Skip to content

Update module github.com/stacklok/toolhive to v0.33.0#195

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-stacklok-toolhive-0.x
Open

Update module github.com/stacklok/toolhive to v0.33.0#195
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github.com-stacklok-toolhive-0.x

Conversation

@renovate

@renovate renovate Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/stacklok/toolhive v0.30.0v0.33.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.33.0

Compare Source

What's Changed

Full Changelog: stacklok/toolhive@v0.32.0...v0.33.0

v0.32.0

Compare Source

🚀 Toolhive v0.32.0 is live!

This release advances vMCP cross-application authentication — adding the XAA (Cross-Application Access) outgoing-auth strategy, the OBO strategy seam, and upstream ID-token propagation — alongside meaningful security hardening (Origin/DNS-rebind protection and a credential-passthrough fix) and a batch of operator and proxy robustness fixes.

⚠️ Breaking Changes

  • Origin validation & SSE CORS hardening — ToolHive now validates the HTTP Origin header (MCP 2025-11-25 DNS-rebind protection) and removed the insecure Access-Control-Allow-Origin: * from the legacy SSE transport. Default local (loopback) usage is unaffected; only browser clients on a non-http://localhost origin need action via the new --allowed-origins flag (migration guide) (#​4908).
  • vMCP Go embedders: server.New signature changedpkg/vmcp/server.New dropped its discovery.Manager parameter (7 → 6 args) and the pkg/vmcp/discovery package was removed. CLI, operator, and API behavior are unchanged; only out-of-tree code importing the vMCP library must update its call (migration guide) (#​5627).
Migration guide: Origin validation & SSE CORS hardening

Who is affected: Only browser-based MCP clients that make cross-origin requests to ToolHive's SSE transport from an origin that is not http://localhost:<port> / http://127.0.0.1:<port> (for example, a web app served over HTTPS or from a custom hostname). Non-browser clients (IDEs, CLIs, MCP SDK clients) do not send an Origin header and are unaffected. Loopback binds (the default 127.0.0.1) auto-derive a matching local allowlist, so default local usage continues to work. Non-loopback binds without --allowed-origins are not enforced — a warning is logged instead.

Before
# Relied on the implicit Access-Control-Allow-Origin: * wildcard
thv run --transport sse some/mcp-server
After
# Explicitly allow the browser origin that needs cross-origin access
thv run --transport sse --allowed-origins https://my-web-app.example.com some/mcp-server

# The same flag is available on thv proxy:
thv proxy --allowed-origins https://my-web-app.example.com ...
Migration steps
  1. Determine whether any client reaches ToolHive's SSE endpoint cross-origin from a browser. If not, no action is needed.
  2. For each such origin, pass --allowed-origins=<scheme>://<host>:<port> on thv run / thv proxy. The flag is repeatable for multiple origins; matching is exact on scheme + host + port.
  3. Consider migrating browser clients off the legacy SSE transport to the streamable-HTTP transport.

PR: #​4908

Migration guide: vMCP server.New signature change

Who is affected: Only out-of-tree Go code that imports github.com/stacklok/toolhive/pkg/vmcp/server and calls server.New directly (e.g. vMCP library embedders). All in-tree callers were updated in the same PR. There is no impact for CLI, operator, or API consumers.

Before
mgr := discovery.NewManager(agg)
srv, err := server.New(ctx, cfg, router, backendClient, mgr, backendRegistry, workflowDefs)
After
// discovery.Manager is removed; capability discovery is now the core's responsibility.
srv, err := server.New(ctx, cfg, router, backendClient, backendRegistry, workflowDefs)
Migration steps
  1. Remove the discovery.Manager argument from your server.New call (and delete the discovery.NewManager(...) construction).
  2. Ensure Config.Aggregator is set — the core now rejects a nil aggregator.
  3. If you set Config.AuthzMiddleware, also set Config.Authz; the combination without Authz now returns ErrInvalidConfig instead of silently allowing all requests.

