashLen - 1) / hashLen
-
-	var buf [4]byte
-	dk := make([]byte, 0, numBlocks*hashLen)
-	U := make([]byte, hashLen)
-	for block := 1; block <= numBlocks; block++ {
-		// N.B.: || means concatenation, ^ means XOR
-		// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
-		// U_1 = PRF(password, salt || uint(i))
-		prf.Reset()
-		prf.Write(salt)
-		buf[0] = byte(block >> 24)
-		buf[1] = byte(block >> 16)
-		buf[2] = byte(block >> 8)
-		buf[3] = byte(block)
-		prf.Write(buf[:4])
-		dk = prf.Sum(dk)
-		T := dk[len(dk)-hashLen:]
-		copy(U, T)
-
-		// U_n = PRF(password, U_(n-1))
-		for n := 2; n <= iter; n++ {
-			prf.Reset()
-			prf.Write(U)
-			U = U[:0]
-			U = prf.Sum(U)
-			for x := range U {
-				T[x] ^= U[x]
-			}
-		}
-	}
-	return dk[:keyLen]
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
index 106708d2..37525e1a 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
@@ -555,7 +555,7 @@ func (c *client) insertKey(s interface{}, comment string, constraints []byte) er
 		})
 	case *dsa.PrivateKey:
 		req = ssh.Marshal(dsaKeyMsg{
-			Type:        ssh.KeyAlgoDSA,
+			Type:        ssh.InsecureKeyAlgoDSA,
 			P:           k.P,
 			Q:           k.Q,
 			G:           k.G,
@@ -803,16 +803,16 @@ var _ ssh.AlgorithmSigner = &agentKeyringSigner{}
 //
 // This map must be kept in sync with the one in certs.go.
 var certKeyAlgoNames = map[string]string{
-	ssh.CertAlgoRSAv01:        ssh.KeyAlgoRSA,
-	ssh.CertAlgoRSASHA256v01:  ssh.KeyAlgoRSASHA256,
-	ssh.CertAlgoRSASHA512v01:  ssh.KeyAlgoRSASHA512,
-	ssh.CertAlgoDSAv01:        ssh.KeyAlgoDSA,
-	ssh.CertAlgoECDSA256v01:   ssh.KeyAlgoECDSA256,
-	ssh.CertAlgoECDSA384v01:   ssh.KeyAlgoECDSA384,
-	ssh.CertAlgoECDSA521v01:   ssh.KeyAlgoECDSA521,
-	ssh.CertAlgoSKECDSA256v01: ssh.KeyAlgoSKECDSA256,
-	ssh.CertAlgoED25519v01:    ssh.KeyAlgoED25519,
-	ssh.CertAlgoSKED25519v01:  ssh.KeyAlgoSKED25519,
+	ssh.CertAlgoRSAv01:         ssh.KeyAlgoRSA,
+	ssh.CertAlgoRSASHA256v01:   ssh.KeyAlgoRSASHA256,
+	ssh.CertAlgoRSASHA512v01:   ssh.KeyAlgoRSASHA512,
+	ssh.InsecureCertAlgoDSAv01: ssh.InsecureKeyAlgoDSA,
+	ssh.CertAlgoECDSA256v01:    ssh.KeyAlgoECDSA256,
+	ssh.CertAlgoECDSA384v01:    ssh.KeyAlgoECDSA384,
+	ssh.CertAlgoECDSA521v01:    ssh.KeyAlgoECDSA521,
+	ssh.CertAlgoSKECDSA256v01:  ssh.KeyAlgoSKECDSA256,
+	ssh.CertAlgoED25519v01:     ssh.KeyAlgoED25519,
+	ssh.CertAlgoSKED25519v01:   ssh.KeyAlgoSKED25519,
 }
 
 // underlyingAlgo returns the signature algorithm associated with algo (which is
diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
index e35ca7ce..88ce4da6 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
@@ -506,7 +506,7 @@ func (s *server) insertIdentity(req []byte) error {
 	switch record.Type {
 	case ssh.KeyAlgoRSA:
 		addedKey, err = parseRSAKey(req)
-	case ssh.KeyAlgoDSA:
+	case ssh.InsecureKeyAlgoDSA:
 		addedKey, err = parseDSAKey(req)
 	case ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521:
 		addedKey, err = parseECDSAKey(req)
@@ -514,7 +514,7 @@ func (s *server) insertIdentity(req []byte) error {
 		addedKey, err = parseEd25519Key(req)
 	case ssh.CertAlgoRSAv01:
 		addedKey, err = parseRSACert(req)
-	case ssh.CertAlgoDSAv01:
+	case ssh.InsecureCertAlgoDSAv01:
 		addedKey, err = parseDSACert(req)
 	case ssh.CertAlgoECDSA256v01, ssh.CertAlgoECDSA384v01, ssh.CertAlgoECDSA521v01:
 		addedKey, err = parseECDSACert(req)
diff --git a/vendor/golang.org/x/crypto/ssh/certs.go b/vendor/golang.org/x/crypto/ssh/certs.go
index 27d0e14a..139fa31e 100644
--- a/vendor/golang.org/x/crypto/ssh/certs.go
+++ b/vendor/golang.org/x/crypto/ssh/certs.go
@@ -20,14 +20,19 @@ import (
 // returned by MultiAlgorithmSigner and don't appear in the Signature.Format
 // field.
 const (
-	CertAlgoRSAv01        = "ssh-rsa-cert-v01@openssh.com"
-	CertAlgoDSAv01        = "ssh-dss-cert-v01@openssh.com"
-	CertAlgoECDSA256v01   = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
-	CertAlgoECDSA384v01   = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
-	CertAlgoECDSA521v01   = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
-	CertAlgoSKECDSA256v01 = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
-	CertAlgoED25519v01    = "ssh-ed25519-cert-v01@openssh.com"
-	CertAlgoSKED25519v01  = "sk-ssh-ed25519-cert-v01@openssh.com"
+	CertAlgoRSAv01 = "ssh-rsa-cert-v01@openssh.com"
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	CertAlgoDSAv01 = InsecureCertAlgoDSAv01
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	InsecureCertAlgoDSAv01 = "ssh-dss-cert-v01@openssh.com"
+	CertAlgoECDSA256v01    = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+	CertAlgoECDSA384v01    = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+	CertAlgoECDSA521v01    = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+	CertAlgoSKECDSA256v01  = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+	CertAlgoED25519v01     = "ssh-ed25519-cert-v01@openssh.com"
+	CertAlgoSKED25519v01   = "sk-ssh-ed25519-cert-v01@openssh.com"
 
 	// CertAlgoRSASHA256v01 and CertAlgoRSASHA512v01 can't appear as a
 	// Certificate.Type (or PublicKey.Type), but only in
@@ -228,7 +233,11 @@ func parseCert(in []byte, privAlgo string) (*Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	// The Type() function is intended to return only certificate key types, but
+	// we use certKeyAlgoNames anyway for safety, to match [Certificate.Type].
+	if _, ok := certKeyAlgoNames[k.Type()]; ok {
+		return nil, fmt.Errorf("ssh: the signature key type %q is invalid for certificates", k.Type())
+	}
 	c.SignatureKey = k
 	c.Signature, rest, ok = parseSignatureBody(g.Signature)
 	if !ok || len(rest) > 0 {
@@ -296,16 +305,13 @@ type CertChecker struct {
 	SupportedCriticalOptions []string
 
 	// IsUserAuthority should return true if the key is recognized as an
-	// authority for the given user certificate. This allows for
-	// certificates to be signed by other certificates. This must be set
-	// if this CertChecker will be checking user certificates.
+	// authority for user certificate. This must be set if this CertChecker
+	// will be checking user certificates.
 	IsUserAuthority func(auth PublicKey) bool
 
 	// IsHostAuthority should report whether the key is recognized as
-	// an authority for this host. This allows for certificates to be
-	// signed by other keys, and for those other keys to only be valid
-	// signers for particular hostnames. This must be set if this
-	// CertChecker will be checking host certificates.
+	// an authority for this host. This must be set if this CertChecker
+	// will be checking host certificates.
 	IsHostAuthority func(auth PublicKey, address string) bool
 
 	// Clock is used for verifying time stamps. If nil, time.Now
@@ -442,12 +448,19 @@ func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
 // SignCert signs the certificate with an authority, setting the Nonce,
 // SignatureKey, and Signature fields. If the authority implements the
 // MultiAlgorithmSigner interface the first algorithm in the list is used. This
-// is useful if you want to sign with a specific algorithm.
+// is useful if you want to sign with a specific algorithm. As specified in
+// [SSH-CERTS], Section 2.1.1, authority can't be a [Certificate].
 func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 	c.Nonce = make([]byte, 32)
 	if _, err := io.ReadFull(rand, c.Nonce); err != nil {
 		return err
 	}
+	// The Type() function is intended to return only certificate key types, but
+	// we use certKeyAlgoNames anyway for safety, to match [Certificate.Type].
+	if _, ok := certKeyAlgoNames[authority.PublicKey().Type()]; ok {
+		return fmt.Errorf("ssh: certificates cannot be used as authority (public key type %q)",
+			authority.PublicKey().Type())
+	}
 	c.SignatureKey = authority.PublicKey()
 
 	if v, ok := authority.(MultiAlgorithmSigner); ok {
@@ -485,16 +498,16 @@ func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 //
 // This map must be kept in sync with the one in agent/client.go.
 var certKeyAlgoNames = map[string]string{
-	CertAlgoRSAv01:        KeyAlgoRSA,
-	CertAlgoRSASHA256v01:  KeyAlgoRSASHA256,
-	CertAlgoRSASHA512v01:  KeyAlgoRSASHA512,
-	CertAlgoDSAv01:        KeyAlgoDSA,
-	CertAlgoECDSA256v01:   KeyAlgoECDSA256,
-	CertAlgoECDSA384v01:   KeyAlgoECDSA384,
-	CertAlgoECDSA521v01:   KeyAlgoECDSA521,
-	CertAlgoSKECDSA256v01: KeyAlgoSKECDSA256,
-	CertAlgoED25519v01:    KeyAlgoED25519,
-	CertAlgoSKED25519v01:  KeyAlgoSKED25519,
+	CertAlgoRSAv01:         KeyAlgoRSA,
+	CertAlgoRSASHA256v01:   KeyAlgoRSASHA256,
+	CertAlgoRSASHA512v01:   KeyAlgoRSASHA512,
+	InsecureCertAlgoDSAv01: InsecureKeyAlgoDSA,
+	CertAlgoECDSA256v01:    KeyAlgoECDSA256,
+	CertAlgoECDSA384v01:    KeyAlgoECDSA384,
+	CertAlgoECDSA521v01:    KeyAlgoECDSA521,
+	CertAlgoSKECDSA256v01:  KeyAlgoSKECDSA256,
+	CertAlgoED25519v01:     KeyAlgoED25519,
+	CertAlgoSKED25519v01:   KeyAlgoSKED25519,
 }
 
 // underlyingAlgo returns the signature algorithm associated with algo (which is
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
index 741e984f..6a5b582a 100644
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ b/vendor/golang.org/x/crypto/ssh/cipher.go
@@ -58,11 +58,11 @@ func newRC4(key, iv []byte) (cipher.Stream, error) {
 type cipherMode struct {
 	keySize int
 	ivSize  int
-	create  func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error)
+	create  func(key, iv []byte, macKey []byte, algs DirectionAlgorithms) (packetCipher, error)
 }
 
-func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
-	return func(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
+	return func(key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 		stream, err := createFunc(key, iv)
 		if err != nil {
 			return nil, err
@@ -98,36 +98,36 @@ func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream,
 var cipherModes = map[string]*cipherMode{
 	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
 	// are defined in the order specified in the RFC.
-	"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	CipherAES128CTR: {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	CipherAES192CTR: {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+	CipherAES256CTR: {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
 
 	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
 	// They are defined in the order specified in the RFC.
-	"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
-	"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
+	InsecureCipherRC4128: {16, 0, streamCipherMode(1536, newRC4)},
+	InsecureCipherRC4256: {32, 0, streamCipherMode(1536, newRC4)},
 
 	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
 	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
 	// RC4) has problems with weak keys, and should be used with caution."
 	// RFC 4345 introduces improved versions of Arcfour.
-	"arcfour": {16, 0, streamCipherMode(0, newRC4)},
+	InsecureCipherRC4: {16, 0, streamCipherMode(0, newRC4)},
 
 	// AEAD ciphers
-	gcm128CipherID:     {16, 12, newGCMCipher},
-	gcm256CipherID:     {32, 12, newGCMCipher},
-	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
+	CipherAES128GCM:        {16, 12, newGCMCipher},
+	CipherAES256GCM:        {32, 12, newGCMCipher},
+	CipherChaCha20Poly1305: {64, 0, newChaCha20Cipher},
 
 	// CBC mode is insecure and so is not included in the default config.
 	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.
-	aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},
+	InsecureCipherAES128CBC: {16, aes.BlockSize, newAESCBCCipher},
 
 	// 3des-cbc is insecure and is not included in the default
 	// config.
-	tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
+	InsecureCipherTripleDESCBC: {24, des.BlockSize, newTripleDESCBCCipher},
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
@@ -307,7 +307,7 @@ type gcmCipher struct {
 	buf    []byte
 }
 
-func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
+func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs DirectionAlgorithms) (packetCipher, error) {
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
@@ -429,7 +429,7 @@ type cbcCipher struct {
 	oracleCamouflage uint32
 }
 
-func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 	cbc := &cbcCipher{
 		mac:        macModes[algs.MAC].new(macKey),
 		decrypter:  cipher.NewCBCDecrypter(c, iv),
@@ -443,7 +443,7 @@ func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorith
 	return cbc, nil
 }
 
-func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newAESCBCCipher(key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
@@ -457,7 +457,7 @@ func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCi
 	return cbc, nil
 }
 
-func newTripleDESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newTripleDESCBCCipher(key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 	c, err := des.NewTripleDESCipher(key)
 	if err != nil {
 		return nil, err
@@ -635,8 +635,6 @@ func (c *cbcCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader
 	return nil
 }
 
-const chacha20Poly1305ID = "chacha20-poly1305@openssh.com"
-
 // chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com
 // AEAD, which is described here:
 //
@@ -650,7 +648,7 @@ type chacha20Poly1305Cipher struct {
 	buf        []byte
 }
 
-func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
+func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs DirectionAlgorithms) (packetCipher, error) {
 	if len(key) != 64 {
 		panic(len(key))
 	}
diff --git a/vendor/golang.org/x/crypto/ssh/client.go b/vendor/golang.org/x/crypto/ssh/client.go
index fd8c4974..33079789 100644
--- a/vendor/golang.org/x/crypto/ssh/client.go
+++ b/vendor/golang.org/x/crypto/ssh/client.go
@@ -110,6 +110,7 @@ func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) e
 	}
 
 	c.sessionID = c.transport.getSessionID()
+	c.algorithms = c.transport.getAlgorithms()
 	return c.clientAuthenticate(config)
 }
 
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth.go b/vendor/golang.org/x/crypto/ssh/client_auth.go
index b86dde15..c12818fd 100644
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ b/vendor/golang.org/x/crypto/ssh/client_auth.go
@@ -289,7 +289,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 		}
 	}
 
-	algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos)
+	algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos, true)
 	if err != nil {
 		// If there is no overlap, return the fallback algorithm to support
 		// servers that fail to list all supported algorithms.
diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go
index 7e9c2cbc..f2ec0896 100644
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ b/vendor/golang.org/x/crypto/ssh/common.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"math"
+	"slices"
 	"sync"
 
 	_ "crypto/sha1"
@@ -24,69 +25,258 @@ const (
 	serviceSSH      = "ssh-connection"
 )
 
-// supportedCiphers lists ciphers we support but might not recommend.
-var supportedCiphers = []string{
-	"aes128-ctr", "aes192-ctr", "aes256-ctr",
-	"aes128-gcm@openssh.com", gcm256CipherID,
-	chacha20Poly1305ID,
-	"arcfour256", "arcfour128", "arcfour",
-	aes128cbcID,
-	tripledescbcID,
+// The ciphers currently or previously implemented by this library, to use in
+// [Config.Ciphers]. For a list, see the [Algorithms.Ciphers] returned by
+// [SupportedAlgorithms] or [InsecureAlgorithms].
+const (
+	CipherAES128GCM            = "aes128-gcm@openssh.com"
+	CipherAES256GCM            = "aes256-gcm@openssh.com"
+	CipherChaCha20Poly1305     = "chacha20-poly1305@openssh.com"
+	CipherAES128CTR            = "aes128-ctr"
+	CipherAES192CTR            = "aes192-ctr"
+	CipherAES256CTR            = "aes256-ctr"
+	InsecureCipherAES128CBC    = "aes128-cbc"
+	InsecureCipherTripleDESCBC = "3des-cbc"
+	InsecureCipherRC4          = "arcfour"
+	InsecureCipherRC4128       = "arcfour128"
+	InsecureCipherRC4256       = "arcfour256"
+)
+
+// The key exchanges currently or previously implemented by this library, to use
+// in [Config.KeyExchanges]. For a list, see the
+// [Algorithms.KeyExchanges] returned by [SupportedAlgorithms] or
+// [InsecureAlgorithms].
+const (
+	InsecureKeyExchangeDH1SHA1   = "diffie-hellman-group1-sha1"
+	InsecureKeyExchangeDH14SHA1  = "diffie-hellman-group14-sha1"
+	KeyExchangeDH14SHA256        = "diffie-hellman-group14-sha256"
+	KeyExchangeDH16SHA512        = "diffie-hellman-group16-sha512"
+	KeyExchangeECDHP256          = "ecdh-sha2-nistp256"
+	KeyExchangeECDHP384          = "ecdh-sha2-nistp384"
+	KeyExchangeECDHP521          = "ecdh-sha2-nistp521"
+	KeyExchangeCurve25519        = "curve25519-sha256"
+	InsecureKeyExchangeDHGEXSHA1 = "diffie-hellman-group-exchange-sha1"
+	KeyExchangeDHGEXSHA256       = "diffie-hellman-group-exchange-sha256"
+	// KeyExchangeMLKEM768X25519 is supported from Go 1.24.
+	KeyExchangeMLKEM768X25519 = "mlkem768x25519-sha256"
+
+	// An alias for KeyExchangeCurve25519SHA256. This kex ID will be added if
+	// KeyExchangeCurve25519SHA256 is requested for backward compatibility with
+	// OpenSSH versions up to 7.2.
+	keyExchangeCurve25519LibSSH = "curve25519-sha256@libssh.org"
+)
+
+// The message authentication code (MAC) currently or previously implemented by
+// this library, to use in [Config.MACs]. For a list, see the
+// [Algorithms.MACs] returned by [SupportedAlgorithms] or
+// [InsecureAlgorithms].
+const (
+	HMACSHA256ETM      = "hmac-sha2-256-etm@openssh.com"
+	HMACSHA512ETM      = "hmac-sha2-512-etm@openssh.com"
+	HMACSHA256         = "hmac-sha2-256"
+	HMACSHA512         = "hmac-sha2-512"
+	HMACSHA1           = "hmac-sha1"
+	InsecureHMACSHA196 = "hmac-sha1-96"
+)
+
+var (
+	// supportedKexAlgos specifies key-exchange algorithms implemented by this
+	// package in preference order, excluding those with security issues.
+	supportedKexAlgos = []string{
+		KeyExchangeCurve25519,
+		KeyExchangeECDHP256,
+		KeyExchangeECDHP384,
+		KeyExchangeECDHP521,
+		KeyExchangeDH14SHA256,
+		KeyExchangeDH16SHA512,
+		KeyExchangeDHGEXSHA256,
+	}
+	// defaultKexAlgos specifies the default preference for key-exchange
+	// algorithms in preference order.
+	defaultKexAlgos = []string{
+		KeyExchangeCurve25519,
+		KeyExchangeECDHP256,
+		KeyExchangeECDHP384,
+		KeyExchangeECDHP521,
+		KeyExchangeDH14SHA256,
+		InsecureKeyExchangeDH14SHA1,
+	}
+	// insecureKexAlgos specifies key-exchange algorithms implemented by this
+	// package and which have security issues.
+	insecureKexAlgos = []string{
+		InsecureKeyExchangeDH14SHA1,
+		InsecureKeyExchangeDH1SHA1,
+		InsecureKeyExchangeDHGEXSHA1,
+	}
+	// supportedCiphers specifies cipher algorithms implemented by this package
+	// in preference order, excluding those with security issues.
+	supportedCiphers = []string{
+		CipherAES128GCM,
+		CipherAES256GCM,
+		CipherChaCha20Poly1305,
+		CipherAES128CTR,
+		CipherAES192CTR,
+		CipherAES256CTR,
+	}
+	// defaultCiphers specifies the default preference for ciphers algorithms
+	// in preference order.
+	defaultCiphers = supportedCiphers
+	// insecureCiphers specifies cipher algorithms implemented by this
+	// package and which have security issues.
+	insecureCiphers = []string{
+		InsecureCipherAES128CBC,
+		InsecureCipherTripleDESCBC,
+		InsecureCipherRC4256,
+		InsecureCipherRC4128,
+		InsecureCipherRC4,
+	}
+	// supportedMACs specifies MAC algorithms implemented by this package in
+	// preference order, excluding those with security issues.
+	supportedMACs = []string{
+		HMACSHA256ETM,
+		HMACSHA512ETM,
+		HMACSHA256,
+		HMACSHA512,
+		HMACSHA1,
+	}
+	// defaultMACs specifies the default preference for MAC algorithms in
+	// preference order.
+	defaultMACs = []string{
+		HMACSHA256ETM,
+		HMACSHA512ETM,
+		HMACSHA256,
+		HMACSHA512,
+		HMACSHA1,
+		InsecureHMACSHA196,
+	}
+	// insecureMACs specifies MAC algorithms implemented by this
+	// package and which have security issues.
+	insecureMACs = []string{
+		InsecureHMACSHA196,
+	}
+	// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e.
+	// methods of authenticating servers) implemented by this package in
+	// preference order, excluding those with security issues.
+	supportedHostKeyAlgos = []string{
+		CertAlgoRSASHA256v01,
+		CertAlgoRSASHA512v01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoED25519v01,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoED25519,
+	}
+	// defaultHostKeyAlgos specifies the default preference for host-key
+	// algorithms in preference order.
+	defaultHostKeyAlgos = []string{
+		CertAlgoRSASHA256v01,
+		CertAlgoRSASHA512v01,
+		CertAlgoRSAv01,
+		InsecureCertAlgoDSAv01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoED25519v01,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+		KeyAlgoED25519,
+	}
+	// insecureHostKeyAlgos specifies host-key algorithms implemented by this
+	// package and which have security issues.
+	insecureHostKeyAlgos = []string{
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+		CertAlgoRSAv01,
+		InsecureCertAlgoDSAv01,
+	}
+	// supportedPubKeyAuthAlgos specifies the supported client public key
+	// authentication algorithms. Note that this doesn't include certificate
+	// types since those use the underlying algorithm. Order is irrelevant.
+	supportedPubKeyAuthAlgos = []string{
+		KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+	}
+
+	// defaultPubKeyAuthAlgos specifies the preferred client public key
+	// authentication algorithms. This list is sent to the client if it supports
+	// the server-sig-algs extension. Order is irrelevant.
+	defaultPubKeyAuthAlgos = []string{
+		KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+	}
+	// insecurePubKeyAuthAlgos specifies client public key authentication
+	// algorithms implemented by this package and which have security issues.
+	insecurePubKeyAuthAlgos = []string{
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+	}
+)
+
+// NegotiatedAlgorithms defines algorithms negotiated between client and server.
+type NegotiatedAlgorithms struct {
+	KeyExchange string
+	HostKey     string
+	Read        DirectionAlgorithms
+	Write       DirectionAlgorithms
 }
 
-// preferredCiphers specifies the default preference for ciphers.
-var preferredCiphers = []string{
-	"aes128-gcm@openssh.com", gcm256CipherID,
-	chacha20Poly1305ID,
-	"aes128-ctr", "aes192-ctr", "aes256-ctr",
+// Algorithms defines a set of algorithms that can be configured in the client
+// or server config for negotiation during a handshake.
+type Algorithms struct {
+	KeyExchanges   []string
+	Ciphers        []string
+	MACs           []string
+	HostKeys       []string
+	PublicKeyAuths []string
 }
 
-// supportedKexAlgos specifies the supported key-exchange algorithms in
-// preference order.
-var supportedKexAlgos = []string{
-	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
-	// P384 and P521 are not constant-time yet, but since we don't
-	// reuse ephemeral keys, using them for ECDH should be OK.
-	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA256, kexAlgoDH16SHA512, kexAlgoDH14SHA1,
-	kexAlgoDH1SHA1,
+// SupportedAlgorithms returns algorithms currently implemented by this package,
+// excluding those with security issues, which are returned by
+// InsecureAlgorithms. The algorithms listed here are in preference order.
+func SupportedAlgorithms() Algorithms {
+	return Algorithms{
+		Ciphers:        slices.Clone(supportedCiphers),
+		MACs:           slices.Clone(supportedMACs),
+		KeyExchanges:   slices.Clone(supportedKexAlgos),
+		HostKeys:       slices.Clone(supportedHostKeyAlgos),
+		PublicKeyAuths: slices.Clone(supportedPubKeyAuthAlgos),
+	}
 }
 
-// serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden
-// for the server half.
-var serverForbiddenKexAlgos = map[string]struct{}{
-	kexAlgoDHGEXSHA1:   {}, // server half implementation is only minimal to satisfy the automated tests
-	kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests
-}
-
-// preferredKexAlgos specifies the default preference for key-exchange
-// algorithms in preference order. The diffie-hellman-group16-sha512 algorithm
-// is disabled by default because it is a bit slower than the others.
-var preferredKexAlgos = []string{
-	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
-	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA256, kexAlgoDH14SHA1,
-}
-
-// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
-// of authenticating servers) in preference order.
-var supportedHostKeyAlgos = []string{
-	CertAlgoRSASHA256v01, CertAlgoRSASHA512v01,
-	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
-	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
-
-	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
-	KeyAlgoRSASHA256, KeyAlgoRSASHA512,
-	KeyAlgoRSA, KeyAlgoDSA,
-
-	KeyAlgoED25519,
-}
-
-// supportedMACs specifies a default set of MAC algorithms in preference order.
-// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
-// because they have reached the end of their useful life.
-var supportedMACs = []string{
-	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
+// InsecureAlgorithms returns algorithms currently implemented by this package
+// and which have security issues.
+func InsecureAlgorithms() Algorithms {
+	return Algorithms{
+		KeyExchanges:   slices.Clone(insecureKexAlgos),
+		Ciphers:        slices.Clone(insecureCiphers),
+		MACs:           slices.Clone(insecureMACs),
+		HostKeys:       slices.Clone(insecureHostKeyAlgos),
+		PublicKeyAuths: slices.Clone(insecurePubKeyAuthAlgos),
+	}
 }
 
 var supportedCompressions = []string{compressionNone}
@@ -94,13 +284,13 @@ var supportedCompressions = []string{compressionNone}
 // hashFuncs keeps the mapping of supported signature algorithms to their
 // respective hashes needed for signing and verification.
 var hashFuncs = map[string]crypto.Hash{
-	KeyAlgoRSA:       crypto.SHA1,
-	KeyAlgoRSASHA256: crypto.SHA256,
-	KeyAlgoRSASHA512: crypto.SHA512,
-	KeyAlgoDSA:       crypto.SHA1,
-	KeyAlgoECDSA256:  crypto.SHA256,
-	KeyAlgoECDSA384:  crypto.SHA384,
-	KeyAlgoECDSA521:  crypto.SHA512,
+	KeyAlgoRSA:         crypto.SHA1,
+	KeyAlgoRSASHA256:   crypto.SHA256,
+	KeyAlgoRSASHA512:   crypto.SHA512,
+	InsecureKeyAlgoDSA: crypto.SHA1,
+	KeyAlgoECDSA256:    crypto.SHA256,
+	KeyAlgoECDSA384:    crypto.SHA384,
+	KeyAlgoECDSA521:    crypto.SHA512,
 	// KeyAlgoED25519 doesn't pre-hash.
 	KeyAlgoSKECDSA256: crypto.SHA256,
 	KeyAlgoSKED25519:  crypto.SHA256,
@@ -135,18 +325,6 @@ func isRSACert(algo string) bool {
 	return isRSA(algo)
 }
 
-// supportedPubKeyAuthAlgos specifies the supported client public key
-// authentication algorithms. Note that this doesn't include certificate types
-// since those use the underlying algorithm. This list is sent to the client if
-// it supports the server-sig-algs extension. Order is irrelevant.
-var supportedPubKeyAuthAlgos = []string{
-	KeyAlgoED25519,
-	KeyAlgoSKED25519, KeyAlgoSKECDSA256,
-	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
-	KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA,
-	KeyAlgoDSA,
-}
-
 // unexpectedMessageError results when the SSH message that we received didn't
 // match what we wanted.
 func unexpectedMessageError(expected, got uint8) error {
@@ -158,7 +336,7 @@ func parseError(tag uint8) error {
 	return fmt.Errorf("ssh: parse error in message type %d", tag)
 }
 
-func findCommon(what string, client []string, server []string) (common string, err error) {
+func findCommon(what string, client []string, server []string, isClient bool) (string, error) {
 	for _, c := range client {
 		for _, s := range server {
 			if c == s {
@@ -166,23 +344,49 @@ func findCommon(what string, client []string, server []string) (common string, e
 			}
 		}
 	}
-	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
+	err := &AlgorithmNegotiationError{
+		What: what,
+	}
+	if isClient {
+		err.SupportedAlgorithms = client
+		err.RequestedAlgorithms = server
+	} else {
+		err.SupportedAlgorithms = server
+		err.RequestedAlgorithms = client
+	}
+	return "", err
 }
 
-// directionAlgorithms records algorithm choices in one direction (either read or write)
-type directionAlgorithms struct {
+// AlgorithmNegotiationError defines the error returned if the client and the
+// server cannot agree on an algorithm for key exchange, host key, cipher, MAC.
+type AlgorithmNegotiationError struct {
+	What string
+	// RequestedAlgorithms lists the algorithms supported by the peer.
+	RequestedAlgorithms []string
+	// SupportedAlgorithms lists the algorithms supported on our side.
+	SupportedAlgorithms []string
+}
+
+func (a *AlgorithmNegotiationError) Error() string {
+	return fmt.Sprintf("ssh: no common algorithm for %s; we offered: %v, peer offered: %v",
+		a.What, a.SupportedAlgorithms, a.RequestedAlgorithms)
+}
+
+// DirectionAlgorithms defines the algorithms negotiated in one direction
+// (either read or write).
+type DirectionAlgorithms struct {
 	Cipher      string
 	MAC         string
-	Compression string
+	compression string
 }
 
 // rekeyBytes returns a rekeying intervals in bytes.
-func (a *directionAlgorithms) rekeyBytes() int64 {
+func (a *DirectionAlgorithms) rekeyBytes() int64 {
 	// According to RFC 4344 block ciphers should rekey after
 	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
 	// 128.
 	switch a.Cipher {
-	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcm128CipherID, gcm256CipherID, aes128cbcID:
+	case CipherAES128CTR, CipherAES192CTR, CipherAES256CTR, CipherAES128GCM, CipherAES256GCM, InsecureCipherAES128CBC:
 		return 16 * (1 << 32)
 
 	}
@@ -192,66 +396,59 @@ func (a *directionAlgorithms) rekeyBytes() int64 {
 }
 
 var aeadCiphers = map[string]bool{
-	gcm128CipherID:     true,
-	gcm256CipherID:     true,
-	chacha20Poly1305ID: true,
+	CipherAES128GCM:        true,
+	CipherAES256GCM:        true,
+	CipherChaCha20Poly1305: true,
 }
 
-type algorithms struct {
-	kex     string
-	hostKey string
-	w       directionAlgorithms
-	r       directionAlgorithms
-}
+func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMsg) (algs *NegotiatedAlgorithms, err error) {
+	result := &NegotiatedAlgorithms{}
 
-func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
-	result := &algorithms{}
-
-	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
+	result.KeyExchange, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos, isClient)
 	if err != nil {
 		return
 	}
 
-	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
+	result.HostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos, isClient)
 	if err != nil {
 		return
 	}
 
-	stoc, ctos := &result.w, &result.r
+	stoc, ctos := &result.Write, &result.Read
 	if isClient {
 		ctos, stoc = stoc, ctos
 	}
 
-	ctos.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
+	ctos.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer, isClient)
 	if err != nil {
 		return
 	}
 
-	stoc.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
+	stoc.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient, isClient)
 	if err != nil {
 		return
 	}
 
 	if !aeadCiphers[ctos.Cipher] {
-		ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
+		ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer, isClient)
 		if err != nil {
 			return
 		}
 	}
 
 	if !aeadCiphers[stoc.Cipher] {
-		stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
+		stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient, isClient)
 		if err != nil {
 			return
 		}
 	}
 
-	ctos.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
+	ctos.compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer, isClient)
 	if err != nil {
 		return
 	}
 
-	stoc.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
+	stoc.compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient, isClient)
 	if err != nil {
 		return
 	}
@@ -297,7 +494,7 @@ func (c *Config) SetDefaults() {
 		c.Rand = rand.Reader
 	}
 	if c.Ciphers == nil {
-		c.Ciphers = preferredCiphers
+		c.Ciphers = defaultCiphers
 	}
 	var ciphers []string
 	for _, c := range c.Ciphers {
@@ -309,19 +506,22 @@ func (c *Config) SetDefaults() {
 	c.Ciphers = ciphers
 
 	if c.KeyExchanges == nil {
-		c.KeyExchanges = preferredKexAlgos
+		c.KeyExchanges = defaultKexAlgos
 	}
 	var kexs []string
 	for _, k := range c.KeyExchanges {
 		if kexAlgoMap[k] != nil {
 			// Ignore the KEX if we have no kexAlgoMap definition.
 			kexs = append(kexs, k)
+			if k == KeyExchangeCurve25519 && !contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
+				kexs = append(kexs, keyExchangeCurve25519LibSSH)
+			}
 		}
 	}
 	c.KeyExchanges = kexs
 
 	if c.MACs == nil {
-		c.MACs = supportedMACs
+		c.MACs = defaultMACs
 	}
 	var macs []string
 	for _, m := range c.MACs {
diff --git a/vendor/golang.org/x/crypto/ssh/connection.go b/vendor/golang.org/x/crypto/ssh/connection.go
index 8f345ee9..613a71a7 100644
--- a/vendor/golang.org/x/crypto/ssh/connection.go
+++ b/vendor/golang.org/x/crypto/ssh/connection.go
@@ -74,6 +74,13 @@ type Conn interface {
 	//   Disconnect
 }
 
+// AlgorithmsConnMetadata is a ConnMetadata that can return the algorithms
+// negotiated between client and server.
+type AlgorithmsConnMetadata interface {
+	ConnMetadata
+	Algorithms() NegotiatedAlgorithms
+}
+
 // DiscardRequests consumes and rejects all requests from the
 // passed-in channel.
 func DiscardRequests(in <-chan *Request) {
@@ -106,6 +113,7 @@ type sshConn struct {
 	sessionID     []byte
 	clientVersion []byte
 	serverVersion []byte
+	algorithms    NegotiatedAlgorithms
 }
 
 func dup(src []byte) []byte {
@@ -141,3 +149,7 @@ func (c *sshConn) ClientVersion() []byte {
 func (c *sshConn) ServerVersion() []byte {
 	return dup(c.serverVersion)
 }
+
+func (c *sshConn) Algorithms() NegotiatedAlgorithms {
+	return c.algorithms
+}
diff --git a/vendor/golang.org/x/crypto/ssh/doc.go b/vendor/golang.org/x/crypto/ssh/doc.go
index f5d352fe..04ccce34 100644
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ b/vendor/golang.org/x/crypto/ssh/doc.go
@@ -16,6 +16,7 @@ References:
 	[PROTOCOL]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=HEAD
 	[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
 	[SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
+	[SSH-CERTS]:	https://datatracker.ietf.org/doc/html/draft-miller-ssh-cert-01
 
 This package does not fall under the stability promise of the Go language itself,
 so its API may be changed when pressing needs arise.
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
index c9202b05..a90bfe33 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -5,7 +5,6 @@
 package ssh
 
 import (
-	"crypto/rand"
 	"errors"
 	"fmt"
 	"io"
@@ -39,7 +38,7 @@ type keyingTransport interface {
 	// prepareKeyChange sets up a key change. The key change for a
 	// direction will be effected if a msgNewKeys message is sent
 	// or received.
-	prepareKeyChange(*algorithms, *kexResult) error
+	prepareKeyChange(*NegotiatedAlgorithms, *kexResult) error
 
 	// setStrictMode sets the strict KEX mode, notably triggering
 	// sequence number resets on sending or receiving msgNewKeys.
@@ -116,7 +115,7 @@ type handshakeTransport struct {
 	bannerCallback BannerCallback
 
 	// Algorithms agreed in the last key exchange.
-	algorithms *algorithms
+	algorithms *NegotiatedAlgorithms
 
 	// Counters exclusively owned by readLoop.
 	readPacketsLeft uint32
@@ -165,7 +164,7 @@ func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byt
 	if config.HostKeyAlgorithms != nil {
 		t.hostKeyAlgorithms = config.HostKeyAlgorithms
 	} else {
-		t.hostKeyAlgorithms = supportedHostKeyAlgos
+		t.hostKeyAlgorithms = defaultHostKeyAlgos
 	}
 	go t.readLoop()
 	go t.kexLoop()
@@ -185,6 +184,10 @@ func (t *handshakeTransport) getSessionID() []byte {
 	return t.sessionID
 }
 
+func (t *handshakeTransport) getAlgorithms() NegotiatedAlgorithms {
+	return *t.algorithms
+}
+
 // waitSession waits for the session to be established. This should be
 // the first thing to call after instantiating handshakeTransport.
 func (t *handshakeTransport) waitSession() error {
@@ -291,7 +294,7 @@ func (t *handshakeTransport) resetWriteThresholds() {
 	if t.config.RekeyThreshold > 0 {
 		t.writeBytesLeft = int64(t.config.RekeyThreshold)
 	} else if t.algorithms != nil {
-		t.writeBytesLeft = t.algorithms.w.rekeyBytes()
+		t.writeBytesLeft = t.algorithms.Write.rekeyBytes()
 	} else {
 		t.writeBytesLeft = 1 << 30
 	}
@@ -408,7 +411,7 @@ func (t *handshakeTransport) resetReadThresholds() {
 	if t.config.RekeyThreshold > 0 {
 		t.readBytesLeft = int64(t.config.RekeyThreshold)
 	} else if t.algorithms != nil {
-		t.readBytesLeft = t.algorithms.r.rekeyBytes()
+		t.readBytesLeft = t.algorithms.Read.rekeyBytes()
 	} else {
 		t.readBytesLeft = 1 << 30
 	}
@@ -501,7 +504,7 @@ func (t *handshakeTransport) sendKexInit() error {
 		CompressionClientServer: supportedCompressions,
 		CompressionServerClient: supportedCompressions,
 	}
-	io.ReadFull(rand.Reader, msg.Cookie[:])
+	io.ReadFull(t.config.Rand, msg.Cookie[:])
 
 	// We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm,
 	// and possibly to add the ext-info extension algorithm. Since the slice may be the
@@ -701,9 +704,9 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		}
 	}
 
-	kex, ok := kexAlgoMap[t.algorithms.kex]
+	kex, ok := kexAlgoMap[t.algorithms.KeyExchange]
 	if !ok {
-		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
+		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.KeyExchange)
 	}
 
 	var result *kexResult
@@ -810,12 +813,12 @@ func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
 }
 
 func (t *handshakeTransport) server(kex kexAlgorithm, magics *handshakeMagics) (*kexResult, error) {
-	hostKey := pickHostKey(t.hostKeys, t.algorithms.hostKey)
+	hostKey := pickHostKey(t.hostKeys, t.algorithms.HostKey)
 	if hostKey == nil {
 		return nil, errors.New("ssh: internal error: negotiated unsupported signature type")
 	}
 
-	r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey, t.algorithms.hostKey)
+	r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey, t.algorithms.HostKey)
 	return r, err
 }
 
@@ -830,7 +833,7 @@ func (t *handshakeTransport) client(kex kexAlgorithm, magics *handshakeMagics) (
 		return nil, err
 	}
 
-	if err := verifyHostKeySignature(hostKey, t.algorithms.hostKey, result); err != nil {
+	if err := verifyHostKeySignature(hostKey, t.algorithms.HostKey, result); err != nil {
 		return nil, err
 	}
 
diff --git a/vendor/golang.org/x/crypto/ssh/kex.go b/vendor/golang.org/x/crypto/ssh/kex.go
index 8a05f799..cf388a92 100644
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ b/vendor/golang.org/x/crypto/ssh/kex.go
@@ -20,21 +20,18 @@ import (
 )
 
 const (
-	kexAlgoDH1SHA1                = "diffie-hellman-group1-sha1"
-	kexAlgoDH14SHA1               = "diffie-hellman-group14-sha1"
-	kexAlgoDH14SHA256             = "diffie-hellman-group14-sha256"
-	kexAlgoDH16SHA512             = "diffie-hellman-group16-sha512"
-	kexAlgoECDH256                = "ecdh-sha2-nistp256"
-	kexAlgoECDH384                = "ecdh-sha2-nistp384"
-	kexAlgoECDH521                = "ecdh-sha2-nistp521"
-	kexAlgoCurve25519SHA256LibSSH = "curve25519-sha256@libssh.org"
-	kexAlgoCurve25519SHA256       = "curve25519-sha256"
-
-	// For the following kex only the client half contains a production
-	// ready implementation. The server half only consists of a minimal
-	// implementation to satisfy the automated tests.
-	kexAlgoDHGEXSHA1   = "diffie-hellman-group-exchange-sha1"
-	kexAlgoDHGEXSHA256 = "diffie-hellman-group-exchange-sha256"
+	// This is the group called diffie-hellman-group1-sha1 in RFC 4253 and
+	// Oakley Group 2 in RFC 2409.
+	oakleyGroup2 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
+	// This is the group called diffie-hellman-group14-sha1 in RFC 4253 and
+	// Oakley Group 14 in RFC 3526.
+	oakleyGroup14 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
+	// This is the group called diffie-hellman-group15-sha512 in RFC 8268 and
+	// Oakley Group 15 in RFC 3526.
+	oakleyGroup15 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
+	// This is the group called diffie-hellman-group16-sha512 in RFC 8268 and
+	// Oakley Group 16 in RFC 3526.
+	oakleyGroup16 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF"
 )
 
 // kexResult captures the outcome of a key exchange.
@@ -402,53 +399,46 @@ func ecHash(curve elliptic.Curve) crypto.Hash {
 var kexAlgoMap = map[string]kexAlgorithm{}
 
 func init() {
-	// This is the group called diffie-hellman-group1-sha1 in
-	// RFC 4253 and Oakley Group 2 in RFC 2409.
-	p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
-	kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
+	p, _ := new(big.Int).SetString(oakleyGroup2, 16)
+	kexAlgoMap[InsecureKeyExchangeDH1SHA1] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
 		p:        p,
 		pMinus1:  new(big.Int).Sub(p, bigOne),
 		hashFunc: crypto.SHA1,
 	}
 
-	// This are the groups called diffie-hellman-group14-sha1 and
-	// diffie-hellman-group14-sha256 in RFC 4253 and RFC 8268,
-	// and Oakley Group 14 in RFC 3526.
-	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
+	p, _ = new(big.Int).SetString(oakleyGroup14, 16)
 	group14 := &dhGroup{
 		g:       new(big.Int).SetInt64(2),
 		p:       p,
 		pMinus1: new(big.Int).Sub(p, bigOne),
 	}
 
-	kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
+	kexAlgoMap[InsecureKeyExchangeDH14SHA1] = &dhGroup{
 		g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
 		hashFunc: crypto.SHA1,
 	}
-	kexAlgoMap[kexAlgoDH14SHA256] = &dhGroup{
+	kexAlgoMap[KeyExchangeDH14SHA256] = &dhGroup{
 		g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
 		hashFunc: crypto.SHA256,
 	}
 
-	// This is the group called diffie-hellman-group16-sha512 in RFC
-	// 8268 and Oakley Group 16 in RFC 3526.
-	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF", 16)
+	p, _ = new(big.Int).SetString(oakleyGroup16, 16)
 
-	kexAlgoMap[kexAlgoDH16SHA512] = &dhGroup{
+	kexAlgoMap[KeyExchangeDH16SHA512] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
 		p:        p,
 		pMinus1:  new(big.Int).Sub(p, bigOne),
 		hashFunc: crypto.SHA512,
 	}
 
-	kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
-	kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
-	kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
-	kexAlgoMap[kexAlgoCurve25519SHA256] = &curve25519sha256{}
-	kexAlgoMap[kexAlgoCurve25519SHA256LibSSH] = &curve25519sha256{}
-	kexAlgoMap[kexAlgoDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
-	kexAlgoMap[kexAlgoDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
+	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
+	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
+	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
+	kexAlgoMap[KeyExchangeCurve25519] = &curve25519sha256{}
+	kexAlgoMap[keyExchangeCurve25519LibSSH] = &curve25519sha256{}
+	kexAlgoMap[InsecureKeyExchangeDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
+	kexAlgoMap[KeyExchangeDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
 }
 
 // curve25519sha256 implements the curve25519-sha256 (formerly known as
@@ -601,9 +591,9 @@ const (
 func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	// Send GexRequest
 	kexDHGexRequest := kexDHGexRequestMsg{
-		MinBits:      dhGroupExchangeMinimumBits,
-		PreferedBits: dhGroupExchangePreferredBits,
-		MaxBits:      dhGroupExchangeMaximumBits,
+		MinBits:       dhGroupExchangeMinimumBits,
+		PreferredBits: dhGroupExchangePreferredBits,
+		MaxBits:       dhGroupExchangeMaximumBits,
 	}
 	if err := c.writePacket(Marshal(&kexDHGexRequest)); err != nil {
 		return nil, err
@@ -690,9 +680,7 @@ func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshak
 }
 
 // Server half implementation of the Diffie Hellman Key Exchange with SHA1 and SHA256.
-//
-// This is a minimal implementation to satisfy the automated tests.
-func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
+func (gex *dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
 	// Receive GexRequest
 	packet, err := c.readPacket()
 	if err != nil {
@@ -702,13 +690,32 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 	if err = Unmarshal(packet, &kexDHGexRequest); err != nil {
 		return
 	}
+	// We check that the request received is valid and that the MaxBits
+	// requested are at least equal to our supported minimum. This is the same
+	// check done in OpenSSH:
+	// https://github.com/openssh/openssh-portable/blob/80a2f64b/kexgexs.c#L94
+	//
+	// Furthermore, we also check that the required MinBits are less than or
+	// equal to 4096 because we can use up to Oakley Group 16.
+	if kexDHGexRequest.MaxBits < kexDHGexRequest.MinBits || kexDHGexRequest.PreferredBits < kexDHGexRequest.MinBits ||
+		kexDHGexRequest.MaxBits < kexDHGexRequest.PreferredBits || kexDHGexRequest.MaxBits < dhGroupExchangeMinimumBits ||
+		kexDHGexRequest.MinBits > 4096 {
+		return nil, fmt.Errorf("ssh: DH GEX request out of range, min: %d, max: %d, preferred: %d", kexDHGexRequest.MinBits,
+			kexDHGexRequest.MaxBits, kexDHGexRequest.PreferredBits)
+	}
+
+	var p *big.Int
+	// We hardcode sending Oakley Group 14 (2048 bits), Oakley Group 15 (3072
+	// bits) or Oakley Group 16 (4096 bits), based on the requested max size.
+	if kexDHGexRequest.MaxBits < 3072 {
+		p, _ = new(big.Int).SetString(oakleyGroup14, 16)
+	} else if kexDHGexRequest.MaxBits < 4096 {
+		p, _ = new(big.Int).SetString(oakleyGroup15, 16)
+	} else {
+		p, _ = new(big.Int).SetString(oakleyGroup16, 16)
+	}
 
-	// Send GexGroup
-	// This is the group called diffie-hellman-group14-sha1 in RFC
-	// 4253 and Oakley Group 14 in RFC 3526.
-	p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
 	g := big.NewInt(2)
-
 	msg := &kexDHGexGroupMsg{
 		P: p,
 		G: g,
@@ -746,9 +753,9 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 	h := gex.hashFunc.New()
 	magics.write(h)
 	writeString(h, hostKeyBytes)
-	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMinimumBits))
-	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangePreferredBits))
-	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMaximumBits))
+	binary.Write(h, binary.BigEndian, kexDHGexRequest.MinBits)
+	binary.Write(h, binary.BigEndian, kexDHGexRequest.PreferredBits)
+	binary.Write(h, binary.BigEndian, kexDHGexRequest.MaxBits)
 	writeInt(h, p)
 	writeInt(h, g)
 	writeInt(h, kexDHGexInit.X)
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
index 98e6706d..a28c0de5 100644
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ b/vendor/golang.org/x/crypto/ssh/keys.go
@@ -36,14 +36,19 @@ import (
 // ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
 // arguments.
 const (
-	KeyAlgoRSA        = "ssh-rsa"
-	KeyAlgoDSA        = "ssh-dss"
-	KeyAlgoECDSA256   = "ecdsa-sha2-nistp256"
-	KeyAlgoSKECDSA256 = "sk-ecdsa-sha2-nistp256@openssh.com"
-	KeyAlgoECDSA384   = "ecdsa-sha2-nistp384"
-	KeyAlgoECDSA521   = "ecdsa-sha2-nistp521"
-	KeyAlgoED25519    = "ssh-ed25519"
-	KeyAlgoSKED25519  = "sk-ssh-ed25519@openssh.com"
+	KeyAlgoRSA = "ssh-rsa"
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	KeyAlgoDSA = InsecureKeyAlgoDSA
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	InsecureKeyAlgoDSA = "ssh-dss"
+	KeyAlgoECDSA256    = "ecdsa-sha2-nistp256"
+	KeyAlgoSKECDSA256  = "sk-ecdsa-sha2-nistp256@openssh.com"
+	KeyAlgoECDSA384    = "ecdsa-sha2-nistp384"
+	KeyAlgoECDSA521    = "ecdsa-sha2-nistp521"
+	KeyAlgoED25519     = "ssh-ed25519"
+	KeyAlgoSKED25519   = "sk-ssh-ed25519@openssh.com"
 
 	// KeyAlgoRSASHA256 and KeyAlgoRSASHA512 are only public key algorithms, not
 	// public key formats, so they can't appear as a PublicKey.Type. The
@@ -67,7 +72,7 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 	switch algo {
 	case KeyAlgoRSA:
 		return parseRSA(in)
-	case KeyAlgoDSA:
+	case InsecureKeyAlgoDSA:
 		return parseDSA(in)
 	case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521:
 		return parseECDSA(in)
@@ -77,7 +82,7 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 		return parseED25519(in)
 	case KeyAlgoSKED25519:
 		return parseSKEd25519(in)
-	case CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoSKECDSA256v01, CertAlgoED25519v01, CertAlgoSKED25519v01:
+	case CertAlgoRSAv01, InsecureCertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoSKECDSA256v01, CertAlgoED25519v01, CertAlgoSKED25519v01:
 		cert, err := parseCert(in, certKeyAlgoNames[algo])
 		if err != nil {
 			return nil, nil, err
@@ -268,7 +273,7 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 	return nil, "", nil, nil, errors.New("ssh: no key found")
 }
 
-// ParsePublicKey parses an SSH public key formatted for use in
+// ParsePublicKey parses an SSH public key or certificate formatted for use in
 // the SSH wire protocol according to RFC 4253, section 6.6.
 func ParsePublicKey(in []byte) (out PublicKey, err error) {
 	algo, in, ok := parseString(in)
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
index 7376a8df..c022e411 100644
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
+++ b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
@@ -302,8 +302,8 @@ func (k *KnownKey) String() string {
 // applications can offer an interactive prompt to the user.
 type KeyError struct {
 	// Want holds the accepted host keys. For each key algorithm,
-	// there can be one hostkey.  If Want is empty, the host is
-	// unknown. If Want is non-empty, there was a mismatch, which
+	// there can be multiple hostkeys.  If Want is empty, the host
+	// is unknown. If Want is non-empty, there was a mismatch, which
 	// can signify a MITM attack.
 	Want []KnownKey
 }
@@ -358,34 +358,20 @@ func (db *hostKeyDB) checkAddr(a addr, remoteKey ssh.PublicKey) error {
 	// is just a key for the IP address, but not for the
 	// hostname?
 
-	// Algorithm => key.
-	knownKeys := map[string]KnownKey{}
+	keyErr := &KeyError{}
+
 	for _, l := range db.lines {
-		if l.match(a) {
-			typ := l.knownKey.Key.Type()
-			if _, ok := knownKeys[typ]; !ok {
-				knownKeys[typ] = l.knownKey
-			}
+		if !l.match(a) {
+			continue
+		}
+
+		keyErr.Want = append(keyErr.Want, l.knownKey)
+		if keyEq(l.knownKey.Key, remoteKey) {
+			return nil
 		}
 	}
 
-	keyErr := &KeyError{}
-	for _, v := range knownKeys {
-		keyErr.Want = append(keyErr.Want, v)
-	}
-
-	// Unknown remote host.
-	if len(knownKeys) == 0 {
-		return keyErr
-	}
-
-	// If the remote host starts using a different, unknown key type, we
-	// also interpret that as a mismatch.
-	if known, ok := knownKeys[remoteKey.Type()]; !ok || !keyEq(known.Key, remoteKey) {
-		return keyErr
-	}
-
-	return nil
+	return keyErr
 }
 
 // The Read function parses file contents.
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go
index 06a1b275..de2639d5 100644
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ b/vendor/golang.org/x/crypto/ssh/mac.go
@@ -47,22 +47,22 @@ func (t truncatingMAC) Size() int {
 func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
 
 var macModes = map[string]*macMode{
-	"hmac-sha2-512-etm@openssh.com": {64, true, func(key []byte) hash.Hash {
+	HMACSHA512ETM: {64, true, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
 	}},
-	"hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
+	HMACSHA256ETM: {32, true, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
 	}},
-	"hmac-sha2-512": {64, false, func(key []byte) hash.Hash {
+	HMACSHA512: {64, false, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
 	}},
-	"hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
+	HMACSHA256: {32, false, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
 	}},
-	"hmac-sha1": {20, false, func(key []byte) hash.Hash {
+	HMACSHA1: {20, false, func(key []byte) hash.Hash {
 		return hmac.New(sha1.New, key)
 	}},
-	"hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
+	InsecureHMACSHA196: {20, false, func(key []byte) hash.Hash {
 		return truncatingMAC{12, hmac.New(sha1.New, key)}
 	}},
 }
diff --git a/vendor/golang.org/x/crypto/ssh/messages.go b/vendor/golang.org/x/crypto/ssh/messages.go
index 118427bc..251b9d06 100644
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ b/vendor/golang.org/x/crypto/ssh/messages.go
@@ -122,9 +122,9 @@ type kexDHGexReplyMsg struct {
 const msgKexDHGexRequest = 34
 
 type kexDHGexRequestMsg struct {
-	MinBits      uint32 `sshtype:"34"`
-	PreferedBits uint32
-	MaxBits      uint32
+	MinBits       uint32 `sshtype:"34"`
+	PreferredBits uint32
+	MaxBits       uint32
 }
 
 // See RFC 4253, section 10.
diff --git a/vendor/golang.org/x/crypto/ssh/mlkem.go b/vendor/golang.org/x/crypto/ssh/mlkem.go
new file mode 100644
index 00000000..657e1079
--- /dev/null
+++ b/vendor/golang.org/x/crypto/ssh/mlkem.go
@@ -0,0 +1,183 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.24
+
+package ssh
+
+import (
+	"crypto"
+	"crypto/mlkem"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+	"runtime"
+	"slices"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+func init() {
+	// After Go 1.24rc1 mlkem swapped the order of return values of Encapsulate.
+	// See #70950.
+	if runtime.Version() == "go1.24rc1" {
+		return
+	}
+	supportedKexAlgos = slices.Insert(supportedKexAlgos, 0, KeyExchangeMLKEM768X25519)
+	defaultKexAlgos = slices.Insert(defaultKexAlgos, 0, KeyExchangeMLKEM768X25519)
+	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
+}
+
+// mlkem768WithCurve25519sha256 implements the hybrid ML-KEM768 with
+// curve25519-sha256 key exchange method, as described by
+// draft-kampanakis-curdle-ssh-pq-ke-05 section 2.3.3.
+type mlkem768WithCurve25519sha256 struct{}
+
+func (kex *mlkem768WithCurve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
+	var c25519kp curve25519KeyPair
+	if err := c25519kp.generate(rand); err != nil {
+		return nil, err
+	}
+
+	seed := make([]byte, mlkem.SeedSize)
+	if _, err := io.ReadFull(rand, seed); err != nil {
+		return nil, err
+	}
+
+	mlkemDk, err := mlkem.NewDecapsulationKey768(seed)
+	if err != nil {
+		return nil, err
+	}
+
+	hybridKey := append(mlkemDk.EncapsulationKey().Bytes(), c25519kp.pub[:]...)
+	if err := c.writePacket(Marshal(&kexECDHInitMsg{hybridKey})); err != nil {
+		return nil, err
+	}
+
+	packet, err := c.readPacket()
+	if err != nil {
+		return nil, err
+	}
+
+	var reply kexECDHReplyMsg
+	if err = Unmarshal(packet, &reply); err != nil {
+		return nil, err
+	}
+
+	if len(reply.EphemeralPubKey) != mlkem.CiphertextSize768+32 {
+		return nil, errors.New("ssh: peer's mlkem768x25519 public value has wrong length")
+	}
+
+	// Perform KEM decapsulate operation to obtain shared key from ML-KEM.
+	mlkem768Secret, err := mlkemDk.Decapsulate(reply.EphemeralPubKey[:mlkem.CiphertextSize768])
+	if err != nil {
+		return nil, err
+	}
+
+	// Complete Curve25519 ECDH to obtain its shared key.
+	c25519Secret, err := curve25519.X25519(c25519kp.priv[:], reply.EphemeralPubKey[mlkem.CiphertextSize768:])
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's mlkem768x25519 public value is not valid: %w", err)
+	}
+	// Compute actual shared key.
+	h := sha256.New()
+	h.Write(mlkem768Secret)
+	h.Write(c25519Secret)
+	secret := h.Sum(nil)
+
+	h.Reset()
+	magics.write(h)
+	writeString(h, reply.HostKey)
+	writeString(h, hybridKey)
+	writeString(h, reply.EphemeralPubKey)
+
+	K := make([]byte, stringLength(len(secret)))
+	marshalString(K, secret)
+	h.Write(K)
+
+	return &kexResult{
+		H:         h.Sum(nil),
+		K:         K,
+		HostKey:   reply.HostKey,
+		Signature: reply.Signature,
+		Hash:      crypto.SHA256,
+	}, nil
+}
+
+func (kex *mlkem768WithCurve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (*kexResult, error) {
+	packet, err := c.readPacket()
+	if err != nil {
+		return nil, err
+	}
+
+	var kexInit kexECDHInitMsg
+	if err = Unmarshal(packet, &kexInit); err != nil {
+		return nil, err
+	}
+
+	if len(kexInit.ClientPubKey) != mlkem.EncapsulationKeySize768+32 {
+		return nil, errors.New("ssh: peer's ML-KEM768/curve25519 public value has wrong length")
+	}
+
+	encapsulationKey, err := mlkem.NewEncapsulationKey768(kexInit.ClientPubKey[:mlkem.EncapsulationKeySize768])
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's ML-KEM768 encapsulation key is not valid: %w", err)
+	}
+	// Perform KEM encapsulate operation to obtain ciphertext and shared key.
+	mlkem768Secret, mlkem768Ciphertext := encapsulationKey.Encapsulate()
+
+	// Perform server side of Curve25519 ECDH to obtain server public value and
+	// shared key.
+	var c25519kp curve25519KeyPair
+	if err := c25519kp.generate(rand); err != nil {
+		return nil, err
+	}
+	c25519Secret, err := curve25519.X25519(c25519kp.priv[:], kexInit.ClientPubKey[mlkem.EncapsulationKeySize768:])
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's ML-KEM768/curve25519 public value is not valid: %w", err)
+	}
+	hybridKey := append(mlkem768Ciphertext, c25519kp.pub[:]...)
+
+	// Compute actual shared key.
+	h := sha256.New()
+	h.Write(mlkem768Secret)
+	h.Write(c25519Secret)
+	secret := h.Sum(nil)
+
+	hostKeyBytes := priv.PublicKey().Marshal()
+
+	h.Reset()
+	magics.write(h)
+	writeString(h, hostKeyBytes)
+	writeString(h, kexInit.ClientPubKey)
+	writeString(h, hybridKey)
+
+	K := make([]byte, stringLength(len(secret)))
+	marshalString(K, secret)
+	h.Write(K)
+
+	H := h.Sum(nil)
+
+	sig, err := signAndMarshal(priv, rand, H, algo)
+	if err != nil {
+		return nil, err
+	}
+
+	reply := kexECDHReplyMsg{
+		EphemeralPubKey: hybridKey,
+		HostKey:         hostKeyBytes,
+		Signature:       sig,
+	}
+	if err := c.writePacket(Marshal(&reply)); err != nil {
+		return nil, err
+	}
+	return &kexResult{
+		H:         H,
+		K:         K,
+		HostKey:   hostKeyBytes,
+		Signature: sig,
+		Hash:      crypto.SHA256,
+	}, nil
+}
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 1839ddc6..98679ba5 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -243,22 +243,15 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
 		fullConf.MaxAuthTries = 6
 	}
 	if len(fullConf.PublicKeyAuthAlgorithms) == 0 {
-		fullConf.PublicKeyAuthAlgorithms = supportedPubKeyAuthAlgos
+		fullConf.PublicKeyAuthAlgorithms = defaultPubKeyAuthAlgos
 	} else {
 		for _, algo := range fullConf.PublicKeyAuthAlgorithms {
-			if !contains(supportedPubKeyAuthAlgos, algo) {
+			if !contains(SupportedAlgorithms().PublicKeyAuths, algo) && !contains(InsecureAlgorithms().PublicKeyAuths, algo) {
 				c.Close()
 				return nil, nil, nil, fmt.Errorf("ssh: unsupported public key authentication algorithm %s", algo)
 			}
 		}
 	}
-	// Check if the config contains any unsupported key exchanges
-	for _, kex := range fullConf.KeyExchanges {
-		if _, ok := serverForbiddenKexAlgos[kex]; ok {
-			c.Close()
-			return nil, nil, nil, fmt.Errorf("ssh: unsupported key exchange %s for server", kex)
-		}
-	}
 
 	s := &connection{
 		sshConn: sshConn{conn: c},
@@ -315,6 +308,7 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
 
 	// We just did the key change, so the session ID is established.
 	s.sessionID = s.transport.getSessionID()
+	s.algorithms = s.transport.getAlgorithms()
 
 	var packet []byte
 	if packet, err = s.transport.readPacket(); err != nil {
diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
index 0424d2d3..66361984 100644
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ b/vendor/golang.org/x/crypto/ssh/transport.go
@@ -16,13 +16,6 @@ import (
 // wire. No message decoding is done, to minimize the impact on timing.
 const debugTransport = false
 
-const (
-	gcm128CipherID = "aes128-gcm@openssh.com"
-	gcm256CipherID = "aes256-gcm@openssh.com"
-	aes128cbcID    = "aes128-cbc"
-	tripledescbcID = "3des-cbc"
-)
-
 // packetConn represents a transport that implements packet based
 // operations.
 type packetConn interface {
@@ -92,14 +85,14 @@ func (t *transport) setInitialKEXDone() {
 // prepareKeyChange sets up key material for a keychange. The key changes in
 // both directions are triggered by reading and writing a msgNewKey packet
 // respectively.
-func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error {
-	ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult)
+func (t *transport) prepareKeyChange(algs *NegotiatedAlgorithms, kexResult *kexResult) error {
+	ciph, err := newPacketCipher(t.reader.dir, algs.Read, kexResult)
 	if err != nil {
 		return err
 	}
 	t.reader.pendingKeyChange <- ciph
 
-	ciph, err = newPacketCipher(t.writer.dir, algs.w, kexResult)
+	ciph, err = newPacketCipher(t.writer.dir, algs.Write, kexResult)
 	if err != nil {
 		return err
 	}
@@ -259,7 +252,7 @@ var (
 // setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
 // described in RFC 4253, section 6.4. direction should either be serverKeys
 // (to setup server->client keys) or clientKeys (for client->server keys).
-func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
+func newPacketCipher(d direction, algs DirectionAlgorithms, kex *kexResult) (packetCipher, error) {
 	cipherMode := cipherModes[algs.Cipher]
 
 	iv := make([]byte, cipherMode.ivSize)
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
index 81faec7e..db3264da 100644
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -39,7 +39,7 @@ const (
 	FrameContinuation FrameType = 0x9
 )
 
-var frameName = map[FrameType]string{
+var frameNames = [...]string{
 	FrameData:         "DATA",
 	FrameHeaders:      "HEADERS",
 	FramePriority:     "PRIORITY",
@@ -53,10 +53,10 @@ var frameName = map[FrameType]string{
 }
 
 func (t FrameType) String() string {
-	if s, ok := frameName[t]; ok {
-		return s
+	if int(t) < len(frameNames) {
+		return frameNames[t]
 	}
-	return fmt.Sprintf("UNKNOWN_FRAME_TYPE_%d", uint8(t))
+	return fmt.Sprintf("UNKNOWN_FRAME_TYPE_%d", t)
 }
 
 // Flags is a bitmask of HTTP/2 flags.
@@ -124,7 +124,7 @@ var flagName = map[FrameType]map[Flags]string{
 // might be 0).
 type frameParser func(fc *frameCache, fh FrameHeader, countError func(string), payload []byte) (Frame, error)
 
-var frameParsers = map[FrameType]frameParser{
+var frameParsers = [...]frameParser{
 	FrameData:         parseDataFrame,
 	FrameHeaders:      parseHeadersFrame,
 	FramePriority:     parsePriorityFrame,
@@ -138,8 +138,8 @@ var frameParsers = map[FrameType]frameParser{
 }
 
 func typeFrameParser(t FrameType) frameParser {
-	if f := frameParsers[t]; f != nil {
-		return f
+	if int(t) < len(frameParsers) {
+		return frameParsers[t]
 	}
 	return parseUnknownFrame
 }
@@ -225,6 +225,11 @@ var fhBytes = sync.Pool{
 	},
 }
 
+func invalidHTTP1LookingFrameHeader() FrameHeader {
+	fh, _ := readFrameHeader(make([]byte, frameHeaderLen), strings.NewReader("HTTP/1.1 "))
+	return fh
+}
+
 // ReadFrameHeader reads 9 bytes from r and returns a FrameHeader.
 // Most users should use Framer.ReadFrame instead.
 func ReadFrameHeader(r io.Reader) (FrameHeader, error) {
@@ -503,10 +508,16 @@ func (fr *Framer) ReadFrame() (Frame, error) {
 		return nil, err
 	}
 	if fh.Length > fr.maxReadSize {
+		if fh == invalidHTTP1LookingFrameHeader() {
+			return nil, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge)
+		}
 		return nil, ErrFrameTooLarge
 	}
 	payload := fr.getReadBuf(fh.Length)
 	if _, err := io.ReadFull(fr.r, payload); err != nil {
+		if fh == invalidHTTP1LookingFrameHeader() {
+			return nil, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", err)
+		}
 		return nil, err
 	}
 	f, err := typeFrameParser(fh.Type)(fr.frameCache, fh, fr.countError, payload)
diff --git a/vendor/golang.org/x/net/http2/http2.go b/vendor/golang.org/x/net/http2/http2.go
index 6c18ea23..ea5ae629 100644
--- a/vendor/golang.org/x/net/http2/http2.go
+++ b/vendor/golang.org/x/net/http2/http2.go
@@ -11,8 +11,6 @@
 // requires Go 1.6 or later)
 //
 // See https://http2.github.io/ for more information on HTTP/2.
-//
-// See https://http2.golang.org/ for a test server running this code.
 package http2 // import "golang.org/x/net/http2"
 
 import (
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index b640deb0..51fca38f 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -1068,7 +1068,10 @@ func (sc *serverConn) serve(conf http2Config) {
 
 func (sc *serverConn) handlePingTimer(lastFrameReadTime time.Time) {
 	if sc.pingSent {
-		sc.vlogf("timeout waiting for PING response")
+		sc.logf("timeout waiting for PING response")
+		if f := sc.countErrorFunc; f != nil {
+			f("conn_close_lost_ping")
+		}
 		sc.conn.Close()
 		return
 	}
diff --git a/vendor/golang.org/x/net/trace/events.go b/vendor/golang.org/x/net/trace/events.go
index c646a695..3aaffdd1 100644
--- a/vendor/golang.org/x/net/trace/events.go
+++ b/vendor/golang.org/x/net/trace/events.go
@@ -508,7 +508,7 @@ const eventsHTML = `
 	<tr class="first">
 		<td class="when">{{$el.When}}</td>
 		<td class="elapsed">{{$el.ElapsedTime}}</td>
-		<td>{{$el.Title}}
+		<td>{{$el.Title}}</td>
 	</tr>
 	{{if $.Expanded}}
 	<tr>
diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go
index a4ea5d14..1d8cffae 100644
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -18,7 +18,7 @@ import (
 type token struct{}
 
 // A Group is a collection of goroutines working on subtasks that are part of
-// the same overall task.
+// the same overall task. A Group should not be reused for different tasks.
 //
 // A zero Group is valid, has no limit on the number of active goroutines,
 // and does not cancel on error.
@@ -61,11 +61,14 @@ func (g *Group) Wait() error {
 }
 
 // Go calls the given function in a new goroutine.
-// It blocks until the new goroutine can be added without the number of
-// active goroutines in the group exceeding the configured limit.
 //
-// The first call to return a non-nil error cancels the group's context, if the
-// group was created by calling WithContext. The error will be returned by Wait.
+// The first call to Go must happen before a Wait.
+// It blocks until the new goroutine can be added without the number of
+// goroutines in the group exceeding the configured limit.
+//
+// The first goroutine in the group that returns a non-nil error will
+// cancel the associated Context, if any. The error will be returned
+// by Wait.
 func (g *Group) Go(f func() error) {
 	if g.sem != nil {
 		g.sem <- token{}
@@ -75,6 +78,18 @@ func (g *Group) Go(f func() error) {
 	go func() {
 		defer g.done()
 
+		// It is tempting to propagate panics from f()
+		// up to the goroutine that calls Wait, but
+		// it creates more problems than it solves:
+		// - it delays panics arbitrarily,
+		//   making bugs harder to detect;
+		// - it turns f's panic stack into a mere value,
+		//   hiding it from crash-monitoring tools;
+		// - it risks deadlocks that hide the panic entirely,
+		//   if f's panic leaves the program in a state
+		//   that prevents the Wait call from being reached.
+		// See #53757, #74275, #74304, #74306.
+
 		if err := f(); err != nil {
 			g.errOnce.Do(func() {
 				g.err = err
diff --git a/vendor/golang.org/x/sys/cpu/cpu.go b/vendor/golang.org/x/sys/cpu/cpu.go
index 9c105f23..63541994 100644
--- a/vendor/golang.org/x/sys/cpu/cpu.go
+++ b/vendor/golang.org/x/sys/cpu/cpu.go
@@ -149,6 +149,18 @@ var ARM struct {
 	_           CacheLinePad
 }
 
+// The booleans in Loong64 contain the correspondingly named cpu feature bit.
+// The struct is padded to avoid false sharing.
+var Loong64 struct {
+	_         CacheLinePad
+	HasLSX    bool // support 128-bit vector extension
+	HasLASX   bool // support 256-bit vector extension
+	HasCRC32  bool // support CRC instruction
+	HasLAM_BH bool // support AM{SWAP/ADD}[_DB].{B/H} instruction
+	HasLAMCAS bool // support AMCAS[_DB].{B/H/W/D} instruction
+	_         CacheLinePad
+}
+
 // MIPS64X contains the supported CPU features of the current mips64/mips64le
 // platforms. If the current platform is not mips64/mips64le or the current
 // operating system is not Linux then all feature flags are false.
@@ -220,6 +232,17 @@ var RISCV64 struct {
 	HasZba            bool // Address generation instructions extension
 	HasZbb            bool // Basic bit-manipulation extension
 	HasZbs            bool // Single-bit instructions extension
+	HasZvbb           bool // Vector Basic Bit-manipulation
+	HasZvbc           bool // Vector Carryless Multiplication
+	HasZvkb           bool // Vector Cryptography Bit-manipulation
+	HasZvkt           bool // Vector Data-Independent Execution Latency
+	HasZvkg           bool // Vector GCM/GMAC
+	HasZvkn           bool // NIST Algorithm Suite (AES/SHA256/SHA512)
+	HasZvknc          bool // NIST Algorithm Suite with carryless multiply
+	HasZvkng          bool // NIST Algorithm Suite with GCM
+	HasZvks           bool // ShangMi Algorithm Suite
+	HasZvksc          bool // ShangMi Algorithm Suite with carryless multiplication
+	HasZvksg          bool // ShangMi Algorithm Suite with GCM
 	_                 CacheLinePad
 }
 
diff --git a/vendor/golang.org/x/sys/cpu/cpu_linux_loong64.go b/vendor/golang.org/x/sys/cpu/cpu_linux_loong64.go
new file mode 100644
index 00000000..4f341143
--- /dev/null
+++ b/vendor/golang.org/x/sys/cpu/cpu_linux_loong64.go
@@ -0,0 +1,22 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cpu
+
+// HWCAP bits. These are exposed by the Linux kernel.
+const (
+	hwcap_LOONGARCH_LSX  = 1 << 4
+	hwcap_LOONGARCH_LASX = 1 << 5
+)
+
+func doinit() {
+	// TODO: Features that require kernel support like LSX and LASX can
+	// be detected here once needed in std library or by the compiler.
+	Loong64.HasLSX = hwcIsSet(hwCap, hwcap_LOONGARCH_LSX)
+	Loong64.HasLASX = hwcIsSet(hwCap, hwcap_LOONGARCH_LASX)
+}
+
+func hwcIsSet(hwc uint, val uint) bool {
+	return hwc&val != 0
+}
diff --git a/vendor/golang.org/x/sys/cpu/cpu_linux_noinit.go b/vendor/golang.org/x/sys/cpu/cpu_linux_noinit.go
index 7d902b68..a428dec9 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_linux_noinit.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_linux_noinit.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && !arm && !arm64 && !mips64 && !mips64le && !ppc64 && !ppc64le && !s390x && !riscv64
+//go:build linux && !arm && !arm64 && !loong64 && !mips64 && !mips64le && !ppc64 && !ppc64le && !s390x && !riscv64
 
 package cpu
 
diff --git a/vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go b/vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go
index cb4a0c57..ad741536 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go
@@ -58,6 +58,15 @@ const (
 	riscv_HWPROBE_EXT_ZBA         = 0x8
 	riscv_HWPROBE_EXT_ZBB         = 0x10
 	riscv_HWPROBE_EXT_ZBS         = 0x20
+	riscv_HWPROBE_EXT_ZVBB        = 0x20000
+	riscv_HWPROBE_EXT_ZVBC        = 0x40000
+	riscv_HWPROBE_EXT_ZVKB        = 0x80000
+	riscv_HWPROBE_EXT_ZVKG        = 0x100000
+	riscv_HWPROBE_EXT_ZVKNED      = 0x200000
+	riscv_HWPROBE_EXT_ZVKNHB      = 0x800000
+	riscv_HWPROBE_EXT_ZVKSED      = 0x1000000
+	riscv_HWPROBE_EXT_ZVKSH       = 0x2000000
+	riscv_HWPROBE_EXT_ZVKT        = 0x4000000
 	riscv_HWPROBE_KEY_CPUPERF_0   = 0x5
 	riscv_HWPROBE_MISALIGNED_FAST = 0x3
 	riscv_HWPROBE_MISALIGNED_MASK = 0x7
@@ -99,6 +108,20 @@ func doinit() {
 			RISCV64.HasZba = isSet(v, riscv_HWPROBE_EXT_ZBA)
 			RISCV64.HasZbb = isSet(v, riscv_HWPROBE_EXT_ZBB)
 			RISCV64.HasZbs = isSet(v, riscv_HWPROBE_EXT_ZBS)
+			RISCV64.HasZvbb = isSet(v, riscv_HWPROBE_EXT_ZVBB)
+			RISCV64.HasZvbc = isSet(v, riscv_HWPROBE_EXT_ZVBC)
+			RISCV64.HasZvkb = isSet(v, riscv_HWPROBE_EXT_ZVKB)
+			RISCV64.HasZvkg = isSet(v, riscv_HWPROBE_EXT_ZVKG)
+			RISCV64.HasZvkt = isSet(v, riscv_HWPROBE_EXT_ZVKT)
+			// Cryptography shorthand extensions
+			RISCV64.HasZvkn = isSet(v, riscv_HWPROBE_EXT_ZVKNED) &&
+				isSet(v, riscv_HWPROBE_EXT_ZVKNHB) && RISCV64.HasZvkb && RISCV64.HasZvkt
+			RISCV64.HasZvknc = RISCV64.HasZvkn && RISCV64.HasZvbc
+			RISCV64.HasZvkng = RISCV64.HasZvkn && RISCV64.HasZvkg
+			RISCV64.HasZvks = isSet(v, riscv_HWPROBE_EXT_ZVKSED) &&
+				isSet(v, riscv_HWPROBE_EXT_ZVKSH) && RISCV64.HasZvkb && RISCV64.HasZvkt
+			RISCV64.HasZvksc = RISCV64.HasZvks && RISCV64.HasZvbc
+			RISCV64.HasZvksg = RISCV64.HasZvks && RISCV64.HasZvkg
 		}
 		if pairs[1].key != -1 {
 			v := pairs[1].value & riscv_HWPROBE_MISALIGNED_MASK
diff --git a/vendor/golang.org/x/sys/cpu/cpu_loong64.go b/vendor/golang.org/x/sys/cpu/cpu_loong64.go
index 55863585..45ecb29a 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_loong64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_loong64.go
@@ -8,5 +8,43 @@ package cpu
 
 const cacheLineSize = 64
 
+// Bit fields for CPUCFG registers, Related reference documents:
+// https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#_cpucfg
+const (
+	// CPUCFG1 bits
+	cpucfg1_CRC32 = 1 << 25
+
+	// CPUCFG2 bits
+	cpucfg2_LAM_BH = 1 << 27
+	cpucfg2_LAMCAS = 1 << 28
+)
+
 func initOptions() {
+	options = []option{
+		{Name: "lsx", Feature: &Loong64.HasLSX},
+		{Name: "lasx", Feature: &Loong64.HasLASX},
+		{Name: "crc32", Feature: &Loong64.HasCRC32},
+		{Name: "lam_bh", Feature: &Loong64.HasLAM_BH},
+		{Name: "lamcas", Feature: &Loong64.HasLAMCAS},
+	}
+
+	// The CPUCFG data on Loong64 only reflects the hardware capabilities,
+	// not the kernel support status, so features such as LSX and LASX that
+	// require kernel support cannot be obtained from the CPUCFG data.
+	//
+	// These features only require hardware capability support and do not
+	// require kernel specific support, so they can be obtained directly
+	// through CPUCFG
+	cfg1 := get_cpucfg(1)
+	cfg2 := get_cpucfg(2)
+
+	Loong64.HasCRC32 = cfgIsSet(cfg1, cpucfg1_CRC32)
+	Loong64.HasLAMCAS = cfgIsSet(cfg2, cpucfg2_LAMCAS)
+	Loong64.HasLAM_BH = cfgIsSet(cfg2, cpucfg2_LAM_BH)
+}
+
+func get_cpucfg(reg uint32) uint32
+
+func cfgIsSet(cfg uint32, val uint32) bool {
+	return cfg&val != 0
 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_loong64.s b/vendor/golang.org/x/sys/cpu/cpu_loong64.s
new file mode 100644
index 00000000..71cbaf1c
--- /dev/null
+++ b/vendor/golang.org/x/sys/cpu/cpu_loong64.s
@@ -0,0 +1,13 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+#include "textflag.h"
+
+// func get_cpucfg(reg uint32) uint32
+TEXT ·get_cpucfg(SB), NOSPLIT|NOFRAME, $0
+	MOVW	reg+0(FP), R5
+	// CPUCFG R5, R4 = 0x00006ca4
+	WORD	$0x00006ca4
+	MOVW	R4, ret+8(FP)
+	RET
diff --git a/vendor/golang.org/x/sys/cpu/cpu_riscv64.go b/vendor/golang.org/x/sys/cpu/cpu_riscv64.go
index aca3199c..0f617aef 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_riscv64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_riscv64.go
@@ -16,5 +16,17 @@ func initOptions() {
 		{Name: "zba", Feature: &RISCV64.HasZba},
 		{Name: "zbb", Feature: &RISCV64.HasZbb},
 		{Name: "zbs", Feature: &RISCV64.HasZbs},
+		// RISC-V Cryptography Extensions
+		{Name: "zvbb", Feature: &RISCV64.HasZvbb},
+		{Name: "zvbc", Feature: &RISCV64.HasZvbc},
+		{Name: "zvkb", Feature: &RISCV64.HasZvkb},
+		{Name: "zvkg", Feature: &RISCV64.HasZvkg},
+		{Name: "zvkt", Feature: &RISCV64.HasZvkt},
+		{Name: "zvkn", Feature: &RISCV64.HasZvkn},
+		{Name: "zvknc", Feature: &RISCV64.HasZvknc},
+		{Name: "zvkng", Feature: &RISCV64.HasZvkng},
+		{Name: "zvks", Feature: &RISCV64.HasZvks},
+		{Name: "zvksc", Feature: &RISCV64.HasZvksc},
+		{Name: "zvksg", Feature: &RISCV64.HasZvksg},
 	}
 }
diff --git a/vendor/golang.org/x/sys/cpu/parse.go b/vendor/golang.org/x/sys/cpu/parse.go
index 762b63d6..56a7e1a1 100644
--- a/vendor/golang.org/x/sys/cpu/parse.go
+++ b/vendor/golang.org/x/sys/cpu/parse.go
@@ -13,7 +13,7 @@ import "strconv"
 // https://golang.org/cl/209597.
 func parseRelease(rel string) (major, minor, patch int, ok bool) {
 	// Strip anything after a dash or plus.
-	for i := 0; i < len(rel); i++ {
+	for i := range len(rel) {
 		if rel[i] == '-' || rel[i] == '+' {
 			rel = rel[:i]
 			break
@@ -21,7 +21,7 @@ func parseRelease(rel string) (major, minor, patch int, ok bool) {
 	}
 
 	next := func() (int, bool) {
-		for i := 0; i < len(rel); i++ {
+		for i := range len(rel) {
 			if rel[i] == '.' {
 				ver, err := strconv.Atoi(rel[:i])
 				rel = rel[i+1:]
diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh
index 6ab02b6c..d1c8b264 100644
--- a/vendor/golang.org/x/sys/unix/mkerrors.sh
+++ b/vendor/golang.org/x/sys/unix/mkerrors.sh
@@ -349,6 +349,9 @@ struct ltchars {
 #define _HIDIOCGRAWPHYS		HIDIOCGRAWPHYS(_HIDIOCGRAWPHYS_LEN)
 #define _HIDIOCGRAWUNIQ		HIDIOCGRAWUNIQ(_HIDIOCGRAWUNIQ_LEN)
 
+// Renamed in v6.16, commit c6d732c38f93 ("net: ethtool: remove duplicate defines for family info")
+#define ETHTOOL_FAMILY_NAME	ETHTOOL_GENL_NAME
+#define ETHTOOL_FAMILY_VERSION	ETHTOOL_GENL_VERSION
 '
 
 includes_NetBSD='
diff --git a/vendor/golang.org/x/sys/unix/syscall_darwin.go b/vendor/golang.org/x/sys/unix/syscall_darwin.go
index 099867de..7838ca5d 100644
--- a/vendor/golang.org/x/sys/unix/syscall_darwin.go
+++ b/vendor/golang.org/x/sys/unix/syscall_darwin.go
@@ -602,6 +602,95 @@ func Connectx(fd int, srcIf uint32, srcAddr, dstAddr Sockaddr, associd SaeAssocI
 	return
 }
 
+const minIovec = 8
+
+func Readv(fd int, iovs [][]byte) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = readv(fd, iovecs)
+	readvRacedetect(iovecs, n, err)
+	return n, err
+}
+
+func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = preadv(fd, iovecs, offset)
+	readvRacedetect(iovecs, n, err)
+	return n, err
+}
+
+func Writev(fd int, iovs [][]byte) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = writev(fd, iovecs)
+	writevRacedetect(iovecs, n)
+	return n, err
+}
+
+func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = pwritev(fd, iovecs, offset)
+	writevRacedetect(iovecs, n)
+	return n, err
+}
+
+func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
+	for _, b := range bs {
+		var v Iovec
+		v.SetLen(len(b))
+		if len(b) > 0 {
+			v.Base = &b[0]
+		} else {
+			v.Base = (*byte)(unsafe.Pointer(&_zero))
+		}
+		vecs = append(vecs, v)
+	}
+	return vecs
+}
+
+func writevRacedetect(iovecs []Iovec, n int) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := int(iovecs[i].Len)
+		if m > n {
+			m = n
+		}
+		n -= m
+		if m > 0 {
+			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+}
+
+func readvRacedetect(iovecs []Iovec, n int, err error) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := int(iovecs[i].Len)
+		if m > n {
+			m = n
+		}
+		n -= m
+		if m > 0 {
+			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+	if err == nil {
+		raceAcquire(unsafe.Pointer(&ioSync))
+	}
+}
+
 //sys	connectx(fd int, endpoints *SaEndpoints, associd SaeAssocID, flags uint32, iov []Iovec, n *uintptr, connid *SaeConnID) (err error)
 //sys	sendfile(infd int, outfd int, offset int64, len *int64, hdtr unsafe.Pointer, flags int) (err error)
 
@@ -705,3 +794,7 @@ func Connectx(fd int, srcIf uint32, srcAddr, dstAddr Sockaddr, associd SaeAssocI
 //sys	write(fd int, p []byte) (n int, err error)
 //sys	mmap(addr uintptr, length uintptr, prot int, flag int, fd int, pos int64) (ret uintptr, err error)
 //sys	munmap(addr uintptr, length uintptr) (err error)
+//sys	readv(fd int, iovecs []Iovec) (n int, err error)
+//sys	preadv(fd int, iovecs []Iovec, offset int64) (n int, err error)
+//sys	writev(fd int, iovecs []Iovec) (n int, err error)
+//sys	pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error)
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go
index 230a9454..4958a657 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@@ -13,6 +13,7 @@ package unix
 
 import (
 	"encoding/binary"
+	"slices"
 	"strconv"
 	"syscall"
 	"time"
@@ -417,7 +418,7 @@ func (sa *SockaddrUnix) sockaddr() (unsafe.Pointer, _Socklen, error) {
 		return nil, 0, EINVAL
 	}
 	sa.raw.Family = AF_UNIX
-	for i := 0; i < n; i++ {
+	for i := range n {
 		sa.raw.Path[i] = int8(name[i])
 	}
 	// length is family (uint16), name, NUL.
@@ -507,7 +508,7 @@ func (sa *SockaddrL2) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	psm := (*[2]byte)(unsafe.Pointer(&sa.raw.Psm))
 	psm[0] = byte(sa.PSM)
 	psm[1] = byte(sa.PSM >> 8)
-	for i := 0; i < len(sa.Addr); i++ {
+	for i := range len(sa.Addr) {
 		sa.raw.Bdaddr[i] = sa.Addr[len(sa.Addr)-1-i]
 	}
 	cid := (*[2]byte)(unsafe.Pointer(&sa.raw.Cid))
@@ -589,11 +590,11 @@ func (sa *SockaddrCAN) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	sa.raw.Family = AF_CAN
 	sa.raw.Ifindex = int32(sa.Ifindex)
 	rx := (*[4]byte)(unsafe.Pointer(&sa.RxID))
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		sa.raw.Addr[i] = rx[i]
 	}
 	tx := (*[4]byte)(unsafe.Pointer(&sa.TxID))
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		sa.raw.Addr[i+4] = tx[i]
 	}
 	return unsafe.Pointer(&sa.raw), SizeofSockaddrCAN, nil
@@ -618,11 +619,11 @@ func (sa *SockaddrCANJ1939) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	sa.raw.Family = AF_CAN
 	sa.raw.Ifindex = int32(sa.Ifindex)
 	n := (*[8]byte)(unsafe.Pointer(&sa.Name))
-	for i := 0; i < 8; i++ {
+	for i := range 8 {
 		sa.raw.Addr[i] = n[i]
 	}
 	p := (*[4]byte)(unsafe.Pointer(&sa.PGN))
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		sa.raw.Addr[i+8] = p[i]
 	}
 	sa.raw.Addr[12] = sa.Addr
@@ -911,7 +912,7 @@ func (sa *SockaddrIUCV) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	// These are EBCDIC encoded by the kernel, but we still need to pad them
 	// with blanks. Initializing with blanks allows the caller to feed in either
 	// a padded or an unpadded string.
-	for i := 0; i < 8; i++ {
+	for i := range 8 {
 		sa.raw.Nodeid[i] = ' '
 		sa.raw.User_id[i] = ' '
 		sa.raw.Name[i] = ' '
@@ -1148,7 +1149,7 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
 		var user [8]byte
 		var name [8]byte
 
-		for i := 0; i < 8; i++ {
+		for i := range 8 {
 			user[i] = byte(pp.User_id[i])
 			name[i] = byte(pp.Name[i])
 		}
@@ -1173,11 +1174,11 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
 				Ifindex: int(pp.Ifindex),
 			}
 			name := (*[8]byte)(unsafe.Pointer(&sa.Name))
-			for i := 0; i < 8; i++ {
+			for i := range 8 {
 				name[i] = pp.Addr[i]
 			}
 			pgn := (*[4]byte)(unsafe.Pointer(&sa.PGN))
-			for i := 0; i < 4; i++ {
+			for i := range 4 {
 				pgn[i] = pp.Addr[i+8]
 			}
 			addr := (*[1]byte)(unsafe.Pointer(&sa.Addr))
@@ -1188,11 +1189,11 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
 				Ifindex: int(pp.Ifindex),
 			}
 			rx := (*[4]byte)(unsafe.Pointer(&sa.RxID))
-			for i := 0; i < 4; i++ {
+			for i := range 4 {
 				rx[i] = pp.Addr[i]
 			}
 			tx := (*[4]byte)(unsafe.Pointer(&sa.TxID))
-			for i := 0; i < 4; i++ {
+			for i := range 4 {
 				tx[i] = pp.Addr[i+4]
 			}
 			return sa, nil
@@ -2216,10 +2217,7 @@ func readvRacedetect(iovecs []Iovec, n int, err error) {
 		return
 	}
 	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
+		m := min(int(iovecs[i].Len), n)
 		n -= m
 		if m > 0 {
 			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
@@ -2270,10 +2268,7 @@ func writevRacedetect(iovecs []Iovec, n int) {
 		return
 	}
 	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
+		m := min(int(iovecs[i].Len), n)
 		n -= m
 		if m > 0 {
 			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
@@ -2320,12 +2315,7 @@ func isGroupMember(gid int) bool {
 		return false
 	}
 
-	for _, g := range groups {
-		if g == gid {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(groups, gid)
 }
 