PR: #​5627

🆕 New Features

  • New XAA (Cross-Application Access) outgoing auth strategy implementing the ID-JAG two-step token exchange (RFC 8693 → RFC 7523) for lazy per-backend cross-application access tokens (#​5684).
  • Surface upstream ID tokens through the auth middleware, consolidating upstream credential retrieval into a single bulk lookup that carries both access and ID tokens (#​5682).
  • Added the vMCP OBO (on-behalf-of) strategy seam — a new optional OBO field on BackendAuthStrategy plus strategy registration and override hook (#​5624).
  • The vMCP optimizer can now use an OpenAI-compatible embedding client via the optional embeddingProvider/embeddingModel config fields (defaults to TEI, so existing configs are unchanged) (#​5633).
  • Added insecureAllowHTTP to EmbeddedAuthServerConfig so VirtualMCPServer deployers can explicitly allow an http:// issuer for in-cluster hosts, with admission-time validation instead of a proxyrunner crash (#​5671).
  • The operator Helm chart now prints a post-install NOTES.txt with verification commands, a minimal MCPServer example, and documentation links (#​5656).

🐛 Bug Fixes

  • vMCP now returns HTTP 401 + WWW-Authenticate (RFC 6750) when an upstream provider token is expired and cannot be refreshed, letting clients re-authenticate instead of receiving an opaque error (#​5651).
  • Security: the upstreamswap custom header strategy no longer forwards the client's ToolHive JWT in Authorization to the backend; the upstream IdP token is still delivered in the configured custom header (#​5661).
  • MCPRemoteProxy now mounts and validates the referenced OIDC CA bundle ConfigMap, fixing silent TLS failures and surfacing a CABundleRefValidated status condition (#​5630).
  • Concurrent upstream-token refreshes are now deduplicated on a shared refresher, preventing spurious upstream logouts on IdPs with refresh-token rotation + reuse detection (#​5635).
  • The operator no longer perpetually reconciles MCPServers using Redis session storage with a password ref — deploymentNeedsUpdate now mirrors the Redis password env var (#​5639).
  • Container-internal target ports are no longer validated against host availability, so SSE/streamable-HTTP workloads keep their registry-defined target port (#​5638).
  • Remote proxies now set X-Forwarded-Proto to the upstream scheme, fixing infinite redirect loops when MCPRemoteProxy runs behind a TLS-terminating load balancer (#​5646).
  • Upstream-token refresh now fails closed when a rotated refresh token can't be persisted, deleting the stale row instead of stranding a poisoned token (#​5636).
  • A typed-nil *Identity stored in the request context is now treated as absent, restoring vMCP fallback identity injection and preventing nil-deref panics (#​5653).
  • VirtualMCPServer now always applies its PodTemplateSpec strategic merge patch, so fields like runtimeClassName, topologySpreadConstraints, and hostNetwork are no longer silently dropped (#​5641).
  • RestoreSession no longer fabricates a partial identity, and session restore now threads the authenticated request context, fixing cross-pod Redis failover with upstream-auth strategies (#​5650).
  • DetachedEnvVarValidator no longer rejects optional secret env vars left blank, fixing spurious "missing required secret" errors when installing registry servers via ToolHive Studio (#​5689).

🧹 Misc

  • Landed Phase 2 of the plugin lifecycle epic — new pkg/plugins / pluginsvc packages, validation, and storage migration (no user-facing surface yet) (#​5676).
  • Removed the now-unreachable legacy vMCP discovery seam and default router (#​5627).
  • Removed redundant stale-ref scans from config controller watches, relying on controller-runtime's old+new object enqueue (−648 lines) (#​5626).
  • Removed redundant annotation-based reconcile triggers in config controllers and added the missing MCPToolConfig watch (#​5629).
  • Added unit + E2E test coverage for --allow-docker-gateway deny/allow behavior (#​5644).
  • Added E2E test infrastructure for upstreamInject identity propagation after cross-pod Redis restore, plus several embedded-auth-server in-cluster fixes (#​5660).
  • Expanded CONTRIBUTING guidelines with good-first-issue and good-tenth-issue descriptions (#​5634).

📦 Dependencies

Module Version
github.com/stacklok/toolhive-catalog v0.20260629.0
anthropics/claude-code-action v1.0.159 (digest a92e7c7)
actions/create-github-app-token v3.2.0
alpine (Docker tag) v3.24.1
Core workflow actions (updated)
Setup and language actions (updated)

👋 Welcome to our newest contributors: @​syf2211 and @​claude[bot] 🎉

Full commit log

What's Changed

New Contributors

Full Changelog: stacklok/toolhive@v0.31.0...v0.32.0

🔗 Full changelog: stacklok/toolhive@v0.31.0...v0.32.0

v0.31.0

Compare Source

What's Changed

Full Changelog: stacklok/toolhive@v0.30.1...v0.31.0

v0.30.1

Compare Source

📝 Generated release notes for v0.30.1


🚀 Toolhive v0.30.1 is live!