 func isCapDacOverrideSet() bool {
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go
index 4f432bfe..b6db27d9 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -319,6 +319,7 @@ const (
 	AUDIT_INTEGRITY_POLICY_RULE                 = 0x70f
 	AUDIT_INTEGRITY_RULE                        = 0x70d
 	AUDIT_INTEGRITY_STATUS                      = 0x70a
+	AUDIT_INTEGRITY_USERSPACE                   = 0x710
 	AUDIT_IPC                                   = 0x517
 	AUDIT_IPC_SET_PERM                          = 0x51f
 	AUDIT_IPE_ACCESS                            = 0x58c
@@ -327,6 +328,8 @@ const (
 	AUDIT_KERNEL                                = 0x7d0
 	AUDIT_KERNEL_OTHER                          = 0x524
 	AUDIT_KERN_MODULE                           = 0x532
+	AUDIT_LANDLOCK_ACCESS                       = 0x58f
+	AUDIT_LANDLOCK_DOMAIN                       = 0x590
 	AUDIT_LAST_FEATURE                          = 0x1
 	AUDIT_LAST_KERN_ANOM_MSG                    = 0x707
 	AUDIT_LAST_USER_MSG                         = 0x4af
@@ -491,6 +494,7 @@ const (
 	BPF_F_BEFORE                                = 0x8
 	BPF_F_ID                                    = 0x20
 	BPF_F_NETFILTER_IP_DEFRAG                   = 0x1
+	BPF_F_PREORDER                              = 0x40
 	BPF_F_QUERY_EFFECTIVE                       = 0x1
 	BPF_F_REDIRECT_FLAGS                        = 0x19
 	BPF_F_REPLACE                               = 0x4
@@ -527,6 +531,7 @@ const (
 	BPF_LDX                                     = 0x1
 	BPF_LEN                                     = 0x80
 	BPF_LL_OFF                                  = -0x200000
+	BPF_LOAD_ACQ                                = 0x100
 	BPF_LSH                                     = 0x60
 	BPF_MAJOR_VERSION                           = 0x1
 	BPF_MAXINSNS                                = 0x1000
@@ -554,6 +559,7 @@ const (
 	BPF_RET                                     = 0x6
 	BPF_RSH                                     = 0x70
 	BPF_ST                                      = 0x2
+	BPF_STORE_REL                               = 0x110
 	BPF_STX                                     = 0x3
 	BPF_SUB                                     = 0x10
 	BPF_TAG_SIZE                                = 0x8
@@ -843,9 +849,9 @@ const (
 	DM_UUID_FLAG                                = 0x4000
 	DM_UUID_LEN                                 = 0x81
 	DM_VERSION                                  = 0xc138fd00
-	DM_VERSION_EXTRA                            = "-ioctl (2023-03-01)"
+	DM_VERSION_EXTRA                            = "-ioctl (2025-04-28)"
 	DM_VERSION_MAJOR                            = 0x4
-	DM_VERSION_MINOR                            = 0x30
+	DM_VERSION_MINOR                            = 0x32
 	DM_VERSION_PATCHLEVEL                       = 0x0
 	DT_BLK                                      = 0x6
 	DT_CHR                                      = 0x2
@@ -936,11 +942,10 @@ const (
 	EPOLL_CTL_MOD                               = 0x3
 	EPOLL_IOC_TYPE                              = 0x8a
 	EROFS_SUPER_MAGIC_V1                        = 0xe0f5e1e2
-	ESP_V4_FLOW                                 = 0xa
-	ESP_V6_FLOW                                 = 0xc
-	ETHER_FLOW                                  = 0x12
 	ETHTOOL_BUSINFO_LEN                         = 0x20
 	ETHTOOL_EROMVERS_LEN                        = 0x20
+	ETHTOOL_FAMILY_NAME                         = "ethtool"
+	ETHTOOL_FAMILY_VERSION                      = 0x1
 	ETHTOOL_FEC_AUTO                            = 0x2
 	ETHTOOL_FEC_BASER                           = 0x10
 	ETHTOOL_FEC_LLRS                            = 0x20
@@ -1203,13 +1208,18 @@ const (
 	FAN_DENY                                    = 0x2
 	FAN_ENABLE_AUDIT                            = 0x40
 	FAN_EPIDFD                                  = -0x2
+	FAN_ERRNO_BITS                              = 0x8
+	FAN_ERRNO_MASK                              = 0xff
+	FAN_ERRNO_SHIFT                             = 0x18
 	FAN_EVENT_INFO_TYPE_DFID                    = 0x3
 	FAN_EVENT_INFO_TYPE_DFID_NAME               = 0x2
 	FAN_EVENT_INFO_TYPE_ERROR                   = 0x5
 	FAN_EVENT_INFO_TYPE_FID                     = 0x1
+	FAN_EVENT_INFO_TYPE_MNT                     = 0x7
 	FAN_EVENT_INFO_TYPE_NEW_DFID_NAME           = 0xc
 	FAN_EVENT_INFO_TYPE_OLD_DFID_NAME           = 0xa
 	FAN_EVENT_INFO_TYPE_PIDFD                   = 0x4
+	FAN_EVENT_INFO_TYPE_RANGE                   = 0x6
 	FAN_EVENT_METADATA_LEN                      = 0x18
 	FAN_EVENT_ON_CHILD                          = 0x8000000
 	FAN_FS_ERROR                                = 0x8000
@@ -1224,9 +1234,12 @@ const (
 	FAN_MARK_IGNORED_SURV_MODIFY                = 0x40
 	FAN_MARK_IGNORE_SURV                        = 0x440
 	FAN_MARK_INODE                              = 0x0
+	FAN_MARK_MNTNS                              = 0x110
 	FAN_MARK_MOUNT                              = 0x10
 	FAN_MARK_ONLYDIR                            = 0x8
 	FAN_MARK_REMOVE                             = 0x2
+	FAN_MNT_ATTACH                              = 0x1000000
+	FAN_MNT_DETACH                              = 0x2000000
 	FAN_MODIFY                                  = 0x2
 	FAN_MOVE                                    = 0xc0
 	FAN_MOVED_FROM                              = 0x40
@@ -1240,6 +1253,7 @@ const (
 	FAN_OPEN_EXEC                               = 0x1000
 	FAN_OPEN_EXEC_PERM                          = 0x40000
 	FAN_OPEN_PERM                               = 0x10000
+	FAN_PRE_ACCESS                              = 0x100000
 	FAN_Q_OVERFLOW                              = 0x4000
 	FAN_RENAME                                  = 0x10000000
 	FAN_REPORT_DFID_NAME                        = 0xc00
@@ -1247,6 +1261,7 @@ const (
 	FAN_REPORT_DIR_FID                          = 0x400
 	FAN_REPORT_FD_ERROR                         = 0x2000
 	FAN_REPORT_FID                              = 0x200
+	FAN_REPORT_MNT                              = 0x4000
 	FAN_REPORT_NAME                             = 0x800
 	FAN_REPORT_PIDFD                            = 0x80
 	FAN_REPORT_TARGET_FID                       = 0x1000
@@ -1266,6 +1281,7 @@ const (
 	FIB_RULE_PERMANENT                          = 0x1
 	FIB_RULE_UNRESOLVED                         = 0x4
 	FIDEDUPERANGE                               = 0xc0189436
+	FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED             = 0x1
 	FSCRYPT_KEY_DESCRIPTOR_SIZE                 = 0x8
 	FSCRYPT_KEY_DESC_PREFIX                     = "fscrypt:"
 	FSCRYPT_KEY_DESC_PREFIX_SIZE                = 0x8
@@ -1574,7 +1590,6 @@ const (
 	IPV6_DONTFRAG                               = 0x3e
 	IPV6_DROP_MEMBERSHIP                        = 0x15
 	IPV6_DSTOPTS                                = 0x3b
-	IPV6_FLOW                                   = 0x11
 	IPV6_FREEBIND                               = 0x4e
 	IPV6_HDRINCL                                = 0x24
 	IPV6_HOPLIMIT                               = 0x34
@@ -1625,7 +1640,6 @@ const (
 	IPV6_TRANSPARENT                            = 0x4b
 	IPV6_UNICAST_HOPS                           = 0x10
 	IPV6_UNICAST_IF                             = 0x4c
-	IPV6_USER_FLOW                              = 0xe
 	IPV6_V6ONLY                                 = 0x1a
 	IPV6_VERSION                                = 0x60
 	IPV6_VERSION_MASK                           = 0xf0
@@ -1687,7 +1701,6 @@ const (
 	IP_TTL                                      = 0x2
 	IP_UNBLOCK_SOURCE                           = 0x25
 	IP_UNICAST_IF                               = 0x32
-	IP_USER_FLOW                                = 0xd
 	IP_XFRM_POLICY                              = 0x11
 	ISOFS_SUPER_MAGIC                           = 0x9660
 	ISTRIP                                      = 0x20
@@ -1809,7 +1822,11 @@ const (
 	LANDLOCK_ACCESS_FS_WRITE_FILE               = 0x2
 	LANDLOCK_ACCESS_NET_BIND_TCP                = 0x1
 	LANDLOCK_ACCESS_NET_CONNECT_TCP             = 0x2
+	LANDLOCK_CREATE_RULESET_ERRATA              = 0x2
 	LANDLOCK_CREATE_RULESET_VERSION             = 0x1
+	LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON      = 0x2
+	LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF    = 0x1
+	LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF   = 0x4
 	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET         = 0x1
 	LANDLOCK_SCOPE_SIGNAL                       = 0x2
 	LINUX_REBOOT_CMD_CAD_OFF                    = 0x0
@@ -2485,6 +2502,10 @@ const (
 	PR_FP_EXC_UND                               = 0x40000
 	PR_FP_MODE_FR                               = 0x1
 	PR_FP_MODE_FRE                              = 0x2
+	PR_FUTEX_HASH                               = 0x4e
+	PR_FUTEX_HASH_GET_IMMUTABLE                 = 0x3
+	PR_FUTEX_HASH_GET_SLOTS                     = 0x2
+	PR_FUTEX_HASH_SET_SLOTS                     = 0x1
 	PR_GET_AUXV                                 = 0x41555856
 	PR_GET_CHILD_SUBREAPER                      = 0x25
 	PR_GET_DUMPABLE                             = 0x3
@@ -2644,6 +2665,10 @@ const (
 	PR_TAGGED_ADDR_ENABLE                       = 0x1
 	PR_TASK_PERF_EVENTS_DISABLE                 = 0x1f
 	PR_TASK_PERF_EVENTS_ENABLE                  = 0x20
+	PR_TIMER_CREATE_RESTORE_IDS                 = 0x4d
+	PR_TIMER_CREATE_RESTORE_IDS_GET             = 0x2
+	PR_TIMER_CREATE_RESTORE_IDS_OFF             = 0x0
+	PR_TIMER_CREATE_RESTORE_IDS_ON              = 0x1
 	PR_TIMING_STATISTICAL                       = 0x0
 	PR_TIMING_TIMESTAMP                         = 0x1
 	PR_TSC_ENABLE                               = 0x1
@@ -2724,6 +2749,7 @@ const (
 	PTRACE_SETREGSET                            = 0x4205
 	PTRACE_SETSIGINFO                           = 0x4203
 	PTRACE_SETSIGMASK                           = 0x420b
+	PTRACE_SET_SYSCALL_INFO                     = 0x4212
 	PTRACE_SET_SYSCALL_USER_DISPATCH_CONFIG     = 0x4210
 	PTRACE_SINGLESTEP                           = 0x9
 	PTRACE_SYSCALL                              = 0x18
@@ -2787,7 +2813,7 @@ const (
 	RTAX_UNSPEC                                 = 0x0
 	RTAX_WINDOW                                 = 0x3
 	RTA_ALIGNTO                                 = 0x4
-	RTA_MAX                                     = 0x1e
+	RTA_MAX                                     = 0x1f
 	RTCF_DIRECTSRC                              = 0x4000000
 	RTCF_DOREDIRECT                             = 0x1000000
 	RTCF_LOG                                    = 0x2000000
@@ -2864,10 +2890,12 @@ const (
 	RTM_DELACTION                               = 0x31
 	RTM_DELADDR                                 = 0x15
 	RTM_DELADDRLABEL                            = 0x49
+	RTM_DELANYCAST                              = 0x3d
 	RTM_DELCHAIN                                = 0x65
 	RTM_DELLINK                                 = 0x11
 	RTM_DELLINKPROP                             = 0x6d
 	RTM_DELMDB                                  = 0x55
+	RTM_DELMULTICAST                            = 0x39
 	RTM_DELNEIGH                                = 0x1d
 	RTM_DELNETCONF                              = 0x51
 	RTM_DELNEXTHOP                              = 0x69
@@ -2917,11 +2945,13 @@ const (
 	RTM_NEWACTION                               = 0x30
 	RTM_NEWADDR                                 = 0x14
 	RTM_NEWADDRLABEL                            = 0x48
+	RTM_NEWANYCAST                              = 0x3c
 	RTM_NEWCACHEREPORT                          = 0x60
 	RTM_NEWCHAIN                                = 0x64
 	RTM_NEWLINK                                 = 0x10
 	RTM_NEWLINKPROP                             = 0x6c
 	RTM_NEWMDB                                  = 0x54
+	RTM_NEWMULTICAST                            = 0x38
 	RTM_NEWNDUSEROPT                            = 0x44
 	RTM_NEWNEIGH                                = 0x1c
 	RTM_NEWNEIGHTBL                             = 0x40
@@ -2970,6 +3000,7 @@ const (
 	RTPROT_NTK                                  = 0xf
 	RTPROT_OPENR                                = 0x63
 	RTPROT_OSPF                                 = 0xbc
+	RTPROT_OVN                                  = 0x54
 	RTPROT_RA                                   = 0x9
 	RTPROT_REDIRECT                             = 0x1
 	RTPROT_RIP                                  = 0xbd
@@ -2987,11 +3018,12 @@ const (
 	RUSAGE_THREAD                               = 0x1
 	RWF_APPEND                                  = 0x10
 	RWF_ATOMIC                                  = 0x40
+	RWF_DONTCACHE                               = 0x80
 	RWF_DSYNC                                   = 0x2
 	RWF_HIPRI                                   = 0x1
 	RWF_NOAPPEND                                = 0x20
 	RWF_NOWAIT                                  = 0x8
-	RWF_SUPPORTED                               = 0x7f
+	RWF_SUPPORTED                               = 0xff
 	RWF_SYNC                                    = 0x4
 	RWF_WRITE_LIFE_NOT_SET                      = 0x0
 	SCHED_BATCH                                 = 0x3
@@ -3271,6 +3303,7 @@ const (
 	STATX_BTIME                                 = 0x800
 	STATX_CTIME                                 = 0x80
 	STATX_DIOALIGN                              = 0x2000
+	STATX_DIO_READ_ALIGN                        = 0x20000
 	STATX_GID                                   = 0x10
 	STATX_INO                                   = 0x100
 	STATX_MNT_ID                                = 0x1000
@@ -3322,7 +3355,7 @@ const (
 	TASKSTATS_GENL_NAME                         = "TASKSTATS"
 	TASKSTATS_GENL_VERSION                      = 0x1
 	TASKSTATS_TYPE_MAX                          = 0x6
-	TASKSTATS_VERSION                           = 0xe
+	TASKSTATS_VERSION                           = 0x10
 	TCIFLUSH                                    = 0x0
 	TCIOFF                                      = 0x2
 	TCIOFLUSH                                   = 0x2
@@ -3392,8 +3425,6 @@ const (
 	TCP_TX_DELAY                                = 0x25
 	TCP_ULP                                     = 0x1f
 	TCP_USER_TIMEOUT                            = 0x12
-	TCP_V4_FLOW                                 = 0x1
-	TCP_V6_FLOW                                 = 0x5
 	TCP_WINDOW_CLAMP                            = 0xa
 	TCP_ZEROCOPY_RECEIVE                        = 0x23
 	TFD_TIMER_ABSTIME                           = 0x1
@@ -3503,6 +3534,7 @@ const (
 	TP_STATUS_WRONG_FORMAT                      = 0x4
 	TRACEFS_MAGIC                               = 0x74726163
 	TS_COMM_LEN                                 = 0x20
+	UBI_IOCECNFO                                = 0xc01c6f06
 	UDF_SUPER_MAGIC                             = 0x15013346
 	UDP_CORK                                    = 0x1
 	UDP_ENCAP                                   = 0x64
@@ -3515,8 +3547,6 @@ const (
 	UDP_NO_CHECK6_RX                            = 0x66
 	UDP_NO_CHECK6_TX                            = 0x65
 	UDP_SEGMENT                                 = 0x67
-	UDP_V4_FLOW                                 = 0x2
-	UDP_V6_FLOW                                 = 0x6
 	UMOUNT_NOFOLLOW                             = 0x8
 	USBDEVICE_SUPER_MAGIC                       = 0x9fa2
 	UTIME_NOW                                   = 0x3fffffff
@@ -3559,7 +3589,7 @@ const (
 	WDIOS_TEMPPANIC                             = 0x4
 	WDIOS_UNKNOWN                               = -0x1
 	WEXITED                                     = 0x4
-	WGALLOWEDIP_A_MAX                           = 0x3
+	WGALLOWEDIP_A_MAX                           = 0x4
 	WGDEVICE_A_MAX                              = 0x8
 	WGPEER_A_MAX                                = 0xa
 	WG_CMD_MAX                                  = 0x1
@@ -3673,6 +3703,7 @@ const (
 	XDP_SHARED_UMEM                             = 0x1
 	XDP_STATISTICS                              = 0x7
 	XDP_TXMD_FLAGS_CHECKSUM                     = 0x2
+	XDP_TXMD_FLAGS_LAUNCH_TIME                  = 0x4
 	XDP_TXMD_FLAGS_TIMESTAMP                    = 0x1
 	XDP_TX_METADATA                             = 0x2
 	XDP_TX_RING                                 = 0x3
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
index 75207613..1c37f9fb 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0xfd12
 	ECCGETLAYOUT                     = 0x81484d11
 	ECCGETSTATS                      = 0x80104d12
 	ECHOCTL                          = 0x200
@@ -360,6 +361,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x10
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x11
@@ -372,6 +374,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x12
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x14
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x14
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
index c68acda5..6f54d34a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0xfd12
 	ECCGETLAYOUT                     = 0x81484d11
 	ECCGETSTATS                      = 0x80104d12
 	ECHOCTL                          = 0x200
@@ -361,6 +362,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x10
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x11
@@ -373,6 +375,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x12
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x14
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x14
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
index a8c607ab..783ec5c1 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0xfd12
 	ECCGETLAYOUT                     = 0x81484d11
 	ECCGETSTATS                      = 0x80104d12
 	ECHOCTL                          = 0x200
@@ -366,6 +367,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x10
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x11
@@ -378,6 +380,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x12
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x14
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x14
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
index 18563dd8..ca83d3ba 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0xfd12
 	ECCGETLAYOUT                     = 0x81484d11
 	ECCGETSTATS                      = 0x80104d12
 	ECHOCTL                          = 0x200
@@ -359,6 +360,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x10
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x11
@@ -371,6 +373,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x12
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x14
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x14
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
index 22912cda..607e611c 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0xfd12
 	ECCGETLAYOUT                     = 0x81484d11
 	ECCGETSTATS                      = 0x80104d12
 	ECHOCTL                          = 0x200
@@ -353,6 +354,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x10
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x11
@@ -365,6 +367,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x12
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x14
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x14
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
index 29344eb3..b9cb5bd3 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x200
@@ -359,6 +360,7 @@ const (
 	SO_OOBINLINE                     = 0x100
 	SO_PASSCRED                      = 0x11
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x12
@@ -371,6 +373,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x1004
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x1006
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x1006
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
index 20d51fb9..65b078a6 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x200
@@ -359,6 +360,7 @@ const (
 	SO_OOBINLINE                     = 0x100
 	SO_PASSCRED                      = 0x11
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x12
@@ -371,6 +373,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x1004
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x1006
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x1006
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
index 321b6090..5298a303 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x200
@@ -359,6 +360,7 @@ const (
 	SO_OOBINLINE                     = 0x100
 	SO_PASSCRED                      = 0x11
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x12
@@ -371,6 +373,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x1004
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x1006
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x1006
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
index 9bacdf1e..7bc557c8 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x200
@@ -359,6 +360,7 @@ const (
 	SO_OOBINLINE                     = 0x100
 	SO_PASSCRED                      = 0x11
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x12
@@ -371,6 +373,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x1004
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x1006
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x1006
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
index c2242726..152399bb 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x300
 	CSIZE                            = 0x300
 	CSTOPB                           = 0x400
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x40
@@ -414,6 +415,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x14
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x15
@@ -426,6 +428,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x10
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x12
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x12
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
index 6270c8ee..1a1ce240 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x300
 	CSIZE                            = 0x300
 	CSTOPB                           = 0x400
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x40
@@ -418,6 +419,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x14
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x15
@@ -430,6 +432,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x10
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x12
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x12
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
index 9966c194..4231a1fb 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x300
 	CSIZE                            = 0x300
 	CSTOPB                           = 0x400
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x40
@@ -418,6 +419,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x14
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x15
@@ -430,6 +432,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x10
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x12
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x12
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
index 848e5fcc..21c0e952 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0xfd12
 	ECCGETLAYOUT                     = 0x81484d11
 	ECCGETSTATS                      = 0x80104d12
 	ECHOCTL                          = 0x200
@@ -350,6 +351,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x10
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x11
@@ -362,6 +364,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x12
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x14
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x14
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
index 669b2adb..f00d1cd7 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
@@ -68,6 +68,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0xfd12
 	ECCGETLAYOUT                     = 0x81484d11
 	ECCGETSTATS                      = 0x80104d12
 	ECHOCTL                          = 0x200
@@ -422,6 +423,7 @@ const (
 	SO_OOBINLINE                     = 0xa
 	SO_PASSCRED                      = 0x10
 	SO_PASSPIDFD                     = 0x4c
+	SO_PASSRIGHTS                    = 0x53
 	SO_PASSSEC                       = 0x22
 	SO_PEEK_OFF                      = 0x2a
 	SO_PEERCRED                      = 0x11
@@ -434,6 +436,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x21
 	SO_RCVLOWAT                      = 0x12
 	SO_RCVMARK                       = 0x4b
+	SO_RCVPRIORITY                   = 0x52
 	SO_RCVTIMEO                      = 0x14
 	SO_RCVTIMEO_NEW                  = 0x42
 	SO_RCVTIMEO_OLD                  = 0x14
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
index 4834e575..bc8d539e 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
@@ -71,6 +71,7 @@ const (
 	CS8                              = 0x30
 	CSIZE                            = 0x30
 	CSTOPB                           = 0x40
+	DM_MPATH_PROBE_PATHS             = 0x2000fd12
 	ECCGETLAYOUT                     = 0x41484d11
 	ECCGETSTATS                      = 0x40104d12
 	ECHOCTL                          = 0x200
@@ -461,6 +462,7 @@ const (
 	SO_OOBINLINE                     = 0x100
 	SO_PASSCRED                      = 0x2
 	SO_PASSPIDFD                     = 0x55
+	SO_PASSRIGHTS                    = 0x5c
 	SO_PASSSEC                       = 0x1f
 	SO_PEEK_OFF                      = 0x26
 	SO_PEERCRED                      = 0x40
@@ -473,6 +475,7 @@ const (
 	SO_RCVBUFFORCE                   = 0x100b
 	SO_RCVLOWAT                      = 0x800
 	SO_RCVMARK                       = 0x54
+	SO_RCVPRIORITY                   = 0x5b
 	SO_RCVTIMEO                      = 0x2000
 	SO_RCVTIMEO_NEW                  = 0x44
 	SO_RCVTIMEO_OLD                  = 0x2000
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
index 24b346e1..813c05b6 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
@@ -2512,6 +2512,90 @@ var libc_munmap_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Fstat(fd int, stat *Stat_t) (err error) {
 	_, _, e1 := syscall_syscall(libc_fstat64_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(stat)), 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s b/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
index ebd21310..fda32858 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
@@ -738,6 +738,26 @@ TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munmap_trampoline_addr(SB)/8, $libc_munmap_trampoline<>(SB)
 
+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_fstat64_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstat64(SB)
 GLOBL	·libc_fstat64_trampoline_addr(SB), RODATA, $8
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go b/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
index 824b9c2d..e6f58f3c 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
@@ -2512,6 +2512,90 @@ var libc_munmap_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Fstat(fd int, stat *Stat_t) (err error) {
 	_, _, e1 := syscall_syscall(libc_fstat_trampoline_addr, uintptr(fd), uintptr(unsafe.Pointer(stat)), 0)
 	if e1 != 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s b/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
index 4f178a22..7f8998b9 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
@@ -738,6 +738,26 @@ TEXT libc_munmap_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_munmap_trampoline_addr(SB), RODATA, $8
 DATA	·libc_munmap_trampoline_addr(SB)/8, $libc_munmap_trampoline<>(SB)
 
+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_fstat_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_fstat(SB)
 GLOBL	·libc_fstat_trampoline_addr(SB), RODATA, $8
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
index c79aaff3..aca56ee4 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
@@ -462,4 +462,5 @@ const (
 	SYS_GETXATTRAT                   = 464
 	SYS_LISTXATTRAT                  = 465
 	SYS_REMOVEXATTRAT                = 466
+	SYS_OPEN_TREE_ATTR               = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
index 5eb45069..2ea1ef58 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
@@ -385,4 +385,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
index 05e50297..d22c8af3 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
@@ -426,4 +426,5 @@ const (
 	SYS_GETXATTRAT                   = 464
 	SYS_LISTXATTRAT                  = 465
 	SYS_REMOVEXATTRAT                = 466
+	SYS_OPEN_TREE_ATTR               = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
index 38c53ec5..5ee264ae 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
@@ -329,4 +329,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
index 31d2e71a..f9f03ebf 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
@@ -325,4 +325,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
index f4184a33..87c2118e 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
@@ -446,4 +446,5 @@ const (
 	SYS_GETXATTRAT                   = 4464
 	SYS_LISTXATTRAT                  = 4465
 	SYS_REMOVEXATTRAT                = 4466
+	SYS_OPEN_TREE_ATTR               = 4467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
index 05b99622..391ad102 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
@@ -376,4 +376,5 @@ const (
 	SYS_GETXATTRAT              = 5464
 	SYS_LISTXATTRAT             = 5465
 	SYS_REMOVEXATTRAT           = 5466
+	SYS_OPEN_TREE_ATTR          = 5467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
index 43a256e9..56561577 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
@@ -376,4 +376,5 @@ const (
 	SYS_GETXATTRAT              = 5464
 	SYS_LISTXATTRAT             = 5465
 	SYS_REMOVEXATTRAT           = 5466
+	SYS_OPEN_TREE_ATTR          = 5467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
index eea5ddfc..0482b52e 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
@@ -446,4 +446,5 @@ const (
 	SYS_GETXATTRAT                   = 4464
 	SYS_LISTXATTRAT                  = 4465
 	SYS_REMOVEXATTRAT                = 4466
+	SYS_OPEN_TREE_ATTR               = 4467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
index 0d777bfb..71806f08 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
@@ -453,4 +453,5 @@ const (
 	SYS_GETXATTRAT                   = 464
 	SYS_LISTXATTRAT                  = 465
 	SYS_REMOVEXATTRAT                = 466
+	SYS_OPEN_TREE_ATTR               = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
index b4463650..e35a7105 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
@@ -425,4 +425,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
index 0c7d21c1..2aea4767 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
@@ -425,4 +425,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
index 84053916..6c9bb4e5 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
@@ -330,4 +330,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
index fcf1b790..680bc991 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
@@ -391,4 +391,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
index 52d15b5f..620f2710 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
@@ -404,4 +404,5 @@ const (
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
 )
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go
index a46abe64..cd236443 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go
@@ -114,8 +114,10 @@ type Statx_t struct {
 	Atomic_write_unit_min     uint32
 	Atomic_write_unit_max     uint32
 	Atomic_write_segments_max uint32
+	Dio_read_offset_align     uint32
+	Atomic_write_unit_max_opt uint32
 	_                         [1]uint32
-	_                         [9]uint64
+	_                         [8]uint64
 }
 
 type Fsid struct {
@@ -199,7 +201,8 @@ type FscryptAddKeyArg struct {
 	Key_spec FscryptKeySpecifier
 	Raw_size uint32
 	Key_id   uint32
-	_        [8]uint32
+	Flags    uint32
+	_        [7]uint32
 }
 
 type FscryptRemoveKeyArg struct {
@@ -2226,8 +2229,11 @@ const (
 	NFT_PAYLOAD_LL_HEADER             = 0x0
 	NFT_PAYLOAD_NETWORK_HEADER        = 0x1
 	NFT_PAYLOAD_TRANSPORT_HEADER      = 0x2
+	NFT_PAYLOAD_INNER_HEADER          = 0x3
+	NFT_PAYLOAD_TUN_HEADER            = 0x4
 	NFT_PAYLOAD_CSUM_NONE             = 0x0
 	NFT_PAYLOAD_CSUM_INET             = 0x1
+	NFT_PAYLOAD_CSUM_SCTP             = 0x2
 	NFT_PAYLOAD_L4CSUM_PSEUDOHDR      = 0x1
 	NFTA_PAYLOAD_UNSPEC               = 0x0
 	NFTA_PAYLOAD_DREG                 = 0x1
@@ -2314,6 +2320,11 @@ const (
 	NFT_CT_AVGPKT                     = 0x10
 	NFT_CT_ZONE                       = 0x11
 	NFT_CT_EVENTMASK                  = 0x12
+	NFT_CT_SRC_IP                     = 0x13
+	NFT_CT_DST_IP                     = 0x14
+	NFT_CT_SRC_IP6                    = 0x15
+	NFT_CT_DST_IP6                    = 0x16
+	NFT_CT_ID                         = 0x17
 	NFTA_CT_UNSPEC                    = 0x0
 	NFTA_CT_DREG                      = 0x1
 	NFTA_CT_KEY                       = 0x2
@@ -2594,8 +2605,8 @@ const (
 	SOF_TIMESTAMPING_BIND_PHC     = 0x8000
 	SOF_TIMESTAMPING_OPT_ID_TCP   = 0x10000
 
-	SOF_TIMESTAMPING_LAST = 0x20000
-	SOF_TIMESTAMPING_MASK = 0x3ffff
+	SOF_TIMESTAMPING_LAST = 0x40000
+	SOF_TIMESTAMPING_MASK = 0x7ffff
 
 	SCM_TSTAMP_SND   = 0x0
 	SCM_TSTAMP_SCHED = 0x1
@@ -3802,7 +3813,16 @@ const (
 	ETHTOOL_MSG_PSE_GET                       = 0x24
 	ETHTOOL_MSG_PSE_SET                       = 0x25
 	ETHTOOL_MSG_RSS_GET                       = 0x26
-	ETHTOOL_MSG_USER_MAX                      = 0x2d
+	ETHTOOL_MSG_PLCA_GET_CFG                  = 0x27
+	ETHTOOL_MSG_PLCA_SET_CFG                  = 0x28
+	ETHTOOL_MSG_PLCA_GET_STATUS               = 0x29
+	ETHTOOL_MSG_MM_GET                        = 0x2a
+	ETHTOOL_MSG_MM_SET                        = 0x2b
+	ETHTOOL_MSG_MODULE_FW_FLASH_ACT           = 0x2c
+	ETHTOOL_MSG_PHY_GET                       = 0x2d
+	ETHTOOL_MSG_TSCONFIG_GET                  = 0x2e
+	ETHTOOL_MSG_TSCONFIG_SET                  = 0x2f
+	ETHTOOL_MSG_USER_MAX                      = 0x2f
 	ETHTOOL_MSG_KERNEL_NONE                   = 0x0
 	ETHTOOL_MSG_STRSET_GET_REPLY              = 0x1
 	ETHTOOL_MSG_LINKINFO_GET_REPLY            = 0x2
@@ -3842,7 +3862,17 @@ const (
 	ETHTOOL_MSG_MODULE_NTF                    = 0x24
 	ETHTOOL_MSG_PSE_GET_REPLY                 = 0x25
 	ETHTOOL_MSG_RSS_GET_REPLY                 = 0x26
-	ETHTOOL_MSG_KERNEL_MAX                    = 0x2e
+	ETHTOOL_MSG_PLCA_GET_CFG_REPLY            = 0x27
+	ETHTOOL_MSG_PLCA_GET_STATUS_REPLY         = 0x28
+	ETHTOOL_MSG_PLCA_NTF                      = 0x29
+	ETHTOOL_MSG_MM_GET_REPLY                  = 0x2a
+	ETHTOOL_MSG_MM_NTF                        = 0x2b
+	ETHTOOL_MSG_MODULE_FW_FLASH_NTF           = 0x2c
+	ETHTOOL_MSG_PHY_GET_REPLY                 = 0x2d
+	ETHTOOL_MSG_PHY_NTF                       = 0x2e
+	ETHTOOL_MSG_TSCONFIG_GET_REPLY            = 0x2f
+	ETHTOOL_MSG_TSCONFIG_SET_REPLY            = 0x30
+	ETHTOOL_MSG_KERNEL_MAX                    = 0x30
 	ETHTOOL_FLAG_COMPACT_BITSETS              = 0x1
 	ETHTOOL_FLAG_OMIT_REPLY                   = 0x2
 	ETHTOOL_FLAG_STATS                        = 0x4
@@ -3949,7 +3979,12 @@ const (
 	ETHTOOL_A_RINGS_TCP_DATA_SPLIT            = 0xb
 	ETHTOOL_A_RINGS_CQE_SIZE                  = 0xc
 	ETHTOOL_A_RINGS_TX_PUSH                   = 0xd
-	ETHTOOL_A_RINGS_MAX                       = 0x10
+	ETHTOOL_A_RINGS_RX_PUSH                   = 0xe
+	ETHTOOL_A_RINGS_TX_PUSH_BUF_LEN           = 0xf
+	ETHTOOL_A_RINGS_TX_PUSH_BUF_LEN_MAX       = 0x10
+	ETHTOOL_A_RINGS_HDS_THRESH                = 0x11
+	ETHTOOL_A_RINGS_HDS_THRESH_MAX            = 0x12
+	ETHTOOL_A_RINGS_MAX                       = 0x12
 	ETHTOOL_A_CHANNELS_UNSPEC                 = 0x0
 	ETHTOOL_A_CHANNELS_HEADER                 = 0x1
 	ETHTOOL_A_CHANNELS_RX_MAX                 = 0x2
@@ -4015,7 +4050,9 @@ const (
 	ETHTOOL_A_TSINFO_TX_TYPES                 = 0x3
 	ETHTOOL_A_TSINFO_RX_FILTERS               = 0x4
 	ETHTOOL_A_TSINFO_PHC_INDEX                = 0x5
-	ETHTOOL_A_TSINFO_MAX                      = 0x6
+	ETHTOOL_A_TSINFO_STATS                    = 0x6
+	ETHTOOL_A_TSINFO_HWTSTAMP_PROVIDER        = 0x7
+	ETHTOOL_A_TSINFO_MAX                      = 0x9
 	ETHTOOL_A_CABLE_TEST_UNSPEC               = 0x0
 	ETHTOOL_A_CABLE_TEST_HEADER               = 0x1
 	ETHTOOL_A_CABLE_TEST_MAX                  = 0x1
@@ -4101,6 +4138,19 @@ const (
 	ETHTOOL_A_TUNNEL_INFO_MAX                 = 0x2
 )
 
+const (
+	TCP_V4_FLOW    = 0x1
+	UDP_V4_FLOW    = 0x2
+	TCP_V6_FLOW    = 0x5
+	UDP_V6_FLOW    = 0x6
+	ESP_V4_FLOW    = 0xa
+	ESP_V6_FLOW    = 0xc
+	IP_USER_FLOW   = 0xd
+	IPV6_USER_FLOW = 0xe
+	IPV6_FLOW      = 0x11
+	ETHER_FLOW     = 0x12
+)
+
 const SPEED_UNKNOWN = -0x1
 
 type EthtoolDrvinfo struct {
@@ -4613,6 +4663,7 @@ const (
 	NL80211_ATTR_AKM_SUITES                                 = 0x4c
 	NL80211_ATTR_AP_ISOLATE                                 = 0x60
 	NL80211_ATTR_AP_SETTINGS_FLAGS                          = 0x135
+	NL80211_ATTR_ASSOC_SPP_AMSDU                            = 0x14a
 	NL80211_ATTR_AUTH_DATA                                  = 0x9c
 	NL80211_ATTR_AUTH_TYPE                                  = 0x35
 	NL80211_ATTR_BANDS                                      = 0xef
@@ -4623,6 +4674,7 @@ const (
 	NL80211_ATTR_BSS_BASIC_RATES                            = 0x24
 	NL80211_ATTR_BSS                                        = 0x2f
 	NL80211_ATTR_BSS_CTS_PROT                               = 0x1c
+	NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA                  = 0x147
 	NL80211_ATTR_BSS_HT_OPMODE                              = 0x6d
 	NL80211_ATTR_BSSID                                      = 0xf5
 	NL80211_ATTR_BSS_SELECT                                 = 0xe3
@@ -4682,6 +4734,7 @@ const (
 	NL80211_ATTR_DTIM_PERIOD                                = 0xd
 	NL80211_ATTR_DURATION                                   = 0x57
 	NL80211_ATTR_EHT_CAPABILITY                             = 0x136
+	NL80211_ATTR_EMA_RNR_ELEMS                              = 0x145
 	NL80211_ATTR_EML_CAPABILITY                             = 0x13d
 	NL80211_ATTR_EXT_CAPA                                   = 0xa9
 	NL80211_ATTR_EXT_CAPA_MASK                              = 0xaa
@@ -4717,6 +4770,7 @@ const (
 	NL80211_ATTR_HIDDEN_SSID                                = 0x7e
 	NL80211_ATTR_HT_CAPABILITY                              = 0x1f
 	NL80211_ATTR_HT_CAPABILITY_MASK                         = 0x94
+	NL80211_ATTR_HW_TIMESTAMP_ENABLED                       = 0x144
 	NL80211_ATTR_IE_ASSOC_RESP                              = 0x80
 	NL80211_ATTR_IE                                         = 0x2a
 	NL80211_ATTR_IE_PROBE_RESP                              = 0x7f
@@ -4747,9 +4801,10 @@ const (
 	NL80211_ATTR_MAC_HINT                                   = 0xc8
 	NL80211_ATTR_MAC_MASK                                   = 0xd7
 	NL80211_ATTR_MAX_AP_ASSOC_STA                           = 0xca
-	NL80211_ATTR_MAX                                        = 0x14d
+	NL80211_ATTR_MAX                                        = 0x151
 	NL80211_ATTR_MAX_CRIT_PROT_DURATION                     = 0xb4
 	NL80211_ATTR_MAX_CSA_COUNTERS                           = 0xce
+	NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS                     = 0x143
 	NL80211_ATTR_MAX_MATCH_SETS                             = 0x85
 	NL80211_ATTR_MAX_NUM_AKM_SUITES                         = 0x13c
 	NL80211_ATTR_MAX_NUM_PMKIDS                             = 0x56
@@ -4774,9 +4829,12 @@ const (
 	NL80211_ATTR_MGMT_SUBTYPE                               = 0x29
 	NL80211_ATTR_MLD_ADDR                                   = 0x13a
 	NL80211_ATTR_MLD_CAPA_AND_OPS                           = 0x13e
+	NL80211_ATTR_MLO_LINK_DISABLED                          = 0x146
 	NL80211_ATTR_MLO_LINK_ID                                = 0x139
 	NL80211_ATTR_MLO_LINKS                                  = 0x138
 	NL80211_ATTR_MLO_SUPPORT                                = 0x13b
+	NL80211_ATTR_MLO_TTLM_DLINK                             = 0x148
+	NL80211_ATTR_MLO_TTLM_ULINK                             = 0x149
 	NL80211_ATTR_MNTR_FLAGS                                 = 0x17
 	NL80211_ATTR_MPATH_INFO                                 = 0x1b
 	NL80211_ATTR_MPATH_NEXT_HOP                             = 0x1a
@@ -4809,12 +4867,14 @@ const (
 	NL80211_ATTR_PORT_AUTHORIZED                            = 0x103
 	NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN                    = 0x5
 	NL80211_ATTR_POWER_RULE_MAX_EIRP                        = 0x6
+	NL80211_ATTR_POWER_RULE_PSD                             = 0x8
 	NL80211_ATTR_PREV_BSSID                                 = 0x4f
 	NL80211_ATTR_PRIVACY                                    = 0x46
 	NL80211_ATTR_PROBE_RESP                                 = 0x91
 	NL80211_ATTR_PROBE_RESP_OFFLOAD                         = 0x90
 	NL80211_ATTR_PROTOCOL_FEATURES                          = 0xad
 	NL80211_ATTR_PS_STATE                                   = 0x5d
+	NL80211_ATTR_PUNCT_BITMAP                               = 0x142
 	NL80211_ATTR_QOS_MAP                                    = 0xc7
 	NL80211_ATTR_RADAR_BACKGROUND                           = 0x134
 	NL80211_ATTR_RADAR_EVENT                                = 0xa8
@@ -4943,7 +5003,9 @@ const (
 	NL80211_ATTR_WIPHY_FREQ                                 = 0x26
 	NL80211_ATTR_WIPHY_FREQ_HINT                            = 0xc9
 	NL80211_ATTR_WIPHY_FREQ_OFFSET                          = 0x122
+	NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS               = 0x14c
 	NL80211_ATTR_WIPHY_NAME                                 = 0x2
+	NL80211_ATTR_WIPHY_RADIOS                               = 0x14b
 	NL80211_ATTR_WIPHY_RETRY_LONG                           = 0x3e
 	NL80211_ATTR_WIPHY_RETRY_SHORT                          = 0x3d
 	NL80211_ATTR_WIPHY_RTS_THRESHOLD                        = 0x40
@@ -4978,6 +5040,8 @@ const (
 	NL80211_BAND_ATTR_IFTYPE_DATA                           = 0x9
 	NL80211_BAND_ATTR_MAX                                   = 0xd
 	NL80211_BAND_ATTR_RATES                                 = 0x2
+	NL80211_BAND_ATTR_S1G_CAPA                              = 0xd
+	NL80211_BAND_ATTR_S1G_MCS_NSS_SET                       = 0xc
 	NL80211_BAND_ATTR_VHT_CAPA                              = 0x8
 	NL80211_BAND_ATTR_VHT_MCS_SET                           = 0x7
 	NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC                    = 0x8
@@ -5001,6 +5065,10 @@ const (
 	NL80211_BSS_BEACON_INTERVAL                             = 0x4
 	NL80211_BSS_BEACON_TSF                                  = 0xd
 	NL80211_BSS_BSSID                                       = 0x1
+	NL80211_BSS_CANNOT_USE_6GHZ_PWR_MISMATCH                = 0x2
+	NL80211_BSS_CANNOT_USE_NSTR_NONPRIMARY                  = 0x1
+	NL80211_BSS_CANNOT_USE_REASONS                          = 0x18
+	NL80211_BSS_CANNOT_USE_UHB_PWR_MISMATCH                 = 0x2
 	NL80211_BSS_CAPABILITY                                  = 0x5
 	NL80211_BSS_CHAIN_SIGNAL                                = 0x13
 	NL80211_BSS_CHAN_WIDTH_10                               = 0x1
@@ -5032,6 +5100,9 @@ const (
 	NL80211_BSS_STATUS                                      = 0x9
 	NL80211_BSS_STATUS_IBSS_JOINED                          = 0x2
 	NL80211_BSS_TSF                                         = 0x3
+	NL80211_BSS_USE_FOR                                     = 0x17
+	NL80211_BSS_USE_FOR_MLD_LINK                            = 0x2
+	NL80211_BSS_USE_FOR_NORMAL                              = 0x1
 	NL80211_CHAN_HT20                                       = 0x1
 	NL80211_CHAN_HT40MINUS                                  = 0x2
 	NL80211_CHAN_HT40PLUS                                   = 0x3
@@ -5117,7 +5188,8 @@ const (
 	NL80211_CMD_LEAVE_IBSS                                  = 0x2c
 	NL80211_CMD_LEAVE_MESH                                  = 0x45
 	NL80211_CMD_LEAVE_OCB                                   = 0x6d
-	NL80211_CMD_MAX                                         = 0x9b
+	NL80211_CMD_LINKS_REMOVED                               = 0x9a
+	NL80211_CMD_MAX                                         = 0x9d
 	NL80211_CMD_MICHAEL_MIC_FAILURE                         = 0x29
 	NL80211_CMD_MODIFY_LINK_STA                             = 0x97
 	NL80211_CMD_NAN_MATCH                                   = 0x78
@@ -5161,6 +5233,7 @@ const (
 	NL80211_CMD_SET_COALESCE                                = 0x65
 	NL80211_CMD_SET_CQM                                     = 0x3f
 	NL80211_CMD_SET_FILS_AAD                                = 0x92
+	NL80211_CMD_SET_HW_TIMESTAMP                            = 0x99
 	NL80211_CMD_SET_INTERFACE                               = 0x6
 	NL80211_CMD_SET_KEY                                     = 0xa
 	NL80211_CMD_SET_MAC_ACL                                 = 0x5d
@@ -5180,6 +5253,7 @@ const (
 	NL80211_CMD_SET_SAR_SPECS                               = 0x8c
 	NL80211_CMD_SET_STATION                                 = 0x12
 	NL80211_CMD_SET_TID_CONFIG                              = 0x89
+	NL80211_CMD_SET_TID_TO_LINK_MAPPING                     = 0x9b
 	NL80211_CMD_SET_TX_BITRATE_MASK                         = 0x39
 	NL80211_CMD_SET_WDS_PEER                                = 0x42
 	NL80211_CMD_SET_WIPHY                                   = 0x2
@@ -5247,6 +5321,7 @@ const (
 	NL80211_EXT_FEATURE_AIRTIME_FAIRNESS                    = 0x21
 	NL80211_EXT_FEATURE_AP_PMKSA_CACHING                    = 0x22
 	NL80211_EXT_FEATURE_AQL                                 = 0x28
+	NL80211_EXT_FEATURE_AUTH_AND_DEAUTH_RANDOM_TA           = 0x40
 	NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT            = 0x2e
 	NL80211_EXT_FEATURE_BEACON_PROTECTION                   = 0x29
 	NL80211_EXT_FEATURE_BEACON_RATE_HE                      = 0x36
@@ -5262,6 +5337,7 @@ const (
 	NL80211_EXT_FEATURE_CQM_RSSI_LIST                       = 0xd
 	NL80211_EXT_FEATURE_DATA_ACK_SIGNAL_SUPPORT             = 0x1b
 	NL80211_EXT_FEATURE_DEL_IBSS_STA                        = 0x2c
+	NL80211_EXT_FEATURE_DFS_CONCURRENT                      = 0x43
 	NL80211_EXT_FEATURE_DFS_OFFLOAD                         = 0x19
 	NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER                = 0x20
 	NL80211_EXT_FEATURE_EXT_KEY_ID                          = 0x24
@@ -5281,9 +5357,12 @@ const (
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION  = 0x14
 	NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE          = 0x13
 	NL80211_EXT_FEATURE_OPERATING_CHANNEL_VALIDATION        = 0x31
+	NL80211_EXT_FEATURE_OWE_OFFLOAD_AP                      = 0x42
+	NL80211_EXT_FEATURE_OWE_OFFLOAD                         = 0x41
 	NL80211_EXT_FEATURE_POWERED_ADDR_CHANGE                 = 0x3d
 	NL80211_EXT_FEATURE_PROTECTED_TWT                       = 0x2b
 	NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE         = 0x39
+	NL80211_EXT_FEATURE_PUNCT                               = 0x3e
 	NL80211_EXT_FEATURE_RADAR_BACKGROUND                    = 0x3c
 	NL80211_EXT_FEATURE_RRM                                 = 0x1
 	NL80211_EXT_FEATURE_SAE_OFFLOAD_AP                      = 0x33
@@ -5295,8 +5374,10 @@ const (
 	NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD = 0x23
 	NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI            = 0xc
 	NL80211_EXT_FEATURE_SECURE_LTF                          = 0x37
+	NL80211_EXT_FEATURE_SECURE_NAN                          = 0x3f
 	NL80211_EXT_FEATURE_SECURE_RTT                          = 0x38
 	NL80211_EXT_FEATURE_SET_SCAN_DWELL                      = 0x5
+	NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT                   = 0x44
 	NL80211_EXT_FEATURE_STA_TX_PWR                          = 0x25
 	NL80211_EXT_FEATURE_TXQS                                = 0x1c
 	NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP              = 0x35
@@ -5343,7 +5424,10 @@ const (
 	NL80211_FREQUENCY_ATTR_2MHZ                             = 0x16
 	NL80211_FREQUENCY_ATTR_4MHZ                             = 0x17
 	NL80211_FREQUENCY_ATTR_8MHZ                             = 0x18
+	NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP                = 0x21
+	NL80211_FREQUENCY_ATTR_CAN_MONITOR                      = 0x20
 	NL80211_FREQUENCY_ATTR_DFS_CAC_TIME                     = 0xd
+	NL80211_FREQUENCY_ATTR_DFS_CONCURRENT                   = 0x1d
 	NL80211_FREQUENCY_ATTR_DFS_STATE                        = 0x7
 	NL80211_FREQUENCY_ATTR_DFS_TIME                         = 0x8
 	NL80211_FREQUENCY_ATTR_DISABLED                         = 0x2
@@ -5351,12 +5435,14 @@ const (
 	NL80211_FREQUENCY_ATTR_GO_CONCURRENT                    = 0xf
 	NL80211_FREQUENCY_ATTR_INDOOR_ONLY                      = 0xe
 	NL80211_FREQUENCY_ATTR_IR_CONCURRENT                    = 0xf
-	NL80211_FREQUENCY_ATTR_MAX                              = 0x21
+	NL80211_FREQUENCY_ATTR_MAX                              = 0x22
 	NL80211_FREQUENCY_ATTR_MAX_TX_POWER                     = 0x6
 	NL80211_FREQUENCY_ATTR_NO_10MHZ                         = 0x11
 	NL80211_FREQUENCY_ATTR_NO_160MHZ                        = 0xc
 	NL80211_FREQUENCY_ATTR_NO_20MHZ                         = 0x10
 	NL80211_FREQUENCY_ATTR_NO_320MHZ                        = 0x1a
+	NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT               = 0x1f
+	NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT               = 0x1e
 	NL80211_FREQUENCY_ATTR_NO_80MHZ                         = 0xb
 	NL80211_FREQUENCY_ATTR_NO_EHT                           = 0x1b
 	NL80211_FREQUENCY_ATTR_NO_HE                            = 0x13
@@ -5364,8 +5450,11 @@ const (
 	NL80211_FREQUENCY_ATTR_NO_HT40_PLUS                     = 0xa
 	NL80211_FREQUENCY_ATTR_NO_IBSS                          = 0x3
 	NL80211_FREQUENCY_ATTR_NO_IR                            = 0x3
+	NL80211_FREQUENCY_ATTR_NO_UHB_AFC_CLIENT                = 0x1f
+	NL80211_FREQUENCY_ATTR_NO_UHB_VLP_CLIENT                = 0x1e
 	NL80211_FREQUENCY_ATTR_OFFSET                           = 0x14
 	NL80211_FREQUENCY_ATTR_PASSIVE_SCAN                     = 0x3
+	NL80211_FREQUENCY_ATTR_PSD                              = 0x1c
 	NL80211_FREQUENCY_ATTR_RADAR                            = 0x5
 	NL80211_FREQUENCY_ATTR_WMM                              = 0x12
 	NL80211_FTM_RESP_ATTR_CIVICLOC                          = 0x3
@@ -5430,6 +5519,7 @@ const (
 	NL80211_IFTYPE_STATION                                  = 0x2
 	NL80211_IFTYPE_UNSPECIFIED                              = 0x0
 	NL80211_IFTYPE_WDS                                      = 0x5
+	NL80211_KCK_EXT_LEN_32                                  = 0x20
 	NL80211_KCK_EXT_LEN                                     = 0x18
 	NL80211_KCK_LEN                                         = 0x10
 	NL80211_KEK_EXT_LEN                                     = 0x20
@@ -5458,9 +5548,10 @@ const (
 	NL80211_MAX_SUPP_HT_RATES                               = 0x4d
 	NL80211_MAX_SUPP_RATES                                  = 0x20
 	NL80211_MAX_SUPP_REG_RULES                              = 0x80
+	NL80211_MAX_SUPP_SELECTORS                              = 0x80
 	NL80211_MBSSID_CONFIG_ATTR_EMA                          = 0x5
 	NL80211_MBSSID_CONFIG_ATTR_INDEX                        = 0x3
-	NL80211_MBSSID_CONFIG_ATTR_MAX                          = 0x5
+	NL80211_MBSSID_CONFIG_ATTR_MAX                          = 0x6
 	NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY  = 0x2
 	NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES               = 0x1
 	NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX                   = 0x4
@@ -5703,11 +5794,16 @@ const (
 	NL80211_RADAR_PRE_CAC_EXPIRED                           = 0x4
 	NL80211_RATE_INFO_10_MHZ_WIDTH                          = 0xb
 	NL80211_RATE_INFO_160_MHZ_WIDTH                         = 0xa
+	NL80211_RATE_INFO_16_MHZ_WIDTH                          = 0x1d
+	NL80211_RATE_INFO_1_MHZ_WIDTH                           = 0x19
+	NL80211_RATE_INFO_2_MHZ_WIDTH                           = 0x1a
 	NL80211_RATE_INFO_320_MHZ_WIDTH                         = 0x12
 	NL80211_RATE_INFO_40_MHZ_WIDTH                          = 0x3
+	NL80211_RATE_INFO_4_MHZ_WIDTH                           = 0x1b
 	NL80211_RATE_INFO_5_MHZ_WIDTH                           = 0xc
 	NL80211_RATE_INFO_80_MHZ_WIDTH                          = 0x8
 	NL80211_RATE_INFO_80P80_MHZ_WIDTH                       = 0x9
+	NL80211_RATE_INFO_8_MHZ_WIDTH                           = 0x1c
 	NL80211_RATE_INFO_BITRATE32                             = 0x5
 	NL80211_RATE_INFO_BITRATE                               = 0x1
 	NL80211_RATE_INFO_EHT_GI_0_8                            = 0x0
@@ -5753,6 +5849,8 @@ const (
 	NL80211_RATE_INFO_HE_RU_ALLOC                           = 0x11
 	NL80211_RATE_INFO_MAX                                   = 0x1d
 	NL80211_RATE_INFO_MCS                                   = 0x2
+	NL80211_RATE_INFO_S1G_MCS                               = 0x17
+	NL80211_RATE_INFO_S1G_NSS                               = 0x18
 	NL80211_RATE_INFO_SHORT_GI                              = 0x4
 	NL80211_RATE_INFO_VHT_MCS                               = 0x6
 	NL80211_RATE_INFO_VHT_NSS                               = 0x7
@@ -5770,14 +5868,19 @@ const (
 	NL80211_REKEY_DATA_KEK                                  = 0x1
 	NL80211_REKEY_DATA_REPLAY_CTR                           = 0x3
 	NL80211_REPLAY_CTR_LEN                                  = 0x8
+	NL80211_RRF_ALLOW_6GHZ_VLP_AP                           = 0x1000000
 	NL80211_RRF_AUTO_BW                                     = 0x800
 	NL80211_RRF_DFS                                         = 0x10
+	NL80211_RRF_DFS_CONCURRENT                              = 0x200000
 	NL80211_RRF_GO_CONCURRENT                               = 0x1000
 	NL80211_RRF_IR_CONCURRENT                               = 0x1000
 	NL80211_RRF_NO_160MHZ                                   = 0x10000
 	NL80211_RRF_NO_320MHZ                                   = 0x40000
+	NL80211_RRF_NO_6GHZ_AFC_CLIENT                          = 0x800000
+	NL80211_RRF_NO_6GHZ_VLP_CLIENT                          = 0x400000
 	NL80211_RRF_NO_80MHZ                                    = 0x8000
 	NL80211_RRF_NO_CCK                                      = 0x2
+	NL80211_RRF_NO_EHT                                      = 0x80000
 	NL80211_RRF_NO_HE                                       = 0x20000
 	NL80211_RRF_NO_HT40                                     = 0x6000
 	NL80211_RRF_NO_HT40MINUS                                = 0x2000
@@ -5788,7 +5891,10 @@ const (
 	NL80211_RRF_NO_IR                                       = 0x80
 	NL80211_RRF_NO_OFDM                                     = 0x1
 	NL80211_RRF_NO_OUTDOOR                                  = 0x8
+	NL80211_RRF_NO_UHB_AFC_CLIENT                           = 0x800000
+	NL80211_RRF_NO_UHB_VLP_CLIENT                           = 0x400000
 	NL80211_RRF_PASSIVE_SCAN                                = 0x80
+	NL80211_RRF_PSD                                         = 0x100000
 	NL80211_RRF_PTMP_ONLY                                   = 0x40
 	NL80211_RRF_PTP_ONLY                                    = 0x20
 	NL80211_RXMGMT_FLAG_ANSWERED                            = 0x1
@@ -5849,6 +5955,7 @@ const (
 	NL80211_STA_FLAG_MAX_OLD_API                            = 0x6
 	NL80211_STA_FLAG_MFP                                    = 0x4
 	NL80211_STA_FLAG_SHORT_PREAMBLE                         = 0x2
+	NL80211_STA_FLAG_SPP_AMSDU                              = 0x8
 	NL80211_STA_FLAG_TDLS_PEER                              = 0x6
 	NL80211_STA_FLAG_WME                                    = 0x3
 	NL80211_STA_INFO_ACK_SIGNAL_AVG                         = 0x23
@@ -6007,6 +6114,13 @@ const (
 	NL80211_VHT_CAPABILITY_LEN                              = 0xc
 	NL80211_VHT_NSS_MAX                                     = 0x8
 	NL80211_WIPHY_NAME_MAXLEN                               = 0x40
+	NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE                     = 0x2
+	NL80211_WIPHY_RADIO_ATTR_INDEX                          = 0x1
+	NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION          = 0x3
+	NL80211_WIPHY_RADIO_ATTR_MAX                            = 0x4
+	NL80211_WIPHY_RADIO_FREQ_ATTR_END                       = 0x2
+	NL80211_WIPHY_RADIO_FREQ_ATTR_MAX                       = 0x2
+	NL80211_WIPHY_RADIO_FREQ_ATTR_START                     = 0x1
 	NL80211_WMMR_AIFSN                                      = 0x3
 	NL80211_WMMR_CW_MAX                                     = 0x2
 	NL80211_WMMR_CW_MIN                                     = 0x1
@@ -6038,6 +6152,7 @@ const (
 	NL80211_WOWLAN_TRIG_PKT_PATTERN                         = 0x4
 	NL80211_WOWLAN_TRIG_RFKILL_RELEASE                      = 0x9
 	NL80211_WOWLAN_TRIG_TCP_CONNECTION                      = 0xe
+	NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC         = 0x14
 	NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211                    = 0xa
 	NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN                = 0xb
 	NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023                     = 0xc
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_386.go b/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
index fd402da4..485f2d3a 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
@@ -282,7 +282,7 @@ type Taskstats struct {
 	Ac_exitcode               uint32
 	Ac_flag                   uint8
 	Ac_nice                   uint8
-	_                         [4]byte
+	_                         [6]byte
 	Cpu_count                 uint64
 	Cpu_delay_total           uint64
 	Blkio_count               uint64
@@ -338,6 +338,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint32
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
index eb7a5e18..ecbd1ad8 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
@@ -351,6 +351,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go b/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
index d78ac108..02f0463a 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
@@ -91,7 +91,7 @@ type Stat_t struct {
 	Gid     uint32
 	Rdev    uint64
 	_       uint16
-	_       [4]byte
+	_       [6]byte
 	Size    int64
 	Blksize int32
 	_       [4]byte
@@ -273,7 +273,7 @@ type Taskstats struct {
 	Ac_exitcode               uint32
 	Ac_flag                   uint8
 	Ac_nice                   uint8
-	_                         [4]byte
+	_                         [6]byte
 	Cpu_count                 uint64
 	Cpu_delay_total           uint64
 	Blkio_count               uint64
@@ -329,6 +329,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint32
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
index cd06d47f..6f4d400d 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
@@ -330,6 +330,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
index 2f28fe26..cd532cfa 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
@@ -331,6 +331,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
index 71d6cac2..41336208 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
@@ -278,7 +278,7 @@ type Taskstats struct {
 	Ac_exitcode               uint32
 	Ac_flag                   uint8
 	Ac_nice                   uint8
-	_                         [4]byte
+	_                         [6]byte
 	Cpu_count                 uint64
 	Cpu_delay_total           uint64
 	Blkio_count               uint64
@@ -334,6 +334,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint32
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
index 8596d453..eaa37eb7 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
@@ -333,6 +333,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
index cd60ea18..98ae6a1e 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
@@ -333,6 +333,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
index b0ae420c..cae19615 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
@@ -278,7 +278,7 @@ type Taskstats struct {
 	Ac_exitcode               uint32
 	Ac_flag                   uint8
 	Ac_nice                   uint8
-	_                         [4]byte
+	_                         [6]byte
 	Cpu_count                 uint64
 	Cpu_delay_total           uint64
 	Blkio_count               uint64
@@ -334,6 +334,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint32
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
index 83597287..6ce3b4e0 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
@@ -90,7 +90,7 @@ type Stat_t struct {
 	Gid     uint32
 	Rdev    uint64
 	_       uint16
-	_       [4]byte
+	_       [6]byte
 	Size    int64
 	Blksize int32
 	_       [4]byte
@@ -285,7 +285,7 @@ type Taskstats struct {
 	Ac_exitcode               uint32
 	Ac_flag                   uint8
 	Ac_nice                   uint8
-	_                         [4]byte
+	_                         [6]byte
 	Cpu_count                 uint64
 	Cpu_delay_total           uint64
 	Blkio_count               uint64
@@ -341,6 +341,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint32
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
index 69eb6a5c..c7429c6a 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
@@ -340,6 +340,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
index 5f583cb6..4bf4baf4 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
@@ -340,6 +340,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
index ad05b51a..e9709d70 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
@@ -358,6 +358,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go b/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
index cf3ce900..fb44268c 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
@@ -353,6 +353,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
index 590b5673..9c38265c 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
@@ -335,6 +335,22 @@ type Taskstats struct {
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
+	Cpu_delay_max             uint64
+	Cpu_delay_min             uint64
+	Blkio_delay_max           uint64
+	Blkio_delay_min           uint64
+	Swapin_delay_max          uint64
+	Swapin_delay_min          uint64
+	Freepages_delay_max       uint64
+	Freepages_delay_min       uint64
+	Thrashing_delay_max       uint64
+	Thrashing_delay_min       uint64
+	Compact_delay_max         uint64
+	Compact_delay_min         uint64
+	Wpcopy_delay_max          uint64
+	Wpcopy_delay_min          uint64
+	Irq_delay_max             uint64
+	Irq_delay_min             uint64
 }
 
 type cpuMask uint64
diff --git a/vendor/golang.org/x/sys/windows/registry/key.go b/vendor/golang.org/x/sys/windows/registry/key.go
index fd863244..39aeeb64 100644
--- a/vendor/golang.org/x/sys/windows/registry/key.go
+++ b/vendor/golang.org/x/sys/windows/registry/key.go
@@ -164,7 +164,12 @@ loopItems:
 func CreateKey(k Key, path string, access uint32) (newk Key, openedExisting bool, err error) {
 	var h syscall.Handle
 	var d uint32
-	err = regCreateKeyEx(syscall.Handle(k), syscall.StringToUTF16Ptr(path),
+	var pathPointer *uint16
+	pathPointer, err = syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return 0, false, err
+	}
+	err = regCreateKeyEx(syscall.Handle(k), pathPointer,
 		0, nil, _REG_OPTION_NON_VOLATILE, access, nil, &h, &d)
 	if err != nil {
 		return 0, false, err
@@ -174,7 +179,11 @@ func CreateKey(k Key, path string, access uint32) (newk Key, openedExisting bool
 