A security-and-resilience focused release: local MCP servers now isolate their network by default, shared MCPAuthzConfig references are enforced end-to-end across every workload kind, OAuth-backed workloads self-recover from transient refresh failures, and OIDC gains per-provider subject-claim selection — alongside the continuing vMCP interface refactor.

⚠️ Breaking & Behavior Changes

  • Network isolation is now ON by default for local MCP serversthv run and REST-API-created workloads now isolate the container network from the host unless you opt out; servers that reach the host, do proxy-unaware/non-HTTP outbound, or run offline may need action (migration guide) (#​5583)
  • A non-Cedar authzConfigRef on a VirtualMCPServer now fails reconciliation — the reference is finally enforced at runtime, but because vMCP authz is Cedar-only, a ref to a non-cedarv1 MCPAuthzConfig (previously a silent no-op) now sets AuthzConfigRefValidated=False and stops updating the workload (migration guide) (#​5580)

Migration guide: Network isolation default flip

Who is affected: thv run users and REST API (thv serve) consumers whose servers talk to the host (e.g. host.docker.internal), do non-HTTP or proxy-unaware outbound (notably some Node/npx servers), run under a restrictive permission profile, or run in constrained/offline environments. Already-running servers are unaffected until restarted. Kubernetes/operator behavior is unchanged — the operator does not consume this flag or field.

Before (v0.30.0)
thv run my-server                       # network isolation OFF (old default)
thv run --isolate-network my-server     # explicit opt-in
After (v0.30.1)
thv run my-server                          # network isolation ON (new default)
thv run --isolate-network=false my-server  # opt out — restores old behavior
thv run --allow-docker-gateway my-server   # keep isolation, allow host gateway (host.docker.internal)

For the REST API, the network_isolation field changed from bool to an optional *bool — an omitted field now means enabled:

// Before: omitting the field meant isolation OFF
{ "name": "my-server", "image": "..." }

// After: omitting the field means isolation ON; send false explicitly to opt out
{ "name": "my-server", "image": "...", "network_isolation": false }
Migration steps
  1. For any local server that must reach the host or relies on proxy-unaware outbound, add --isolate-network=false (full opt-out) or --allow-docker-gateway (keep isolation, allow the host gateway).
  2. REST API consumers: regenerate clients from the updated swagger; send "network_isolation": false explicitly for workloads that must not be isolated.
  3. Update/PUT requests built from scratch must include network_isolation explicitly — omitting it will enable isolation on a workload that previously had it off (round-trip GET→modify→PUT clients are unaffected, since GET always returns an explicit value).

PR: #​5583

Migration guide: VirtualMCPServer non-Cedar authzConfigRef

Who is affected: Operator users with an existing VirtualMCPServer whose spec.incomingAuth.authzConfigRef points at an MCPAuthzConfig of a type other than cedarv1 (e.g. a CEL config). Previously such a reference was a documented no-op and reconciled cleanly while silently enforcing no authorization. It now fails reconciliation. References to a cedarv1 config, inline spec.incomingAuth.authzConfig, or no ref at all are unaffected. The CRD schema is unchanged (only the authzConfigRef field description was updated).

Before
apiVersion: toolhive.stacklok.dev/v1beta1
kind: VirtualMCPServer
metadata:
  name: my-vmcp
spec:
  incomingAuth:
    authzConfigRef:
      name: my-cel-authz   # non-cedarv1 MCPAuthzConfig → previously inert, now rejected
After
apiVersion: toolhive.stacklok.dev/v1beta1
kind: MCPAuthzConfig
metadata:
  name: my-cedar-authz
spec:
  type: cedarv1
  # ... cedar policies ...
---
apiVersion: toolhive.stacklok.dev/v1beta1
kind: VirtualMCPServer
metadata:
  name: my-vmcp
spec:
  incomingAuth:
    authzConfigRef:
      name: my-cedar-authz   # cedarv1 → resolved and enforced
Migration steps
  1. List affected resources: kubectl get virtualmcpserver -A -o json | jq -r '.items[] | select(.spec.incomingAuth.authzConfigRef != null) | "\(.metadata.namespace)/\(.metadata.name) -> \(.spec.incomingAuth.authzConfigRef.name)"'.
  2. For each referenced MCPAuthzConfig, check spec.type. If it is cedarv1, no action is needed.
  3. If it is anything else, your authorization was never actually enforced. Convert the policy to a cedarv1 MCPAuthzConfig and point the ref at it, or move it inline under spec.incomingAuth.authzConfig (Cedar). These two are mutually exclusive.
  4. To run with no incoming authorization, remove authzConfigRef entirely (the controller clears the hash and condition).
  5. After upgrade, confirm AuthzConfigRefValidated=True and Ready=True. Note: an already-running pod keeps its last-applied policy (fail-stale, not fail-open).