 // DeleteKey deletes the subkey path of key k and its values.
 func DeleteKey(k Key, path string) error {
-	return regDeleteKey(syscall.Handle(k), syscall.StringToUTF16Ptr(path))
+	pathPointer, err := syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return err
+	}
+	return regDeleteKey(syscall.Handle(k), pathPointer)
 }
 
 // A KeyInfo describes the statistics of a key. It is returned by Stat.
diff --git a/vendor/golang.org/x/sys/windows/registry/value.go b/vendor/golang.org/x/sys/windows/registry/value.go
index 74db26b9..a1bcbb23 100644
--- a/vendor/golang.org/x/sys/windows/registry/value.go
+++ b/vendor/golang.org/x/sys/windows/registry/value.go
@@ -340,7 +340,11 @@ func (k Key) SetBinaryValue(name string, value []byte) error {
 
 // DeleteValue removes a named value from the key k.
 func (k Key) DeleteValue(name string) error {
-	return regDeleteValue(syscall.Handle(k), syscall.StringToUTF16Ptr(name))
+	namePointer, err := syscall.UTF16PtrFromString(name)
+	if err != nil {
+		return err
+	}
+	return regDeleteValue(syscall.Handle(k), namePointer)
 }
 
 // ReadValueNames returns the value names of key k.
diff --git a/vendor/golang.org/x/sys/windows/security_windows.go b/vendor/golang.org/x/sys/windows/security_windows.go
index b6e1ab76..a8b0364c 100644
--- a/vendor/golang.org/x/sys/windows/security_windows.go
+++ b/vendor/golang.org/x/sys/windows/security_windows.go
@@ -1303,7 +1303,10 @@ func (selfRelativeSD *SECURITY_DESCRIPTOR) ToAbsolute() (absoluteSD *SECURITY_DE
 		return nil, err
 	}
 	if absoluteSDSize > 0 {
-		absoluteSD = (*SECURITY_DESCRIPTOR)(unsafe.Pointer(&make([]byte, absoluteSDSize)[0]))
+		absoluteSD = new(SECURITY_DESCRIPTOR)
+		if unsafe.Sizeof(*absoluteSD) < uintptr(absoluteSDSize) {
+			panic("sizeof(SECURITY_DESCRIPTOR) too small")
+		}
 	}
 	var (
 		dacl  *ACL
@@ -1312,19 +1315,55 @@ func (selfRelativeSD *SECURITY_DESCRIPTOR) ToAbsolute() (absoluteSD *SECURITY_DE
 		group *SID
 	)
 	if daclSize > 0 {
-		dacl = (*ACL)(unsafe.Pointer(&make([]byte, daclSize)[0]))
+		dacl = (*ACL)(unsafe.Pointer(unsafe.SliceData(make([]byte, daclSize))))
 	}
 	if saclSize > 0 {
-		sacl = (*ACL)(unsafe.Pointer(&make([]byte, saclSize)[0]))
+		sacl = (*ACL)(unsafe.Pointer(unsafe.SliceData(make([]byte, saclSize))))
 	}
 	if ownerSize > 0 {
-		owner = (*SID)(unsafe.Pointer(&make([]byte, ownerSize)[0]))
+		owner = (*SID)(unsafe.Pointer(unsafe.SliceData(make([]byte, ownerSize))))
 	}
 	if groupSize > 0 {
-		group = (*SID)(unsafe.Pointer(&make([]byte, groupSize)[0]))
+		group = (*SID)(unsafe.Pointer(unsafe.SliceData(make([]byte, groupSize))))
 	}
+	// We call into Windows via makeAbsoluteSD, which sets up
+	// pointers within absoluteSD that point to other chunks of memory
+	// we pass into makeAbsoluteSD, and that happens outside the view of the GC.
+	// We therefore take some care here to then verify the pointers are as we expect
+	// and set them explicitly in view of the GC. See https://go.dev/issue/73199.
+	// TODO: consider weak pointers once Go 1.24 is appropriate. See suggestion in https://go.dev/cl/663575.
 	err = makeAbsoluteSD(selfRelativeSD, absoluteSD, &absoluteSDSize,
 		dacl, &daclSize, sacl, &saclSize, owner, &ownerSize, group, &groupSize)
+	if err != nil {
+		// Don't return absoluteSD, which might be partially initialized.
+		return nil, err
+	}
+	// Before using any fields, verify absoluteSD is in the format we expect according to Windows.
+	// See https://learn.microsoft.com/en-us/windows/win32/secauthz/absolute-and-self-relative-security-descriptors
+	absControl, _, err := absoluteSD.Control()
+	if err != nil {
+		panic("absoluteSD: " + err.Error())
+	}
+	if absControl&SE_SELF_RELATIVE != 0 {
+		panic("absoluteSD not in absolute format")
+	}
+	if absoluteSD.dacl != dacl {
+		panic("dacl pointer mismatch")
+	}
+	if absoluteSD.sacl != sacl {
+		panic("sacl pointer mismatch")
+	}
+	if absoluteSD.owner != owner {
+		panic("owner pointer mismatch")
+	}
+	if absoluteSD.group != group {
+		panic("group pointer mismatch")
+	}
+	absoluteSD.dacl = dacl
+	absoluteSD.sacl = sacl
+	absoluteSD.owner = owner
+	absoluteSD.group = group
+
 	return
 }
 
diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go
index 4a325438..640f6b15 100644
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@@ -870,6 +870,7 @@ const socket_error = uintptr(^uint32(0))
 //sys	WSARecvFrom(s Handle, bufs *WSABuf, bufcnt uint32, recvd *uint32, flags *uint32,  from *RawSockaddrAny, fromlen *int32, overlapped *Overlapped, croutine *byte) (err error) [failretval==socket_error] = ws2_32.WSARecvFrom
 //sys	WSASendTo(s Handle, bufs *WSABuf, bufcnt uint32, sent *uint32, flags uint32, to *RawSockaddrAny, tolen int32,  overlapped *Overlapped, croutine *byte) (err error) [failretval==socket_error] = ws2_32.WSASendTo
 //sys	WSASocket(af int32, typ int32, protocol int32, protoInfo *WSAProtocolInfo, group uint32, flags uint32) (handle Handle, err error) [failretval==InvalidHandle] = ws2_32.WSASocketW
+//sys	WSADuplicateSocket(s Handle, processID uint32, info *WSAProtocolInfo) (err error) [failretval!=0] = ws2_32.WSADuplicateSocketW
 //sys	GetHostByName(name string) (h *Hostent, err error) [failretval==nil] = ws2_32.gethostbyname
 //sys	GetServByName(name string, proto string) (s *Servent, err error) [failretval==nil] = ws2_32.getservbyname
 //sys	Ntohs(netshort uint16) (u uint16) = ws2_32.ntohs
@@ -1698,8 +1699,9 @@ func NewNTUnicodeString(s string) (*NTUnicodeString, error) {
 
 // Slice returns a uint16 slice that aliases the data in the NTUnicodeString.
 func (s *NTUnicodeString) Slice() []uint16 {
-	slice := unsafe.Slice(s.Buffer, s.MaximumLength)
-	return slice[:s.Length]
+	// Note: this rounds the length down, if it happens
+	// to (incorrectly) be odd. Probably safer than rounding up.
+	return unsafe.Slice(s.Buffer, s.MaximumLength/2)[:s.Length/2]
 }
 
 func (s *NTUnicodeString) String() string {
diff --git a/vendor/golang.org/x/sys/windows/types_windows.go b/vendor/golang.org/x/sys/windows/types_windows.go
index 9d138de5..958bcf47 100644
--- a/vendor/golang.org/x/sys/windows/types_windows.go
+++ b/vendor/golang.org/x/sys/windows/types_windows.go
@@ -1074,6 +1074,7 @@ const (
 	IP_ADD_MEMBERSHIP  = 0xc
 	IP_DROP_MEMBERSHIP = 0xd
 	IP_PKTINFO         = 0x13
+	IP_MTU_DISCOVER    = 0x47
 
 	IPV6_V6ONLY         = 0x1b
 	IPV6_UNICAST_HOPS   = 0x4
@@ -1083,6 +1084,7 @@ const (
 	IPV6_JOIN_GROUP     = 0xc
 	IPV6_LEAVE_GROUP    = 0xd
 	IPV6_PKTINFO        = 0x13
+	IPV6_MTU_DISCOVER   = 0x47
 
 	MSG_OOB       = 0x1
 	MSG_PEEK      = 0x2
@@ -1132,6 +1134,15 @@ const (
 	WSASYS_STATUS_LEN  = 128
 )
 
+// enum PMTUD_STATE from ws2ipdef.h
+const (
+	IP_PMTUDISC_NOT_SET = 0
+	IP_PMTUDISC_DO      = 1
+	IP_PMTUDISC_DONT    = 2
+	IP_PMTUDISC_PROBE   = 3
+	IP_PMTUDISC_MAX     = 4
+)
+
 type WSABuf struct {
 	Len uint32
 	Buf *byte
@@ -1146,6 +1157,22 @@ type WSAMsg struct {
 	Flags       uint32
 }
 
+type WSACMSGHDR struct {
+	Len   uintptr
+	Level int32
+	Type  int32
+}
+
+type IN_PKTINFO struct {
+	Addr    [4]byte
+	Ifindex uint32
+}
+
+type IN6_PKTINFO struct {
+	Addr    [16]byte
+	Ifindex uint32
+}
+
 // Flags for WSASocket
 const (
 	WSA_FLAG_OVERLAPPED             = 0x01
@@ -2673,6 +2700,8 @@ type CommTimeouts struct {
 
 // NTUnicodeString is a UTF-16 string for NT native APIs, corresponding to UNICODE_STRING.
 type NTUnicodeString struct {
+	// Note: Length and MaximumLength are in *bytes*, not uint16s.
+	// They should always be even.
 	Length        uint16
 	MaximumLength uint16
 	Buffer        *uint16
@@ -3601,3 +3630,213 @@ const (
 	KLF_NOTELLSHELL   = 0x00000080
 	KLF_SETFORPROCESS = 0x00000100
 )
+
+// Virtual Key codes
+// https://docs.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes
+const (
+	VK_LBUTTON             = 0x01
+	VK_RBUTTON             = 0x02
+	VK_CANCEL              = 0x03
+	VK_MBUTTON             = 0x04
+	VK_XBUTTON1            = 0x05
+	VK_XBUTTON2            = 0x06
+	VK_BACK                = 0x08
+	VK_TAB                 = 0x09
+	VK_CLEAR               = 0x0C
+	VK_RETURN              = 0x0D
+	VK_SHIFT               = 0x10
+	VK_CONTROL             = 0x11
+	VK_MENU                = 0x12
+	VK_PAUSE               = 0x13
+	VK_CAPITAL             = 0x14
+	VK_KANA                = 0x15
+	VK_HANGEUL             = 0x15
+	VK_HANGUL              = 0x15
+	VK_IME_ON              = 0x16
+	VK_JUNJA               = 0x17
+	VK_FINAL               = 0x18
+	VK_HANJA               = 0x19
+	VK_KANJI               = 0x19
+	VK_IME_OFF             = 0x1A
+	VK_ESCAPE              = 0x1B
+	VK_CONVERT             = 0x1C
+	VK_NONCONVERT          = 0x1D
+	VK_ACCEPT              = 0x1E
+	VK_MODECHANGE          = 0x1F
+	VK_SPACE               = 0x20
+	VK_PRIOR               = 0x21
+	VK_NEXT                = 0x22
+	VK_END                 = 0x23
+	VK_HOME                = 0x24
+	VK_LEFT                = 0x25
+	VK_UP                  = 0x26
+	VK_RIGHT               = 0x27
+	VK_DOWN                = 0x28
+	VK_SELECT              = 0x29
+	VK_PRINT               = 0x2A
+	VK_EXECUTE             = 0x2B
+	VK_SNAPSHOT            = 0x2C
+	VK_INSERT              = 0x2D
+	VK_DELETE              = 0x2E
+	VK_HELP                = 0x2F
+	VK_LWIN                = 0x5B
+	VK_RWIN                = 0x5C
+	VK_APPS                = 0x5D
+	VK_SLEEP               = 0x5F
+	VK_NUMPAD0             = 0x60
+	VK_NUMPAD1             = 0x61
+	VK_NUMPAD2             = 0x62
+	VK_NUMPAD3             = 0x63
+	VK_NUMPAD4             = 0x64
+	VK_NUMPAD5             = 0x65
+	VK_NUMPAD6             = 0x66
+	VK_NUMPAD7             = 0x67
+	VK_NUMPAD8             = 0x68
+	VK_NUMPAD9             = 0x69
+	VK_MULTIPLY            = 0x6A
+	VK_ADD                 = 0x6B
+	VK_SEPARATOR           = 0x6C
+	VK_SUBTRACT            = 0x6D
+	VK_DECIMAL             = 0x6E
+	VK_DIVIDE              = 0x6F
+	VK_F1                  = 0x70
+	VK_F2                  = 0x71
+	VK_F3                  = 0x72
+	VK_F4                  = 0x73
+	VK_F5                  = 0x74
+	VK_F6                  = 0x75
+	VK_F7                  = 0x76
+	VK_F8                  = 0x77
+	VK_F9                  = 0x78
+	VK_F10                 = 0x79
+	VK_F11                 = 0x7A
+	VK_F12                 = 0x7B
+	VK_F13                 = 0x7C
+	VK_F14                 = 0x7D
+	VK_F15                 = 0x7E
+	VK_F16                 = 0x7F
+	VK_F17                 = 0x80
+	VK_F18                 = 0x81
+	VK_F19                 = 0x82
+	VK_F20                 = 0x83
+	VK_F21                 = 0x84
+	VK_F22                 = 0x85
+	VK_F23                 = 0x86
+	VK_F24                 = 0x87
+	VK_NUMLOCK             = 0x90
+	VK_SCROLL              = 0x91
+	VK_OEM_NEC_EQUAL       = 0x92
+	VK_OEM_FJ_JISHO        = 0x92
+	VK_OEM_FJ_MASSHOU      = 0x93
+	VK_OEM_FJ_TOUROKU      = 0x94
+	VK_OEM_FJ_LOYA         = 0x95
+	VK_OEM_FJ_ROYA         = 0x96
+	VK_LSHIFT              = 0xA0
+	VK_RSHIFT              = 0xA1
+	VK_LCONTROL            = 0xA2
+	VK_RCONTROL            = 0xA3
+	VK_LMENU               = 0xA4
+	VK_RMENU               = 0xA5
+	VK_BROWSER_BACK        = 0xA6
+	VK_BROWSER_FORWARD     = 0xA7
+	VK_BROWSER_REFRESH     = 0xA8
+	VK_BROWSER_STOP        = 0xA9
+	VK_BROWSER_SEARCH      = 0xAA
+	VK_BROWSER_FAVORITES   = 0xAB
+	VK_BROWSER_HOME        = 0xAC
+	VK_VOLUME_MUTE         = 0xAD
+	VK_VOLUME_DOWN         = 0xAE
+	VK_VOLUME_UP           = 0xAF
+	VK_MEDIA_NEXT_TRACK    = 0xB0
+	VK_MEDIA_PREV_TRACK    = 0xB1
+	VK_MEDIA_STOP          = 0xB2
+	VK_MEDIA_PLAY_PAUSE    = 0xB3
+	VK_LAUNCH_MAIL         = 0xB4
+	VK_LAUNCH_MEDIA_SELECT = 0xB5
+	VK_LAUNCH_APP1         = 0xB6
+	VK_LAUNCH_APP2         = 0xB7
+	VK_OEM_1               = 0xBA
+	VK_OEM_PLUS            = 0xBB
+	VK_OEM_COMMA           = 0xBC
+	VK_OEM_MINUS           = 0xBD
+	VK_OEM_PERIOD          = 0xBE
+	VK_OEM_2               = 0xBF
+	VK_OEM_3               = 0xC0
+	VK_OEM_4               = 0xDB
+	VK_OEM_5               = 0xDC
+	VK_OEM_6               = 0xDD
+	VK_OEM_7               = 0xDE
+	VK_OEM_8               = 0xDF
+	VK_OEM_AX              = 0xE1
+	VK_OEM_102             = 0xE2
+	VK_ICO_HELP            = 0xE3
+	VK_ICO_00              = 0xE4
+	VK_PROCESSKEY          = 0xE5
+	VK_ICO_CLEAR           = 0xE6
+	VK_OEM_RESET           = 0xE9
+	VK_OEM_JUMP            = 0xEA
+	VK_OEM_PA1             = 0xEB
+	VK_OEM_PA2             = 0xEC
+	VK_OEM_PA3             = 0xED
+	VK_OEM_WSCTRL          = 0xEE
+	VK_OEM_CUSEL           = 0xEF
+	VK_OEM_ATTN            = 0xF0
+	VK_OEM_FINISH          = 0xF1
+	VK_OEM_COPY            = 0xF2
+	VK_OEM_AUTO            = 0xF3
+	VK_OEM_ENLW            = 0xF4
+	VK_OEM_BACKTAB         = 0xF5
+	VK_ATTN                = 0xF6
+	VK_CRSEL               = 0xF7
+	VK_EXSEL               = 0xF8
+	VK_EREOF               = 0xF9
+	VK_PLAY                = 0xFA
+	VK_ZOOM                = 0xFB
+	VK_NONAME              = 0xFC
+	VK_PA1                 = 0xFD
+	VK_OEM_CLEAR           = 0xFE
+)
+
+// Mouse button constants.
+// https://docs.microsoft.com/en-us/windows/console/mouse-event-record-str
+const (
+	FROM_LEFT_1ST_BUTTON_PRESSED = 0x0001
+	RIGHTMOST_BUTTON_PRESSED     = 0x0002
+	FROM_LEFT_2ND_BUTTON_PRESSED = 0x0004
+	FROM_LEFT_3RD_BUTTON_PRESSED = 0x0008
+	FROM_LEFT_4TH_BUTTON_PRESSED = 0x0010
+)
+
+// Control key state constaints.
+// https://docs.microsoft.com/en-us/windows/console/key-event-record-str
+// https://docs.microsoft.com/en-us/windows/console/mouse-event-record-str
+const (
+	CAPSLOCK_ON        = 0x0080
+	ENHANCED_KEY       = 0x0100
+	LEFT_ALT_PRESSED   = 0x0002
+	LEFT_CTRL_PRESSED  = 0x0008
+	NUMLOCK_ON         = 0x0020
+	RIGHT_ALT_PRESSED  = 0x0001
+	RIGHT_CTRL_PRESSED = 0x0004
+	SCROLLLOCK_ON      = 0x0040
+	SHIFT_PRESSED      = 0x0010
+)
+
+// Mouse event record event flags.
+// https://docs.microsoft.com/en-us/windows/console/mouse-event-record-str
+const (
+	MOUSE_MOVED    = 0x0001
+	DOUBLE_CLICK   = 0x0002
+	MOUSE_WHEELED  = 0x0004
+	MOUSE_HWHEELED = 0x0008
+)
+
+// Input Record Event Types
+// https://learn.microsoft.com/en-us/windows/console/input-record-str
+const (
+	FOCUS_EVENT              = 0x0010
+	KEY_EVENT                = 0x0001
+	MENU_EVENT               = 0x0008
+	MOUSE_EVENT              = 0x0002
+	WINDOW_BUFFER_SIZE_EVENT = 0x0004
+)
diff --git a/vendor/golang.org/x/sys/windows/zsyscall_windows.go b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
index 01c0716c..a58bc48b 100644
--- a/vendor/golang.org/x/sys/windows/zsyscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
@@ -511,6 +511,7 @@ var (
 	procFreeAddrInfoW                                        = modws2_32.NewProc("FreeAddrInfoW")
 	procGetAddrInfoW                                         = modws2_32.NewProc("GetAddrInfoW")
 	procWSACleanup                                           = modws2_32.NewProc("WSACleanup")
+	procWSADuplicateSocketW                                  = modws2_32.NewProc("WSADuplicateSocketW")
 	procWSAEnumProtocolsW                                    = modws2_32.NewProc("WSAEnumProtocolsW")
 	procWSAGetOverlappedResult                               = modws2_32.NewProc("WSAGetOverlappedResult")
 	procWSAIoctl                                             = modws2_32.NewProc("WSAIoctl")
@@ -4391,6 +4392,14 @@ func WSACleanup() (err error) {
 	return
 }
 
+func WSADuplicateSocket(s Handle, processID uint32, info *WSAProtocolInfo) (err error) {
+	r1, _, e1 := syscall.Syscall(procWSADuplicateSocketW.Addr(), 3, uintptr(s), uintptr(processID), uintptr(unsafe.Pointer(info)))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func WSAEnumProtocols(protocols *int32, protocolBuffer *WSAProtocolInfo, bufferLength *uint32) (n int32, err error) {
 	r0, _, e1 := syscall.Syscall(procWSAEnumProtocolsW.Addr(), 3, uintptr(unsafe.Pointer(protocols)), uintptr(unsafe.Pointer(protocolBuffer)), uintptr(unsafe.Pointer(bufferLength)))
 	n = int32(r0)
diff --git a/vendor/golang.org/x/term/term_windows.go b/vendor/golang.org/x/term/term_windows.go
index df6bf948..0ddd81c0 100644
--- a/vendor/golang.org/x/term/term_windows.go
+++ b/vendor/golang.org/x/term/term_windows.go
@@ -20,12 +20,14 @@ func isTerminal(fd int) bool {
 	return err == nil
 }
 
+// This is intended to be used on a console input handle.
+// See https://learn.microsoft.com/en-us/windows/console/setconsolemode
 func makeRaw(fd int) (*State, error) {
 	var st uint32
 	if err := windows.GetConsoleMode(windows.Handle(fd), &st); err != nil {
 		return nil, err
 	}
-	raw := st &^ (windows.ENABLE_ECHO_INPUT | windows.ENABLE_PROCESSED_INPUT | windows.ENABLE_LINE_INPUT | windows.ENABLE_PROCESSED_OUTPUT)
+	raw := st &^ (windows.ENABLE_ECHO_INPUT | windows.ENABLE_PROCESSED_INPUT | windows.ENABLE_LINE_INPUT)
 	raw |= windows.ENABLE_VIRTUAL_TERMINAL_INPUT
 	if err := windows.SetConsoleMode(windows.Handle(fd), raw); err != nil {
 		return nil, err
diff --git a/vendor/golang.org/x/term/terminal.go b/vendor/golang.org/x/term/terminal.go
index f636667f..bddb2e2a 100644
--- a/vendor/golang.org/x/term/terminal.go
+++ b/vendor/golang.org/x/term/terminal.go
@@ -6,6 +6,7 @@ package term
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 	"runtime"
 	"strconv"
@@ -36,6 +37,26 @@ var vt100EscapeCodes = EscapeCodes{
 	Reset: []byte{keyEscape, '[', '0', 'm'},
 }
 
+// A History provides a (possibly bounded) queue of input lines read by [Terminal.ReadLine].
+type History interface {
+	// Add will be called by [Terminal.ReadLine] to add
+	// a new, most recent entry to the history.
+	// It is allowed to drop any entry, including
+	// the entry being added (e.g., if it's deemed an invalid entry),
+	// the least-recent entry (e.g., to keep the history bounded),
+	// or any other entry.
+	Add(entry string)
+
+	// Len returns the number of entries in the history.
+	Len() int
+
+	// At returns an entry from the history.
+	// Index 0 is the most-recently added entry and
+	// index Len()-1 is the least-recently added entry.
+	// If index is < 0 or >= Len(), it panics.
+	At(idx int) string
+}
+
 // Terminal contains the state for running a VT100 terminal that is capable of
 // reading lines of input.
 type Terminal struct {
@@ -44,6 +65,8 @@ type Terminal struct {
 	// bytes, as an index into |line|). If it returns ok=false, the key
 	// press is processed normally. Otherwise it returns a replacement line
 	// and the new cursor position.
+	//
+	// This will be disabled during ReadPassword.
 	AutoCompleteCallback func(line string, pos int, key rune) (newLine string, newPos int, ok bool)
 
 	// Escape contains a pointer to the escape codes for this terminal.
@@ -84,9 +107,14 @@ type Terminal struct {
 	remainder []byte
 	inBuf     [256]byte
 
-	// history contains previously entered commands so that they can be
-	// accessed with the up and down keys.
-	history stRingBuffer
+	// History records and retrieves lines of input read by [ReadLine] which
+	// a user can retrieve and navigate using the up and down arrow keys.
+	//
+	// It is not safe to call ReadLine concurrently with any methods on History.
+	//
+	// [NewTerminal] sets this to a default implementation that records the
+	// last 100 lines of input.
+	History History
 	// historyIndex stores the currently accessed history entry, where zero
 	// means the immediately previous entry.
 	historyIndex int
@@ -109,6 +137,7 @@ func NewTerminal(c io.ReadWriter, prompt string) *Terminal {
 		termHeight:   24,
 		echo:         true,
 		historyIndex: -1,
+		History:      &stRingBuffer{},
 	}
 }
 
@@ -117,6 +146,7 @@ const (
 	keyCtrlD     = 4
 	keyCtrlU     = 21
 	keyEnter     = '\r'
+	keyLF        = '\n'
 	keyEscape    = 27
 	keyBackspace = 127
 	keyUnknown   = 0xd800 /* UTF-16 surrogate area */ + iota
@@ -448,10 +478,27 @@ func visualLength(runes []rune) int {
 	return length
 }
 
+// histroryAt unlocks the terminal and relocks it while calling History.At.
+func (t *Terminal) historyAt(idx int) (string, bool) {
+	t.lock.Unlock()     // Unlock to avoid deadlock if History methods use the output writer.
+	defer t.lock.Lock() // panic in At (or Len) protection.
+	if idx < 0 || idx >= t.History.Len() {
+		return "", false
+	}
+	return t.History.At(idx), true
+}
+
+// historyAdd unlocks the terminal and relocks it while calling History.Add.
+func (t *Terminal) historyAdd(entry string) {
+	t.lock.Unlock()     // Unlock to avoid deadlock if History methods use the output writer.
+	defer t.lock.Lock() // panic in Add protection.
+	t.History.Add(entry)
+}
+
 // handleKey processes the given key and, optionally, returns a line of text
 // that the user has entered.
 func (t *Terminal) handleKey(key rune) (line string, ok bool) {
-	if t.pasteActive && key != keyEnter {
+	if t.pasteActive && key != keyEnter && key != keyLF {
 		t.addKeyToLine(key)
 		return
 	}
@@ -495,7 +542,7 @@ func (t *Terminal) handleKey(key rune) (line string, ok bool) {
 		t.pos = len(t.line)
 		t.moveCursorToPos(t.pos)
 	case keyUp:
-		entry, ok := t.history.NthPreviousEntry(t.historyIndex + 1)
+		entry, ok := t.historyAt(t.historyIndex + 1)
 		if !ok {
 			return "", false
 		}
@@ -514,14 +561,14 @@ func (t *Terminal) handleKey(key rune) (line string, ok bool) {
 			t.setLine(runes, len(runes))
 			t.historyIndex--
 		default:
-			entry, ok := t.history.NthPreviousEntry(t.historyIndex - 1)
+			entry, ok := t.historyAt(t.historyIndex - 1)
 			if ok {
 				t.historyIndex--
 				runes := []rune(entry)
 				t.setLine(runes, len(runes))
 			}
 		}
-	case keyEnter:
+	case keyEnter, keyLF:
 		t.moveCursorToPos(len(t.line))
 		t.queue([]rune("\r\n"))
 		line = string(t.line)
@@ -692,6 +739,8 @@ func (t *Terminal) Write(buf []byte) (n int, err error) {
 
 // ReadPassword temporarily changes the prompt and reads a password, without
 // echo, from the terminal.
+//
+// The AutoCompleteCallback is disabled during this call.
 func (t *Terminal) ReadPassword(prompt string) (line string, err error) {
 	t.lock.Lock()
 	defer t.lock.Unlock()
@@ -699,6 +748,11 @@ func (t *Terminal) ReadPassword(prompt string) (line string, err error) {
 	oldPrompt := t.prompt
 	t.prompt = []rune(prompt)
 	t.echo = false
+	oldAutoCompleteCallback := t.AutoCompleteCallback
+	t.AutoCompleteCallback = nil
+	defer func() {
+		t.AutoCompleteCallback = oldAutoCompleteCallback
+	}()
 
 	line, err = t.readLine()
 
@@ -759,6 +813,10 @@ func (t *Terminal) readLine() (line string, err error) {
 			if !t.pasteActive {
 				lineIsPasted = false
 			}
+			// If we have CR, consume LF if present (CRLF sequence) to avoid returning an extra empty line.
+			if key == keyEnter && len(rest) > 0 && rest[0] == keyLF {
+				rest = rest[1:]
+			}
 			line, lineOk = t.handleKey(key)
 		}
 		if len(rest) > 0 {
@@ -772,7 +830,7 @@ func (t *Terminal) readLine() (line string, err error) {
 		if lineOk {
 			if t.echo {
 				t.historyIndex = -1
-				t.history.Add(line)
+				t.historyAdd(line)
 			}
 			if lineIsPasted {
 				err = ErrPasteIndicator
@@ -929,19 +987,23 @@ func (s *stRingBuffer) Add(a string) {
 	}
 }
 
-// NthPreviousEntry returns the value passed to the nth previous call to Add.
+func (s *stRingBuffer) Len() int {
+	return s.size
+}
+
+// At returns the value passed to the nth previous call to Add.
 // If n is zero then the immediately prior value is returned, if one, then the
 // next most recent, and so on. If such an element doesn't exist then ok is
 // false.
-func (s *stRingBuffer) NthPreviousEntry(n int) (value string, ok bool) {
+func (s *stRingBuffer) At(n int) string {
 	if n < 0 || n >= s.size {
-		return "", false
+		panic(fmt.Sprintf("term: history index [%d] out of range [0,%d)", n, s.size))
 	}
 	index := s.head - n
 	if index < 0 {
 		index += s.max
 	}
-	return s.entries[index], true
+	return s.entries[index]
 }
 
 // readPasswordLine reads from reader until it finds \n or io.EOF.
diff --git a/vendor/golang.org/x/time/rate/sometimes.go b/vendor/golang.org/x/time/rate/sometimes.go
index 6ba99ddb..9b839326 100644
--- a/vendor/golang.org/x/time/rate/sometimes.go
+++ b/vendor/golang.org/x/time/rate/sometimes.go
@@ -61,7 +61,9 @@ func (s *Sometimes) Do(f func()) {
 		(s.Every > 0 && s.count%s.Every == 0) ||
 		(s.Interval > 0 && time.Since(s.last) >= s.Interval) {
 		f()
-		s.last = time.Now()
+		if s.Interval > 0 {
+			s.last = time.Now()
+		}
 	}
 	s.count++
 }
diff --git a/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go b/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go
index bed9216d..e017ef07 100644
--- a/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go
@@ -703,6 +703,65 @@ type QuotaFailure_Violation struct {
 	// For example: "Service disabled" or "Daily Limit for read operations
 	// exceeded".
 	Description string `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
+	// The API Service from which the `QuotaFailure.Violation` orginates. In
+	// some cases, Quota issues originate from an API Service other than the one
+	// that was called. In other words, a dependency of the called API Service
+	// could be the cause of the `QuotaFailure`, and this field would have the
+	// dependency API service name.
+	//
+	// For example, if the called API is Kubernetes Engine API
+	// (container.googleapis.com), and a quota violation occurs in the
+	// Kubernetes Engine API itself, this field would be
+	// "container.googleapis.com". On the other hand, if the quota violation
+	// occurs when the Kubernetes Engine API creates VMs in the Compute Engine
+	// API (compute.googleapis.com), this field would be
+	// "compute.googleapis.com".
+	ApiService string `protobuf:"bytes,3,opt,name=api_service,json=apiService,proto3" json:"api_service,omitempty"`
+	// The metric of the violated quota. A quota metric is a named counter to
+	// measure usage, such as API requests or CPUs. When an activity occurs in a
+	// service, such as Virtual Machine allocation, one or more quota metrics
+	// may be affected.
+	//
+	// For example, "compute.googleapis.com/cpus_per_vm_family",
+	// "storage.googleapis.com/internet_egress_bandwidth".
+	QuotaMetric string `protobuf:"bytes,4,opt,name=quota_metric,json=quotaMetric,proto3" json:"quota_metric,omitempty"`
+	// The id of the violated quota. Also know as "limit name", this is the
+	// unique identifier of a quota in the context of an API service.
+	//
+	// For example, "CPUS-PER-VM-FAMILY-per-project-region".
+	QuotaId string `protobuf:"bytes,5,opt,name=quota_id,json=quotaId,proto3" json:"quota_id,omitempty"`
+	// The dimensions of the violated quota. Every non-global quota is enforced
+	// on a set of dimensions. While quota metric defines what to count, the
+	// dimensions specify for what aspects the counter should be increased.
+	//
+	// For example, the quota "CPUs per region per VM family" enforces a limit
+	// on the metric "compute.googleapis.com/cpus_per_vm_family" on dimensions
+	// "region" and "vm_family". And if the violation occurred in region
+	// "us-central1" and for VM family "n1", the quota_dimensions would be,
+	//
+	//	{
+	//	  "region": "us-central1",
+	//	  "vm_family": "n1",
+	//	}
+	//
+	// When a quota is enforced globally, the quota_dimensions would always be
+	// empty.
+	QuotaDimensions map[string]string `protobuf:"bytes,6,rep,name=quota_dimensions,json=quotaDimensions,proto3" json:"quota_dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	// The enforced quota value at the time of the `QuotaFailure`.
+	//
+	// For example, if the enforced quota value at the time of the
+	// `QuotaFailure` on the number of CPUs is "10", then the value of this
+	// field would reflect this quantity.
+	QuotaValue int64 `protobuf:"varint,7,opt,name=quota_value,json=quotaValue,proto3" json:"quota_value,omitempty"`
+	// The new quota value being rolled out at the time of the violation. At the
+	// completion of the rollout, this value will be enforced in place of
+	// quota_value. If no rollout is in progress at the time of the violation,
+	// this field is not set.
+	//
+	// For example, if at the time of the violation a rollout is in progress
+	// changing the number of CPUs quota from 10 to 20, 20 would be the value of
+	// this field.
+	FutureQuotaValue *int64 `protobuf:"varint,8,opt,name=future_quota_value,json=futureQuotaValue,proto3,oneof" json:"future_quota_value,omitempty"`
 }
 
 func (x *QuotaFailure_Violation) Reset() {
@@ -751,6 +810,48 @@ func (x *QuotaFailure_Violation) GetDescription() string {
 	return ""
 }
 
+func (x *QuotaFailure_Violation) GetApiService() string {
+	if x != nil {
+		return x.ApiService
+	}
+	return ""
+}
+
+func (x *QuotaFailure_Violation) GetQuotaMetric() string {
+	if x != nil {
+		return x.QuotaMetric
+	}
+	return ""
+}
+
+func (x *QuotaFailure_Violation) GetQuotaId() string {
+	if x != nil {
+		return x.QuotaId
+	}
+	return ""
+}
+
+func (x *QuotaFailure_Violation) GetQuotaDimensions() map[string]string {
+	if x != nil {
+		return x.QuotaDimensions
+	}
+	return nil
+}
+
+func (x *QuotaFailure_Violation) GetQuotaValue() int64 {
+	if x != nil {
+		return x.QuotaValue
+	}
+	return 0
+}
+
+func (x *QuotaFailure_Violation) GetFutureQuotaValue() int64 {
+	if x != nil && x.FutureQuotaValue != nil {
+		return *x.FutureQuotaValue
+	}
+	return 0
+}
+
 // A message type used to describe a single precondition failure.
 type PreconditionFailure_Violation struct {
 	state         protoimpl.MessageState
@@ -775,7 +876,7 @@ type PreconditionFailure_Violation struct {
 func (x *PreconditionFailure_Violation) Reset() {
 	*x = PreconditionFailure_Violation{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_google_rpc_error_details_proto_msgTypes[12]
+		mi := &file_google_rpc_error_details_proto_msgTypes[13]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -788,7 +889,7 @@ func (x *PreconditionFailure_Violation) String() string {
 func (*PreconditionFailure_Violation) ProtoMessage() {}
 
 func (x *PreconditionFailure_Violation) ProtoReflect() protoreflect.Message {
-	mi := &file_google_rpc_error_details_proto_msgTypes[12]
+	mi := &file_google_rpc_error_details_proto_msgTypes[13]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -886,7 +987,7 @@ type BadRequest_FieldViolation struct {
 func (x *BadRequest_FieldViolation) Reset() {
 	*x = BadRequest_FieldViolation{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_google_rpc_error_details_proto_msgTypes[13]
+		mi := &file_google_rpc_error_details_proto_msgTypes[14]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -899,7 +1000,7 @@ func (x *BadRequest_FieldViolation) String() string {
 func (*BadRequest_FieldViolation) ProtoMessage() {}
 
 func (x *BadRequest_FieldViolation) ProtoReflect() protoreflect.Message {
-	mi := &file_google_rpc_error_details_proto_msgTypes[13]
+	mi := &file_google_rpc_error_details_proto_msgTypes[14]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -958,7 +1059,7 @@ type Help_Link struct {
 func (x *Help_Link) Reset() {
 	*x = Help_Link{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_google_rpc_error_details_proto_msgTypes[14]
+		mi := &file_google_rpc_error_details_proto_msgTypes[15]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -971,7 +1072,7 @@ func (x *Help_Link) String() string {
 func (*Help_Link) ProtoMessage() {}
 
 func (x *Help_Link) ProtoReflect() protoreflect.Message {
-	mi := &file_google_rpc_error_details_proto_msgTypes[14]
+	mi := &file_google_rpc_error_details_proto_msgTypes[15]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1029,79 +1130,102 @@ var file_google_rpc_error_details_proto_rawDesc = []byte{
 	0x0a, 0x0d, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18,
 	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x45, 0x6e, 0x74, 0x72,
 	0x69, 0x65, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x22, 0x9b, 0x01, 0x0a, 0x0c,
+	0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x22, 0x8e, 0x04, 0x0a, 0x0c,
 	0x51, 0x75, 0x6f, 0x74, 0x61, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x12, 0x42, 0x0a, 0x0a,
 	0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
 	0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x51, 0x75,
 	0x6f, 0x74, 0x61, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69, 0x6f, 0x6c, 0x61,
 	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x1a, 0x47, 0x0a, 0x09, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a,
-	0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
-	0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65,
-	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xbd, 0x01, 0x0a, 0x13, 0x50, 0x72,
-	0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72,
-	0x65, 0x12, 0x49, 0x0a, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72,
-	0x70, 0x63, 0x2e, 0x50, 0x72, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46,
-	0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x52, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0x5b, 0x0a, 0x09,
-	0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x18, 0x0a,
-	0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
-	0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65,
-	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8c, 0x02, 0x0a, 0x0a, 0x42, 0x61,
-	0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x50, 0x0a, 0x10, 0x66, 0x69, 0x65, 0x6c,
-	0x64, 0x5f, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e,
-	0x42, 0x61, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64,
-	0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x66, 0x69, 0x65, 0x6c, 0x64,
-	0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0xab, 0x01, 0x0a, 0x0e, 0x46,
-	0x69, 0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a,
-	0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x66, 0x69,
-	0x65, 0x6c, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69,
-	0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x49, 0x0a,
-	0x11, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x10, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x4f, 0x0a, 0x0b, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1d, 0x0a, 0x0a, 0x72, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x69, 0x6e,
-	0x67, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65,
-	0x72, 0x76, 0x69, 0x6e, 0x67, 0x44, 0x61, 0x74, 0x61, 0x22, 0x90, 0x01, 0x0a, 0x0c, 0x52, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x4e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65,
-	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x6f, 0x0a, 0x04,
-	0x48, 0x65, 0x6c, 0x70, 0x12, 0x2b, 0x0a, 0x05, 0x6c, 0x69, 0x6e, 0x6b, 0x73, 0x18, 0x01, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63,
-	0x2e, 0x48, 0x65, 0x6c, 0x70, 0x2e, 0x4c, 0x69, 0x6e, 0x6b, 0x52, 0x05, 0x6c, 0x69, 0x6e, 0x6b,
-	0x73, 0x1a, 0x3a, 0x0a, 0x04, 0x4c, 0x69, 0x6e, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73,
-	0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b,
-	0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a, 0x03, 0x75,
-	0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x44, 0x0a,
-	0x10, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73,
-	0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73,
-	0x61, 0x67, 0x65, 0x42, 0x6c, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x72, 0x70, 0x63, 0x42, 0x11, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x44, 0x65, 0x74, 0x61,
-	0x69, 0x6c, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3f, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65,
-	0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69,
-	0x73, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73,
-	0x3b, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0xa2, 0x02, 0x03, 0x52, 0x50,
-	0x43, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x1a, 0xb9, 0x03, 0x0a, 0x09, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18,
+	0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63,
+	0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64,
+	0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x70,
+	0x69, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x61, 0x70, 0x69, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x71,
+	0x75, 0x6f, 0x74, 0x61, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0b, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12, 0x19,
+	0x0a, 0x08, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x49, 0x64, 0x12, 0x62, 0x0a, 0x10, 0x71, 0x75, 0x6f,
+	0x74, 0x61, 0x5f, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x06, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63,
+	0x2e, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69,
+	0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x44, 0x69, 0x6d,
+	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0f, 0x71, 0x75,
+	0x6f, 0x74, 0x61, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a,
+	0x0b, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x07, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x0a, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x31,
+	0x0a, 0x12, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x48, 0x00, 0x52, 0x10, 0x66, 0x75,
+	0x74, 0x75, 0x72, 0x65, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x88, 0x01,
+	0x01, 0x1a, 0x42, 0x0a, 0x14, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73,
+	0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x15, 0x0a, 0x13, 0x5f, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65,
+	0x5f, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xbd, 0x01, 0x0a,
+	0x13, 0x50, 0x72, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x61, 0x69,
+	0x6c, 0x75, 0x72, 0x65, 0x12, 0x49, 0x0a, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x50, 0x72, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69,
+	0x6f, 0x6e, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a,
+	0x5b, 0x0a, 0x09, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04,
+	0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65,
+	0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65,
+	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8c, 0x02, 0x0a,
+	0x0a, 0x42, 0x61, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x50, 0x0a, 0x10, 0x66,
+	0x69, 0x65, 0x6c, 0x64, 0x5f, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72,
+	0x70, 0x63, 0x2e, 0x42, 0x61, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x46, 0x69,
+	0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x66, 0x69,
+	0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0xab, 0x01,
+	0x0a, 0x0e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x12, 0x14, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69,
+	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73,
+	0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73,
+	0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e,
+	0x12, 0x49, 0x0a, 0x11, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a,
+	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x10, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
+	0x69, 0x7a, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x4f, 0x0a, 0x0b, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1d, 0x0a, 0x0a, 0x72, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
+	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72,
+	0x76, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x6e, 0x67, 0x44, 0x61, 0x74, 0x61, 0x22, 0x90, 0x01, 0x0a,
+	0x0c, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x23, 0x0a,
+	0x0d, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79,
+	0x70, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x6e,
+	0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x12, 0x20, 0x0a,
+	0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22,
+	0x6f, 0x0a, 0x04, 0x48, 0x65, 0x6c, 0x70, 0x12, 0x2b, 0x0a, 0x05, 0x6c, 0x69, 0x6e, 0x6b, 0x73,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+	0x72, 0x70, 0x63, 0x2e, 0x48, 0x65, 0x6c, 0x70, 0x2e, 0x4c, 0x69, 0x6e, 0x6b, 0x52, 0x05, 0x6c,
+	0x69, 0x6e, 0x6b, 0x73, 0x1a, 0x3a, 0x0a, 0x04, 0x4c, 0x69, 0x6e, 0x6b, 0x12, 0x20, 0x0a, 0x0b,
+	0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10,
+	0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c,
+	0x22, 0x44, 0x0a, 0x10, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07,
+	0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x6c, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x42, 0x11, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x44,
+	0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3f, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67,
+	0x2f, 0x67, 0x65, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x61, 0x70, 0x69, 0x73, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61,
+	0x69, 0x6c, 0x73, 0x3b, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0xa2, 0x02,
+	0x03, 0x52, 0x50, 0x43, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -1116,7 +1240,7 @@ func file_google_rpc_error_details_proto_rawDescGZIP() []byte {
 	return file_google_rpc_error_details_proto_rawDescData
 }
 
-var file_google_rpc_error_details_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
+var file_google_rpc_error_details_proto_msgTypes = make([]protoimpl.MessageInfo, 16)
 var file_google_rpc_error_details_proto_goTypes = []interface{}{
 	(*ErrorInfo)(nil),                     // 0: google.rpc.ErrorInfo
 	(*RetryInfo)(nil),                     // 1: google.rpc.RetryInfo
@@ -1130,24 +1254,26 @@ var file_google_rpc_error_details_proto_goTypes = []interface{}{
 	(*LocalizedMessage)(nil),              // 9: google.rpc.LocalizedMessage
 	nil,                                   // 10: google.rpc.ErrorInfo.MetadataEntry
 	(*QuotaFailure_Violation)(nil),        // 11: google.rpc.QuotaFailure.Violation
-	(*PreconditionFailure_Violation)(nil), // 12: google.rpc.PreconditionFailure.Violation
-	(*BadRequest_FieldViolation)(nil),     // 13: google.rpc.BadRequest.FieldViolation
-	(*Help_Link)(nil),                     // 14: google.rpc.Help.Link
-	(*durationpb.Duration)(nil),           // 15: google.protobuf.Duration
+	nil,                                   // 12: google.rpc.QuotaFailure.Violation.QuotaDimensionsEntry
+	(*PreconditionFailure_Violation)(nil), // 13: google.rpc.PreconditionFailure.Violation
+	(*BadRequest_FieldViolation)(nil),     // 14: google.rpc.BadRequest.FieldViolation
+	(*Help_Link)(nil),                     // 15: google.rpc.Help.Link
+	(*durationpb.Duration)(nil),           // 16: google.protobuf.Duration
 }
 var file_google_rpc_error_details_proto_depIdxs = []int32{
 	10, // 0: google.rpc.ErrorInfo.metadata:type_name -> google.rpc.ErrorInfo.MetadataEntry
-	15, // 1: google.rpc.RetryInfo.retry_delay:type_name -> google.protobuf.Duration
+	16, // 1: google.rpc.RetryInfo.retry_delay:type_name -> google.protobuf.Duration
 	11, // 2: google.rpc.QuotaFailure.violations:type_name -> google.rpc.QuotaFailure.Violation
-	12, // 3: google.rpc.PreconditionFailure.violations:type_name -> google.rpc.PreconditionFailure.Violation
-	13, // 4: google.rpc.BadRequest.field_violations:type_name -> google.rpc.BadRequest.FieldViolation
-	14, // 5: google.rpc.Help.links:type_name -> google.rpc.Help.Link
-	9,  // 6: google.rpc.BadRequest.FieldViolation.localized_message:type_name -> google.rpc.LocalizedMessage
-	7,  // [7:7] is the sub-list for method output_type
-	7,  // [7:7] is the sub-list for method input_type
-	7,  // [7:7] is the sub-list for extension type_name
-	7,  // [7:7] is the sub-list for extension extendee
-	0,  // [0:7] is the sub-list for field type_name
+	13, // 3: google.rpc.PreconditionFailure.violations:type_name -> google.rpc.PreconditionFailure.Violation
+	14, // 4: google.rpc.BadRequest.field_violations:type_name -> google.rpc.BadRequest.FieldViolation
+	15, // 5: google.rpc.Help.links:type_name -> google.rpc.Help.Link
+	12, // 6: google.rpc.QuotaFailure.Violation.quota_dimensions:type_name -> google.rpc.QuotaFailure.Violation.QuotaDimensionsEntry
+	9,  // 7: google.rpc.BadRequest.FieldViolation.localized_message:type_name -> google.rpc.LocalizedMessage
+	8,  // [8:8] is the sub-list for method output_type
+	8,  // [8:8] is the sub-list for method input_type
+	8,  // [8:8] is the sub-list for extension type_name
+	8,  // [8:8] is the sub-list for extension extendee
+	0,  // [0:8] is the sub-list for field type_name
 }
 
 func init() { file_google_rpc_error_details_proto_init() }
@@ -1288,7 +1414,7 @@ func file_google_rpc_error_details_proto_init() {
 				return nil
 			}
 		}
-		file_google_rpc_error_details_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+		file_google_rpc_error_details_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*PreconditionFailure_Violation); i {
 			case 0:
 				return &v.state
@@ -1300,7 +1426,7 @@ func file_google_rpc_error_details_proto_init() {
 				return nil
 			}
 		}
-		file_google_rpc_error_details_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+		file_google_rpc_error_details_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*BadRequest_FieldViolation); i {
 			case 0:
 				return &v.state
@@ -1312,7 +1438,7 @@ func file_google_rpc_error_details_proto_init() {
 				return nil
 			}
 		}
-		file_google_rpc_error_details_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
+		file_google_rpc_error_details_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Help_Link); i {
 			case 0:
 				return &v.state
@@ -1325,13 +1451,14 @@ func file_google_rpc_error_details_proto_init() {
 			}
 		}
 	}
+	file_google_rpc_error_details_proto_msgTypes[11].OneofWrappers = []interface{}{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_google_rpc_error_details_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   15,
+			NumMessages:   16,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/vendor/google.golang.org/grpc/CONTRIBUTING.md b/vendor/google.golang.org/grpc/CONTRIBUTING.md
index d9bfa6e1..1de0ce66 100644
--- a/vendor/google.golang.org/grpc/CONTRIBUTING.md
+++ b/vendor/google.golang.org/grpc/CONTRIBUTING.md
@@ -1,73 +1,102 @@
 # How to contribute
 
-We definitely welcome your patches and contributions to gRPC! Please read the gRPC
-organization's [governance rules](https://github.com/grpc/grpc-community/blob/master/governance.md)
-and [contribution guidelines](https://github.com/grpc/grpc-community/blob/master/CONTRIBUTING.md) before proceeding.
+We welcome your patches and contributions to gRPC! Please read the gRPC
+organization's [governance
+rules](https://github.com/grpc/grpc-community/blob/master/governance.md) before
+proceeding.
 
 If you are new to GitHub, please start by reading [Pull Request howto](https://help.github.com/articles/about-pull-requests/)
 
 ## Legal requirements
 
 In order to protect both you and ourselves, you will need to sign the
-[Contributor License Agreement](https://identity.linuxfoundation.org/projects/cncf).
+[Contributor License
+Agreement](https://identity.linuxfoundation.org/projects/cncf). When you create
+your first PR, a link will be added as a comment that contains the steps needed
+to complete this process.
+
+## Getting Started
+
+A great way to start is by searching through our open issues. [Unassigned issues
+labeled as "help
+wanted"](https://github.com/grpc/grpc-go/issues?q=sort%3Aupdated-desc%20is%3Aissue%20is%3Aopen%20label%3A%22Status%3A%20Help%20Wanted%22%20no%3Aassignee)
+are especially nice for first-time contributors, as they should be well-defined
+problems that already have agreed-upon solutions.
+
+## Code Style
+
+We follow [Google's published Go style
+guide](https://google.github.io/styleguide/go/). Note that there are three
+primary documents that make up this style guide; please follow them as closely
+as possible. If a reviewer recommends something that contradicts those
+guidelines, there may be valid reasons to do so, but it should be rare.
 
 ## Guidelines for Pull Requests
-How to get your contributions merged smoothly and quickly.
+
+How to get your contributions merged smoothly and quickly:
 
 - Create **small PRs** that are narrowly focused on **addressing a single
-  concern**. We often times receive PRs that are trying to fix several things at
-  a time, but only one fix is considered acceptable, nothing gets merged and
-  both author's & review's time is wasted. Create more PRs to address different
-  concerns and everyone will be happy.
+  concern**. We often receive PRs that attempt to fix several things at the same
+  time, and if one part of the PR has a problem, that will hold up the entire
+  PR.
 
-- If you are searching for features to work on, issues labeled [Status: Help
-  Wanted](https://github.com/grpc/grpc-go/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3A%22Status%3A+Help+Wanted%22)
-  is a great place to start. These issues are well-documented and usually can be
-  resolved with a single pull request.
+- For **speculative changes**, consider opening an issue and discussing it
+  first. If you are suggesting a behavioral or API change, consider starting
+  with a [gRFC proposal](https://github.com/grpc/proposal). Many new features
+  that are not bug fixes will require cross-language agreement.
 
-- If you are adding a new file, make sure it has the copyright message template
-  at the top as a comment. You can copy over the message from an existing file
-  and update the year.
+- If you want to fix **formatting or style**, consider whether your changes are
+  an obvious improvement or might be considered a personal preference. If a
+  style change is based on preference, it likely will not be accepted. If it
+  corrects widely agreed-upon anti-patterns, then please do create a PR and
+  explain the benefits of the change.
 
-- The grpc package should only depend on standard Go packages and a small number
-  of exceptions. If your contribution introduces new dependencies which are NOT
-  in the [list](https://godoc.org/google.golang.org/grpc?imports), you need a
-  discussion with gRPC-Go authors and consultants.
-
-- For speculative changes, consider opening an issue and discussing it first. If
-  you are suggesting a behavioral or API change, consider starting with a [gRFC
-  proposal](https://github.com/grpc/proposal).
+- For correcting **misspellings**, please be aware that we use some terms that
+  are sometimes flagged by spell checkers. As an example, "if an only if" is
+  often written as "iff". Please do not make spelling correction changes unless
+  you are certain they are misspellings.
 
 - Provide a good **PR description** as a record of **what** change is being made
   and **why** it was made. Link to a GitHub issue if it exists.
 
-- If you want to fix formatting or style, consider whether your changes are an
-  obvious improvement or might be considered a personal preference. If a style
-  change is based on preference, it likely will not be accepted. If it corrects
-  widely agreed-upon anti-patterns, then please do create a PR and explain the
-  benefits of the change.
-
-- Unless your PR is trivial, you should expect there will be reviewer comments
-  that you'll need to address before merging. We'll mark it as `Status: Requires
-  Reporter Clarification` if we expect you to respond to these comments in a
-  timely manner. If the PR remains inactive for 6 days, it will be marked as
-  `stale` and automatically close 7 days after that if we don't hear back from
-  you.
-
-- Maintain **clean commit history** and use **meaningful commit messages**. PRs
-  with messy commit history are difficult to review and won't be merged. Use
-  `rebase -i upstream/master` to curate your commit history and/or to bring in
-  latest changes from master (but avoid rebasing in the middle of a code
-  review).
-
-- Keep your PR up to date with upstream/master (if there are merge conflicts, we
-  can't really merge your change).
+- Maintain a **clean commit history** and use **meaningful commit messages**.
+  PRs with messy commit histories are difficult to review and won't be merged.
+  Before sending your PR, ensure your changes are based on top of the latest
+  `upstream/master` commits, and avoid rebasing in the middle of a code review.
+  You should **never use `git push -f`** unless absolutely necessary during a
+  review, as it can interfere with GitHub's tracking of comments.
 
 - **All tests need to be passing** before your change can be merged. We
-  recommend you **run tests locally** before creating your PR to catch breakages
-  early on.
-  - `./scripts/vet.sh` to catch vet errors
-  - `go test -cpu 1,4 -timeout 7m ./...` to run the tests
-  - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode
+  recommend you run tests locally before creating your PR to catch breakages
+  early on:
 
-- Exceptions to the rules can be made if there's a compelling reason for doing so.
+  - `./scripts/vet.sh` to catch vet errors.
+  - `go test -cpu 1,4 -timeout 7m ./...` to run the tests.
+  - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode.
+
+  Note that we have a multi-module repo, so `go test` commands may need to be
+  run from the root of each module in order to cause all tests to run.
+
+  *Alternatively*, you may find it easier to push your changes to your fork on
+  GitHub, which will trigger a GitHub Actions run that you can use to verify
+  everything is passing.
+
+- If you are adding a new file, make sure it has the **copyright message**
+  template at the top as a comment. You can copy the message from an existing
+  file and update the year.
+
+- The grpc package should only depend on standard Go packages and a small number
+  of exceptions. **If your contribution introduces new dependencies**, you will
+  need a discussion with gRPC-Go maintainers. A GitHub action check will run on
+  every PR, and will flag any transitive dependency changes from any public
+  package.
+
+- Unless your PR is trivial, you should **expect reviewer comments** that you
+  will need to address before merging. We'll label the PR as `Status: Requires
+  Reporter Clarification` if we expect you to respond to these comments in a
+  timely manner. If the PR remains inactive for 6 days, it will be marked as
+  `stale`, and we will automatically close it after 7 days if we don't hear back
+  from you. Please feel free to ping issues or bugs if you do not get a response
+  within a week.
+
+- Exceptions to the rules can be made if there's a compelling reason to do so.
diff --git a/vendor/google.golang.org/grpc/README.md b/vendor/google.golang.org/grpc/README.md
index b572707c..f9a88d59 100644
--- a/vendor/google.golang.org/grpc/README.md
+++ b/vendor/google.golang.org/grpc/README.md
@@ -32,6 +32,7 @@ import "google.golang.org/grpc"
 - [Low-level technical docs](Documentation) from this repository
 - [Performance benchmark][]
 - [Examples](examples)
+- [Contribution guidelines](CONTRIBUTING.md)
 
 ## FAQ
 
diff --git a/vendor/google.golang.org/grpc/balancer/balancer.go b/vendor/google.golang.org/grpc/balancer/balancer.go
index c9b343c7..b1264017 100644
--- a/vendor/google.golang.org/grpc/balancer/balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/balancer.go
@@ -360,6 +360,10 @@ type Balancer interface {
 	// call SubConn.Shutdown for its existing SubConns; however, this will be
 	// required in a future release, so it is recommended.
 	Close()
+	// ExitIdle instructs the LB policy to reconnect to backends / exit the
+	// IDLE state, if appropriate and possible.  Note that SubConns that enter
+	// the IDLE state will not reconnect until SubConn.Connect is called.
+	ExitIdle()
 }
 
 // ExitIdler is an optional interface for balancers to implement.  If
@@ -367,8 +371,8 @@ type Balancer interface {
 // the ClientConn is idle.  If unimplemented, ClientConn.Connect will cause
 // all SubConns to connect.
 //
-// Notice: it will be required for all balancers to implement this in a future
-// release.
+// Deprecated: All balancers must implement this interface. This interface will
+// be removed in a future release.
 type ExitIdler interface {
 	// ExitIdle instructs the LB policy to reconnect to backends / exit the
 	// IDLE state, if appropriate and possible.  Note that SubConns that enter
diff --git a/vendor/google.golang.org/grpc/balancer/base/balancer.go b/vendor/google.golang.org/grpc/balancer/base/balancer.go
index d5ed172a..4d576876 100644
--- a/vendor/google.golang.org/grpc/balancer/base/balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/base/balancer.go
@@ -41,7 +41,7 @@ func (bb *baseBuilder) Build(cc balancer.ClientConn, _ balancer.BuildOptions) ba
 		cc:            cc,
 		pickerBuilder: bb.pickerBuilder,
 
-		subConns: resolver.NewAddressMap(),
+		subConns: resolver.NewAddressMapV2[balancer.SubConn](),
 		scStates: make(map[balancer.SubConn]connectivity.State),
 		csEvltr:  &balancer.ConnectivityStateEvaluator{},
 		config:   bb.config,
@@ -65,7 +65,7 @@ type baseBalancer struct {
 	csEvltr *balancer.ConnectivityStateEvaluator
 	state   connectivity.State
 
-	subConns *resolver.AddressMap
+	subConns *resolver.AddressMapV2[balancer.SubConn]
 	scStates map[balancer.SubConn]connectivity.State
 	picker   balancer.Picker
 	config   Config
@@ -100,7 +100,7 @@ func (b *baseBalancer) UpdateClientConnState(s balancer.ClientConnState) error {
 	// Successful resolution; clear resolver error and ensure we return nil.
 	b.resolverErr = nil
 	// addrsSet is the set converted from addrs, it's used for quick lookup of an address.
-	addrsSet := resolver.NewAddressMap()
+	addrsSet := resolver.NewAddressMapV2[any]()
 	for _, a := range s.ResolverState.Addresses {
 		addrsSet.Set(a, nil)
 		if _, ok := b.subConns.Get(a); !ok {
@@ -122,8 +122,7 @@ func (b *baseBalancer) UpdateClientConnState(s balancer.ClientConnState) error {
 		}
 	}
 	for _, a := range b.subConns.Keys() {
-		sci, _ := b.subConns.Get(a)
-		sc := sci.(balancer.SubConn)
+		sc, _ := b.subConns.Get(a)
 		// a was removed by resolver.
 		if _, ok := addrsSet.Get(a); !ok {
 			sc.Shutdown()
@@ -173,8 +172,7 @@ func (b *baseBalancer) regeneratePicker() {
 
 	// Filter out all ready SCs from full subConn map.
 	for _, addr := range b.subConns.Keys() {
-		sci, _ := b.subConns.Get(addr)
-		sc := sci.(balancer.SubConn)
+		sc, _ := b.subConns.Get(addr)
 		if st, ok := b.scStates[sc]; ok && st == connectivity.Ready {
 			readySCs[sc] = SubConnInfo{Address: addr}
 		}
diff --git a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
index 421c4fec..0ad6bb1f 100644
--- a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
+++ b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
@@ -45,7 +45,15 @@ type ChildState struct {
 
 	// Balancer exposes only the ExitIdler interface of the child LB policy.
 	// Other methods of the child policy are called only by endpointsharding.
-	Balancer balancer.ExitIdler
+	Balancer ExitIdler
+}
+
+// ExitIdler provides access to only the ExitIdle method of the child balancer.
+type ExitIdler interface {
+	// ExitIdle instructs the LB policy to reconnect to backends / exit the
+	// IDLE state, if appropriate and possible.  Note that SubConns that enter
+	// the IDLE state will not reconnect until SubConn.Connect is called.
+	ExitIdle()
 }
 
 // Options are the options to configure the behaviour of the
@@ -73,7 +81,7 @@ func NewBalancer(cc balancer.ClientConn, opts balancer.BuildOptions, childBuilde
 		esOpts:       esOpts,
 		childBuilder: childBuilder,
 	}
-	es.children.Store(resolver.NewEndpointMap())
+	es.children.Store(resolver.NewEndpointMap[*balancerWrapper]())
 	return es
 }
 
@@ -90,7 +98,7 @@ type endpointSharding struct {
 	// calls into a child. To avoid deadlocks, do not acquire childMu while
 	// holding mu.
 	childMu  sync.Mutex
-	children atomic.Pointer[resolver.EndpointMap] // endpoint -> *balancerWrapper
+	children atomic.Pointer[resolver.EndpointMap[*balancerWrapper]]
 
 	// inhibitChildUpdates is set during UpdateClientConnState/ResolverError
 	// calls (calls to children will each produce an update, only want one
@@ -122,7 +130,7 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
 	var ret error
 
 	children := es.children.Load()
-	newChildren := resolver.NewEndpointMap()
+	newChildren := resolver.NewEndpointMap[*balancerWrapper]()
 
 	// Update/Create new children.
 	for _, endpoint := range state.ResolverState.Endpoints {
@@ -131,9 +139,8 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
 			// update.
 			continue
 		}
-		var childBalancer *balancerWrapper
-		if val, ok := children.Get(endpoint); ok {
-			childBalancer = val.(*balancerWrapper)
+		childBalancer, ok := children.Get(endpoint)
+		if ok {
 			// Endpoint attributes may have changed, update the stored endpoint.
 			es.mu.Lock()
 			childBalancer.childState.Endpoint = endpoint
@@ -166,7 +173,7 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
 	for _, e := range children.Keys() {
 		child, _ := children.Get(e)
 		if _, ok := newChildren.Get(e); !ok {
-			child.(*balancerWrapper).closeLocked()
+			child.closeLocked()
 		}
 	}
 	es.children.Store(newChildren)
@@ -189,7 +196,7 @@ func (es *endpointSharding) ResolverError(err error) {
 	}()
 	children := es.children.Load()
 	for _, child := range children.Values() {
-		child.(*balancerWrapper).resolverErrorLocked(err)
+		child.resolverErrorLocked(err)
 	}
 }
 
@@ -202,7 +209,17 @@ func (es *endpointSharding) Close() {
 	defer es.childMu.Unlock()
 	children := es.children.Load()
 	for _, child := range children.Values() {
-		child.(*balancerWrapper).closeLocked()
+		child.closeLocked()
+	}
+}
+
+func (es *endpointSharding) ExitIdle() {
+	es.childMu.Lock()
+	defer es.childMu.Unlock()
+	for _, bw := range es.children.Load().Values() {
+		if !bw.isClosed {
+			bw.child.ExitIdle()
+		}
 	}
 }
 
@@ -222,8 +239,7 @@ func (es *endpointSharding) updateState() {
 	childStates := make([]ChildState, 0, children.Len())
 
 	for _, child := range children.Values() {
-		bw := child.(*balancerWrapper)
-		childState := bw.childState
+		childState := child.childState
 		childStates = append(childStates, childState)
 		childPicker := childState.State.Picker
 		switch childState.State.ConnectivityState {
@@ -328,15 +344,13 @@ func (bw *balancerWrapper) UpdateState(state balancer.State) {
 // ExitIdle pings an IDLE child balancer to exit idle in a new goroutine to
 // avoid deadlocks due to synchronous balancer state updates.
 func (bw *balancerWrapper) ExitIdle() {
-	if ei, ok := bw.child.(balancer.ExitIdler); ok {
-		go func() {
-			bw.es.childMu.Lock()
-			if !bw.isClosed {
-				ei.ExitIdle()
-			}
-			bw.es.childMu.Unlock()
-		}()
-	}
+	go func() {
+		bw.es.childMu.Lock()
+		if !bw.isClosed {
+			bw.child.ExitIdle()
+		}
+		bw.es.childMu.Unlock()
+	}()
 }
 
 // updateClientConnStateLocked delivers the ClientConnState to the child
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
index 113181e6..e6204725 100644
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
+++ b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
@@ -54,18 +54,9 @@ func init() {
 	balancer.Register(pickfirstBuilder{})
 }
 
-type (
-	// enableHealthListenerKeyType is a unique key type used in resolver
-	// attributes to indicate whether the health listener usage is enabled.
-	enableHealthListenerKeyType struct{}
-	// managedByPickfirstKeyType is an attribute key type to inform Outlier
-	// Detection that the generic health listener is being used.
-	// TODO: https://github.com/grpc/grpc-go/issues/7915 - Remove this when
-	// implementing the dualstack design. This is a hack. Once Dualstack is
-	// completed, outlier detection will stop sending ejection updates through
-	// the connectivity listener.
-	managedByPickfirstKeyType struct{}
-)
+// enableHealthListenerKeyType is a unique key type used in resolver
+// attributes to indicate whether the health listener usage is enabled.
+type enableHealthListenerKeyType struct{}
 
 var (
 	logger = grpclog.Component("pick-first-leaf-lb")
@@ -122,7 +113,7 @@ func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions)
 		target:          bo.Target.String(),
 		metricsRecorder: cc.MetricsRecorder(),
 
-		subConns:              resolver.NewAddressMap(),
+		subConns:              resolver.NewAddressMapV2[*scData](),
 		state:                 connectivity.Connecting,
 		cancelConnectionTimer: func() {},
 	}
@@ -149,17 +140,6 @@ func EnableHealthListener(state resolver.State) resolver.State {
 	return state
 }
 
-// IsManagedByPickfirst returns whether an address belongs to a SubConn
-// managed by the pickfirst LB policy.
-// TODO: https://github.com/grpc/grpc-go/issues/7915 - This is a hack to disable
-// outlier_detection via the with connectivity listener when using pick_first.
-// Once Dualstack changes are complete, all SubConns will be created by
-// pick_first and outlier detection will only use the health listener for
-// ejection. This hack can then be removed.
-func IsManagedByPickfirst(addr resolver.Address) bool {
-	return addr.BalancerAttributes.Value(managedByPickfirstKeyType{}) != nil
-}
-
 type pfConfig struct {
 	serviceconfig.LoadBalancingConfig `json:"-"`
 
@@ -186,7 +166,6 @@ type scData struct {
 }
 
 func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
-	addr.BalancerAttributes = addr.BalancerAttributes.WithValue(managedByPickfirstKeyType{}, true)
 	sd := &scData{
 		rawConnectivityState: connectivity.Idle,
 		effectiveState:       connectivity.Idle,
@@ -220,7 +199,7 @@ type pickfirstBalancer struct {
 	// updates.
 	state connectivity.State
 	// scData for active subonns mapped by address.
-	subConns              *resolver.AddressMap
+	subConns              *resolver.AddressMapV2[*scData]
 	addressList           addressList
 	firstPass             bool
 	numTF                 int
@@ -319,7 +298,7 @@ func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState
 	prevAddr := b.addressList.currentAddress()
 	prevSCData, found := b.subConns.Get(prevAddr)
 	prevAddrsCount := b.addressList.size()
-	isPrevRawConnectivityStateReady := found && prevSCData.(*scData).rawConnectivityState == connectivity.Ready
+	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
 	b.addressList.updateAddrs(newAddrs)
 
 	// If the previous ready SubConn exists in new address list,
@@ -381,21 +360,21 @@ func (b *pickfirstBalancer) startFirstPassLocked() {
 	b.numTF = 0
 	// Reset the connection attempt record for existing SubConns.
 	for _, sd := range b.subConns.Values() {
-		sd.(*scData).connectionFailedInFirstPass = false
+		sd.connectionFailedInFirstPass = false
 	}
 	b.requestConnectionLocked()
 }
 
 func (b *pickfirstBalancer) closeSubConnsLocked() {
 	for _, sd := range b.subConns.Values() {
-		sd.(*scData).subConn.Shutdown()
+		sd.subConn.Shutdown()
 	}
-	b.subConns = resolver.NewAddressMap()
+	b.subConns = resolver.NewAddressMapV2[*scData]()
 }
 
 // deDupAddresses ensures that each address appears only once in the slice.
 func deDupAddresses(addrs []resolver.Address) []resolver.Address {
-	seenAddrs := resolver.NewAddressMap()
+	seenAddrs := resolver.NewAddressMapV2[*scData]()
 	retAddrs := []resolver.Address{}
 
 	for _, addr := range addrs {
@@ -481,7 +460,7 @@ func addressFamily(address string) ipAddrFamily {
 // This ensures that the subchannel map accurately reflects the current set of
 // addresses received from the name resolver.
 func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
-	newAddrsMap := resolver.NewAddressMap()
+	newAddrsMap := resolver.NewAddressMapV2[bool]()
 	for _, addr := range newAddrs {
 		newAddrsMap.Set(addr, true)
 	}
@@ -491,7 +470,7 @@ func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address)
 			continue
 		}
 		val, _ := b.subConns.Get(oldAddr)
-		val.(*scData).subConn.Shutdown()
+		val.subConn.Shutdown()
 		b.subConns.Delete(oldAddr)
 	}
 }
@@ -500,13 +479,12 @@ func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address)
 // becomes ready, which means that all other subConn must be shutdown.
 func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
 	b.cancelConnectionTimer()
-	for _, v := range b.subConns.Values() {
-		sd := v.(*scData)
+	for _, sd := range b.subConns.Values() {
 		if sd.subConn != selected.subConn {
 			sd.subConn.Shutdown()
 		}
 	}
-	b.subConns = resolver.NewAddressMap()
+	b.subConns = resolver.NewAddressMapV2[*scData]()
 	b.subConns.Set(selected.addr, selected)
 }
 
@@ -539,18 +517,17 @@ func (b *pickfirstBalancer) requestConnectionLocked() {
 			b.subConns.Set(curAddr, sd)
 		}
 
-		scd := sd.(*scData)
-		switch scd.rawConnectivityState {
+		switch sd.rawConnectivityState {
 		case connectivity.Idle:
-			scd.subConn.Connect()
+			sd.subConn.Connect()
 			b.scheduleNextConnectionLocked()
 			return
 		case connectivity.TransientFailure:
 			// The SubConn is being re-used and failed during a previous pass
 			// over the addressList. It has not completed backoff yet.
 			// Mark it as having failed and try the next address.
-			scd.connectionFailedInFirstPass = true
-			lastErr = scd.lastErr
+			sd.connectionFailedInFirstPass = true
+			lastErr = sd.lastErr
 			continue
 		case connectivity.Connecting:
 			// Wait for the connection attempt to complete or the timer to fire
@@ -558,7 +535,7 @@ func (b *pickfirstBalancer) requestConnectionLocked() {
 			b.scheduleNextConnectionLocked()
 			return
 		default:
-			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", scd.rawConnectivityState)
+			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
 			return
 
 		}
@@ -753,8 +730,7 @@ func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
 	}
 	// Connect() has been called on all the SubConns. The first pass can be
 	// ended if all the SubConns have reported a failure.
-	for _, v := range b.subConns.Values() {
-		sd := v.(*scData)
+	for _, sd := range b.subConns.Values() {
 		if !sd.connectionFailedInFirstPass {
 			return
 		}
@@ -765,8 +741,7 @@ func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
 		Picker:            &picker{err: lastErr},
 	})
 	// Start re-connecting all the SubConns that are already in IDLE.
-	for _, v := range b.subConns.Values() {
-		sd := v.(*scData)
+	for _, sd := range b.subConns.Values() {
 		if sd.rawConnectivityState == connectivity.Idle {
 			sd.subConn.Connect()
 		}
@@ -927,6 +902,5 @@ func (al *addressList) hasNext() bool {
 // fields that are meaningful to the SubConn.
 func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
 	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
-		a.Attributes.Equal(b.Attributes) &&
-		a.Metadata == b.Metadata
+		a.Attributes.Equal(b.Attributes)
 }
diff --git a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
index 35da5d1e..22045bf3 100644
--- a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
+++ b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
@@ -70,10 +70,3 @@ func (b *rrBalancer) UpdateClientConnState(ccs balancer.ClientConnState) error {
 		ResolverState: pickfirstleaf.EnableHealthListener(ccs.ResolverState),
 	})
 }
-
-func (b *rrBalancer) ExitIdle() {
-	// Should always be ok, as child is endpoint sharding.
-	if ei, ok := b.Balancer.(balancer.ExitIdler); ok {
-		ei.ExitIdle()
-	}
-}
diff --git a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
index b2f8fc7f..b1364a03 100644
--- a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
+++ b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
@@ -18,7 +18,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.4
+// 	protoc-gen-go v1.36.6
 // 	protoc        v5.27.1
 // source: grpc/binlog/v1/binarylog.proto
 
@@ -858,133 +858,68 @@ func (x *Address) GetIpPort() uint32 {
 
 var File_grpc_binlog_v1_binarylog_proto protoreflect.FileDescriptor
 
-var file_grpc_binlog_v1_binarylog_proto_rawDesc = string([]byte{
-	0x0a, 0x1e, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62, 0x69, 0x6e, 0x6c, 0x6f, 0x67, 0x2f, 0x76, 0x31,
-	0x2f, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x11, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
-	0x2e, 0x76, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbb, 0x07, 0x0a, 0x0c, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67,
-	0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12,
-	0x17, 0x0a, 0x07, 0x63, 0x61, 0x6c, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04,
-	0x52, 0x06, 0x63, 0x61, 0x6c, 0x6c, 0x49, 0x64, 0x12, 0x35, 0x0a, 0x17, 0x73, 0x65, 0x71, 0x75,
-	0x65, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x5f, 0x63,
-	0x61, 0x6c, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x14, 0x73, 0x65, 0x71, 0x75, 0x65,
-	0x6e, 0x63, 0x65, 0x49, 0x64, 0x57, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x43, 0x61, 0x6c, 0x6c, 0x12,
-	0x3d, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e,
-	0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
-	0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x45,
-	0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x3e,
-	0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26,
-	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e,
-	0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e,
-	0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x52, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x46,
-	0x0a, 0x0d, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18,
-	0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
-	0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
-	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
-	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x0d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e,
-	0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
-	0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00,
-	0x52, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x36,
-	0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
-	0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x48, 0x00, 0x52, 0x07, 0x6d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x36, 0x0a, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65,
-	0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
-	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69,
-	0x6c, 0x65, 0x72, 0x48, 0x00, 0x52, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x2b,
-	0x0a, 0x11, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61,
-	0x74, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x70, 0x61, 0x79, 0x6c, 0x6f,
-	0x61, 0x64, 0x54, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x04, 0x70,
-	0x65, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63,
-	0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x64,
-	0x64, 0x72, 0x65, 0x73, 0x73, 0x52, 0x04, 0x70, 0x65, 0x65, 0x72, 0x22, 0xf5, 0x01, 0x0a, 0x09,
-	0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x12, 0x45, 0x56, 0x45,
-	0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
-	0x00, 0x12, 0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x01, 0x12,
-	0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45,
-	0x52, 0x56, 0x45, 0x52, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x02, 0x12, 0x1d, 0x0a,
-	0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45,
-	0x4e, 0x54, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x03, 0x12, 0x1d, 0x0a, 0x19,
-	0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x45,
-	0x52, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x04, 0x12, 0x20, 0x0a, 0x1c, 0x45,
-	0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54,
-	0x5f, 0x48, 0x41, 0x4c, 0x46, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10, 0x05, 0x12, 0x1d, 0x0a,
-	0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56,
-	0x45, 0x52, 0x5f, 0x54, 0x52, 0x41, 0x49, 0x4c, 0x45, 0x52, 0x10, 0x06, 0x12, 0x15, 0x0a, 0x11,
-	0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x41, 0x4e, 0x43, 0x45,
-	0x4c, 0x10, 0x07, 0x22, 0x42, 0x0a, 0x06, 0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x12, 0x0a,
-	0x0e, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
-	0x00, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x43, 0x4c, 0x49, 0x45,
-	0x4e, 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x53,
-	0x45, 0x52, 0x56, 0x45, 0x52, 0x10, 0x02, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f,
-	0x61, 0x64, 0x22, 0xbb, 0x01, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x48, 0x65, 0x61,
-	0x64, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
-	0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
-	0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f, 0x0a, 0x0b,
-	0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0a, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a,
-	0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x33, 0x0a, 0x07, 0x74,
-	0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44,
-	0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74,
-	0x22, 0x47, 0x0a, 0x0c, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
-	0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79,
-	0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52,
-	0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb1, 0x01, 0x0a, 0x07, 0x54, 0x72,
-	0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
-	0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
-	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61,
-	0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f,
-	0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x0d, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x6f, 0x64, 0x65, 0x12,
-	0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d,
-	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x22, 0x35, 0x0a,
-	0x07, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67,
-	0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68,
-	0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04,
-	0x64, 0x61, 0x74, 0x61, 0x22, 0x42, 0x0a, 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
-	0x12, 0x36, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x20, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
-	0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x37, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61,
-	0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x22, 0xb8, 0x01, 0x0a, 0x07, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x33, 0x0a,
-	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x67, 0x72,
-	0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e,
-	0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
-	0x70, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x17, 0x0a, 0x07,
-	0x69, 0x70, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x69,
-	0x70, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x45, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a,
-	0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
-	0x0d, 0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x34, 0x10, 0x01, 0x12, 0x0d,
-	0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x36, 0x10, 0x02, 0x12, 0x0d, 0x0a,
-	0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x49, 0x58, 0x10, 0x03, 0x42, 0x5c, 0x0a, 0x14,
-	0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f,
-	0x67, 0x2e, 0x76, 0x31, 0x42, 0x0e, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x4c, 0x6f, 0x67, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
-	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62,
-	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x62, 0x69,
-	0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x5f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-})
+const file_grpc_binlog_v1_binarylog_proto_rawDesc = "" +
+	"\n" +
+	"\x1egrpc/binlog/v1/binarylog.proto\x12\x11grpc.binarylog.v1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xbb\a\n" +
+	"\fGrpcLogEntry\x128\n" +
+	"\ttimestamp\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\ttimestamp\x12\x17\n" +
+	"\acall_id\x18\x02 \x01(\x04R\x06callId\x125\n" +
+	"\x17sequence_id_within_call\x18\x03 \x01(\x04R\x14sequenceIdWithinCall\x12=\n" +
+	"\x04type\x18\x04 \x01(\x0e2).grpc.binarylog.v1.GrpcLogEntry.EventTypeR\x04type\x12>\n" +
+	"\x06logger\x18\x05 \x01(\x0e2&.grpc.binarylog.v1.GrpcLogEntry.LoggerR\x06logger\x12F\n" +
+	"\rclient_header\x18\x06 \x01(\v2\x1f.grpc.binarylog.v1.ClientHeaderH\x00R\fclientHeader\x12F\n" +
+	"\rserver_header\x18\a \x01(\v2\x1f.grpc.binarylog.v1.ServerHeaderH\x00R\fserverHeader\x126\n" +
+	"\amessage\x18\b \x01(\v2\x1a.grpc.binarylog.v1.MessageH\x00R\amessage\x126\n" +
+	"\atrailer\x18\t \x01(\v2\x1a.grpc.binarylog.v1.TrailerH\x00R\atrailer\x12+\n" +
+	"\x11payload_truncated\x18\n" +
+	" \x01(\bR\x10payloadTruncated\x12.\n" +
+	"\x04peer\x18\v \x01(\v2\x1a.grpc.binarylog.v1.AddressR\x04peer\"\xf5\x01\n" +
+	"\tEventType\x12\x16\n" +
+	"\x12EVENT_TYPE_UNKNOWN\x10\x00\x12\x1c\n" +
+	"\x18EVENT_TYPE_CLIENT_HEADER\x10\x01\x12\x1c\n" +
+	"\x18EVENT_TYPE_SERVER_HEADER\x10\x02\x12\x1d\n" +
+	"\x19EVENT_TYPE_CLIENT_MESSAGE\x10\x03\x12\x1d\n" +
+	"\x19EVENT_TYPE_SERVER_MESSAGE\x10\x04\x12 \n" +
+	"\x1cEVENT_TYPE_CLIENT_HALF_CLOSE\x10\x05\x12\x1d\n" +
+	"\x19EVENT_TYPE_SERVER_TRAILER\x10\x06\x12\x15\n" +
+	"\x11EVENT_TYPE_CANCEL\x10\a\"B\n" +
+	"\x06Logger\x12\x12\n" +
+	"\x0eLOGGER_UNKNOWN\x10\x00\x12\x11\n" +
+	"\rLOGGER_CLIENT\x10\x01\x12\x11\n" +
+	"\rLOGGER_SERVER\x10\x02B\t\n" +
+	"\apayload\"\xbb\x01\n" +
+	"\fClientHeader\x127\n" +
+	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
+	"\vmethod_name\x18\x02 \x01(\tR\n" +
+	"methodName\x12\x1c\n" +
+	"\tauthority\x18\x03 \x01(\tR\tauthority\x123\n" +
+	"\atimeout\x18\x04 \x01(\v2\x19.google.protobuf.DurationR\atimeout\"G\n" +
+	"\fServerHeader\x127\n" +
+	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\"\xb1\x01\n" +
+	"\aTrailer\x127\n" +
+	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
+	"\vstatus_code\x18\x02 \x01(\rR\n" +
+	"statusCode\x12%\n" +
+	"\x0estatus_message\x18\x03 \x01(\tR\rstatusMessage\x12%\n" +
+	"\x0estatus_details\x18\x04 \x01(\fR\rstatusDetails\"5\n" +
+	"\aMessage\x12\x16\n" +
+	"\x06length\x18\x01 \x01(\rR\x06length\x12\x12\n" +
+	"\x04data\x18\x02 \x01(\fR\x04data\"B\n" +
+	"\bMetadata\x126\n" +
+	"\x05entry\x18\x01 \x03(\v2 .grpc.binarylog.v1.MetadataEntryR\x05entry\"7\n" +
+	"\rMetadataEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\fR\x05value\"\xb8\x01\n" +
+	"\aAddress\x123\n" +
+	"\x04type\x18\x01 \x01(\x0e2\x1f.grpc.binarylog.v1.Address.TypeR\x04type\x12\x18\n" +
+	"\aaddress\x18\x02 \x01(\tR\aaddress\x12\x17\n" +
+	"\aip_port\x18\x03 \x01(\rR\x06ipPort\"E\n" +
+	"\x04Type\x12\x10\n" +
+	"\fTYPE_UNKNOWN\x10\x00\x12\r\n" +
+	"\tTYPE_IPV4\x10\x01\x12\r\n" +
+	"\tTYPE_IPV6\x10\x02\x12\r\n" +
+	"\tTYPE_UNIX\x10\x03B\\\n" +
+	"\x14io.grpc.binarylog.v1B\x0eBinaryLogProtoP\x01Z2google.golang.org/grpc/binarylog/grpc_binarylog_v1b\x06proto3"
 
 var (
 	file_grpc_binlog_v1_binarylog_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/clientconn.go b/vendor/google.golang.org/grpc/clientconn.go
index a319ef97..cd3eaf8d 100644
--- a/vendor/google.golang.org/grpc/clientconn.go
+++ b/vendor/google.golang.org/grpc/clientconn.go
@@ -689,22 +689,31 @@ func (cc *ClientConn) Connect() {
 	cc.mu.Unlock()
 }
 
-// waitForResolvedAddrs blocks until the resolver has provided addresses or the
-// context expires.  Returns nil unless the context expires first; otherwise
-// returns a status error based on the context.
-func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) error {
+// waitForResolvedAddrs blocks until the resolver provides addresses or the
+// context expires, whichever happens first.
+//
+// Error is nil unless the context expires first; otherwise returns a status
+// error based on the context.
+//
+// The returned boolean indicates whether it did block or not. If the
+// resolution has already happened once before, it returns false without
+// blocking. Otherwise, it wait for the resolution and return true if
+// resolution has succeeded or return false along with error if resolution has
+// failed.
+func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) (bool, error) {
 	// This is on the RPC path, so we use a fast path to avoid the
 	// more-expensive "select" below after the resolver has returned once.
 	if cc.firstResolveEvent.HasFired() {
-		return nil
+		return false, nil
 	}
+	internal.NewStreamWaitingForResolver()
 	select {
 	case <-cc.firstResolveEvent.Done():
-		return nil
+		return true, nil
 	case <-ctx.Done():
-		return status.FromContextError(ctx.Err()).Err()
+		return false, status.FromContextError(ctx.Err()).Err()
 	case <-cc.ctx.Done():
-		return ErrClientConnClosing
+		return false, ErrClientConnClosing
 	}
 }
 
@@ -1231,8 +1240,7 @@ func (ac *addrConn) updateConnectivityState(s connectivity.State, lastErr error)
 // adjustParams updates parameters used to create transports upon
 // receiving a GoAway.
 func (ac *addrConn) adjustParams(r transport.GoAwayReason) {
-	switch r {
-	case transport.GoAwayTooManyPings:
+	if r == transport.GoAwayTooManyPings {
 		v := 2 * ac.dopts.copts.KeepaliveParams.Time
 		ac.cc.mu.Lock()
 		if v > ac.cc.keepaliveParams.Time {
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index 665e790b..a63ab606 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -120,6 +120,20 @@ type AuthInfo interface {
 	AuthType() string
 }
 
+// AuthorityValidator validates the authority used to override the `:authority`
+// header. This is an optional interface that implementations of AuthInfo can
+// implement if they support per-RPC authority overrides. It is invoked when the
+// application attempts to override the HTTP/2 `:authority` header using the
+// CallAuthority call option.
+type AuthorityValidator interface {
+	// ValidateAuthority checks the authority value used to override the
+	// `:authority` header. The authority parameter is the override value
+	// provided by the application via the CallAuthority option. This value
+	// typically corresponds to the server hostname or endpoint the RPC is
+	// targeting. It returns non-nil error if the validation fails.
+	ValidateAuthority(authority string) error
+}
+
 // ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
 // and the caller should not close rawConn.
 var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
@@ -207,14 +221,32 @@ type RequestInfo struct {
 	AuthInfo AuthInfo
 }
 
+// requestInfoKey is a struct to be used as the key to store RequestInfo in a
+// context.
+type requestInfoKey struct{}
+
 // RequestInfoFromContext extracts the RequestInfo from the context if it exists.
 //
 // This API is experimental.
 func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool) {
-	ri, ok = icredentials.RequestInfoFromContext(ctx).(RequestInfo)
+	ri, ok = ctx.Value(requestInfoKey{}).(RequestInfo)
 	return ri, ok
 }
 
+// NewContextWithRequestInfo creates a new context from ctx and attaches ri to it.
+//
+// This RequestInfo will be accessible via RequestInfoFromContext.
+//
+// Intended to be used from tests for PerRPCCredentials implementations (that
+// often need to check connection's SecurityLevel). Should not be used from
+// non-test code: the gRPC client already prepares a context with the correct
+// RequestInfo attached when calling PerRPCCredentials.GetRequestMetadata.
+//
+// This API is experimental.
+func NewContextWithRequestInfo(ctx context.Context, ri RequestInfo) context.Context {
+	return context.WithValue(ctx, requestInfoKey{}, ri)
+}
+
 // ClientHandshakeInfo holds data to be passed to ClientHandshake. This makes
 // it possible to pass arbitrary data to the handshaker from gRPC, resolver,
 // balancer etc. Individual credential implementations control the actual
diff --git a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
index 4c805c64..93156c0f 100644
--- a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
+++ b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
@@ -30,7 +30,7 @@ import (
 // NewCredentials returns a credentials which disables transport security.
 //
 // Note that using this credentials with per-RPC credentials which require
-// transport security is incompatible and will cause grpc.Dial() to fail.
+// transport security is incompatible and will cause RPCs to fail.
 func NewCredentials() credentials.TransportCredentials {
 	return insecureTC{}
 }
@@ -71,6 +71,12 @@ func (info) AuthType() string {
 	return "insecure"
 }
 
+// ValidateAuthority allows any value to be overridden for the :authority
+// header.
+func (info) ValidateAuthority(string) error {
+	return nil
+}
+
 // insecureBundle implements an insecure bundle.
 // An insecure bundle provides a thin wrapper around insecureTC to support
 // the credentials.Bundle interface.
diff --git a/vendor/google.golang.org/grpc/credentials/tls.go b/vendor/google.golang.org/grpc/credentials/tls.go
index bd5fe22b..20f65f7b 100644
--- a/vendor/google.golang.org/grpc/credentials/tls.go
+++ b/vendor/google.golang.org/grpc/credentials/tls.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"net"
 	"net/url"
@@ -50,6 +51,21 @@ func (t TLSInfo) AuthType() string {
 	return "tls"
 }
 
+// ValidateAuthority validates the provided authority being used to override the
+// :authority header by verifying it against the peer certificates. It returns a
+// non-nil error if the validation fails.
+func (t TLSInfo) ValidateAuthority(authority string) error {
+	var errs []error
+	for _, cert := range t.State.PeerCertificates {
+		var err error
+		if err = cert.VerifyHostname(authority); err == nil {
+			return nil
+		}
+		errs = append(errs, err)
+	}
+	return fmt.Errorf("credentials: invalid authority %q: %v", authority, errors.Join(errs...))
+}
+
 // cipherSuiteLookup returns the string version of a TLS cipher suite ID.
 func cipherSuiteLookup(cipherSuiteID uint16) string {
 	for _, s := range tls.CipherSuites() {
diff --git a/vendor/google.golang.org/grpc/dialoptions.go b/vendor/google.golang.org/grpc/dialoptions.go
index 405a2ffe..ec0ca89c 100644
--- a/vendor/google.golang.org/grpc/dialoptions.go
+++ b/vendor/google.golang.org/grpc/dialoptions.go
@@ -213,6 +213,7 @@ func WithReadBufferSize(s int) DialOption {
 func WithInitialWindowSize(s int32) DialOption {
 	return newFuncDialOption(func(o *dialOptions) {
 		o.copts.InitialWindowSize = s
+		o.copts.StaticWindowSize = true
 	})
 }
 
@@ -222,6 +223,26 @@ func WithInitialWindowSize(s int32) DialOption {
 func WithInitialConnWindowSize(s int32) DialOption {
 	return newFuncDialOption(func(o *dialOptions) {
 		o.copts.InitialConnWindowSize = s
+		o.copts.StaticWindowSize = true
+	})
+}
+
+// WithStaticStreamWindowSize returns a DialOption which sets the initial
+// stream window size to the value provided and disables dynamic flow control.
+func WithStaticStreamWindowSize(s int32) DialOption {
+	return newFuncDialOption(func(o *dialOptions) {
+		o.copts.InitialWindowSize = s
+		o.copts.StaticWindowSize = true
+	})
+}
+
+// WithStaticConnWindowSize returns a DialOption which sets the initial
+// connection window size to the value provided and disables dynamic flow
+// control.
+func WithStaticConnWindowSize(s int32) DialOption {
+	return newFuncDialOption(func(o *dialOptions) {
+		o.copts.InitialConnWindowSize = s
+		o.copts.StaticWindowSize = true
 	})
 }
 
@@ -360,7 +381,7 @@ func WithReturnConnectionError() DialOption {
 //
 // Note that using this DialOption with per-RPC credentials (through
 // WithCredentialsBundle or WithPerRPCCredentials) which require transport
-// security is incompatible and will cause grpc.Dial() to fail.
+// security is incompatible and will cause RPCs to fail.
 //
 // Deprecated: use WithTransportCredentials and insecure.NewCredentials()
 // instead. Will be supported throughout 1.x.
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
index 94177b05..22d263fb 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.4
+// 	protoc-gen-go v1.36.6
 // 	protoc        v5.27.1
 // source: grpc/health/v1/health.proto
 
@@ -178,46 +178,112 @@ func (x *HealthCheckResponse) GetStatus() HealthCheckResponse_ServingStatus {
 	return HealthCheckResponse_UNKNOWN
 }
 
+type HealthListRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *HealthListRequest) Reset() {
+	*x = HealthListRequest{}
+	mi := &file_grpc_health_v1_health_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *HealthListRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HealthListRequest) ProtoMessage() {}
+
+func (x *HealthListRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_grpc_health_v1_health_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HealthListRequest.ProtoReflect.Descriptor instead.
+func (*HealthListRequest) Descriptor() ([]byte, []int) {
+	return file_grpc_health_v1_health_proto_rawDescGZIP(), []int{2}
+}
+
+type HealthListResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// statuses contains all the services and their respective status.
+	Statuses      map[string]*HealthCheckResponse `protobuf:"bytes,1,rep,name=statuses,proto3" json:"statuses,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *HealthListResponse) Reset() {
+	*x = HealthListResponse{}
+	mi := &file_grpc_health_v1_health_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *HealthListResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HealthListResponse) ProtoMessage() {}
+
+func (x *HealthListResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_grpc_health_v1_health_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HealthListResponse.ProtoReflect.Descriptor instead.
+func (*HealthListResponse) Descriptor() ([]byte, []int) {
+	return file_grpc_health_v1_health_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *HealthListResponse) GetStatuses() map[string]*HealthCheckResponse {
+	if x != nil {
+		return x.Statuses
+	}
+	return nil
+}
+
 var File_grpc_health_v1_health_proto protoreflect.FileDescriptor
 
-var file_grpc_health_v1_health_proto_rawDesc = string([]byte{
-	0x0a, 0x1b, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2f, 0x76, 0x31,
-	0x2f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x67,
-	0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x22, 0x2e, 0x0a,
-	0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x22, 0xb1, 0x01,
-	0x0a, 0x13, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x49, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61,
-	0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65,
-	0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x6e, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x22, 0x4f, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75,
-	0x73, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b,
-	0x0a, 0x07, 0x53, 0x45, 0x52, 0x56, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x4e,
-	0x4f, 0x54, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f,
-	0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
-	0x03, 0x32, 0xae, 0x01, 0x0a, 0x06, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x12, 0x50, 0x0a, 0x05,
-	0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61,
-	0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65,
-	0x63, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63,
-	0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74,
-	0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x52,
-	0x0a, 0x05, 0x57, 0x61, 0x74, 0x63, 0x68, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68,
-	0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43,
-	0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72,
-	0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61,
-	0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x30, 0x01, 0x42, 0x70, 0x0a, 0x11, 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65,
-	0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
-	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x68,
-	0x65, 0x61, 0x6c, 0x74, 0x68, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x68, 0x65, 0x61, 0x6c, 0x74,
-	0x68, 0x5f, 0x76, 0x31, 0xa2, 0x02, 0x0c, 0x47, 0x72, 0x70, 0x63, 0x48, 0x65, 0x61, 0x6c, 0x74,
-	0x68, 0x56, 0x31, 0xaa, 0x02, 0x0e, 0x47, 0x72, 0x70, 0x63, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74,
-	0x68, 0x2e, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_grpc_health_v1_health_proto_rawDesc = "" +
+	"\n" +
+	"\x1bgrpc/health/v1/health.proto\x12\x0egrpc.health.v1\".\n" +
+	"\x12HealthCheckRequest\x12\x18\n" +
+	"\aservice\x18\x01 \x01(\tR\aservice\"\xb1\x01\n" +
+	"\x13HealthCheckResponse\x12I\n" +
+	"\x06status\x18\x01 \x01(\x0e21.grpc.health.v1.HealthCheckResponse.ServingStatusR\x06status\"O\n" +
+	"\rServingStatus\x12\v\n" +
+	"\aUNKNOWN\x10\x00\x12\v\n" +
+	"\aSERVING\x10\x01\x12\x0f\n" +
+	"\vNOT_SERVING\x10\x02\x12\x13\n" +
+	"\x0fSERVICE_UNKNOWN\x10\x03\"\x13\n" +
+	"\x11HealthListRequest\"\xc4\x01\n" +
+	"\x12HealthListResponse\x12L\n" +
+	"\bstatuses\x18\x01 \x03(\v20.grpc.health.v1.HealthListResponse.StatusesEntryR\bstatuses\x1a`\n" +
+	"\rStatusesEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x129\n" +
+	"\x05value\x18\x02 \x01(\v2#.grpc.health.v1.HealthCheckResponseR\x05value:\x028\x012\xfd\x01\n" +
+	"\x06Health\x12P\n" +
+	"\x05Check\x12\".grpc.health.v1.HealthCheckRequest\x1a#.grpc.health.v1.HealthCheckResponse\x12M\n" +
+	"\x04List\x12!.grpc.health.v1.HealthListRequest\x1a\".grpc.health.v1.HealthListResponse\x12R\n" +
+	"\x05Watch\x12\".grpc.health.v1.HealthCheckRequest\x1a#.grpc.health.v1.HealthCheckResponse0\x01Bp\n" +
+	"\x11io.grpc.health.v1B\vHealthProtoP\x01Z,google.golang.org/grpc/health/grpc_health_v1\xa2\x02\fGrpcHealthV1\xaa\x02\x0eGrpc.Health.V1b\x06proto3"
 
 var (
 	file_grpc_health_v1_health_proto_rawDescOnce sync.Once
@@ -232,23 +298,30 @@ func file_grpc_health_v1_health_proto_rawDescGZIP() []byte {
 }
 
 var file_grpc_health_v1_health_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_grpc_health_v1_health_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_grpc_health_v1_health_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
 var file_grpc_health_v1_health_proto_goTypes = []any{
 	(HealthCheckResponse_ServingStatus)(0), // 0: grpc.health.v1.HealthCheckResponse.ServingStatus
 	(*HealthCheckRequest)(nil),             // 1: grpc.health.v1.HealthCheckRequest
 	(*HealthCheckResponse)(nil),            // 2: grpc.health.v1.HealthCheckResponse
+	(*HealthListRequest)(nil),              // 3: grpc.health.v1.HealthListRequest
+	(*HealthListResponse)(nil),             // 4: grpc.health.v1.HealthListResponse
+	nil,                                    // 5: grpc.health.v1.HealthListResponse.StatusesEntry
 }
 var file_grpc_health_v1_health_proto_depIdxs = []int32{
 	0, // 0: grpc.health.v1.HealthCheckResponse.status:type_name -> grpc.health.v1.HealthCheckResponse.ServingStatus
-	1, // 1: grpc.health.v1.Health.Check:input_type -> grpc.health.v1.HealthCheckRequest
-	1, // 2: grpc.health.v1.Health.Watch:input_type -> grpc.health.v1.HealthCheckRequest
-	2, // 3: grpc.health.v1.Health.Check:output_type -> grpc.health.v1.HealthCheckResponse
-	2, // 4: grpc.health.v1.Health.Watch:output_type -> grpc.health.v1.HealthCheckResponse
-	3, // [3:5] is the sub-list for method output_type
-	1, // [1:3] is the sub-list for method input_type
-	1, // [1:1] is the sub-list for extension type_name
-	1, // [1:1] is the sub-list for extension extendee
-	0, // [0:1] is the sub-list for field type_name
+	5, // 1: grpc.health.v1.HealthListResponse.statuses:type_name -> grpc.health.v1.HealthListResponse.StatusesEntry
+	2, // 2: grpc.health.v1.HealthListResponse.StatusesEntry.value:type_name -> grpc.health.v1.HealthCheckResponse
+	1, // 3: grpc.health.v1.Health.Check:input_type -> grpc.health.v1.HealthCheckRequest
+	3, // 4: grpc.health.v1.Health.List:input_type -> grpc.health.v1.HealthListRequest
+	1, // 5: grpc.health.v1.Health.Watch:input_type -> grpc.health.v1.HealthCheckRequest
+	2, // 6: grpc.health.v1.Health.Check:output_type -> grpc.health.v1.HealthCheckResponse
+	4, // 7: grpc.health.v1.Health.List:output_type -> grpc.health.v1.HealthListResponse
+	2, // 8: grpc.health.v1.Health.Watch:output_type -> grpc.health.v1.HealthCheckResponse
+	6, // [6:9] is the sub-list for method output_type
+	3, // [3:6] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
 }
 
 func init() { file_grpc_health_v1_health_proto_init() }
@@ -262,7 +335,7 @@ func file_grpc_health_v1_health_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_grpc_health_v1_health_proto_rawDesc), len(file_grpc_health_v1_health_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   2,
+			NumMessages:   5,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
index f96b8ab4..f2c01f29 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
@@ -37,6 +37,7 @@ const _ = grpc.SupportPackageIsVersion9
 
 const (
 	Health_Check_FullMethodName = "/grpc.health.v1.Health/Check"
+	Health_List_FullMethodName  = "/grpc.health.v1.Health/List"
 	Health_Watch_FullMethodName = "/grpc.health.v1.Health/Watch"
 )
 
@@ -55,9 +56,19 @@ type HealthClient interface {
 	//
 	// Clients should set a deadline when calling Check, and can declare the
 	// server unhealthy if they do not receive a timely response.
-	//
-	// Check implementations should be idempotent and side effect free.
 	Check(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (*HealthCheckResponse, error)
+	// List provides a non-atomic snapshot of the health of all the available
+	// services.
+	//
+	// The server may respond with a RESOURCE_EXHAUSTED error if too many services
+	// exist.
+	//
+	// Clients should set a deadline when calling List, and can declare the server
+	// unhealthy if they do not receive a timely response.
+	//
+	// Clients should keep in mind that the list of health services exposed by an
+	// application can change over the lifetime of the process.
+	List(ctx context.Context, in *HealthListRequest, opts ...grpc.CallOption) (*HealthListResponse, error)
 	// Performs a watch for the serving status of the requested service.
 	// The server will immediately send back a message indicating the current
 	// serving status.  It will then subsequently send a new message whenever
@@ -94,6 +105,16 @@ func (c *healthClient) Check(ctx context.Context, in *HealthCheckRequest, opts .
 	return out, nil
 }
 