PR: #​5580 — Part of #​4778

🆕 New Features

  • Shared MCPAuthzConfig references (spec.authzConfigRef) are now resolved and enforced at runtime across MCPServer and MCPRemoteProxy (backend-agnostic: cedarv1 and httpv1) and VirtualMCPServer (Cedar-only), instead of being reference-tracked no-ops (#​5563, #​5564, #​5580, foundation #​5559)
  • OIDC upstreams accept an optional subjectClaim (Go config and subjectClaim on the CRD) to select which validated ID-token claim is the subject — fixing IdPs where sub isn't stable, such as Entra/Azure AD's rotating sub (use oid) (#​5589)
  • The operator can configure a global default Redis/Valkey session store once via operator.defaultRedis (or global.redis in an umbrella chart); workloads without an explicit spec.sessionStorage fall back to it, and per-CR storage always wins (#​5595)
  • The operator now emits Kubernetes Event objects from the MCPOIDCConfig, MCPExternalAuthConfig, and MCPAuthzConfig controllers, so kubectl describe shows why a config was rejected or which workloads block its deletion (#​5514)
  • New WithDialControl option on the vMCP NewHTTPBackendClient lets embedders install a per-connection dialer hook for SSRF / DNS-rebinding defense without abandoning the built-in auth registry and RoundTripper chain (#​5551)
  • New public NewKubernetesBackendRegistry constructor gives embedders one-call, live Kubernetes-driven backend discovery without importing the vMCP watch substrate (#​5542)
  • New PlatformUserID field on auth.PrincipalInfo and an exported NewEmbeddedAuthServerWithStorage constructor lay the OSS groundwork for per-user-keyed upstream token storage (no runtime change for standalone OSS) (#​5575)

🐛 Bug Fixes

  • OAuth-backed workloads now self-recover from transient token-refresh failures (e.g. a VPN drop or network-context change) via a new auth_retrying status with tunable cadence and ceiling, instead of going permanently dead (#​5350)
  • The LLM gateway token refresh window is now synced with Claude Code's helper TTL, eliminating the occasional 401 blip at the hourly token boundary (#​5557)
  • The runner readiness probe now accepts 401/403 from the local proxy when OIDC auth is configured, so auth-protected workloads become ready immediately instead of hanging for the full 5-minute timeout (#​5554)
  • Operator-managed pods now satisfy the restricted Pod Security Standard on all platforms — seccompProfile: RuntimeDefault and capabilities.drop: [ALL] are set in the base security context, not just on OpenShift (#​5555)
  • thv stop and thv rm now free an orphaned proxy port and stop the proxy even when the workload's status file is missing, instead of silently leaving a port-holding process (#​5394)
  • Allowlisted passthrough headers (e.g. X-Api-Key) are once again forwarded to backends on the vMCP Serve path, fixing a regression from the legacy path (#​5561)
  • The MCPOIDCConfig controller is now the sole owner of its ReferencingWorkloads status, removing a merge-patch-vs-PUT clobber hazard and an append-only staleness bug (#​5544)
  • OBO SecretEnvVars are now wired into MCPServer and MCPRemoteProxy (previously only VirtualMCPServer), so OBO middleware can read its credential at startup in builds with a registered handler (inert in stock builds) (#​5540)

🧹 Misc

  • Removed the experimental, unauthenticated embedded MCP control-plane server — the thv mcp serve command and thv serve --experimental-mcp* flags are gone; use the authenticated REST/OpenAPI API instead (thv mcp call / thv mcp list debug commands are retained) (#​5591)
  • Routed vmcp server construction through the domain core (core.New + Serve) as the single live path; no CLI/operator change, but out-of-tree Go embedders of pkg/vmcp/server must now supply Config.Aggregator and use Config.Authz rather than Config.AuthzMiddleware (#​5556)
  • Wired the tool optimizer onto the Serve path so --enable-optimizer keeps advertising find_tool/call_tool once server.New routes through Serve (#​5543)
  • Migrated operator test fixtures to the shared v1beta1test builder and added reconciler/scheme test helpers across MCPServer, MCPRemoteProxy, EmbeddingServer, and VirtualMCPServer (#​5565, #​5566, #​5576, #​5578, #​5579, #​5577, #​5584)
  • Added MCPServer and MCPToolConfig integration tests (#​5593)
  • Isolated TestWorkloadFromContainerInfo state writes and fixed a data race in TestMCPAuthzConfigReconciler_watchHandlers (#​5549, #​5558)
  • Minted the Homebrew tap token from a GitHub App and replaced the retest action with an inline gh api script (#​5552, #​5548)
  • Removed broken image links from SECURITY.md and fixed a contributing-guide link (#​5547, #​5587)

📦 Dependencies

Module Version
github.com/stacklok/toolhive-core v0.0.25
go.mongodb.org/mongo-driver v1.17.9
github.com/google/go-containerregistry v0.21.7
github.com/shirou/gopsutil/v4 v4.26.5
github.com/redis/go-redis/v9 v9.20.1
github.com/stacklok/toolhive-catalog v0.20260623.0
golangci/golangci-lint-action v9.2.1
anthropics/claude-code-action 2fee155
security scanning & signing actions v4.1.2
release & publishing actions (updated)

👋 Welcome to our newest contributor: @​kriptoburak 🎉

Full commit log

What's Changed

New Contributors

Full Changelog: stacklok/toolhive@v0.30.0...v0.30.1

🔗 Full changelog: stacklok/toolhive@v0.30.0...v0.30.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/shirou/gopsutil/v4 v4.26.3 -> v4.26.5

@renovate renovate Bot force-pushed the renovate/github.com-stacklok-toolhive-0.x branch from 5800e36 to 901cce6 Compare June 24, 2026 22:35
@renovate renovate Bot changed the title Update module github.com/stacklok/toolhive to v0.30.1 Update module github.com/stacklok/toolhive to v0.31.0 Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/github.com-stacklok-toolhive-0.x branch 2 times, most recently from 43b2f9d to 889c5ed Compare June 30, 2026 18:50
@renovate renovate Bot changed the title Update module github.com/stacklok/toolhive to v0.31.0 Update module github.com/stacklok/toolhive to v0.32.0 Jun 30, 2026
@renovate