+func (c *healthClient) List(ctx context.Context, in *HealthListRequest, opts ...grpc.CallOption) (*HealthListResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(HealthListResponse)
+	err := c.cc.Invoke(ctx, Health_List_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *healthClient) Watch(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HealthCheckResponse], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &Health_ServiceDesc.Streams[0], Health_Watch_FullMethodName, cOpts...)
@@ -128,9 +149,19 @@ type HealthServer interface {
 	//
 	// Clients should set a deadline when calling Check, and can declare the
 	// server unhealthy if they do not receive a timely response.
-	//
-	// Check implementations should be idempotent and side effect free.
 	Check(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error)
+	// List provides a non-atomic snapshot of the health of all the available
+	// services.
+	//
+	// The server may respond with a RESOURCE_EXHAUSTED error if too many services
+	// exist.
+	//
+	// Clients should set a deadline when calling List, and can declare the server
+	// unhealthy if they do not receive a timely response.
+	//
+	// Clients should keep in mind that the list of health services exposed by an
+	// application can change over the lifetime of the process.
+	List(context.Context, *HealthListRequest) (*HealthListResponse, error)
 	// Performs a watch for the serving status of the requested service.
 	// The server will immediately send back a message indicating the current
 	// serving status.  It will then subsequently send a new message whenever
@@ -157,10 +188,13 @@ type HealthServer interface {
 type UnimplementedHealthServer struct{}
 
 func (UnimplementedHealthServer) Check(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method Check not implemented")
+	return nil, status.Error(codes.Unimplemented, "method Check not implemented")
+}
+func (UnimplementedHealthServer) List(context.Context, *HealthListRequest) (*HealthListResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method List not implemented")
 }
 func (UnimplementedHealthServer) Watch(*HealthCheckRequest, grpc.ServerStreamingServer[HealthCheckResponse]) error {
-	return status.Errorf(codes.Unimplemented, "method Watch not implemented")
+	return status.Error(codes.Unimplemented, "method Watch not implemented")
 }
 func (UnimplementedHealthServer) testEmbeddedByValue() {}
 
@@ -200,6 +234,24 @@ func _Health_Check_Handler(srv interface{}, ctx context.Context, dec func(interf
 	return interceptor(ctx, in, info, handler)
 }
 
+func _Health_List_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(HealthListRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HealthServer).List(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Health_List_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HealthServer).List(ctx, req.(*HealthListRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _Health_Watch_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(HealthCheckRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -222,6 +274,10 @@ var Health_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "Check",
 			Handler:    _Health_Check_Handler,
 		},
+		{
+			MethodName: "List",
+			Handler:    _Health_List_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
diff --git a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
index fbc1ca35..ba25b898 100644
--- a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
+++ b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
@@ -223,15 +223,7 @@ func (gsb *Balancer) ExitIdle() {
 	// There is no need to protect this read with a mutex, as the write to the
 	// Balancer field happens in SwitchTo, which completes before this can be
 	// called.
-	if ei, ok := balToUpdate.Balancer.(balancer.ExitIdler); ok {
-		ei.ExitIdle()
-		return
-	}
-	gsb.mu.Lock()
-	defer gsb.mu.Unlock()
-	for sc := range balToUpdate.subconns {
-		sc.Connect()
-	}
+	balToUpdate.ExitIdle()
 }
 
 // updateSubConnState forwards the update to the appropriate child.
diff --git a/vendor/google.golang.org/grpc/internal/credentials/credentials.go b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
index 9deee7f6..48b22d9c 100644
--- a/vendor/google.golang.org/grpc/internal/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
@@ -20,20 +20,6 @@ import (
 	"context"
 )
 
-// requestInfoKey is a struct to be used as the key to store RequestInfo in a
-// context.
-type requestInfoKey struct{}
-
-// NewRequestInfoContext creates a context with ri.
-func NewRequestInfoContext(ctx context.Context, ri any) context.Context {
-	return context.WithValue(ctx, requestInfoKey{}, ri)
-}
-
-// RequestInfoFromContext extracts the RequestInfo from ctx.
-func RequestInfoFromContext(ctx context.Context) any {
-	return ctx.Value(requestInfoKey{})
-}
-
 // clientHandshakeInfoKey is a struct used as the key to store
 // ClientHandshakeInfo in a context.
 type clientHandshakeInfoKey struct{}
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index 1e42b6fd..2fdaed88 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -33,10 +33,6 @@ var (
 	// "GRPC_RING_HASH_CAP".  This does not override the default bounds
 	// checking which NACKs configs specifying ring sizes > 8*1024*1024 (~8M).
 	RingHashCap = uint64FromEnv("GRPC_RING_HASH_CAP", 4096, 1, 8*1024*1024)
-	// LeastRequestLB is set if we should support the least_request_experimental
-	// LB policy, which can be enabled by setting the environment variable
-	// "GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST" to "true".
-	LeastRequestLB = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST", false)
 	// ALTSMaxConcurrentHandshakes is the maximum number of concurrent ALTS
 	// handshakes that can be performed.
 	ALTSMaxConcurrentHandshakes = uint64FromEnv("GRPC_ALTS_MAX_CONCURRENT_HANDSHAKES", 100, 1, 100)
@@ -51,10 +47,28 @@ var (
 	// xDS server in the list of server configs will be used.
 	XDSFallbackSupport = boolFromEnv("GRPC_EXPERIMENTAL_XDS_FALLBACK", true)
 	// NewPickFirstEnabled is set if the new pickfirst leaf policy is to be used
-	// instead of the exiting pickfirst implementation. This can be enabled by
+	// instead of the exiting pickfirst implementation. This can be disabled by
 	// setting the environment variable "GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST"
-	// to "true".
-	NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", false)
+	// to "false".
+	NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", true)
+
+	// XDSEndpointHashKeyBackwardCompat controls the parsing of the endpoint hash
+	// key from EDS LbEndpoint metadata. Endpoint hash keys can be disabled by
+	// setting "GRPC_XDS_ENDPOINT_HASH_KEY_BACKWARD_COMPAT" to "true". When the
+	// implementation of A76 is stable, we will flip the default value to false
+	// in a subsequent release. A final release will remove this environment
+	// variable, enabling the new behavior unconditionally.
+	XDSEndpointHashKeyBackwardCompat = boolFromEnv("GRPC_XDS_ENDPOINT_HASH_KEY_BACKWARD_COMPAT", true)
+
+	// RingHashSetRequestHashKey is set if the ring hash balancer can get the
+	// request hash header by setting the "requestHashHeader" field, according
+	// to gRFC A76. It can be enabled by setting the environment variable
+	// "GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY" to "true".
+	RingHashSetRequestHashKey = boolFromEnv("GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY", false)
+
+	// ALTSHandshakerKeepaliveParams is set if we should add the
+	// KeepaliveParams when dial the ALTS handshaker service.
+	ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false)
 )
 
 func boolFromEnv(envVar string, def bool) bool {
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/xds.go b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
index 2eb97f83..e8755155 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/xds.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
@@ -63,4 +63,9 @@ var (
 	// For more details, see:
 	// https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md.
 	XDSSystemRootCertsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_SYSTEM_ROOT_CERTS", false)
+
+	// XDSSPIFFEEnabled controls if SPIFFE Bundle Maps can be used as roots of
+	// trust.  For more details, see:
+	// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
+	XDSSPIFFEEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_MTLS_SPIFFE", false)
 )
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/event.go b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
index fbe697c3..d788c249 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/event.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
@@ -21,28 +21,25 @@
 package grpcsync
 
 import (
-	"sync"
 	"sync/atomic"
 )
 
 // Event represents a one-time event that may occur in the future.
 type Event struct {
-	fired int32
+	fired atomic.Bool
 	c     chan struct{}
-	o     sync.Once
 }
 
 // Fire causes e to complete.  It is safe to call multiple times, and
 // concurrently.  It returns true iff this call to Fire caused the signaling
-// channel returned by Done to close.
+// channel returned by Done to close. If Fire returns false, it is possible
+// the Done channel has not been closed yet.
 func (e *Event) Fire() bool {
-	ret := false
-	e.o.Do(func() {
-		atomic.StoreInt32(&e.fired, 1)
+	if e.fired.CompareAndSwap(false, true) {
 		close(e.c)
-		ret = true
-	})
-	return ret
+		return true
+	}
+	return false
 }
 
 // Done returns a channel that will be closed when Fire is called.
@@ -52,7 +49,7 @@ func (e *Event) Done() <-chan struct{} {
 
 // HasFired returns true if Fire has been called.
 func (e *Event) HasFired() bool {
-	return atomic.LoadInt32(&e.fired) == 1
+	return e.fired.Load()
 }
 
 // NewEvent returns a new, ready-to-use Event.
diff --git a/vendor/google.golang.org/grpc/internal/internal.go b/vendor/google.golang.org/grpc/internal/internal.go
index 13e1f386..3ac798e8 100644
--- a/vendor/google.golang.org/grpc/internal/internal.go
+++ b/vendor/google.golang.org/grpc/internal/internal.go
@@ -259,6 +259,20 @@ var (
 	// SetBufferPoolingThresholdForTesting updates the buffer pooling threshold, for
 	// testing purposes.
 	SetBufferPoolingThresholdForTesting any // func(int)
+
+	// TimeAfterFunc is used to create timers. During tests the function is
+	// replaced to track allocated timers and fail the test if a timer isn't
+	// cancelled.
+	TimeAfterFunc = func(d time.Duration, f func()) Timer {
+		return time.AfterFunc(d, f)
+	}
+
+	// NewStreamWaitingForResolver is a test hook that is triggered when a
+	// new stream blocks while waiting for name resolution. This can be
+	// used in tests to synchronize resolver updates and avoid race conditions.
+	// When set, the function will be called before the stream enters
+	// the blocking state.
+	NewStreamWaitingForResolver = func() {}
 )
 
 // HealthChecker defines the signature of the client-side LB channel health
@@ -300,3 +314,9 @@ type EnforceSubConnEmbedding interface {
 type EnforceClientConnEmbedding interface {
 	enforceClientConnEmbedding()
 }
+
+// Timer is an interface to allow injecting different time.Timer implementations
+// during tests.
+type Timer interface {
+	Stop() bool
+}
diff --git a/vendor/google.golang.org/grpc/internal/metadata/metadata.go b/vendor/google.golang.org/grpc/internal/metadata/metadata.go
index 900bfb71..c4055bc0 100644
--- a/vendor/google.golang.org/grpc/internal/metadata/metadata.go
+++ b/vendor/google.golang.org/grpc/internal/metadata/metadata.go
@@ -97,13 +97,11 @@ func hasNotPrintable(msg string) bool {
 	return false
 }
 
-// ValidatePair validate a key-value pair with the following rules (the pseudo-header will be skipped) :
-//
-// - key must contain one or more characters.
-// - the characters in the key must be contained in [0-9 a-z _ - .].
-// - if the key ends with a "-bin" suffix, no validation of the corresponding value is performed.
-// - the characters in the every value must be printable (in [%x20-%x7E]).
-func ValidatePair(key string, vals ...string) error {
+// ValidateKey validates a key with the following rules (pseudo-headers are
+// skipped):
+// - the key must contain one or more characters.
+// - the characters in the key must be in [0-9 a-z _ - .].
+func ValidateKey(key string) error {
 	// key should not be empty
 	if key == "" {
 		return fmt.Errorf("there is an empty key in the header")
@@ -119,6 +117,20 @@ func ValidatePair(key string, vals ...string) error {
 			return fmt.Errorf("header key %q contains illegal characters not in [0-9a-z-_.]", key)
 		}
 	}
+	return nil
+}
+
+// ValidatePair validates a key-value pair with the following rules
+// (pseudo-header are skipped):
+//   - the key must contain one or more characters.
+//   - the characters in the key must be in [0-9 a-z _ - .].
+//   - if the key ends with a "-bin" suffix, no validation of the corresponding
+//     value is performed.
+//   - the characters in every value must be printable (in [%x20-%x7E]).
+func ValidatePair(key string, vals ...string) error {
+	if err := ValidateKey(key); err != nil {
+		return err
+	}
 	if strings.HasSuffix(key, "-bin") {
 		return nil
 	}
diff --git a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
index a6c64701..20b8fb09 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
@@ -28,6 +28,8 @@ import (
 
 	"google.golang.org/grpc/grpclog"
 	"google.golang.org/grpc/internal/proxyattributes"
+	"google.golang.org/grpc/internal/transport"
+	"google.golang.org/grpc/internal/transport/networktype"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/serviceconfig"
 )
@@ -40,19 +42,26 @@ var (
 
 // delegatingResolver manages both target URI and proxy address resolution by
 // delegating these tasks to separate child resolvers. Essentially, it acts as
-// a intermediary between the gRPC ClientConn and the child resolvers.
+// an intermediary between the gRPC ClientConn and the child resolvers.
 //
 // It implements the [resolver.Resolver] interface.
 type delegatingResolver struct {
-	target         resolver.Target     // parsed target URI to be resolved
-	cc             resolver.ClientConn // gRPC ClientConn
-	targetResolver resolver.Resolver   // resolver for the target URI, based on its scheme
-	proxyResolver  resolver.Resolver   // resolver for the proxy URI; nil if no proxy is configured
-	proxyURL       *url.URL            // proxy URL, derived from proxy environment and target
+	target   resolver.Target     // parsed target URI to be resolved
+	cc       resolver.ClientConn // gRPC ClientConn
+	proxyURL *url.URL            // proxy URL, derived from proxy environment and target
 
+	// We do not hold both mu and childMu in the same goroutine. Avoid holding
+	// both locks when calling into the child, as the child resolver may
+	// synchronously callback into the channel.
 	mu                  sync.Mutex         // protects all the fields below
 	targetResolverState *resolver.State    // state of the target resolver
 	proxyAddrs          []resolver.Address // resolved proxy addresses; empty if no proxy is configured
+
+	// childMu serializes calls into child resolvers. It also protects access to
+	// the following fields.
+	childMu        sync.Mutex
+	targetResolver resolver.Resolver // resolver for the target URI, based on its scheme
+	proxyResolver  resolver.Resolver // resolver for the proxy URI; nil if no proxy is configured
 }
 
 // nopResolver is a resolver that does nothing.
@@ -62,8 +71,8 @@ func (nopResolver) ResolveNow(resolver.ResolveNowOptions) {}
 
 func (nopResolver) Close() {}
 
-// proxyURLForTarget determines the proxy URL for the given address based on
-// the environment. It can return the following:
+// proxyURLForTarget determines the proxy URL for the given address based on the
+// environment. It can return the following:
 //   - nil URL, nil error: No proxy is configured or the address is excluded
 //     using the `NO_PROXY` environment variable or if req.URL.Host is
 //     "localhost" (with or without // a port number)
@@ -82,7 +91,8 @@ func proxyURLForTarget(address string) (*url.URL, error) {
 // resolvers:
 //   - one to resolve the proxy address specified using the supported
 //     environment variables. This uses the registered resolver for the "dns"
-//     scheme.
+//     scheme. It is lazily built when a target resolver update contains at least
+//     one TCP address.
 //   - one to resolve the target URI using the resolver specified by the scheme
 //     in the target URI or specified by the user using the WithResolvers dial
 //     option. As a special case, if the target URI's scheme is "dns" and a
@@ -91,8 +101,10 @@ func proxyURLForTarget(address string) (*url.URL, error) {
 //     resolution is enabled using the dial option.
 func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOptions, targetResolverBuilder resolver.Builder, targetResolutionEnabled bool) (resolver.Resolver, error) {
 	r := &delegatingResolver{
-		target: target,
-		cc:     cc,
+		target:         target,
+		cc:             cc,
+		proxyResolver:  nopResolver{},
+		targetResolver: nopResolver{},
 	}
 
 	var err error
@@ -111,41 +123,34 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
 		logger.Infof("Proxy URL detected : %s", r.proxyURL)
 	}
 
+	// Resolver updates from one child may trigger calls into the other. Block
+	// updates until the children are initialized.
+	r.childMu.Lock()
+	defer r.childMu.Unlock()
 	// When the scheme is 'dns' and target resolution on client is not enabled,
 	// resolution should be handled by the proxy, not the client. Therefore, we
 	// bypass the target resolver and store the unresolved target address.
 	if target.URL.Scheme == "dns" && !targetResolutionEnabled {
-		state := resolver.State{
+		r.targetResolverState = &resolver.State{
 			Addresses: []resolver.Address{{Addr: target.Endpoint()}},
 			Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: target.Endpoint()}}}},
 		}
-		r.targetResolverState = &state
-	} else {
-		wcc := &wrappingClientConn{
-			stateListener: r.updateTargetResolverState,
-			parent:        r,
-		}
-		if r.targetResolver, err = targetResolverBuilder.Build(target, wcc, opts); err != nil {
-			return nil, fmt.Errorf("delegating_resolver: unable to build the resolver for target %s: %v", target, err)
-		}
+		r.updateTargetResolverState(*r.targetResolverState)
+		return r, nil
 	}
-
-	if r.proxyResolver, err = r.proxyURIResolver(opts); err != nil {
-		return nil, fmt.Errorf("delegating_resolver: failed to build resolver for proxy URL %q: %v", r.proxyURL, err)
+	wcc := &wrappingClientConn{
+		stateListener: r.updateTargetResolverState,
+		parent:        r,
 	}
-
-	if r.targetResolver == nil {
-		r.targetResolver = nopResolver{}
-	}
-	if r.proxyResolver == nil {
-		r.proxyResolver = nopResolver{}
+	if r.targetResolver, err = targetResolverBuilder.Build(target, wcc, opts); err != nil {
+		return nil, fmt.Errorf("delegating_resolver: unable to build the resolver for target %s: %v", target, err)
 	}
 	return r, nil
 }
 
-// proxyURIResolver creates a resolver for resolving proxy URIs using the
-// "dns" scheme. It adjusts the proxyURL to conform to the "dns:///" format and
-// builds a resolver with a wrappingClientConn to capture resolved addresses.
+// proxyURIResolver creates a resolver for resolving proxy URIs using the "dns"
+// scheme. It adjusts the proxyURL to conform to the "dns:///" format and builds
+// a resolver with a wrappingClientConn to capture resolved addresses.
 func (r *delegatingResolver) proxyURIResolver(opts resolver.BuildOptions) (resolver.Resolver, error) {
 	proxyBuilder := resolver.Get("dns")
 	if proxyBuilder == nil {
@@ -165,11 +170,15 @@ func (r *delegatingResolver) proxyURIResolver(opts resolver.BuildOptions) (resol
 }
 
 func (r *delegatingResolver) ResolveNow(o resolver.ResolveNowOptions) {
+	r.childMu.Lock()
+	defer r.childMu.Unlock()
 	r.targetResolver.ResolveNow(o)
 	r.proxyResolver.ResolveNow(o)
 }
 
 func (r *delegatingResolver) Close() {
+	r.childMu.Lock()
+	defer r.childMu.Unlock()
 	r.targetResolver.Close()
 	r.targetResolver = nil
 
@@ -177,18 +186,58 @@ func (r *delegatingResolver) Close() {
 	r.proxyResolver = nil
 }
 
-// updateClientConnStateLocked creates a list of combined addresses by
-// pairing each proxy address with every target address. For each pair, it
-// generates a new [resolver.Address] using the proxy address, and adding the
-// target address as the attribute along with user info. It returns nil if
-// either resolver has not sent update even once and returns the error from
-// ClientConn update once both resolvers have sent update atleast once.
+func needsProxyResolver(state *resolver.State) bool {
+	for _, addr := range state.Addresses {
+		if !skipProxy(addr) {
+			return true
+		}
+	}
+	for _, endpoint := range state.Endpoints {
+		for _, addr := range endpoint.Addresses {
+			if !skipProxy(addr) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func skipProxy(address resolver.Address) bool {
+	// Avoid proxy when network is not tcp.
+	networkType, ok := networktype.Get(address)
+	if !ok {
+		networkType, _ = transport.ParseDialTarget(address.Addr)
+	}
+	if networkType != "tcp" {
+		return true
+	}
+
+	req := &http.Request{URL: &url.URL{
+		Scheme: "https",
+		Host:   address.Addr,
+	}}
+	// Avoid proxy when address included in `NO_PROXY` environment variable or
+	// fails to get the proxy address.
+	url, err := HTTPSProxyFromEnvironment(req)
+	if err != nil || url == nil {
+		return true
+	}
+	return false
+}
+
+// updateClientConnStateLocked constructs a combined list of addresses by
+// pairing each proxy address with every target address of type TCP. For each
+// pair, it creates a new [resolver.Address] using the proxy address and
+// attaches the corresponding target address and user info as attributes. Target
+// addresses that are not of type TCP are appended to the list as-is. The
+// function returns nil if either resolver has not yet provided an update, and
+// returns the result of ClientConn.UpdateState once both resolvers have
+// provided at least one update.
 func (r *delegatingResolver) updateClientConnStateLocked() error {
 	if r.targetResolverState == nil || r.proxyAddrs == nil {
 		return nil
 	}
 
-	curState := *r.targetResolverState
 	// If multiple resolved proxy addresses are present, we send only the
 	// unresolved proxy host and let net.Dial handle the proxy host name
 	// resolution when creating the transport. Sending all resolved addresses
@@ -206,24 +255,29 @@ func (r *delegatingResolver) updateClientConnStateLocked() error {
 	}
 	var addresses []resolver.Address
 	for _, targetAddr := range (*r.targetResolverState).Addresses {
+		if skipProxy(targetAddr) {
+			addresses = append(addresses, targetAddr)
+			continue
+		}
 		addresses = append(addresses, proxyattributes.Set(proxyAddr, proxyattributes.Options{
 			User:        r.proxyURL.User,
 			ConnectAddr: targetAddr.Addr,
 		}))
 	}
 
-	// Create a list of combined endpoints by pairing all proxy endpoints
-	// with every target endpoint. Each time, it constructs a new
-	// [resolver.Endpoint] using the all addresses from all the proxy endpoint
-	// and the target addresses from one endpoint. The target address and user
-	// information from the proxy URL are added as attributes to the proxy
-	// address.The resulting list of addresses is then grouped into endpoints,
-	// covering all combinations of proxy and target endpoints.
+	// For each target endpoint, construct a new [resolver.Endpoint] that
+	// includes all addresses from all proxy endpoints and the addresses from
+	// that target endpoint, preserving the number of target endpoints.
 	var endpoints []resolver.Endpoint
 	for _, endpt := range (*r.targetResolverState).Endpoints {
 		var addrs []resolver.Address
-		for _, proxyAddr := range r.proxyAddrs {
-			for _, targetAddr := range endpt.Addresses {
+		for _, targetAddr := range endpt.Addresses {
+			// Avoid proxy when network is not tcp.
+			if skipProxy(targetAddr) {
+				addrs = append(addrs, targetAddr)
+				continue
+			}
+			for _, proxyAddr := range r.proxyAddrs {
 				addrs = append(addrs, proxyattributes.Set(proxyAddr, proxyattributes.Options{
 					User:        r.proxyURL.User,
 					ConnectAddr: targetAddr.Addr,
@@ -234,8 +288,9 @@ func (r *delegatingResolver) updateClientConnStateLocked() error {
 	}
 	// Use the targetResolverState for its service config and attributes
 	// contents. The state update is only sent after both the target and proxy
-	// resolvers have sent their updates, and curState has been updated with
-	// the combined addresses.
+	// resolvers have sent their updates, and curState has been updated with the
+	// combined addresses.
+	curState := *r.targetResolverState
 	curState.Addresses = addresses
 	curState.Endpoints = endpoints
 	return r.cc.UpdateState(curState)
@@ -245,7 +300,8 @@ func (r *delegatingResolver) updateClientConnStateLocked() error {
 // addresses and endpoints, marking the resolver as ready, and triggering a
 // state update if both proxy and target resolvers are ready. If the ClientConn
 // returns a non-nil error, it calls `ResolveNow()` on the target resolver.  It
-// is a StateListener function of wrappingClientConn passed to the proxy resolver.
+// is a StateListener function of wrappingClientConn passed to the proxy
+// resolver.
 func (r *delegatingResolver) updateProxyResolverState(state resolver.State) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
@@ -253,8 +309,8 @@ func (r *delegatingResolver) updateProxyResolverState(state resolver.State) erro
 		logger.Infof("Addresses received from proxy resolver: %s", state.Addresses)
 	}
 	if len(state.Endpoints) > 0 {
-		// We expect exactly one address per endpoint because the proxy
-		// resolver uses "dns" resolution.
+		// We expect exactly one address per endpoint because the proxy resolver
+		// uses "dns" resolution.
 		r.proxyAddrs = make([]resolver.Address, 0, len(state.Endpoints))
 		for _, endpoint := range state.Endpoints {
 			r.proxyAddrs = append(r.proxyAddrs, endpoint.Addresses...)
@@ -267,20 +323,29 @@ func (r *delegatingResolver) updateProxyResolverState(state resolver.State) erro
 	err := r.updateClientConnStateLocked()
 	// Another possible approach was to block until updates are received from
 	// both resolvers. But this is not used because calling `New()` triggers
-	// `Build()`  for the first resolver, which calls `UpdateState()`. And the
+	// `Build()` for the first resolver, which calls `UpdateState()`. And the
 	// second resolver hasn't sent an update yet, so it would cause `New()` to
 	// block indefinitely.
 	if err != nil {
-		r.targetResolver.ResolveNow(resolver.ResolveNowOptions{})
+		go func() {
+			r.childMu.Lock()
+			defer r.childMu.Unlock()
+			if r.targetResolver != nil {
+				r.targetResolver.ResolveNow(resolver.ResolveNowOptions{})
+			}
+		}()
 	}
 	return err
 }
 
-// updateTargetResolverState updates the target resolver state by storing target
-// addresses, endpoints, and service config, marking the resolver as ready, and
-// triggering a state update if both resolvers are ready. If the ClientConn
-// returns a non-nil error, it calls `ResolveNow()` on the proxy resolver. It
-// is a StateListener function of wrappingClientConn passed to the target resolver.
+// updateTargetResolverState is the StateListener function provided to the
+// target resolver via wrappingClientConn. It updates the resolver state and
+// marks the target resolver as ready. If the update includes at least one TCP
+// address and the proxy resolver has not yet been constructed, it initializes
+// the proxy resolver. A combined state update is triggered once both resolvers
+// are ready. If all addresses are non-TCP, it proceeds without waiting for the
+// proxy resolver. If ClientConn.UpdateState returns a non-nil error,
+// ResolveNow() is called on the proxy resolver.
 func (r *delegatingResolver) updateTargetResolverState(state resolver.State) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
@@ -289,9 +354,41 @@ func (r *delegatingResolver) updateTargetResolverState(state resolver.State) err
 		logger.Infof("Addresses received from target resolver: %v", state.Addresses)
 	}
 	r.targetResolverState = &state
+	// If all addresses returned by the target resolver have a non-TCP network
+	// type, or are listed in the `NO_PROXY` environment variable, do not wait
+	// for proxy update.
+	if !needsProxyResolver(r.targetResolverState) {
+		return r.cc.UpdateState(*r.targetResolverState)
+	}
+
+	// The proxy resolver may be rebuilt multiple times, specifically each time
+	// the target resolver sends an update, even if the target resolver is built
+	// successfully but building the proxy resolver fails.
+	if len(r.proxyAddrs) == 0 {
+		go func() {
+			r.childMu.Lock()
+			defer r.childMu.Unlock()
+			if _, ok := r.proxyResolver.(nopResolver); !ok {
+				return
+			}
+			proxyResolver, err := r.proxyURIResolver(resolver.BuildOptions{})
+			if err != nil {
+				r.cc.ReportError(fmt.Errorf("delegating_resolver: unable to build the proxy resolver: %v", err))
+				return
+			}
+			r.proxyResolver = proxyResolver
+		}()
+	}
+
 	err := r.updateClientConnStateLocked()
 	if err != nil {
-		r.proxyResolver.ResolveNow(resolver.ResolveNowOptions{})
+		go func() {
+			r.childMu.Lock()
+			defer r.childMu.Unlock()
+			if r.proxyResolver != nil {
+				r.proxyResolver.ResolveNow(resolver.ResolveNowOptions{})
+			}
+		}()
 	}
 	return nil
 }
@@ -311,7 +408,8 @@ func (wcc *wrappingClientConn) UpdateState(state resolver.State) error {
 	return wcc.stateListener(state)
 }
 
-// ReportError intercepts errors from the child resolvers and passes them to ClientConn.
+// ReportError intercepts errors from the child resolvers and passes them to
+// ClientConn.
 func (wcc *wrappingClientConn) ReportError(err error) {
 	wcc.parent.cc.ReportError(err)
 }
@@ -322,8 +420,8 @@ func (wcc *wrappingClientConn) NewAddress(addrs []resolver.Address) {
 	wcc.UpdateState(resolver.State{Addresses: addrs})
 }
 
-// ParseServiceConfig parses the provided service config and returns an
-// object that provides the parsed config.
+// ParseServiceConfig parses the provided service config and returns an object
+// that provides the parsed config.
 func (wcc *wrappingClientConn) ParseServiceConfig(serviceConfigJSON string) *serviceconfig.ParseResult {
 	return wcc.parent.cc.ParseServiceConfig(serviceConfigJSON)
 }
diff --git a/vendor/google.golang.org/grpc/internal/status/status.go b/vendor/google.golang.org/grpc/internal/status/status.go
index 1186f1e9..aad171cd 100644
--- a/vendor/google.golang.org/grpc/internal/status/status.go
+++ b/vendor/google.golang.org/grpc/internal/status/status.go
@@ -236,3 +236,11 @@ func IsRestrictedControlPlaneCode(s *Status) bool {
 	}
 	return false
 }
+
+// RawStatusProto returns the internal protobuf message for use by gRPC itself.
+func RawStatusProto(s *Status) *spb.Status {
+	if s == nil {
+		return nil
+	}
+	return s.s
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/client_stream.go b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
index 8ed347c5..ccc0e017 100644
--- a/vendor/google.golang.org/grpc/internal/transport/client_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
@@ -59,7 +59,7 @@ func (s *ClientStream) Read(n int) (mem.BufferSlice, error) {
 	return b, err
 }
 
-// Close closes the stream and popagates err to any readers.
+// Close closes the stream and propagates err to any readers.
 func (s *ClientStream) Close(err error) {
 	var (
 		rst     bool
diff --git a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
index ef72fbb3..a2831e5d 100644
--- a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
+++ b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
@@ -40,6 +40,13 @@ var updateHeaderTblSize = func(e *hpack.Encoder, v uint32) {
 	e.SetMaxDynamicTableSizeLimit(v)
 }
 
+// itemNodePool is used to reduce heap allocations.
+var itemNodePool = sync.Pool{
+	New: func() any {
+		return &itemNode{}
+	},
+}
+
 type itemNode struct {
 	it   any
 	next *itemNode
@@ -51,7 +58,9 @@ type itemList struct {
 }
 
 func (il *itemList) enqueue(i any) {
-	n := &itemNode{it: i}
+	n := itemNodePool.Get().(*itemNode)
+	n.next = nil
+	n.it = i
 	if il.tail == nil {
 		il.head, il.tail = n, n
 		return
@@ -71,7 +80,9 @@ func (il *itemList) dequeue() any {
 		return nil
 	}
 	i := il.head.it
+	temp := il.head
 	il.head = il.head.next
+	itemNodePool.Put(temp)
 	if il.head == nil {
 		il.tail = nil
 	}
@@ -146,10 +157,11 @@ type earlyAbortStream struct {
 func (*earlyAbortStream) isTransportResponseFrame() bool { return false }
 
 type dataFrame struct {
-	streamID  uint32
-	endStream bool
-	h         []byte
-	reader    mem.Reader
+	streamID   uint32
+	endStream  bool
+	h          []byte
+	data       mem.BufferSlice
+	processing bool
 	// onEachWrite is called every time
 	// a part of data is written out.
 	onEachWrite func()
@@ -234,6 +246,7 @@ type outStream struct {
 	itl              *itemList
 	bytesOutStanding int
 	wq               *writeQuota
+	reader           mem.Reader
 
 	next *outStream
 	prev *outStream
@@ -461,7 +474,9 @@ func (c *controlBuffer) finish() {
 				v.onOrphaned(ErrConnClosing)
 			}
 		case *dataFrame:
-			_ = v.reader.Close()
+			if !v.processing {
+				v.data.Free()
+			}
 		}
 	}
 
@@ -650,10 +665,11 @@ func (l *loopyWriter) incomingSettingsHandler(s *incomingSettings) error {
 
 func (l *loopyWriter) registerStreamHandler(h *registerStream) {
 	str := &outStream{
-		id:    h.streamID,
-		state: empty,
-		itl:   &itemList{},
-		wq:    h.wq,
+		id:     h.streamID,
+		state:  empty,
+		itl:    &itemList{},
+		wq:     h.wq,
+		reader: mem.BufferSlice{}.Reader(),
 	}
 	l.estdStreams[h.streamID] = str
 }
@@ -685,10 +701,11 @@ func (l *loopyWriter) headerHandler(h *headerFrame) error {
 	}
 	// Case 2: Client wants to originate stream.
 	str := &outStream{
-		id:    h.streamID,
-		state: empty,
-		itl:   &itemList{},
-		wq:    h.wq,
+		id:     h.streamID,
+		state:  empty,
+		itl:    &itemList{},
+		wq:     h.wq,
+		reader: mem.BufferSlice{}.Reader(),
 	}
 	return l.originateStream(str, h)
 }
@@ -790,10 +807,13 @@ func (l *loopyWriter) cleanupStreamHandler(c *cleanupStream) error {
 		// a RST_STREAM before stream initialization thus the stream might
 		// not be established yet.
 		delete(l.estdStreams, c.streamID)
+		str.reader.Close()
 		str.deleteSelf()
 		for head := str.itl.dequeueAll(); head != nil; head = head.next {
 			if df, ok := head.it.(*dataFrame); ok {
-				_ = df.reader.Close()
+				if !df.processing {
+					df.data.Free()
+				}
 			}
 		}
 	}
@@ -928,7 +948,13 @@ func (l *loopyWriter) processData() (bool, error) {
 	if str == nil {
 		return true, nil
 	}
+	reader := str.reader
 	dataItem := str.itl.peek().(*dataFrame) // Peek at the first data item this stream.
+	if !dataItem.processing {
+		dataItem.processing = true
+		str.reader.Reset(dataItem.data)
+		dataItem.data.Free()
+	}
 	// A data item is represented by a dataFrame, since it later translates into
 	// multiple HTTP2 data frames.
 	// Every dataFrame has two buffers; h that keeps grpc-message header and data
@@ -936,13 +962,13 @@ func (l *loopyWriter) processData() (bool, error) {
 	// from data is copied to h to make as big as the maximum possible HTTP2 frame
 	// size.
 
-	if len(dataItem.h) == 0 && dataItem.reader.Remaining() == 0 { // Empty data frame
+	if len(dataItem.h) == 0 && reader.Remaining() == 0 { // Empty data frame
 		// Client sends out empty data frame with endStream = true
 		if err := l.framer.fr.WriteData(dataItem.streamID, dataItem.endStream, nil); err != nil {
 			return false, err
 		}
 		str.itl.dequeue() // remove the empty data item from stream
-		_ = dataItem.reader.Close()
+		_ = reader.Close()
 		if str.itl.isEmpty() {
 			str.state = empty
 		} else if trailer, ok := str.itl.peek().(*headerFrame); ok { // the next item is trailers.
@@ -971,8 +997,8 @@ func (l *loopyWriter) processData() (bool, error) {
 	}
 	// Compute how much of the header and data we can send within quota and max frame length
 	hSize := min(maxSize, len(dataItem.h))
-	dSize := min(maxSize-hSize, dataItem.reader.Remaining())
-	remainingBytes := len(dataItem.h) + dataItem.reader.Remaining() - hSize - dSize
+	dSize := min(maxSize-hSize, reader.Remaining())
+	remainingBytes := len(dataItem.h) + reader.Remaining() - hSize - dSize
 	size := hSize + dSize
 
 	var buf *[]byte
@@ -993,7 +1019,7 @@ func (l *loopyWriter) processData() (bool, error) {
 		defer pool.Put(buf)
 
 		copy((*buf)[:hSize], dataItem.h)
-		_, _ = dataItem.reader.Read((*buf)[hSize:])
+		_, _ = reader.Read((*buf)[hSize:])
 	}
 
 	// Now that outgoing flow controls are checked we can replenish str's write quota
@@ -1014,7 +1040,7 @@ func (l *loopyWriter) processData() (bool, error) {
 	dataItem.h = dataItem.h[hSize:]
 
 	if remainingBytes == 0 { // All the data from that message was written out.
-		_ = dataItem.reader.Close()
+		_ = reader.Close()
 		str.itl.dequeue()
 	}
 	if str.itl.isEmpty() {
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_client.go b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
index 513dbb93..5467fe97 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_client.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
@@ -176,7 +176,7 @@ func dial(ctx context.Context, fn func(context.Context, string) (net.Conn, error
 		return fn(ctx, address)
 	}
 	if !ok {
-		networkType, address = parseDialTarget(address)
+		networkType, address = ParseDialTarget(address)
 	}
 	if opts, present := proxyattributes.Get(addr); present {
 		return proxyDial(ctx, addr, grpcUA, opts)
@@ -309,11 +309,9 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 			scheme = "https"
 		}
 	}
-	dynamicWindow := true
 	icwz := int32(initialWindowSize)
 	if opts.InitialConnWindowSize >= defaultWindowSize {
 		icwz = opts.InitialConnWindowSize
-		dynamicWindow = false
 	}
 	writeBufSize := opts.WriteBufferSize
 	readBufSize := opts.ReadBufferSize
@@ -381,9 +379,8 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 	t.controlBuf = newControlBuffer(t.ctxDone)
 	if opts.InitialWindowSize >= defaultWindowSize {
 		t.initialWindowSize = opts.InitialWindowSize
-		dynamicWindow = false
 	}
-	if dynamicWindow {
+	if !opts.StaticWindowSize {
 		t.bdpEst = &bdpEstimator{
 			bdp:               initialWindowSize,
 			updateFlowControl: t.updateFlowControl,
@@ -545,7 +542,7 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		Method:   callHdr.Method,
 		AuthInfo: t.authInfo,
 	}
-	ctxWithRequestInfo := icredentials.NewRequestInfoContext(ctx, ri)
+	ctxWithRequestInfo := credentials.NewContextWithRequestInfo(ctx, ri)
 	authData, err := t.getTrAuthData(ctxWithRequestInfo, aud)
 	if err != nil {
 		return nil, err
@@ -592,6 +589,9 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		// Send out timeout regardless its value. The server can detect timeout context by itself.
 		// TODO(mmukhi): Perhaps this field should be updated when actually writing out to the wire.
 		timeout := time.Until(dl)
+		if timeout <= 0 {
+			return nil, status.Error(codes.DeadlineExceeded, context.DeadlineExceeded.Error())
+		}
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-timeout", Value: grpcutil.EncodeDuration(timeout)})
 	}
 	for k, v := range authData {
@@ -749,6 +749,25 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 		callHdr = &newCallHdr
 	}
 
+	// The authority specified via the `CallAuthority` CallOption takes the
+	// highest precedence when determining the `:authority` header. It overrides
+	// any value present in the Host field of CallHdr. Before applying this
+	// override, the authority string is validated. If the credentials do not
+	// implement the AuthorityValidator interface, or if validation fails, the
+	// RPC is failed with a status code of `UNAVAILABLE`.
+	if callHdr.Authority != "" {
+		auth, ok := t.authInfo.(credentials.AuthorityValidator)
+		if !ok {
+			return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "credentials type %q does not implement the AuthorityValidator interface, but authority override specified with CallAuthority call option", t.authInfo.AuthType())}
+		}
+		if err := auth.ValidateAuthority(callHdr.Authority); err != nil {
+			return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "failed to validate authority %q : %v", callHdr.Authority, err)}
+		}
+		newCallHdr := *callHdr
+		newCallHdr.Host = callHdr.Authority
+		callHdr = &newCallHdr
+	}
+
 	headerFields, err := t.createHeaderFields(ctx, callHdr)
 	if err != nil {
 		return nil, &NewStreamError{Err: err, AllowTransparentRetry: false}
@@ -1069,32 +1088,29 @@ func (t *http2Client) GracefulClose() {
 // Write formats the data into HTTP2 data frame(s) and sends it out. The caller
 // should proceed only if Write returns nil.
 func (t *http2Client) write(s *ClientStream, hdr []byte, data mem.BufferSlice, opts *WriteOptions) error {
-	reader := data.Reader()
-
 	if opts.Last {
 		// If it's the last message, update stream state.
 		if !s.compareAndSwapState(streamActive, streamWriteDone) {
-			_ = reader.Close()
 			return errStreamDone
 		}
 	} else if s.getState() != streamActive {
-		_ = reader.Close()
 		return errStreamDone
 	}
 	df := &dataFrame{
 		streamID:  s.id,
 		endStream: opts.Last,
 		h:         hdr,
-		reader:    reader,
+		data:      data,
 	}
-	if hdr != nil || df.reader.Remaining() != 0 { // If it's not an empty data frame, check quota.
-		if err := s.wq.get(int32(len(hdr) + df.reader.Remaining())); err != nil {
-			_ = reader.Close()
+	dataLen := data.Len()
+	if hdr != nil || dataLen != 0 { // If it's not an empty data frame, check quota.
+		if err := s.wq.get(int32(len(hdr) + dataLen)); err != nil {
 			return err
 		}
 	}
+	data.Ref()
 	if err := t.controlBuf.put(df); err != nil {
-		_ = reader.Close()
+		data.Free()
 		return err
 	}
 	t.incrMsgSent()
@@ -1242,7 +1258,8 @@ func (t *http2Client) handleRSTStream(f *http2.RSTStreamFrame) {
 			statusCode = codes.DeadlineExceeded
 		}
 	}
-	t.closeStream(s, io.EOF, false, http2.ErrCodeNo, status.Newf(statusCode, "stream terminated by RST_STREAM with error code: %v", f.ErrCode), nil, false)
+	st := status.Newf(statusCode, "stream terminated by RST_STREAM with error code: %v", f.ErrCode)
+	t.closeStream(s, st.Err(), false, http2.ErrCodeNo, st, nil, false)
 }
 
 func (t *http2Client) handleSettings(f *http2.SettingsFrame, isFirst bool) {
@@ -1390,8 +1407,7 @@ func (t *http2Client) handleGoAway(f *http2.GoAwayFrame) error {
 // the caller.
 func (t *http2Client) setGoAwayReason(f *http2.GoAwayFrame) {
 	t.goAwayReason = GoAwayNoReason
-	switch f.ErrCode {
-	case http2.ErrCodeEnhanceYourCalm:
+	if f.ErrCode == http2.ErrCodeEnhanceYourCalm {
 		if string(f.DebugData()) == "too_many_pings" {
 			t.goAwayReason = GoAwayTooManyPings
 		}
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index 997b0a59..9f725e15 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -35,9 +35,11 @@ import (
 
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
+	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/grpcutil"
 	"google.golang.org/grpc/internal/pretty"
+	istatus "google.golang.org/grpc/internal/status"
 	"google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/mem"
 	"google.golang.org/protobuf/proto"
@@ -130,6 +132,10 @@ type http2Server struct {
 	maxStreamID uint32 // max stream ID ever seen
 
 	logger *grpclog.PrefixLogger
+	// setResetPingStrikes is stored as a closure instead of making this a
+	// method on http2Server to avoid a heap allocation when converting a method
+	// to a closure for passing to frames objects.
+	setResetPingStrikes func()
 }
 
 // NewServerTransport creates a http2 transport with conn and configuration
@@ -174,16 +180,13 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 			Val: config.MaxStreams,
 		})
 	}
-	dynamicWindow := true
 	iwz := int32(initialWindowSize)
 	if config.InitialWindowSize >= defaultWindowSize {
 		iwz = config.InitialWindowSize
-		dynamicWindow = false
 	}
 	icwz := int32(initialWindowSize)
 	if config.InitialConnWindowSize >= defaultWindowSize {
 		icwz = config.InitialConnWindowSize
-		dynamicWindow = false
 	}
 	if iwz != defaultWindowSize {
 		isettings = append(isettings, http2.Setting{
@@ -264,6 +267,9 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 		initialWindowSize: iwz,
 		bufferPool:        config.BufferPool,
 	}
+	t.setResetPingStrikes = func() {
+		atomic.StoreUint32(&t.resetPingStrikes, 1)
+	}
 	var czSecurity credentials.ChannelzSecurityValue
 	if au, ok := authInfo.(credentials.ChannelzSecurityInfo); ok {
 		czSecurity = au.GetSecurityValue()
@@ -283,7 +289,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 	t.logger = prefixLoggerForServerTransport(t)
 
 	t.controlBuf = newControlBuffer(t.done)
-	if dynamicWindow {
+	if !config.StaticWindowSize {
 		t.bdpEst = &bdpEstimator{
 			bdp:               initialWindowSize,
 			updateFlowControl: t.updateFlowControl,
@@ -594,10 +600,41 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 			return nil
 		}
 	}
+
+	if s.ctx.Err() != nil {
+		t.mu.Unlock()
+		// Early abort in case the timeout was zero or so low it already fired.
+		t.controlBuf.put(&earlyAbortStream{
+			httpStatus:     http.StatusOK,
+			streamID:       s.id,
+			contentSubtype: s.contentSubtype,
+			status:         status.New(codes.DeadlineExceeded, context.DeadlineExceeded.Error()),
+			rst:            !frame.StreamEnded(),
+		})
+		return nil
+	}
+
 	t.activeStreams[streamID] = s
 	if len(t.activeStreams) == 1 {
 		t.idle = time.Time{}
 	}
+
+	// Start a timer to close the stream on reaching the deadline.
+	if timeoutSet {
+		// We need to wait for s.cancel to be updated before calling
+		// t.closeStream to avoid data races.
+		cancelUpdated := make(chan struct{})
+		timer := internal.TimeAfterFunc(timeout, func() {
+			<-cancelUpdated
+			t.closeStream(s, true, http2.ErrCodeCancel, false)
+		})
+		oldCancel := s.cancel
+		s.cancel = func() {
+			oldCancel()
+			timer.Stop()
+		}
+		close(cancelUpdated)
+	}
 	t.mu.Unlock()
 	if channelz.IsOn() {
 		t.channelz.SocketMetrics.StreamsStarted.Add(1)
@@ -998,10 +1035,6 @@ func (t *http2Server) writeHeader(s *ServerStream, md metadata.MD) error {
 	return nil
 }
 
-func (t *http2Server) setResetPingStrikes() {
-	atomic.StoreUint32(&t.resetPingStrikes, 1)
-}
-
 func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
 	// TODO(mmukhi): Benchmark if the performance gets better if count the metadata and other header fields
 	// first and create a slice of that exact size.
@@ -1038,7 +1071,7 @@ func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
 	return nil
 }
 
-// WriteStatus sends stream status to the client and terminates the stream.
+// writeStatus sends stream status to the client and terminates the stream.
 // There is no further I/O operations being able to perform on this stream.
 // TODO(zhaoq): Now it indicates the end of entire stream. Revisit if early
 // OK is adopted.
@@ -1066,7 +1099,7 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 	headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-status", Value: strconv.Itoa(int(st.Code()))})
 	headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-message", Value: encodeGrpcMessage(st.Message())})
 
-	if p := st.Proto(); p != nil && len(p.Details) > 0 {
+	if p := istatus.RawStatusProto(st); len(p.GetDetails()) > 0 {
 		// Do not use the user's grpc-status-details-bin (if present) if we are
 		// even attempting to set our own.
 		delete(s.trailer, grpcStatusDetailsBinHeader)
@@ -1114,17 +1147,13 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 // Write converts the data into HTTP2 data frame and sends it out. Non-nil error
 // is returns if it fails (e.g., framing error, transport error).
 func (t *http2Server) write(s *ServerStream, hdr []byte, data mem.BufferSlice, _ *WriteOptions) error {
-	reader := data.Reader()
-
 	if !s.isHeaderSent() { // Headers haven't been written yet.
 		if err := t.writeHeader(s, nil); err != nil {
-			_ = reader.Close()
 			return err
 		}
 	} else {
 		// Writing headers checks for this condition.
 		if s.getState() == streamDone {
-			_ = reader.Close()
 			return t.streamContextErr(s)
 		}
 	}
@@ -1132,15 +1161,16 @@ func (t *http2Server) write(s *ServerStream, hdr []byte, data mem.BufferSlice, _
 	df := &dataFrame{
 		streamID:    s.id,
 		h:           hdr,
-		reader:      reader,
+		data:        data,
 		onEachWrite: t.setResetPingStrikes,
 	}
-	if err := s.wq.get(int32(len(hdr) + df.reader.Remaining())); err != nil {
-		_ = reader.Close()
+	dataLen := data.Len()
+	if err := s.wq.get(int32(len(hdr) + dataLen)); err != nil {
 		return t.streamContextErr(s)
 	}
+	data.Ref()
 	if err := t.controlBuf.put(df); err != nil {
-		_ = reader.Close()
+		data.Free()
 		return err
 	}
 	t.incrMsgSent()
@@ -1274,7 +1304,6 @@ func (t *http2Server) Close(err error) {
 
 // deleteStream deletes the stream s from transport's active streams.
 func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
-
 	t.mu.Lock()
 	if _, ok := t.activeStreams[s.id]; ok {
 		delete(t.activeStreams, s.id)
@@ -1324,7 +1353,10 @@ func (t *http2Server) closeStream(s *ServerStream, rst bool, rstCode http2.ErrCo
 	// called to interrupt the potential blocking on other goroutines.
 	s.cancel()
 
-	s.swapState(streamDone)
+	oldState := s.swapState(streamDone)
+	if oldState == streamDone {
+		return
+	}
 	t.deleteStream(s, eosReceived)
 
 	t.controlBuf.put(&cleanupStream{
diff --git a/vendor/google.golang.org/grpc/internal/transport/http_util.go b/vendor/google.golang.org/grpc/internal/transport/http_util.go
index 3613d7b6..e3663f87 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http_util.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http_util.go
@@ -196,11 +196,11 @@ func decodeTimeout(s string) (time.Duration, error) {
 	if !ok {
 		return 0, fmt.Errorf("transport: timeout unit is not recognized: %q", s)
 	}
-	t, err := strconv.ParseInt(s[:size-1], 10, 64)
+	t, err := strconv.ParseUint(s[:size-1], 10, 64)
 	if err != nil {
 		return 0, err
 	}
-	const maxHours = math.MaxInt64 / int64(time.Hour)
+	const maxHours = math.MaxInt64 / uint64(time.Hour)
 	if d == time.Hour && t > maxHours {
 		// This timeout would overflow math.MaxInt64; clamp it.
 		return time.Duration(math.MaxInt64), nil
@@ -439,8 +439,8 @@ func getWriteBufferPool(size int) *sync.Pool {
 	return pool
 }
 
-// parseDialTarget returns the network and address to pass to dialer.
-func parseDialTarget(target string) (string, string) {
+// ParseDialTarget returns the network and address to pass to dialer.
+func ParseDialTarget(target string) (string, string) {
 	net := "tcp"
 	m1 := strings.Index(target, ":")
 	m2 := strings.Index(target, ":/")
diff --git a/vendor/google.golang.org/grpc/internal/transport/server_stream.go b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
index a22a9015..cf8da0b5 100644
--- a/vendor/google.golang.org/grpc/internal/transport/server_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
@@ -35,8 +35,10 @@ type ServerStream struct {
 	*Stream // Embed for common stream functionality.
 
 	st      internalServerTransport
-	ctxDone <-chan struct{}    // closed at the end of stream.  Cache of ctx.Done() (for performance)
-	cancel  context.CancelFunc // invoked at the end of stream to cancel ctx.
+	ctxDone <-chan struct{} // closed at the end of stream.  Cache of ctx.Done() (for performance)
+	// cancel is invoked at the end of stream to cancel ctx. It also stops the
+	// timer for monitoring the rpc deadline if configured.
+	cancel func()
 
 	// Holds compressor names passed in grpc-accept-encoding metadata from the
 	// client.
diff --git a/vendor/google.golang.org/grpc/internal/transport/transport.go b/vendor/google.golang.org/grpc/internal/transport/transport.go
index af4a4aea..7dd53e80 100644
--- a/vendor/google.golang.org/grpc/internal/transport/transport.go
+++ b/vendor/google.golang.org/grpc/internal/transport/transport.go
@@ -466,6 +466,7 @@ type ServerConfig struct {
 	MaxHeaderListSize     *uint32
 	HeaderTableSize       *uint32
 	BufferPool            mem.BufferPool
+	StaticWindowSize      bool
 }
 
 // ConnectOptions covers all relevant options for communicating with the server.
@@ -504,6 +505,8 @@ type ConnectOptions struct {
 	MaxHeaderListSize *uint32
 	// The mem.BufferPool to use when reading/writing to the wire.
 	BufferPool mem.BufferPool
+	// StaticWindowSize controls whether dynamic window sizing is enabled.
+	StaticWindowSize bool
 }
 
 // WriteOptions provides additional hints and information for message
@@ -540,6 +543,11 @@ type CallHdr struct {
 	PreviousAttempts int // value of grpc-previous-rpc-attempts header to set
 
 	DoneFunc func() // called when the stream is finished
+
+	// Authority is used to explicitly override the `:authority` header. If set,
+	// this value takes precedence over the Host field and will be used as the
+	// value for the `:authority` header.
+	Authority string
 }
 
 // ClientTransport is the common interface for all gRPC client-side transport
diff --git a/vendor/google.golang.org/grpc/mem/buffer_slice.go b/vendor/google.golang.org/grpc/mem/buffer_slice.go
index 65002e2c..af510d20 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_slice.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_slice.go
@@ -137,6 +137,9 @@ type Reader interface {
 	Close() error
 	// Remaining returns the number of unread bytes remaining in the slice.
 	Remaining() int
+	// Reset frees the currently held buffer slice and starts reading from the
+	// provided slice. This allows reusing the reader object.
+	Reset(s BufferSlice)
 }
 
 type sliceReader struct {
@@ -150,6 +153,14 @@ func (r *sliceReader) Remaining() int {
 	return r.len
 }
 
+func (r *sliceReader) Reset(s BufferSlice) {
+	r.data.Free()
+	s.Ref()
+	r.data = s
+	r.len = s.Len()
+	r.bufferIdx = 0
+}
+
 func (r *sliceReader) Close() error {
 	r.data.Free()
 	r.data = nil
diff --git a/vendor/google.golang.org/grpc/resolver/map.go b/vendor/google.golang.org/grpc/resolver/map.go
index ada5b9bb..c3c15ac9 100644
--- a/vendor/google.golang.org/grpc/resolver/map.go
+++ b/vendor/google.golang.org/grpc/resolver/map.go
@@ -18,16 +18,28 @@
 
 package resolver
 
-type addressMapEntry struct {
+import (
+	"encoding/base64"
+	"sort"
+	"strings"
+)
+
+type addressMapEntry[T any] struct {
 	addr  Address
-	value any
+	value T
 }
 
-// AddressMap is a map of addresses to arbitrary values taking into account
+// AddressMap is an AddressMapV2[any].  It will be deleted in an upcoming
+// release of grpc-go.
+//
+// Deprecated: use the generic AddressMapV2 type instead.
+type AddressMap = AddressMapV2[any]
+
+// AddressMapV2 is a map of addresses to arbitrary values taking into account
 // Attributes.  BalancerAttributes are ignored, as are Metadata and Type.
 // Multiple accesses may not be performed concurrently.  Must be created via
 // NewAddressMap; do not construct directly.
-type AddressMap struct {
+type AddressMapV2[T any] struct {
 	// The underlying map is keyed by an Address with fields that we don't care
 	// about being set to their zero values. The only fields that we care about
 	// are `Addr`, `ServerName` and `Attributes`. Since we need to be able to
@@ -41,23 +53,30 @@ type AddressMap struct {
 	// The value type of the map contains a slice of addresses which match the key
 	// in their `Addr` and `ServerName` fields and contain the corresponding value
 	// associated with them.
-	m map[Address]addressMapEntryList
+	m map[Address]addressMapEntryList[T]
 }
 
 func toMapKey(addr *Address) Address {
 	return Address{Addr: addr.Addr, ServerName: addr.ServerName}
 }
 
-type addressMapEntryList []*addressMapEntry
+type addressMapEntryList[T any] []*addressMapEntry[T]
 
-// NewAddressMap creates a new AddressMap.
+// NewAddressMap creates a new AddressMapV2[any].
+//
+// Deprecated: use the generic NewAddressMapV2 constructor instead.
 func NewAddressMap() *AddressMap {
-	return &AddressMap{m: make(map[Address]addressMapEntryList)}
+	return NewAddressMapV2[any]()
+}
+
+// NewAddressMapV2 creates a new AddressMapV2.
+func NewAddressMapV2[T any]() *AddressMapV2[T] {
+	return &AddressMapV2[T]{m: make(map[Address]addressMapEntryList[T])}
 }
 
 // find returns the index of addr in the addressMapEntry slice, or -1 if not
 // present.
-func (l addressMapEntryList) find(addr Address) int {
+func (l addressMapEntryList[T]) find(addr Address) int {
 	for i, entry := range l {
 		// Attributes are the only thing to match on here, since `Addr` and
 		// `ServerName` are already equal.
@@ -69,28 +88,28 @@ func (l addressMapEntryList) find(addr Address) int {
 }
 
 // Get returns the value for the address in the map, if present.
-func (a *AddressMap) Get(addr Address) (value any, ok bool) {
+func (a *AddressMapV2[T]) Get(addr Address) (value T, ok bool) {
 	addrKey := toMapKey(&addr)
 	entryList := a.m[addrKey]
 	if entry := entryList.find(addr); entry != -1 {
 		return entryList[entry].value, true
 	}
-	return nil, false
+	return value, false
 }
 
 // Set updates or adds the value to the address in the map.
-func (a *AddressMap) Set(addr Address, value any) {
+func (a *AddressMapV2[T]) Set(addr Address, value T) {
 	addrKey := toMapKey(&addr)
 	entryList := a.m[addrKey]
 	if entry := entryList.find(addr); entry != -1 {
 		entryList[entry].value = value
 		return
 	}
-	a.m[addrKey] = append(entryList, &addressMapEntry{addr: addr, value: value})
+	a.m[addrKey] = append(entryList, &addressMapEntry[T]{addr: addr, value: value})
 }
 
 // Delete removes addr from the map.
-func (a *AddressMap) Delete(addr Address) {
+func (a *AddressMapV2[T]) Delete(addr Address) {
 	addrKey := toMapKey(&addr)
 	entryList := a.m[addrKey]
 	entry := entryList.find(addr)
@@ -107,7 +126,7 @@ func (a *AddressMap) Delete(addr Address) {
 }
 
 // Len returns the number of entries in the map.
-func (a *AddressMap) Len() int {
+func (a *AddressMapV2[T]) Len() int {
 	ret := 0
 	for _, entryList := range a.m {
 		ret += len(entryList)
@@ -116,7 +135,7 @@ func (a *AddressMap) Len() int {
 }
 
 // Keys returns a slice of all current map keys.
-func (a *AddressMap) Keys() []Address {
+func (a *AddressMapV2[T]) Keys() []Address {
 	ret := make([]Address, 0, a.Len())
 	for _, entryList := range a.m {
 		for _, entry := range entryList {
@@ -127,8 +146,8 @@ func (a *AddressMap) Keys() []Address {
 }
 
 // Values returns a slice of all current map values.
-func (a *AddressMap) Values() []any {
-	ret := make([]any, 0, a.Len())
+func (a *AddressMapV2[T]) Values() []T {
+	ret := make([]T, 0, a.Len())
 	for _, entryList := range a.m {
 		for _, entry := range entryList {
 			ret = append(ret, entry.value)
@@ -137,70 +156,65 @@ func (a *AddressMap) Values() []any {
 	return ret
 }
 
-type endpointNode struct {
-	addrs map[string]struct{}
-}
-
-// Equal returns whether the unordered set of addrs are the same between the
-// endpoint nodes.
-func (en *endpointNode) Equal(en2 *endpointNode) bool {
-	if len(en.addrs) != len(en2.addrs) {
-		return false
-	}
-	for addr := range en.addrs {
-		if _, ok := en2.addrs[addr]; !ok {
-			return false
-		}
-	}
-	return true
-}
-
-func toEndpointNode(endpoint Endpoint) endpointNode {
-	en := make(map[string]struct{})
-	for _, addr := range endpoint.Addresses {
-		en[addr.Addr] = struct{}{}
-	}
-	return endpointNode{
-		addrs: en,
-	}
-}
+type endpointMapKey string
 
 // EndpointMap is a map of endpoints to arbitrary values keyed on only the
 // unordered set of address strings within an endpoint. This map is not thread
 // safe, thus it is unsafe to access concurrently. Must be created via
 // NewEndpointMap; do not construct directly.
-type EndpointMap struct {
-	endpoints map[*endpointNode]any
+type EndpointMap[T any] struct {
+	endpoints map[endpointMapKey]endpointData[T]
+}
+
+type endpointData[T any] struct {
+	// decodedKey stores the original key to avoid decoding when iterating on
+	// EndpointMap keys.
+	decodedKey Endpoint
+	value      T
 }
 
 // NewEndpointMap creates a new EndpointMap.
-func NewEndpointMap() *EndpointMap {
-	return &EndpointMap{
-		endpoints: make(map[*endpointNode]any),
+func NewEndpointMap[T any]() *EndpointMap[T] {
+	return &EndpointMap[T]{
+		endpoints: make(map[endpointMapKey]endpointData[T]),
 	}
 }
 
+// encodeEndpoint returns a string that uniquely identifies the unordered set of
+// addresses within an endpoint.
+func encodeEndpoint(e Endpoint) endpointMapKey {
+	addrs := make([]string, 0, len(e.Addresses))
+	// base64 encoding the address strings restricts the characters present
+	// within the strings. This allows us to use a delimiter without the need of
+	// escape characters.
+	for _, addr := range e.Addresses {
+		addrs = append(addrs, base64.StdEncoding.EncodeToString([]byte(addr.Addr)))
+	}
+	sort.Strings(addrs)
+	// " " should not appear in base64 encoded strings.
+	return endpointMapKey(strings.Join(addrs, " "))
+}
+
 // Get returns the value for the address in the map, if present.
-func (em *EndpointMap) Get(e Endpoint) (value any, ok bool) {
-	en := toEndpointNode(e)
-	if endpoint := em.find(en); endpoint != nil {
-		return em.endpoints[endpoint], true
+func (em *EndpointMap[T]) Get(e Endpoint) (value T, ok bool) {
+	val, found := em.endpoints[encodeEndpoint(e)]
+	if found {
+		return val.value, true
 	}
-	return nil, false
+	return value, false
 }
 
 // Set updates or adds the value to the address in the map.
-func (em *EndpointMap) Set(e Endpoint, value any) {
-	en := toEndpointNode(e)
-	if endpoint := em.find(en); endpoint != nil {
-		em.endpoints[endpoint] = value
-		return
+func (em *EndpointMap[T]) Set(e Endpoint, value T) {
+	en := encodeEndpoint(e)
+	em.endpoints[en] = endpointData[T]{
+		decodedKey: Endpoint{Addresses: e.Addresses},
+		value:      value,
 	}
-	em.endpoints[&en] = value
 }
 
 // Len returns the number of entries in the map.
-func (em *EndpointMap) Len() int {
+func (em *EndpointMap[T]) Len() int {
 	return len(em.endpoints)
 }
 
@@ -209,43 +223,25 @@ func (em *EndpointMap) Len() int {
 // the unordered set of addresses. Thus, endpoint information returned is not
 // the full endpoint data (drops duplicated addresses and attributes) but can be
 // used for EndpointMap accesses.
-func (em *EndpointMap) Keys() []Endpoint {
+func (em *EndpointMap[T]) Keys() []Endpoint {
 	ret := make([]Endpoint, 0, len(em.endpoints))
-	for en := range em.endpoints {
-		var endpoint Endpoint
-		for addr := range en.addrs {
-			endpoint.Addresses = append(endpoint.Addresses, Address{Addr: addr})
-		}
-		ret = append(ret, endpoint)
+	for _, en := range em.endpoints {
+		ret = append(ret, en.decodedKey)
 	}
 	return ret
 }
 
 // Values returns a slice of all current map values.
-func (em *EndpointMap) Values() []any {
-	ret := make([]any, 0, len(em.endpoints))
+func (em *EndpointMap[T]) Values() []T {
+	ret := make([]T, 0, len(em.endpoints))
 	for _, val := range em.endpoints {
-		ret = append(ret, val)
+		ret = append(ret, val.value)
 	}
 	return ret
 }
 
-// find returns a pointer to the endpoint node in em if the endpoint node is
-// already present. If not found, nil is returned. The comparisons are done on
-// the unordered set of addresses within an endpoint.
-func (em EndpointMap) find(e endpointNode) *endpointNode {
-	for endpoint := range em.endpoints {
-		if e.Equal(endpoint) {
-			return endpoint
-		}
-	}
-	return nil
-}
-
 // Delete removes the specified endpoint from the map.
-func (em *EndpointMap) Delete(e Endpoint) {
-	en := toEndpointNode(e)
-	if entry := em.find(en); entry != nil {
-		delete(em.endpoints, entry)
-	}
+func (em *EndpointMap[T]) Delete(e Endpoint) {
+	en := encodeEndpoint(e)
+	delete(em.endpoints, en)
 }
diff --git a/vendor/google.golang.org/grpc/resolver_wrapper.go b/vendor/google.golang.org/grpc/resolver_wrapper.go
index 945e24ff..80e16a32 100644
--- a/vendor/google.golang.org/grpc/resolver_wrapper.go
+++ b/vendor/google.golang.org/grpc/resolver_wrapper.go
@@ -134,12 +134,7 @@ func (ccr *ccResolverWrapper) UpdateState(s resolver.State) error {
 		return nil
 	}
 	if s.Endpoints == nil {
-		s.Endpoints = make([]resolver.Endpoint, 0, len(s.Addresses))
-		for _, a := range s.Addresses {
-			ep := resolver.Endpoint{Addresses: []resolver.Address{a}, Attributes: a.BalancerAttributes}
-			ep.Addresses[0].BalancerAttributes = nil
-			s.Endpoints = append(s.Endpoints, ep)
-		}
+		s.Endpoints = addressesToEndpoints(s.Addresses)
 	}
 	ccr.addChannelzTraceEvent(s)
 	ccr.curState = s
@@ -172,7 +167,11 @@ func (ccr *ccResolverWrapper) NewAddress(addrs []resolver.Address) {
 		ccr.cc.mu.Unlock()
 		return
 	}
-	s := resolver.State{Addresses: addrs, ServiceConfig: ccr.curState.ServiceConfig}
+	s := resolver.State{
+		Addresses:     addrs,
+		ServiceConfig: ccr.curState.ServiceConfig,
+		Endpoints:     addressesToEndpoints(addrs),
+	}
 	ccr.addChannelzTraceEvent(s)
 	ccr.curState = s
 	ccr.mu.Unlock()
@@ -210,3 +209,13 @@ func (ccr *ccResolverWrapper) addChannelzTraceEvent(s resolver.State) {
 	}
 	channelz.Infof(logger, ccr.cc.channelz, "Resolver state updated: %s (%v)", pretty.ToJSON(s), strings.Join(updates, "; "))
 }
+
+func addressesToEndpoints(addrs []resolver.Address) []resolver.Endpoint {
+	endpoints := make([]resolver.Endpoint, 0, len(addrs))
+	for _, a := range addrs {
+		ep := resolver.Endpoint{Addresses: []resolver.Address{a}, Attributes: a.BalancerAttributes}
+		ep.Addresses[0].BalancerAttributes = nil
+		endpoints = append(endpoints, ep)
+	}
+	return endpoints
+}
diff --git a/vendor/google.golang.org/grpc/rpc_util.go b/vendor/google.golang.org/grpc/rpc_util.go
index a8ddb0af..47ea09f5 100644
--- a/vendor/google.golang.org/grpc/rpc_util.go
+++ b/vendor/google.golang.org/grpc/rpc_util.go
@@ -160,6 +160,7 @@ type callInfo struct {
 	codec                 baseCodec
 	maxRetryRPCBufferSize int
 	onFinish              []func(err error)
+	authority             string
 }
 
 func defaultCallInfo() *callInfo {
@@ -365,6 +366,36 @@ func (o MaxRecvMsgSizeCallOption) before(c *callInfo) error {
 }
 func (o MaxRecvMsgSizeCallOption) after(*callInfo, *csAttempt) {}
 
+// CallAuthority returns a CallOption that sets the HTTP/2 :authority header of
+// an RPC to the specified value. When using CallAuthority, the credentials in
+// use must implement the AuthorityValidator interface.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func CallAuthority(authority string) CallOption {
+	return AuthorityOverrideCallOption{Authority: authority}
+}
+
+// AuthorityOverrideCallOption is a CallOption that indicates the HTTP/2
+// :authority header value to use for the call.
+//
+// # Experimental
+//
+// Notice: This type is EXPERIMENTAL and may be changed or removed in a later
+// release.
+type AuthorityOverrideCallOption struct {
+	Authority string
+}
+
+func (o AuthorityOverrideCallOption) before(c *callInfo) error {
+	c.authority = o.Authority
+	return nil
+}
+
+func (o AuthorityOverrideCallOption) after(*callInfo, *csAttempt) {}
+
 // MaxCallSendMsgSize returns a CallOption which sets the maximum message size
 // in bytes the client can send. If this is not set, gRPC uses the default
 // `math.MaxInt32`.
@@ -870,13 +901,19 @@ func decompress(compressor encoding.Compressor, d mem.BufferSlice, dc Decompress
 			return nil, status.Errorf(codes.Internal, "grpc: failed to decompress the message: %v", err)
 		}
 
-		out, err := mem.ReadAll(io.LimitReader(dcReader, int64(maxReceiveMessageSize)), pool)
+		// Read at most one byte more than the limit from the decompressor.
+		// Unless the limit is MaxInt64, in which case, that's impossible, so
+		// apply no limit.
+		if limit := int64(maxReceiveMessageSize); limit < math.MaxInt64 {
+			dcReader = io.LimitReader(dcReader, limit+1)
+		}
+		out, err := mem.ReadAll(dcReader, pool)
 		if err != nil {
 			out.Free()
 			return nil, status.Errorf(codes.Internal, "grpc: failed to read decompressed data: %v", err)
 		}
 
-		if out.Len() == maxReceiveMessageSize && !atEOF(dcReader) {
+		if out.Len() > maxReceiveMessageSize {
 			out.Free()
 			return nil, status.Errorf(codes.ResourceExhausted, "grpc: received message after decompression larger than max %d", maxReceiveMessageSize)
 		}
@@ -885,12 +922,6 @@ func decompress(compressor encoding.Compressor, d mem.BufferSlice, dc Decompress
 	return nil, status.Errorf(codes.Internal, "grpc: no decompressor available for compressed payload")
 }
 
-// atEOF reads data from r and returns true if zero bytes could be read and r.Read returns EOF.
-func atEOF(dcReader io.Reader) bool {
-	n, err := dcReader.Read(make([]byte, 1))
-	return n == 0 && err == io.EOF
-}
-
 type recvCompressor interface {
 	RecvCompress() string
 }
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 976e70ae..70fe23f5 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -179,6 +179,7 @@ type serverOptions struct {
 	numServerWorkers      uint32
 	bufferPool            mem.BufferPool
 	waitForHandlers       bool
+	staticWindowSize      bool
 }
 
 var defaultServerOptions = serverOptions{
@@ -279,6 +280,7 @@ func ReadBufferSize(s int) ServerOption {
 func InitialWindowSize(s int32) ServerOption {
 	return newFuncServerOption(func(o *serverOptions) {
 		o.initialWindowSize = s
+		o.staticWindowSize = true
 	})
 }
 
@@ -287,6 +289,29 @@ func InitialWindowSize(s int32) ServerOption {
 func InitialConnWindowSize(s int32) ServerOption {
 	return newFuncServerOption(func(o *serverOptions) {
 		o.initialConnWindowSize = s
+		o.staticWindowSize = true
+	})
+}
+
+// StaticStreamWindowSize returns a ServerOption to set the initial stream
+// window size to the value provided and disables dynamic flow control.
+// The lower bound for window size is 64K and any value smaller than that
+// will be ignored.
+func StaticStreamWindowSize(s int32) ServerOption {
+	return newFuncServerOption(func(o *serverOptions) {
+		o.initialWindowSize = s
+		o.staticWindowSize = true
+	})
+}
+
+// StaticConnWindowSize returns a ServerOption to set the initial connection
+// window size to the value provided and disables dynamic flow control.
+// The lower bound for window size is 64K and any value smaller than that
+// will be ignored.
+func StaticConnWindowSize(s int32) ServerOption {
+	return newFuncServerOption(func(o *serverOptions) {
+		o.initialConnWindowSize = s
+		o.staticWindowSize = true
 	})
 }
 
@@ -986,6 +1011,7 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 		MaxHeaderListSize:     s.opts.maxHeaderListSize,
 		HeaderTableSize:       s.opts.headerTableSize,
 		BufferPool:            s.opts.bufferPool,
+		StaticWindowSize:      s.opts.staticWindowSize,
 	}
 	st, err := transport.NewServerTransport(c, config)
 	if err != nil {
diff --git a/vendor/google.golang.org/grpc/stats/handlers.go b/vendor/google.golang.org/grpc/stats/handlers.go
index dc03731e..67194a59 100644
--- a/vendor/google.golang.org/grpc/stats/handlers.go
+++ b/vendor/google.golang.org/grpc/stats/handlers.go
@@ -38,6 +38,15 @@ type RPCTagInfo struct {
 	// FailFast indicates if this RPC is failfast.
 	// This field is only valid on client side, it's always false on server side.
 	FailFast bool
+	// NameResolutionDelay indicates if the RPC needed to wait for the
+	// initial name resolver update before it could begin. This should only
+	// happen if the channel is IDLE when the RPC is started.  Note that
+	// all retry or hedging attempts for an RPC that experienced a delay
+	// will have it set.
+	//
+	// This field is only valid on the client side; it is always false on
+	// the server side.
+	NameResolutionDelay bool
 }
 
 // Handler defines the interface for the related stats handling (e.g., RPCs, connections).
diff --git a/vendor/google.golang.org/grpc/stats/stats.go b/vendor/google.golang.org/grpc/stats/stats.go
index 6f20d2d5..baf7740e 100644
--- a/vendor/google.golang.org/grpc/stats/stats.go
+++ b/vendor/google.golang.org/grpc/stats/stats.go
@@ -36,7 +36,12 @@ type RPCStats interface {
 	IsClient() bool
 }
 
-// Begin contains stats when an RPC attempt begins.
+// Begin contains stats for the start of an RPC attempt.
+//
+//   - Server-side: Triggered after `InHeader`, as headers are processed
+//     before the RPC lifecycle begins.
+//   - Client-side: The first stats event recorded.
+//
 // FailFast is only valid if this Begin is from client side.
 type Begin struct {
 	// Client is true if this Begin is from client side.
@@ -69,7 +74,7 @@ func (*PickerUpdated) IsClient() bool { return true }
 
 func (*PickerUpdated) isRPCStats() {}
 
-// InPayload contains the information for an incoming payload.
+// InPayload contains stats about an incoming payload.
 type InPayload struct {
 	// Client is true if this InPayload is from client side.
 	Client bool
@@ -98,7 +103,9 @@ func (s *InPayload) IsClient() bool { return s.Client }
 
 func (s *InPayload) isRPCStats() {}
 
-// InHeader contains stats when a header is received.
+// InHeader contains stats about header reception.
+//
+// - Server-side: The first stats event after the RPC request is received.
 type InHeader struct {
 	// Client is true if this InHeader is from client side.
 	Client bool
@@ -123,7 +130,7 @@ func (s *InHeader) IsClient() bool { return s.Client }
 
 func (s *InHeader) isRPCStats() {}
 
-// InTrailer contains stats when a trailer is received.
+// InTrailer contains stats about trailer reception.
 type InTrailer struct {
 	// Client is true if this InTrailer is from client side.
 	Client bool
@@ -139,7 +146,7 @@ func (s *InTrailer) IsClient() bool { return s.Client }
 
 func (s *InTrailer) isRPCStats() {}
 
-// OutPayload contains the information for an outgoing payload.
+// OutPayload contains stats about an outgoing payload.
 type OutPayload struct {
 	// Client is true if this OutPayload is from client side.
 	Client bool
@@ -166,7 +173,10 @@ func (s *OutPayload) IsClient() bool { return s.Client }
 
 func (s *OutPayload) isRPCStats() {}
 
-// OutHeader contains stats when a header is sent.
+// OutHeader contains stats about header transmission.
+//
+//   - Client-side: Only occurs after 'Begin', as headers are always the first
+//     thing sent on a stream.
 type OutHeader struct {
 	// Client is true if this OutHeader is from client side.
 	Client bool
@@ -189,14 +199,15 @@ func (s *OutHeader) IsClient() bool { return s.Client }
 
 func (s *OutHeader) isRPCStats() {}
 
-// OutTrailer contains stats when a trailer is sent.
+// OutTrailer contains stats about trailer transmission.
 type OutTrailer struct {
 	// Client is true if this OutTrailer is from client side.
 	Client bool
 	// WireLength is the wire length of trailer.
 	//
-	// Deprecated: This field is never set. The length is not known when this message is
-	// emitted because the trailer fields are compressed with hpack after that.
+	// Deprecated: This field is never set. The length is not known when this
+	// message is emitted because the trailer fields are compressed with hpack
+	// after that.
 	WireLength int
 	// Trailer contains the trailer metadata sent to the client. This
 	// field is only valid if this OutTrailer is from the server side.
@@ -208,7 +219,7 @@ func (s *OutTrailer) IsClient() bool { return s.Client }
 
 func (s *OutTrailer) isRPCStats() {}
 
-// End contains stats when an RPC ends.
+// End contains stats about RPC completion.
 type End struct {
 	// Client is true if this End is from client side.
 	Client bool
@@ -238,7 +249,7 @@ type ConnStats interface {
 	IsClient() bool
 }
 
-// ConnBegin contains the stats of a connection when it is established.
+// ConnBegin contains stats about connection establishment.
 type ConnBegin struct {
 	// Client is true if this ConnBegin is from client side.
 	Client bool
@@ -249,7 +260,7 @@ func (s *ConnBegin) IsClient() bool { return s.Client }
 
 func (s *ConnBegin) isConnStats() {}
 
-// ConnEnd contains the stats of a connection when it ends.
+// ConnEnd contains stats about connection termination.
 type ConnEnd struct {
 	// Client is true if this ConnEnd is from client side.
 	Client bool
diff --git a/vendor/google.golang.org/grpc/stream.go b/vendor/google.golang.org/grpc/stream.go
index 12163150..ca694892 100644
--- a/vendor/google.golang.org/grpc/stream.go
+++ b/vendor/google.golang.org/grpc/stream.go
@@ -101,9 +101,9 @@ type ClientStream interface {
 	// It must only be called after stream.CloseAndRecv has returned, or
 	// stream.Recv has returned a non-nil error (including io.EOF).
 	Trailer() metadata.MD
-	// CloseSend closes the send direction of the stream. It closes the stream
-	// when non-nil error is met. It is also not safe to call CloseSend
-	// concurrently with SendMsg.
+	// CloseSend closes the send direction of the stream. This method always
+	// returns a nil error. The status of the stream may be discovered using
+	// RecvMsg. It is also not safe to call CloseSend concurrently with SendMsg.
 	CloseSend() error
 	// Context returns the context for this stream.
 	//
@@ -212,14 +212,15 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	}
 	// Provide an opportunity for the first RPC to see the first service config
 	// provided by the resolver.
-	if err := cc.waitForResolvedAddrs(ctx); err != nil {
+	nameResolutionDelayed, err := cc.waitForResolvedAddrs(ctx)
+	if err != nil {
 		return nil, err
 	}
 
 	var mc serviceconfig.MethodConfig
 	var onCommit func()
 	newStream := func(ctx context.Context, done func()) (iresolver.ClientStream, error) {
-		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, opts...)
+		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, nameResolutionDelayed, opts...)
 	}
 
 	rpcInfo := iresolver.RPCInfo{Context: ctx, Method: method}
@@ -257,7 +258,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return newStream(ctx, func() {})
 }
 
-func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), opts ...CallOption) (_ iresolver.ClientStream, err error) {
+func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
 	callInfo := defaultCallInfo()
 	if mc.WaitForReady != nil {
 		callInfo.failFast = !*mc.WaitForReady
@@ -296,6 +297,7 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 		Method:         method,
 		ContentSubtype: callInfo.contentSubtype,
 		DoneFunc:       doneFunc,
+		Authority:      callInfo.authority,
 	}
 
 	// Set our outgoing compression according to the UseCompressor CallOption, if
@@ -321,19 +323,20 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 	}
 
 	cs := &clientStream{
-		callHdr:      callHdr,
-		ctx:          ctx,
-		methodConfig: &mc,
-		opts:         opts,
-		callInfo:     callInfo,
-		cc:           cc,
-		desc:         desc,
-		codec:        callInfo.codec,
-		compressorV0: compressorV0,
-		compressorV1: compressorV1,
-		cancel:       cancel,
-		firstAttempt: true,
-		onCommit:     onCommit,
+		callHdr:             callHdr,
+		ctx:                 ctx,
+		methodConfig:        &mc,
+		opts:                opts,
+		callInfo:            callInfo,
+		cc:                  cc,
+		desc:                desc,
+		codec:               callInfo.codec,
+		compressorV0:        compressorV0,
+		compressorV1:        compressorV1,
+		cancel:              cancel,
+		firstAttempt:        true,
+		onCommit:            onCommit,
+		nameResolutionDelay: nameResolutionDelayed,
 	}
 	if !cc.dopts.disableRetry {
 		cs.retryThrottler = cc.retryThrottler.Load().(*retryThrottler)
@@ -417,7 +420,7 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 	var beginTime time.Time
 	shs := cs.cc.dopts.copts.StatsHandlers
 	for _, sh := range shs {
-		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast})
+		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast, NameResolutionDelay: cs.nameResolutionDelay})
 		beginTime = time.Now()
 		begin := &stats.Begin{
 			Client:                    true,
@@ -573,6 +576,9 @@ type clientStream struct {
 	onCommit         func()
 	replayBuffer     []replayOp // operations to replay on retry
 	replayBufferSize int        // current size of replayBuffer
+	// nameResolutionDelay indicates if there was a delay in the name resolution.
+	// This field is only valid on client side, it's always false on server side.
+	nameResolutionDelay bool
 }
 
 type replayOp struct {
@@ -987,7 +993,7 @@ func (cs *clientStream) RecvMsg(m any) error {
 
 func (cs *clientStream) CloseSend() error {
 	if cs.sentLast {
-		// TODO: return an error and finish the stream instead, due to API misuse?
+		// Return a nil error on repeated calls to this method.
 		return nil
 	}
 	cs.sentLast = true
@@ -1008,7 +1014,10 @@ func (cs *clientStream) CloseSend() error {
 			binlog.Log(cs.ctx, chc)
 		}
 	}
-	// We never returned an error here for reasons.
+	// We don't return an error here as we expect users to read all messages
+	// from the stream and get the RPC status from RecvMsg().  Note that
+	// SendMsg() must return an error when one occurs so the application
+	// knows to stop sending messages, but that does not apply here.
 	return nil
 }
 
@@ -1162,7 +1171,7 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return toRPCErr(errors.New("grpc: client streaming protocol violation: get <nil>, want <EOF>"))
+	return status.Errorf(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
 }
 
 func (a *csAttempt) finish(err error) {
@@ -1372,7 +1381,7 @@ func (as *addrConnStream) Trailer() metadata.MD {
 
 func (as *addrConnStream) CloseSend() error {
 	if as.sentLast {
-		// TODO: return an error and finish the stream instead, due to API misuse?
+		// Return a nil error on repeated calls to this method.
 		return nil
 	}
 	as.sentLast = true
@@ -1486,7 +1495,7 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return toRPCErr(errors.New("grpc: client streaming protocol violation: get <nil>, want <EOF>"))
+	return status.Errorf(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
 }
 
 func (as *addrConnStream) finish(err error) {
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index 783c41f7..8b0e5f97 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.71.0"
+const Version = "1.74.2"
diff --git a/vendor/google.golang.org/protobuf/encoding/protowire/wire.go b/vendor/google.golang.org/protobuf/encoding/protowire/wire.go
index e942bc98..743bfb81 100644
--- a/vendor/google.golang.org/protobuf/encoding/protowire/wire.go
+++ b/vendor/google.golang.org/protobuf/encoding/protowire/wire.go
@@ -371,7 +371,31 @@ func ConsumeVarint(b []byte) (v uint64, n int) {
 func SizeVarint(v uint64) int {
 	// This computes 1 + (bits.Len64(v)-1)/7.
 	// 9/64 is a good enough approximation of 1/7
-	return int(9*uint32(bits.Len64(v))+64) / 64
+	//
+	// The Go compiler can translate the bits.LeadingZeros64 call into the LZCNT
+	// instruction, which is very fast on CPUs from the last few years. The
+	// specific way of expressing the calculation matches C++ Protobuf, see
+	// https://godbolt.org/z/4P3h53oM4 for the C++ code and how gcc/clang
+	// optimize that function for GOAMD64=v1 and GOAMD64=v3 (-march=haswell).
+
+	// By OR'ing v with 1, we guarantee that v is never 0, without changing the
+	// result of SizeVarint. LZCNT is not defined for 0, meaning the compiler
+	// needs to add extra instructions to handle that case.
+	//
+	// The Go compiler currently (go1.24.4) does not make use of this knowledge.
+	// This opportunity (removing the XOR instruction, which handles the 0 case)
+	// results in a small (1%) performance win across CPU architectures.
+	//
+	// Independently of avoiding the 0 case, we need the v |= 1 line because
+	// it allows the Go compiler to eliminate an extra XCHGL barrier.
+	v |= 1
+
+	// It would be clearer to write log2value := 63 - uint32(...), but
+	// writing uint32(...) ^ 63 is much more efficient (-14% ARM, -20% Intel).
+	// Proof of identity for our value range [0..63]:
+	// https://go.dev/play/p/Pdn9hEWYakX
+	log2value := uint32(bits.LeadingZeros64(v)) ^ 63
+	return int((log2value*9 + (64 + 9)) / 64)
 }
 
 // AppendFixed32 appends v to b as a little-endian uint32.
diff --git a/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb b/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb
index 5a57ef6f..04696351 100644
Binary files a/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb and b/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb differ
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
index 10132c9b..a0aad277 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
@@ -69,6 +69,12 @@ func unmarshalFeatureSet(b []byte, parent EditionFeatures) EditionFeatures {
 				parent.IsDelimitedEncoded = v == genid.FeatureSet_DELIMITED_enum_value
 			case genid.FeatureSet_JsonFormat_field_number:
 				parent.IsJSONCompliant = v == genid.FeatureSet_ALLOW_enum_value
+			case genid.FeatureSet_EnforceNamingStyle_field_number:
+				// EnforceNamingStyle is enforced in protoc, languages other than C++
+				// are not supposed to do anything with this feature.
+			case genid.FeatureSet_DefaultSymbolVisibility_field_number:
+				// DefaultSymbolVisibility is enforced in protoc, runtimes should not
+				// inspect this value.
 			default:
 				panic(fmt.Sprintf("unkown field number %d while unmarshalling FeatureSet", num))
 			}
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/presence.go b/vendor/google.golang.org/protobuf/internal/filedesc/presence.go
new file mode 100644
index 00000000..a12ec979
--- /dev/null
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/presence.go
@@ -0,0 +1,33 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package filedesc
+
+import "google.golang.org/protobuf/reflect/protoreflect"
+
+// UsePresenceForField reports whether the presence bitmap should be used for
+// the specified field.
+func UsePresenceForField(fd protoreflect.FieldDescriptor) (usePresence, canBeLazy bool) {
+	switch {
+	case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic():
+		// Oneof fields never use the presence bitmap.
+		//
+		// Synthetic oneofs are an exception: Those are used to implement proto3
+		// optional fields and hence should follow non-oneof field semantics.
+		return false, false
+
+	case fd.IsMap():
+		// Map-typed fields never use the presence bitmap.
+		return false, false
+
+	case fd.Kind() == protoreflect.MessageKind || fd.Kind() == protoreflect.GroupKind:
+		// Lazy fields always use the presence bitmap (only messages can be lazy).
+		isLazy := fd.(interface{ IsLazy() bool }).IsLazy()
+		return isLazy, isLazy
+
+	default:
+		// If the field has presence, use the presence bitmap.
+		return fd.HasPresence(), false
+	}
+}
diff --git a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
index f30ab6b5..950a6a32 100644
--- a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
+++ b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
@@ -34,6 +34,19 @@ const (
 	Edition_EDITION_MAX_enum_value             = 2147483647
 )
 
+// Full and short names for google.protobuf.SymbolVisibility.
+const (
+	SymbolVisibility_enum_fullname = "google.protobuf.SymbolVisibility"
+	SymbolVisibility_enum_name     = "SymbolVisibility"
+)
+
+// Enum values for google.protobuf.SymbolVisibility.
+const (
+	SymbolVisibility_VISIBILITY_UNSET_enum_value  = 0
+	SymbolVisibility_VISIBILITY_LOCAL_enum_value  = 1
+	SymbolVisibility_VISIBILITY_EXPORT_enum_value = 2
+)
+
 // Names for google.protobuf.FileDescriptorSet.
 const (
 	FileDescriptorSet_message_name     protoreflect.Name     = "FileDescriptorSet"
@@ -65,6 +78,7 @@ const (
 	FileDescriptorProto_Dependency_field_name       protoreflect.Name = "dependency"
 	FileDescriptorProto_PublicDependency_field_name protoreflect.Name = "public_dependency"
 	FileDescriptorProto_WeakDependency_field_name   protoreflect.Name = "weak_dependency"
+	FileDescriptorProto_OptionDependency_field_name protoreflect.Name = "option_dependency"
 	FileDescriptorProto_MessageType_field_name      protoreflect.Name = "message_type"
 	FileDescriptorProto_EnumType_field_name         protoreflect.Name = "enum_type"
 	FileDescriptorProto_Service_field_name          protoreflect.Name = "service"
@@ -79,6 +93,7 @@ const (
 	FileDescriptorProto_Dependency_field_fullname       protoreflect.FullName = "google.protobuf.FileDescriptorProto.dependency"
 	FileDescriptorProto_PublicDependency_field_fullname protoreflect.FullName = "google.protobuf.FileDescriptorProto.public_dependency"
 	FileDescriptorProto_WeakDependency_field_fullname   protoreflect.FullName = "google.protobuf.FileDescriptorProto.weak_dependency"
+	FileDescriptorProto_OptionDependency_field_fullname protoreflect.FullName = "google.protobuf.FileDescriptorProto.option_dependency"
 	FileDescriptorProto_MessageType_field_fullname      protoreflect.FullName = "google.protobuf.FileDescriptorProto.message_type"
 	FileDescriptorProto_EnumType_field_fullname         protoreflect.FullName = "google.protobuf.FileDescriptorProto.enum_type"
 	FileDescriptorProto_Service_field_fullname          protoreflect.FullName = "google.protobuf.FileDescriptorProto.service"
@@ -96,6 +111,7 @@ const (
 	FileDescriptorProto_Dependency_field_number       protoreflect.FieldNumber = 3
 	FileDescriptorProto_PublicDependency_field_number protoreflect.FieldNumber = 10
 	FileDescriptorProto_WeakDependency_field_number   protoreflect.FieldNumber = 11
+	FileDescriptorProto_OptionDependency_field_number protoreflect.FieldNumber = 15
 	FileDescriptorProto_MessageType_field_number      protoreflect.FieldNumber = 4
 	FileDescriptorProto_EnumType_field_number         protoreflect.FieldNumber = 5
 	FileDescriptorProto_Service_field_number          protoreflect.FieldNumber = 6
@@ -124,6 +140,7 @@ const (
 	DescriptorProto_Options_field_name        protoreflect.Name = "options"
 	DescriptorProto_ReservedRange_field_name  protoreflect.Name = "reserved_range"
 	DescriptorProto_ReservedName_field_name   protoreflect.Name = "reserved_name"
+	DescriptorProto_Visibility_field_name     protoreflect.Name = "visibility"
 
 	DescriptorProto_Name_field_fullname           protoreflect.FullName = "google.protobuf.DescriptorProto.name"
 	DescriptorProto_Field_field_fullname          protoreflect.FullName = "google.protobuf.DescriptorProto.field"
@@ -135,6 +152,7 @@ const (
 	DescriptorProto_Options_field_fullname        protoreflect.FullName = "google.protobuf.DescriptorProto.options"
 	DescriptorProto_ReservedRange_field_fullname  protoreflect.FullName = "google.protobuf.DescriptorProto.reserved_range"
 	DescriptorProto_ReservedName_field_fullname   protoreflect.FullName = "google.protobuf.DescriptorProto.reserved_name"
+	DescriptorProto_Visibility_field_fullname     protoreflect.FullName = "google.protobuf.DescriptorProto.visibility"
 )
 
 // Field numbers for google.protobuf.DescriptorProto.
@@ -149,6 +167,7 @@ const (
 	DescriptorProto_Options_field_number        protoreflect.FieldNumber = 7
 	DescriptorProto_ReservedRange_field_number  protoreflect.FieldNumber = 9
 	DescriptorProto_ReservedName_field_number   protoreflect.FieldNumber = 10
+	DescriptorProto_Visibility_field_number     protoreflect.FieldNumber = 11
 )
 
 // Names for google.protobuf.DescriptorProto.ExtensionRange.
@@ -388,12 +407,14 @@ const (
 	EnumDescriptorProto_Options_field_name       protoreflect.Name = "options"
 	EnumDescriptorProto_ReservedRange_field_name protoreflect.Name = "reserved_range"
 	EnumDescriptorProto_ReservedName_field_name  protoreflect.Name = "reserved_name"
+	EnumDescriptorProto_Visibility_field_name    protoreflect.Name = "visibility"
 
 	EnumDescriptorProto_Name_field_fullname          protoreflect.FullName = "google.protobuf.EnumDescriptorProto.name"
 	EnumDescriptorProto_Value_field_fullname         protoreflect.FullName = "google.protobuf.EnumDescriptorProto.value"
 	EnumDescriptorProto_Options_field_fullname       protoreflect.FullName = "google.protobuf.EnumDescriptorProto.options"
 	EnumDescriptorProto_ReservedRange_field_fullname protoreflect.FullName = "google.protobuf.EnumDescriptorProto.reserved_range"
 	EnumDescriptorProto_ReservedName_field_fullname  protoreflect.FullName = "google.protobuf.EnumDescriptorProto.reserved_name"
+	EnumDescriptorProto_Visibility_field_fullname    protoreflect.FullName = "google.protobuf.EnumDescriptorProto.visibility"
 )
 
 // Field numbers for google.protobuf.EnumDescriptorProto.
@@ -403,6 +424,7 @@ const (
 	EnumDescriptorProto_Options_field_number       protoreflect.FieldNumber = 3
 	EnumDescriptorProto_ReservedRange_field_number protoreflect.FieldNumber = 4
 	EnumDescriptorProto_ReservedName_field_number  protoreflect.FieldNumber = 5
+	EnumDescriptorProto_Visibility_field_number    protoreflect.FieldNumber = 6
 )
 
 // Names for google.protobuf.EnumDescriptorProto.EnumReservedRange.
@@ -1008,29 +1030,35 @@ const (
 
 // Field names for google.protobuf.FeatureSet.
 const (
-	FeatureSet_FieldPresence_field_name         protoreflect.Name = "field_presence"
-	FeatureSet_EnumType_field_name              protoreflect.Name = "enum_type"
-	FeatureSet_RepeatedFieldEncoding_field_name protoreflect.Name = "repeated_field_encoding"
-	FeatureSet_Utf8Validation_field_name        protoreflect.Name = "utf8_validation"
-	FeatureSet_MessageEncoding_field_name       protoreflect.Name = "message_encoding"
-	FeatureSet_JsonFormat_field_name            protoreflect.Name = "json_format"
+	FeatureSet_FieldPresence_field_name           protoreflect.Name = "field_presence"
+	FeatureSet_EnumType_field_name                protoreflect.Name = "enum_type"
+	FeatureSet_RepeatedFieldEncoding_field_name   protoreflect.Name = "repeated_field_encoding"
+	FeatureSet_Utf8Validation_field_name          protoreflect.Name = "utf8_validation"
+	FeatureSet_MessageEncoding_field_name         protoreflect.Name = "message_encoding"
+	FeatureSet_JsonFormat_field_name              protoreflect.Name = "json_format"
+	FeatureSet_EnforceNamingStyle_field_name      protoreflect.Name = "enforce_naming_style"
+	FeatureSet_DefaultSymbolVisibility_field_name protoreflect.Name = "default_symbol_visibility"
 
-	FeatureSet_FieldPresence_field_fullname         protoreflect.FullName = "google.protobuf.FeatureSet.field_presence"
-	FeatureSet_EnumType_field_fullname              protoreflect.FullName = "google.protobuf.FeatureSet.enum_type"
-	FeatureSet_RepeatedFieldEncoding_field_fullname protoreflect.FullName = "google.protobuf.FeatureSet.repeated_field_encoding"
-	FeatureSet_Utf8Validation_field_fullname        protoreflect.FullName = "google.protobuf.FeatureSet.utf8_validation"
-	FeatureSet_MessageEncoding_field_fullname       protoreflect.FullName = "google.protobuf.FeatureSet.message_encoding"
-	FeatureSet_JsonFormat_field_fullname            protoreflect.FullName = "google.protobuf.FeatureSet.json_format"
+	FeatureSet_FieldPresence_field_fullname           protoreflect.FullName = "google.protobuf.FeatureSet.field_presence"
+	FeatureSet_EnumType_field_fullname                protoreflect.FullName = "google.protobuf.FeatureSet.enum_type"
+	FeatureSet_RepeatedFieldEncoding_field_fullname   protoreflect.FullName = "google.protobuf.FeatureSet.repeated_field_encoding"
+	FeatureSet_Utf8Validation_field_fullname          protoreflect.FullName = "google.protobuf.FeatureSet.utf8_validation"
+	FeatureSet_MessageEncoding_field_fullname         protoreflect.FullName = "google.protobuf.FeatureSet.message_encoding"
+	FeatureSet_JsonFormat_field_fullname              protoreflect.FullName = "google.protobuf.FeatureSet.json_format"
+	FeatureSet_EnforceNamingStyle_field_fullname      protoreflect.FullName = "google.protobuf.FeatureSet.enforce_naming_style"
+	FeatureSet_DefaultSymbolVisibility_field_fullname protoreflect.FullName = "google.protobuf.FeatureSet.default_symbol_visibility"
 )
 
 // Field numbers for google.protobuf.FeatureSet.
 const (
-	FeatureSet_FieldPresence_field_number         protoreflect.FieldNumber = 1
-	FeatureSet_EnumType_field_number              protoreflect.FieldNumber = 2
-	FeatureSet_RepeatedFieldEncoding_field_number protoreflect.FieldNumber = 3
-	FeatureSet_Utf8Validation_field_number        protoreflect.FieldNumber = 4
-	FeatureSet_MessageEncoding_field_number       protoreflect.FieldNumber = 5
-	FeatureSet_JsonFormat_field_number            protoreflect.FieldNumber = 6
+	FeatureSet_FieldPresence_field_number           protoreflect.FieldNumber = 1
+	FeatureSet_EnumType_field_number                protoreflect.FieldNumber = 2
+	FeatureSet_RepeatedFieldEncoding_field_number   protoreflect.FieldNumber = 3
+	FeatureSet_Utf8Validation_field_number          protoreflect.FieldNumber = 4
+	FeatureSet_MessageEncoding_field_number         protoreflect.FieldNumber = 5
+	FeatureSet_JsonFormat_field_number              protoreflect.FieldNumber = 6
+	FeatureSet_EnforceNamingStyle_field_number      protoreflect.FieldNumber = 7
+	FeatureSet_DefaultSymbolVisibility_field_number protoreflect.FieldNumber = 8
 )
 
 // Full and short names for google.protobuf.FeatureSet.FieldPresence.
@@ -1112,6 +1140,40 @@ const (
 	FeatureSet_LEGACY_BEST_EFFORT_enum_value  = 2
 )
 
+// Full and short names for google.protobuf.FeatureSet.EnforceNamingStyle.
+const (
+	FeatureSet_EnforceNamingStyle_enum_fullname = "google.protobuf.FeatureSet.EnforceNamingStyle"
+	FeatureSet_EnforceNamingStyle_enum_name     = "EnforceNamingStyle"
+)
+
+// Enum values for google.protobuf.FeatureSet.EnforceNamingStyle.
+const (
+	FeatureSet_ENFORCE_NAMING_STYLE_UNKNOWN_enum_value = 0
+	FeatureSet_STYLE2024_enum_value                    = 1
+	FeatureSet_STYLE_LEGACY_enum_value                 = 2
+)
+
+// Names for google.protobuf.FeatureSet.VisibilityFeature.
+const (
+	FeatureSet_VisibilityFeature_message_name     protoreflect.Name     = "VisibilityFeature"
+	FeatureSet_VisibilityFeature_message_fullname protoreflect.FullName = "google.protobuf.FeatureSet.VisibilityFeature"
+)
+
+// Full and short names for google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility.
+const (
+	FeatureSet_VisibilityFeature_DefaultSymbolVisibility_enum_fullname = "google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility"
+	FeatureSet_VisibilityFeature_DefaultSymbolVisibility_enum_name     = "DefaultSymbolVisibility"
+)
+
+// Enum values for google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility.
+const (
+	FeatureSet_VisibilityFeature_DEFAULT_SYMBOL_VISIBILITY_UNKNOWN_enum_value = 0
+	FeatureSet_VisibilityFeature_EXPORT_ALL_enum_value                        = 1
+	FeatureSet_VisibilityFeature_EXPORT_TOP_LEVEL_enum_value                  = 2
+	FeatureSet_VisibilityFeature_LOCAL_ALL_enum_value                         = 3
+	FeatureSet_VisibilityFeature_STRICT_enum_value                            = 4
+)
+
 // Names for google.protobuf.FeatureSetDefaults.
 const (
 	FeatureSetDefaults_message_name     protoreflect.Name     = "FeatureSetDefaults"
diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go b/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go
index 41c1f74e..bdad12a9 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go
@@ -11,6 +11,7 @@ import (
 
 	"google.golang.org/protobuf/encoding/protowire"
 	"google.golang.org/protobuf/internal/encoding/messageset"
+	"google.golang.org/protobuf/internal/filedesc"
 	"google.golang.org/protobuf/internal/order"
 	"google.golang.org/protobuf/reflect/protoreflect"
 	piface "google.golang.org/protobuf/runtime/protoiface"
@@ -80,7 +81,7 @@ func (mi *MessageInfo) makeOpaqueCoderMethods(t reflect.Type, si opaqueStructInf
 		// permit us to skip over definitely-unset fields at marshal time.
 
 		var hasPresence bool
-		hasPresence, cf.isLazy = usePresenceForField(si, fd)
+		hasPresence, cf.isLazy = filedesc.UsePresenceForField(fd)
 
 		if hasPresence {
 			cf.presenceIndex, mi.presenceSize = presenceIndex(mi.Desc, fd)
diff --git a/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go b/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go
index dd55e8e0..5a439daa 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"sync/atomic"
 
+	"google.golang.org/protobuf/internal/filedesc"
 	"google.golang.org/protobuf/reflect/protoreflect"
 )
 
@@ -53,7 +54,7 @@ func opaqueInitHook(mi *MessageInfo) bool {
 		fd := fds.Get(i)
 		fs := si.fieldsByNumber[fd.Number()]
 		var fi fieldInfo
-		usePresence, _ := usePresenceForField(si, fd)
+		usePresence, _ := filedesc.UsePresenceForField(fd)
 
 		switch {
 		case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic():
@@ -343,17 +344,15 @@ func (mi *MessageInfo) fieldInfoForMessageListOpaqueNoPresence(si opaqueStructIn
 			if p.IsNil() {
 				return false
 			}
-			sp := p.Apply(fieldOffset).AtomicGetPointer()
-			if sp.IsNil() {
+			rv := p.Apply(fieldOffset).AsValueOf(fs.Type).Elem()
+			if rv.IsNil() {
 				return false
 			}
-			rv := sp.AsValueOf(fs.Type.Elem())
 			return rv.Elem().Len() > 0
 		},
 		clear: func(p pointer) {
-			sp := p.Apply(fieldOffset).AtomicGetPointer()
-			if !sp.IsNil() {
-				rv := sp.AsValueOf(fs.Type.Elem())
+			rv := p.Apply(fieldOffset).AsValueOf(fs.Type).Elem()
+			if !rv.IsNil() {
 				rv.Elem().Set(reflect.Zero(rv.Type().Elem()))
 			}
 		},
@@ -361,11 +360,10 @@ func (mi *MessageInfo) fieldInfoForMessageListOpaqueNoPresence(si opaqueStructIn
 			if p.IsNil() {
 				return conv.Zero()
 			}
-			sp := p.Apply(fieldOffset).AtomicGetPointer()
-			if sp.IsNil() {
+			rv := p.Apply(fieldOffset).AsValueOf(fs.Type).Elem()
+			if rv.IsNil() {
 				return conv.Zero()
 			}
-			rv := sp.AsValueOf(fs.Type.Elem())
 			if rv.Elem().Len() == 0 {
 				return conv.Zero()
 			}
@@ -598,30 +596,3 @@ func (mi *MessageInfo) clearPresent(p pointer, index uint32) {
 func (mi *MessageInfo) present(p pointer, index uint32) bool {
 	return p.Apply(mi.presenceOffset).PresenceInfo().Present(index)
 }
-
-// usePresenceForField implements the somewhat intricate logic of when
-// the presence bitmap is used for a field.  The main logic is that a
-// field that is optional or that can be lazy will use the presence
-// bit, but for proto2, also maps have a presence bit. It also records
-// if the field can ever be lazy, which is true if we have a
-// lazyOffset and the field is a message or a slice of messages. A
-// field that is lazy will always need a presence bit.  Oneofs are not
-// lazy and do not use presence, unless they are a synthetic oneof,
-// which is a proto3 optional field. For proto3 optionals, we use the
-// presence and they can also be lazy when applicable (a message).
-func usePresenceForField(si opaqueStructInfo, fd protoreflect.FieldDescriptor) (usePresence, canBeLazy bool) {
-	hasLazyField := fd.(interface{ IsLazy() bool }).IsLazy()
-
-	// Non-oneof scalar fields with explicit field presence use the presence array.
-	usesPresenceArray := fd.HasPresence() && fd.Message() == nil && (fd.ContainingOneof() == nil || fd.ContainingOneof().IsSynthetic())
-	switch {
-	case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic():
-		return false, false
-	case fd.IsMap():
-		return false, false
-	case fd.Kind() == protoreflect.MessageKind || fd.Kind() == protoreflect.GroupKind:
-		return hasLazyField, hasLazyField
-	default:
-		return usesPresenceArray || (hasLazyField && fd.HasPresence()), false
-	}
-}
diff --git a/vendor/google.golang.org/protobuf/internal/impl/presence.go b/vendor/google.golang.org/protobuf/internal/impl/presence.go
index 914cb1de..443afe81 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/presence.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/presence.go
@@ -32,9 +32,6 @@ func (p presence) toElem(num uint32) (ret *uint32) {
 
 // Present checks for the presence of a specific field number in a presence set.
 func (p presence) Present(num uint32) bool {
-	if p.P == nil {
-		return false
-	}
 	return Export{}.Present(p.toElem(num), num)
 }
 
diff --git a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go121.go b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go
similarity index 99%
rename from vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go121.go
rename to vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go
index 1ffddf68..42dd6f70 100644
--- a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go121.go
+++ b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go
@@ -2,8 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.21
-
 package strs
 
 import (
diff --git a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go
deleted file mode 100644
index 832a7988..00000000
--- a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go
+++ /dev/null
@@ -1,94 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.21
-
-package strs
-
-import (
-	"unsafe"
-
-	"google.golang.org/protobuf/reflect/protoreflect"
-)
-
-type (
-	stringHeader struct {
-		Data unsafe.Pointer
-		Len  int
-	}
-	sliceHeader struct {
-		Data unsafe.Pointer
-		Len  int
-		Cap  int
-	}
-)
-
-// UnsafeString returns an unsafe string reference of b.
-// The caller must treat the input slice as immutable.
-//
-// WARNING: Use carefully. The returned result must not leak to the end user
-// unless the input slice is provably immutable.
-func UnsafeString(b []byte) (s string) {
-	src := (*sliceHeader)(unsafe.Pointer(&b))
-	dst := (*stringHeader)(unsafe.Pointer(&s))
-	dst.Data = src.Data
-	dst.Len = src.Len
-	return s
-}
-
-// UnsafeBytes returns an unsafe bytes slice reference of s.
-// The caller must treat returned slice as immutable.
-//
-// WARNING: Use carefully. The returned result must not leak to the end user.
-func UnsafeBytes(s string) (b []byte) {
-	src := (*stringHeader)(unsafe.Pointer(&s))
-	dst := (*sliceHeader)(unsafe.Pointer(&b))
-	dst.Data = src.Data
-	dst.Len = src.Len
-	dst.Cap = src.Len
-	return b
-}
-
-// Builder builds a set of strings with shared lifetime.
-// This differs from strings.Builder, which is for building a single string.
-type Builder struct {
-	buf []byte
-}
-
-// AppendFullName is equivalent to protoreflect.FullName.Append,
-// but optimized for large batches where each name has a shared lifetime.
-func (sb *Builder) AppendFullName(prefix protoreflect.FullName, name protoreflect.Name) protoreflect.FullName {
-	n := len(prefix) + len(".") + len(name)
-	if len(prefix) == 0 {
-		n -= len(".")
-	}
-	sb.grow(n)
-	sb.buf = append(sb.buf, prefix...)
-	sb.buf = append(sb.buf, '.')
-	sb.buf = append(sb.buf, name...)
-	return protoreflect.FullName(sb.last(n))
-}
-
-// MakeString is equivalent to string(b), but optimized for large batches
-// with a shared lifetime.
-func (sb *Builder) MakeString(b []byte) string {
-	sb.grow(len(b))
-	sb.buf = append(sb.buf, b...)
-	return sb.last(len(b))
-}
-
-func (sb *Builder) grow(n int) {
-	if cap(sb.buf)-len(sb.buf) >= n {
-		return
-	}
-
-	// Unlike strings.Builder, we do not need to copy over the contents
-	// of the old buffer since our builder provides no API for
-	// retrieving previously created strings.
-	sb.buf = make([]byte, 0, 2*(cap(sb.buf)+n))
-}
-
-func (sb *Builder) last(n int) string {
-	return UnsafeString(sb.buf[len(sb.buf)-n:])
-}
diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go
index 01efc330..a53364c5 100644
--- a/vendor/google.golang.org/protobuf/internal/version/version.go
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go
@@ -52,7 +52,7 @@ import (
 const (
 	Major      = 1
 	Minor      = 36
-	Patch      = 5
+	Patch      = 7
 	PreRelease = ""
 )
 
diff --git a/vendor/google.golang.org/protobuf/proto/merge.go b/vendor/google.golang.org/protobuf/proto/merge.go
index 3c6fe578..ef55b97d 100644
--- a/vendor/google.golang.org/protobuf/proto/merge.go
+++ b/vendor/google.golang.org/protobuf/proto/merge.go
@@ -59,6 +59,12 @@ func Clone(m Message) Message {
 	return dst.Interface()
 }
 
+// CloneOf returns a deep copy of m. If the top-level message is invalid,
+// it returns an invalid message as well.
+func CloneOf[M Message](m M) M {
+	return Clone(m).(M)
+}
+
 // mergeOptions provides a namespace for merge functions, and can be
 // exported in the future if we add user-visible merge options.
 type mergeOptions struct{}
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go
index ea154eec..730331e6 100644
--- a/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go
+++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go
@@ -21,6 +21,8 @@ func (p *SourcePath) appendFileDescriptorProto(b []byte) []byte {
 		b = p.appendRepeatedField(b, "public_dependency", nil)
 	case 11:
 		b = p.appendRepeatedField(b, "weak_dependency", nil)
+	case 15:
+		b = p.appendRepeatedField(b, "option_dependency", nil)
 	case 4:
 		b = p.appendRepeatedField(b, "message_type", (*SourcePath).appendDescriptorProto)
 	case 5:
@@ -66,6 +68,8 @@ func (p *SourcePath) appendDescriptorProto(b []byte) []byte {
 		b = p.appendRepeatedField(b, "reserved_range", (*SourcePath).appendDescriptorProto_ReservedRange)
 	case 10:
 		b = p.appendRepeatedField(b, "reserved_name", nil)
+	case 11:
+		b = p.appendSingularField(b, "visibility", nil)
 	}
 	return b
 }
@@ -85,6 +89,8 @@ func (p *SourcePath) appendEnumDescriptorProto(b []byte) []byte {
 		b = p.appendRepeatedField(b, "reserved_range", (*SourcePath).appendEnumDescriptorProto_EnumReservedRange)
 	case 5:
 		b = p.appendRepeatedField(b, "reserved_name", nil)
+	case 6:
+		b = p.appendSingularField(b, "visibility", nil)
 	}
 	return b
 }
@@ -398,6 +404,10 @@ func (p *SourcePath) appendFeatureSet(b []byte) []byte {
 		b = p.appendSingularField(b, "message_encoding", nil)
 	case 6:
 		b = p.appendSingularField(b, "json_format", nil)
+	case 7:
+		b = p.appendSingularField(b, "enforce_naming_style", nil)
+	case 8:
+		b = p.appendSingularField(b, "default_symbol_visibility", nil)
 	}
 	return b
 }
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go121.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go
similarity index 99%
rename from vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go121.go
rename to vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go
index 479527b5..fe17f372 100644
--- a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go121.go
+++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go
@@ -2,8 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.21
-
 package protoreflect
 
 import (
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go
deleted file mode 100644
index 0015fcb3..00000000
--- a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go
+++ /dev/null
@@ -1,98 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.21
-
-package protoreflect
-
-import (
-	"unsafe"
-
-	"google.golang.org/protobuf/internal/pragma"
-)
-
-type (
-	stringHeader struct {
-		Data unsafe.Pointer
-		Len  int
-	}
-	sliceHeader struct {
-		Data unsafe.Pointer
-		Len  int
-		Cap  int
-	}
-	ifaceHeader struct {
-		Type unsafe.Pointer
-		Data unsafe.Pointer
-	}
-)
-
-var (
-	nilType     = typeOf(nil)
-	boolType    = typeOf(*new(bool))
-	int32Type   = typeOf(*new(int32))
-	int64Type   = typeOf(*new(int64))
-	uint32Type  = typeOf(*new(uint32))
-	uint64Type  = typeOf(*new(uint64))
-	float32Type = typeOf(*new(float32))
-	float64Type = typeOf(*new(float64))
-	stringType  = typeOf(*new(string))
-	bytesType   = typeOf(*new([]byte))
-	enumType    = typeOf(*new(EnumNumber))
-)
-
-// typeOf returns a pointer to the Go type information.
-// The pointer is comparable and equal if and only if the types are identical.
-func typeOf(t any) unsafe.Pointer {
-	return (*ifaceHeader)(unsafe.Pointer(&t)).Type
-}
-
-// value is a union where only one type can be represented at a time.
-// The struct is 24B large on 64-bit systems and requires the minimum storage
-// necessary to represent each possible type.
-//
-// The Go GC needs to be able to scan variables containing pointers.
-// As such, pointers and non-pointers cannot be intermixed.
-type value struct {
-	pragma.DoNotCompare // 0B
-
-	// typ stores the type of the value as a pointer to the Go type.
-	typ unsafe.Pointer // 8B
-
-	// ptr stores the data pointer for a String, Bytes, or interface value.
-	ptr unsafe.Pointer // 8B
-
-	// num stores a Bool, Int32, Int64, Uint32, Uint64, Float32, Float64, or
-	// Enum value as a raw uint64.
-	//
-	// It is also used to store the length of a String or Bytes value;
-	// the capacity is ignored.
-	num uint64 // 8B
-}
-
-func valueOfString(v string) Value {
-	p := (*stringHeader)(unsafe.Pointer(&v))
-	return Value{typ: stringType, ptr: p.Data, num: uint64(len(v))}
-}
-func valueOfBytes(v []byte) Value {
-	p := (*sliceHeader)(unsafe.Pointer(&v))
-	return Value{typ: bytesType, ptr: p.Data, num: uint64(len(v))}
-}
-func valueOfIface(v any) Value {
-	p := (*ifaceHeader)(unsafe.Pointer(&v))
-	return Value{typ: p.Type, ptr: p.Data}
-}
-
-func (v Value) getString() (x string) {
-	*(*stringHeader)(unsafe.Pointer(&x)) = stringHeader{Data: v.ptr, Len: int(v.num)}
-	return x
-}
-func (v Value) getBytes() (x []byte) {
-	*(*sliceHeader)(unsafe.Pointer(&x)) = sliceHeader{Data: v.ptr, Len: int(v.num), Cap: int(v.num)}
-	return x
-}
-func (v Value) getIface() (x any) {
-	*(*ifaceHeader)(unsafe.Pointer(&x)) = ifaceHeader{Type: v.typ, Data: v.ptr}
-	return x
-}
diff --git a/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go b/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go
index 497da66e..1ff0d149 100644
--- a/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go
@@ -412,23 +412,13 @@ func (x *Any) GetValue() []byte {
 
 var File_google_protobuf_any_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_any_proto_rawDesc = string([]byte{
-	0x0a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22, 0x36, 0x0a, 0x03,
-	0x41, 0x6e, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x74, 0x79, 0x70, 0x65, 0x55, 0x72, 0x6c, 0x12, 0x14,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x42, 0x76, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x08, 0x41, 0x6e, 0x79,
-	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f,
-	0x61, 0x6e, 0x79, 0x70, 0x62, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65,
-	0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_any_proto_rawDesc = "" +
+	"\n" +
+	"\x19google/protobuf/any.proto\x12\x0fgoogle.protobuf\"6\n" +
+	"\x03Any\x12\x19\n" +
+	"\btype_url\x18\x01 \x01(\tR\atypeUrl\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\fR\x05valueBv\n" +
+	"\x13com.google.protobufB\bAnyProtoP\x01Z,google.golang.org/protobuf/types/known/anypb\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_any_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go b/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go
index 193880d1..ca2e7b38 100644
--- a/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go
@@ -289,24 +289,13 @@ func (x *Duration) GetNanos() int32 {
 
 var File_google_protobuf_duration_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_duration_proto_rawDesc = string([]byte{
-	0x0a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x22, 0x3a, 0x0a, 0x08, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a,
-	0x07, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07,
-	0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6e, 0x6f, 0x73,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6e, 0x61, 0x6e, 0x6f, 0x73, 0x42, 0x83, 0x01,
-	0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x0d, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x31, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
-	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x64,
-	0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47,
-	0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79,
-	0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_duration_proto_rawDesc = "" +
+	"\n" +
+	"\x1egoogle/protobuf/duration.proto\x12\x0fgoogle.protobuf\":\n" +
+	"\bDuration\x12\x18\n" +
+	"\aseconds\x18\x01 \x01(\x03R\aseconds\x12\x14\n" +
+	"\x05nanos\x18\x02 \x01(\x05R\x05nanosB\x83\x01\n" +
+	"\x13com.google.protobufB\rDurationProtoP\x01Z1google.golang.org/protobuf/types/known/durationpb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_duration_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go b/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go
index 041feb0f..91ee89a5 100644
--- a/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go
@@ -504,23 +504,12 @@ func (x *FieldMask) GetPaths() []string {
 
 var File_google_protobuf_field_mask_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_field_mask_proto_rawDesc = string([]byte{
-	0x0a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x22, 0x21, 0x0a, 0x09, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4d, 0x61, 0x73, 0x6b,
-	0x12, 0x14, 0x0a, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x42, 0x85, 0x01, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x0e,
-	0x46, 0x69, 0x65, 0x6c, 0x64, 0x4d, 0x61, 0x73, 0x6b, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
-	0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e,
-	0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70,
-	0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x6d, 0x61,
-	0x73, 0x6b, 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e,
-	0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_field_mask_proto_rawDesc = "" +
+	"\n" +
+	" google/protobuf/field_mask.proto\x12\x0fgoogle.protobuf\"!\n" +
+	"\tFieldMask\x12\x14\n" +
+	"\x05paths\x18\x01 \x03(\tR\x05pathsB\x85\x01\n" +
+	"\x13com.google.protobufB\x0eFieldMaskProtoP\x01Z2google.golang.org/protobuf/types/known/fieldmaskpb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_field_mask_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go b/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go
index ecdd31ab..30411b72 100644
--- a/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go
@@ -672,55 +672,31 @@ func (x *ListValue) GetValues() []*Value {
 
 var File_google_protobuf_struct_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_struct_proto_rawDesc = string([]byte{
-	0x0a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22,
-	0x98, 0x01, 0x0a, 0x06, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x12, 0x3b, 0x0a, 0x06, 0x66, 0x69,
-	0x65, 0x6c, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72,
-	0x75, 0x63, 0x74, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
-	0x06, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x1a, 0x51, 0x0a, 0x0b, 0x46, 0x69, 0x65, 0x6c, 0x64,
-	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xb2, 0x02, 0x0a, 0x05, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x12, 0x3b, 0x0a, 0x0a, 0x6e, 0x75, 0x6c, 0x6c, 0x5f, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4e, 0x75, 0x6c, 0x6c, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x48, 0x00, 0x52, 0x09, 0x6e, 0x75, 0x6c, 0x6c, 0x56, 0x61, 0x6c, 0x75,
-	0x65, 0x12, 0x23, 0x0a, 0x0c, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x01, 0x48, 0x00, 0x52, 0x0b, 0x6e, 0x75, 0x6d, 0x62, 0x65,
-	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x23, 0x0a, 0x0c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67,
-	0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b,
-	0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x1f, 0x0a, 0x0a, 0x62,
-	0x6f, 0x6f, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x48,
-	0x00, 0x52, 0x09, 0x62, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x3c, 0x0a, 0x0c,
-	0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x05, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x48, 0x00, 0x52, 0x0b, 0x73,
-	0x74, 0x72, 0x75, 0x63, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x3b, 0x0a, 0x0a, 0x6c, 0x69,
-	0x73, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x48, 0x00, 0x52, 0x09, 0x6c, 0x69,
-	0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x06, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22,
-	0x3b, 0x0a, 0x09, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x2e, 0x0a, 0x06,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x2a, 0x1b, 0x0a, 0x09,
-	0x4e, 0x75, 0x6c, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x0a, 0x4e, 0x55, 0x4c,
-	0x4c, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x10, 0x00, 0x42, 0x7f, 0x0a, 0x13, 0x63, 0x6f, 0x6d,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x42, 0x0b, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a,
-	0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f,
-	0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65,
-	0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x70, 0x62,
-	0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c,
-	0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-})
+const file_google_protobuf_struct_proto_rawDesc = "" +
+	"\n" +
+	"\x1cgoogle/protobuf/struct.proto\x12\x0fgoogle.protobuf\"\x98\x01\n" +
+	"\x06Struct\x12;\n" +
+	"\x06fields\x18\x01 \x03(\v2#.google.protobuf.Struct.FieldsEntryR\x06fields\x1aQ\n" +
+	"\vFieldsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12,\n" +
+	"\x05value\x18\x02 \x01(\v2\x16.google.protobuf.ValueR\x05value:\x028\x01\"\xb2\x02\n" +
+	"\x05Value\x12;\n" +
+	"\n" +
+	"null_value\x18\x01 \x01(\x0e2\x1a.google.protobuf.NullValueH\x00R\tnullValue\x12#\n" +
+	"\fnumber_value\x18\x02 \x01(\x01H\x00R\vnumberValue\x12#\n" +
+	"\fstring_value\x18\x03 \x01(\tH\x00R\vstringValue\x12\x1f\n" +
+	"\n" +
+	"bool_value\x18\x04 \x01(\bH\x00R\tboolValue\x12<\n" +
+	"\fstruct_value\x18\x05 \x01(\v2\x17.google.protobuf.StructH\x00R\vstructValue\x12;\n" +
+	"\n" +
+	"list_value\x18\x06 \x01(\v2\x1a.google.protobuf.ListValueH\x00R\tlistValueB\x06\n" +
+	"\x04kind\";\n" +
+	"\tListValue\x12.\n" +
+	"\x06values\x18\x01 \x03(\v2\x16.google.protobuf.ValueR\x06values*\x1b\n" +
+	"\tNullValue\x12\x0e\n" +
+	"\n" +
+	"NULL_VALUE\x10\x00B\x7f\n" +
+	"\x13com.google.protobufB\vStructProtoP\x01Z/google.golang.org/protobuf/types/known/structpb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_struct_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
index 00ac835c..06d584c1 100644
--- a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
@@ -298,24 +298,13 @@ func (x *Timestamp) GetNanos() int32 {
 
 var File_google_protobuf_timestamp_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_timestamp_proto_rawDesc = string([]byte{
-	0x0a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x22, 0x3b, 0x0a, 0x09, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12,
-	0x18, 0x0a, 0x07, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03,
-	0x52, 0x07, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6e,
-	0x6f, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6e, 0x61, 0x6e, 0x6f, 0x73, 0x42,
-	0x85, 0x01, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x0e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x6d, 0x70, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77,
-	0x6e, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x70, 0x62, 0xf8, 0x01, 0x01,
-	0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f,
-	0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_timestamp_proto_rawDesc = "" +
+	"\n" +
+	"\x1fgoogle/protobuf/timestamp.proto\x12\x0fgoogle.protobuf\";\n" +
+	"\tTimestamp\x12\x18\n" +
+	"\aseconds\x18\x01 \x01(\x03R\aseconds\x12\x14\n" +
+	"\x05nanos\x18\x02 \x01(\x05R\x05nanosB\x85\x01\n" +
+	"\x13com.google.protobufB\x0eTimestampProtoP\x01Z2google.golang.org/protobuf/types/known/timestamppb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_timestamp_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go b/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go
index 5de53010..b7c2d060 100644
--- a/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go
@@ -28,10 +28,17 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Wrappers for primitive (non-message) types. These types are useful
-// for embedding primitives in the `google.protobuf.Any` type and for places
-// where we need to distinguish between the absence of a primitive
-// typed field and its default value.
+// Wrappers for primitive (non-message) types. These types were needed
+// for legacy reasons and are not recommended for use in new APIs.
+//
+// Historically these wrappers were useful to have presence on proto3 primitive
+// fields, but proto3 syntax has been updated to support the `optional` keyword.
+// Using that keyword is now the strongly preferred way to add presence to
+// proto3 primitive fields.
+//
+// A secondary usecase was to embed primitives in the `google.protobuf.Any`
+// type: it is now recommended that you embed your value in your own wrapper
+// message which can be specifically documented.
 //
 // These wrappers have no meaningful use within repeated fields as they lack
 // the ability to detect presence on individual elements.
@@ -54,6 +61,9 @@ import (
 // Wrapper message for `double`.
 //
 // The JSON representation for `DoubleValue` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type DoubleValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The double value.
@@ -107,6 +117,9 @@ func (x *DoubleValue) GetValue() float64 {
 // Wrapper message for `float`.
 //
 // The JSON representation for `FloatValue` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type FloatValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The float value.
@@ -160,6 +173,9 @@ func (x *FloatValue) GetValue() float32 {
 // Wrapper message for `int64`.
 //
 // The JSON representation for `Int64Value` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type Int64Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The int64 value.
@@ -213,6 +229,9 @@ func (x *Int64Value) GetValue() int64 {
 // Wrapper message for `uint64`.
 //
 // The JSON representation for `UInt64Value` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type UInt64Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The uint64 value.
@@ -266,6 +285,9 @@ func (x *UInt64Value) GetValue() uint64 {
 // Wrapper message for `int32`.
 //
 // The JSON representation for `Int32Value` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type Int32Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The int32 value.
@@ -319,6 +341,9 @@ func (x *Int32Value) GetValue() int32 {
 // Wrapper message for `uint32`.
 //
 // The JSON representation for `UInt32Value` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type UInt32Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The uint32 value.
@@ -372,6 +397,9 @@ func (x *UInt32Value) GetValue() uint32 {
 // Wrapper message for `bool`.
 //
 // The JSON representation for `BoolValue` is JSON `true` and `false`.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type BoolValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The bool value.
@@ -425,6 +453,9 @@ func (x *BoolValue) GetValue() bool {
 // Wrapper message for `string`.
 //
 // The JSON representation for `StringValue` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type StringValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The string value.
@@ -478,6 +509,9 @@ func (x *StringValue) GetValue() string {
 // Wrapper message for `bytes`.
 //
 // The JSON representation for `BytesValue` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type BytesValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The bytes value.
@@ -530,41 +564,32 @@ func (x *BytesValue) GetValue() []byte {
 
 var File_google_protobuf_wrappers_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_wrappers_proto_rawDesc = string([]byte{
-	0x0a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x22, 0x23, 0x0a, 0x0b, 0x44, 0x6f, 0x75, 0x62, 0x6c, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65,
-	0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x01, 0x52,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x46, 0x6c, 0x6f, 0x61, 0x74, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x02, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x49, 0x6e,
-	0x74, 0x36, 0x34, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x23,
-	0x0a, 0x0b, 0x55, 0x49, 0x6e, 0x74, 0x36, 0x34, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75,
-	0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05,
-	0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x23, 0x0a, 0x0b, 0x55, 0x49, 0x6e, 0x74, 0x33,
-	0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x21, 0x0a, 0x09,
-	0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22,
-	0x23, 0x0a, 0x0b, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x42, 0x79, 0x74, 0x65, 0x73, 0x56, 0x61, 0x6c,
-	0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x83, 0x01, 0x0a, 0x13, 0x63, 0x6f, 0x6d,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x42, 0x0d, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
-	0x01, 0x5a, 0x31, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67,
-	0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79,
-	0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65,
-	0x72, 0x73, 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e,
-	0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_wrappers_proto_rawDesc = "" +
+	"\n" +
+	"\x1egoogle/protobuf/wrappers.proto\x12\x0fgoogle.protobuf\"#\n" +
+	"\vDoubleValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x01R\x05value\"\"\n" +
+	"\n" +
+	"FloatValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x02R\x05value\"\"\n" +
+	"\n" +
+	"Int64Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x03R\x05value\"#\n" +
+	"\vUInt64Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x04R\x05value\"\"\n" +
+	"\n" +
+	"Int32Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x05R\x05value\"#\n" +
+	"\vUInt32Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\rR\x05value\"!\n" +
+	"\tBoolValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\bR\x05value\"#\n" +
+	"\vStringValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\tR\x05value\"\"\n" +
+	"\n" +
+	"BytesValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\fR\x05valueB\x83\x01\n" +
+	"\x13com.google.protobufB\rWrappersProtoP\x01Z1google.golang.org/protobuf/types/known/wrapperspb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_wrappers_proto_rawDescOnce sync.Once
diff --git a/vendor/modules.txt b/vendor/modules.txt
index e16533d3..5e1306c3 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,13 +1,13 @@
-# coopcloud.tech/tagcmp v0.0.0-20230809071031-eb3e7758d4eb
+# coopcloud.tech/tagcmp v0.0.0-20250427094623-9ea3bbbde8e5
 ## explicit; go 1.16
 coopcloud.tech/tagcmp
-# dario.cat/mergo v1.0.1
+# dario.cat/mergo v1.0.2
 ## explicit; go 1.13
 dario.cat/mergo
 # git.coopcloud.tech/toolshed/godotenv v1.5.2-0.20250103171850-4d0ca41daa5c
 ## explicit; go 1.12
 git.coopcloud.tech/toolshed/godotenv
-# github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24
+# github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
 ## explicit; go 1.20
 # github.com/AlecAivazis/survey/v2 v2.3.7
 ## explicit; go 1.13
@@ -18,7 +18,7 @@ github.com/AlecAivazis/survey/v2/terminal
 ## explicit; go 1.16
 github.com/Azure/go-ansiterm
 github.com/Azure/go-ansiterm/winterm
-# github.com/BurntSushi/toml v1.4.0
+# github.com/BurntSushi/toml v1.5.0
 ## explicit; go 1.18
 github.com/BurntSushi/toml
 github.com/BurntSushi/toml/internal
@@ -29,8 +29,8 @@ github.com/Microsoft/go-winio/internal/fs
 github.com/Microsoft/go-winio/internal/socket
 github.com/Microsoft/go-winio/internal/stringbuffer
 github.com/Microsoft/go-winio/pkg/guid
-# github.com/ProtonMail/go-crypto v1.1.6
-## explicit; go 1.17
+# github.com/ProtonMail/go-crypto v1.3.0
+## explicit; go 1.22.0
 github.com/ProtonMail/go-crypto/bitcurves
 github.com/ProtonMail/go-crypto/brainpool
 github.com/ProtonMail/go-crypto/eax
@@ -61,27 +61,28 @@ github.com/aymanbagabas/go-osc52/v2
 github.com/beorn7/perks/quantile
 # github.com/cenkalti/backoff/v4 v4.3.0
 ## explicit; go 1.18
-github.com/cenkalti/backoff/v4
+# github.com/cenkalti/backoff/v5 v5.0.3
+## explicit; go 1.23
+github.com/cenkalti/backoff/v5
 # github.com/cespare/xxhash/v2 v2.3.0
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/charmbracelet/bubbletea v1.3.4
-## explicit; go 1.18
+# github.com/charmbracelet/bubbletea v1.3.6
+## explicit; go 1.23.0
 github.com/charmbracelet/bubbletea
-# github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc
-## explicit; go 1.18
+# github.com/charmbracelet/colorprofile v0.3.1
+## explicit; go 1.23.0
 github.com/charmbracelet/colorprofile
 # github.com/charmbracelet/lipgloss v1.1.0
 ## explicit; go 1.18
 github.com/charmbracelet/lipgloss
 github.com/charmbracelet/lipgloss/table
-# github.com/charmbracelet/log v0.4.1
+# github.com/charmbracelet/log v0.4.2
 ## explicit; go 1.19
 github.com/charmbracelet/log
-# github.com/charmbracelet/x/ansi v0.8.0
-## explicit; go 1.18
+# github.com/charmbracelet/x/ansi v0.10.1
+## explicit; go 1.23.0
 github.com/charmbracelet/x/ansi
-github.com/charmbracelet/x/ansi/kitty
 github.com/charmbracelet/x/ansi/parser
 # github.com/charmbracelet/x/cellbuf v0.0.13
 ## explicit; go 1.18
@@ -89,7 +90,7 @@ github.com/charmbracelet/x/cellbuf
 # github.com/charmbracelet/x/term v0.2.1
 ## explicit; go 1.18
 github.com/charmbracelet/x/term
-# github.com/cloudflare/circl v1.6.0
+# github.com/cloudflare/circl v1.6.1
 ## explicit; go 1.22.0
 github.com/cloudflare/circl/dh/x25519
 github.com/cloudflare/circl/dh/x448
@@ -103,9 +104,19 @@ github.com/cloudflare/circl/math/mlsbset
 github.com/cloudflare/circl/sign
 github.com/cloudflare/circl/sign/ed25519
 github.com/cloudflare/circl/sign/ed448
+# github.com/containerd/errdefs v1.0.0
+## explicit; go 1.20
+github.com/containerd/errdefs
+# github.com/containerd/errdefs/pkg v0.3.0
+## explicit; go 1.22
+github.com/containerd/errdefs/pkg/errhttp
+github.com/containerd/errdefs/pkg/internal/cause
 # github.com/containerd/log v0.1.0
 ## explicit; go 1.20
 github.com/containerd/log
+# github.com/containerd/platforms v0.2.1
+## explicit; go 1.20
+github.com/containerd/platforms
 # github.com/containers/image v3.0.2+incompatible
 ## explicit
 github.com/containers/image/docker
@@ -123,7 +134,7 @@ github.com/containers/image/transports
 github.com/containers/image/types
 # github.com/containers/storage v1.38.2
 ## explicit; go 1.14
-# github.com/cpuguy83/go-md2man/v2 v2.0.6
+# github.com/cpuguy83/go-md2man/v2 v2.0.7
 ## explicit; go 1.12
 github.com/cpuguy83/go-md2man/v2/md2man
 # github.com/cyphar/filepath-securejoin v0.4.1
@@ -138,11 +149,10 @@ github.com/decentral1se/passgen
 # github.com/distribution/reference v0.6.0
 ## explicit; go 1.20
 github.com/distribution/reference
-# github.com/docker/cli v28.0.1+incompatible
+# github.com/docker/cli v28.3.3+incompatible
 ## explicit
 github.com/docker/cli/cli
-github.com/docker/cli/cli-plugins/hooks
-github.com/docker/cli/cli-plugins/manager
+github.com/docker/cli/cli-plugins/metadata
 github.com/docker/cli/cli/command
 github.com/docker/cli/cli/command/formatter
 github.com/docker/cli/cli/command/formatter/tabwriter
@@ -156,9 +166,11 @@ github.com/docker/cli/cli/compose/types
 github.com/docker/cli/cli/config
 github.com/docker/cli/cli/config/configfile
 github.com/docker/cli/cli/config/credentials
+github.com/docker/cli/cli/config/memorystore
 github.com/docker/cli/cli/config/types
 github.com/docker/cli/cli/connhelper
 github.com/docker/cli/cli/connhelper/commandconn
+github.com/docker/cli/cli/connhelper/internal/syntax
 github.com/docker/cli/cli/connhelper/ssh
 github.com/docker/cli/cli/context
 github.com/docker/cli/cli/context/docker
@@ -166,38 +178,32 @@ github.com/docker/cli/cli/context/store
 github.com/docker/cli/cli/debug
 github.com/docker/cli/cli/flags
 github.com/docker/cli/cli/hints
-github.com/docker/cli/cli/manifest/store
-github.com/docker/cli/cli/manifest/types
-github.com/docker/cli/cli/registry/client
 github.com/docker/cli/cli/streams
-github.com/docker/cli/cli/trust
 github.com/docker/cli/cli/version
+github.com/docker/cli/internal/lazyregexp
+github.com/docker/cli/internal/prompt
 github.com/docker/cli/internal/tui
 github.com/docker/cli/opts
+github.com/docker/cli/opts/swarmopts
 github.com/docker/cli/pkg/kvfile
 github.com/docker/cli/templates
 # github.com/docker/distribution v2.8.3+incompatible
 ## explicit
 github.com/docker/distribution
-github.com/docker/distribution/manifest
-github.com/docker/distribution/manifest/manifestlist
-github.com/docker/distribution/manifest/ocischema
-github.com/docker/distribution/manifest/schema2
 github.com/docker/distribution/metrics
 github.com/docker/distribution/registry/api/errcode
 github.com/docker/distribution/registry/api/v2
 github.com/docker/distribution/registry/client
-github.com/docker/distribution/registry/client/auth
 github.com/docker/distribution/registry/client/auth/challenge
 github.com/docker/distribution/registry/client/transport
 github.com/docker/distribution/registry/storage/cache
 github.com/docker/distribution/registry/storage/cache/memory
-github.com/docker/distribution/uuid
-# github.com/docker/docker v28.0.1+incompatible
+# github.com/docker/docker v28.3.3+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types
 github.com/docker/docker/api/types/blkiodev
+github.com/docker/docker/api/types/build
 github.com/docker/docker/api/types/checkpoint
 github.com/docker/docker/api/types/common
 github.com/docker/docker/api/types/container
@@ -220,7 +226,6 @@ github.com/docker/docker/errdefs
 github.com/docker/docker/internal/lazyregexp
 github.com/docker/docker/internal/multierror
 github.com/docker/docker/pkg/archive
-github.com/docker/docker/pkg/atomicwriter
 github.com/docker/docker/pkg/homedir
 github.com/docker/docker/pkg/idtools
 github.com/docker/docker/pkg/ioutils
@@ -228,16 +233,13 @@ github.com/docker/docker/pkg/jsonmessage
 github.com/docker/docker/pkg/progress
 github.com/docker/docker/pkg/stdcopy
 github.com/docker/docker/pkg/streamformatter
-github.com/docker/docker/pkg/stringid
-github.com/docker/docker/registry
 # github.com/docker/docker-credential-helpers v0.9.3
 ## explicit; go 1.21
 github.com/docker/docker-credential-helpers/client
 github.com/docker/docker-credential-helpers/credentials
 # github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c
 ## explicit
-github.com/docker/go/canonical/json
-# github.com/docker/go-connections v0.5.0
+# github.com/docker/go-connections v0.6.0
 ## explicit; go 1.18
 github.com/docker/go-connections/nat
 github.com/docker/go-connections/sockets
@@ -287,7 +289,7 @@ github.com/go-git/go-billy/v5/helper/polyfill
 github.com/go-git/go-billy/v5/memfs
 github.com/go-git/go-billy/v5/osfs
 github.com/go-git/go-billy/v5/util
-# github.com/go-git/go-git/v5 v5.14.0
+# github.com/go-git/go-git/v5 v5.16.2
 ## explicit; go 1.23.0
 github.com/go-git/go-git/v5
 github.com/go-git/go-git/v5/config
@@ -338,14 +340,14 @@ github.com/go-git/go-git/v5/utils/trace
 # github.com/go-logfmt/logfmt v0.6.0
 ## explicit; go 1.17
 github.com/go-logfmt/logfmt
-# github.com/go-logr/logr v1.4.2
+# github.com/go-logr/logr v1.4.3
 ## explicit; go 1.18
 github.com/go-logr/logr
 github.com/go-logr/logr/funcr
 # github.com/go-logr/stdr v1.2.2
 ## explicit; go 1.16
 github.com/go-logr/stdr
-# github.com/go-viper/mapstructure/v2 v2.2.1
+# github.com/go-viper/mapstructure/v2 v2.4.0
 ## explicit; go 1.18
 github.com/go-viper/mapstructure/v2
 github.com/go-viper/mapstructure/v2/internal/errors
@@ -371,7 +373,7 @@ github.com/google/uuid
 # github.com/gorilla/mux v1.8.1
 ## explicit; go 1.20
 github.com/gorilla/mux
-# github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
+# github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1
 ## explicit; go 1.23.0
 github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule
 github.com/grpc-ecosystem/grpc-gateway/v2/runtime
@@ -379,8 +381,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2/utilities
 # github.com/hashicorp/go-cleanhttp v0.5.2
 ## explicit; go 1.13
 github.com/hashicorp/go-cleanhttp
-# github.com/hashicorp/go-retryablehttp v0.7.7
-## explicit; go 1.19
+# github.com/hashicorp/go-retryablehttp v0.7.8
+## explicit; go 1.23
 github.com/hashicorp/go-retryablehttp
 # github.com/inconshreveable/mousetrap v1.1.0
 ## explicit; go 1.18
@@ -428,7 +430,6 @@ github.com/mattn/go-runewidth
 github.com/mgutz/ansi
 # github.com/miekg/pkcs11 v1.1.1
 ## explicit; go 1.12
-github.com/miekg/pkcs11
 # github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
 ## explicit
 github.com/mitchellh/colorstring
@@ -437,18 +438,26 @@ github.com/mitchellh/colorstring
 # github.com/moby/docker-image-spec v1.3.1
 ## explicit; go 1.18
 github.com/moby/docker-image-spec/specs-go/v1
+# github.com/moby/go-archive v0.1.0
+## explicit; go 1.23.0
+github.com/moby/go-archive
+github.com/moby/go-archive/compression
+github.com/moby/go-archive/tarheader
 # github.com/moby/patternmatcher v0.6.0
 ## explicit; go 1.19
 github.com/moby/patternmatcher
-# github.com/moby/sys/mountinfo v0.6.2
-## explicit; go 1.16
+# github.com/moby/sys/atomicwriter v0.1.0
+## explicit; go 1.18
+github.com/moby/sys/atomicwriter
+# github.com/moby/sys/mountinfo v0.7.2
+## explicit; go 1.17
 # github.com/moby/sys/sequential v0.6.0
 ## explicit; go 1.17
 github.com/moby/sys/sequential
 # github.com/moby/sys/signal v0.7.1
 ## explicit; go 1.17
 github.com/moby/sys/signal
-# github.com/moby/sys/user v0.3.0
+# github.com/moby/sys/user v0.4.0
 ## explicit; go 1.17
 github.com/moby/sys/user
 # github.com/moby/sys/userns v0.1.0
@@ -487,7 +496,7 @@ github.com/opencontainers/image-spec/specs-go/v1
 ## explicit
 # github.com/pelletier/go-toml v1.9.5
 ## explicit; go 1.12
-# github.com/pjbgf/sha1cd v0.3.2
+# github.com/pjbgf/sha1cd v0.4.0
 ## explicit; go 1.21
 github.com/pjbgf/sha1cd
 github.com/pjbgf/sha1cd/internal
@@ -498,22 +507,23 @@ github.com/pkg/errors
 # github.com/pmezard/go-difflib v1.0.0
 ## explicit
 github.com/pmezard/go-difflib/difflib
-# github.com/prometheus/client_golang v1.21.1
-## explicit; go 1.21
+# github.com/prometheus/client_golang v1.23.0
+## explicit; go 1.23.0
 github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil
 github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil/header
 github.com/prometheus/client_golang/prometheus
 github.com/prometheus/client_golang/prometheus/internal
 github.com/prometheus/client_golang/prometheus/promhttp
-# github.com/prometheus/client_model v0.6.1
-## explicit; go 1.19
+github.com/prometheus/client_golang/prometheus/promhttp/internal
+# github.com/prometheus/client_model v0.6.2
+## explicit; go 1.22.0
 github.com/prometheus/client_model/go
-# github.com/prometheus/common v0.63.0
-## explicit; go 1.21
+# github.com/prometheus/common v0.65.0
+## explicit; go 1.23.0
 github.com/prometheus/common/expfmt
 github.com/prometheus/common/model
-# github.com/prometheus/procfs v0.15.1
-## explicit; go 1.20
+# github.com/prometheus/procfs v0.17.0
+## explicit; go 1.23.0
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
@@ -526,7 +536,7 @@ github.com/russross/blackfriday/v2
 # github.com/schollz/progressbar/v3 v3.18.0
 ## explicit; go 1.22
 github.com/schollz/progressbar/v3
-# github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
+# github.com/sergi/go-diff v1.4.0
 ## explicit; go 1.13
 github.com/sergi/go-diff/diffmatchpatch
 # github.com/sirupsen/logrus v1.9.3
@@ -539,7 +549,7 @@ github.com/skeema/knownhosts
 ## explicit; go 1.15
 github.com/spf13/cobra
 github.com/spf13/cobra/doc
-# github.com/spf13/pflag v1.0.6
+# github.com/spf13/pflag v1.0.7
 ## explicit; go 1.12
 github.com/spf13/pflag
 # github.com/stretchr/testify v1.10.0
@@ -548,20 +558,6 @@ github.com/stretchr/testify/assert
 github.com/stretchr/testify/assert/yaml
 # github.com/theupdateframework/notary v0.7.0
 ## explicit; go 1.12
-github.com/theupdateframework/notary
-github.com/theupdateframework/notary/client
-github.com/theupdateframework/notary/client/changelist
-github.com/theupdateframework/notary/cryptoservice
-github.com/theupdateframework/notary/passphrase
-github.com/theupdateframework/notary/storage
-github.com/theupdateframework/notary/trustmanager
-github.com/theupdateframework/notary/trustmanager/yubikey
-github.com/theupdateframework/notary/trustpinning
-github.com/theupdateframework/notary/tuf
-github.com/theupdateframework/notary/tuf/data
-github.com/theupdateframework/notary/tuf/signed
-github.com/theupdateframework/notary/tuf/utils
-github.com/theupdateframework/notary/tuf/validation
 # github.com/xanzy/ssh-agent v0.3.3
 ## explicit; go 1.16
 github.com/xanzy/ssh-agent
@@ -581,39 +577,40 @@ github.com/xo/terminfo
 ## explicit; go 1.22.0
 go.opentelemetry.io/auto/sdk
 go.opentelemetry.io/auto/sdk/internal/telemetry
-# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
+## explicit; go 1.23.0
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil
-# go.opentelemetry.io/otel v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel
 go.opentelemetry.io/otel/attribute
+go.opentelemetry.io/otel/attribute/internal
 go.opentelemetry.io/otel/baggage
 go.opentelemetry.io/otel/codes
-go.opentelemetry.io/otel/internal
-go.opentelemetry.io/otel/internal/attribute
 go.opentelemetry.io/otel/internal/baggage
 go.opentelemetry.io/otel/internal/global
 go.opentelemetry.io/otel/propagation
 go.opentelemetry.io/otel/semconv/v1.20.0
 go.opentelemetry.io/otel/semconv/v1.26.0
-# go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0
-## explicit; go 1.22.0
+go.opentelemetry.io/otel/semconv/v1.34.0
+go.opentelemetry.io/otel/semconv/v1.34.0/httpconv
+# go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/retry
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform
-# go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/exporters/otlp/otlptrace
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform
-# go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/envconfig
@@ -621,42 +618,42 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpcon
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/retry
 # go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0
 ## explicit; go 1.20
-# go.opentelemetry.io/otel/metric v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/metric v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/metric
 go.opentelemetry.io/otel/metric/embedded
 go.opentelemetry.io/otel/metric/noop
-# go.opentelemetry.io/otel/sdk v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/sdk v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/sdk
 go.opentelemetry.io/otel/sdk/instrumentation
 go.opentelemetry.io/otel/sdk/internal/env
 go.opentelemetry.io/otel/sdk/internal/x
 go.opentelemetry.io/otel/sdk/resource
 go.opentelemetry.io/otel/sdk/trace
-# go.opentelemetry.io/otel/sdk/metric v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/sdk/metric v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/sdk/metric
 go.opentelemetry.io/otel/sdk/metric/exemplar
 go.opentelemetry.io/otel/sdk/metric/internal
 go.opentelemetry.io/otel/sdk/metric/internal/aggregate
 go.opentelemetry.io/otel/sdk/metric/internal/x
 go.opentelemetry.io/otel/sdk/metric/metricdata
-# go.opentelemetry.io/otel/trace v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/trace v1.37.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/trace
 go.opentelemetry.io/otel/trace/embedded
 go.opentelemetry.io/otel/trace/internal/telemetry
 go.opentelemetry.io/otel/trace/noop
-# go.opentelemetry.io/proto/otlp v1.5.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/proto/otlp v1.7.1
+## explicit; go 1.23.0
 go.opentelemetry.io/proto/otlp/collector/metrics/v1
 go.opentelemetry.io/proto/otlp/collector/trace/v1
 go.opentelemetry.io/proto/otlp/common/v1
 go.opentelemetry.io/proto/otlp/metrics/v1
 go.opentelemetry.io/proto/otlp/resource/v1
 go.opentelemetry.io/proto/otlp/trace/v1
-# golang.org/x/crypto v0.36.0
+# golang.org/x/crypto v0.41.0
 ## explicit; go 1.23.0
 golang.org/x/crypto/argon2
 golang.org/x/crypto/blake2b
@@ -666,23 +663,21 @@ golang.org/x/crypto/chacha20
 golang.org/x/crypto/cryptobyte
 golang.org/x/crypto/cryptobyte/asn1
 golang.org/x/crypto/curve25519
-golang.org/x/crypto/ed25519
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
-golang.org/x/crypto/pbkdf2
 golang.org/x/crypto/sha3
 golang.org/x/crypto/ssh
 golang.org/x/crypto/ssh/agent
 golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
 golang.org/x/crypto/ssh/knownhosts
-# golang.org/x/exp v0.0.0-20250305212735-054e65f0b394
+# golang.org/x/exp v0.0.0-20250811191247-51f88131bc50
 ## explicit; go 1.23.0
 golang.org/x/exp/slices
 golang.org/x/exp/slog
 golang.org/x/exp/slog/internal
 golang.org/x/exp/slog/internal/buffer
-# golang.org/x/net v0.37.0
+# golang.org/x/net v0.43.0
 ## explicit; go 1.23.0
 golang.org/x/net/context
 golang.org/x/net/http/httpguts
@@ -694,10 +689,10 @@ golang.org/x/net/internal/socks
 golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
-# golang.org/x/sync v0.12.0
+# golang.org/x/sync v0.16.0
 ## explicit; go 1.23.0
 golang.org/x/sync/errgroup
-# golang.org/x/sys v0.31.0
+# golang.org/x/sys v0.35.0
 ## explicit; go 1.23.0
 golang.org/x/sys/cpu
 golang.org/x/sys/execabs
@@ -705,10 +700,10 @@ golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
-# golang.org/x/term v0.30.0
+# golang.org/x/term v0.34.0
 ## explicit; go 1.23.0
 golang.org/x/term
-# golang.org/x/text v0.23.0
+# golang.org/x/text v0.28.0
 ## explicit; go 1.23.0
 golang.org/x/text/cases
 golang.org/x/text/internal
@@ -721,18 +716,18 @@ golang.org/x/text/transform
 golang.org/x/text/unicode/bidi
 golang.org/x/text/unicode/norm
 golang.org/x/text/width
-# golang.org/x/time v0.11.0
+# golang.org/x/time v0.12.0
 ## explicit; go 1.23.0
 golang.org/x/time/rate
-# google.golang.org/genproto/googleapis/api v0.0.0-20250313205543-e70fdf4c4cb4
+# google.golang.org/genproto/googleapis/api v0.0.0-20250811230008-5f3141c8851a
 ## explicit; go 1.23.0
 google.golang.org/genproto/googleapis/api/httpbody
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a
 ## explicit; go 1.23.0
 google.golang.org/genproto/googleapis/rpc/errdetails
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.71.0
-## explicit; go 1.22.0
+# google.golang.org/grpc v1.74.2
+## explicit; go 1.23.0
 google.golang.org/grpc
 google.golang.org/grpc/attributes
 google.golang.org/grpc/backoff
@@ -795,8 +790,8 @@ google.golang.org/grpc/serviceconfig
 google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
-# google.golang.org/protobuf v1.36.5
-## explicit; go 1.21
+# google.golang.org/protobuf v1.36.7
+## explicit; go 1.22
 google.golang.org/protobuf/encoding/protodelim
 google.golang.org/protobuf/encoding/protojson
 google.golang.org/protobuf/encoding/prototext