renovate Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading github.com/adrg/xdg v0.5.3
go: downloading github.com/google/go-containerregistry v0.21.7
go: downloading github.com/spf13/cobra v1.10.2
go: downloading github.com/stacklok/go-microvm v0.0.37
go: downloading go.opentelemetry.io/otel v1.44.0
go: downloading go.opentelemetry.io/otel/sdk v1.44.0
go: downloading github.com/stretchr/testify v1.11.1
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/sergi/go-diff v1.4.0
go: downloading golang.org/x/sync v0.21.0
go: downloading github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
go: downloading github.com/stacklok/toolhive-core v0.0.26
go: downloading github.com/stacklok/toolhive v0.33.0
go: downloading go.uber.org/zap v1.28.0
go: downloading github.com/cedar-policy/cedar-go v1.8.0
go: downloading charm.land/lipgloss/v2 v2.0.4
go: downloading charm.land/glamour/v2 v2.0.1
go: downloading github.com/pelletier/go-toml/v2 v2.4.2
go: downloading golang.org/x/crypto v0.53.0
go: downloading golang.org/x/sys v0.46.0
go: downloading golang.org/x/term v0.44.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.44.0
go: downloading github.com/gofrs/flock v0.13.0
go: downloading go.opentelemetry.io/otel/trace v1.44.0
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/spf13/pflag v1.0.10
go: downloading github.com/go-logr/logr v1.4.3
go: downloading go.opentelemetry.io/otel/metric v1.44.0
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
go: downloading github.com/elastic/go-seccomp-bpf v1.6.0
go: downloading github.com/cenkalti/backoff/v5 v5.0.3
go: downloading github.com/golang-jwt/jwt/v5 v5.3.1
go: downloading github.com/lestrrat-go/httprc/v3 v3.0.6
go: downloading github.com/lestrrat-go/jwx/v3 v3.0.13
go: downloading golang.org/x/oauth2 v0.36.0
go: downloading golang.org/x/time v0.15.0
go: downloading k8s.io/apimachinery v0.35.3
go: downloading k8s.io/client-go v0.35.3
go: downloading sigs.k8s.io/controller-runtime v0.23.3
go: downloading github.com/hashicorp/golang-lru/v2 v2.0.7
go: downloading github.com/mark3labs/mcp-go v0.55.0
go: downloading dario.cat/mergo v1.0.2
go: downloading github.com/xeipuuv/gojsonschema v1.2.0
go: downloading go.uber.org/multierr v1.11.0
go: downloading golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
go: downloading github.com/charmbracelet/colorprofile v0.4.3
go: downloading github.com/charmbracelet/ultraviolet v0.0.0-20251205161215-1948445e3318
go: downloading github.com/charmbracelet/x/ansi v0.11.7
go: downloading github.com/charmbracelet/x/term v0.2.2
go: downloading github.com/clipperhouse/displaywidth v0.11.0
go: downloading github.com/lucasb-eyer/go-colorful v1.4.0
go: downloading github.com/rivo/uniseg v0.4.7
go: downloading github.com/yuin/goldmark v1.7.8
go: downloading github.com/yuin/goldmark-emoji v1.0.5
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/containers/gvisor-tap-vsock v0.8.9
go: downloading github.com/docker/cli v29.6.0+incompatible
go: downloading github.com/moby/docker-image-spec v1.3.1
go: downloading github.com/moby/moby/api v1.54.2
go: downloading github.com/moby/moby/client v0.4.1
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading go.opentelemetry.io/auto/sdk v1.2.1
go: downloading github.com/vishvananda/netlink v1.3.1
go: downloading github.com/creack/pty v1.1.24
go: downloading golang.org/x/net v0.56.0
go: downloading github.com/lestrrat-go/blackmagic v1.0.4
go: downloading github.com/lestrrat-go/httpcc v1.0.1
go: downloading github.com/lestrrat-go/option/v2 v2.0.0
go: downloading github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0
go: downloading github.com/shirou/gopsutil/v4 v4.26.5
go: downloading github.com/ory/fosite v0.49.0
go: downloading golang.org/x/exp/jsonrpc2 v0.0.0-20260611194520-c48552f49976
go: downloading k8s.io/api v0.35.3
go: downloading k8s.io/apiextensions-apiserver v0.35.0
go: downloading k8s.io/utils v0.0.0-20260319190234-28399d86e0b5
go: downloading sigs.k8s.io/randfill v1.0.0
go: downloading k8s.io/klog/v2 v2.140.0
go: downloading k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
go: downloading sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482
go: downloading github.com/evanphx/json-patch/v5 v5.9.11
go: downloading sigs.k8s.io/yaml v1.6.0
go: downloading github.com/google/jsonschema-go v0.4.2
go: downloading github.com/spf13/cast v1.10.0
go: downloading github.com/yosida95/uritemplate/v3 v3.0.2
go: downloading github.com/go-jose/go-jose/v3 v3.0.5
go: downloading github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415
go: downloading github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
go: downloading github.com/redis/go-redis/v9 v9.21.0
go: downloading github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd
go: downloading github.com/tidwall/gjson v1.18.0
go: downloading github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e
go: downloading github.com/charmbracelet/x/termios v0.1.1
go: downloading github.com/charmbracelet/x/windows v0.2.2
go: downloading github.com/muesli/cancelreader v0.2.2
go: downloading github.com/clipperhouse/uax29/v2 v2.7.0
go: downloading github.com/mattn/go-runewidth v0.0.23
go: downloading github.com/alecthomas/chroma/v2 v2.14.0
go: downloading github.com/charmbracelet/x/exp/slice v0.0.0-20250327172914-2fdc97757edf
go: downloading github.com/microcosm-cc/bluemonday v1.0.27
go: downloading golang.org/x/text v0.38.0
go: downloading github.com/inetaf/tcpproxy v0.0.0-20250222171855-c4b9df066048
go: downloading github.com/sirupsen/logrus v1.9.4
go: downloading gvisor.dev/gvisor v0.0.0-20240916094835-a174eb65023f
go: downloading github.com/miekg/dns v1.1.72
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/opencontainers/image-spec v1.1.1
go: downloading github.com/Microsoft/go-winio v0.6.2
go: downloading github.com/containerd/errdefs v1.0.0
go: downloading github.com/containerd/errdefs/pkg v0.3.0
go: downloading github.com/distribution/reference v0.6.0
go: downloading github.com/docker/go-connections v0.7.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0
go: downloading github.com/vishvananda/netns v0.0.5
go: downloading github.com/segmentio/asm v1.2.1
go: downloading github.com/goccy/go-json v0.10.5
go: downloading github.com/go-jose/go-jose/v4 v4.1.4
go: downloading github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55
go: downloading github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
go: downloading github.com/dgraph-io/ristretto v1.0.0
go: downloading github.com/golang/mock v1.7.0-rc.1
go: downloading github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
go: downloading github.com/hashicorp/go-retryablehttp v0.7.8
go: downloading github.com/mattn/goveralls v0.0.12
go: downloading github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
go: downloading github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe
go: downloading github.com/ory/go-convenience v0.1.0
go: downloading github.com/ory/x v0.0.665
go: downloading github.com/pkg/errors v0.9.1
go: downloading golang.ngrok.com/ngrok/v2 v2.1.4
go: downloading golang.org/x/exp/event v0.0.0-20260603202125-055de637280b
go: downloading golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
go: downloading github.com/json-iterator/go v1.1.12
go: downloading go.yaml.in/yaml/v2 v2.4.4
go: downloading github.com/aws/aws-sdk-go-v2 v1.42.0
go: downloading github.com/aws/aws-sdk-go-v2/config v1.32.25
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.43.3
go: downloading github.com/google/cel-go v0.28.1
go: downloading github.com/1password/onepassword-sdk-go v0.3.1
go: downloading github.com/zalando/go-keyring v0.2.8
go: downloading github.com/go-chi/chi/v5 v5.3.0
go: downloading github.com/coreos/go-oidc/v3 v3.18.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.44.0
go: downloading github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb
go: downloading github.com/getsentry/sentry-go v0.44.1
go: downloading github.com/getsentry/sentry-go/otel v0.44.1
go: downloading go.starlark.net v0.0.0-20260630144053-529d8e869a14
go: downloading modernc.org/sqlite v1.49.1
go: downloading github.com/tidwall/match v1.1.1
go: downloading github.com/tidwall/pretty v1.2.1
go: downloading github.com/modelcontextprotocol/registry v1.7.9
go: downloading github.com/tklauser/go-sysconf v0.3.16
go: downloading github.com/dlclark/regexp2 v1.11.0
go: downloading github.com/aymerick/douceur v0.2.0
go: downloading github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91
go: downloading github.com/apparentlymart/go-cidr v1.1.1
go: downloading github.com/google/gopacket v1.1.19
go: downloading github.com/google/btree v1.1.3
go: downloading golang.org/x/tools v0.46.0
go: downloading github.com/docker/docker-credential-helpers v0.9.5
go: downloading github.com/klauspost/compress v1.18.7
go: downloading github.com/docker/go-units v0.5.0
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading github.com/ebitengine/purego v0.10.0
go: downloading github.com/yusufpapurcu/wmi v1.2.4
go: downloading golang.org/x/mod v0.37.0
go: downloading github.com/hashicorp/go-cleanhttp v0.5.2
go: downloading go.opentelemetry.io/contrib/propagators/b3 v1.21.0
go: downloading go.opentelemetry.io/contrib/propagators/jaeger v1.21.1
go: downloading go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1
go: downloading go.opentelemetry.io/otel/exporters/jaeger v1.17.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
go: downloading go.opentelemetry.io/otel/exporters/zipkin v1.21.0
go: downloading golang.ngrok.com/muxado/v2 v2.0.1
go: downloading github.com/google/gnostic-models v0.7.0
go: downloading google.golang.org/protobuf v1.36.11
go: downloading github.com/fxamacker/cbor/v2 v2.9.0
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee
go: downloading go.yaml.in/yaml/v3 v3.0.4
go: downloading github.com/go-openapi/jsonreference v0.21.6
go: downloading github.com/go-openapi/swag v0.26.0
go: downloading github.com/aws/smithy-go v1.27.1
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.19.24
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.29
go: downloading github.com/aws/aws-sdk-go-v2/service/signin v1.2.0
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.31.3
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.6
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.29
go: downloading github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.30
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.12
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.29
go: downloading cel.dev/expr v0.25.1
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa
go: downloading github.com/danieljoos/wincred v1.2.3
go: downloading github.com/godbus/dbus/v5 v5.2.2
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0
go: downloading github.com/prometheus/client_golang v1.23.2
go: downloading go.opentelemetry.io/otel/exporters/prometheus v0.65.0
go: downloading go.uber.org/atomic v1.11.0
go: downloading modernc.org/libc v1.72.1
go: downloading oras.land/oras-go/v2 v2.6.1
go: downloading github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0
go: downloading github.com/tklauser/numcpus v0.11.0
go: downloading github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
go: downloading github.com/gorilla/css v1.0.1
go: downloading github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701
go: downloading github.com/go-ole/go-ole v1.2.6
go: downloading github.com/dustin/go-humanize v1.0.1
go: downloading github.com/spf13/viper v1.21.0
go: downloading github.com/gobuffalo/pop/v6 v6.1.1
go: downloading github.com/seatgeek/logrus-gelf-formatter v0.0.0-20210414080842-5b05eb8ff761
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading go.opentelemetry.io/proto/otlp v1.10.0
go: downloading github.com/openzipkin/zipkin-go v0.4.2
go: downloading github.com/jpillora/backoff v1.0.0
go: downloading github.com/x448/float16 v0.8.4
go: downloading github.com/go-openapi/jsonpointer v0.23.1
go: downloading github.com/go-openapi/swag/cmdutils v0.26.0
go: downloading github.com/go-openapi/swag/conv v0.26.0
go: downloading github.com/go-openapi/swag/fileutils v0.26.0
go: downloading github.com/go-openapi/swag/jsonname v0.26.0
go: downloading github.com/go-openapi/swag/jsonutils v0.26.0
go: downloading github.com/go-openapi/swag/loading v0.26.0
go: downloading github.com/go-openapi/swag/mangling v0.26.0
go: downloading github.com/go-openapi/swag/netutils v0.26.0
go: downloading github.com/go-openapi/swag/stringutils v0.26.0
go: downloading github.com/go-openapi/swag/typeutils v0.26.0
go: downloading github.com/go-openapi/swag/yamlutils v0.26.0
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.29
go: downloading github.com/antlr4-go/antlr/v4 v4.13.1
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260523011958-0a33c5d7ca68
go: downloading github.com/extism/go-sdk v1.7.0
go: downloading github.com/tetratelabs/wazero v1.9.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/prometheus/common v0.67.5
go: downloading github.com/prometheus/procfs v0.20.1
go: downloading github.com/prometheus/otlptranslator v1.0.0
go: downloading github.com/mattn/go-isatty v0.0.21
go: downloading github.com/ncruces/go-strftime v1.0.0
go: downloading modernc.org/mathutil v1.7.1
go: downloading modernc.org/memory v1.11.0
go: downloading github.com/pierrec/lz4/v4 v4.1.26
go: downloading github.com/cristalhq/jwt/v4 v4.0.2
go: downloading github.com/fsnotify/fsnotify v1.9.0
go: downloading github.com/go-viper/mapstructure/v2 v2.5.0
go: downloading github.com/sagikazarmark/locafero v0.11.0
go: downloading github.com/spf13/afero v1.15.0
go: downloading google.golang.org/grpc v1.81.1
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0
go: downloading gopkg.in/evanphx/json-patch.v4 v4.13.0
go: downloading github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a
go: downloading github.com/gobwas/glob v0.2.3
go: downloading github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec
go: downloading github.com/moby/spdystream v0.5.1
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/emicklei/go-restful/v3 v3.12.2
go: downloading github.com/ianlancetaylor/demangle v0.0.0-20250417193237-f615e6bd150b
go: downloading github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834
go: downloading github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
go: github.com/stacklok/brood-box/internal/infra/mcp imports
	github.com/stacklok/toolhive/pkg/vmcp/discovery: cannot find module providing package github.com/stacklok/toolhive/pkg/vmcp/discovery
go: warning: github.com/dgraph-io/ristretto@v1.0.0: retracted by module author: we retract v1.0.0 because v0.2.0 is not backwards compatible with v1.0.0.
go: to switch to the latest unretracted version, run:
	go get github.com/dgraph-io/ristretto@latest

@renovate renovate Bot force-pushed the renovate/github.com-stacklok-toolhive-0.x branch from 889c5ed to 921f95f Compare July 1, 2026 22:58
@renovate renovate Bot changed the title Update module github.com/stacklok/toolhive to v0.32.0 Update module github.com/stacklok/toolhive to v0.33.0 Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/github.com-stacklok-toolhive-0.x branch from 921f95f to 92d6f03 Compare July 2, 2026 04:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants