diff --git a/go.mod b/go.mod
index bfaad3dd9f0..d423ca1cbe0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module github.com/tektoncd/pipeline
 
 go 1.22
-toolchain go1.22.5
-
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ahmetb/gen-crd-api-reference-docs v0.3.1-0.20220720053627-e327d0730470 // Waiting for https://github.com/ahmetb/gen-crd-api-reference-docs/pull/43/files to merge
@@ -10,7 +8,7 @@ require (
 	github.com/containerd/containerd v1.7.20
 	github.com/go-git/go-git/v5 v5.12.0
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.19.2
+	github.com/google/go-containerregistry v0.20.2
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1
@@ -25,7 +23,7 @@ require (
 	github.com/tektoncd/plumbing v0.0.0-20220817140952-3da8ce01aeeb
 	go.opencensus.io v0.24.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc
+	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
 	golang.org/x/oauth2 v0.22.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	k8s.io/api v0.29.6
@@ -45,7 +43,7 @@ require (
 	github.com/google/cel-go v0.20.1
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240108195214-a0658aa1d0cc
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4
-	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.4
+	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.9
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.4
 	github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.4
 	go.opentelemetry.io/otel v1.28.0
@@ -76,9 +74,9 @@ require (
 	cloud.google.com/go/kms v1.17.1 // indirect
 	cloud.google.com/go/longrunning v0.5.7 // indirect
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
@@ -86,7 +84,7 @@ require (
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
@@ -114,9 +112,9 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/vault/api v1.14.0 // indirect
-	github.com/jellydator/ttlcache/v3 v3.2.0 // indirect
+	github.com/jellydator/ttlcache/v3 v3.3.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
@@ -128,14 +126,13 @@ require (
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/zeebo/errs v1.3.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
 	go.opentelemetry.io/otel/metric v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 )
 
 // TODO: Remove this once github.com/google/go-containerregistry uses github.com/aws/aws-sdk-go-v2 >v1.23.0
@@ -156,18 +153,18 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.27.0 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.16 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.18.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.16.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230510185313-f5e39e5f34c7 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -180,9 +177,8 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/cli v24.0.7+incompatible // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v26.1.5+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
diff --git a/go.sum b/go.sum
index bcd9cf96176..4c024c8d58f 100644
--- a/go.sum
+++ b/go.sum
@@ -64,12 +64,12 @@ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7
 github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80=
@@ -165,25 +165,25 @@ github.com/aws/aws-sdk-go v1.53.10 h1:3enP5l5WtezT9Ql+XZqs56JBf5YUd/FEzTCg///OIG
 github.com/aws/aws-sdk-go v1.53.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
-github.com/aws/aws-sdk-go-v2 v1.27.0 h1:7bZWKoXhzI+mMR/HjdMx8ZCC5+6fY0lS5tr0bbgiLlo=
-github.com/aws/aws-sdk-go-v2 v1.27.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
+github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2/config v1.18.25/go.mod h1:dZnYpD5wTW/dQF0rRNLVypB396zWCcPiBIvdvSWHEg4=
-github.com/aws/aws-sdk-go-v2/config v1.27.16 h1:knpCuH7laFVGYTNd99Ns5t+8PuRjDn4HnnZK48csipM=
-github.com/aws/aws-sdk-go-v2/config v1.27.16/go.mod h1:vutqgRhDUktwSge3hrC3nkuirzkJ4E/mLj5GvI0BQas=
+github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
+github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
 github.com/aws/aws-sdk-go-v2/credentials v1.13.24/go.mod h1:jYPYi99wUOPIFi0rhiOvXeSEReVOzBqFNOX5bXYoG2o=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.16 h1:7d2QxY83uYl0l58ceyiSpxg9bSbStqBC6BeEeHEchwo=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.16/go.mod h1:Ae6li/6Yc6eMzysRL2BXlPYvnrLLBg3D11/AmOjw50k=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3/go.mod h1:4Q0UFP0YJf0NrsEuEYHpM9fTSEVnD16Z3uyEF7J9JGM=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 h1:dQLK4TjtnlRGb0czOht2CevZ5l6RSyRWAnKeGd7VAFE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3/go.mod h1:TL79f2P6+8Q7dTsILpiVST+AL9lkF6PPGI167Ny0Cjw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 h1:lf/8VTF2cM+N4SLzaYJERKEWAXq8MOMpZfU6wEPWsPk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7/go.mod h1:4SjkU7QiqK2M9oozyMzfZ/23LmUY+h3oFqhdeP5OMiI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 h1:4OYVp0705xu8yjdyoWix0r9wPIRXnIzzOoUpQVHIJ/g=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7/go.mod h1:vd7ESTEvI76T2Na050gODNmNU7+OyKrIKroYTu4ABiI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
@@ -194,19 +194,19 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.3/go.mod h1:vn+Rz9fAFGJtDXb
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 h1:Wx0rlZoEJR7JwlSZcHnEa7CNjrSIyVxMFWGAaXy4fJY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9/go.mod h1:aVMHdE0aHO3v+f/iw01fmXV/5DbfQ3Bi9nN7nd9bE9Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
 github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 h1:FARrQLRQXpCFYylIUVF1dRij6YbPCmtwudq9NBk4kFc=
 github.com/aws/aws-sdk-go-v2/service/kms v1.32.1/go.mod h1:8lETO9lelSG2B6KMXFh2OwPPqGV6WQM3RqLAEjP1xaU=
 github.com/aws/aws-sdk-go-v2/service/sso v1.12.10/go.mod h1:ouy2P4z6sJN70fR3ka3wD3Ro3KezSxU6eKGQI2+2fjI=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 h1:aD7AGQhvPuAxlSUfo0CWU7s6FpkbyykMhGYMvlqTjVs=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.9/go.mod h1:c1qtZUWtygI6ZdvKppzCSXsDOq5I4luJPZ0Ud3juFCA=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10/go.mod h1:AFvkxc8xfBe8XA+5St5XIHHrQQtkxqrRincx4hmMHOk=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 h1:Pav5q3cA260Zqez42T9UhIlsd9QeypszRPwC9LdSSsQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3/go.mod h1:9lmoVDVLz/yUZwLaQ676TK02fhCu4+PgRSmMaKR1ozk=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
 github.com/aws/aws-sdk-go-v2/service/sts v1.19.0/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 h1:69tpbPED7jKPyzMcrwSvhWcJ9bPnZsZs18NT40JwM0g=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.10/go.mod h1:0Aqn1MnEuitqfsCNyKsdKLhDUOr4txD/g19EfiUqgws=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
@@ -405,16 +405,14 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1xfI36MSkFg=
-github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
+github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g=
-github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
@@ -606,8 +604,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.6.0/go.mod h1:euCCtNbZ6tKqi1E72vwDj2xZcN5ttKpZLfa/wSo5iLw=
-github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w=
-github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo=
+github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240108195214-a0658aa1d0cc h1:eJ9J17+23quNw5z6O9AdTH+irI7JI+6eQX9TswViyvk=
 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240108195214-a0658aa1d0cc/go.mod h1:Ek+8PQrShkA7aHEj3/zSW33wU0V/Bx3zW/gFh7l21xY=
 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240108195214-a0658aa1d0cc h1:fHDosK/RhxYQpWBRo+bbawVuR402odSaNToA0Pp+ojw=
@@ -732,8 +730,8 @@ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANyt
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE=
-github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4=
+github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
+github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
 github.com/jenkins-x/go-scm v1.14.37 h1:Tq59JXyg5p4iuvIKf6+EA+Yzgxgpn/yG/yfM1mL8DDg=
 github.com/jenkins-x/go-scm v1.14.37/go.mod h1:MRLj/i0mhpMtqwwZV+x78SkEB8mx9rv3ebdRg9WunS8=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -793,8 +791,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e h1:RLTpX495BXToqxpM90Ws4hXEo4Wfh81jr9DX1n/4WOo=
-github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e/go.mod h1:EAuqr9VFWxBi9nD5jc/EA2MT1RFty9288TF6zdtYoCU=
+github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
+github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -1012,8 +1010,8 @@ github.com/sigstore/sigstore v1.8.4 h1:g4ICNpiENFnWxjmBzBDWUn62rNFeny/P77HUC8da3
 github.com/sigstore/sigstore v1.8.4/go.mod h1:1jIKtkTFEeISen7en+ZPWdDHazqhxco/+v9CNjc7oNg=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4 h1:okxaVlaTrQowE1FA4UQ3rw54f7BUjdnzERIxbZTBZuc=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4/go.mod h1:jkcPErmnCECuSJajUaUq5pwCMOeBF19VzQo6bv4l1D0=
-github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.4 h1:1G6uLTZaqvu867DbgH7p75L6Y7Tu8LLnYJGZnWsTUu8=
-github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.4/go.mod h1:QtKKb8DChi1mRi9xSNr8ImSQu6m+0MZAV0sYIoPOta0=
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.9 h1:eXFm3cte0hvxxYsvGpCMd7aBusEgKJdlUw1Fb5AZQpw=
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.9/go.mod h1:RYy9GKnFKKwqbg3Uc6rUyhQdichSVkFlfxnY6f7cAWc=
 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.4 h1:fjnDR5Lw9ElfOSRUGKkgwjaynqj93nLu0twAw+QxhHE=
 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.4/go.mod h1:9KFn5MwelyNoFXu3gNyVzvN/yAhcL6FE053oxih9+vM=
 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.4 h1:QEXOb+feQmNOyLVT+FrghBqKKK4QDMP5dyic8RZHXdE=
@@ -1153,10 +1151,10 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0=
 go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
 go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc=
@@ -1226,8 +1224,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc h1:mCRnTeVUjcrhlRmO0VK8a6k6Rrf6TF9htwo2pJVSjIU=
-golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o=
+golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1703,8 +1701,6 @@ gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
-gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
-gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/h2non/gock.v1 v1.1.2 h1:jBbHXgGBK/AoPVfJh5x4r/WxIrElvbLel8TCZkkZJoY=
 gopkg.in/h2non/gock.v1 v1.1.2/go.mod h1:n7UGz/ckNChHiK05rDoiC4MYSunEC/lyaUm2WWaDva0=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
index a6675492b1a..d13f2e0b352 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
@@ -1,5 +1,36 @@
 # Release History
 
+## 1.14.0 (2024-08-07)
+
+### Features Added
+
+* Added field `Attributes` to `runtime.StartSpanOptions` to simplify creating spans with attributes.
+
+### Other Changes
+
+* Include the HTTP verb and URL in `log.EventRetryPolicy` log entries so it's clear which operation is being retried.
+
+## 1.13.0 (2024-07-16)
+
+### Features Added
+
+- Added runtime.NewRequestFromRequest(), allowing for a policy.Request to be created from an existing *http.Request.
+
+## 1.12.0 (2024-06-06)
+
+### Features Added
+
+* Added field `StatusCodes` to `runtime.FetcherForNextLinkOptions` allowing for additional HTTP status codes indicating success.
+* Added func `NewUUID` to the `runtime` package for generating UUIDs.
+
+### Bugs Fixed
+
+* Fixed an issue that prevented pollers using the `Operation-Location` strategy from unmarshaling the final result in some cases.
+
+### Other Changes
+
+* Updated dependencies.
+
 ## 1.11.1 (2024-04-02)
 
 ### Bugs Fixed
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go
index 187fe82b97c..00f2d5a0ab9 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go
@@ -192,7 +192,7 @@ func appendNext(parent *ResourceID, parts []string, id string) (*ResourceID, err
 	}
 
 	if strings.EqualFold(parts[0], providersKey) && (len(parts) == 2 || strings.EqualFold(parts[2], providersKey)) {
-		//provider resource can only be on a tenant or a subscription parent
+		// provider resource can only be on a tenant or a subscription parent
 		if parent.ResourceType.String() != SubscriptionResourceType.String() && parent.ResourceType.String() != TenantResourceType.String() {
 			return nil, fmt.Errorf("invalid resource ID: %s", id)
 		}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/pipeline.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/pipeline.go
index 039b758bf98..6a7c916b43e 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/pipeline.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/pipeline.go
@@ -34,18 +34,22 @@ func NewPipeline(module, version string, cred azcore.TokenCredential, plOpts azr
 		InsecureAllowCredentialWithHTTP: options.InsecureAllowCredentialWithHTTP,
 		Scopes:                          []string{conf.Audience + "/.default"},
 	})
+	// we don't want to modify the underlying array in plOpts.PerRetry
 	perRetry := make([]azpolicy.Policy, len(plOpts.PerRetry), len(plOpts.PerRetry)+1)
 	copy(perRetry, plOpts.PerRetry)
-	plOpts.PerRetry = append(perRetry, authPolicy, exported.PolicyFunc(httpTraceNamespacePolicy))
+	perRetry = append(perRetry, authPolicy, exported.PolicyFunc(httpTraceNamespacePolicy))
+	plOpts.PerRetry = perRetry
 	if !options.DisableRPRegistration {
 		regRPOpts := armpolicy.RegistrationOptions{ClientOptions: options.ClientOptions}
 		regPolicy, err := NewRPRegistrationPolicy(cred, &regRPOpts)
 		if err != nil {
 			return azruntime.Pipeline{}, err
 		}
+		// we don't want to modify the underlying array in plOpts.PerCall
 		perCall := make([]azpolicy.Policy, len(plOpts.PerCall), len(plOpts.PerCall)+1)
 		copy(perCall, plOpts.PerCall)
-		plOpts.PerCall = append(perCall, regPolicy)
+		perCall = append(perCall, regPolicy)
+		plOpts.PerCall = perCall
 	}
 	if plOpts.APIVersion.Name == "" {
 		plOpts.APIVersion.Name = "api-version"
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go
index 3041984d9b1..e3e2d4e588a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go
@@ -7,6 +7,7 @@
 package exported
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"errors"
@@ -67,6 +68,42 @@ func (ov opValues) get(value any) bool {
 	return ok
 }
 
+// NewRequestFromRequest creates a new policy.Request with an existing *http.Request
+// Exported as runtime.NewRequestFromRequest().
+func NewRequestFromRequest(req *http.Request) (*Request, error) {
+	policyReq := &Request{req: req}
+
+	if req.Body != nil {
+		// we can avoid a body copy here if the underlying stream is already a
+		// ReadSeekCloser.
+		readSeekCloser, isReadSeekCloser := req.Body.(io.ReadSeekCloser)
+
+		if !isReadSeekCloser {
+			// since this is an already populated http.Request we want to copy
+			// over its body, if it has one.
+			bodyBytes, err := io.ReadAll(req.Body)
+
+			if err != nil {
+				return nil, err
+			}
+
+			if err := req.Body.Close(); err != nil {
+				return nil, err
+			}
+
+			readSeekCloser = NopCloser(bytes.NewReader(bodyBytes))
+		}
+
+		// SetBody also takes care of updating the http.Request's body
+		// as well, so they should stay in-sync from this point.
+		if err := policyReq.SetBody(readSeekCloser, req.Header.Get("Content-Type")); err != nil {
+			return nil, err
+		}
+	}
+
+	return policyReq, nil
+}
+
 // NewRequest creates a new Request with the specified input.
 // Exported as runtime.NewRequest().
 func NewRequest(ctx context.Context, httpMethod string, endpoint string) (*Request, error) {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go
index ccd4794e9e9..a5346276056 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go
@@ -155,5 +155,5 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
 		p.resp = resp
 	}
 
-	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
+	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), "", out)
 }
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go
index 0d781b31d0c..8751b05147f 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go
@@ -131,5 +131,5 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
 }
 
 func (p *Poller[T]) Result(ctx context.Context, out *T) error {
-	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
+	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), "", out)
 }
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/fake/fake.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/fake/fake.go
index 51aede8a2b8..7f8d11b8ba3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/fake/fake.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/fake/fake.go
@@ -124,7 +124,7 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
 		return exported.NewResponseError(p.resp)
 	}
 
-	return pollers.ResultHelper(p.resp, poller.Failed(p.FakeStatus), out)
+	return pollers.ResultHelper(p.resp, poller.Failed(p.FakeStatus), "", out)
 }
 
 // SanitizePollerPath removes any fake-appended suffix from a URL's path.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go
index 7a56c5211b7..048285275df 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go
@@ -119,5 +119,5 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
 }
 
 func (p *Poller[T]) Result(ctx context.Context, out *T) error {
-	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
+	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), "", out)
 }
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go
index ac1c0efb5ac..03699fd7629 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go
@@ -115,10 +115,13 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
 func (p *Poller[T]) Result(ctx context.Context, out *T) error {
 	var req *exported.Request
 	var err error
+
+	// when the payload is included with the status monitor on
+	// terminal success it's in the "result" JSON property
+	payloadPath := "result"
+
 	if p.FinalState == pollers.FinalStateViaLocation && p.LocURL != "" {
 		req, err = exported.NewRequest(ctx, http.MethodGet, p.LocURL)
-	} else if p.FinalState == pollers.FinalStateViaOpLocation && p.Method == http.MethodPost {
-		// no final GET required, terminal response should have it
 	} else if rl, rlErr := poller.GetResourceLocation(p.resp); rlErr != nil && !errors.Is(rlErr, poller.ErrNoBody) {
 		return rlErr
 	} else if rl != "" {
@@ -134,6 +137,8 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
 
 	// if a final GET request has been created, execute it
 	if req != nil {
+		// no JSON path when making a final GET request
+		payloadPath = ""
 		resp, err := p.pl.Do(req)
 		if err != nil {
 			return err
@@ -141,5 +146,5 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
 		p.resp = resp
 	}
 
-	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
+	return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), payloadPath, out)
 }
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go
index eb3cf651db0..6a7a32e0342 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go
@@ -159,7 +159,7 @@ func PollHelper(ctx context.Context, endpoint string, pl azexported.Pipeline, up
 // ResultHelper processes the response as success or failure.
 // In the success case, it unmarshals the payload into either a new instance of T or out.
 // In the failure case, it creates an *azcore.Response error from the response.
-func ResultHelper[T any](resp *http.Response, failed bool, out *T) error {
+func ResultHelper[T any](resp *http.Response, failed bool, jsonPath string, out *T) error {
 	// short-circuit the simple success case with no response body to unmarshal
 	if resp.StatusCode == http.StatusNoContent {
 		return nil
@@ -176,6 +176,18 @@ func ResultHelper[T any](resp *http.Response, failed bool, out *T) error {
 	if err != nil {
 		return err
 	}
+
+	if jsonPath != "" && len(payload) > 0 {
+		// extract the payload from the specified JSON path.
+		// do this before the zero-length check in case there
+		// is no payload.
+		jsonBody := map[string]json.RawMessage{}
+		if err = json.Unmarshal(payload, &jsonBody); err != nil {
+			return err
+		}
+		payload = jsonBody[jsonPath]
+	}
+
 	if len(payload) == 0 {
 		return nil
 	}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
index 03691cbf024..7cb8c207e66 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
@@ -40,5 +40,5 @@ const (
 	Module = "azcore"
 
 	// Version is the semantic version (see http://semver.org) of this module.
-	Version = "v1.11.1"
+	Version = "v1.14.0"
 )
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
index cffe692d7e3..b960cff0b2d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
@@ -94,6 +94,10 @@ type FetcherForNextLinkOptions struct {
 	// NextReq is the func to be called when requesting subsequent pages.
 	// Used for paged operations that have a custom next link operation.
 	NextReq func(context.Context, string) (*policy.Request, error)
+
+	// StatusCodes contains additional HTTP status codes indicating success.
+	// The default value is http.StatusOK.
+	StatusCodes []int
 }
 
 // FetcherForNextLink is a helper containing boilerplate code to simplify creating a PagingHandler[T].Fetcher from a next link URL.
@@ -105,10 +109,13 @@ type FetcherForNextLinkOptions struct {
 func FetcherForNextLink(ctx context.Context, pl Pipeline, nextLink string, firstReq func(context.Context) (*policy.Request, error), options *FetcherForNextLinkOptions) (*http.Response, error) {
 	var req *policy.Request
 	var err error
+	if options == nil {
+		options = &FetcherForNextLinkOptions{}
+	}
 	if nextLink == "" {
 		req, err = firstReq(ctx)
 	} else if nextLink, err = EncodeQueryParams(nextLink); err == nil {
-		if options != nil && options.NextReq != nil {
+		if options.NextReq != nil {
 			req, err = options.NextReq(ctx, nextLink)
 		} else {
 			req, err = NewRequest(ctx, http.MethodGet, nextLink)
@@ -121,7 +128,9 @@ func FetcherForNextLink(ctx context.Context, pl Pipeline, nextLink string, first
 	if err != nil {
 		return nil, err
 	}
-	if !HasStatusCode(resp, http.StatusOK) {
+	successCodes := []int{http.StatusOK}
+	successCodes = append(successCodes, options.StatusCodes...)
+	if !HasStatusCode(resp, successCodes...) {
 		return nil, NewResponseError(resp)
 	}
 	return resp, nil
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go
index 3df1c121890..bc6989310bd 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go
@@ -96,7 +96,8 @@ func (h *httpTracePolicy) Do(req *policy.Request) (resp *http.Response, err erro
 
 // StartSpanOptions contains the optional values for StartSpan.
 type StartSpanOptions struct {
-	// for future expansion
+	// Attributes contains key-value pairs of attributes for the span.
+	Attributes []tracing.Attribute
 }
 
 // StartSpan starts a new tracing span.
@@ -126,8 +127,14 @@ func StartSpan(ctx context.Context, name string, tracer tracing.Tracer, options
 			return ctx, func(err error) {}
 		}
 	}
+
+	if options == nil {
+		options = &StartSpanOptions{}
+	}
+
 	ctx, span := tracer.Start(ctx, name, &tracing.SpanOptions{
-		Kind: newSpanKind,
+		Kind:       newSpanKind,
+		Attributes: options.Attributes,
 	})
 	ctx = context.WithValue(ctx, ctxActiveSpan{}, newSpanKind)
 	return ctx, func(err error) {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
index 04d7bb4ecbc..e15eea8249a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
@@ -102,7 +102,8 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
 	try := int32(1)
 	for {
 		resp = nil // reset
-		log.Writef(log.EventRetryPolicy, "=====> Try=%d", try)
+		// unfortunately we don't have access to the custom allow-list of query params, so we'll redact everything but the default allowed QPs
+		log.Writef(log.EventRetryPolicy, "=====> Try=%d for %s %s", try, req.Raw().Method, getSanitizedURL(*req.Raw().URL, getAllowedQueryParams(nil)))
 
 		// For each try, seek to the beginning of the Body stream. We do this even for the 1st try because
 		// the stream may not be at offset 0 when we first get it and we want the same behavior for the
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go
index 06ac95b1b71..7d34b7803af 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go
@@ -15,6 +15,7 @@ import (
 	"fmt"
 	"io"
 	"mime/multipart"
+	"net/http"
 	"net/textproto"
 	"net/url"
 	"path"
@@ -24,6 +25,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/uuid"
 )
 
 // Base64Encoding is usesd to specify which base-64 encoder/decoder to use when
@@ -44,6 +46,11 @@ func NewRequest(ctx context.Context, httpMethod string, endpoint string) (*polic
 	return exported.NewRequest(ctx, httpMethod, endpoint)
 }
 
+// NewRequestFromRequest creates a new policy.Request with an existing *http.Request
+func NewRequestFromRequest(req *http.Request) (*policy.Request, error) {
+	return exported.NewRequestFromRequest(req)
+}
+
 // EncodeQueryParams will parse and encode any query parameters in the specified URL.
 // Any semicolons will automatically be escaped.
 func EncodeQueryParams(u string) (string, error) {
@@ -263,3 +270,12 @@ func SkipBodyDownload(req *policy.Request) {
 
 // CtxAPINameKey is used as a context key for adding/retrieving the API name.
 type CtxAPINameKey = shared.CtxAPINameKey
+
+// NewUUID returns a new UUID using the RFC4122 algorithm.
+func NewUUID() (string, error) {
+	u, err := uuid.New()
+	if err != nil {
+		return "", err
+	}
+	return u.String(), nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
index 6d4b6feb86e..a8c2feb6d47 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@@ -1,5 +1,29 @@
 # Release History
 
+## 1.7.0 (2024-06-20)
+
+### Features Added
+* `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with
+  workload identity federation
+
+### Breaking Changes
+> These changes affect only code written against a beta version such as v1.7.0-beta.1
+* Removed the persistent token caching API. It will return in v1.8.0-beta.1
+
+## 1.7.0-beta.1 (2024-06-10)
+
+### Features Added
+* Restored `AzurePipelinesCredential` and persistent token caching API
+
+## Breaking Changes
+> These changes affect only code written against a beta version such as v1.6.0-beta.4
+* Values which `NewAzurePipelinesCredential` read from environment variables in
+  prior versions are now parameters
+* Renamed `AzurePipelinesServiceConnectionCredentialOptions` to `AzurePipelinesCredentialOptions`
+
+### Bugs Fixed
+* Managed identity bug fixes
+
 ## 1.6.0 (2024-06-10)
 
 ### Features Added
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
index b5acff0e632..7e201ea2fdb 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
@@ -140,6 +140,7 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
 
 |Credential|Usage
 |-|-
+|[AzurePipelinesCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzurePipelinesCredential)|Authenticate an Azure Pipelines [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml)
 |[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
 |[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate
 |[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
index f9cc4894339..fbaa2922048 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
@@ -57,6 +57,7 @@ The following table indicates the state of in-memory and persistent caching in e
 |--------------------------------|---------------------------------------------------------------------|--------------------------|
 | `AzureCLICredential`           | Not Supported                                                       | Not Supported            |
 | `AzureDeveloperCLICredential`  | Not Supported                                                       | Not Supported            |
+| `AzurePipelinesCredential`     | Supported                                                           | Supported                |
 | `ClientAssertionCredential`    | Supported                                                           | Supported                |
 | `ClientCertificateCredential`  | Supported                                                           | Supported                |
 | `ClientSecretCredential`       | Supported                                                           | Supported                |
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
index 3564e685e18..54016a07098 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@@ -10,6 +10,7 @@ This troubleshooting guide covers failure investigation techniques, common error
 - [Enable and configure logging](#enable-and-configure-logging)
 - [Troubleshoot AzureCLICredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
 - [Troubleshoot AzureDeveloperCLICredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues)
+- [Troubleshoot AzurePipelinesCredential authentication issues](#troubleshoot-azurepipelinescredential-authentication-issues)
 - [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
 - [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
 - [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
@@ -226,6 +227,15 @@ azd auth token --output json --scope https://management.core.windows.net/.defaul
 |---|---|---|
 |no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.<ul><li>If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.<li>If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
 
+<a id="apc"></a>
+## Troubleshoot AzurePipelinesCredential authentication issues
+
+| Error Message |Description| Mitigation |
+|---|---|---|
+| AADSTS900023: Specified tenant identifier 'some tenant ID' is neither a valid DNS name, nor a valid external domain.|The `tenantID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the tenant ID. It must identify the tenant of the user-assigned managed identity or service principal configured for the service connection.|
+| No service connection found with identifier |The `serviceConnectionID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the service connection ID. This parameter refers to the `resourceId` of the Azure Service Connection. It can also be found in the query string of the service connection's configuration in Azure DevOps. [Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml) has more information about service connections.|
+|302 (Found) response from OIDC endpoint|The `systemAccessToken` argument to `NewAzurePipelinesCredential` is incorrect|Check pipeline configuration. This value comes from the predefined variable `System.AccessToken` [as described in Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken).|
+
 ## Get additional help
 
 Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md).
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
index 2655543aee6..80c1806bb18 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
@@ -19,21 +19,20 @@ import (
 const (
 	credNameAzurePipelines = "AzurePipelinesCredential"
 	oidcAPIVersion         = "7.1"
-	systemAccessToken      = "SYSTEM_ACCESSTOKEN"
 	systemOIDCRequestURI   = "SYSTEM_OIDCREQUESTURI"
 )
 
-// azurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
+// AzurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
 // [Azure Pipelines documentation] for more information.
 //
 // [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-that-uses-workload-identity-federation
-type azurePipelinesCredential struct {
+type AzurePipelinesCredential struct {
 	connectionID, oidcURI, systemAccessToken string
 	cred                                     *ClientAssertionCredential
 }
 
-// azurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
-type azurePipelinesCredentialOptions struct {
+// AzurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
+type AzurePipelinesCredentialOptions struct {
 	azcore.ClientOptions
 
 	// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
@@ -48,28 +47,39 @@ type azurePipelinesCredentialOptions struct {
 	DisableInstanceDiscovery bool
 }
 
-// newAzurePipelinesCredential is the constructor for AzurePipelinesCredential. In addition to its required arguments,
-// it reads a security token for the running build, which is required to authenticate the service connection, from the
-// environment variable SYSTEM_ACCESSTOKEN. See the [Azure Pipelines documentation] for an example showing how to set
-// this variable in build job YAML.
+// NewAzurePipelinesCredential is the constructor for AzurePipelinesCredential.
+//
+//   - tenantID: tenant ID of the service principal federated with the service connection
+//   - clientID: client ID of that service principal
+//   - serviceConnectionID: ID of the service connection to authenticate
+//   - systemAccessToken: security token for the running build. See [Azure Pipelines documentation] for
+//     an example showing how to get this value.
 //
 // [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
-func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string, options *azurePipelinesCredentialOptions) (*azurePipelinesCredential, error) {
-	if options == nil {
-		options = &azurePipelinesCredentialOptions{}
+func NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken string, options *AzurePipelinesCredentialOptions) (*AzurePipelinesCredential, error) {
+	if !validTenantID(tenantID) {
+		return nil, errInvalidTenantID
+	}
+	if clientID == "" {
+		return nil, errors.New("no client ID specified")
+	}
+	if serviceConnectionID == "" {
+		return nil, errors.New("no service connection ID specified")
+	}
+	if systemAccessToken == "" {
+		return nil, errors.New("no system access token specified")
 	}
 	u := os.Getenv(systemOIDCRequestURI)
 	if u == "" {
 		return nil, fmt.Errorf("no value for environment variable %s. This should be set by Azure Pipelines", systemOIDCRequestURI)
 	}
-	sat := os.Getenv(systemAccessToken)
-	if sat == "" {
-		return nil, errors.New("no value for environment variable " + systemAccessToken)
-	}
-	a := azurePipelinesCredential{
+	a := AzurePipelinesCredential{
 		connectionID:      serviceConnectionID,
 		oidcURI:           u,
-		systemAccessToken: sat,
+		systemAccessToken: systemAccessToken,
+	}
+	if options == nil {
+		options = &AzurePipelinesCredentialOptions{}
 	}
 	caco := ClientAssertionCredentialOptions{
 		AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
@@ -86,7 +96,7 @@ func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string,
 }
 
 // GetToken requests an access token from Microsoft Entra ID. Azure SDK clients call this method automatically.
-func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
+func (a *AzurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
 	var err error
 	ctx, endSpan := runtime.StartSpan(ctx, credNameAzurePipelines+"."+traceOpGetToken, a.cred.client.azClient.Tracer(), nil)
 	defer func() { endSpan(err) }()
@@ -94,7 +104,7 @@ func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.Tok
 	return tk, err
 }
 
-func (a *azurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
+func (a *AzurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
 	url := a.oidcURI + "?api-version=" + oidcAPIVersion + "&serviceConnectionId=" + a.connectionID
 	url, err := runtime.EncodeQueryParams(url)
 	if err != nil {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
index 698650bbb62..35fa01d136e 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
@@ -83,6 +83,8 @@ func (e *AuthenticationFailedError) Error() string {
 		anchor = "azure-cli"
 	case credNameAzureDeveloperCLI:
 		anchor = "azd"
+	case credNameAzurePipelines:
+		anchor = "apc"
 	case credNameCert:
 		anchor = "client-cert"
 	case credNameSecret:
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
index 459ef64c6f7..4305b5d3d80 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@@ -14,5 +14,5 @@ const (
 	module = "github.com/Azure/azure-sdk-for-go/sdk/" + component
 
 	// Version is the semantic version (see http://semver.org) of this module.
-	version = "v1.6.0"
+	version = "v1.7.0"
 )
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
index aa10a9b40f0..99edbf3ee63 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
@@ -70,6 +70,10 @@ func GetUseFIPSEndpoint(options ...interface{}) (value FIPSEndpointState, found
 // The SDK will automatically resolve these endpoints per API client using an
 // internal endpoint resolvers. If you'd like to provide custom endpoint
 // resolving behavior you can implement the EndpointResolver interface.
+//
+// Deprecated: This structure was used with the global [EndpointResolver]
+// interface, which has been deprecated in favor of service-specific endpoint
+// resolution. See the deprecation docs on that interface for more information.
 type Endpoint struct {
 	// The base URL endpoint the SDK API clients will use to make API calls to.
 	// The SDK will suffix URI path and query elements to this endpoint.
@@ -124,6 +128,8 @@ type Endpoint struct {
 }
 
 // EndpointSource is the endpoint source type.
+//
+// Deprecated: The global [Endpoint] structure is deprecated.
 type EndpointSource int
 
 const (
@@ -161,19 +167,25 @@ func (e *EndpointNotFoundError) Unwrap() error {
 // API clients will fallback to attempting to resolve the endpoint using its
 // internal default endpoint resolver.
 //
-// Deprecated: See EndpointResolverWithOptions
+// Deprecated: The global endpoint resolution interface is deprecated. The API
+// for endpoint resolution is now unique to each service and is set via the
+// EndpointResolverV2 field on service client options. Setting a value for
+// EndpointResolver on aws.Config or service client options will prevent you
+// from using any endpoint-related service features released after the
+// introduction of EndpointResolverV2. You may also encounter broken or
+// unexpected behavior when using the old global interface with services that
+// use many endpoint-related customizations such as S3.
 type EndpointResolver interface {
 	ResolveEndpoint(service, region string) (Endpoint, error)
 }
 
 // EndpointResolverFunc wraps a function to satisfy the EndpointResolver interface.
 //
-// Deprecated: See EndpointResolverWithOptionsFunc
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
 type EndpointResolverFunc func(service, region string) (Endpoint, error)
 
 // ResolveEndpoint calls the wrapped function and returns the results.
-//
-// Deprecated: See EndpointResolverWithOptions.ResolveEndpoint
 func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint, error) {
 	return e(service, region)
 }
@@ -184,11 +196,17 @@ func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint,
 // available. If the EndpointResolverWithOptions returns an EndpointNotFoundError error,
 // API clients will fallback to attempting to resolve the endpoint using its
 // internal default endpoint resolver.
+//
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
 type EndpointResolverWithOptions interface {
 	ResolveEndpoint(service, region string, options ...interface{}) (Endpoint, error)
 }
 
 // EndpointResolverWithOptionsFunc wraps a function to satisfy the EndpointResolverWithOptions interface.
+//
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
 type EndpointResolverWithOptionsFunc func(service, region string, options ...interface{}) (Endpoint, error)
 
 // ResolveEndpoint calls the wrapped function and returns the results.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
index e648346be72..a62b33dde17 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.27.0"
+const goModuleVersion = "1.27.2"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
index dc703d482d2..b645fbdf132 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
@@ -2,12 +2,15 @@ package retry
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
+	internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsmiddle "github.com/aws/aws-sdk-go-v2/aws/middleware"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
@@ -39,6 +42,10 @@ type Attempt struct {
 	requestCloner RequestCloner
 }
 
+// define the threshold at which we will consider certain kind of errors to be probably
+// caused by clock skew
+const skewThreshold = 4 * time.Minute
+
 // NewAttemptMiddleware returns a new Attempt retry middleware.
 func NewAttemptMiddleware(retryer aws.Retryer, requestCloner RequestCloner, optFns ...func(*Attempt)) *Attempt {
 	m := &Attempt{
@@ -86,6 +93,9 @@ func (r *Attempt) HandleFinalize(ctx context.Context, in smithymiddle.FinalizeIn
 			AttemptClockSkew: attemptClockSkew,
 		})
 
+		// Setting clock skew to be used on other context (like signing)
+		ctx = internalcontext.SetAttemptSkewContext(ctx, attemptClockSkew)
+
 		var attemptResult AttemptResult
 		out, attemptResult, releaseRetryToken, err = r.handleAttempt(attemptCtx, attemptInput, releaseRetryToken, next)
 		attemptClockSkew, _ = awsmiddle.GetAttemptSkew(attemptResult.ResponseMetadata)
@@ -185,6 +195,8 @@ func (r *Attempt) handleAttempt(
 		return out, attemptResult, nopRelease, err
 	}
 
+	err = wrapAsClockSkew(ctx, err)
+
 	//------------------------------
 	// Is Retryable and Should Retry
 	//------------------------------
@@ -247,6 +259,37 @@ func (r *Attempt) handleAttempt(
 	return out, attemptResult, releaseRetryToken, err
 }
 
+// errors that, if detected when we know there's a clock skew,
+// can be retried and have a high chance of success
+var possibleSkewCodes = map[string]struct{}{
+	"InvalidSignatureException": {},
+	"SignatureDoesNotMatch":     {},
+	"AuthFailure":               {},
+}
+
+var definiteSkewCodes = map[string]struct{}{
+	"RequestExpired":       {},
+	"RequestInTheFuture":   {},
+	"RequestTimeTooSkewed": {},
+}
+
+// wrapAsClockSkew checks if this error could be related to a clock skew
+// error and if so, wrap the error.
+func wrapAsClockSkew(ctx context.Context, err error) error {
+	var v interface{ ErrorCode() string }
+	if !errors.As(err, &v) {
+		return err
+	}
+	if _, ok := definiteSkewCodes[v.ErrorCode()]; ok {
+		return &retryableClockSkewError{Err: err}
+	}
+	_, isPossibleSkewCode := possibleSkewCodes[v.ErrorCode()]
+	if skew := internalcontext.GetAttemptSkewContext(ctx); skew > skewThreshold && isPossibleSkewCode {
+		return &retryableClockSkewError{Err: err}
+	}
+	return err
+}
+
 // MetricsHeader attaches SDK request metric header for retries to the transport
 type MetricsHeader struct{}
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
index 987affdde6f..acd8d1cc3d6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
@@ -2,6 +2,7 @@ package retry
 
 import (
 	"errors"
+	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -199,3 +200,23 @@ func (r RetryableErrorCode) IsErrorRetryable(err error) aws.Ternary {
 
 	return aws.TrueTernary
 }
+
+// retryableClockSkewError marks errors that can be caused by clock skew
+// (difference between server time and client time).
+// This is returned when there's certain confidence that adjusting the client time
+// could allow a retry to succeed
+type retryableClockSkewError struct{ Err error }
+
+func (e *retryableClockSkewError) Error() string {
+	return fmt.Sprintf("Probable clock skew error: %v", e.Err)
+}
+
+// Unwrap returns the wrapped error.
+func (e *retryableClockSkewError) Unwrap() error {
+	return e.Err
+}
+
+// RetryableError allows the retryer to retry this request
+func (e *retryableClockSkewError) RetryableError() bool {
+	return true
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
index ca738f234b3..71b1a352171 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
@@ -38,7 +38,6 @@ var RequiredSignedHeaders = Rules{
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key":       struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5":   struct{}{},
-			"X-Amz-Expected-Bucket-Owner":                                 struct{}{},
 			"X-Amz-Grant-Full-control":                                    struct{}{},
 			"X-Amz-Grant-Read":                                            struct{}{},
 			"X-Amz-Grant-Read-Acp":                                        struct{}{},
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
index 55dfd07ba87..dcd896a9bf6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
@@ -395,6 +395,12 @@ func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header)
 	query := url.Values{}
 	unsignedHeaders := http.Header{}
 	for k, h := range header {
+		// literally just this header has this constraint for some stupid reason,
+		// see #2508
+		if k == "X-Amz-Expected-Bucket-Owner" {
+			k = "x-amz-expected-bucket-owner"
+		}
+
 		if r.IsValid(k) {
 			query[k] = h
 		} else {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
index 20ce6ee8712..0b70c9ece75 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
@@ -1,3 +1,12 @@
+# v1.27.18 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.17 (2024-06-03)
+
+* **Documentation**: Add deprecation docs to global endpoint resolution interfaces. These APIs were previously deprecated with the introduction of service-specific endpoint resolution (EndpointResolverV2 and BaseEndpoint on service client options).
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.27.16 (2024-05-23)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
index 60d884c4f71..8cd98241658 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
@@ -3,4 +3,4 @@
 package config
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.27.16"
+const goModuleVersion = "1.27.18"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/config/load_options.go b/vendor/github.com/aws/aws-sdk-go-v2/config/load_options.go
index 06596c1b7c8..7ff38b9da84 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/config/load_options.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/config/load_options.go
@@ -824,7 +824,14 @@ func (o LoadOptions) getEndpointResolver(ctx context.Context) (aws.EndpointResol
 // the EndpointResolver value is ignored. If multiple WithEndpointResolver calls
 // are made, the last call overrides the previous call values.
 //
-// Deprecated: See WithEndpointResolverWithOptions
+// Deprecated: The global endpoint resolution interface is deprecated. The API
+// for endpoint resolution is now unique to each service and is set via the
+// EndpointResolverV2 field on service client options. Use of
+// WithEndpointResolver or WithEndpointResolverWithOptions will prevent you
+// from using any endpoint-related service features released after the
+// introduction of EndpointResolverV2. You may also encounter broken or
+// unexpected behavior when using the old global interface with services that
+// use many endpoint-related customizations such as S3.
 func WithEndpointResolver(v aws.EndpointResolver) LoadOptionsFunc {
 	return func(o *LoadOptions) error {
 		o.EndpointResolver = v
@@ -844,6 +851,9 @@ func (o LoadOptions) getEndpointResolverWithOptions(ctx context.Context) (aws.En
 // that sets the EndpointResolverWithOptions on LoadOptions. If the EndpointResolverWithOptions is set to nil,
 // the EndpointResolver value is ignored. If multiple WithEndpointResolver calls
 // are made, the last call overrides the previous call values.
+//
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [WithEndpointResolver].
 func WithEndpointResolverWithOptions(v aws.EndpointResolverWithOptions) LoadOptionsFunc {
 	return func(o *LoadOptions) error {
 		o.EndpointResolverWithOptions = v
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
index d93b31f47a4..c809fc4904d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v1.17.18 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.17 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.17.16 (2024-05-23)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
index 91c40c6e709..a7b06996686 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
@@ -3,4 +3,4 @@
 package credentials
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.16"
+const goModuleVersion = "1.17.18"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
index 15f2dff92d5..59b18c59f7d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v1.16.5 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.4 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.16.3 (2024-05-16)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
index 18c7d54f872..53bf07399e5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
@@ -3,4 +3,4 @@
 package imds
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.16.3"
+const goModuleVersion = "1.16.5"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
index 0c5a2d40c9f..24db8e144cb 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
 	"github.com/aws/smithy-go"
 	"github.com/aws/smithy-go/auth"
@@ -39,7 +40,10 @@ func (v *V4SignerAdapter) SignRequest(ctx context.Context, r *smithyhttp.Request
 	}
 
 	hash := v4.GetPayloadHash(ctx)
-	err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, sdk.NowTime(), func(o *v4.SignerOptions) {
+	signingTime := sdk.NowTime()
+	skew := internalcontext.GetAttemptSkewContext(ctx)
+	signingTime = signingTime.Add(skew)
+	err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, signingTime, func(o *v4.SignerOptions) {
 		o.DisableURIPathEscaping, _ = smithyhttp.GetDisableDoubleEncoding(&props)
 
 		o.Logger = v.Logger
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
index e5ab27663e7..e9cbca3c8a8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v1.3.9 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.8 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.3.7 (2024-05-16)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
index 67cbc376748..4147405a90b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
@@ -3,4 +3,4 @@
 package configsources
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.3.7"
+const goModuleVersion = "1.3.9"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go
new file mode 100644
index 00000000000..f0c283d3942
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go
@@ -0,0 +1,52 @@
+package context
+
+import (
+	"context"
+	"time"
+
+	"github.com/aws/smithy-go/middleware"
+)
+
+type s3BackendKey struct{}
+type checksumInputAlgorithmKey struct{}
+type clockSkew struct{}
+
+const (
+	// S3BackendS3Express identifies the S3Express backend
+	S3BackendS3Express = "S3Express"
+)
+
+// SetS3Backend stores the resolved endpoint backend within the request
+// context, which is required for a variety of custom S3 behaviors.
+func SetS3Backend(ctx context.Context, typ string) context.Context {
+	return middleware.WithStackValue(ctx, s3BackendKey{}, typ)
+}
+
+// GetS3Backend retrieves the stored endpoint backend within the context.
+func GetS3Backend(ctx context.Context) string {
+	v, _ := middleware.GetStackValue(ctx, s3BackendKey{}).(string)
+	return v
+}
+
+// SetChecksumInputAlgorithm sets the request checksum algorithm on the
+// context.
+func SetChecksumInputAlgorithm(ctx context.Context, value string) context.Context {
+	return middleware.WithStackValue(ctx, checksumInputAlgorithmKey{}, value)
+}
+
+// GetChecksumInputAlgorithm returns the checksum algorithm from the context.
+func GetChecksumInputAlgorithm(ctx context.Context) string {
+	v, _ := middleware.GetStackValue(ctx, checksumInputAlgorithmKey{}).(string)
+	return v
+}
+
+// SetAttemptSkewContext sets the clock skew value on the context
+func SetAttemptSkewContext(ctx context.Context, v time.Duration) context.Context {
+	return middleware.WithStackValue(ctx, clockSkew{}, v)
+}
+
+// GetAttemptSkewContext gets the clock skew value from the context
+func GetAttemptSkewContext(ctx context.Context) time.Duration {
+	x, _ := middleware.GetStackValue(ctx, clockSkew{}).(time.Duration)
+	return x
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
index f376f6908aa..7a28569c3de 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
@@ -198,7 +198,11 @@
       "supportsFIPS" : true
     },
     "regionRegex" : "^eu\\-isoe\\-\\w+\\-\\d+$",
-    "regions" : { }
+    "regions" : {
+      "eu-isoe-west-1" : {
+        "description" : "EU ISOE West"
+      }
+    }
   }, {
     "id" : "aws-iso-f",
     "outputs" : {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
index 5ff8fef9364..8b9ffa0b270 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v2.6.9 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.8 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.6.7 (2024-05-16)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
index cc9b78076ac..7d3ecf1b739 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
@@ -3,4 +3,4 @@
 package endpoints
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.6.7"
+const goModuleVersion = "2.6.9"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go
new file mode 100644
index 00000000000..8e24a3f0a47
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go
@@ -0,0 +1,42 @@
+package middleware
+
+import (
+	"context"
+	"sync/atomic"
+	"time"
+
+	internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
+	"github.com/aws/smithy-go/middleware"
+)
+
+// AddTimeOffsetMiddleware sets a value representing clock skew on the request context.
+// This can be read by other operations (such as signing) to correct the date value they send
+// on the request
+type AddTimeOffsetMiddleware struct {
+	Offset *atomic.Int64
+}
+
+// ID the identifier for AddTimeOffsetMiddleware
+func (m *AddTimeOffsetMiddleware) ID() string { return "AddTimeOffsetMiddleware" }
+
+// HandleBuild sets a value for attemptSkew on the request context if one is set on the client.
+func (m AddTimeOffsetMiddleware) HandleBuild(ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler) (
+	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+) {
+	if m.Offset != nil {
+		offset := time.Duration(m.Offset.Load())
+		ctx = internalcontext.SetAttemptSkewContext(ctx, offset)
+	}
+	return next.HandleBuild(ctx, in)
+}
+
+// HandleDeserialize gets the clock skew context from the context, and if set, sets it on the pointer
+// held by AddTimeOffsetMiddleware
+func (m *AddTimeOffsetMiddleware) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) (
+	out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
+) {
+	if v := internalcontext.GetAttemptSkewContext(ctx); v != 0 {
+		m.Offset.Store(v.Nanoseconds())
+	}
+	return next.HandleDeserialize(ctx, in)
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
index 60670452103..14bb43611a0 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
@@ -1,3 +1,11 @@
+# v1.11.11 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.10 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.11.9 (2024-05-16)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
index 24fd480d379..c1a5e0da1e1 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
@@ -3,4 +3,4 @@
 package presignedurl
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.9"
+const goModuleVersion = "1.11.11"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
index d477f4212fc..aaffd4f35da 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
@@ -1,3 +1,12 @@
+# v1.20.11 (2024-06-07)
+
+* **Bug Fix**: Add clock skew correction on all service clients
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.20.10 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.20.9 (2024-05-23)
 
 * No change notes available for this release.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go
index fff457735be..34f19ded2df 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go
@@ -14,6 +14,7 @@ import (
 	internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
 	internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
 	internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
+	internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
 	smithy "github.com/aws/smithy-go"
 	smithydocument "github.com/aws/smithy-go/document"
 	"github.com/aws/smithy-go/logging"
@@ -21,6 +22,7 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net"
 	"net/http"
+	"sync/atomic"
 	"time"
 )
 
@@ -30,6 +32,9 @@ const ServiceAPIVersion = "2019-06-10"
 // Client provides the API client to make operations call for AWS Single Sign-On.
 type Client struct {
 	options Options
+
+	// Difference between the time reported by the server and the client
+	timeOffset *atomic.Int64
 }
 
 // New returns an initialized Client based on the functional options. Provide
@@ -68,6 +73,8 @@ func New(options Options, optFns ...func(*Options)) *Client {
 		options: options,
 	}
 
+	initializeTimeOffsetResolver(client)
+
 	return client
 }
 
@@ -484,6 +491,17 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
 	return nil
 }
 
+func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
+	mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
+	if err := stack.Build.Add(&mw, middleware.After); err != nil {
+		return err
+	}
+	return stack.Deserialize.Insert(&mw, "RecordResponseTiming", middleware.Before)
+}
+func initializeTimeOffsetResolver(c *Client) {
+	c.timeOffset = new(atomic.Int64)
+}
+
 func addRecursionDetection(stack *middleware.Stack) error {
 	return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
index 44ad9ff1d23..77d54b9f15b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
@@ -114,6 +114,9 @@ func (c *Client) addOperationGetRoleCredentialsMiddlewares(stack *middleware.Sta
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpGetRoleCredentialsValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
index 5861c9bbccb..77374f48f3d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
@@ -119,6 +119,9 @@ func (c *Client) addOperationListAccountRolesMiddlewares(stack *middleware.Stack
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpListAccountRolesValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
index 7f2b2397879..ac15831f91b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
@@ -118,6 +118,9 @@ func (c *Client) addOperationListAccountsMiddlewares(stack *middleware.Stack, op
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpListAccountsValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
index 65f582a8747..a9e349c5db8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
@@ -113,6 +113,9 @@ func (c *Client) addOperationLogoutMiddlewares(stack *middleware.Stack, options
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpLogoutValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
index e9adaf46aa4..ad5b48930e6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sso
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.20.9"
+const goModuleVersion = "1.20.11"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
index b70701a5287..d82a89482fe 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
@@ -1,3 +1,12 @@
+# v1.24.5 (2024-06-07)
+
+* **Bug Fix**: Add clock skew correction on all service clients
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.4 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.24.3 (2024-05-23)
 
 * No change notes available for this release.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go
index 8dc643bb0c5..bfd5c68c4dd 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go
@@ -14,6 +14,7 @@ import (
 	internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
 	internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
 	internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
+	internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
 	smithy "github.com/aws/smithy-go"
 	smithydocument "github.com/aws/smithy-go/document"
 	"github.com/aws/smithy-go/logging"
@@ -21,6 +22,7 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net"
 	"net/http"
+	"sync/atomic"
 	"time"
 )
 
@@ -30,6 +32,9 @@ const ServiceAPIVersion = "2019-06-10"
 // Client provides the API client to make operations call for AWS SSO OIDC.
 type Client struct {
 	options Options
+
+	// Difference between the time reported by the server and the client
+	timeOffset *atomic.Int64
 }
 
 // New returns an initialized Client based on the functional options. Provide
@@ -68,6 +73,8 @@ func New(options Options, optFns ...func(*Options)) *Client {
 		options: options,
 	}
 
+	initializeTimeOffsetResolver(client)
+
 	return client
 }
 
@@ -484,6 +491,17 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
 	return nil
 }
 
+func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
+	mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
+	if err := stack.Build.Add(&mw, middleware.After); err != nil {
+		return err
+	}
+	return stack.Deserialize.Insert(&mw, "RecordResponseTiming", middleware.Before)
+}
+func initializeTimeOffsetResolver(c *Client) {
+	c.timeOffset = new(atomic.Int64)
+}
+
 func addRecursionDetection(stack *middleware.Stack) error {
 	return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
index 393ab84b043..e33f3f0599f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
@@ -186,6 +186,9 @@ func (c *Client) addOperationCreateTokenMiddlewares(stack *middleware.Stack, opt
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpCreateTokenValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go
index 1d54f14d804..9159db93b6d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go
@@ -217,6 +217,9 @@ func (c *Client) addOperationCreateTokenWithIAMMiddlewares(stack *middleware.Sta
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpCreateTokenWithIAMValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go
index 9daccf79b8c..9820fae48ca 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go
@@ -147,6 +147,9 @@ func (c *Client) addOperationRegisterClientMiddlewares(stack *middleware.Stack,
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpRegisterClientValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go
index 0b727e38b96..a3bae9912d8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go
@@ -137,6 +137,9 @@ func (c *Client) addOperationStartDeviceAuthorizationMiddlewares(stack *middlewa
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpStartDeviceAuthorizationValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
index 80189fbfbc6..b05fd1174f8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
@@ -3,4 +3,4 @@
 package ssooidc
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.24.3"
+const goModuleVersion = "1.24.5"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
index 77cd6034609..e43842793da 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
@@ -1,3 +1,12 @@
+# v1.28.12 (2024-06-07)
+
+* **Bug Fix**: Add clock skew correction on all service clients
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.11 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.28.10 (2024-05-23)
 
 * No change notes available for this release.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
index 4d18dc86bd7..b281ba293f3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
@@ -15,6 +15,7 @@ import (
 	internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
 	internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
 	internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
+	internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
 	acceptencodingcust "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding"
 	presignedurlcust "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url"
 	smithy "github.com/aws/smithy-go"
@@ -24,6 +25,7 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net"
 	"net/http"
+	"sync/atomic"
 	"time"
 )
 
@@ -34,6 +36,9 @@ const ServiceAPIVersion = "2011-06-15"
 // Service.
 type Client struct {
 	options Options
+
+	// Difference between the time reported by the server and the client
+	timeOffset *atomic.Int64
 }
 
 // New returns an initialized Client based on the functional options. Provide
@@ -72,6 +77,8 @@ func New(options Options, optFns ...func(*Options)) *Client {
 		options: options,
 	}
 
+	initializeTimeOffsetResolver(client)
+
 	return client
 }
 
@@ -488,6 +495,17 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
 	return nil
 }
 
+func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
+	mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
+	if err := stack.Build.Add(&mw, middleware.After); err != nil {
+		return err
+	}
+	return stack.Deserialize.Insert(&mw, "RecordResponseTiming", middleware.Before)
+}
+func initializeTimeOffsetResolver(c *Client) {
+	c.timeOffset = new(atomic.Int64)
+}
+
 func addRecursionDetection(stack *middleware.Stack) error {
 	return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
index 936f917bfd2..ddad1cdfc23 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
@@ -457,6 +457,9 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
index f88ab4a22b4..31b7ba5c4ac 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
@@ -397,6 +397,9 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
index 6c8cf43e534..30dac8c6ff7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
@@ -408,6 +408,9 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleWithWebIdentityValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
index 186a8cb5838..925ee2eeb1d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
@@ -138,6 +138,9 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpDecodeAuthorizationMessageValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
index b6eb6401af0..75da475979e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
@@ -129,6 +129,9 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpGetAccessKeyInfoValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
index ed4c82832a3..ea90ff7d41f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
@@ -120,6 +120,9 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
index 37bde0cce6b..a0b5ebdbab2 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
@@ -342,6 +342,9 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
index 097ccd84480..645ccaeb2ea 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
@@ -191,6 +191,9 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
index f8c5b4e9162..acc380e9812 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.28.10"
+const goModuleVersion = "1.28.12"
diff --git a/vendor/github.com/docker/cli/AUTHORS b/vendor/github.com/docker/cli/AUTHORS
index 483743c9921..ad1abd49642 100644
--- a/vendor/github.com/docker/cli/AUTHORS
+++ b/vendor/github.com/docker/cli/AUTHORS
@@ -2,6 +2,7 @@
 # This file lists all contributors to the repository.
 # See scripts/docs/generate-authors.sh to make modifications.
 
+A. Lester Buck III <github-reg@nbolt.com>
 Aanand Prasad <aanand.prasad@gmail.com>
 Aaron L. Xu <liker.xu@foxmail.com>
 Aaron Lehmann <alehmann@netflix.com>
@@ -16,6 +17,7 @@ Adolfo Ochagavía <aochagavia92@gmail.com>
 Adrian Plata <adrian.plata@docker.com>
 Adrien Duermael <adrien@duermael.com>
 Adrien Folie <folie.adrien@gmail.com>
+Adyanth Hosavalike <ahosavalike@ucsd.edu>
 Ahmet Alp Balkan <ahmetb@microsoft.com>
 Aidan Feldman <aidan.feldman@gmail.com>
 Aidan Hobson Sayers <aidanhs@cantab.net>
@@ -24,9 +26,10 @@ Akhil Mohan <akhil.mohan@mayadata.io>
 Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Akim Demaille <akim.demaille@docker.com>
 Alan Thompson <cloojure@gmail.com>
+Alano Terblanche <alano.terblanche@docker.com>
 Albert Callarisa <shark234@gmail.com>
 Alberto Roura <mail@albertoroura.com>
-Albin Kerouanton <albin@akerouanton.name>
+Albin Kerouanton <albinker@gmail.com>
 Aleksa Sarai <asarai@suse.de>
 Aleksander Piotrowski <apiotrowski312@gmail.com>
 Alessandro Boch <aboch@tetrationanalytics.com>
@@ -34,6 +37,7 @@ Alex Couture-Beil <alex@earthly.dev>
 Alex Mavrogiannis <alex.mavrogiannis@docker.com>
 Alex Mayer <amayer5125@gmail.com>
 Alexander Boyd <alex@opengroove.org>
+Alexander Chneerov <achneerov@gmail.com>
 Alexander Larsson <alexl@redhat.com>
 Alexander Morozov <lk4d4math@gmail.com>
 Alexander Ryabov <i@sepa.spb.ru>
@@ -41,6 +45,7 @@ Alexandre González <agonzalezro@gmail.com>
 Alexey Igrychev <alexey.igrychev@flant.com>
 Alexis Couvreur <alexiscouvreur.pro@gmail.com>
 Alfred Landrum <alfred.landrum@docker.com>
+Ali Rostami <rostami.ali@gmail.com>
 Alicia Lauerman <alicia@eta.im>
 Allen Sun <allensun.shl@alibaba-inc.com>
 Alvin Deng <alvin.q.deng@utexas.edu>
@@ -61,6 +66,7 @@ Andrew Hsu <andrewhsu@docker.com>
 Andrew Macpherson <hopscotch23@gmail.com>
 Andrew McDonnell <bugs@andrewmcdonnell.net>
 Andrew Po <absourd.noise@gmail.com>
+Andrew-Zipperer <atzipperer@gmail.com>
 Andrey Petrov <andrey.petrov@shazow.net>
 Andrii Berehuliak <berkusandrew@gmail.com>
 André Martins <aanm90@gmail.com>
@@ -79,7 +85,9 @@ Arko Dasgupta <arko@tetrate.io>
 Arnaud Porterie <icecrime@gmail.com>
 Arnaud Rebillout <elboulangero@gmail.com>
 Arthur Peka <arthur.peka@outlook.com>
+Ashly Mathew <ashly.mathew@sap.com>
 Ashwini Oruganti <ashwini.oruganti@gmail.com>
+Aslam Ahemad <aslamahemad@gmail.com>
 Azat Khuyiyakhmetov <shadow_uz@mail.ru>
 Bardia Keyoumarsi <bkeyouma@ucsc.edu>
 Barnaby Gray <barnaby@pickle.me.uk>
@@ -98,7 +106,9 @@ Bill Wang <ozbillwang@gmail.com>
 Bin Liu <liubin0329@gmail.com>
 Bingshen Wang <bingshen.wbs@alibaba-inc.com>
 Bishal Das <bishalhnj127@gmail.com>
+Bjorn Neergaard <bjorn.neergaard@docker.com>
 Boaz Shuster <ripcurld.github@gmail.com>
+Boban Acimovic <boban.acimovic@gmail.com>
 Bogdan Anton <contact@bogdananton.ro>
 Boris Pruessmann <boris@pruessmann.org>
 Brad Baker <brad@brad.fi>
@@ -109,17 +119,20 @@ Brent Salisbury <brent.salisbury@docker.com>
 Bret Fisher <bret@bretfisher.com>
 Brian (bex) Exelbierd <bexelbie@redhat.com>
 Brian Goff <cpuguy83@gmail.com>
+Brian Tracy <brian.tracy33@gmail.com>
 Brian Wieder <brian@4wieders.com>
 Bruno Sousa <bruno.sousa@docker.com>
 Bryan Bess <squarejaw@bsbess.com>
 Bryan Boreham <bjboreham@gmail.com>
 Bryan Murphy <bmurphy1976@gmail.com>
 bryfry <bryon.fryer@gmail.com>
+Calvin Liu <flycalvin@qq.com>
 Cameron Spear <cameronspear@gmail.com>
 Cao Weiwei <cao.weiwei30@zte.com.cn>
 Carlo Mion <mion00@gmail.com>
 Carlos Alexandro Becker <caarlos0@gmail.com>
 Carlos de Paula <me@carlosedp.com>
+Casey Korver <casey@korver.dev>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
@@ -136,6 +149,7 @@ Chen Chuanliang <chen.chuanliang@zte.com.cn>
 Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
 Chen Mingjie <chenmingjie0828@163.com>
 Chen Qiu <cheney-90@hotmail.com>
+Chris Chinchilla <chris@chrischinchilla.com>
 Chris Couzens <ccouzens@gmail.com>
 Chris Gavin <chris@chrisgavin.me>
 Chris Gibson <chris@chrisg.io>
@@ -150,6 +164,8 @@ Christophe Vidal <kriss@krizalys.com>
 Christopher Biscardi <biscarch@sketcht.com>
 Christopher Crone <christopher.crone@docker.com>
 Christopher Jones <tophj@linux.vnet.ibm.com>
+Christopher Petito <47751006+krissetto@users.noreply.github.com>
+Christopher Petito <chrisjpetito@gmail.com>
 Christopher Svensson <stoffus@stoffus.com>
 Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com>
@@ -163,6 +179,8 @@ Conner Crosby <conner@cavcrosby.tech>
 Corey Farrell <git@cfware.com>
 Corey Quon <corey.quon@docker.com>
 Cory Bennet <cbennett@netflix.com>
+Cory Snider <csnider@mirantis.com>
+Craig Osterhout <craig.osterhout@docker.com>
 Craig Wilhite <crwilhit@microsoft.com>
 Cristian Staretu <cristian.staretu@gmail.com>
 Daehyeok Mun <daehyeok@gmail.com>
@@ -171,6 +189,7 @@ Daisuke Ito <itodaisuke00@gmail.com>
 dalanlan <dalanlan925@gmail.com>
 Damien Nadé <github@livna.org>
 Dan Cotora <dan@bluevision.ro>
+Danial Gharib <danial.mail.gh@gmail.com>
 Daniel Artine <daniel.artine@ufrj.br>
 Daniel Cassidy <mail@danielcassidy.me.uk>
 Daniel Dao <dqminh@cloudflare.com>
@@ -199,6 +218,7 @@ David Cramer <davcrame@cisco.com>
 David Dooling <dooling@gmail.com>
 David Gageot <david@gageot.net>
 David Karlsson <david.karlsson@docker.com>
+David le Blanc <systemmonkey42@users.noreply.github.com>
 David Lechner <david@lechnology.com>
 David Scott <dave@recoil.org>
 David Sheets <dsheets@docker.com>
@@ -210,6 +230,7 @@ Denis Defreyne <denis@soundcloud.com>
 Denis Gladkikh <denis@gladkikh.email>
 Denis Ollier <larchunix@users.noreply.github.com>
 Dennis Docter <dennis@d23.nl>
+dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 Derek McGowan <derek@mcg.dev>
 Des Preston <despreston@gmail.com>
 Deshi Xiao <dxiao@redhat.com>
@@ -232,11 +253,13 @@ DongGeon Lee <secmatth1996@gmail.com>
 Doug Davis <dug@us.ibm.com>
 Drew Erny <derny@mirantis.com>
 Ed Costello <epc@epcostello.com>
+Ed Morley <501702+edmorley@users.noreply.github.com>
 Elango Sivanandam <elango.siva@docker.com>
 Eli Uriegas <eli.uriegas@docker.com>
 Eli Uriegas <seemethere101@gmail.com>
 Elias Faxö <elias.faxo@tre.se>
 Elliot Luo <956941328@qq.com>
+Eric Bode <eric.bode@foundries.io>
 Eric Curtin <ericcurtin17@gmail.com>
 Eric Engestrom <eric@engestrom.ch>
 Eric G. Noriega <enoriega@vizuri.com>
@@ -254,6 +277,7 @@ Eugene Yakubovich <eugene.yakubovich@coreos.com>
 Evan Allrich <evan@unguku.com>
 Evan Hazlett <ejhazlett@gmail.com>
 Evan Krall <krall@yelp.com>
+Evan Lezar <elezar@nvidia.com>
 Evelyn Xu <evelynhsu21@gmail.com>
 Everett Toews <everett.toews@rackspace.com>
 Fabio Falci <fabiofalci@gmail.com>
@@ -275,11 +299,13 @@ Frederik Nordahl Jul Sabroe <frederikns@gmail.com>
 Frieder Bluemle <frieder.bluemle@gmail.com>
 Gabriel Gore <gabgore@cisco.com>
 Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
+Gabriela Georgieva <gabriela.georgieva@docker.com>
 Gaetan de Villele <gdevillele@gmail.com>
 Gang Qiao <qiaohai8866@gmail.com>
 Gary Schaetz <gary@schaetzkc.com>
 Genki Takiuchi <genki@s21g.com>
 George MacRorie <gmacr31@gmail.com>
+George Margaritis <gmargaritis@protonmail.com>
 George Xie <georgexsh@gmail.com>
 Gianluca Borello <g.borello@gmail.com>
 Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
@@ -288,6 +314,8 @@ Gleb Stsenov <gleb.stsenov@gmail.com>
 Goksu Toprak <goksu.toprak@docker.com>
 Gou Rao <gou@portworx.com>
 Govind Rai <raigovind93@gmail.com>
+Grace Choi <grace.54109@gmail.com>
+Graeme Wiebe <graeme.wiebe@gmail.com>
 Grant Reaber <grant.reaber@gmail.com>
 Greg Pflaum <gpflaum@users.noreply.github.com>
 Gsealy <jiaojingwei1001@hotmail.com>
@@ -311,6 +339,7 @@ Hernan Garcia <hernandanielg@gmail.com>
 Hongbin Lu <hongbin034@gmail.com>
 Hu Keping <hukeping@huawei.com>
 Huayi Zhang <irachex@gmail.com>
+Hugo Chastel <Hugo-C@users.noreply.github.com>
 Hugo Gabriel Eyherabide <hugogabriel.eyherabide@gmail.com>
 huqun <huqun@zju.edu.cn>
 Huu Nguyen <huu@prismskylabs.com>
@@ -329,9 +358,12 @@ Ivan Grund <ivan.grund@gmail.com>
 Ivan Markin <sw@nogoegst.net>
 Jacob Atzen <jacob@jacobatzen.dk>
 Jacob Tomlinson <jacob@tom.linson.uk>
+Jacopo Rigoli <rigoli.jacopo@gmail.com>
 Jaivish Kothari <janonymous.codevulture@gmail.com>
 Jake Lambert <jake.lambert@volusion.com>
 Jake Sanders <jsand@google.com>
+Jake Stokes <contactjake@developerjake.com>
+Jakub Panek <me@panekj.dev>
 James Nesbitt <james.nesbitt@wunderkraut.com>
 James Turnbull <james@lovedthanlost.net>
 Jamie Hannaford <jamie@limetree.org>
@@ -363,6 +395,7 @@ Jezeniel Zapanta <jpzapanta22@gmail.com>
 Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
 Jie Luo <luo612@zju.edu.cn>
 Jilles Oldenbeuving <ojilles@gmail.com>
+Jim Chen <njucjc@gmail.com>
 Jim Galasyn <jim.galasyn@docker.com>
 Jim Lin <b04705003@ntu.edu.tw>
 Jimmy Leger <jimmy.leger@gmail.com>
@@ -393,6 +426,7 @@ John Willis <john.willis@docker.com>
 Jon Johnson <jonjohnson@google.com>
 Jon Zeolla <zeolla@gmail.com>
 Jonatas Baldin <jonatas.baldin@gmail.com>
+Jonathan A. Sternberg <jonathansternberg@gmail.com>
 Jonathan Boulle <jonathanboulle@gmail.com>
 Jonathan Lee <jonjohn1232009@gmail.com>
 Jonathan Lomas <jonathan@floatinglomas.ca>
@@ -408,10 +442,12 @@ Josh Chorlton <jchorlton@gmail.com>
 Josh Hawn <josh.hawn@docker.com>
 Josh Horwitz <horwitz@addthis.com>
 Josh Soref <jsoref@gmail.com>
+Julian <gitea+julian@ic.thejulian.uk>
 Julien Barbier <write0@gmail.com>
 Julien Kassar <github@kassisol.com>
 Julien Maitrehenry <julien.maitrehenry@me.com>
 Justas Brazauskas <brazauskasjustas@gmail.com>
+Justin Chadwell <me@jedevc.com>
 Justin Cormack <justin.cormack@docker.com>
 Justin Simonelis <justin.p.simonelis@gmail.com>
 Justyn Temme <justyntemme@gmail.com>
@@ -434,7 +470,7 @@ Kelton Bassingthwaite <KeltonBassingthwaite@gmail.com>
 Ken Cochrane <kencochrane@gmail.com>
 Ken ICHIKAWA <ichikawa.ken@jp.fujitsu.com>
 Kenfe-Mickaël Laventure <mickael.laventure@gmail.com>
-Kevin Alvarez <crazy-max@users.noreply.github.com>
+Kevin Alvarez <github@crazymax.dev>
 Kevin Burke <kev@inburke.com>
 Kevin Feyrer <kevin.feyrer@btinternet.com>
 Kevin Kern <kaiwentan@harmonycloud.cn>
@@ -445,6 +481,7 @@ Kevin Woblick <mail@kovah.de>
 khaled souf <khaled.souf@gmail.com>
 Kim Eik <kim@heldig.org>
 Kir Kolyshkin <kolyshkin@gmail.com>
+Kirill A. Korinsky <kirill@korins.ky>
 Kotaro Yoshimatsu <kotaro.yoshimatsu@gmail.com>
 Krasi Georgiev <krasi@vip-consult.solutions>
 Kris-Mikael Krister <krismikael@protonmail.com>
@@ -454,6 +491,7 @@ Kyle Mitofsky <Kylemit@gmail.com>
 Lachlan Cooper <lachlancooper@gmail.com>
 Lai Jiangshan <jiangshanlai@gmail.com>
 Lars Kellogg-Stedman <lars@redhat.com>
+Laura Brehm <laurabrehm@hey.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Erignoux <lerignoux@gmail.com>
 Lee Gaines <eightlimbed@gmail.com>
@@ -462,10 +500,10 @@ Lennie <github@consolejunkie.net>
 Leo Gallucci <elgalu3@gmail.com>
 Leonid Skorospelov <leosko94@gmail.com>
 Lewis Daly <lewisdaly@me.com>
+Li Fu Bang <lifubang@acmcoder.com>
 Li Yi <denverdino@gmail.com>
 Li Yi <weiyuan.yl@alibaba-inc.com>
 Liang-Chi Hsieh <viirya@gmail.com>
-Lifubang <lifubang@acmcoder.com>
 Lihua Tang <lhtang@alauda.io>
 Lily Guo <lily.guo@docker.com>
 Lin Lu <doraalin@163.com>
@@ -480,6 +518,7 @@ Louis Opter <kalessin@kalessin.fr>
 Luca Favatella <luca.favatella@erlang-solutions.com>
 Luca Marturana <lucamarturana@gmail.com>
 Lucas Chan <lucas-github@lucaschan.com>
+Luis Henrique Mulinari <luis.mulinari@gmail.com>
 Luka Hartwig <mail@lukahartwig.de>
 Lukas Heeren <lukas-heeren@hotmail.com>
 Lukasz Zajaczkowski <Lukasz.Zajaczkowski@ts.fujitsu.com>
@@ -498,10 +537,12 @@ mapk0y <mapk0y@gmail.com>
 Marc Bihlmaier <marc.bihlmaier@reddoxx.com>
 Marc Cornellà <hello@mcornella.com>
 Marco Mariani <marco.mariani@alterway.fr>
+Marco Spiess <marco.spiess@hotmail.de>
 Marco Vedovati <mvedovati@suse.com>
 Marcus Martins <marcus@docker.com>
 Marianna Tessel <mtesselh@gmail.com>
 Marius Ileana <marius.ileana@gmail.com>
+Marius Meschter <marius@meschter.me>
 Marius Sturm <marius@graylog.com>
 Mark Oates <fl0yd@me.com>
 Marsh Macy <marsma@microsoft.com>
@@ -510,6 +551,7 @@ Mary Anthony <mary.anthony@docker.com>
 Mason Fish <mason.fish@docker.com>
 Mason Malone <mason.malone@gmail.com>
 Mateusz Major <apkd@users.noreply.github.com>
+Mathias Duedahl <64321057+Lussebullen@users.noreply.github.com>
 Mathieu Champlon <mathieu.champlon@docker.com>
 Mathieu Rollet <matletix@gmail.com>
 Matt Gucci <matt9ucci@gmail.com>
@@ -519,9 +561,11 @@ Matthew Heon <mheon@redhat.com>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
 Mauro Porras P <mauroporrasp@gmail.com>
 Max Shytikov <mshytikov@gmail.com>
+Max-Julian Pogner <max-julian@pogner.at>
 Maxime Petazzoni <max@signalfuse.com>
 Maximillian Fan Xavier <maximillianfx@gmail.com>
 Mei ChunTao <mei.chuntao@zte.com.cn>
+Melroy van den Berg <melroy@melroy.org>
 Metal <2466052+tedhexaflow@users.noreply.github.com>
 Micah Zoltu <micah@newrelic.com>
 Michael A. Smith <michael@smith-li.com>
@@ -581,6 +625,7 @@ Nathan McCauley <nathan.mccauley@docker.com>
 Neil Peterson <neilpeterson@outlook.com>
 Nick Adcock <nick.adcock@docker.com>
 Nick Santos <nick.santos@docker.com>
+Nick Sieger <nick@nicksieger.com>
 Nico Stapelbroek <nstapelbroek@gmail.com>
 Nicola Kabar <nicolaka@gmail.com>
 Nicolas Borboën <ponsfrilus@gmail.com>
@@ -593,6 +638,7 @@ Nishant Totla <nishanttotla@gmail.com>
 NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
 Noah Treuhaft <noah.treuhaft@docker.com>
 O.S. Tezer <ostezer@gmail.com>
+Oded Arbel <oded@geek.co.il>
 Odin Ugedal <odin@ugedal.com>
 ohmystack <jun.jiang02@ele.me>
 OKA Naoya <git@okanaoya.com>
@@ -604,19 +650,21 @@ Otto Kekäläinen <otto@seravo.fi>
 Ovidio Mallo <ovidio.mallo@gmail.com>
 Pascal Borreli <pascal@borreli.com>
 Patrick Böänziger <patrick.baenziger@bsi-software.com>
+Patrick Daigle <114765035+pdaig@users.noreply.github.com>
 Patrick Hemmer <patrick.hemmer@gmail.com>
 Patrick Lang <plang@microsoft.com>
 Paul <paul9869@gmail.com>
 Paul Kehrer <paul.l.kehrer@gmail.com>
 Paul Lietar <paul@lietar.net>
 Paul Mulders <justinkb@gmail.com>
+Paul Seyfert <pseyfert.mathphys@gmail.com>
 Paul Weaver <pauweave@cisco.com>
 Pavel Pospisil <pospispa@gmail.com>
 Paweł Gronowski <pawel.gronowski@docker.com>
 Paweł Pokrywka <pepawel@users.noreply.github.com>
 Paweł Szczekutowicz <pszczekutowicz@gmail.com>
 Peeyush Gupta <gpeeyush@linux.vnet.ibm.com>
-Per Lundberg <per.lundberg@ecraft.com>
+Per Lundberg <perlun@gmail.com>
 Peter Dave Hello <hsu@peterdavehello.org>
 Peter Edge <peter.edge@gmail.com>
 Peter Hsu <shhsu@microsoft.com>
@@ -639,6 +687,7 @@ Preston Cowley <preston.cowley@sony.com>
 Pure White <daniel48@126.com>
 Qiang Huang <h.huangqiang@huawei.com>
 Qinglan Peng <qinglanpeng@zju.edu.cn>
+QQå–µ <gqqnb2005@gmail.com>
 qudongfang <qudongfang@gmail.com>
 Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
 Rahul Kadyan <hi@znck.me>
@@ -657,6 +706,7 @@ Rick Wieman <git@rickw.nl>
 Ritesh H Shukla <sritesh@vmware.com>
 Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 Rob Gulewich <rgulewich@netflix.com>
+Rob Murray <rob.murray@docker.com>
 Robert Wallis <smilingrob@gmail.com>
 Robin Naundorf <r.naundorf@fh-muenster.de>
 Robin Speekenbrink <robin@kingsquare.nl>
@@ -670,6 +720,7 @@ Rory Hunter <roryhunter2@gmail.com>
 Ross Boucher <rboucher@gmail.com>
 Rubens Figueiredo <r.figueiredo.52@gmail.com>
 Rui Cao <ruicao@alauda.io>
+Rui JingAn <quiterace@gmail.com>
 Ryan Belgrave <rmb1993@gmail.com>
 Ryan Detzel <ryan.detzel@gmail.com>
 Ryan Stelly <ryan.stelly@live.com>
@@ -689,6 +740,7 @@ Sandro Jäckel <sandro.jaeckel@gmail.com>
 Santhosh Manohar <santhosh@docker.com>
 Sargun Dhillon <sargun@netflix.com>
 Saswat Bhattacharya <sas.saswat@gmail.com>
+Saurabh Kumar <saurabhkumar0184@gmail.com>
 Scott Brenner <scott@scottbrenner.me>
 Scott Collier <emailscottcollier@gmail.com>
 Sean Christopherson <sean.j.christopherson@intel.com>
@@ -762,6 +814,7 @@ Tim Hockin <thockin@google.com>
 Tim Sampson <tim@sampson.fi>
 Tim Smith <timbot@google.com>
 Tim Waugh <twaugh@redhat.com>
+Tim Welsh <timothy.welsh@docker.com>
 Tim Wraight <tim.wraight@tangentlabs.co.uk>
 timfeirg <kkcocogogo@gmail.com>
 Timothy Hobbs <timothyhobbs@seznam.cz>
@@ -788,6 +841,7 @@ uhayate <uhayate.gong@daocloud.io>
 Ulrich Bareth <ulrich.bareth@gmail.com>
 Ulysses Souza <ulysses.souza@docker.com>
 Umesh Yadav <umesh4257@gmail.com>
+Vaclav Struhar <struharv@gmail.com>
 Valentin Lorentz <progval+git@progval.net>
 Vardan Pogosian <vardan.pogosyan@gmail.com>
 Venkateswara Reddy Bukkasamudram <bukkasamudram@outlook.com>
@@ -795,6 +849,7 @@ Veres Lajos <vlajos@gmail.com>
 Victor Vieux <victor.vieux@docker.com>
 Victoria Bialas <victoria.bialas@docker.com>
 Viktor Stanchev <me@viktorstanchev.com>
+Ville Skyttä <ville.skytta@iki.fi>
 Vimal Raghubir <vraghubir0418@gmail.com>
 Vincent Batts <vbatts@redhat.com>
 Vincent Bernat <Vincent.Bernat@exoscale.ch>
@@ -831,6 +886,7 @@ Yong Tang <yong.tang.github@outlook.com>
 Yosef Fertel <yfertel@gmail.com>
 Yu Peng <yu.peng36@zte.com.cn>
 Yuan Sun <sunyuan3@huawei.com>
+Yucheng Wu <wyc123wyc@gmail.com>
 Yue Zhang <zy675793960@yeah.net>
 Yunxiang Huang <hyxqshk@vip.qq.com>
 Zachary Romero <zacromero3@gmail.com>
@@ -842,9 +898,11 @@ Zhang Wei <zhangwei555@huawei.com>
 Zhang Wentao <zhangwentao234@huawei.com>
 ZhangHang <stevezhang2014@gmail.com>
 zhenghenghuo <zhenghenghuo@zju.edu.cn>
+Zhiwei Liang <zliang@akamai.com>
 Zhou Hao <zhouhao@cn.fujitsu.com>
 Zhoulin Xie <zhoulin.xie@daocloud.io>
 Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
+Zhuo Zhi <h.dwwwwww@gmail.com>
 �lex González <agonzalezro@gmail.com>
 �lvaro Lázaro <alvaro.lazaro.g@gmail.com>
 �tila Camurça Alves <camurca.home@gmail.com>
diff --git a/vendor/github.com/docker/cli/NOTICE b/vendor/github.com/docker/cli/NOTICE
index 58b19b6d15b..1c40faaec61 100644
--- a/vendor/github.com/docker/cli/NOTICE
+++ b/vendor/github.com/docker/cli/NOTICE
@@ -14,6 +14,6 @@ United States and other governments.
 It is your responsibility to ensure that your use and/or transfer does not
 violate applicable laws.
 
-For more information, please see https://www.bis.doc.gov
+For more information, see https://www.bis.doc.gov
 
 See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/vendor/github.com/docker/cli/cli/config/config.go b/vendor/github.com/docker/cli/cli/config/config.go
index b7c05c3f860..5a518432601 100644
--- a/vendor/github.com/docker/cli/cli/config/config.go
+++ b/vendor/github.com/docker/cli/cli/config/config.go
@@ -4,44 +4,38 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/user"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"sync"
 
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/config/credentials"
 	"github.com/docker/cli/cli/config/types"
-	"github.com/docker/docker/pkg/homedir"
 	"github.com/pkg/errors"
 )
 
 const (
-	// ConfigFileName is the name of config file
+	// EnvOverrideConfigDir is the name of the environment variable that can be
+	// used to override the location of the client configuration files (~/.docker).
+	//
+	// It takes priority over the default, but can be overridden by the "--config"
+	// command line option.
+	EnvOverrideConfigDir = "DOCKER_CONFIG"
+
+	// ConfigFileName is the name of the client configuration file inside the
+	// config-directory.
 	ConfigFileName = "config.json"
 	configFileDir  = ".docker"
-	oldConfigfile  = ".dockercfg" // Deprecated: remove once we stop printing deprecation warning
 	contextsDir    = "contexts"
 )
 
 var (
 	initConfigDir = new(sync.Once)
 	configDir     string
-	homeDir       string
 )
 
-// resetHomeDir is used in testing to reset the "homeDir" package variable to
-// force re-lookup of the home directory between tests.
-func resetHomeDir() {
-	homeDir = ""
-}
-
-func getHomeDir() string {
-	if homeDir == "" {
-		homeDir = homedir.Get()
-	}
-	return homeDir
-}
-
 // resetConfigDir is used in testing to reset the "configDir" package variable
 // and its sync.Once to force re-lookup between tests.
 func resetConfigDir() {
@@ -49,19 +43,40 @@ func resetConfigDir() {
 	initConfigDir = new(sync.Once)
 }
 
-func setConfigDir() {
-	if configDir != "" {
-		return
-	}
-	configDir = os.Getenv("DOCKER_CONFIG")
-	if configDir == "" {
-		configDir = filepath.Join(getHomeDir(), configFileDir)
+// getHomeDir returns the home directory of the current user with the help of
+// environment variables depending on the target operating system.
+// Returned path should be used with "path/filepath" to form new paths.
+//
+// On non-Windows platforms, it falls back to nss lookups, if the home
+// directory cannot be obtained from environment-variables.
+//
+// If linking statically with cgo enabled against glibc, ensure the
+// osusergo build tag is used.
+//
+// If needing to do nss lookups, do not disable cgo or set osusergo.
+//
+// getHomeDir is a copy of [pkg/homedir.Get] to prevent adding docker/docker
+// as dependency for consumers that only need to read the config-file.
+//
+// [pkg/homedir.Get]: https://pkg.go.dev/github.com/docker/docker@v26.1.4+incompatible/pkg/homedir#Get
+func getHomeDir() string {
+	home, _ := os.UserHomeDir()
+	if home == "" && runtime.GOOS != "windows" {
+		if u, err := user.Current(); err == nil {
+			return u.HomeDir
+		}
 	}
+	return home
 }
 
 // Dir returns the directory the configuration file is stored in
 func Dir() string {
-	initConfigDir.Do(setConfigDir)
+	initConfigDir.Do(func() {
+		configDir = os.Getenv(EnvOverrideConfigDir)
+		if configDir == "" {
+			configDir = filepath.Join(getHomeDir(), configFileDir)
+		}
+	})
 	return configDir
 }
 
@@ -72,6 +87,8 @@ func ContextStoreDir() string {
 
 // SetDir sets the directory the configuration file is stored in
 func SetDir(dir string) {
+	// trigger the sync.Once to synchronise with Dir()
+	initConfigDir.Do(func() {})
 	configDir = filepath.Clean(dir)
 }
 
@@ -85,7 +102,7 @@ func Path(p ...string) (string, error) {
 }
 
 // LoadFromReader is a convenience function that creates a ConfigFile object from
-// a reader
+// a reader. It returns an error if configData is malformed.
 func LoadFromReader(configData io.Reader) (*configfile.ConfigFile, error) {
 	configFile := configfile.ConfigFile{
 		AuthConfigs: make(map[string]types.AuthConfig),
@@ -94,57 +111,59 @@ func LoadFromReader(configData io.Reader) (*configfile.ConfigFile, error) {
 	return &configFile, err
 }
 
-// Load reads the configuration files in the given directory, and sets up
-// the auth config information and returns values.
-// FIXME: use the internal golang config parser
+// Load reads the configuration file ([ConfigFileName]) from the given directory.
+// If no directory is given, it uses the default [Dir]. A [*configfile.ConfigFile]
+// is returned containing the contents of the configuration file, or a default
+// struct if no configfile exists in the given location.
+//
+// Load returns an error if a configuration file exists in the given location,
+// but cannot be read, or is malformed. Consumers must handle errors to prevent
+// overwriting an existing configuration file.
 func Load(configDir string) (*configfile.ConfigFile, error) {
-	cfg, _, err := load(configDir)
-	return cfg, err
-}
-
-// TODO remove this temporary hack, which is used to warn about the deprecated ~/.dockercfg file
-// so we can remove the bool return value and collapse this back into `Load`
-func load(configDir string) (*configfile.ConfigFile, bool, error) {
-	printLegacyFileWarning := false
-
 	if configDir == "" {
 		configDir = Dir()
 	}
+	return load(configDir)
+}
 
+func load(configDir string) (*configfile.ConfigFile, error) {
 	filename := filepath.Join(configDir, ConfigFileName)
 	configFile := configfile.New(filename)
 
-	// Try happy path first - latest config file
-	if file, err := os.Open(filename); err == nil {
-		defer file.Close()
-		err = configFile.LoadFromReader(file)
-		if err != nil {
-			err = errors.Wrap(err, filename)
+	file, err := os.Open(filename)
+	if err != nil {
+		if os.IsNotExist(err) {
+			// It is OK for no configuration file to be present, in which
+			// case we return a default struct.
+			return configFile, nil
 		}
-		return configFile, printLegacyFileWarning, err
-	} else if !os.IsNotExist(err) {
-		// if file is there but we can't stat it for any reason other
-		// than it doesn't exist then stop
-		return configFile, printLegacyFileWarning, errors.Wrap(err, filename)
+		// Any other error happening when failing to read the file must be returned.
+		return configFile, errors.Wrap(err, "loading config file")
 	}
-
-	// Can't find latest config file so check for the old one
-	filename = filepath.Join(getHomeDir(), oldConfigfile)
-	if _, err := os.Stat(filename); err == nil {
-		printLegacyFileWarning = true
+	defer file.Close()
+	err = configFile.LoadFromReader(file)
+	if err != nil {
+		err = errors.Wrapf(err, "loading config file: %s: ", filename)
 	}
-	return configFile, printLegacyFileWarning, nil
+	return configFile, err
 }
 
 // LoadDefaultConfigFile attempts to load the default config file and returns
-// an initialized ConfigFile struct if none is found.
+// a reference to the ConfigFile struct. If none is found or when failing to load
+// the configuration file, it initializes a default ConfigFile struct. If no
+// credentials-store is set in the configuration file, it attempts to discover
+// the default store to use for the current platform.
+//
+// Important: LoadDefaultConfigFile prints a warning to stderr when failing to
+// load the configuration file, but otherwise ignores errors. Consumers should
+// consider using [Load] (and [credentials.DetectDefaultStore]) to detect errors
+// when updating the configuration file, to prevent discarding a (malformed)
+// configuration file.
 func LoadDefaultConfigFile(stderr io.Writer) *configfile.ConfigFile {
-	configFile, printLegacyFileWarning, err := load(Dir())
+	configFile, err := load(Dir())
 	if err != nil {
-		fmt.Fprintf(stderr, "WARNING: Error loading config file: %v\n", err)
-	}
-	if printLegacyFileWarning {
-		_, _ = fmt.Fprintln(stderr, "WARNING: Support for the legacy ~/.dockercfg configuration file and file-format has been removed and the configuration file will be ignored")
+		// FIXME(thaJeztah): we should not proceed here to prevent overwriting existing (but malformed) config files; see https://github.com/docker/cli/issues/5075
+		_, _ = fmt.Fprintln(stderr, "WARNING: Error", err)
 	}
 	if !configFile.ContainsAuth() {
 		configFile.CredentialsStore = credentials.DetectDefaultStore(configFile.CredentialsStore)
diff --git a/vendor/github.com/docker/cli/cli/config/configfile/file.go b/vendor/github.com/docker/cli/cli/config/configfile/file.go
index 442c31110b1..ae9dcb3370c 100644
--- a/vendor/github.com/docker/cli/cli/config/configfile/file.go
+++ b/vendor/github.com/docker/cli/cli/config/configfile/file.go
@@ -41,6 +41,7 @@ type ConfigFile struct {
 	CLIPluginsExtraDirs  []string                     `json:"cliPluginsExtraDirs,omitempty"`
 	Plugins              map[string]map[string]string `json:"plugins,omitempty"`
 	Aliases              map[string]string            `json:"aliases,omitempty"`
+	Features             map[string]string            `json:"features,omitempty"`
 }
 
 // ProxyConfig contains proxy configuration settings
@@ -302,6 +303,7 @@ func (configFile *ConfigFile) GetAllCredentials() (map[string]types.AuthConfig,
 	for registryHostname := range configFile.CredentialHelpers {
 		newAuth, err := configFile.GetAuthConfig(registryHostname)
 		if err != nil {
+			// TODO(thaJeztah): use context-logger, so that this output can be suppressed (in tests).
 			logrus.WithError(err).Warnf("Failed to get credentials for registry: %s", registryHostname)
 			continue
 		}
diff --git a/vendor/github.com/docker/cli/cli/config/configfile/file_unix.go b/vendor/github.com/docker/cli/cli/config/configfile/file_unix.go
index 353887547cd..06b811e7d5f 100644
--- a/vendor/github.com/docker/cli/cli/config/configfile/file_unix.go
+++ b/vendor/github.com/docker/cli/cli/config/configfile/file_unix.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package configfile
 
diff --git a/vendor/github.com/docker/cli/cli/config/credentials/default_store.go b/vendor/github.com/docker/cli/cli/config/credentials/default_store.go
index 402235bff02..a36afc41f4f 100644
--- a/vendor/github.com/docker/cli/cli/config/credentials/default_store.go
+++ b/vendor/github.com/docker/cli/cli/config/credentials/default_store.go
@@ -1,21 +1,22 @@
 package credentials
 
-import (
-	exec "golang.org/x/sys/execabs"
-)
+import "os/exec"
 
 // DetectDefaultStore return the default credentials store for the platform if
-// the store executable is available.
+// no user-defined store is passed, and the store executable is available.
 func DetectDefaultStore(store string) string {
-	platformDefault := defaultCredentialsStore()
-
-	// user defined or no default for platform
-	if store != "" || platformDefault == "" {
+	if store != "" {
+		// use user-defined
 		return store
 	}
 
-	if _, err := exec.LookPath(remoteCredentialsPrefix + platformDefault); err == nil {
-		return platformDefault
+	platformDefault := defaultCredentialsStore()
+	if platformDefault == "" {
+		return ""
+	}
+
+	if _, err := exec.LookPath(remoteCredentialsPrefix + platformDefault); err != nil {
+		return ""
 	}
-	return ""
+	return platformDefault
 }
diff --git a/vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go b/vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go
index c9630ea51ba..40c16eb837d 100644
--- a/vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go
+++ b/vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go
@@ -1,5 +1,4 @@
 //go:build !windows && !darwin && !linux
-// +build !windows,!darwin,!linux
 
 package credentials
 
diff --git a/vendor/github.com/docker/cli/cli/config/credentials/file_store.go b/vendor/github.com/docker/cli/cli/config/credentials/file_store.go
index ea30fc30063..3b8955994dc 100644
--- a/vendor/github.com/docker/cli/cli/config/credentials/file_store.go
+++ b/vendor/github.com/docker/cli/cli/config/credentials/file_store.go
@@ -1,6 +1,8 @@
 package credentials
 
 import (
+	"net"
+	"net/url"
 	"strings"
 
 	"github.com/docker/cli/cli/config/types"
@@ -68,14 +70,17 @@ func (c *fileStore) IsFileStore() bool {
 // ConvertToHostname converts a registry url which has http|https prepended
 // to just an hostname.
 // Copied from github.com/docker/docker/registry.ConvertToHostname to reduce dependencies.
-func ConvertToHostname(url string) string {
-	stripped := url
-	if strings.HasPrefix(url, "http://") {
-		stripped = strings.TrimPrefix(url, "http://")
-	} else if strings.HasPrefix(url, "https://") {
-		stripped = strings.TrimPrefix(url, "https://")
+func ConvertToHostname(maybeURL string) string {
+	stripped := maybeURL
+	if strings.Contains(stripped, "://") {
+		u, err := url.Parse(stripped)
+		if err == nil && u.Hostname() != "" {
+			if u.Port() == "" {
+				return u.Hostname()
+			}
+			return net.JoinHostPort(u.Hostname(), u.Port())
+		}
 	}
-
 	hostName, _, _ := strings.Cut(stripped, "/")
 	return hostName
 }
diff --git a/vendor/github.com/docker/cli/cli/config/credentials/native_store.go b/vendor/github.com/docker/cli/cli/config/credentials/native_store.go
index f9619b0381c..b9af145b9dc 100644
--- a/vendor/github.com/docker/cli/cli/config/credentials/native_store.go
+++ b/vendor/github.com/docker/cli/cli/config/credentials/native_store.go
@@ -51,6 +51,7 @@ func (c *nativeStore) Get(serverAddress string) (types.AuthConfig, error) {
 	auth.Username = creds.Username
 	auth.IdentityToken = creds.IdentityToken
 	auth.Password = creds.Password
+	auth.ServerAddress = creds.ServerAddress
 
 	return auth, nil
 }
@@ -76,6 +77,9 @@ func (c *nativeStore) GetAll() (map[string]types.AuthConfig, error) {
 		ac.Username = creds.Username
 		ac.Password = creds.Password
 		ac.IdentityToken = creds.IdentityToken
+		if ac.ServerAddress == "" {
+			ac.ServerAddress = creds.ServerAddress
+		}
 		authConfigs[registry] = ac
 	}
 
diff --git a/vendor/github.com/docker/docker/AUTHORS b/vendor/github.com/docker/docker/AUTHORS
deleted file mode 100644
index 36315d429d1..00000000000
--- a/vendor/github.com/docker/docker/AUTHORS
+++ /dev/null
@@ -1,2438 +0,0 @@
-# File @generated by hack/generate-authors.sh. DO NOT EDIT.
-# This file lists all contributors to the repository.
-# See hack/generate-authors.sh to make modifications.
-
-Aanand Prasad <aanand.prasad@gmail.com>
-Aaron Davidson <aaron@databricks.com>
-Aaron Feng <aaron.feng@gmail.com>
-Aaron Hnatiw <aaron@griddio.com>
-Aaron Huslage <huslage@gmail.com>
-Aaron L. Xu <liker.xu@foxmail.com>
-Aaron Lehmann <alehmann@netflix.com>
-Aaron Welch <welch@packet.net>
-Abel Muiño <amuino@gmail.com>
-Abhijeet Kasurde <akasurde@redhat.com>
-Abhinandan Prativadi <aprativadi@gmail.com>
-Abhinav Ajgaonkar <abhinav316@gmail.com>
-Abhishek Chanda <abhishek.becs@gmail.com>
-Abhishek Sharma <abhishek@asharma.me>
-Abin Shahab <ashahab@altiscale.com>
-Abirdcfly <fp544037857@gmail.com>
-Ada Mancini <ada@docker.com>
-Adam Avilla <aavilla@yp.com>
-Adam Dobrawy <naczelnik@jawnosc.tk>
-Adam Eijdenberg <adam.eijdenberg@gmail.com>
-Adam Kunk <adam.kunk@tiaa-cref.org>
-Adam Miller <admiller@redhat.com>
-Adam Mills <adam@armills.info>
-Adam Pointer <adam.pointer@skybettingandgaming.com>
-Adam Singer <financeCoding@gmail.com>
-Adam Thornton <adam.thornton@maryville.com>
-Adam Walz <adam@adamwalz.net>
-Adam Williams <awilliams@mirantis.com>
-AdamKorcz <adam@adalogics.com>
-Addam Hardy <addam.hardy@gmail.com>
-Aditi Rajagopal <arajagopal@us.ibm.com>
-Aditya <aditya@netroy.in>
-Adnan Khan <adnkha@amazon.com>
-Adolfo Ochagavía <aochagavia92@gmail.com>
-Adria Casas <adriacasas88@gmail.com>
-Adrian Moisey <adrian@changeover.za.net>
-Adrian Mouat <adrian.mouat@gmail.com>
-Adrian Oprea <adrian@codesi.nz>
-Adrien Folie <folie.adrien@gmail.com>
-Adrien Gallouët <adrien@gallouet.fr>
-Ahmed Kamal <email.ahmedkamal@googlemail.com>
-Ahmet Alp Balkan <ahmetb@microsoft.com>
-Aidan Feldman <aidan.feldman@gmail.com>
-Aidan Hobson Sayers <aidanhs@cantab.net>
-AJ Bowen <aj@soulshake.net>
-Ajey Charantimath <ajey.charantimath@gmail.com>
-ajneu <ajneu@users.noreply.github.com>
-Akash Gupta <akagup@microsoft.com>
-Akhil Mohan <akhil.mohan@mayadata.io>
-Akihiro Matsushima <amatsusbit@gmail.com>
-Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
-Akim Demaille <akim.demaille@docker.com>
-Akira Koyasu <mail@akirakoyasu.net>
-Akshay Karle <akshay.a.karle@gmail.com>
-Akshay Moghe <akshay.moghe@gmail.com>
-Al Tobey <al@ooyala.com>
-alambike <alambike@gmail.com>
-Alan Hoyle <alan@alanhoyle.com>
-Alan Scherger <flyinprogrammer@gmail.com>
-Alan Thompson <cloojure@gmail.com>
-Albert Callarisa <shark234@gmail.com>
-Albert Zhang <zhgwenming@gmail.com>
-Albin Kerouanton <albinker@gmail.com>
-Alec Benson <albenson@redhat.com>
-Alejandro González Hevia <alejandrgh11@gmail.com>
-Aleksa Sarai <asarai@suse.de>
-Aleksandr Chebotov <v-aleche@microsoft.com>
-Aleksandrs Fadins <aleks@s-ko.net>
-Alena Prokharchyk <alena@rancher.com>
-Alessandro Boch <aboch@tetrationanalytics.com>
-Alessio Biancalana <dottorblaster@gmail.com>
-Alex Chan <alex@alexwlchan.net>
-Alex Chen <alexchenunix@gmail.com>
-Alex Coventry <alx@empirical.com>
-Alex Crawford <alex.crawford@coreos.com>
-Alex Ellis <alexellis2@gmail.com>
-Alex Gaynor <alex.gaynor@gmail.com>
-Alex Goodman <wagoodman@gmail.com>
-Alex Nordlund <alexander.nordlund@nasdaq.com>
-Alex Olshansky <i@creagenics.com>
-Alex Samorukov <samm@os2.kiev.ua>
-Alex Stockinger <alex@atomicjar.com>
-Alex Warhawk <ax.warhawk@gmail.com>
-Alexander Artemenko <svetlyak.40wt@gmail.com>
-Alexander Boyd <alex@opengroove.org>
-Alexander Larsson <alexl@redhat.com>
-Alexander Midlash <amidlash@docker.com>
-Alexander Morozov <lk4d4math@gmail.com>
-Alexander Polakov <plhk@sdf.org>
-Alexander Shopov <ash@kambanaria.org>
-Alexandre Beslic <alexandre.beslic@gmail.com>
-Alexandre Garnier <zigarn@gmail.com>
-Alexandre González <agonzalezro@gmail.com>
-Alexandre Jomin <alexandrejomin@gmail.com>
-Alexandru Sfirlogea <alexandru.sfirlogea@gmail.com>
-Alexei Margasov <alexei38@yandex.ru>
-Alexey Guskov <lexag@mail.ru>
-Alexey Kotlyarov <alexey@infoxchange.net.au>
-Alexey Shamrin <shamrin@gmail.com>
-Alexis Ries <ries.alexis@gmail.com>
-Alexis Thomas <fr.alexisthomas@gmail.com>
-Alfred Landrum <alfred.landrum@docker.com>
-Ali Dehghani <ali.dehghani.g@gmail.com>
-Alicia Lauerman <alicia@eta.im>
-Alihan Demir <alihan_6153@hotmail.com>
-Allen Madsen <blatyo@gmail.com>
-Allen Sun <allensun.shl@alibaba-inc.com>
-almoehi <almoehi@users.noreply.github.com>
-Alvaro Saurin <alvaro.saurin@gmail.com>
-Alvin Deng <alvin.q.deng@utexas.edu>
-Alvin Richards <alvin.richards@docker.com>
-amangoel <amangoel@gmail.com>
-Amen Belayneh <amenbelayneh@gmail.com>
-Ameya Gawde <agawde@mirantis.com>
-Amir Goldstein <amir73il@aquasec.com>
-Amit Bakshi <ambakshi@gmail.com>
-Amit Krishnan <amit.krishnan@oracle.com>
-Amit Shukla <amit.shukla@docker.com>
-Amr Gawish <amr.gawish@gmail.com>
-Amy Lindburg <amy.lindburg@docker.com>
-Anand Patil <anand.prabhakar.patil@gmail.com>
-AnandkumarPatel <anandkumarpatel@gmail.com>
-Anatoly Borodin <anatoly.borodin@gmail.com>
-Anca Iordache <anca.iordache@docker.com>
-Anchal Agrawal <aagrawa4@illinois.edu>
-Anda Xu <anda.xu@docker.com>
-Anders Janmyr <anders@janmyr.com>
-Andre Dublin <81dublin@gmail.com>
-Andre Granovsky <robotciti@live.com>
-Andrea Denisse Gómez <crypto.andrea@protonmail.ch>
-Andrea Luzzardi <aluzzardi@gmail.com>
-Andrea Turli <andrea.turli@gmail.com>
-Andreas Elvers <andreas@work.de>
-Andreas Köhler <andi5.py@gmx.net>
-Andreas Savvides <andreas@editd.com>
-Andreas Tiefenthaler <at@an-ti.eu>
-Andrei Gherzan <andrei@resin.io>
-Andrei Ushakov <aushakov@netflix.com>
-Andrei Vagin <avagin@gmail.com>
-Andrew C. Bodine <acbodine@us.ibm.com>
-Andrew Clay Shafer <andrewcshafer@gmail.com>
-Andrew Duckworth <grillopress@gmail.com>
-Andrew France <andrew@avito.co.uk>
-Andrew Gerrand <adg@golang.org>
-Andrew Guenther <guenther.andrew.j@gmail.com>
-Andrew He <he.andrew.mail@gmail.com>
-Andrew Hsu <andrewhsu@docker.com>
-Andrew Kim <taeyeonkim90@gmail.com>
-Andrew Kuklewicz <kookster@gmail.com>
-Andrew Macgregor <andrew.macgregor@agworld.com.au>
-Andrew Macpherson <hopscotch23@gmail.com>
-Andrew Martin <sublimino@gmail.com>
-Andrew McDonnell <bugs@andrewmcdonnell.net>
-Andrew Munsell <andrew@wizardapps.net>
-Andrew Pennebaker <andrew.pennebaker@gmail.com>
-Andrew Po <absourd.noise@gmail.com>
-Andrew Weiss <andrew.weiss@docker.com>
-Andrew Williams <williams.andrew@gmail.com>
-Andrews Medina <andrewsmedina@gmail.com>
-Andrey Kolomentsev <andrey.kolomentsev@docker.com>
-Andrey Petrov <andrey.petrov@shazow.net>
-Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
-André Martins <aanm90@gmail.com>
-Andy Chambers <anchambers@paypal.com>
-andy diller <dillera@gmail.com>
-Andy Goldstein <agoldste@redhat.com>
-Andy Kipp <andy@rstudio.com>
-Andy Lindeman <alindeman@salesforce.com>
-Andy Rothfusz <github@developersupport.net>
-Andy Smith <github@anarkystic.com>
-Andy Wilson <wilson.andrew.j+github@gmail.com>
-Andy Zhang <andy.zhangtao@hotmail.com>
-Aneesh Kulkarni <askthefactorcamera@gmail.com>
-Anes Hasicic <anes.hasicic@gmail.com>
-Angel Velazquez <angelcar@amazon.com>
-Anil Belur <askb23@gmail.com>
-Anil Madhavapeddy <anil@recoil.org>
-Ankit Jain <ajatkj@yahoo.co.in>
-Ankush Agarwal <ankushagarwal11@gmail.com>
-Anonmily <michelle@michelleliu.io>
-Anran Qiao <anran.qiao@daocloud.io>
-Anshul Pundir <anshul.pundir@docker.com>
-Anthon van der Neut <anthon@mnt.org>
-Anthony Baire <Anthony.Baire@irisa.fr>
-Anthony Bishopric <git@anthonybishopric.com>
-Anthony Dahanne <anthony.dahanne@gmail.com>
-Anthony Sottile <asottile@umich.edu>
-Anton Löfgren <anton.lofgren@gmail.com>
-Anton Nikitin <anton.k.nikitin@gmail.com>
-Anton Polonskiy <anton.polonskiy@gmail.com>
-Anton Tiurin <noxiouz@yandex.ru>
-Antonio Murdaca <antonio.murdaca@gmail.com>
-Antonis Kalipetis <akalipetis@gmail.com>
-Antony Messerli <amesserl@rackspace.com>
-Anuj Bahuguna <anujbahuguna.dev@gmail.com>
-Anuj Varma <anujvarma@thumbtack.com>
-Anusha Ragunathan <anusha.ragunathan@docker.com>
-Anyu Wang <wanganyu@outlook.com>
-apocas <petermdias@gmail.com>
-Arash Deshmeh <adeshmeh@ca.ibm.com>
-arcosx <arcosx@outlook.com>
-ArikaChen <eaglesora@gmail.com>
-Arko Dasgupta <arko@tetrate.io>
-Arnaud Lefebvre <a.lefebvre@outlook.fr>
-Arnaud Porterie <icecrime@gmail.com>
-Arnaud Rebillout <arnaud.rebillout@collabora.com>
-Artem Khramov <akhramov@pm.me>
-Arthur Barr <arthur.barr@uk.ibm.com>
-Arthur Gautier <baloo@gandi.net>
-Artur Meyster <arthurfbi@yahoo.com>
-Arun Gupta <arun.gupta@gmail.com>
-Asad Saeeduddin <masaeedu@gmail.com>
-Asbjørn Enge <asbjorn@hanafjedle.net>
-Austin Vazquez <macedonv@amazon.com>
-averagehuman <averagehuman@users.noreply.github.com>
-Avi Das <andas222@gmail.com>
-Avi Kivity <avi@scylladb.com>
-Avi Miller <avi.miller@oracle.com>
-Avi Vaid <avaid1996@gmail.com>
-ayoshitake <airandfingers@gmail.com>
-Azat Khuyiyakhmetov <shadow_uz@mail.ru>
-Bao Yonglei <baoyonglei@huawei.com>
-Bardia Keyoumarsi <bkeyouma@ucsc.edu>
-Barnaby Gray <barnaby@pickle.me.uk>
-Barry Allard <barry.allard@gmail.com>
-Bartłomiej Piotrowski <b@bpiotrowski.pl>
-Bastiaan Bakker <bbakker@xebia.com>
-Bastien Pascard <bpascard@hotmail.com>
-bdevloed <boris.de.vloed@gmail.com>
-Bearice Ren <bearice@gmail.com>
-Ben Bonnefoy <frenchben@docker.com>
-Ben Firshman <ben@firshman.co.uk>
-Ben Golub <ben.golub@dotcloud.com>
-Ben Gould <ben@bengould.co.uk>
-Ben Hall <ben@benhall.me.uk>
-Ben Langfeld <ben@langfeld.me>
-Ben Lovy <ben@deciduously.com>
-Ben Sargent <ben@brokendigits.com>
-Ben Severson <BenSeverson@users.noreply.github.com>
-Ben Toews <mastahyeti@gmail.com>
-Ben Wiklund <ben@daisyowl.com>
-Benjamin Atkin <ben@benatkin.com>
-Benjamin Baker <Benjamin.baker@utexas.edu>
-Benjamin Boudreau <boudreau.benjamin@gmail.com>
-Benjamin Böhmke <benjamin@boehmke.net>
-Benjamin Wang <wachao@vmware.com>
-Benjamin Yolken <yolken@stripe.com>
-Benny Ng <benny.tpng@gmail.com>
-Benoit Chesneau <bchesneau@gmail.com>
-Bernerd Schaefer <bj.schaefer@gmail.com>
-Bernhard M. Wiedemann <bwiedemann@suse.de>
-Bert Goethals <bert@bertg.be>
-Bertrand Roussel <broussel@sierrawireless.com>
-Bevisy Zhang <binbin36520@gmail.com>
-Bharath Thiruveedula <bharath_ves@hotmail.com>
-Bhiraj Butala <abhiraj.butala@gmail.com>
-Bhumika Bayani <bhumikabayani@gmail.com>
-Bilal Amarni <bilal.amarni@gmail.com>
-Bill Wang <ozbillwang@gmail.com>
-Billy Ridgway <wrridgwa@us.ibm.com>
-Bily Zhang <xcoder@tenxcloud.com>
-Bin Liu <liubin0329@gmail.com>
-Bingshen Wang <bingshen.wbs@alibaba-inc.com>
-Bjorn Neergaard <bjorn@neersighted.com>
-Blake Geno <blakegeno@gmail.com>
-Boaz Shuster <ripcurld.github@gmail.com>
-bobby abbott <ttobbaybbob@gmail.com>
-Bojun Zhu <bojun.zhu@foxmail.com>
-Boqin Qin <bobbqqin@gmail.com>
-Boris Pruessmann <boris@pruessmann.org>
-Boshi Lian <farmer1992@gmail.com>
-Bouke Haarsma <bouke@webatoom.nl>
-Boyd Hemphill <boyd@feedmagnet.com>
-boynux <boynux@gmail.com>
-Bradley Cicenas <bradley.cicenas@gmail.com>
-Bradley Wright <brad@intranation.com>
-Brandon Liu <bdon@bdon.org>
-Brandon Philips <brandon.philips@coreos.com>
-Brandon Rhodes <brandon@rhodesmill.org>
-Brendan Dixon <brendand@microsoft.com>
-Brennan Kinney <5098581+polarathene@users.noreply.github.com>
-Brent Salisbury <brent.salisbury@docker.com>
-Brett Higgins <brhiggins@arbor.net>
-Brett Kochendorfer <brett.kochendorfer@gmail.com>
-Brett Milford <brettmilford@gmail.com>
-Brett Randall <javabrett@gmail.com>
-Brian (bex) Exelbierd <bexelbie@redhat.com>
-Brian Bland <brian.bland@docker.com>
-Brian DeHamer <brian@dehamer.com>
-Brian Dorsey <brian@dorseys.org>
-Brian Flad <bflad417@gmail.com>
-Brian Goff <cpuguy83@gmail.com>
-Brian McCallister <brianm@skife.org>
-Brian Olsen <brian@maven-group.org>
-Brian Schwind <brianmschwind@gmail.com>
-Brian Shumate <brian@couchbase.com>
-Brian Torres-Gil <brian@dralth.com>
-Brian Trump <btrump@yelp.com>
-Brice Jaglin <bjaglin@teads.tv>
-Briehan Lombaard <briehan.lombaard@gmail.com>
-Brielle Broder <bbroder@google.com>
-Bruno Bigras <bigras.bruno@gmail.com>
-Bruno Binet <bruno.binet@gmail.com>
-Bruno Gazzera <bgazzera@paginar.com>
-Bruno Renié <brutasse@gmail.com>
-Bruno Tavares <btavare@thoughtworks.com>
-Bryan Bess <squarejaw@bsbess.com>
-Bryan Boreham <bjboreham@gmail.com>
-Bryan Matsuo <bryan.matsuo@gmail.com>
-Bryan Murphy <bmurphy1976@gmail.com>
-Burke Libbey <burke@libbey.me>
-Byung Kang <byung.kang.ctr@amrdec.army.mil>
-Caleb Spare <cespare@gmail.com>
-Calen Pennington <cale@edx.org>
-Cameron Boehmer <cameron.boehmer@gmail.com>
-Cameron Sparr <gh@sparr.email>
-Cameron Spear <cameronspear@gmail.com>
-Campbell Allen <campbell.allen@gmail.com>
-Candid Dauth <cdauth@cdauth.eu>
-Cao Weiwei <cao.weiwei30@zte.com.cn>
-Carl Henrik Lunde <chlunde@ping.uio.no>
-Carl Loa Odin <carlodin@gmail.com>
-Carl X. Su <bcbcarl@gmail.com>
-Carlo Mion <mion00@gmail.com>
-Carlos Alexandro Becker <caarlos0@gmail.com>
-Carlos de Paula <me@carlosedp.com>
-Carlos Sanchez <carlos@apache.org>
-Carol Fager-Higgins <carol.fager-higgins@docker.com>
-Cary <caryhartline@users.noreply.github.com>
-Casey Bisson <casey.bisson@joyent.com>
-Catalin Pirvu <pirvu.catalin94@gmail.com>
-Ce Gao <ce.gao@outlook.com>
-Cedric Davies <cedricda@microsoft.com>
-Cezar Sa Espinola <cezarsa@gmail.com>
-Chad Swenson <chadswen@gmail.com>
-Chance Zibolski <chance.zibolski@gmail.com>
-Chander Govindarajan <chandergovind@gmail.com>
-Chanhun Jeong <keyolk@gmail.com>
-Chao Wang <wangchao.fnst@cn.fujitsu.com>
-Charles Chan <charleswhchan@users.noreply.github.com>
-Charles Hooper <charles.hooper@dotcloud.com>
-Charles Law <claw@conduce.com>
-Charles Lindsay <chaz@chazomatic.us>
-Charles Merriam <charles.merriam@gmail.com>
-Charles Sarrazin <charles@sarraz.in>
-Charles Smith <charles.smith@docker.com>
-Charlie Drage <charlie@charliedrage.com>
-Charlie Lewis <charliel@lab41.org>
-Chase Bolt <chase.bolt@gmail.com>
-ChaYoung You <yousbe@gmail.com>
-Chee Hau Lim <ch33hau@gmail.com>
-Chen Chao <cc272309126@gmail.com>
-Chen Chuanliang <chen.chuanliang@zte.com.cn>
-Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
-Chen Min <chenmin46@huawei.com>
-Chen Mingjie <chenmingjie0828@163.com>
-Chen Qiu <cheney-90@hotmail.com>
-Cheng-mean Liu <soccerl@microsoft.com>
-Chengfei Shang <cfshang@alauda.io>
-Chengguang Xu <cgxu519@gmx.com>
-Chenyang Yan <memory.yancy@gmail.com>
-chenyuzhu <chenyuzhi@oschina.cn>
-Chetan Birajdar <birajdar.chetan@gmail.com>
-Chewey <prosto-chewey@users.noreply.github.com>
-Chia-liang Kao <clkao@clkao.org>
-Chiranjeevi Tirunagari <vchiranjeeviak.tirunagari@gmail.com>
-chli <chli@freewheel.tv>
-Cholerae Hu <choleraehyq@gmail.com>
-Chris Alfonso <calfonso@redhat.com>
-Chris Armstrong <chris@opdemand.com>
-Chris Dias <cdias@microsoft.com>
-Chris Dituri <csdituri@gmail.com>
-Chris Fordham <chris@fordham-nagy.id.au>
-Chris Gavin <chris@chrisgavin.me>
-Chris Gibson <chris@chrisg.io>
-Chris Khoo <chris.khoo@gmail.com>
-Chris Kreussling (Flatbush Gardener) <xrisfg@gmail.com>
-Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
-Chris McKinnel <chrismckinnel@gmail.com>
-Chris Price <cprice@mirantis.com>
-Chris Seto <chriskseto@gmail.com>
-Chris Snow <chsnow123@gmail.com>
-Chris St. Pierre <chris.a.st.pierre@gmail.com>
-Chris Stivers <chris@stivers.us>
-Chris Swan <chris.swan@iee.org>
-Chris Telfer <ctelfer@docker.com>
-Chris Wahl <github@wahlnetwork.com>
-Chris Weyl <cweyl@alumni.drew.edu>
-Chris White <me@cwprogram.com>
-Christian Becker <christian.becker@sixt.com>
-Christian Berendt <berendt@b1-systems.de>
-Christian Brauner <christian.brauner@ubuntu.com>
-Christian Böhme <developement@boehme3d.de>
-Christian Muehlhaeuser <muesli@gmail.com>
-Christian Persson <saser@live.se>
-Christian Rotzoll <ch.rotzoll@gmail.com>
-Christian Simon <simon@swine.de>
-Christian Stefanescu <st.chris@gmail.com>
-Christoph Ziebuhr <chris@codefrickler.de>
-Christophe Mehay <cmehay@online.net>
-Christophe Troestler <christophe.Troestler@umons.ac.be>
-Christophe Vidal <kriss@krizalys.com>
-Christopher Biscardi <biscarch@sketcht.com>
-Christopher Crone <christopher.crone@docker.com>
-Christopher Currie <codemonkey+github@gmail.com>
-Christopher Jones <tophj@linux.vnet.ibm.com>
-Christopher Latham <sudosurootdev@gmail.com>
-Christopher Rigor <crigor@gmail.com>
-Christy Norman <christy@linux.vnet.ibm.com>
-Chun Chen <ramichen@tencent.com>
-Ciro S. Costa <ciro.costa@usp.br>
-Clayton Coleman <ccoleman@redhat.com>
-Clint Armstrong <clint@clintarmstrong.net>
-Clinton Kitson <clintonskitson@gmail.com>
-clubby789 <jamie@hill-daniel.co.uk>
-Cody Roseborough <crrosebo@amazon.com>
-Coenraad Loubser <coenraad@wish.org.za>
-Colin Dunklau <colin.dunklau@gmail.com>
-Colin Hebert <hebert.colin@gmail.com>
-Colin Panisset <github@clabber.com>
-Colin Rice <colin@daedrum.net>
-Colin Walters <walters@verbum.org>
-Collin Guarino <collin.guarino@gmail.com>
-Colm Hally <colmhally@gmail.com>
-companycy <companycy@gmail.com>
-Conor Evans <coevans@tcd.ie>
-Corbin Coleman <corbin.coleman@docker.com>
-Corey Farrell <git@cfware.com>
-Cory Forsyth <cory.forsyth@gmail.com>
-Cory Snider <csnider@mirantis.com>
-cressie176 <github@stephen-cresswell.net>
-Cristian Ariza <dev@cristianrz.com>
-Cristian Staretu <cristian.staretu@gmail.com>
-cristiano balducci <cristiano.balducci@gmail.com>
-Cristina Yenyxe Gonzalez Garcia <cristina.yenyxe@gmail.com>
-Cruceru Calin-Cristian <crucerucalincristian@gmail.com>
-cui fliter <imcusg@gmail.com>
-CUI Wei <ghostplant@qq.com>
-Cuong Manh Le <cuong.manhle.vn@gmail.com>
-Cyprian Gracz <cyprian.gracz@micro-jumbo.eu>
-Cyril F <cyrilf7x@gmail.com>
-Da McGrady <dabkb@aol.com>
-Daan van Berkel <daan.v.berkel.1980@gmail.com>
-Daehyeok Mun <daehyeok@gmail.com>
-Dafydd Crosby <dtcrsby@gmail.com>
-dalanlan <dalanlan925@gmail.com>
-Damian Smyth <damian@dsau.co>
-Damien Nadé <github@livna.org>
-Damien Nozay <damien.nozay@gmail.com>
-Damjan Georgievski <gdamjan@gmail.com>
-Dan Anolik <dan@anolik.net>
-Dan Buch <d.buch@modcloth.com>
-Dan Cotora <dan@bluevision.ro>
-Dan Feldman <danf@jfrog.com>
-Dan Griffin <dgriffin@peer1.com>
-Dan Hirsch <thequux@upstandinghackers.com>
-Dan Keder <dan.keder@gmail.com>
-Dan Levy <dan@danlevy.net>
-Dan McPherson <dmcphers@redhat.com>
-Dan Plamadeala <cornul11@gmail.com>
-Dan Stine <sw@stinemail.com>
-Dan Williams <me@deedubs.com>
-Dani Hodovic <dani.hodovic@gmail.com>
-Dani Louca <dani.louca@docker.com>
-Daniel Antlinger <d.antlinger@gmx.at>
-Daniel Black <daniel@linux.ibm.com>
-Daniel Dao <dqminh@cloudflare.com>
-Daniel Exner <dex@dragonslave.de>
-Daniel Farrell <dfarrell@redhat.com>
-Daniel Garcia <daniel@danielgarcia.info>
-Daniel Gasienica <daniel@gasienica.ch>
-Daniel Grunwell <mwgrunny@gmail.com>
-Daniel Helfand <helfand.4@gmail.com>
-Daniel Hiltgen <daniel.hiltgen@docker.com>
-Daniel J Walsh <dwalsh@redhat.com>
-Daniel Menet <membership@sontags.ch>
-Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com>
-Daniel Nephin <dnephin@docker.com>
-Daniel Norberg <dano@spotify.com>
-Daniel Nordberg <dnordberg@gmail.com>
-Daniel P. Berrangé <berrange@redhat.com>
-Daniel Robinson <gottagetmac@gmail.com>
-Daniel S <dan.streby@gmail.com>
-Daniel Sweet <danieljsweet@icloud.com>
-Daniel Von Fange <daniel@leancoder.com>
-Daniel Watkins <daniel@daniel-watkins.co.uk>
-Daniel X Moore <yahivin@gmail.com>
-Daniel YC Lin <dlin.tw@gmail.com>
-Daniel Zhang <jmzwcn@gmail.com>
-Daniele Rondina <geaaru@sabayonlinux.org>
-Danny Berger <dpb587@gmail.com>
-Danny Milosavljevic <dannym@scratchpost.org>
-Danny Yates <danny@codeaholics.org>
-Danyal Khaliq <danyal.khaliq@tenpearls.com>
-Darren Coxall <darren@darrencoxall.com>
-Darren Shepherd <darren.s.shepherd@gmail.com>
-Darren Stahl <darst@microsoft.com>
-Dattatraya Kumbhar <dattatraya.kumbhar@gslab.com>
-Davanum Srinivas <davanum@gmail.com>
-Dave Barboza <dbarboza@datto.com>
-Dave Goodchild <buddhamagnet@gmail.com>
-Dave Henderson <dhenderson@gmail.com>
-Dave MacDonald <mindlapse@gmail.com>
-Dave Tucker <dt@docker.com>
-David Anderson <dave@natulte.net>
-David Bellotti <dbellotti@pivotal.io>
-David Calavera <david.calavera@gmail.com>
-David Chung <david.chung@docker.com>
-David Corking <dmc-source@dcorking.com>
-David Cramer <davcrame@cisco.com>
-David Currie <david_currie@uk.ibm.com>
-David Davis <daviddavis@redhat.com>
-David Dooling <dooling@gmail.com>
-David Gageot <david@gageot.net>
-David Gebler <davidgebler@gmail.com>
-David Glasser <glasser@davidglasser.net>
-David Karlsson <35727626+dvdksn@users.noreply.github.com>
-David Lawrence <david.lawrence@docker.com>
-David Lechner <david@lechnology.com>
-David M. Karr <davidmichaelkarr@gmail.com>
-David Mackey <tdmackey@booleanhaiku.com>
-David Manouchehri <manouchehri@riseup.net>
-David Mat <david@davidmat.com>
-David Mcanulty <github@hellspark.com>
-David McKay <david@rawkode.com>
-David O'Rourke <david@scalefactory.com>
-David P Hilton <david.hilton.p@gmail.com>
-David Pelaez <pelaez89@gmail.com>
-David R. Jenni <david.r.jenni@gmail.com>
-David Röthlisberger <david@rothlis.net>
-David Sheets <dsheets@docker.com>
-David Sissitka <me@dsissitka.com>
-David Trott <github@davidtrott.com>
-David Wang <00107082@163.com>
-David Williamson <david.williamson@docker.com>
-David Xia <dxia@spotify.com>
-David Young <yangboh@cn.ibm.com>
-Davide Ceretti <davide.ceretti@hogarthww.com>
-Dawn Chen <dawnchen@google.com>
-dbdd <wangtong2712@gmail.com>
-dcylabs <dcylabs@gmail.com>
-Debayan De <debayande@users.noreply.github.com>
-Deborah Gertrude Digges <deborah.gertrude.digges@gmail.com>
-deed02392 <georgehafiz@gmail.com>
-Deep Debroy <ddebroy@docker.com>
-Deng Guangxing <dengguangxing@huawei.com>
-Deni Bertovic <deni@kset.org>
-Denis Defreyne <denis@soundcloud.com>
-Denis Gladkikh <denis@gladkikh.email>
-Denis Ollier <larchunix@users.noreply.github.com>
-Dennis Chen <barracks510@gmail.com>
-Dennis Chen <dennis.chen@arm.com>
-Dennis Docter <dennis@d23.nl>
-Derek <crq@kernel.org>
-Derek <crquan@gmail.com>
-Derek Ch <denc716@gmail.com>
-Derek McGowan <derek@mcg.dev>
-Deric Crago <deric.crago@gmail.com>
-Deshi Xiao <dxiao@redhat.com>
-Devon Estes <devon.estes@klarna.com>
-Devvyn Murphy <devvyn@devvyn.com>
-Dharmit Shah <shahdharmit@gmail.com>
-Dhawal Yogesh Bhanushali <dbhanushali@vmware.com>
-Dhilip Kumars <dhilip.kumar.s@huawei.com>
-Diego Romero <idiegoromero@gmail.com>
-Diego Siqueira <dieg0@live.com>
-Dieter Reuter <dieter.reuter@me.com>
-Dillon Dixon <dillondixon@gmail.com>
-Dima Stopel <dima@twistlock.com>
-Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
-Dimitris Mandalidis <dimitris.mandalidis@gmail.com>
-Dimitris Rozakis <dimrozakis@gmail.com>
-Dimitry Andric <d.andric@activevideo.com>
-Dinesh Subhraveti <dineshs@altiscale.com>
-Ding Fei <dingfei@stars.org.cn>
-dingwei <dingwei@cmss.chinamobile.com>
-Diogo Monica <diogo@docker.com>
-DiuDiugirl <sophia.wang@pku.edu.cn>
-Djibril Koné <kone.djibril@gmail.com>
-Djordje Lukic <djordje.lukic@docker.com>
-dkumor <daniel@dkumor.com>
-Dmitri Logvinenko <dmitri.logvinenko@gmail.com>
-Dmitri Shuralyov <shurcooL@gmail.com>
-Dmitry Demeshchuk <demeshchuk@gmail.com>
-Dmitry Gusev <dmitry.gusev@gmail.com>
-Dmitry Kononenko <d@dm42.ru>
-Dmitry Sharshakov <d3dx12.xx@gmail.com>
-Dmitry Shyshkin <dmitry@shyshkin.org.ua>
-Dmitry Smirnov <onlyjob@member.fsf.org>
-Dmitry V. Krivenok <krivenok.dmitry@gmail.com>
-Dmitry Vorobev <dimahabr@gmail.com>
-Dmytro Iakovliev <dmytro.iakovliev@zodiacsystems.com>
-docker-unir[bot] <docker-unir[bot]@users.noreply.github.com>
-Dolph Mathews <dolph.mathews@gmail.com>
-Dominic Tubach <dominic.tubach@to.com>
-Dominic Yin <yindongchao@inspur.com>
-Dominik Dingel <dingel@linux.vnet.ibm.com>
-Dominik Finkbeiner <finkes93@gmail.com>
-Dominik Honnef <dominik@honnef.co>
-Don Kirkby <donkirkby@users.noreply.github.com>
-Don Kjer <don.kjer@gmail.com>
-Don Spaulding <donspauldingii@gmail.com>
-Donald Huang <don.hcd@gmail.com>
-Dong Chen <dongluo.chen@docker.com>
-Donghwa Kim <shanytt@gmail.com>
-Donovan Jones <git@gamma.net.nz>
-Dorin Geman <dorin.geman@docker.com>
-Doron Podoleanu <doronp@il.ibm.com>
-Doug Davis <dug@us.ibm.com>
-Doug MacEachern <dougm@vmware.com>
-Doug Tangren <d.tangren@gmail.com>
-Douglas Curtis <dougcurtis1@gmail.com>
-Dr Nic Williams <drnicwilliams@gmail.com>
-dragon788 <dragon788@users.noreply.github.com>
-Dražen Lu�anin <kermit666@gmail.com>
-Drew Erny <derny@mirantis.com>
-Drew Hubl <drew.hubl@gmail.com>
-Dustin Sallings <dustin@spy.net>
-Ed Costello <epc@epcostello.com>
-Edmund Wagner <edmund-wagner@web.de>
-Eiichi Tsukata <devel@etsukata.com>
-Eike Herzbach <eike@herzbach.net>
-Eivin Giske Skaaren <eivinsn@axis.com>
-Eivind Uggedal <eivind@uggedal.com>
-Elan Ruusamäe <glen@pld-linux.org>
-Elango Sivanandam <elango.siva@docker.com>
-Elena Morozova <lelenanam@gmail.com>
-Eli Uriegas <seemethere101@gmail.com>
-Elias Faxö <elias.faxo@tre.se>
-Elias Koromilas <elias.koromilas@gmail.com>
-Elias Probst <mail@eliasprobst.eu>
-Elijah Zupancic <elijah@zupancic.name>
-eluck <mail@eluck.me>
-Elvir Kuric <elvirkuric@gmail.com>
-Emil Davtyan <emil2k@gmail.com>
-Emil Hernvall <emil@quench.at>
-Emily Maier <emily@emilymaier.net>
-Emily Rose <emily@contactvibe.com>
-Emir Ozer <emirozer@yandex.com>
-Eng Zer Jun <engzerjun@gmail.com>
-Enguerran <engcolson@gmail.com>
-Enrico Weigelt, metux IT consult <info@metux.net>
-Eohyung Lee <liquidnuker@gmail.com>
-epeterso <epeterson@breakpoint-labs.com>
-er0k <er0k@er0k.net>
-Eric Barch <barch@tomesoftware.com>
-Eric Curtin <ericcurtin17@gmail.com>
-Eric G. Noriega <enoriega@vizuri.com>
-Eric Hanchrow <ehanchrow@ine.com>
-Eric Lee <thenorthsecedes@gmail.com>
-Eric Mountain <eric.mountain@datadoghq.com>
-Eric Myhre <hash@exultant.us>
-Eric Paris <eparis@redhat.com>
-Eric Rafaloff <erafaloff@gmail.com>
-Eric Rosenberg <ehaydenr@gmail.com>
-Eric Sage <eric.david.sage@gmail.com>
-Eric Soderstrom <ericsoderstrom@gmail.com>
-Eric Yang <windfarer@gmail.com>
-Eric-Olivier Lamey <eo@lamey.me>
-Erica Windisch <erica@windisch.us>
-Erich Cordoba <erich.cm@yandex.com>
-Erik Bray <erik.m.bray@gmail.com>
-Erik Dubbelboer <erik@dubbelboer.com>
-Erik Hollensbe <github@hollensbe.org>
-Erik Inge Bolsø <knan@redpill-linpro.com>
-Erik Kristensen <erik@erikkristensen.com>
-Erik Sipsma <erik@sipsma.dev>
-Erik Sjölund <erik.sjolund@gmail.com>
-Erik St. Martin <alakriti@gmail.com>
-Erik Weathers <erikdw@gmail.com>
-Erno Hopearuoho <erno.hopearuoho@gmail.com>
-Erwin van der Koogh <info@erronis.nl>
-Espen Suenson <mail@espensuenson.dk>
-Ethan Bell <ebgamer29@gmail.com>
-Ethan Mosbaugh <ethan@replicated.com>
-Euan Harris <euan.harris@docker.com>
-Euan Kemp <euan.kemp@coreos.com>
-Eugen Krizo <eugen.krizo@gmail.com>
-Eugene Yakubovich <eugene.yakubovich@coreos.com>
-Evan Allrich <evan@unguku.com>
-Evan Carmi <carmi@users.noreply.github.com>
-Evan Hazlett <ejhazlett@gmail.com>
-Evan Krall <krall@yelp.com>
-Evan Lezar <elezar@nvidia.com>
-Evan Phoenix <evan@fallingsnow.net>
-Evan Wies <evan@neomantra.net>
-Evelyn Xu <evelynhsu21@gmail.com>
-Everett Toews <everett.toews@rackspace.com>
-Evgeniy Makhrov <e.makhrov@corp.badoo.com>
-Evgeny Shmarnev <shmarnev@gmail.com>
-Evgeny Vereshchagin <evvers@ya.ru>
-Ewa Czechowska <ewa@ai-traders.com>
-Eystein Måløy Stenberg <eystein.maloy.stenberg@cfengine.com>
-ezbercih <cem.ezberci@gmail.com>
-Ezra Silvera <ezra@il.ibm.com>
-Fabian Kramm <kramm@covexo.com>
-Fabian Lauer <kontakt@softwareschmiede-saar.de>
-Fabian Raetz <fabian.raetz@gmail.com>
-Fabiano Rosas <farosas@br.ibm.com>
-Fabio Falci <fabiofalci@gmail.com>
-Fabio Kung <fabio.kung@gmail.com>
-Fabio Rapposelli <fabio@vmware.com>
-Fabio Rehm <fgrehm@gmail.com>
-Fabrizio Regini <freegenie@gmail.com>
-Fabrizio Soppelsa <fsoppelsa@mirantis.com>
-Faiz Khan <faizkhan00@gmail.com>
-falmp <chico.lopes@gmail.com>
-Fangming Fang <fangming.fang@arm.com>
-Fangyuan Gao <21551127@zju.edu.cn>
-fanjiyun <fan.jiyun@zte.com.cn>
-Fareed Dudhia <fareeddudhia@googlemail.com>
-Fathi Boudra <fathi.boudra@linaro.org>
-Federico Gimenez <fgimenez@coit.es>
-Felipe Oliveira <felipeweb.programador@gmail.com>
-Felipe Ruhland <felipe.ruhland@gmail.com>
-Felix Abecassis <fabecassis@nvidia.com>
-Felix Geisendörfer <felix@debuggable.com>
-Felix Hupfeld <felix@quobyte.com>
-Felix Rabe <felix@rabe.io>
-Felix Ruess <felix.ruess@gmail.com>
-Felix Schindler <fschindler@weluse.de>
-Feng Yan <fy2462@gmail.com>
-Fengtu Wang <wangfengtu@huawei.com>
-Ferenc Szabo <pragmaticfrank@gmail.com>
-Fernando <fermayo@gmail.com>
-Fero Volar <alian@alian.info>
-Feroz Salam <feroz.salam@sourcegraph.com>
-Ferran Rodenas <frodenas@gmail.com>
-Filipe Brandenburger <filbranden@google.com>
-Filipe Oliveira <contato@fmoliveira.com.br>
-Filipe Pina <hzlu1ot0@duck.com>
-Flavio Castelli <fcastelli@suse.com>
-Flavio Crisciani <flavio.crisciani@docker.com>
-Florian <FWirtz@users.noreply.github.com>
-Florian Klein <florian.klein@free.fr>
-Florian Maier <marsmensch@users.noreply.github.com>
-Florian Noeding <noeding@adobe.com>
-Florian Schmaus <flo@geekplace.eu>
-Florian Weingarten <flo@hackvalue.de>
-Florin Asavoaie <florin.asavoaie@gmail.com>
-Florin Patan <florinpatan@gmail.com>
-fonglh <fonglh@gmail.com>
-Foysal Iqbal <foysal.iqbal.fb@gmail.com>
-Francesc Campoy <campoy@google.com>
-Francesco Degrassi <francesco.degrassi@optionfactory.net>
-Francesco Mari <mari.francesco@gmail.com>
-Francis Chuang <francis.chuang@boostport.com>
-Francisco Carriedo <fcarriedo@gmail.com>
-Francisco Souza <f@souza.cc>
-Frank Groeneveld <frank@ivaldi.nl>
-Frank Herrmann <fgh@4gh.tv>
-Frank Macreery <frank@macreery.com>
-Frank Rosquin <frank.rosquin+github@gmail.com>
-Frank Villaro-Dixon <frank.villarodixon@merkle.com>
-Frank Yang <yyb196@gmail.com>
-Fred Lifton <fred.lifton@docker.com>
-Frederick F. Kautz IV <fkautz@redhat.com>
-Frederico F. de Oliveira <FreddieOliveira@users.noreply.github.com>
-Frederik Loeffert <frederik@zitrusmedia.de>
-Frederik Nordahl Jul Sabroe <frederikns@gmail.com>
-Freek Kalter <freek@kalteronline.org>
-Frieder Bluemle <frieder.bluemle@gmail.com>
-frobnicaty <92033765+frobnicaty@users.noreply.github.com>
-Frédéric Dalleau <frederic.dalleau@docker.com>
-Fu JinLin <withlin@yeah.net>
-Félix Baylac-Jacqué <baylac.felix@gmail.com>
-Félix Cantournet <felix.cantournet@cloudwatt.com>
-Gabe Rosenhouse <gabe@missionst.com>
-Gabor Nagy <mail@aigeruth.hu>
-Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
-Gabriel Goller <gabrielgoller123@gmail.com>
-Gabriel L. Somlo <gsomlo@gmail.com>
-Gabriel Linder <linder.gabriel@gmail.com>
-Gabriel Monroy <gabriel@opdemand.com>
-Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
-Gaetan de Villele <gdevillele@gmail.com>
-Galen Sampson <galen.sampson@gmail.com>
-Gang Qiao <qiaohai8866@gmail.com>
-Gareth Rushgrove <gareth@morethanseven.net>
-Garrett Barboza <garrett@garrettbarboza.com>
-Gary Schaetz <gary@schaetzkc.com>
-Gaurav <gaurav.gosec@gmail.com>
-Gaurav Singh <gaurav1086@gmail.com>
-Gaël PORTAY <gael.portay@savoirfairelinux.com>
-Genki Takiuchi <genki@s21g.com>
-GennadySpb <lipenkov@gmail.com>
-Geoff Levand <geoff@infradead.org>
-Geoffrey Bachelet <grosfrais@gmail.com>
-Geon Kim <geon0250@gmail.com>
-George Kontridze <george@bugsnag.com>
-George MacRorie <gmacr31@gmail.com>
-George Xie <georgexsh@gmail.com>
-Georgi Hristozov <georgi@forkbomb.nl>
-Georgy Yakovlev <gyakovlev@gentoo.org>
-Gereon Frey <gereon.frey@dynport.de>
-German DZ <germ@ndz.com.ar>
-Gert van Valkenhoef <g.h.m.van.valkenhoef@rug.nl>
-Gerwim Feiken <g.feiken@tfe.nl>
-Ghislain Bourgeois <ghislain.bourgeois@gmail.com>
-Giampaolo Mancini <giampaolo@trampolineup.com>
-Gianluca Borello <g.borello@gmail.com>
-Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
-Giovan Isa Musthofa <giovanism@outlook.co.id>
-gissehel <public-devgit-dantus@gissehel.org>
-Giuseppe Mazzotta <gdm85@users.noreply.github.com>
-Giuseppe Scrivano <gscrivan@redhat.com>
-Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
-Gleb M Borisov <borisov.gleb@gmail.com>
-Glyn Normington <gnormington@gopivotal.com>
-GoBella <caili_welcome@163.com>
-Goffert van Gool <goffert@phusion.nl>
-Goldwyn Rodrigues <rgoldwyn@suse.com>
-Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
-Gosuke Miyashita <gosukenator@gmail.com>
-Gou Rao <gou@portworx.com>
-Govinda Fichtner <govinda.fichtner@googlemail.com>
-Grant Millar <rid@cylo.io>
-Grant Reaber <grant.reaber@gmail.com>
-Graydon Hoare <graydon@pobox.com>
-Greg Fausak <greg@tacodata.com>
-Greg Pflaum <gpflaum@users.noreply.github.com>
-Greg Stephens <greg@udon.org>
-Greg Thornton <xdissent@me.com>
-Grzegorz Jaśkiewicz <gj.jaskiewicz@gmail.com>
-Guilhem Lettron <guilhem+github@lettron.fr>
-Guilherme Salgado <gsalgado@gmail.com>
-Guillaume Dufour <gdufour.prestataire@voyages-sncf.com>
-Guillaume J. Charmes <guillaume.charmes@docker.com>
-Gunadhya S. <6939749+gunadhya@users.noreply.github.com>
-Guoqiang QI <guoqiang.qi1@gmail.com>
-guoxiuyan <guoxiuyan@huawei.com>
-Guri <odg0318@gmail.com>
-Gurjeet Singh <gurjeet@singh.im>
-Guruprasad <lgp171188@gmail.com>
-Gustav Sinder <gustav.sinder@gmail.com>
-gwx296173 <gaojing3@huawei.com>
-Günter Zöchbauer <guenter@gzoechbauer.com>
-Haichao Yang <yang.haichao@zte.com.cn>
-haikuoliu <haikuo@amazon.com>
-haining.cao <haining.cao@daocloud.io>
-Hakan Özler <hakan.ozler@kodcu.com>
-Hamish Hutchings <moredhel@aoeu.me>
-Hannes Ljungberg <hannes@5monkeys.se>
-Hans Kristian Flaatten <hans@starefossen.com>
-Hans Rødtang <hansrodtang@gmail.com>
-Hao Shu Wei <haoshuwei24@gmail.com>
-Hao Zhang <21521210@zju.edu.cn>
-Harald Albers <github@albersweb.de>
-Harald Niesche <harald@niesche.de>
-Harley Laue <losinggeneration@gmail.com>
-Harold Cooper <hrldcpr@gmail.com>
-Harrison Turton <harrisonturton@gmail.com>
-Harry Zhang <harryz@hyper.sh>
-Harshal Patil <harshal.patil@in.ibm.com>
-Harshal Patil <harshalp@linux.vnet.ibm.com>
-He Simei <hesimei@zju.edu.cn>
-He Xiaoxi <tossmilestone@gmail.com>
-He Xin <he_xinworld@126.com>
-heartlock <21521209@zju.edu.cn>
-Hector Castro <hectcastro@gmail.com>
-Helen Xie <chenjg@harmonycloud.cn>
-Henning Sprang <henning.sprang@gmail.com>
-Hiroshi Hatake <hatake@clear-code.com>
-Hiroyuki Sasagawa <hs19870702@gmail.com>
-Hobofan <goisser94@gmail.com>
-Hollie Teal <hollie@docker.com>
-Hong Xu <hong@topbug.net>
-Hongbin Lu <hongbin034@gmail.com>
-Hongxu Jia <hongxu.jia@windriver.com>
-Honza Pokorny <me@honza.ca>
-Hsing-Hui Hsu <hsinghui@amazon.com>
-Hsing-Yu (David) Chen <davidhsingyuchen@gmail.com>
-hsinko <21551195@zju.edu.cn>
-Hu Keping <hukeping@huawei.com>
-Hu Tao <hutao@cn.fujitsu.com>
-Huajin Tong <fliterdashen@gmail.com>
-huang-jl <1046678590@qq.com>
-HuanHuan Ye <logindaveye@gmail.com>
-Huanzhong Zhang <zhanghuanzhong90@gmail.com>
-Huayi Zhang <irachex@gmail.com>
-Hugo Barrera <hugo@barrera.io>
-Hugo Duncan <hugo@hugoduncan.org>
-Hugo Marisco <0x6875676f@gmail.com>
-Hui Kang <hkang.sunysb@gmail.com>
-Hunter Blanks <hunter@twilio.com>
-huqun <huqun@zju.edu.cn>
-Huu Nguyen <huu@prismskylabs.com>
-Hyeongkyu Lee <hyeongkyu.lee@navercorp.com>
-Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
-Iago López Galeiras <iago@kinvolk.io>
-Ian Bishop <ianbishop@pace7.com>
-Ian Bull <irbull@gmail.com>
-Ian Calvert <ianjcalvert@gmail.com>
-Ian Campbell <ian.campbell@docker.com>
-Ian Chen <ianre657@gmail.com>
-Ian Lee <IanLee1521@gmail.com>
-Ian Main <imain@redhat.com>
-Ian Philpot <ian.philpot@microsoft.com>
-Ian Truslove <ian.truslove@gmail.com>
-Iavael <iavaelooeyt@gmail.com>
-Icaro Seara <icaro.seara@gmail.com>
-Ignacio Capurro <icapurrofagian@gmail.com>
-Igor Dolzhikov <bluesriverz@gmail.com>
-Igor Karpovich <i.karpovich@currencysolutions.com>
-Iliana Weller <iweller@amazon.com>
-Ilkka Laukkanen <ilkka@ilkka.io>
-Illia Antypenko <ilya@antipenko.pp.ua>
-Illo Abdulrahim <abdulrahim.illo@nokia.com>
-Ilya Dmitrichenko <errordeveloper@gmail.com>
-Ilya Gusev <mail@igusev.ru>
-Ilya Khlopotov <ilya.khlopotov@gmail.com>
-imre Fitos <imre.fitos+github@gmail.com>
-inglesp <peter.inglesby@gmail.com>
-Ingo Gottwald <in.gottwald@gmail.com>
-Innovimax <innovimax@gmail.com>
-Isaac Dupree <antispam@idupree.com>
-Isabel Jimenez <contact.isabeljimenez@gmail.com>
-Isaiah Grace <irgkenya4@gmail.com>
-Isao Jonas <isao.jonas@gmail.com>
-Iskander Sharipov <quasilyte@gmail.com>
-Ivan Babrou <ibobrik@gmail.com>
-Ivan Fraixedes <ifcdev@gmail.com>
-Ivan Grcic <igrcic@gmail.com>
-Ivan Markin <sw@nogoegst.net>
-J Bruni <joaohbruni@yahoo.com.br>
-J. Nunn <jbnunn@gmail.com>
-Jack Danger Canty <jackdanger@squareup.com>
-Jack Laxson <jackjrabbit@gmail.com>
-Jacob Atzen <jacob@jacobatzen.dk>
-Jacob Edelman <edelman.jd@gmail.com>
-Jacob Tomlinson <jacob@tom.linson.uk>
-Jacob Vallejo <jakeev@amazon.com>
-Jacob Wen <jian.w.wen@oracle.com>
-Jaime Cepeda <jcepedavillamayor@gmail.com>
-Jaivish Kothari <janonymous.codevulture@gmail.com>
-Jake Champlin <jake.champlin.27@gmail.com>
-Jake Moshenko <jake@devtable.com>
-Jake Sanders <jsand@google.com>
-Jakub Drahos <jdrahos@pulsepoint.com>
-Jakub Guzik <jakubmguzik@gmail.com>
-James Allen <jamesallen0108@gmail.com>
-James Carey <jecarey@us.ibm.com>
-James Carr <james.r.carr@gmail.com>
-James DeFelice <james.defelice@ishisystems.com>
-James Harrison Fisher <jameshfisher@gmail.com>
-James Kyburz <james.kyburz@gmail.com>
-James Kyle <james@jameskyle.org>
-James Lal <james@lightsofapollo.com>
-James Mills <prologic@shortcircuit.net.au>
-James Nesbitt <jnesbitt@mirantis.com>
-James Nugent <james@jen20.com>
-James Sanders <james3sanders@gmail.com>
-James Turnbull <james@lovedthanlost.net>
-James Watkins-Harvey <jwatkins@progi-media.com>
-Jamie Hannaford <jamie@limetree.org>
-Jamshid Afshar <jafshar@yahoo.com>
-Jan Breig <git@pygos.space>
-Jan Chren <dev.rindeal@gmail.com>
-Jan Garcia <github-public@n-garcia.com>
-Jan Götte <jaseg@jaseg.net>
-Jan Keromnes <janx@linux.com>
-Jan Koprowski <jan.koprowski@gmail.com>
-Jan Pazdziora <jpazdziora@redhat.com>
-Jan Toebes <jan@toebes.info>
-Jan-Gerd Tenberge <janten@gmail.com>
-Jan-Jaap Driessen <janjaapdriessen@gmail.com>
-Jana Radhakrishnan <mrjana@docker.com>
-Jannick Fahlbusch <git@jf-projects.de>
-Januar Wayong <januar@gmail.com>
-Jared Biel <jared.biel@bolderthinking.com>
-Jared Hocutt <jaredh@netapp.com>
-Jaroslav Jindrak <dzejrou@gmail.com>
-Jaroslaw Zabiello <hipertracker@gmail.com>
-Jasmine Hegman <jasmine@jhegman.com>
-Jason A. Donenfeld <Jason@zx2c4.com>
-Jason Divock <jdivock@gmail.com>
-Jason Giedymin <jasong@apache.org>
-Jason Green <Jason.Green@AverInformatics.Com>
-Jason Hall <imjasonh@gmail.com>
-Jason Heiss <jheiss@aput.net>
-Jason Livesay <ithkuil@gmail.com>
-Jason McVetta <jason.mcvetta@gmail.com>
-Jason Plum <jplum@devonit.com>
-Jason Shepherd <jason@jasonshepherd.net>
-Jason Smith <jasonrichardsmith@gmail.com>
-Jason Sommer <jsdirv@gmail.com>
-Jason Stangroome <jason@codeassassin.com>
-Javier Bassi <javierbassi@gmail.com>
-jaxgeller <jacksongeller@gmail.com>
-Jay <teguhwpurwanto@gmail.com>
-Jay Kamat <github@jgkamat.33mail.com>
-Jay Lim <jay@imjching.com>
-Jean Rouge <rougej+github@gmail.com>
-Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
-Jean-Baptiste Dalido <jeanbaptiste@appgratis.com>
-Jean-Christophe Berthon <huygens@berthon.eu>
-Jean-Michel Rouet <jm.rouet@gmail.com>
-Jean-Paul Calderone <exarkun@twistedmatrix.com>
-Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr>
-Jean-Tiare Le Bigot <jt@yadutaf.fr>
-Jeeva S. Chelladhurai <sjeeva@gmail.com>
-Jeff Anderson <jeff@docker.com>
-Jeff Hajewski <jeff.hajewski@gmail.com>
-Jeff Johnston <jeff.johnston.mn@gmail.com>
-Jeff Lindsay <progrium@gmail.com>
-Jeff Mickey <j@codemac.net>
-Jeff Minard <jeff@creditkarma.com>
-Jeff Nickoloff <jeff.nickoloff@gmail.com>
-Jeff Silberman <jsilberm@gmail.com>
-Jeff Welch <whatthejeff@gmail.com>
-Jeff Zvier <zvier20@gmail.com>
-Jeffrey Bolle <jeffreybolle@gmail.com>
-Jeffrey Morgan <jmorganca@gmail.com>
-Jeffrey van Gogh <jvg@google.com>
-Jenny Gebske <jennifer@gebske.de>
-Jeongseok Kang <piono623@naver.com>
-Jeremy Chambers <jeremy@thehipbot.com>
-Jeremy Grosser <jeremy@synack.me>
-Jeremy Huntwork <jhuntwork@lightcubesolutions.com>
-Jeremy Price <jprice.rhit@gmail.com>
-Jeremy Qian <vanpire110@163.com>
-Jeremy Unruh <jeremybunruh@gmail.com>
-Jeremy Yallop <yallop@docker.com>
-Jeroen Franse <jeroenfranse@gmail.com>
-Jeroen Jacobs <github@jeroenj.be>
-Jesse Dearing <jesse.dearing@gmail.com>
-Jesse Dubay <jesse@thefortytwo.net>
-Jessica Frazelle <jess@oxide.computer>
-Jeyanthinath Muthuram <jeyanthinath10@gmail.com>
-Jezeniel Zapanta <jpzapanta22@gmail.com>
-Jhon Honce <jhonce@redhat.com>
-Ji.Zhilong <zhilongji@gmail.com>
-Jian Liao <jliao@alauda.io>
-Jian Zeng <anonymousknight96@gmail.com>
-Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
-Jiang Jinyang <jjyruby@gmail.com>
-Jianyong Wu <jianyong.wu@arm.com>
-Jie Luo <luo612@zju.edu.cn>
-Jie Ma <jienius@outlook.com>
-Jihyun Hwang <jhhwang@telcoware.com>
-Jilles Oldenbeuving <ojilles@gmail.com>
-Jim Alateras <jima@comware.com.au>
-Jim Carroll <jim.carroll@docker.com>
-Jim Ehrismann <jim.ehrismann@docker.com>
-Jim Galasyn <jim.galasyn@docker.com>
-Jim Lin <b04705003@ntu.edu.tw>
-Jim Minter <jminter@redhat.com>
-Jim Perrin <jperrin@centos.org>
-Jimmy Cuadra <jimmy@jimmycuadra.com>
-Jimmy Puckett <jimmy.puckett@spinen.com>
-Jimmy Song <rootsongjc@gmail.com>
-Jinsoo Park <cellpjs@gmail.com>
-Jintao Zhang <zhangjintao9020@gmail.com>
-Jiri Appl <jiria@microsoft.com>
-Jiri Popelka <jpopelka@redhat.com>
-Jiuyue Ma <majiuyue@huawei.com>
-Jiří Župka <jzupka@redhat.com>
-Joakim Roubert <joakim.roubert@axis.com>
-Joao Fernandes <joao.fernandes@docker.com>
-Joao Trindade <trindade.joao@gmail.com>
-Joe Beda <joe.github@bedafamily.com>
-Joe Doliner <jdoliner@pachyderm.io>
-Joe Ferguson <joe@infosiftr.com>
-Joe Gordon <joe.gordon0@gmail.com>
-Joe Shaw <joe@joeshaw.org>
-Joe Van Dyk <joe@tanga.com>
-Joel Friedly <joelfriedly@gmail.com>
-Joel Handwell <joelhandwell@gmail.com>
-Joel Hansson <joel.hansson@ecraft.com>
-Joel Wurtz <jwurtz@jolicode.com>
-Joey Geiger <jgeiger@gmail.com>
-Joey Geiger <jgeiger@users.noreply.github.com>
-Joey Gibson <joey@joeygibson.com>
-Joffrey F <joffrey@docker.com>
-Johan Euphrosine <proppy@google.com>
-Johan Rydberg <johan.rydberg@gmail.com>
-Johanan Lieberman <johanan.lieberman@gmail.com>
-Johannes 'fish' Ziemke <github@freigeist.org>
-John Costa <john.costa@gmail.com>
-John Feminella <jxf@jxf.me>
-John Gardiner Myers <jgmyers@proofpoint.com>
-John Gossman <johngos@microsoft.com>
-John Harris <john@johnharris.io>
-John Howard <github@lowenna.com>
-John Laswell <john.n.laswell@gmail.com>
-John Maguire <jmaguire@duosecurity.com>
-John Mulhausen <john@docker.com>
-John OBrien III <jobrieniii@yahoo.com>
-John Starks <jostarks@microsoft.com>
-John Stephens <johnstep@docker.com>
-John Tims <john.k.tims@gmail.com>
-John V. Martinez <jvmatl@gmail.com>
-John Warwick <jwarwick@gmail.com>
-John Willis <john.willis@docker.com>
-Jon Johnson <jonjohnson@google.com>
-Jon Surrell <jon.surrell@gmail.com>
-Jon Wedaman <jweede@gmail.com>
-Jonas Dohse <jonas@dohse.ch>
-Jonas Heinrich <Jonas@JonasHeinrich.com>
-Jonas Pfenniger <jonas@pfenniger.name>
-Jonathan A. Schweder <jonathanschweder@gmail.com>
-Jonathan A. Sternberg <jonathansternberg@gmail.com>
-Jonathan Boulle <jonathanboulle@gmail.com>
-Jonathan Camp <jonathan@irondojo.com>
-Jonathan Choy <jonathan.j.choy@gmail.com>
-Jonathan Dowland <jon+github@alcopop.org>
-Jonathan Lebon <jlebon@redhat.com>
-Jonathan Lomas <jonathan@floatinglomas.ca>
-Jonathan McCrohan <jmccrohan@gmail.com>
-Jonathan Mueller <j.mueller@apoveda.ch>
-Jonathan Pares <jonathanpa@users.noreply.github.com>
-Jonathan Rudenberg <jonathan@titanous.com>
-Jonathan Stoppani <jonathan.stoppani@divio.com>
-Jonh Wendell <jonh.wendell@redhat.com>
-Joni Sar <yoni@cocycles.com>
-Joost Cassee <joost@cassee.net>
-Jordan Arentsen <blissdev@gmail.com>
-Jordan Jennings <jjn2009@gmail.com>
-Jordan Sissel <jls@semicomplete.com>
-Jordi Massaguer Pla <jmassaguerpla@suse.de>
-Jorge Marin <chipironcin@users.noreply.github.com>
-Jorit Kleine-Möllhoff <joppich@bricknet.de>
-Jose Diaz-Gonzalez <email@josediazgonzalez.com>
-Joseph Anthony Pasquale Holsten <joseph@josephholsten.com>
-Joseph Hager <ajhager@gmail.com>
-Joseph Kern <jkern@semafour.net>
-Joseph Rothrock <rothrock@rothrock.org>
-Josh <jokajak@gmail.com>
-Josh Bodah <jb3689@yahoo.com>
-Josh Bonczkowski <josh.bonczkowski@gmail.com>
-Josh Chorlton <jchorlton@gmail.com>
-Josh Eveleth <joshe@opendns.com>
-Josh Hawn <josh.hawn@docker.com>
-Josh Horwitz <horwitz@addthis.com>
-Josh Poimboeuf <jpoimboe@redhat.com>
-Josh Soref <jsoref@gmail.com>
-Josh Wilson <josh.wilson@fivestars.com>
-Josiah Kiehl <jkiehl@riotgames.com>
-José Tomás Albornoz <jojo@eljojo.net>
-Joyce Jang <mail@joycejang.com>
-JP <jpellerin@leapfrogonline.com>
-Julian Taylor <jtaylor.debian@googlemail.com>
-Julien Barbier <write0@gmail.com>
-Julien Bisconti <veggiemonk@users.noreply.github.com>
-Julien Bordellier <julienbordellier@gmail.com>
-Julien Dubois <julien.dubois@gmail.com>
-Julien Kassar <github@kassisol.com>
-Julien Maitrehenry <julien.maitrehenry@me.com>
-Julien Pervillé <julien.perville@perfect-memory.com>
-Julien Pivotto <roidelapluie@inuits.eu>
-Julio Guerra <julio@sqreen.com>
-Julio Montes <imc.coder@gmail.com>
-Jun Du <dujun5@huawei.com>
-Jun-Ru Chang <jrjang@gmail.com>
-junxu <xujun@cmss.chinamobile.com>
-Jussi Nummelin <jussi.nummelin@gmail.com>
-Justas Brazauskas <brazauskasjustas@gmail.com>
-Justen Martin <jmart@the-coder.com>
-Justin Chadwell <me@jedevc.com>
-Justin Cormack <justin.cormack@docker.com>
-Justin Force <justin.force@gmail.com>
-Justin Keller <85903732+jk-vb@users.noreply.github.com>
-Justin Menga <justin.menga@gmail.com>
-Justin Plock <jplock@users.noreply.github.com>
-Justin Simonelis <justin.p.simonelis@gmail.com>
-Justin Terry <juterry@microsoft.com>
-Justyn Temme <justyntemme@gmail.com>
-Jyrki Puttonen <jyrkiput@gmail.com>
-Jérémy Leherpeur <amenophis@leherpeur.net>
-Jérôme Petazzoni <jerome.petazzoni@docker.com>
-Jörg Thalheim <joerg@higgsboson.tk>
-K. Heller <pestophagous@gmail.com>
-Kai Blin <kai@samba.org>
-Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
-Kaijie Chen <chen@kaijie.org>
-Kamil Domański <kamil@domanski.co>
-Kamjar Gerami <kami.gerami@gmail.com>
-Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
-Kara Alexandra <kalexandra@us.ibm.com>
-Karan Lyons <karan@karanlyons.com>
-Kareem Khazem <karkhaz@karkhaz.com>
-kargakis <kargakis@users.noreply.github.com>
-Karl Grzeszczak <karlgrz@gmail.com>
-Karol Duleba <mr.fuxi@gmail.com>
-Karthik Karanth <karanth.karthik@gmail.com>
-Karthik Nayak <karthik.188@gmail.com>
-Kasper Fabæch Brandt <poizan@poizan.dk>
-Kate Heddleston <kate.heddleston@gmail.com>
-Katie McLaughlin <katie@glasnt.com>
-Kato Kazuyoshi <kato.kazuyoshi@gmail.com>
-Katrina Owen <katrina.owen@gmail.com>
-Kawsar Saiyeed <kawsar.saiyeed@projiris.com>
-Kay Yan <kay.yan@daocloud.io>
-kayrus <kay.diam@gmail.com>
-Kazuhiro Sera <seratch@gmail.com>
-Kazuyoshi Kato <katokazu@amazon.com>
-Ke Li <kel@splunk.com>
-Ke Xu <leonhartx.k@gmail.com>
-Kei Ohmura <ohmura.kei@gmail.com>
-Keith Hudgins <greenman@greenman.org>
-Keli Hu <dev@keli.hu>
-Ken Bannister <kb2ma@runbox.com>
-Ken Cochrane <kencochrane@gmail.com>
-Ken Herner <kherner@progress.com>
-Ken ICHIKAWA <ichikawa.ken@jp.fujitsu.com>
-Ken Reese <krrgithub@gmail.com>
-Kenfe-Mickaël Laventure <mickael.laventure@gmail.com>
-Kenjiro Nakayama <nakayamakenjiro@gmail.com>
-Kent Johnson <kentoj@gmail.com>
-Kenta Tada <Kenta.Tada@sony.com>
-Kevin "qwazerty" Houdebert <kevin.houdebert@gmail.com>
-Kevin Alvarez <github@crazymax.dev>
-Kevin Burke <kev@inburke.com>
-Kevin Clark <kevin.clark@gmail.com>
-Kevin Feyrer <kevin.feyrer@btinternet.com>
-Kevin J. Lynagh <kevin@keminglabs.com>
-Kevin Jing Qiu <kevin@idempotent.ca>
-Kevin Kern <kaiwentan@harmonycloud.cn>
-Kevin Menard <kevin@nirvdrum.com>
-Kevin Meredith <kevin.m.meredith@gmail.com>
-Kevin P. Kucharczyk <kevinkucharczyk@gmail.com>
-Kevin Parsons <kevpar@microsoft.com>
-Kevin Richardson <kevin@kevinrichardson.co>
-Kevin Shi <kshi@andrew.cmu.edu>
-Kevin Wallace <kevin@pentabarf.net>
-Kevin Yap <me@kevinyap.ca>
-Keyvan Fatehi <keyvanfatehi@gmail.com>
-kies <lleelm@gmail.com>
-Kim BKC Carlbacker <kim.carlbacker@gmail.com>
-Kim Eik <kim@heldig.org>
-Kimbro Staken <kstaken@kstaken.com>
-Kir Kolyshkin <kolyshkin@gmail.com>
-Kiran Gangadharan <kiran.daredevil@gmail.com>
-Kirill SIbirev <l0kix2@gmail.com>
-Kirk Easterson <kirk.easterson@gmail.com>
-knappe <tyler.knappe@gmail.com>
-Kohei Tsuruta <coheyxyz@gmail.com>
-Koichi Shiraishi <k@zchee.io>
-Konrad Kleine <konrad.wilhelm.kleine@gmail.com>
-Konrad Ponichtera <konpon96@gmail.com>
-Konstantin Gribov <grossws@gmail.com>
-Konstantin L <sw.double@gmail.com>
-Konstantin Pelykh <kpelykh@zettaset.com>
-Kostadin Plachkov <k.n.plachkov@gmail.com>
-kpcyrd <git@rxv.cc>
-Krasi Georgiev <krasi@vip-consult.solutions>
-Krasimir Georgiev <support@vip-consult.co.uk>
-Kris-Mikael Krister <krismikael@protonmail.com>
-Kristian Haugene <kristian.haugene@capgemini.com>
-Kristina Zabunova <triara.xiii@gmail.com>
-Krystian Wojcicki <kwojcicki@sympatico.ca>
-Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
-Kunal Tyagi <tyagi.kunal@live.com>
-Kyle Conroy <kyle.j.conroy@gmail.com>
-Kyle Linden <linden.kyle@gmail.com>
-Kyle Squizzato <ksquizz@gmail.com>
-Kyle Wuolle <kyle.wuolle@gmail.com>
-kyu <leehk1227@gmail.com>
-Lachlan Coote <lcoote@vmware.com>
-Lai Jiangshan <jiangshanlai@gmail.com>
-Lajos Papp <lajos.papp@sequenceiq.com>
-Lakshan Perera <lakshan@laktek.com>
-Lalatendu Mohanty <lmohanty@redhat.com>
-Lance Chen <cyen0312@gmail.com>
-Lance Kinley <lkinley@loyaltymethods.com>
-Lars Butler <Lars.Butler@gmail.com>
-Lars Kellogg-Stedman <lars@redhat.com>
-Lars R. Damerow <lars@pixar.com>
-Lars-Magnus Skog <ralphtheninja@riseup.net>
-Laszlo Meszaros <lacienator@gmail.com>
-Laura Brehm <laurabrehm@hey.com>
-Laura Frank <ljfrank@gmail.com>
-Laurent Bernaille <laurent.bernaille@datadoghq.com>
-Laurent Erignoux <lerignoux@gmail.com>
-Laurie Voss <github@seldo.com>
-Leandro Motta Barros <lmb@stackedboxes.org>
-Leandro Siqueira <leandro.siqueira@gmail.com>
-Lee Calcote <leecalcote@gmail.com>
-Lee Chao <932819864@qq.com>
-Lee, Meng-Han <sunrisedm4@gmail.com>
-Lei Gong <lgong@alauda.io>
-Lei Jitang <leijitang@huawei.com>
-Leiiwang <u2takey@gmail.com>
-Len Weincier <len@cloudafrica.net>
-Lennie <github@consolejunkie.net>
-Leo Gallucci <elgalu3@gmail.com>
-Leonardo Nodari <me@leonardonodari.it>
-Leonardo Taccari <leot@NetBSD.org>
-Leszek Kowalski <github@leszekkowalski.pl>
-Levi Blackstone <levi.blackstone@rackspace.com>
-Levi Gross <levi@levigross.com>
-Levi Harrison <levisamuelharrison@gmail.com>
-Lewis Daly <lewisdaly@me.com>
-Lewis Marshall <lewis@lmars.net>
-Lewis Peckover <lew+github@lew.io>
-Li Yi <denverdino@gmail.com>
-Liam Macgillavry <liam@kumina.nl>
-Liana Lo <liana.lixia@gmail.com>
-Liang Mingqiang <mqliang.zju@gmail.com>
-Liang-Chi Hsieh <viirya@gmail.com>
-liangwei <liangwei14@huawei.com>
-Liao Qingwei <liaoqingwei@huawei.com>
-Lifubang <lifubang@acmcoder.com>
-Lihua Tang <lhtang@alauda.io>
-Lily Guo <lily.guo@docker.com>
-limeidan <limeidan@loongson.cn>
-Lin Lu <doraalin@163.com>
-LingFaKe <lingfake@huawei.com>
-Linus Heckemann <lheckemann@twig-world.com>
-Liran Tal <liran.tal@gmail.com>
-Liron Levin <liron@twistlock.com>
-Liu Bo <bo.li.liu@oracle.com>
-Liu Hua <sdu.liu@huawei.com>
-liwenqi <vikilwq@zju.edu.cn>
-lixiaobing10051267 <li.xiaobing1@zte.com.cn>
-Liz Zhang <lizzha@microsoft.com>
-LIZAO LI <lzlarryli@gmail.com>
-Lizzie Dixon <_@lizzie.io>
-Lloyd Dewolf <foolswisdom@gmail.com>
-Lokesh Mandvekar <lsm5@fedoraproject.org>
-longliqiang88 <394564827@qq.com>
-Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
-Lorenzo Fontana <fontanalorenz@gmail.com>
-Lotus Fenn <fenn.lotus@gmail.com>
-Louis Delossantos <ldelossa.ld@gmail.com>
-Louis Opter <kalessin@kalessin.fr>
-Luboslav Pivarc <lpivarc@redhat.com>
-Luca Favatella <luca.favatella@erlang-solutions.com>
-Luca Marturana <lucamarturana@gmail.com>
-Luca Orlandi <luca.orlandi@gmail.com>
-Luca-Bogdan Grigorescu <Luca-Bogdan Grigorescu>
-Lucas Chan <lucas-github@lucaschan.com>
-Lucas Chi <lucas@teacherspayteachers.com>
-Lucas Molas <lmolas@fundacionsadosky.org.ar>
-Lucas Silvestre <lukas.silvestre@gmail.com>
-Luciano Mores <leslau@gmail.com>
-Luis Henrique Mulinari <luis.mulinari@gmail.com>
-Luis Martínez de Bartolomé Izquierdo <lmartinez@biicode.com>
-Luiz Svoboda <luizek@gmail.com>
-Lukas Heeren <lukas-heeren@hotmail.com>
-Lukas Waslowski <cr7pt0gr4ph7@gmail.com>
-lukaspustina <lukas.pustina@centerdevice.com>
-Lukasz Zajaczkowski <Lukasz.Zajaczkowski@ts.fujitsu.com>
-Luke Marsden <me@lukemarsden.net>
-Lyn <energylyn@zju.edu.cn>
-Lynda O'Leary <lyndaoleary29@gmail.com>
-Lénaïc Huard <lhuard@amadeus.com>
-Ma Müller <mueller-ma@users.noreply.github.com>
-Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
-Mabin <bin.ma@huawei.com>
-Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com>
-Madhav Puri <madhav.puri@gmail.com>
-Madhu Venugopal <mavenugo@gmail.com>
-Mageee <fangpuyi@foxmail.com>
-Mahesh Tiyyagura <tmahesh@gmail.com>
-malnick <malnick@gmail..com>
-Malte Janduda <mail@janduda.net>
-Manfred Touron <m@42.am>
-Manfred Zabarauskas <manfredas@zabarauskas.com>
-Manjunath A Kumatagi <mkumatag@in.ibm.com>
-Mansi Nahar <mmn4185@rit.edu>
-Manuel Meurer <manuel@krautcomputing.com>
-Manuel Rüger <manuel@rueg.eu>
-Manuel Woelker <github@manuel.woelker.org>
-mapk0y <mapk0y@gmail.com>
-Marat Radchenko <marat@slonopotamus.org>
-Marc Abramowitz <marc@marc-abramowitz.com>
-Marc Kuo <kuomarc2@gmail.com>
-Marc Tamsky <mtamsky@gmail.com>
-Marcel Edmund Franke <marcel.edmund.franke@gmail.com>
-Marcelo Horacio Fortino <info@fortinux.com>
-Marcelo Salazar <chelosalazar@gmail.com>
-Marco Hennings <marco.hennings@freiheit.com>
-Marcus Cobden <mcobden@cisco.com>
-Marcus Farkas <toothlessgear@finitebox.com>
-Marcus Linke <marcus.linke@gmx.de>
-Marcus Martins <marcus@docker.com>
-Marcus Ramberg <marcus@nordaaker.com>
-Marek Goldmann <marek.goldmann@gmail.com>
-Marian Marinov <mm@yuhu.biz>
-Marianna Tessel <mtesselh@gmail.com>
-Mario Loriedo <mario.loriedo@gmail.com>
-Marius Gundersen <me@mariusgundersen.net>
-Marius Sturm <marius@graylog.com>
-Marius Voila <marius.voila@gmail.com>
-Mark Allen <mrallen1@yahoo.com>
-Mark Feit <mfeit@internet2.edu>
-Mark Jeromin <mark.jeromin@sysfrog.net>
-Mark McGranaghan <mmcgrana@gmail.com>
-Mark McKinstry <mmckinst@umich.edu>
-Mark Milstein <mark@epiloque.com>
-Mark Oates <fl0yd@me.com>
-Mark Parker <godefroi@users.noreply.github.com>
-Mark Vainomaa <mikroskeem@mikroskeem.eu>
-Mark West <markewest@gmail.com>
-Markan Patel <mpatel678@gmail.com>
-Marko Mikulicic <mmikulicic@gmail.com>
-Marko Tibold <marko@tibold.nl>
-Markus Fix <lispmeister@gmail.com>
-Markus Kortlang <hyp3rdino@googlemail.com>
-Martijn Dwars <ikben@martijndwars.nl>
-Martijn van Oosterhout <kleptog@svana.org>
-Martin Braun <braun@neuroforge.de>
-Martin Dojcak <martin.dojcak@lablabs.io>
-Martin Honermeyer <maze@strahlungsfrei.de>
-Martin Jirku <martin@jirku.sk>
-Martin Kelly <martin@surround.io>
-Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
-Martin Muzatko <martin@happy-css.com>
-Martin Redmond <redmond.martin@gmail.com>
-Maru Newby <mnewby@thesprawl.net>
-Mary Anthony <mary.anthony@docker.com>
-Masahito Zembutsu <zembutsu@users.noreply.github.com>
-Masato Ohba <over.rye@gmail.com>
-Masayuki Morita <minamijoyo@gmail.com>
-Mason Malone <mason.malone@gmail.com>
-Mateusz Sulima <sulima.mateusz@gmail.com>
-Mathias Monnerville <mathias@monnerville.com>
-Mathieu Champlon <mathieu.champlon@docker.com>
-Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
-Mathieu Parent <math.parent@gmail.com>
-Mathieu Paturel <mathieu.paturel@gmail.com>
-Matt Apperson <me@mattapperson.com>
-Matt Bachmann <bachmann.matt@gmail.com>
-Matt Bajor <matt@notevenremotelydorky.com>
-Matt Bentley <matt.bentley@docker.com>
-Matt Haggard <haggardii@gmail.com>
-Matt Hoyle <matt@deployable.co>
-Matt McCormick <matt.mccormick@kitware.com>
-Matt Moore <mattmoor@google.com>
-Matt Morrison <3maven@gmail.com>
-Matt Richardson <matt@redgumtech.com.au>
-Matt Rickard <mrick@google.com>
-Matt Robenolt <matt@ydekproductions.com>
-Matt Schurenko <matt.schurenko@gmail.com>
-Matt Williams <mattyw@me.com>
-Matthew Heon <mheon@redhat.com>
-Matthew Lapworth <matthewl@bit-shift.net>
-Matthew Mayer <matthewkmayer@gmail.com>
-Matthew Mosesohn <raytrac3r@gmail.com>
-Matthew Mueller <mattmuelle@gmail.com>
-Matthew Riley <mattdr@google.com>
-Matthias Klumpp <matthias@tenstral.net>
-Matthias Kühnle <git.nivoc@neverbox.com>
-Matthias Rampke <mr@soundcloud.com>
-Matthieu Fronton <m@tthieu.fr>
-Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
-Mattias Jernberg <nostrad@gmail.com>
-Mauricio Garavaglia <mauricio@medallia.com>
-mauriyouth <mauriyouth@gmail.com>
-Max Harmathy <max.harmathy@web.de>
-Max Shytikov <mshytikov@gmail.com>
-Max Timchenko <maxvt@pagerduty.com>
-Maxim Fedchyshyn <sevmax@gmail.com>
-Maxim Ivanov <ivanov.maxim@gmail.com>
-Maxim Kulkin <mkulkin@mirantis.com>
-Maxim Treskin <zerthurd@gmail.com>
-Maxime Petazzoni <max@signalfuse.com>
-Maximiliano Maccanti <maccanti@amazon.com>
-Maxwell <csuhp007@gmail.com>
-Meaglith Ma <genedna@gmail.com>
-meejah <meejah@meejah.ca>
-Megan Kostick <mkostick@us.ibm.com>
-Mehul Kar <mehul.kar@gmail.com>
-Mei ChunTao <mei.chuntao@zte.com.cn>
-Mengdi Gao <usrgdd@gmail.com>
-Menghui Chen <menghui.chen@alibaba-inc.com>
-Mert Yazıcıoğlu <merty@users.noreply.github.com>
-mgniu <mgniu@dataman-inc.com>
-Micah Zoltu <micah@newrelic.com>
-Michael A. Smith <michael@smith-li.com>
-Michael Beskin <mrbeskin@gmail.com>
-Michael Bridgen <mikeb@squaremobius.net>
-Michael Brown <michael@netdirect.ca>
-Michael Chiang <mchiang@docker.com>
-Michael Crosby <crosbymichael@gmail.com>
-Michael Currie <mcurrie@bruceforceresearch.com>
-Michael Friis <friism@gmail.com>
-Michael Gorsuch <gorsuch@github.com>
-Michael Grauer <michael.grauer@kitware.com>
-Michael Holzheu <holzheu@linux.vnet.ibm.com>
-Michael Hudson-Doyle <michael.hudson@canonical.com>
-Michael Huettermann <michael@huettermann.net>
-Michael Irwin <mikesir87@gmail.com>
-Michael Kebe <michael.kebe@hkm.de>
-Michael Kuehn <micha@kuehn.io>
-Michael Käufl <docker@c.michael-kaeufl.de>
-Michael Neale <michael.neale@gmail.com>
-Michael Nussbaum <michael.nussbaum@getbraintree.com>
-Michael Prokop <github@michael-prokop.at>
-Michael Scharf <github@scharf.gr>
-Michael Spetsiotis <michael_spets@hotmail.com>
-Michael Stapelberg <michael+gh@stapelberg.de>
-Michael Steinert <mike.steinert@gmail.com>
-Michael Thies <michaelthies78@gmail.com>
-Michael Weidmann <michaelweidmann@web.de>
-Michael West <mwest@mdsol.com>
-Michael Zhao <michael.zhao@arm.com>
-Michal Fojtik <mfojtik@redhat.com>
-Michal Gebauer <mishak@mishak.net>
-Michal Jemala <michal.jemala@gmail.com>
-Michal Kostrzewa <michal.kostrzewa@codilime.com>
-Michal Minář <miminar@redhat.com>
-Michal Rostecki <mrostecki@opensuse.org>
-Michal Wieczorek <wieczorek-michal@wp.pl>
-Michaël Pailloncy <mpapo.dev@gmail.com>
-Michał Czeraszkiewicz <czerasz@gmail.com>
-Michał Gryko <github@odkurzacz.org>
-Michał Kosek <mihao@users.noreply.github.com>
-Michiel de Jong <michiel@unhosted.org>
-Mickaël Fortunato <morsi.morsicus@gmail.com>
-Mickaël Remars <mickael@remars.com>
-Miguel Angel Fernández <elmendalerenda@gmail.com>
-Miguel Morales <mimoralea@gmail.com>
-Miguel Perez <miguel@voyat.com>
-Mihai Borobocea <MihaiBorob@gmail.com>
-Mihuleacc Sergiu <mihuleac.sergiu@gmail.com>
-Mikael Davranche <mikael.davranche@corp.ovh.com>
-Mike Brown <brownwm@us.ibm.com>
-Mike Bush <mpbush@gmail.com>
-Mike Casas <mkcsas0@gmail.com>
-Mike Chelen <michael.chelen@gmail.com>
-Mike Danese <mikedanese@google.com>
-Mike Dillon <mike@embody.org>
-Mike Dougherty <mike.dougherty@docker.com>
-Mike Estes <mike.estes@logos.com>
-Mike Gaffney <mike@uberu.com>
-Mike Goelzer <mike.goelzer@docker.com>
-Mike Leone <mleone896@gmail.com>
-Mike Lundy <mike@fluffypenguin.org>
-Mike MacCana <mike.maccana@gmail.com>
-Mike Naberezny <mike@naberezny.com>
-Mike Snitzer <snitzer@redhat.com>
-Mike Sul <mike.sul@foundries.io>
-mikelinjie <294893458@qq.com>
-Mikhail Sobolev <mss@mawhrin.net>
-Miklos Szegedi <miklos.szegedi@cloudera.com>
-Milas Bowman <devnull@milas.dev>
-Milind Chawre <milindchawre@gmail.com>
-Miloslav Trma� <mitr@redhat.com>
-mingqing <limingqing@cyou-inc.com>
-Mingzhen Feng <fmzhen@zju.edu.cn>
-Misty Stanley-Jones <misty@docker.com>
-Mitch Capper <mitch.capper@gmail.com>
-Mizuki Urushida <z11111001011@gmail.com>
-mlarcher <github@ringabell.org>
-Mohammad Banikazemi <MBanikazemi@gmail.com>
-Mohammad Nasirifar <farnasirim@gmail.com>
-Mohammed Aaqib Ansari <maaquib@gmail.com>
-Mohd Sadiq <mohdsadiq058@gmail.com>
-Mohit Soni <mosoni@ebay.com>
-Moorthy RS <rsmoorthy@gmail.com>
-Morgan Bauer <mbauer@us.ibm.com>
-Morgante Pell <morgante.pell@morgante.net>
-Morgy93 <thomas@ulfertsprygoda.de>
-Morten Siebuhr <sbhr@sbhr.dk>
-Morton Fox <github@qslw.com>
-Moysés Borges <moysesb@gmail.com>
-mrfly <mr.wrfly@gmail.com>
-Mrunal Patel <mrunalp@gmail.com>
-Muayyad Alsadi <alsadi@gmail.com>
-Muhammad Zohaib Aslam <zohaibse011@gmail.com>
-Mustafa Akın <mustafa91@gmail.com>
-Muthukumar R <muthur@gmail.com>
-Máximo Cuadros <mcuadros@gmail.com>
-Médi-Rémi Hashim <medimatrix@users.noreply.github.com>
-Nace Oroz <orkica@gmail.com>
-Nahum Shalman <nshalman@omniti.com>
-Nakul Pathak <nakulpathak3@hotmail.com>
-Nalin Dahyabhai <nalin@redhat.com>
-Nan Monnand Deng <monnand@gmail.com>
-Naoki Orii <norii@cs.cmu.edu>
-Natalie Parker <nparker@omnifone.com>
-Natanael Copa <natanael.copa@docker.com>
-Natasha Jarus <linuxmercedes@gmail.com>
-Nate Brennand <nate.brennand@clever.com>
-Nate Eagleson <nate@nateeag.com>
-Nate Jones <nate@endot.org>
-Nathan Carlson <carl4403@umn.edu>
-Nathan Herald <me@nathanherald.com>
-Nathan Hsieh <hsieh.nathan@gmail.com>
-Nathan Kleyn <nathan@nathankleyn.com>
-Nathan LeClaire <nathan.leclaire@docker.com>
-Nathan McCauley <nathan.mccauley@docker.com>
-Nathan Williams <nathan@teamtreehouse.com>
-Naveed Jamil <naveed.jamil@tenpearls.com>
-Neal McBurnett <neal@mcburnett.org>
-Neil Horman <nhorman@tuxdriver.com>
-Neil Peterson <neilpeterson@outlook.com>
-Nelson Chen <crazysim@gmail.com>
-Neyazul Haque <nuhaque@gmail.com>
-Nghia Tran <nghia@google.com>
-Niall O'Higgins <niallo@unworkable.org>
-Nicholas E. Rabenau <nerab@gmx.at>
-Nick Adcock <nick.adcock@docker.com>
-Nick DeCoursin <n.decoursin@foodpanda.com>
-Nick Irvine <nfirvine@nfirvine.com>
-Nick Neisen <nwneisen@gmail.com>
-Nick Parker <nikaios@gmail.com>
-Nick Payne <nick@kurai.co.uk>
-Nick Russo <nicholasjamesrusso@gmail.com>
-Nick Santos <nick.santos@docker.com>
-Nick Stenning <nick.stenning@digital.cabinet-office.gov.uk>
-Nick Stinemates <nick@stinemates.org>
-Nick Wood <nwood@microsoft.com>
-NickrenREN <yuquan.ren@easystack.cn>
-Nicola Kabar <nicolaka@gmail.com>
-Nicolas Borboën <ponsfrilus@gmail.com>
-Nicolas De Loof <nicolas.deloof@gmail.com>
-Nicolas Dudebout <nicolas.dudebout@gatech.edu>
-Nicolas Goy <kuon@goyman.com>
-Nicolas Kaiser <nikai@nikai.net>
-Nicolas Sterchele <sterchele.nicolas@gmail.com>
-Nicolas V Castet <nvcastet@us.ibm.com>
-Nicolás Hock Isaza <nhocki@gmail.com>
-Niel Drummond <niel@drummond.lu>
-Nigel Poulton <nigelpoulton@hotmail.com>
-Nik Nyby <nikolas@gnu.org>
-Nikhil Chawla <chawlanikhil24@gmail.com>
-NikolaMandic <mn080202@gmail.com>
-Nikolas Garofil <nikolas.garofil@uantwerpen.be>
-Nikolay Edigaryev <edigaryev@gmail.com>
-Nikolay Milovanov <nmil@itransformers.net>
-ningmingxiao <ning.mingxiao@zte.com.cn>
-Nirmal Mehta <nirmalkmehta@gmail.com>
-Nishant Totla <nishanttotla@gmail.com>
-NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
-Noah Meyerhans <nmeyerha@amazon.com>
-Noah Treuhaft <noah.treuhaft@docker.com>
-NobodyOnSE <ich@sektor.selfip.com>
-noducks <onemannoducks@gmail.com>
-Nolan Darilek <nolan@thewordnerd.info>
-Nolan Miles <nolanpmiles@gmail.com>
-Noriki Nakamura <noriki.nakamura@miraclelinux.com>
-nponeccop <andy.melnikov@gmail.com>
-Nurahmadie <nurahmadie@gmail.com>
-Nuutti Kotivuori <naked@iki.fi>
-nzwsch <hi@nzwsch.com>
-O.S. Tezer <ostezer@gmail.com>
-objectified <objectified@gmail.com>
-Odin Ugedal <odin@ugedal.com>
-Oguz Bilgic <fisyonet@gmail.com>
-Oh Jinkyun <tintypemolly@gmail.com>
-Ohad Schneider <ohadschn@users.noreply.github.com>
-ohmystack <jun.jiang02@ele.me>
-Ole Reifschneider <mail@ole-reifschneider.de>
-Oliver Neal <ItsVeryWindy@users.noreply.github.com>
-Oliver Reason <oli@overrateddev.co>
-Olivier Gambier <dmp42@users.noreply.github.com>
-Olle Jonsson <olle.jonsson@gmail.com>
-Olli Janatuinen <olli.janatuinen@gmail.com>
-Olly Pomeroy <oppomeroy@gmail.com>
-Omri Shiv <Omri.Shiv@teradata.com>
-Onur Filiz <onur.filiz@microsoft.com>
-Oriol Francès <oriolfa@gmail.com>
-Oscar Bonilla <6f6231@gmail.com>
-oscar.chen <2972789494@qq.com>
-Oskar Niburski <oskarniburski@gmail.com>
-Otto Kekäläinen <otto@seravo.fi>
-Ouyang Liduo <oyld0210@163.com>
-Ovidio Mallo <ovidio.mallo@gmail.com>
-Panagiotis Moustafellos <pmoust@elastic.co>
-Paolo G. Giarrusso <p.giarrusso@gmail.com>
-Pascal <pascalgn@users.noreply.github.com>
-Pascal Bach <pascal.bach@siemens.com>
-Pascal Borreli <pascal@borreli.com>
-Pascal Hartig <phartig@rdrei.net>
-Patrick Böänziger <patrick.baenziger@bsi-software.com>
-Patrick Devine <patrick.devine@docker.com>
-Patrick Haas <patrickhaas@google.com>
-Patrick Hemmer <patrick.hemmer@gmail.com>
-Patrick Stapleton <github@gdi2290.com>
-Patrik Cyvoct <patrik@ptrk.io>
-pattichen <craftsbear@gmail.com>
-Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
-Paul <paul9869@gmail.com>
-paul <paul@inkling.com>
-Paul Annesley <paul@annesley.cc>
-Paul Bellamy <paul.a.bellamy@gmail.com>
-Paul Bowsher <pbowsher@globalpersonals.co.uk>
-Paul Furtado <pfurtado@hubspot.com>
-Paul Hammond <paul@paulhammond.org>
-Paul Jimenez <pj@place.org>
-Paul Kehrer <paul.l.kehrer@gmail.com>
-Paul Lietar <paul@lietar.net>
-Paul Liljenberg <liljenberg.paul@gmail.com>
-Paul Morie <pmorie@gmail.com>
-Paul Nasrat <pnasrat@gmail.com>
-Paul Seiffert <paul.seiffert@jimdo.com>
-Paul Weaver <pauweave@cisco.com>
-Paulo Gomes <pjbgf@linux.com>
-Paulo Ribeiro <paigr.io@gmail.com>
-Pavel Lobashov <ShockwaveNN@gmail.com>
-Pavel Matěja <pavel@verotel.cz>
-Pavel Pletenev <cpp.create@gmail.com>
-Pavel Pospisil <pospispa@gmail.com>
-Pavel Sutyrin <pavel.sutyrin@gmail.com>
-Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
-Pavlos Ratis <dastergon@gentoo.org>
-Pavol Vargovcik <pallly.vargovcik@gmail.com>
-Pawel Konczalski <mail@konczalski.de>
-Paweł Gronowski <pawel.gronowski@docker.com>
-payall4u <payall4u@qq.com>
-Peeyush Gupta <gpeeyush@linux.vnet.ibm.com>
-Peggy Li <peggyli.224@gmail.com>
-Pei Su <sillyousu@gmail.com>
-Peng Tao <bergwolf@gmail.com>
-Penghan Wang <ph.wang@daocloud.io>
-Per Weijnitz <per.weijnitz@gmail.com>
-perhapszzy@sina.com <perhapszzy@sina.com>
-Pete Woods <pete.woods@circleci.com>
-Peter Bourgon <peter@bourgon.org>
-Peter Braden <peterbraden@peterbraden.co.uk>
-Peter Bücker <peter.buecker@pressrelations.de>
-Peter Choi <phkchoi89@gmail.com>
-Peter Dave Hello <hsu@peterdavehello.org>
-Peter Edge <peter.edge@gmail.com>
-Peter Ericson <pdericson@gmail.com>
-Peter Esbensen <pkesbensen@gmail.com>
-Peter Jaffe <pjaffe@nevo.com>
-Peter Kang <peter@spell.run>
-Peter Malmgren <ptmalmgren@gmail.com>
-Peter Salvatore <peter@psftw.com>
-Peter Volpe <petervo@redhat.com>
-Peter Waller <p@pwaller.net>
-Petr Švihlík <svihlik.petr@gmail.com>
-Petros Angelatos <petrosagg@gmail.com>
-Phil <underscorephil@gmail.com>
-Phil Estes <estesp@gmail.com>
-Phil Sphicas <phil.sphicas@att.com>
-Phil Spitler <pspitler@gmail.com>
-Philip Alexander Etling <paetling@gmail.com>
-Philip K. Warren <pkwarren@gmail.com>
-Philip Monroe <phil@philmonroe.com>
-Philipp Fruck <dev@p-fruck.de>
-Philipp Gillé <philipp.gille@gmail.com>
-Philipp Wahala <philipp.wahala@gmail.com>
-Philipp Weissensteiner <mail@philippweissensteiner.com>
-Phillip Alexander <git@phillipalexander.io>
-phineas <phin@phineas.io>
-pidster <pid@pidster.com>
-Piergiuliano Bossi <pgbossi@gmail.com>
-Pierre <py@poujade.org>
-Pierre Carrier <pierre@meteor.com>
-Pierre Dal-Pra <dalpra.pierre@gmail.com>
-Pierre Wacrenier <pierre.wacrenier@gmail.com>
-Pierre-Alain RIVIERE <pariviere@ippon.fr>
-Piotr Bogdan <ppbogdan@gmail.com>
-Piotr Karbowski <piotr.karbowski@protonmail.ch>
-Porjo <porjo38@yahoo.com.au>
-Poul Kjeldager Sørensen <pks@s-innovations.net>
-Pradeep Chhetri <pradeep@indix.com>
-Pradip Dhara <pradipd@microsoft.com>
-Pradipta Kr. Banerjee <bpradip@in.ibm.com>
-Prasanna Gautam <prasannagautam@gmail.com>
-Pratik Karki <prertik@outlook.com>
-Prayag Verma <prayag.verma@gmail.com>
-Priya Wadhwa <priyawadhwa@google.com>
-Projjol Banerji <probaner23@gmail.com>
-Przemek Hejman <przemyslaw.hejman@gmail.com>
-Puneet Pruthi <puneet.pruthi@oracle.com>
-Pure White <daniel48@126.com>
-pysqz <randomq@126.com>
-Qiang Huang <h.huangqiang@huawei.com>
-Qin TianHuan <tianhuan@bingotree.cn>
-Qinglan Peng <qinglanpeng@zju.edu.cn>
-Quan Tian <tianquan@cloudin.cn>
-qudongfang <qudongfang@gmail.com>
-Quentin Brossard <qbrossard@gmail.com>
-Quentin Perez <qperez@ocs.online.net>
-Quentin Tayssier <qtayssier@gmail.com>
-r0n22 <cameron.regan@gmail.com>
-Rachit Sharma <rachitsharma613@gmail.com>
-Radostin Stoyanov <rstoyanov1@gmail.com>
-Rafal Jeczalik <rjeczalik@gmail.com>
-Rafe Colton <rafael.colton@gmail.com>
-Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
-Raghuram Devarakonda <draghuram@gmail.com>
-Raja Sami <raja.sami@tenpearls.com>
-Rajat Pandit <rp@rajatpandit.com>
-Rajdeep Dua <dua_rajdeep@yahoo.com>
-Ralf Sippl <ralf.sippl@gmail.com>
-Ralle <spam@rasmusa.net>
-Ralph Bean <rbean@redhat.com>
-Ramkumar Ramachandra <artagnon@gmail.com>
-Ramon Brooker <rbrooker@aetherealmind.com>
-Ramon van Alteren <ramon@vanalteren.nl>
-RaviTeja Pothana <ravi-teja@live.com>
-Ray Tsang <rayt@google.com>
-ReadmeCritic <frankensteinbot@gmail.com>
-realityone <realityone@me.com>
-Recursive Madman <recursive.madman@gmx.de>
-Reficul <xuzhenglun@gmail.com>
-Regan McCooey <rmccooey27@aol.com>
-Remi Rampin <remirampin@gmail.com>
-Remy Suen <remy.suen@gmail.com>
-Renato Riccieri Santos Zannon <renato.riccieri@gmail.com>
-Renaud Gaubert <rgaubert@nvidia.com>
-Rhys Hiltner <rhys@twitch.tv>
-Ri Xu <xuri.me@gmail.com>
-Ricardo N Feliciano <FelicianoTech@gmail.com>
-Rich Horwood <rjhorwood@apple.com>
-Rich Moyse <rich@moyse.us>
-Rich Seymour <rseymour@gmail.com>
-Richard Burnison <rburnison@ebay.com>
-Richard Hansen <rhansen@rhansen.org>
-Richard Harvey <richard@squarecows.com>
-Richard Mathie <richard.mathie@amey.co.uk>
-Richard Metzler <richard@paadee.com>
-Richard Scothern <richard.scothern@gmail.com>
-Richo Healey <richo@psych0tik.net>
-Rick Bradley <rick@users.noreply.github.com>
-Rick van de Loo <rickvandeloo@gmail.com>
-Rick Wieman <git@rickw.nl>
-Rik Nijessen <rik@keefo.nl>
-Riku Voipio <riku.voipio@linaro.org>
-Riley Guerin <rileytg.dev@gmail.com>
-Ritesh H Shukla <sritesh@vmware.com>
-Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
-Rob Cowsill <42620235+rcowsill@users.noreply.github.com>
-Rob Gulewich <rgulewich@netflix.com>
-Rob Murray <rob.murray@docker.com>
-Rob Vesse <rvesse@dotnetrdf.org>
-Robert Bachmann <rb@robertbachmann.at>
-Robert Bittle <guywithnose@gmail.com>
-Robert Obryk <robryk@gmail.com>
-Robert Schneider <mail@shakeme.info>
-Robert Shade <robert.shade@gmail.com>
-Robert Stern <lexandro2000@gmail.com>
-Robert Terhaar <rterhaar@atlanticdynamic.com>
-Robert Wallis <smilingrob@gmail.com>
-Robert Wang <robert@arctic.tw>
-Roberto G. Hashioka <roberto.hashioka@docker.com>
-Roberto Muñoz Fernández <robertomf@gmail.com>
-Robin Naundorf <r.naundorf@fh-muenster.de>
-Robin Schneider <ypid@riseup.net>
-Robin Speekenbrink <robin@kingsquare.nl>
-Robin Thoni <robin@rthoni.com>
-robpc <rpcann@gmail.com>
-Rodolfo Carvalho <rhcarvalho@gmail.com>
-Rodrigo Campos <rodrigo@kinvolk.io>
-Rodrigo Vaz <rodrigo.vaz@gmail.com>
-Roel Van Nyen <roel.vannyen@gmail.com>
-Roger Peppe <rogpeppe@gmail.com>
-Rohit Jnagal <jnagal@google.com>
-Rohit Kadam <rohit.d.kadam@gmail.com>
-Rohit Kapur <rkapur@flatiron.com>
-Rojin George <rojingeorge@huawei.com>
-Roland Huß <roland@jolokia.org>
-Roland Kammerer <roland.kammerer@linbit.com>
-Roland Moriz <rmoriz@users.noreply.github.com>
-Roma Sokolov <sokolov.r.v@gmail.com>
-Roman Dudin <katrmr@gmail.com>
-Roman Mazur <roman@balena.io>
-Roman Strashkin <roman.strashkin@gmail.com>
-Roman Volosatovs <roman.volosatovs@docker.com>
-Roman Zabaluev <gpg@haarolean.dev>
-Ron Smits <ron.smits@gmail.com>
-Ron Williams <ron.a.williams@gmail.com>
-Rong Gao <gaoronggood@163.com>
-Rong Zhang <rongzhang@alauda.io>
-Rongxiang Song <tinysong1226@gmail.com>
-Rony Weng <ronyweng@synology.com>
-root <docker-dummy@example.com>
-root <root@lxdebmas.marist.edu>
-root <root@ubuntu-14.04-amd64-vbox>
-root <root@webm215.cluster016.ha.ovh.net>
-Rory Hunter <roryhunter2@gmail.com>
-Rory McCune <raesene@gmail.com>
-Ross Boucher <rboucher@gmail.com>
-Rovanion Luckey <rovanion.luckey@gmail.com>
-Roy Reznik <roy@wiz.io>
-Royce Remer <royceremer@gmail.com>
-Rozhnov Alexandr <nox73@ya.ru>
-Rudolph Gottesheim <r.gottesheim@loot.at>
-Rui Cao <ruicao@alauda.io>
-Rui Lopes <rgl@ruilopes.com>
-Ruilin Li <liruilin4@huawei.com>
-Runshen Zhu <runshen.zhu@gmail.com>
-Russ Magee <rmagee@gmail.com>
-Ryan Abrams <rdabrams@gmail.com>
-Ryan Anderson <anderson.ryanc@gmail.com>
-Ryan Aslett <github@mixologic.com>
-Ryan Barry <rbarry@mirantis.com>
-Ryan Belgrave <rmb1993@gmail.com>
-Ryan Campbell <campbellr@gmail.com>
-Ryan Detzel <ryan.detzel@gmail.com>
-Ryan Fowler <rwfowler@gmail.com>
-Ryan Liu <ryanlyy@me.com>
-Ryan McLaughlin <rmclaughlin@insidesales.com>
-Ryan O'Donnell <odonnellryanc@gmail.com>
-Ryan Seto <ryanseto@yak.net>
-Ryan Shea <sheabot03@gmail.com>
-Ryan Simmen <ryan.simmen@gmail.com>
-Ryan Stelly <ryan.stelly@live.com>
-Ryan Thomas <rthomas@atlassian.com>
-Ryan Trauntvein <rtrauntvein@novacoast.com>
-Ryan Wallner <ryan.wallner@clusterhq.com>
-Ryan Zhang <ryan.zhang@docker.com>
-ryancooper7 <ryan.cooper7@gmail.com>
-RyanDeng <sheldon.d1018@gmail.com>
-Ryo Nakao <nakabonne@gmail.com>
-Ryoga Saito <contact@proelbtn.com>
-Régis Behmo <regis@behmo.com>
-Rémy Greinhofer <remy.greinhofer@livelovely.com>
-s. rannou <mxs@sbrk.org>
-Sabin Basyal <sabin.basyal@gmail.com>
-Sachin Joshi <sachin_jayant_joshi@hotmail.com>
-Sagar Hani <sagarhani33@gmail.com>
-Sainath Grandhi <sainath.grandhi@intel.com>
-Sakeven Jiang <jc5930@sina.cn>
-Salahuddin Khan <salah@docker.com>
-Sally O'Malley <somalley@redhat.com>
-Sam Abed <sam.abed@gmail.com>
-Sam Alba <sam.alba@gmail.com>
-Sam Bailey <cyprix@cyprix.com.au>
-Sam J Sharpe <sam.sharpe@digital.cabinet-office.gov.uk>
-Sam Neirinck <sam@samneirinck.com>
-Sam Reis <sreis@atlassian.com>
-Sam Rijs <srijs@airpost.net>
-Sam Thibault <sam.thibault@docker.com>
-Sam Whited <sam@samwhited.com>
-Sambuddha Basu <sambuddhabasu1@gmail.com>
-Sami Wagiaalla <swagiaal@redhat.com>
-Samuel Andaya <samuel@andaya.net>
-Samuel Dion-Girardeau <samuel.diongirardeau@gmail.com>
-Samuel Karp <me@samuelkarp.com>
-Samuel PHAN <samuel-phan@users.noreply.github.com>
-sanchayanghosh <sanchayanghosh@outlook.com>
-Sandeep Bansal <sabansal@microsoft.com>
-Sankar சங�கர� <sankar.curiosity@gmail.com>
-Sanket Saurav <sanketsaurav@gmail.com>
-Santhosh Manohar <santhosh@docker.com>
-sapphiredev <se.imas.kr@gmail.com>
-Sargun Dhillon <sargun@netflix.com>
-Sascha Andres <sascha.andres@outlook.com>
-Sascha Grunert <sgrunert@suse.com>
-SataQiu <qiushida@beyondcent.com>
-Satnam Singh <satnam@raintown.org>
-Satoshi Amemiya <satoshi_amemiya@voyagegroup.com>
-Satoshi Tagomori <tagomoris@gmail.com>
-Scott Bessler <scottbessler@gmail.com>
-Scott Collier <emailscottcollier@gmail.com>
-Scott Johnston <scott@docker.com>
-Scott Moser <smoser@brickies.net>
-Scott Percival <scottp@lastyard.com>
-Scott Stamp <scottstamp851@gmail.com>
-Scott Walls <sawalls@umich.edu>
-sdreyesg <sdreyesg@gmail.com>
-Sean Christopherson <sean.j.christopherson@intel.com>
-Sean Cronin <seancron@gmail.com>
-Sean Lee <seanlee@tw.ibm.com>
-Sean McIntyre <s.mcintyre@xverba.ca>
-Sean OMeara <sean@chef.io>
-Sean P. Kane <skane@newrelic.com>
-Sean Rodman <srodman7689@gmail.com>
-Sebastiaan van Steenis <mail@superseb.nl>
-Sebastiaan van Stijn <github@gone.nl>
-Sebastian Höffner <sebastian.hoeffner@mevis.fraunhofer.de>
-Sebastian Radloff <sradloff23@gmail.com>
-Sebastian Thomschke <sebthom@users.noreply.github.com>
-Sebastien Goasguen <runseb@gmail.com>
-Senthil Kumar Selvaraj <senthil.thecoder@gmail.com>
-Senthil Kumaran <senthil@uthcode.com>
-SeongJae Park <sj38.park@gmail.com>
-Seongyeol Lim <seongyeol37@gmail.com>
-Serge Hallyn <serge.hallyn@ubuntu.com>
-Sergey Alekseev <sergey.alekseev.minsk@gmail.com>
-Sergey Evstifeev <sergey.evstifeev@gmail.com>
-Sergii Kabashniuk <skabashnyuk@codenvy.com>
-Sergio Lopez <slp@redhat.com>
-Serhat Gülçiçek <serhat25@gmail.com>
-Serhii Nakon <serhii.n@thescimus.com>
-SeungUkLee <lsy931106@gmail.com>
-Sevki Hasirci <s@sevki.org>
-Shane Canon <scanon@lbl.gov>
-Shane da Silva <shane@dasilva.io>
-Shaun Kaasten <shaunk@gmail.com>
-shaunol <shaunol@gmail.com>
-Shawn Landden <shawn@churchofgit.com>
-Shawn Siefkas <shawn.siefkas@meredith.com>
-shawnhe <shawnhe@shawnhedeMacBook-Pro.local>
-Shayan Pooya <shayan@liveve.org>
-Shayne Wang <shaynexwang@gmail.com>
-Shekhar Gulati <shekhargulati84@gmail.com>
-Sheng Yang <sheng@yasker.org>
-Shengbo Song <thomassong@tencent.com>
-Shengjing Zhu <zhsj@debian.org>
-Shev Yan <yandong_8212@163.com>
-Shih-Yuan Lee <fourdollars@gmail.com>
-Shihao Xia <charlesxsh@hotmail.com>
-Shijiang Wei <mountkin@gmail.com>
-Shijun Qin <qinshijun16@mails.ucas.ac.cn>
-Shishir Mahajan <shishir.mahajan@redhat.com>
-Shoubhik Bose <sbose78@gmail.com>
-Shourya Sarcar <shourya.sarcar@gmail.com>
-Shu-Wai Chow <shu-wai.chow@seattlechildrens.org>
-shuai-z <zs.broccoli@gmail.com>
-Shukui Yang <yangshukui@huawei.com>
-Sian Lerk Lau <kiawin@gmail.com>
-Siarhei Rasiukevich <s_rasiukevich@wargaming.net>
-Sidhartha Mani <sidharthamn@gmail.com>
-sidharthamani <sid@rancher.com>
-Silas Sewell <silas@sewell.org>
-Silvan Jegen <s.jegen@gmail.com>
-Simão Reis <smnrsti@gmail.com>
-Simon Barendse <simon.barendse@gmail.com>
-Simon Eskildsen <sirup@sirupsen.com>
-Simon Ferquel <simon.ferquel@docker.com>
-Simon Leinen <simon.leinen@gmail.com>
-Simon Menke <simon.menke@gmail.com>
-Simon Taranto <simon.taranto@gmail.com>
-Simon Vikstrom <pullreq@devsn.se>
-Sindhu S <sindhus@live.in>
-Sjoerd Langkemper <sjoerd-github@linuxonly.nl>
-skanehira <sho19921005@gmail.com>
-Smark Meng <smark@freecoop.net>
-Solganik Alexander <solganik@gmail.com>
-Solomon Hykes <solomon@docker.com>
-Song Gao <song@gao.io>
-Soshi Katsuta <soshi.katsuta@gmail.com>
-Sotiris Salloumis <sotiris.salloumis@gmail.com>
-Soulou <leo@unbekandt.eu>
-Spencer Brown <spencer@spencerbrown.org>
-Spencer Smith <robertspencersmith@gmail.com>
-Spike Curtis <spike.curtis@metaswitch.com>
-Sridatta Thatipamala <sthatipamala@gmail.com>
-Sridhar Ratnakumar <sridharr@activestate.com>
-Srini Brahmaroutu <srbrahma@us.ibm.com>
-Srinivasan Srivatsan <srinivasan.srivatsan@hpe.com>
-Staf Wagemakers <staf@wagemakers.be>
-Stanislav Bondarenko <stanislav.bondarenko@gmail.com>
-Stanislav Levin <slev@altlinux.org>
-Steeve Morin <steeve.morin@gmail.com>
-Stefan Berger <stefanb@linux.vnet.ibm.com>
-Stefan Gehrig <stefan.gehrig.hn@googlemail.com>
-Stefan J. Wernli <swernli@microsoft.com>
-Stefan Praszalowicz <stefan@greplin.com>
-Stefan S. <tronicum@user.github.com>
-Stefan Scherer <stefan.scherer@docker.com>
-Stefan Staudenmeyer <doerte@instana.com>
-Stefan Weil <sw@weilnetz.de>
-Steffen Butzer <steffen.butzer@outlook.com>
-Stephan Henningsen <stephan-henningsen@users.noreply.github.com>
-Stephan Spindler <shutefan@gmail.com>
-Stephen Benjamin <stephen@redhat.com>
-Stephen Crosby <stevecrozz@gmail.com>
-Stephen Day <stevvooe@gmail.com>
-Stephen Drake <stephen@xenolith.net>
-Stephen Rust <srust@blockbridge.com>
-Steve Desmond <steve@vtsv.ca>
-Steve Dougherty <steve@asksteved.com>
-Steve Durrheimer <s.durrheimer@gmail.com>
-Steve Francia <steve.francia@gmail.com>
-Steve Koch <stevekochscience@gmail.com>
-Steven Burgess <steven.a.burgess@hotmail.com>
-Steven Erenst <stevenerenst@gmail.com>
-Steven Hartland <steven.hartland@multiplay.co.uk>
-Steven Iveson <sjiveson@outlook.com>
-Steven Merrill <steven.merrill@gmail.com>
-Steven Richards <steven@axiomzen.co>
-Steven Taylor <steven.taylor@me.com>
-Ste�phane Este-Gracias <sestegra@gmail.com>
-Stig Larsson <stig@larsson.dev>
-Su Wang <su.wang@docker.com>
-Subhajit Ghosh <isubuz.g@gmail.com>
-Sujith Haridasan <sujith.h@gmail.com>
-Sun Gengze <690388648@qq.com>
-Sun Jianbo <wonderflow.sun@gmail.com>
-Sune Keller <sune.keller@gmail.com>
-Sunny Gogoi <indiasuny000@gmail.com>
-Suryakumar Sudar <surya.trunks@gmail.com>
-Sven Dowideit <SvenDowideit@home.org.au>
-Swapnil Daingade <swapnil.daingade@gmail.com>
-Sylvain Baubeau <lebauce@gmail.com>
-Sylvain Bellemare <sylvain@ascribe.io>
-Sébastien <sebastien@yoozio.com>
-Sébastien HOUZÉ <cto@verylastroom.com>
-Sébastien Luttringer <seblu@seblu.net>
-Sébastien Stormacq <sebsto@users.noreply.github.com>
-Sören Tempel <soeren+git@soeren-tempel.net>
-Tabakhase <mail@tabakhase.com>
-Tadej Janež <tadej.j@nez.si>
-Takuto Sato <tockn.jp@gmail.com>
-tang0th <tang0th@gmx.com>
-Tangi Colin <tangicolin@gmail.com>
-Tatsuki Sugiura <sugi@nemui.org>
-Tatsushi Inagaki <e29253@jp.ibm.com>
-Taylan Isikdemir <taylani@google.com>
-Taylor Jones <monitorjbl@gmail.com>
-Ted M. Young <tedyoung@gmail.com>
-Tehmasp Chaudhri <tehmasp@gmail.com>
-Tejaswini Duggaraju <naduggar@microsoft.com>
-Tejesh Mehta <tejesh.mehta@gmail.com>
-Terry Chu <zue.hterry@gmail.com>
-terryding77 <550147740@qq.com>
-Thatcher Peskens <thatcher@docker.com>
-theadactyl <thea.lamkin@gmail.com>
-Thell 'Bo' Fowler <thell@tbfowler.name>
-Thermionix <bond711@gmail.com>
-Thiago Alves Silva <thiago.alves@aurea.com>
-Thijs Terlouw <thijsterlouw@gmail.com>
-Thomas Bikeev <thomas.bikeev@mac.com>
-Thomas Frössman <thomasf@jossystem.se>
-Thomas Gazagnaire <thomas@gazagnaire.org>
-Thomas Graf <tgraf@suug.ch>
-Thomas Grainger <tagrain@gmail.com>
-Thomas Hansen <thomas.hansen@gmail.com>
-Thomas Ledos <thomas.ledos92@gmail.com>
-Thomas Leonard <thomas.leonard@docker.com>
-Thomas Léveil <thomasleveil@gmail.com>
-Thomas Orozco <thomas@orozco.fr>
-Thomas Riccardi <riccardi@systran.fr>
-Thomas Schroeter <thomas@cliqz.com>
-Thomas Sjögren <konstruktoid@users.noreply.github.com>
-Thomas Swift <tgs242@gmail.com>
-Thomas Tanaka <thomas.tanaka@oracle.com>
-Thomas Texier <sharkone@en-mousse.org>
-Ti Zhou <tizhou1986@gmail.com>
-Tiago Seabra <tlgs@users.noreply.github.com>
-Tianon Gravi <admwiggin@gmail.com>
-Tianyi Wang <capkurmagati@gmail.com>
-Tibor Vass <teabee89@gmail.com>
-Tiffany Jernigan <tiffany.f.j@gmail.com>
-Tiffany Low <tiffany@box.com>
-Till Claassen <pixelistik@users.noreply.github.com>
-Till Wegmüller <toasterson@gmail.com>
-Tim <elatllat@gmail.com>
-Tim Bart <tim@fewagainstmany.com>
-Tim Bosse <taim@bosboot.org>
-Tim Dettrick <t.dettrick@uq.edu.au>
-Tim Düsterhus <tim@bastelstu.be>
-Tim Hockin <thockin@google.com>
-Tim Potter <tpot@hpe.com>
-Tim Ruffles <oi@truffles.me.uk>
-Tim Smith <timbot@google.com>
-Tim Terhorst <mynamewastaken+git@gmail.com>
-Tim Wagner <tim.wagner@freenet.ag>
-Tim Wang <timwangdev@gmail.com>
-Tim Waugh <twaugh@redhat.com>
-Tim Wraight <tim.wraight@tangentlabs.co.uk>
-Tim Zju <21651152@zju.edu.cn>
-timchenxiaoyu <837829664@qq.com>
-timfeirg <kkcocogogo@gmail.com>
-Timo Rothenpieler <timo@rothenpieler.org>
-Timothy Hobbs <timothyhobbs@seznam.cz>
-tjwebb123 <tjwebb123@users.noreply.github.com>
-tobe <tobegit3hub@gmail.com>
-Tobias Bieniek <Tobias.Bieniek@gmx.de>
-Tobias Bradtke <webwurst@gmail.com>
-Tobias Gesellchen <tobias@gesellix.de>
-Tobias Klauser <tklauser@distanz.ch>
-Tobias Munk <schmunk@usrbin.de>
-Tobias Pfandzelter <tobias@pfandzelter.com>
-Tobias Schmidt <ts@soundcloud.com>
-Tobias Schwab <tobias.schwab@dynport.de>
-Todd Crane <todd@toddcrane.com>
-Todd Lunter <tlunter@gmail.com>
-Todd Whiteman <todd.whiteman@joyent.com>
-Toli Kuznets <toli@docker.com>
-Tom Barlow <tomwbarlow@gmail.com>
-Tom Booth <tombooth@gmail.com>
-Tom Denham <tom@tomdee.co.uk>
-Tom Fotherby <tom+github@peopleperhour.com>
-Tom Howe <tom.howe@enstratius.com>
-Tom Hulihan <hulihan.tom159@gmail.com>
-Tom Maaswinkel <tom.maaswinkel@12wiki.eu>
-Tom Parker <palfrey@tevp.net>
-Tom Sweeney <tsweeney@redhat.com>
-Tom Wilkie <tom.wilkie@gmail.com>
-Tom X. Tobin <tomxtobin@tomxtobin.com>
-Tom Zhao <zlwangel@gmail.com>
-Tomas Janousek <tomi@nomi.cz>
-Tomas Kral <tomas.kral@gmail.com>
-Tomas Tomecek <ttomecek@redhat.com>
-Tomasz Kopczynski <tomek@kopczynski.net.pl>
-Tomasz Lipinski <tlipinski@users.noreply.github.com>
-Tomasz Nurkiewicz <nurkiewicz@gmail.com>
-Tomek Mańko <tomek.manko@railgun-solutions.com>
-Tommaso Visconti <tommaso.visconti@gmail.com>
-Tomoya Tabuchi <t@tomoyat1.com>
-Tomáš Hr�ka <thrcka@redhat.com>
-tonic <tonicbupt@gmail.com>
-Tonny Xu <tonny.xu@gmail.com>
-Tony Abboud <tdabboud@hotmail.com>
-Tony Daws <tony@daws.ca>
-Tony Miller <mcfiredrill@gmail.com>
-toogley <toogley@mailbox.org>
-Torstein Husebø <torstein@huseboe.net>
-Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-Tõnis Tiigi <tonistiigi@gmail.com>
-Trace Andreason <tandreason@gmail.com>
-tracylihui <793912329@qq.com>
-Trapier Marshall <tmarshall@mirantis.com>
-Travis Cline <travis.cline@gmail.com>
-Travis Thieman <travis.thieman@gmail.com>
-Trent Ogren <tedwardo2@gmail.com>
-Trevor <trevinwoodstock@gmail.com>
-Trevor Pounds <trevor.pounds@gmail.com>
-Trevor Sullivan <pcgeek86@gmail.com>
-Trishna Guha <trishnaguha17@gmail.com>
-Tristan Carel <tristan@cogniteev.com>
-Troy Denton <trdenton@gmail.com>
-Tudor Brindus <me@tbrindus.ca>
-Ty Alexander <ty.alexander@sendgrid.com>
-Tycho Andersen <tycho@docker.com>
-Tyler Brock <tyler.brock@gmail.com>
-Tyler Brown <tylers.pile@gmail.com>
-Tzu-Jung Lee <roylee17@gmail.com>
-uhayate <uhayate.gong@daocloud.io>
-Ulysse Carion <ulyssecarion@gmail.com>
-Umesh Yadav <umesh4257@gmail.com>
-Utz Bacher <utz.bacher@de.ibm.com>
-vagrant <vagrant@ubuntu-14.04-amd64-vbox>
-Vaidas Jablonskis <jablonskis@gmail.com>
-Valentin Kulesh <valentin.kulesh@virtuozzo.com>
-vanderliang <lansheng@meili-inc.com>
-Velko Ivanov <vivanov@deeperplane.com>
-Veres Lajos <vlajos@gmail.com>
-Victor Algaze <valgaze@gmail.com>
-Victor Coisne <victor.coisne@dotcloud.com>
-Victor Costan <costan@gmail.com>
-Victor I. Wood <viw@t2am.com>
-Victor Lyuboslavsky <victor@victoreda.com>
-Victor Marmol <vmarmol@google.com>
-Victor Palma <palma.victor@gmail.com>
-Victor Vieux <victor.vieux@docker.com>
-Victoria Bialas <victoria.bialas@docker.com>
-Vijaya Kumar K <vijayak@caviumnetworks.com>
-Vikas Choudhary <choudharyvikas16@gmail.com>
-Vikram bir Singh <vsingh@mirantis.com>
-Viktor Stanchev <me@viktorstanchev.com>
-Viktor Vojnovski <viktor.vojnovski@amadeus.com>
-VinayRaghavanKS <raghavan.vinay@gmail.com>
-Vincent Batts <vbatts@redhat.com>
-Vincent Bernat <vincent@bernat.ch>
-Vincent Boulineau <vincent.boulineau@datadoghq.com>
-Vincent Demeester <vincent.demeester@docker.com>
-Vincent Giersch <vincent.giersch@ovh.net>
-Vincent Mayers <vincent.mayers@inbloom.org>
-Vincent Woo <me@vincentwoo.com>
-Vinod Kulkarni <vinod.kulkarni@gmail.com>
-Vishal Doshi <vishal.doshi@gmail.com>
-Vishnu Kannan <vishnuk@google.com>
-Vitaly Ostrosablin <vostrosablin@virtuozzo.com>
-Vitor Anjos <bartier@users.noreply.github.com>
-Vitor Monteiro <vmrmonteiro@gmail.com>
-Vivek Agarwal <me@vivek.im>
-Vivek Dasgupta <vdasgupt@redhat.com>
-Vivek Goyal <vgoyal@redhat.com>
-Vladimir Bulyga <xx@ccxx.cc>
-Vladimir Kirillov <proger@wilab.org.ua>
-Vladimir Pouzanov <farcaller@google.com>
-Vladimir Rutsky <altsysrq@gmail.com>
-Vladimir Varankin <nek.narqo+git@gmail.com>
-VladimirAus <v_roudakov@yahoo.com>
-Vladislav Kolesnikov <vkolesnikov@beget.ru>
-Vlastimil Zeman <vlastimil.zeman@diffblue.com>
-Vojtech Vitek (V-Teq) <vvitek@redhat.com>
-voloder <110066198+voloder@users.noreply.github.com>
-Walter Leibbrandt <github@wrl.co.za>
-Walter Stanish <walter@pratyeka.org>
-Wang Chao <chao.wang@ucloud.cn>
-Wang Guoliang <liangcszzu@163.com>
-Wang Jie <wangjie5@chinaskycloud.com>
-Wang Long <long.wanglong@huawei.com>
-Wang Ping <present.wp@icloud.com>
-Wang Xing <hzwangxing@corp.netease.com>
-Wang Yuexiao <wang.yuexiao@zte.com.cn>
-Wang Yumu <37442693@qq.com>
-wanghuaiqing <wanghuaiqing@loongson.cn>
-Ward Vandewege <ward@jhvc.com>
-WarheadsSE <max@warheads.net>
-Wassim Dhif <wassimdhif@gmail.com>
-Wataru Ishida <ishida.wataru@lab.ntt.co.jp>
-Wayne Chang <wayne@neverfear.org>
-Wayne Song <wsong@docker.com>
-Weerasak Chongnguluam <singpor@gmail.com>
-Wei Fu <fuweid89@gmail.com>
-Wei Wu <wuwei4455@gmail.com>
-Wei-Ting Kuo <waitingkuo0527@gmail.com>
-weipeng <weipeng@tuscloud.io>
-weiyan <weiyan3@huawei.com>
-Weiyang Zhu <cnresonant@gmail.com>
-Wen Cheng Ma <wenchma@cn.ibm.com>
-Wendel Fleming <wfleming@usc.edu>
-Wenjun Tang <tangwj2@lenovo.com>
-Wenkai Yin <yinw@vmware.com>
-wenlxie <wenlxie@ebay.com>
-Wenxuan Zhao <viz@linux.com>
-Wenyu You <21551128@zju.edu.cn>
-Wenzhi Liang <wenzhi.liang@gmail.com>
-Wes Morgan <cap10morgan@gmail.com>
-Wesley Pettit <wppttt@amazon.com>
-Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
-Wiktor Kwapisiewicz <wiktor@metacode.biz>
-Will Dietz <w@wdtz.org>
-Will Rouesnel <w.rouesnel@gmail.com>
-Will Weaver <monkey@buildingbananas.com>
-willhf <willhf@gmail.com>
-William Delanoue <william.delanoue@gmail.com>
-William Henry <whenry@redhat.com>
-William Hubbs <w.d.hubbs@gmail.com>
-William Martin <wmartin@pivotal.io>
-William Riancho <wr.wllm@gmail.com>
-William Thurston <thurstw@amazon.com>
-Wilson Júnior <wilsonpjunior@gmail.com>
-Wing-Kam Wong <wingkwong.code@gmail.com>
-WiseTrem <shepelyov.g@gmail.com>
-Wolfgang Nagele <mail@wnagele.com>
-Wolfgang Powisch <powo@powo.priv.at>
-Wonjun Kim <wonjun.kim@navercorp.com>
-WuLonghui <wlh6666@qq.com>
-xamyzhao <x.amy.zhao@gmail.com>
-Xia Wu <xwumzn@amazon.com>
-Xian Chaobo <xianchaobo@huawei.com>
-Xianglin Gao <xlgao@zju.edu.cn>
-Xianjie <guxianjie@gmail.com>
-Xianlu Bird <xianlubird@gmail.com>
-Xiao YongBiao <xyb4638@gmail.com>
-Xiao Zhang <xiaozhang0210@hotmail.com>
-XiaoBing Jiang <s7v7nislands@gmail.com>
-Xiaodong Liu <liuxiaodong@loongson.cn>
-Xiaodong Zhang <a4012017@sina.com>
-Xiaohua Ding <xiao_hua_ding@sina.cn>
-Xiaoxi He <xxhe@alauda.io>
-Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
-Xiaoyu Zhang <zhang.xiaoyu33@zte.com.cn>
-xichengliudui <1693291525@qq.com>
-xiekeyang <xiekeyang@huawei.com>
-Ximo Guanter Gonzálbez <joaquin.guantergonzalbez@telefonica.com>
-xin.li <xin.li@daocloud.io>
-Xinbo Weng <xihuanbo_0521@zju.edu.cn>
-Xinfeng Liu <XinfengLiu@icloud.com>
-Xinzi Zhou <imdreamrunner@gmail.com>
-Xiuming Chen <cc@cxm.cc>
-Xuecong Liao <satorulogic@gmail.com>
-xuzhaokui <cynicholas@gmail.com>
-Yadnyawalkya Tale <ytale@redhat.com>
-Yahya <ya7yaz@gmail.com>
-yalpul <yalpul@gmail.com>
-YAMADA Tsuyoshi <tyamada@minimum2scp.org>
-Yamasaki Masahide <masahide.y@gmail.com>
-Yamazaki Masashi <masi19bw@gmail.com>
-Yan Feng <yanfeng2@huawei.com>
-Yan Zhu <yanzhu@alauda.io>
-Yang Bai <hamo.by@gmail.com>
-Yang Li <idealhack@gmail.com>
-Yang Pengfei <yangpengfei4@huawei.com>
-yangchenliang <yangchenliang@huawei.com>
-Yann Autissier <yann.autissier@gmail.com>
-Yanqiang Miao <miao.yanqiang@zte.com.cn>
-Yao Zaiyong <yaozaiyong@hotmail.com>
-Yash Murty <yashmurty@gmail.com>
-Yassine Tijani <yasstij11@gmail.com>
-Yasunori Mahata <nori@mahata.net>
-Yazhong Liu <yorkiefixer@gmail.com>
-Yestin Sun <sunyi0804@gmail.com>
-Yi EungJun <eungjun.yi@navercorp.com>
-Yibai Zhang <xm1994@gmail.com>
-Yihang Ho <hoyihang5@gmail.com>
-Ying Li <ying.li@docker.com>
-Yohei Ueda <yohei@jp.ibm.com>
-Yong Tang <yong.tang.github@outlook.com>
-Yongxin Li <yxli@alauda.io>
-Yongzhi Pan <panyongzhi@gmail.com>
-Yosef Fertel <yfertel@gmail.com>
-You-Sheng Yang (楊有�) <vicamo@gmail.com>
-youcai <omegacoleman@gmail.com>
-Youcef YEKHLEF <yyekhlef@gmail.com>
-Youfu Zhang <zhangyoufu@gmail.com>
-Yu Changchun <yuchangchun1@huawei.com>
-Yu Chengxia <yuchengxia@huawei.com>
-Yu Peng <yu.peng36@zte.com.cn>
-Yu-Ju Hong <yjhong@google.com>
-Yuan Sun <sunyuan3@huawei.com>
-Yuanhong Peng <pengyuanhong@huawei.com>
-Yue Zhang <zy675793960@yeah.net>
-Yufei Xiong <yufei.xiong@qq.com>
-Yuhao Fang <fangyuhao@gmail.com>
-Yuichiro Kaneko <spiketeika@gmail.com>
-YujiOshima <yuji.oshima0x3fd@gmail.com>
-Yunxiang Huang <hyxqshk@vip.qq.com>
-Yurii Rashkovskii <yrashk@gmail.com>
-Yusuf Tarık Günaydın <yusuf_tarik@hotmail.com>
-Yves Blusseau <90z7oey02@sneakemail.com>
-Yves Junqueira <yves.junqueira@gmail.com>
-Zac Dover <zdover@redhat.com>
-Zach Borboa <zachborboa@gmail.com>
-Zach Gershman <zachgersh@gmail.com>
-Zachary Jaffee <zjaffee@us.ibm.com>
-Zain Memon <zain@inzain.net>
-Zaiste! <oh@zaiste.net>
-Zane DeGraffenried <zane.deg@gmail.com>
-Zefan Li <lizefan@huawei.com>
-Zen Lin(Zhinan Lin) <linzhinan@huawei.com>
-Zhang Kun <zkazure@gmail.com>
-Zhang Wei <zhangwei555@huawei.com>
-Zhang Wentao <zhangwentao234@huawei.com>
-zhangguanzhang <zhangguanzhang@qq.com>
-ZhangHang <stevezhang2014@gmail.com>
-zhangxianwei <xianwei.zw@alibaba-inc.com>
-Zhenan Ye <21551168@zju.edu.cn>
-zhenghenghuo <zhenghenghuo@zju.edu.cn>
-Zhenhai Gao <gaozh1988@live.com>
-Zhenkun Bi <bi.zhenkun@zte.com.cn>
-ZhiPeng Lu <lu.zhipeng@zte.com.cn>
-zhipengzuo <zuozhipeng@baidu.com>
-Zhou Hao <zhouhao@cn.fujitsu.com>
-Zhoulin Xie <zhoulin.xie@daocloud.io>
-Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
-Zhu Kunjia <zhu.kunjia@zte.com.cn>
-Zhuoyun Wei <wzyboy@wzyboy.org>
-Ziheng Liu <lzhfromustc@gmail.com>
-Zilin Du <zilin.du@gmail.com>
-zimbatm <zimbatm@zimbatm.com>
-Ziming Dong <bnudzm@foxmail.com>
-ZJUshuaizhou <21551191@zju.edu.cn>
-zmarouf <zeid.marouf@gmail.com>
-Zoltan Tombol <zoltan.tombol@gmail.com>
-Zou Yu <zouyu7@huawei.com>
-zqh <zqhxuyuan@gmail.com>
-Zuhayr Elahi <zuhayr.elahi@docker.com>
-Zunayed Ali <zunayed@gmail.com>
-�lvaro Lázaro <alvaro.lazaro.g@gmail.com>
-�tila Camurça Alves <camurca.home@gmail.com>
-��白 <296015668@qq.com>
-尹�峰 <jifeng.yin@gmail.com>
-屈� <qujun@tiduyun.com>
-�俊� <paco.xu@daocloud.io>
-慕陶 <jihui.xjh@alibaba-inc.com>
-�通 <yufeng.pyf@alibaba-inc.com>
-黄艳红00139573 <huang.yanhong@zte.com.cn>
-정재� <jjy600901@gmail.com>
diff --git a/vendor/github.com/docker/docker/LICENSE b/vendor/github.com/docker/docker/LICENSE
deleted file mode 100644
index 6d8d58fb676..00000000000
--- a/vendor/github.com/docker/docker/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        https://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   Copyright 2013-2018 Docker, Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       https://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/github.com/docker/docker/NOTICE b/vendor/github.com/docker/docker/NOTICE
deleted file mode 100644
index 58b19b6d15b..00000000000
--- a/vendor/github.com/docker/docker/NOTICE
+++ /dev/null
@@ -1,19 +0,0 @@
-Docker
-Copyright 2012-2017 Docker, Inc.
-
-This product includes software developed at Docker, Inc. (https://www.docker.com).
-
-This product contains software (https://github.com/creack/pty) developed
-by Keith Rarick, licensed under the MIT License.
-
-The following is courtesy of our legal counsel:
-
-
-Use and transfer of Docker may be subject to certain restrictions by the
-United States and other governments.
-It is your responsibility to ensure that your use and/or transfer does not
-violate applicable laws.
-
-For more information, please see https://www.bis.doc.gov
-
-See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir.go b/vendor/github.com/docker/docker/pkg/homedir/homedir.go
deleted file mode 100644
index c0ab3f5bf35..00000000000
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package homedir
-
-import (
-	"os"
-	"os/user"
-	"runtime"
-)
-
-// Get returns the home directory of the current user with the help of
-// environment variables depending on the target operating system.
-// Returned path should be used with "path/filepath" to form new paths.
-//
-// On non-Windows platforms, it falls back to nss lookups, if the home
-// directory cannot be obtained from environment-variables.
-//
-// If linking statically with cgo enabled against glibc, ensure the
-// osusergo build tag is used.
-//
-// If needing to do nss lookups, do not disable cgo or set osusergo.
-func Get() string {
-	home, _ := os.UserHomeDir()
-	if home == "" && runtime.GOOS != "windows" {
-		if u, err := user.Current(); err == nil {
-			return u.HomeDir
-		}
-	}
-	return home
-}
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
deleted file mode 100644
index ded1c7c8c61..00000000000
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go
+++ /dev/null
@@ -1,105 +0,0 @@
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-import (
-	"errors"
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-// GetRuntimeDir returns XDG_RUNTIME_DIR.
-// XDG_RUNTIME_DIR is typically configured via pam_systemd.
-// GetRuntimeDir returns non-nil error if XDG_RUNTIME_DIR is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetRuntimeDir() (string, error) {
-	if xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR"); xdgRuntimeDir != "" {
-		return xdgRuntimeDir, nil
-	}
-	return "", errors.New("could not get XDG_RUNTIME_DIR")
-}
-
-// StickRuntimeDirContents sets the sticky bit on files that are under
-// XDG_RUNTIME_DIR, so that the files won't be periodically removed by the system.
-//
-// StickyRuntimeDir returns slice of sticked files.
-// StickyRuntimeDir returns nil error if XDG_RUNTIME_DIR is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func StickRuntimeDirContents(files []string) ([]string, error) {
-	runtimeDir, err := GetRuntimeDir()
-	if err != nil {
-		// ignore error if runtimeDir is empty
-		return nil, nil
-	}
-	runtimeDir, err = filepath.Abs(runtimeDir)
-	if err != nil {
-		return nil, err
-	}
-	var sticked []string
-	for _, f := range files {
-		f, err = filepath.Abs(f)
-		if err != nil {
-			return sticked, err
-		}
-		if strings.HasPrefix(f, runtimeDir+"/") {
-			if err = stick(f); err != nil {
-				return sticked, err
-			}
-			sticked = append(sticked, f)
-		}
-	}
-	return sticked, nil
-}
-
-func stick(f string) error {
-	st, err := os.Stat(f)
-	if err != nil {
-		return err
-	}
-	m := st.Mode()
-	m |= os.ModeSticky
-	return os.Chmod(f, m)
-}
-
-// GetDataHome returns XDG_DATA_HOME.
-// GetDataHome returns $HOME/.local/share and nil error if XDG_DATA_HOME is not set.
-// If HOME and XDG_DATA_HOME are not set, getpwent(3) is consulted to determine the users home directory.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetDataHome() (string, error) {
-	if xdgDataHome := os.Getenv("XDG_DATA_HOME"); xdgDataHome != "" {
-		return xdgDataHome, nil
-	}
-	home := Get()
-	if home == "" {
-		return "", errors.New("could not get either XDG_DATA_HOME or HOME")
-	}
-	return filepath.Join(home, ".local", "share"), nil
-}
-
-// GetConfigHome returns XDG_CONFIG_HOME.
-// GetConfigHome returns $HOME/.config and nil error if XDG_CONFIG_HOME is not set.
-// If HOME and XDG_CONFIG_HOME are not set, getpwent(3) is consulted to determine the users home directory.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetConfigHome() (string, error) {
-	if xdgConfigHome := os.Getenv("XDG_CONFIG_HOME"); xdgConfigHome != "" {
-		return xdgConfigHome, nil
-	}
-	home := Get()
-	if home == "" {
-		return "", errors.New("could not get either XDG_CONFIG_HOME or HOME")
-	}
-	return filepath.Join(home, ".config"), nil
-}
-
-// GetLibHome returns $HOME/.local/lib
-// If HOME is not set, getpwent(3) is consulted to determine the users home directory.
-func GetLibHome() (string, error) {
-	home := Get()
-	if home == "" {
-		return "", errors.New("could not get HOME")
-	}
-	return filepath.Join(home, ".local/lib"), nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go
deleted file mode 100644
index 4eeb26b5dca..00000000000
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go
+++ /dev/null
@@ -1,32 +0,0 @@
-//go:build !linux
-
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-import (
-	"errors"
-)
-
-// GetRuntimeDir is unsupported on non-linux system.
-func GetRuntimeDir() (string, error) {
-	return "", errors.New("homedir.GetRuntimeDir() is not supported on this system")
-}
-
-// StickRuntimeDirContents is unsupported on non-linux system.
-func StickRuntimeDirContents(files []string) ([]string, error) {
-	return nil, errors.New("homedir.StickRuntimeDirContents() is not supported on this system")
-}
-
-// GetDataHome is unsupported on non-linux system.
-func GetDataHome() (string, error) {
-	return "", errors.New("homedir.GetDataHome() is not supported on this system")
-}
-
-// GetConfigHome is unsupported on non-linux system.
-func GetConfigHome() (string, error) {
-	return "", errors.New("homedir.GetConfigHome() is not supported on this system")
-}
-
-// GetLibHome is unsupported on non-linux system.
-func GetLibHome() (string, error) {
-	return "", errors.New("homedir.GetLibHome() is not supported on this system")
-}
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/pusher.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/pusher.go
index 1c07bd47594..332d8ca0ad5 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/pusher.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/pusher.go
@@ -125,6 +125,20 @@ func (p *Pusher) writer(ctx context.Context, repo name.Repository, o *options) (
 	return rw, rw.init(ctx)
 }
 
+func (p *Pusher) Put(ctx context.Context, ref name.Reference, t Taggable) error {
+	w, err := p.writer(ctx, ref.Context(), p.o)
+	if err != nil {
+		return err
+	}
+
+	m, err := taggableToManifest(t)
+	if err != nil {
+		return err
+	}
+
+	return w.commitManifest(ctx, ref, m)
+}
+
 func (p *Pusher) Push(ctx context.Context, ref name.Reference, t Taggable) error {
 	w, err := p.writer(ctx, ref.Context(), p.o)
 	if err != nil {
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/referrers.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/referrers.go
index e30ca57ed80..48e3835f9c0 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/referrers.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/referrers.go
@@ -66,7 +66,7 @@ func (f *fetcher) fetchReferrers(ctx context.Context, filter map[string]string,
 	}
 
 	var b []byte
-	if resp.StatusCode == http.StatusOK {
+	if resp.StatusCode == http.StatusOK && resp.Header.Get("Content-Type") == string(types.OCIImageIndex) {
 		b, err = io.ReadAll(resp.Body)
 		if err != nil {
 			return nil, err
diff --git a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go
index b730dbb054f..1167cb793ac 100644
--- a/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go
+++ b/vendor/github.com/google/go-containerregistry/pkg/v1/remote/write.go
@@ -45,14 +45,7 @@ type Taggable interface {
 
 // Write pushes the provided img to the specified image reference.
 func Write(ref name.Reference, img v1.Image, options ...Option) (rerr error) {
-	o, err := makeOptions(options...)
-	if err != nil {
-		return err
-	}
-	if o.progress != nil {
-		defer func() { o.progress.Close(rerr) }()
-	}
-	return newPusher(o).Push(o.context, ref, img)
+	return Push(ref, img, options...)
 }
 
 // writer writes the elements of an image to a remote image reference.
@@ -656,14 +649,7 @@ func scopesForUploadingImage(repo name.Repository, layers []v1.Layer) []string {
 // WriteIndex will attempt to push all of the referenced manifests before
 // attempting to push the ImageIndex, to retain referential integrity.
 func WriteIndex(ref name.Reference, ii v1.ImageIndex, options ...Option) (rerr error) {
-	o, err := makeOptions(options...)
-	if err != nil {
-		return err
-	}
-	if o.progress != nil {
-		defer func() { o.progress.Close(rerr) }()
-	}
-	return newPusher(o).Push(o.context, ref, ii)
+	return Push(ref, ii, options...)
 }
 
 // WriteLayer uploads the provided Layer to the specified repo.
@@ -709,5 +695,17 @@ func Put(ref name.Reference, t Taggable, options ...Option) error {
 	if err != nil {
 		return err
 	}
+	return newPusher(o).Put(o.context, ref, t)
+}
+
+// Push uploads the given Taggable to the specified reference.
+func Push(ref name.Reference, t Taggable, options ...Option) (rerr error) {
+	o, err := makeOptions(options...)
+	if err != nil {
+		return err
+	}
+	if o.progress != nil {
+		defer func() { o.progress.Close(rerr) }()
+	}
 	return newPusher(o).Push(o.context, ref, t)
 }
diff --git a/vendor/github.com/jellydator/ttlcache/v3/README.md b/vendor/github.com/jellydator/ttlcache/v3/README.md
index 3a557b030d9..a17cb243718 100644
--- a/vendor/github.com/jellydator/ttlcache/v3/README.md
+++ b/vendor/github.com/jellydator/ttlcache/v3/README.md
@@ -10,7 +10,8 @@
 - Type parameters
 - Item expiration and automatic deletion
 - Automatic expiration time extension on each `Get` call
-- `Loader` interface that may be used to load/lazily initialize missing cache 
+- `Loader` interface that may be used to load/lazily initialize missing cache
+- Thread Safe
 items
 - Event handlers (insertion and eviction)
 - Metrics
diff --git a/vendor/github.com/jellydator/ttlcache/v3/cache.go b/vendor/github.com/jellydator/ttlcache/v3/cache.go
index 1ad3afbece4..1b9e72ef015 100644
--- a/vendor/github.com/jellydator/ttlcache/v3/cache.go
+++ b/vendor/github.com/jellydator/ttlcache/v3/cache.go
@@ -133,7 +133,7 @@ func (c *Cache[K, V]) set(key K, value V, ttl time.Duration) *Item[K, V] {
 		ttl = c.options.ttl
 	}
 
-	elem := c.get(key, false)
+	elem := c.get(key, false, true)
 	if elem != nil {
 		// update/overwrite an existing item
 		item := elem.Value.(*Item[K, V])
@@ -176,14 +176,14 @@ func (c *Cache[K, V]) set(key K, value V, ttl time.Duration) *Item[K, V] {
 // It returns nil if the item is not found or is expired.
 // Not safe for concurrent use by multiple goroutines without additional
 // locking.
-func (c *Cache[K, V]) get(key K, touch bool) *list.Element {
+func (c *Cache[K, V]) get(key K, touch bool, includeExpired bool) *list.Element {
 	elem := c.items.values[key]
 	if elem == nil {
 		return nil
 	}
 
 	item := elem.Value.(*Item[K, V])
-	if item.isExpiredUnsafe() {
+	if !includeExpired && item.isExpiredUnsafe() {
 		return nil
 	}
 
@@ -218,7 +218,7 @@ func (c *Cache[K, V]) getWithOpts(key K, lockAndLoad bool, opts ...Option[K, V])
 		c.items.mu.Lock()
 	}
 
-	elem := c.get(key, !getOpts.disableTouchOnHit)
+	elem := c.get(key, !getOpts.disableTouchOnHit, false)
 
 	if lockAndLoad {
 		c.items.mu.Unlock()
@@ -339,8 +339,8 @@ func (c *Cache[K, V]) Has(key K) bool {
 	c.items.mu.RLock()
 	defer c.items.mu.RUnlock()
 
-	_, ok := c.items.values[key]
-	return ok
+	elem, ok := c.items.values[key]
+	return ok && !elem.Value.(*Item[K, V]).isExpiredUnsafe()
 }
 
 // GetOrSet retrieves an item from the cache by the provided key.
@@ -436,26 +436,66 @@ func (c *Cache[K, V]) DeleteExpired() {
 // If the item is not found, the method is no-op.
 func (c *Cache[K, V]) Touch(key K) {
 	c.items.mu.Lock()
-	c.get(key, true)
+	c.get(key, true, false)
 	c.items.mu.Unlock()
 }
 
-// Len returns the total number of items in the cache.
+// Len returns the number of unexpired items in the cache.
 func (c *Cache[K, V]) Len() int {
 	c.items.mu.RLock()
 	defer c.items.mu.RUnlock()
 
-	return len(c.items.values)
+	total := c.items.expQueue.Len()
+	if total == 0 {
+		return 0
+	}
+
+	// search the heap-based expQueue by BFS
+	countExpired := func() int {
+		var (
+			q   []int
+			res int
+		)
+
+		item := c.items.expQueue[0].Value.(*Item[K, V])
+		if !item.isExpiredUnsafe() {
+			return res
+		}
+
+		q = append(q, 0)
+		for len(q) > 0 {
+			pop := q[0]
+			q = q[1:]
+			res++
+
+			for i := 1; i <= 2; i++ {
+				idx := 2*pop + i
+				if idx >= total {
+					break
+				}
+
+				item = c.items.expQueue[idx].Value.(*Item[K, V])
+				if item.isExpiredUnsafe() {
+					q = append(q, idx)
+				}
+			}
+		}
+		return res
+	}
+
+	return total - countExpired()
 }
 
-// Keys returns all keys currently present in the cache.
+// Keys returns all unexpired keys in the cache.
 func (c *Cache[K, V]) Keys() []K {
 	c.items.mu.RLock()
 	defer c.items.mu.RUnlock()
 
-	res := make([]K, 0, len(c.items.values))
-	for k := range c.items.values {
-		res = append(res, k)
+	res := make([]K, 0)
+	for k, elem := range c.items.values {
+		if !elem.Value.(*Item[K, V]).isExpiredUnsafe() {
+			res = append(res, k)
+		}
 	}
 
 	return res
@@ -467,18 +507,18 @@ func (c *Cache[K, V]) Items() map[K]*Item[K, V] {
 	c.items.mu.RLock()
 	defer c.items.mu.RUnlock()
 
-	items := make(map[K]*Item[K, V], len(c.items.values))
-	for k := range c.items.values {
-		item := c.get(k, false)
-		if item != nil {
-			items[k] = item.Value.(*Item[K, V])
+	items := make(map[K]*Item[K, V])
+	for k, elem := range c.items.values {
+		item := elem.Value.(*Item[K, V])
+		if item != nil && !item.isExpiredUnsafe() {
+			items[k] = item
 		}
 	}
 
 	return items
 }
 
-// Range calls fn for each item present in the cache. If fn returns false,
+// Range calls fn for each unexpired item in the cache. If fn returns false,
 // Range stops the iteration.
 func (c *Cache[K, V]) Range(fn func(item *Item[K, V]) bool) {
 	c.items.mu.RLock()
@@ -491,9 +531,10 @@ func (c *Cache[K, V]) Range(fn func(item *Item[K, V]) bool) {
 
 	for item := c.items.lru.Front(); item != c.items.lru.Back().Next(); item = item.Next() {
 		i := item.Value.(*Item[K, V])
+		expired := i.isExpiredUnsafe()
 		c.items.mu.RUnlock()
 
-		if !fn(i) {
+		if !expired && !fn(i) {
 			return
 		}
 
@@ -503,6 +544,32 @@ func (c *Cache[K, V]) Range(fn func(item *Item[K, V]) bool) {
 	}
 }
 
+// RangeBackwards calls fn for each unexpired item in the cache in reverse order.
+// If fn returns false, RangeBackwards stops the iteration.
+func (c *Cache[K, V]) RangeBackwards(fn func(item *Item[K, V]) bool) {
+	c.items.mu.RLock()
+
+	// Check if cache is empty
+	if c.items.lru.Len() == 0 {
+		c.items.mu.RUnlock()
+		return
+	}
+
+	for item := c.items.lru.Back(); item != c.items.lru.Front().Prev(); item = item.Prev() {
+		i := item.Value.(*Item[K, V])
+		expired := i.isExpiredUnsafe()
+		c.items.mu.RUnlock()
+
+		if !expired && !fn(i) {
+			return
+		}
+
+		if item.Prev() != nil {
+			c.items.mu.RLock()
+		}
+	}
+}
+
 // Metrics returns the metrics of the cache.
 func (c *Cache[K, V]) Metrics() Metrics {
 	c.metricsMu.RLock()
diff --git a/vendor/github.com/letsencrypt/boulder/core/challenges.go b/vendor/github.com/letsencrypt/boulder/core/challenges.go
index 1d7e2408d51..d5e7a87295e 100644
--- a/vendor/github.com/letsencrypt/boulder/core/challenges.go
+++ b/vendor/github.com/letsencrypt/boulder/core/challenges.go
@@ -10,27 +10,23 @@ func newChallenge(challengeType AcmeChallenge, token string) Challenge {
 	}
 }
 
-// HTTPChallenge01 constructs a random http-01 challenge. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// HTTPChallenge01 constructs a http-01 challenge.
 func HTTPChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeHTTP01, token)
 }
 
-// DNSChallenge01 constructs a random dns-01 challenge. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// DNSChallenge01 constructs a dns-01 challenge.
 func DNSChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeDNS01, token)
 }
 
-// TLSALPNChallenge01 constructs a random tls-alpn-01 challenge. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// TLSALPNChallenge01 constructs a tls-alpn-01 challenge.
 func TLSALPNChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeTLSALPN01, token)
 }
 
-// NewChallenge constructs a random challenge of the given kind. It returns an
-// error if the challenge type is unrecognized. If token is empty a random token
-// will be generated, otherwise the provided token is used.
+// NewChallenge constructs a challenge of the given kind. It returns an
+// error if the challenge type is unrecognized.
 func NewChallenge(kind AcmeChallenge, token string) (Challenge, error) {
 	switch kind {
 	case ChallengeTypeHTTP01:
diff --git a/vendor/github.com/letsencrypt/boulder/core/interfaces.go b/vendor/github.com/letsencrypt/boulder/core/interfaces.go
index 003329c3f55..59b55a3f4b8 100644
--- a/vendor/github.com/letsencrypt/boulder/core/interfaces.go
+++ b/vendor/github.com/letsencrypt/boulder/core/interfaces.go
@@ -7,7 +7,7 @@ import (
 // PolicyAuthority defines the public interface for the Boulder PA
 // TODO(#5891): Move this interface to a more appropriate location.
 type PolicyAuthority interface {
-	WillingToIssueWildcards([]identifier.ACMEIdentifier) error
+	WillingToIssue([]string) error
 	ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error)
 	ChallengeTypeEnabled(AcmeChallenge) bool
 	CheckAuthz(*Authorization) error
diff --git a/vendor/github.com/letsencrypt/boulder/core/objects.go b/vendor/github.com/letsencrypt/boulder/core/objects.go
index b52f0f5e0ab..c01f551abd8 100644
--- a/vendor/github.com/letsencrypt/boulder/core/objects.go
+++ b/vendor/github.com/letsencrypt/boulder/core/objects.go
@@ -10,8 +10,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/go-jose/go-jose/v4"
 	"golang.org/x/crypto/ocsp"
-	"gopkg.in/go-jose/go-jose.v2"
 
 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/probs"
@@ -119,7 +119,7 @@ type Registration struct {
 }
 
 // ValidationRecord represents a validation attempt against a specific URL/hostname
-// and the IP addresses that were resolved and used
+// and the IP addresses that were resolved and used.
 type ValidationRecord struct {
 	// SimpleHTTP only
 	URL string `json:"url,omitempty"`
@@ -144,20 +144,17 @@ type ValidationRecord struct {
 	//   ...
 	// }
 	AddressesTried []net.IP `json:"addressesTried,omitempty"`
-}
-
-func looksLikeKeyAuthorization(str string) error {
-	parts := strings.Split(str, ".")
-	if len(parts) != 2 {
-		return fmt.Errorf("Invalid key authorization: does not look like a key authorization")
-	} else if !LooksLikeAToken(parts[0]) {
-		return fmt.Errorf("Invalid key authorization: malformed token")
-	} else if !LooksLikeAToken(parts[1]) {
-		// Thumbprints have the same syntax as tokens in boulder
-		// Both are base64-encoded and 32 octets
-		return fmt.Errorf("Invalid key authorization: malformed key thumbprint")
-	}
-	return nil
+	// ResolverAddrs is the host:port of the DNS resolver(s) that fulfilled the
+	// lookup for AddressUsed. During recursive A and AAAA lookups, a record may
+	// instead look like A:host:port or AAAA:host:port
+	ResolverAddrs []string `json:"resolverAddrs,omitempty"`
+	// UsedRSAKEX is a *temporary* addition to the validation record, so we can
+	// see how many servers that we reach out to during HTTP-01 and TLS-ALPN-01
+	// validation are only willing to negotiate RSA key exchange mechanisms. The
+	// field is not included in the serialized json to avoid cluttering the
+	// database and log lines.
+	// TODO(#7321): Remove this when we have collected sufficient data.
+	UsedRSAKEX bool `json:"-"`
 }
 
 // Challenge is an aggregate of all data needed for any challenges.
@@ -166,38 +163,38 @@ func looksLikeKeyAuthorization(str string) error {
 // challenge, we just throw all the elements into one bucket,
 // together with the common metadata elements.
 type Challenge struct {
-	// The type of challenge
+	// Type is the type of challenge encoded in this object.
 	Type AcmeChallenge `json:"type"`
 
-	// The status of this challenge
-	Status AcmeStatus `json:"status,omitempty"`
+	// URL is the URL to which a response can be posted. Required for all types.
+	URL string `json:"url,omitempty"`
 
-	// Contains the error that occurred during challenge validation, if any
-	Error *probs.ProblemDetails `json:"error,omitempty"`
+	// Status is the status of this challenge. Required for all types.
+	Status AcmeStatus `json:"status,omitempty"`
 
-	// A URI to which a response can be POSTed
-	URI string `json:"uri,omitempty"`
+	// Validated is the time at which the server validated the challenge. Required
+	// if status is valid.
+	Validated *time.Time `json:"validated,omitempty"`
 
-	// For the V2 API the "URI" field is deprecated in favour of URL.
-	URL string `json:"url,omitempty"`
+	// Error contains the error that occurred during challenge validation, if any.
+	// If set, the Status must be "invalid".
+	Error *probs.ProblemDetails `json:"error,omitempty"`
 
-	// Used by http-01, tls-sni-01, tls-alpn-01 and dns-01 challenges
+	// Token is a random value that uniquely identifies the challenge. It is used
+	// by all current challenges (http-01, tls-alpn-01, and dns-01).
 	Token string `json:"token,omitempty"`
 
-	// The expected KeyAuthorization for validation of the challenge. Populated by
-	// the RA prior to passing the challenge to the VA. For legacy reasons this
-	// field is called "ProvidedKeyAuthorization" because it was initially set by
-	// the content of the challenge update POST from the client. It is no longer
-	// set that way and should be renamed to "KeyAuthorization".
-	// TODO(@cpu): Rename `ProvidedKeyAuthorization` to `KeyAuthorization`.
+	// ProvidedKeyAuthorization used to carry the expected key authorization from
+	// the RA to the VA. However, since this field is never presented to the user
+	// via the ACME API, it should not be on this type.
+	//
+	// Deprecated: use vapb.PerformValidationRequest.ExpectedKeyAuthorization instead.
+	// TODO(#7514): Remove this.
 	ProvidedKeyAuthorization string `json:"keyAuthorization,omitempty"`
 
 	// Contains information about URLs used or redirected to and IPs resolved and
 	// used
 	ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
-	// The time at which the server validated the challenge. Required by
-	// RFC8555 if status is valid.
-	Validated *time.Time `json:"validated,omitempty"`
 }
 
 // ExpectedKeyAuthorization computes the expected KeyAuthorization value for
@@ -225,6 +222,8 @@ func (ch Challenge) RecordsSane() bool {
 	switch ch.Type {
 	case ChallengeTypeHTTP01:
 		for _, rec := range ch.ValidationRecord {
+			// TODO(#7140): Add a check for ResolverAddress == "" only after the
+			// core.proto change has been deployed.
 			if rec.URL == "" || rec.Hostname == "" || rec.Port == "" || rec.AddressUsed == nil ||
 				len(rec.AddressesResolved) == 0 {
 				return false
@@ -237,6 +236,8 @@ func (ch Challenge) RecordsSane() bool {
 		if ch.ValidationRecord[0].URL != "" {
 			return false
 		}
+		// TODO(#7140): Add a check for ResolverAddress == "" only after the
+		// core.proto change has been deployed.
 		if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" ||
 			ch.ValidationRecord[0].AddressUsed == nil || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
 			return false
@@ -245,6 +246,8 @@ func (ch Challenge) RecordsSane() bool {
 		if len(ch.ValidationRecord) > 1 {
 			return false
 		}
+		// TODO(#7140): Add a check for ResolverAddress == "" only after the
+		// core.proto change has been deployed.
 		if ch.ValidationRecord[0].Hostname == "" {
 			return false
 		}
@@ -256,43 +259,18 @@ func (ch Challenge) RecordsSane() bool {
 	return true
 }
 
-// CheckConsistencyForClientOffer checks the fields of a challenge object before it is
-// given to the client.
-func (ch Challenge) CheckConsistencyForClientOffer() error {
-	err := ch.checkConsistency()
-	if err != nil {
-		return err
-	}
-
-	// Before completion, the key authorization field should be empty
-	if ch.ProvidedKeyAuthorization != "" {
-		return fmt.Errorf("A response to this challenge was already submitted.")
-	}
-	return nil
-}
-
-// CheckConsistencyForValidation checks the fields of a challenge object before it is
-// given to the VA.
-func (ch Challenge) CheckConsistencyForValidation() error {
-	err := ch.checkConsistency()
-	if err != nil {
-		return err
-	}
-
-	// If the challenge is completed, then there should be a key authorization
-	return looksLikeKeyAuthorization(ch.ProvidedKeyAuthorization)
-}
-
-// checkConsistency checks the sanity of a challenge object before issued to the client.
-func (ch Challenge) checkConsistency() error {
+// CheckPending ensures that a challenge object is pending and has a token.
+// This is used before offering the challenge to the client, and before actually
+// validating a challenge.
+func (ch Challenge) CheckPending() error {
 	if ch.Status != StatusPending {
-		return fmt.Errorf("The challenge is not pending.")
+		return fmt.Errorf("challenge is not pending")
 	}
 
-	// There always needs to be a token
-	if !LooksLikeAToken(ch.Token) {
-		return fmt.Errorf("The token is missing.")
+	if !looksLikeAToken(ch.Token) {
+		return fmt.Errorf("token is missing or malformed")
 	}
+
 	return nil
 }
 
@@ -483,6 +461,12 @@ type SuggestedWindow struct {
 	End   time.Time `json:"end"`
 }
 
+// IsWithin returns true if the given time is within the suggested window,
+// inclusive of the start time and exclusive of the end time.
+func (window SuggestedWindow) IsWithin(now time.Time) bool {
+	return !now.Before(window.Start) && now.Before(window.End)
+}
+
 // RenewalInfo is a type which is exposed to clients which query the renewalInfo
 // endpoint specified in draft-aaron-ari.
 type RenewalInfo struct {
diff --git a/vendor/github.com/letsencrypt/boulder/core/util.go b/vendor/github.com/letsencrypt/boulder/core/util.go
index d7fe0266895..641521f1699 100644
--- a/vendor/github.com/letsencrypt/boulder/core/util.go
+++ b/vendor/github.com/letsencrypt/boulder/core/util.go
@@ -25,7 +25,9 @@ import (
 	"time"
 	"unicode"
 
-	"gopkg.in/go-jose/go-jose.v2"
+	"github.com/go-jose/go-jose/v4"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 const Unspecified = "Unspecified"
@@ -74,9 +76,9 @@ func NewToken() string {
 
 var tokenFormat = regexp.MustCompile(`^[\w-]{43}$`)
 
-// LooksLikeAToken checks whether a string represents a 32-octet value in
+// looksLikeAToken checks whether a string represents a 32-octet value in
 // the URL-safe base64 alphabet.
-func LooksLikeAToken(token string) bool {
+func looksLikeAToken(token string) bool {
 	return tokenFormat.MatchString(token)
 }
 
@@ -92,8 +94,7 @@ func Fingerprint256(data []byte) string {
 
 type Sha256Digest [sha256.Size]byte
 
-// KeyDigest produces a Base64-encoded SHA256 digest of a
-// provided public key.
+// KeyDigest produces the SHA256 digest of a provided public key.
 func KeyDigest(key crypto.PublicKey) (Sha256Digest, error) {
 	switch t := key.(type) {
 	case *jose.JSONWebKey:
@@ -212,10 +213,83 @@ func IsAnyNilOrZero(vals ...interface{}) bool {
 		switch v := val.(type) {
 		case nil:
 			return true
+		case bool:
+			if !v {
+				return true
+			}
+		case string:
+			if v == "" {
+				return true
+			}
+		case []string:
+			if len(v) == 0 {
+				return true
+			}
+		case byte:
+			// Byte is an alias for uint8 and will cover that case.
+			if v == 0 {
+				return true
+			}
 		case []byte:
 			if len(v) == 0 {
 				return true
 			}
+		case int:
+			if v == 0 {
+				return true
+			}
+		case int8:
+			if v == 0 {
+				return true
+			}
+		case int16:
+			if v == 0 {
+				return true
+			}
+		case int32:
+			if v == 0 {
+				return true
+			}
+		case int64:
+			if v == 0 {
+				return true
+			}
+		case uint:
+			if v == 0 {
+				return true
+			}
+		case uint16:
+			if v == 0 {
+				return true
+			}
+		case uint32:
+			if v == 0 {
+				return true
+			}
+		case uint64:
+			if v == 0 {
+				return true
+			}
+		case float32:
+			if v == 0 {
+				return true
+			}
+		case float64:
+			if v == 0 {
+				return true
+			}
+		case time.Time:
+			if v.IsZero() {
+				return true
+			}
+		case *timestamppb.Timestamp:
+			if v == nil || v.AsTime().IsZero() {
+				return true
+			}
+		case *durationpb.Duration:
+			if v == nil || v.AsDuration() == time.Duration(0) {
+				return true
+			}
 		default:
 			if reflect.ValueOf(v).IsZero() {
 				return true
diff --git a/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go b/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go
index 087a0181232..04a075d35bb 100644
--- a/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go
+++ b/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go
@@ -39,6 +39,9 @@ var (
 )
 
 type Config struct {
+	// AllowedKeys enables or disables specific key algorithms and sizes. If
+	// nil, defaults to just those keys allowed by the Let's Encrypt CPS.
+	AllowedKeys *AllowedKeys
 	// WeakKeyFile is the path to a JSON file containing truncated modulus hashes
 	// of known weak RSA keys. If this config value is empty, then RSA modulus
 	// hash checking will be disabled.
@@ -54,6 +57,40 @@ type Config struct {
 	FermatRounds int
 }
 
+// AllowedKeys is a map of six specific key algorithm and size combinations to
+// booleans indicating whether keys of that type are considered good.
+type AllowedKeys struct {
+	// Baseline Requirements, Section 6.1.5 requires key size >= 2048 and a multiple
+	// of 8 bits: https://github.com/cabforum/servercert/blob/main/docs/BR.md#615-key-sizes
+	// Baseline Requirements, Section 6.1.1.3 requires that we reject any keys which
+	// have a known method to easily compute their private key, such as Debian Weak
+	// Keys. Our enforcement mechanism relies on enumerating all Debian Weak Keys at
+	// common key sizes, so we restrict all issuance to those common key sizes.
+	RSA2048 bool
+	RSA3072 bool
+	RSA4096 bool
+	// Baseline Requirements, Section 6.1.5 requires that ECDSA keys be valid
+	// points on the NIST P-256, P-384, or P-521 elliptic curves.
+	ECDSAP256 bool
+	ECDSAP384 bool
+	ECDSAP521 bool
+}
+
+// LetsEncryptCPS encodes the five key algorithms and sizes allowed by the Let's
+// Encrypt CPS CV-SSL Subscriber Certificate Profile: RSA 2048, RSA 3076, RSA
+// 4096, ECDSA 256 and ECDSA P384.
+// https://github.com/letsencrypt/cp-cps/blob/main/CP-CPS.md#dv-ssl-subscriber-certificate
+// If this is ever changed, the CP/CPS MUST be changed first.
+func LetsEncryptCPS() AllowedKeys {
+	return AllowedKeys{
+		RSA2048:   true,
+		RSA3072:   true,
+		RSA4096:   true,
+		ECDSAP256: true,
+		ECDSAP384: true,
+	}
+}
+
 // ErrBadKey represents an error with a key. It is distinct from the various
 // ways in which an ACME request can have an erroneous key (BadPublicKeyError,
 // BadCSRError) because this library is used to check both JWS signing keys and
@@ -74,28 +111,29 @@ type BlockedKeyCheckFunc func(ctx context.Context, keyHash []byte) (bool, error)
 // KeyPolicy determines which types of key may be used with various boulder
 // operations.
 type KeyPolicy struct {
-	AllowRSA           bool // Whether RSA keys should be allowed.
-	AllowECDSANISTP256 bool // Whether ECDSA NISTP256 keys should be allowed.
-	AllowECDSANISTP384 bool // Whether ECDSA NISTP384 keys should be allowed.
-	weakRSAList        *WeakRSAKeys
-	blockedList        *blockedKeys
-	fermatRounds       int
-	blockedCheck       BlockedKeyCheckFunc
+	allowedKeys  AllowedKeys
+	weakRSAList  *WeakRSAKeys
+	blockedList  *blockedKeys
+	fermatRounds int
+	blockedCheck BlockedKeyCheckFunc
 }
 
-// NewKeyPolicy returns a KeyPolicy that allows RSA, ECDSA256 and ECDSA384.
-// weakKeyFile contains the path to a JSON file containing truncated modulus
-// hashes of known weak RSA keys. If this argument is empty RSA modulus hash
-// checking will be disabled. blockedKeyFile contains the path to a YAML file
-// containing Base64 encoded SHA256 hashes of pkix subject public keys that
-// should be blocked. If this argument is empty then no blocked key checking is
-// performed.
-func NewKeyPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error) {
+// NewPolicy returns a key policy based on the given configuration, with sane
+// defaults. If the config's AllowedKeys is nil, the LetsEncryptCPS AllowedKeys
+// is used. If the config's WeakKeyFile or BlockedKeyFile paths are empty, those
+// checks are disabled. If the config's FermatRounds is 0, Fermat Factorization
+// is disabled.
+func NewPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error) {
+	if config == nil {
+		config = &Config{}
+	}
 	kp := KeyPolicy{
-		AllowRSA:           true,
-		AllowECDSANISTP256: true,
-		AllowECDSANISTP384: true,
-		blockedCheck:       bkc,
+		blockedCheck: bkc,
+	}
+	if config.AllowedKeys == nil {
+		kp.allowedKeys = LetsEncryptCPS()
+	} else {
+		kp.allowedKeys = *config.AllowedKeys
 	}
 	if config.WeakKeyFile != "" {
 		keyList, err := LoadWeakRSASuffixes(config.WeakKeyFile)
@@ -264,44 +302,30 @@ func (policy *KeyPolicy) goodCurve(c elliptic.Curve) (err error) {
 	// Simply use a whitelist for now.
 	params := c.Params()
 	switch {
-	case policy.AllowECDSANISTP256 && params == elliptic.P256().Params():
+	case policy.allowedKeys.ECDSAP256 && params == elliptic.P256().Params():
+		return nil
+	case policy.allowedKeys.ECDSAP384 && params == elliptic.P384().Params():
 		return nil
-	case policy.AllowECDSANISTP384 && params == elliptic.P384().Params():
+	case policy.allowedKeys.ECDSAP521 && params == elliptic.P521().Params():
 		return nil
 	default:
 		return badKey("ECDSA curve %v not allowed", params.Name)
 	}
 }
 
-// Baseline Requirements, Section 6.1.5 requires key size >= 2048 and a multiple
-// of 8 bits: https://github.com/cabforum/servercert/blob/main/docs/BR.md#615-key-sizes
-// Baseline Requirements, Section 6.1.1.3 requires that we reject any keys which
-// have a known method to easily compute their private key, such as Debian Weak
-// Keys. Our enforcement mechanism relies on enumerating all Debian Weak Keys at
-// common key sizes, so we restrict all issuance to those common key sizes.
-var acceptableRSAKeySizes = map[int]bool{
-	2048: true,
-	3072: true,
-	4096: true,
-}
-
 // GoodKeyRSA determines if a RSA pubkey meets our requirements
-func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) (err error) {
-	if !policy.AllowRSA {
-		return badKey("RSA keys are not allowed")
+func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) error {
+	modulus := key.N
+
+	err := policy.goodRSABitLen(key)
+	if err != nil {
+		return err
 	}
+
 	if policy.weakRSAList != nil && policy.weakRSAList.Known(key) {
 		return badKey("key is on a known weak RSA key list")
 	}
 
-	modulus := key.N
-
-	// See comment on acceptableRSAKeySizes above.
-	modulusBitLen := modulus.BitLen()
-	if !acceptableRSAKeySizes[modulusBitLen] {
-		return badKey("key size not supported: %d", modulusBitLen)
-	}
-
 	// Rather than support arbitrary exponents, which significantly increases
 	// the size of the key space we allow, we restrict E to the defacto standard
 	// RSA exponent 65537. There is no specific standards document that specifies
@@ -341,6 +365,21 @@ func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) (err error) {
 	return nil
 }
 
+func (policy *KeyPolicy) goodRSABitLen(key *rsa.PublicKey) error {
+	// See comment on AllowedKeys above.
+	modulusBitLen := key.N.BitLen()
+	switch {
+	case modulusBitLen == 2048 && policy.allowedKeys.RSA2048:
+		return nil
+	case modulusBitLen == 3072 && policy.allowedKeys.RSA3072:
+		return nil
+	case modulusBitLen == 4096 && policy.allowedKeys.RSA4096:
+		return nil
+	default:
+		return badKey("key size not supported: %d", modulusBitLen)
+	}
+}
+
 // Returns true iff integer i is divisible by any of the primes in smallPrimes.
 //
 // Short circuits; execution time is dependent on i. Do not use this on secret
@@ -400,7 +439,7 @@ func checkPrimeFactorsTooClose(n *big.Int, rounds int) error {
 	b2 := new(big.Int)
 	b2.Mul(a, a).Sub(b2, n)
 
-	for i := 0; i < rounds; i++ {
+	for range rounds {
 		// To see if b2 is a perfect square, we take its square root, square that,
 		// and check to see if we got the same result back.
 		bb.Sqrt(b2).Mul(bb, bb)
diff --git a/vendor/github.com/letsencrypt/boulder/probs/probs.go b/vendor/github.com/letsencrypt/boulder/probs/probs.go
index 2cc766237dc..ec6c272ae52 100644
--- a/vendor/github.com/letsencrypt/boulder/probs/probs.go
+++ b/vendor/github.com/letsencrypt/boulder/probs/probs.go
@@ -20,6 +20,8 @@ const (
 	BadRevocationReasonProblem   = ProblemType("badRevocationReason")
 	BadSignatureAlgorithmProblem = ProblemType("badSignatureAlgorithm")
 	CAAProblem                   = ProblemType("caa")
+	// ConflictProblem is a problem type that is not defined in RFC8555.
+	ConflictProblem              = ProblemType("conflict")
 	ConnectionProblem            = ProblemType("connection")
 	DNSProblem                   = ProblemType("dns")
 	InvalidContactProblem        = ProblemType("invalidContact")
@@ -290,11 +292,11 @@ func Canceled(detail string, a ...any) *ProblemDetails {
 	}
 }
 
-// Conflict returns a ProblemDetails with a MalformedProblem and a 409 Conflict
+// Conflict returns a ProblemDetails with a ConflictProblem and a 409 Conflict
 // status code.
 func Conflict(detail string) *ProblemDetails {
 	return &ProblemDetails{
-		Type:       MalformedProblem,
+		Type:       ConflictProblem,
 		Detail:     detail,
 		HTTPStatus: http.StatusConflict,
 	}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go
index 06282ce79c6..a199b36b4fa 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go
@@ -1,20 +1,11 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
 import (
+	"google.golang.org/grpc/stats"
+
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
@@ -31,18 +22,26 @@ const (
 	GRPCStatusCodeKey = attribute.Key("rpc.grpc.status_code")
 )
 
-// Filter is a predicate used to determine whether a given request in
-// interceptor info should be traced. A Filter must return true if
+// InterceptorFilter is a predicate used to determine whether a given request in
+// interceptor info should be instrumented. A InterceptorFilter must return true if
 // the request should be traced.
-type Filter func(*InterceptorInfo) bool
+//
+// Deprecated: Use stats handlers instead.
+type InterceptorFilter func(*InterceptorInfo) bool
+
+// Filter is a predicate used to determine whether a given request in
+// should be instrumented by the attatched RPC tag info.
+// A Filter must return true if the request should be instrumented.
+type Filter func(*stats.RPCTagInfo) bool
 
 // config is a group of options for this instrumentation.
 type config struct {
-	Filter           Filter
-	Propagators      propagation.TextMapPropagator
-	TracerProvider   trace.TracerProvider
-	MeterProvider    metric.MeterProvider
-	SpanStartOptions []trace.SpanStartOption
+	Filter            Filter
+	InterceptorFilter InterceptorFilter
+	Propagators       propagation.TextMapPropagator
+	TracerProvider    trace.TracerProvider
+	MeterProvider     metric.MeterProvider
+	SpanStartOptions  []trace.SpanStartOption
 
 	ReceivedEvent bool
 	SentEvent     bool
@@ -163,15 +162,30 @@ func (o tracerProviderOption) apply(c *config) {
 // WithInterceptorFilter returns an Option to use the request filter.
 //
 // Deprecated: Use stats handlers instead.
-func WithInterceptorFilter(f Filter) Option {
+func WithInterceptorFilter(f InterceptorFilter) Option {
 	return interceptorFilterOption{f: f}
 }
 
 type interceptorFilterOption struct {
-	f Filter
+	f InterceptorFilter
 }
 
 func (o interceptorFilterOption) apply(c *config) {
+	if o.f != nil {
+		c.InterceptorFilter = o.f
+	}
+}
+
+// WithFilter returns an Option to use the request filter.
+func WithFilter(f Filter) Option {
+	return filterOption{f: f}
+}
+
+type filterOption struct {
+	f Filter
+}
+
+func (o filterOption) apply(c *config) {
 	if o.f != nil {
 		c.Filter = o.f
 	}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/doc.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/doc.go
index 958dcd87a4c..b8b836b00fb 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/doc.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/doc.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 /*
 Package otelgrpc is the instrumentation library for [google.golang.org/grpc].
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
index 3b487a93623..7f19058e4c4 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
@@ -59,7 +48,7 @@ var (
 )
 
 // UnaryClientInterceptor returns a grpc.UnaryClientInterceptor suitable
-// for use in a grpc.Dial call.
+// for use in a grpc.NewClient call.
 //
 // Deprecated: Use [NewClientHandler] instead.
 func UnaryClientInterceptor(opts ...Option) grpc.UnaryClientInterceptor {
@@ -81,7 +70,7 @@ func UnaryClientInterceptor(opts ...Option) grpc.UnaryClientInterceptor {
 			Method: method,
 			Type:   UnaryClient,
 		}
-		if cfg.Filter != nil && !cfg.Filter(i) {
+		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
 			return invoker(ctx, method, req, reply, cc, callOpts...)
 		}
 
@@ -196,7 +185,7 @@ func (w *clientStream) CloseSend() error {
 	return err
 }
 
-func wrapClientStream(ctx context.Context, s grpc.ClientStream, desc *grpc.StreamDesc, span trace.Span, cfg *config) *clientStream {
+func wrapClientStream(s grpc.ClientStream, desc *grpc.StreamDesc, span trace.Span, cfg *config) *clientStream {
 	return &clientStream{
 		ClientStream:  s,
 		span:          span,
@@ -219,7 +208,7 @@ func (w *clientStream) endSpan(err error) {
 }
 
 // StreamClientInterceptor returns a grpc.StreamClientInterceptor suitable
-// for use in a grpc.Dial call.
+// for use in a grpc.NewClient call.
 //
 // Deprecated: Use [NewClientHandler] instead.
 func StreamClientInterceptor(opts ...Option) grpc.StreamClientInterceptor {
@@ -241,7 +230,7 @@ func StreamClientInterceptor(opts ...Option) grpc.StreamClientInterceptor {
 			Method: method,
 			Type:   StreamClient,
 		}
-		if cfg.Filter != nil && !cfg.Filter(i) {
+		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
 			return streamer(ctx, desc, cc, method, callOpts...)
 		}
 
@@ -270,7 +259,7 @@ func StreamClientInterceptor(opts ...Option) grpc.StreamClientInterceptor {
 			span.End()
 			return s, err
 		}
-		stream := wrapClientStream(ctx, s, desc, span, cfg)
+		stream := wrapClientStream(s, desc, span, cfg)
 		return stream, nil
 	}
 }
@@ -296,7 +285,7 @@ func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
 			UnaryServerInfo: info,
 			Type:            UnaryServer,
 		}
-		if cfg.Filter != nil && !cfg.Filter(i) {
+		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
 			return handler(ctx, req)
 		}
 
@@ -422,7 +411,7 @@ func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
 			StreamServerInfo: info,
 			Type:             StreamServer,
 		}
-		if cfg.Filter != nil && !cfg.Filter(i) {
+		if cfg.InterceptorFilter != nil && !cfg.InterceptorFilter(i) {
 			return handler(srv, wrapServerStream(ctx, ss, cfg))
 		}
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptorinfo.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptorinfo.go
index f6116946bfd..b62f7cd7c46 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptorinfo.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptorinfo.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go
index cf32a9e978c..bef07b7a3ca 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal/parse.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package internal // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go
index f585fb6ae0c..3aa37915df2 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/semconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/semconv.go
index b65fab308f3..409c621b74c 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/semconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/semconv.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go
index 73d2b8b6b27..fad58733fec 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
@@ -38,6 +27,7 @@ type gRPCContext struct {
 	messagesReceived int64
 	messagesSent     int64
 	metricAttrs      []attribute.KeyValue
+	record           bool
 }
 
 type serverHandler struct {
@@ -77,6 +67,10 @@ func (h *serverHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) cont
 
 	gctx := gRPCContext{
 		metricAttrs: attrs,
+		record:      true,
+	}
+	if h.config.Filter != nil {
+		gctx.record = h.config.Filter(info)
 	}
 	return context.WithValue(ctx, gRPCContextKey{}, &gctx)
 }
@@ -113,6 +107,10 @@ func (h *clientHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) cont
 
 	gctx := gRPCContext{
 		metricAttrs: attrs,
+		record:      true,
+	}
+	if h.config.Filter != nil {
+		gctx.record = h.config.Filter(info)
 	}
 
 	return inject(context.WithValue(ctx, gRPCContextKey{}, &gctx), h.config.Propagators)
@@ -141,6 +139,9 @@ func (c *config) handleRPC(ctx context.Context, rs stats.RPCStats, isServer bool
 
 	gctx, _ := ctx.Value(gRPCContextKey{}).(*gRPCContext)
 	if gctx != nil {
+		if !gctx.record {
+			return
+		}
 		metricAttrs = make([]attribute.KeyValue, 0, len(gctx.metricAttrs)+1)
 		metricAttrs = append(metricAttrs, gctx.metricAttrs...)
 	}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go
index d633c4bef0c..3f9cfda5413 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go
@@ -1,22 +1,11 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelgrpc // import "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
 // Version is the current release version of the gRPC instrumentation.
 func Version() string {
-	return "0.49.0"
+	return "0.52.0"
 	// This string is updated by the pre_release.sh script during release
 }
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/client.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/client.go
index 92b8cf73c97..deea149645c 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/client.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/client.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/common.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/common.go
index cabf645a5b5..214acaf581e 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/common.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/common.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
index a1b5b5e5aa8..c1015a9eccf 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/doc.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/doc.go
index 38c7f01c71a..56b24b982ae 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/doc.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/doc.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 // Package otelhttp provides an http.Handler and functions that are intended
 // to be used to add tracing by wrapping existing handlers (with Handler) and
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
index 1fc15019e65..c64f8beca71 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
@@ -1,32 +1,19 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
 import (
-	"io"
 	"net/http"
 	"time"
 
 	"github.com/felixge/httpsnoop"
 
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
 	"go.opentelemetry.io/otel"
-	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
 	"go.opentelemetry.io/otel/propagation"
-	semconv "go.opentelemetry.io/otel/semconv/v1.20.0"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -46,6 +33,7 @@ type middleware struct {
 	publicEndpoint    bool
 	publicEndpointFn  func(*http.Request) bool
 
+	traceSemconv         semconv.HTTPServer
 	requestBytesCounter  metric.Int64Counter
 	responseBytesCounter metric.Int64Counter
 	serverLatencyMeasure metric.Float64Histogram
@@ -67,6 +55,8 @@ func NewHandler(handler http.Handler, operation string, opts ...Option) http.Han
 func NewMiddleware(operation string, opts ...Option) func(http.Handler) http.Handler {
 	h := middleware{
 		operation: operation,
+
+		traceSemconv: semconv.NewHTTPServer(),
 	}
 
 	defaultOpts := []Option{
@@ -143,12 +133,9 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 
 	ctx := h.propagators.Extract(r.Context(), propagation.HeaderCarrier(r.Header))
 	opts := []trace.SpanStartOption{
-		trace.WithAttributes(semconvutil.HTTPServerRequest(h.server, r)...),
-	}
-	if h.server != "" {
-		hostAttr := semconv.NetHostName(h.server)
-		opts = append(opts, trace.WithAttributes(hostAttr))
+		trace.WithAttributes(h.traceSemconv.RequestTraceAttrs(h.server, r)...),
 	}
+
 	opts = append(opts, h.spanStartOptions...)
 	if h.publicEndpoint || (h.publicEndpointFn != nil && h.publicEndpointFn(r.WithContext(ctx))) {
 		opts = append(opts, trace.WithNewRoot())
@@ -224,7 +211,14 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 
 	next.ServeHTTP(w, r.WithContext(ctx))
 
-	setAfterServeAttributes(span, bw.read.Load(), rww.written, rww.statusCode, bw.err, rww.err)
+	span.SetStatus(semconv.ServerStatus(rww.statusCode))
+	span.SetAttributes(h.traceSemconv.ResponseTraceAttrs(semconv.ResponseTelemetry{
+		StatusCode: rww.statusCode,
+		ReadBytes:  bw.read.Load(),
+		ReadError:  bw.err,
+		WriteBytes: rww.written,
+		WriteError: rww.err,
+	})...)
 
 	// Add metrics
 	attributes := append(labeler.Get(), semconvutil.HTTPServerRequestMetrics(h.server, r)...)
@@ -241,37 +235,11 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 	h.serverLatencyMeasure.Record(ctx, elapsedTime, o)
 }
 
-func setAfterServeAttributes(span trace.Span, read, wrote int64, statusCode int, rerr, werr error) {
-	attributes := []attribute.KeyValue{}
-
-	// TODO: Consider adding an event after each read and write, possibly as an
-	// option (defaulting to off), so as to not create needlessly verbose spans.
-	if read > 0 {
-		attributes = append(attributes, ReadBytesKey.Int64(read))
-	}
-	if rerr != nil && rerr != io.EOF {
-		attributes = append(attributes, ReadErrorKey.String(rerr.Error()))
-	}
-	if wrote > 0 {
-		attributes = append(attributes, WroteBytesKey.Int64(wrote))
-	}
-	if statusCode > 0 {
-		attributes = append(attributes, semconv.HTTPStatusCode(statusCode))
-	}
-	span.SetStatus(semconvutil.HTTPServerStatus(statusCode))
-
-	if werr != nil && werr != io.EOF {
-		attributes = append(attributes, WriteErrorKey.String(werr.Error()))
-	}
-	span.SetAttributes(attributes...)
-}
-
 // WithRouteTag annotates spans and metrics with the provided route name
 // with HTTP route attribute.
 func WithRouteTag(route string, h http.Handler) http.Handler {
+	attr := semconv.NewHTTPServer().Route(route)
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		attr := semconv.HTTPRouteKey.String(route)
-
 		span := trace.SpanFromContext(r.Context())
 		span.SetAttributes(attr)
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
new file mode 100644
index 00000000000..9be3feef29e
--- /dev/null
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
@@ -0,0 +1,69 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package semconv // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
+
+import (
+	"fmt"
+	"net/http"
+
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/codes"
+)
+
+type ResponseTelemetry struct {
+	StatusCode int
+	ReadBytes  int64
+	ReadError  error
+	WriteBytes int64
+	WriteError error
+}
+
+type HTTPServer interface {
+	// RequestTraceAttrs returns trace attributes for an HTTP request received by a
+	// server.
+	//
+	// The server must be the primary server name if it is known. For example this
+	// would be the ServerName directive
+	// (https://httpd.apache.org/docs/2.4/mod/core.html#servername) for an Apache
+	// server, and the server_name directive
+	// (http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name) for an
+	// nginx server. More generically, the primary server name would be the host
+	// header value that matches the default virtual host of an HTTP server. It
+	// should include the host identifier and if a port is used to route to the
+	// server that port identifier should be included as an appropriate port
+	// suffix.
+	//
+	// If the primary server name is not known, server should be an empty string.
+	// The req Host will be used to determine the server instead.
+	RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue
+
+	// ResponseTraceAttrs returns trace attributes for telemetry from an HTTP response.
+	//
+	// If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
+	ResponseTraceAttrs(ResponseTelemetry) []attribute.KeyValue
+
+	// Route returns the attribute for the route.
+	Route(string) attribute.KeyValue
+}
+
+// var warnOnce = sync.Once{}
+
+func NewHTTPServer() HTTPServer {
+	// TODO (#5331): Detect version based on environment variable OTEL_HTTP_CLIENT_COMPATIBILITY_MODE.
+	// TODO (#5331): Add warning of use of a deprecated version of Semantic Versions.
+	return oldHTTPServer{}
+}
+
+// ServerStatus returns a span status code and message for an HTTP status code
+// value returned by a server. Status codes in the 400-499 range are not
+// returned as errors.
+func ServerStatus(code int) (codes.Code, string) {
+	if code < 100 || code >= 600 {
+		return codes.Error, fmt.Sprintf("Invalid HTTP status code %d", code)
+	}
+	if code >= 500 {
+		return codes.Error, ""
+	}
+	return codes.Unset, ""
+}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
new file mode 100644
index 00000000000..c92076bc3d9
--- /dev/null
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
@@ -0,0 +1,49 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package semconv // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
+
+import (
+	"net"
+	"strconv"
+	"strings"
+)
+
+// splitHostPort splits a network address hostport of the form "host",
+// "host%zone", "[host]", "[host%zone], "host:port", "host%zone:port",
+// "[host]:port", "[host%zone]:port", or ":port" into host or host%zone and
+// port.
+//
+// An empty host is returned if it is not provided or unparsable. A negative
+// port is returned if it is not provided or unparsable.
+func splitHostPort(hostport string) (host string, port int) {
+	port = -1
+
+	if strings.HasPrefix(hostport, "[") {
+		addrEnd := strings.LastIndex(hostport, "]")
+		if addrEnd < 0 {
+			// Invalid hostport.
+			return
+		}
+		if i := strings.LastIndex(hostport[addrEnd:], ":"); i < 0 {
+			host = hostport[1:addrEnd]
+			return
+		}
+	} else {
+		if i := strings.LastIndex(hostport, ":"); i < 0 {
+			host = hostport
+			return
+		}
+	}
+
+	host, pStr, err := net.SplitHostPort(hostport)
+	if err != nil {
+		return
+	}
+
+	p, err := strconv.ParseUint(pStr, 10, 16)
+	if err != nil {
+		return
+	}
+	return host, int(p)
+}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
new file mode 100644
index 00000000000..d753083b7b4
--- /dev/null
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
@@ -0,0 +1,75 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package semconv // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
+
+import (
+	"io"
+	"net/http"
+
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
+	"go.opentelemetry.io/otel/attribute"
+	semconv "go.opentelemetry.io/otel/semconv/v1.20.0"
+)
+
+type oldHTTPServer struct{}
+
+var _ HTTPServer = oldHTTPServer{}
+
+// RequestTraceAttrs returns trace attributes for an HTTP request received by a
+// server.
+//
+// The server must be the primary server name if it is known. For example this
+// would be the ServerName directive
+// (https://httpd.apache.org/docs/2.4/mod/core.html#servername) for an Apache
+// server, and the server_name directive
+// (http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name) for an
+// nginx server. More generically, the primary server name would be the host
+// header value that matches the default virtual host of an HTTP server. It
+// should include the host identifier and if a port is used to route to the
+// server that port identifier should be included as an appropriate port
+// suffix.
+//
+// If the primary server name is not known, server should be an empty string.
+// The req Host will be used to determine the server instead.
+func (o oldHTTPServer) RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue {
+	return semconvutil.HTTPServerRequest(server, req)
+}
+
+// ResponseTraceAttrs returns trace attributes for telemetry from an HTTP response.
+//
+// If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
+func (o oldHTTPServer) ResponseTraceAttrs(resp ResponseTelemetry) []attribute.KeyValue {
+	attributes := []attribute.KeyValue{}
+
+	if resp.ReadBytes > 0 {
+		attributes = append(attributes, semconv.HTTPRequestContentLength(int(resp.ReadBytes)))
+	}
+	if resp.ReadError != nil && resp.ReadError != io.EOF {
+		// This is not in the semantic conventions, but is historically provided
+		attributes = append(attributes, attribute.String("http.read_error", resp.ReadError.Error()))
+	}
+	if resp.WriteBytes > 0 {
+		attributes = append(attributes, semconv.HTTPResponseContentLength(int(resp.WriteBytes)))
+	}
+	if resp.StatusCode > 0 {
+		attributes = append(attributes, semconv.HTTPStatusCode(resp.StatusCode))
+	}
+	if resp.WriteError != nil && resp.WriteError != io.EOF {
+		// This is not in the semantic conventions, but is historically provided
+		attributes = append(attributes, attribute.String("http.write_error", resp.WriteError.Error()))
+	}
+
+	return attributes
+}
+
+// Route returns the attribute for the route.
+func (o oldHTTPServer) Route(route string) attribute.KeyValue {
+	return semconv.HTTPRoute(route)
+}
+
+// HTTPStatusCode returns the attribute for the HTTP status code.
+// This is a temporary function needed by metrics.  This will be removed when MetricsRequest is added.
+func HTTPStatusCode(status int) attribute.KeyValue {
+	return semconv.HTTPStatusCode(status)
+}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/gen.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/gen.go
index edf4ce3d315..7aa5f99e815 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/gen.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/gen.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package semconvutil // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
index 0efd5261f62..a73bb06e90e 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
@@ -2,18 +2,7 @@
 // source: internal/shared/semconvutil/httpconv.go.tmpl
 
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package semconvutil // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
index d3a06e0cada..d5c0093fc47 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
@@ -2,17 +2,7 @@
 // source: internal/shared/semconvutil/netconv.go.tmpl
 
 // Copyright The OpenTelemetry Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package semconvutil // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
index 26a51a18050..1548b2db636 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
index 43e937a67a6..8a25e586574 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
index 35254e888fb..22e485dd7d3 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
@@ -1,22 +1,11 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
 // Version is the current release version of the otelhttp instrumentation.
 func Version() string {
-	return "0.49.0"
+	return "0.52.0"
 	// This string is updated by the pre_release.sh script during release
 }
 
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/wrap.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/wrap.go
index 2852ec97171..2f4cc124dc6 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/wrap.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/wrap.go
@@ -1,16 +1,5 @@
 // Copyright The OpenTelemetry Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
diff --git a/vendor/golang.org/x/exp/slices/cmp.go b/vendor/golang.org/x/exp/slices/cmp.go
new file mode 100644
index 00000000000..fbf1934a061
--- /dev/null
+++ b/vendor/golang.org/x/exp/slices/cmp.go
@@ -0,0 +1,44 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package slices
+
+import "golang.org/x/exp/constraints"
+
+// min is a version of the predeclared function from the Go 1.21 release.
+func min[T constraints.Ordered](a, b T) T {
+	if a < b || isNaN(a) {
+		return a
+	}
+	return b
+}
+
+// max is a version of the predeclared function from the Go 1.21 release.
+func max[T constraints.Ordered](a, b T) T {
+	if a > b || isNaN(a) {
+		return a
+	}
+	return b
+}
+
+// cmpLess is a copy of cmp.Less from the Go 1.21 release.
+func cmpLess[T constraints.Ordered](x, y T) bool {
+	return (isNaN(x) && !isNaN(y)) || x < y
+}
+
+// cmpCompare is a copy of cmp.Compare from the Go 1.21 release.
+func cmpCompare[T constraints.Ordered](x, y T) int {
+	xNaN := isNaN(x)
+	yNaN := isNaN(y)
+	if xNaN && yNaN {
+		return 0
+	}
+	if xNaN || x < y {
+		return -1
+	}
+	if yNaN || x > y {
+		return +1
+	}
+	return 0
+}
diff --git a/vendor/golang.org/x/exp/slices/slices.go b/vendor/golang.org/x/exp/slices/slices.go
index 2540bd68255..5e8158bba86 100644
--- a/vendor/golang.org/x/exp/slices/slices.go
+++ b/vendor/golang.org/x/exp/slices/slices.go
@@ -3,23 +3,20 @@
 // license that can be found in the LICENSE file.
 
 // Package slices defines various functions useful with slices of any type.
-// Unless otherwise specified, these functions all apply to the elements
-// of a slice at index 0 <= i < len(s).
-//
-// Note that the less function in IsSortedFunc, SortFunc, SortStableFunc requires a
-// strict weak ordering (https://en.wikipedia.org/wiki/Weak_ordering#Strict_weak_orderings),
-// or the sorting may fail to sort correctly. A common case is when sorting slices of
-// floating-point numbers containing NaN values.
 package slices
 
-import "golang.org/x/exp/constraints"
+import (
+	"unsafe"
+
+	"golang.org/x/exp/constraints"
+)
 
 // Equal reports whether two slices are equal: the same length and all
 // elements equal. If the lengths are different, Equal returns false.
 // Otherwise, the elements are compared in increasing index order, and the
 // comparison stops at the first unequal pair.
 // Floating point NaNs are not considered equal.
-func Equal[E comparable](s1, s2 []E) bool {
+func Equal[S ~[]E, E comparable](s1, s2 S) bool {
 	if len(s1) != len(s2) {
 		return false
 	}
@@ -31,12 +28,12 @@ func Equal[E comparable](s1, s2 []E) bool {
 	return true
 }
 
-// EqualFunc reports whether two slices are equal using a comparison
+// EqualFunc reports whether two slices are equal using an equality
 // function on each pair of elements. If the lengths are different,
 // EqualFunc returns false. Otherwise, the elements are compared in
 // increasing index order, and the comparison stops at the first index
 // for which eq returns false.
-func EqualFunc[E1, E2 any](s1 []E1, s2 []E2, eq func(E1, E2) bool) bool {
+func EqualFunc[S1 ~[]E1, S2 ~[]E2, E1, E2 any](s1 S1, s2 S2, eq func(E1, E2) bool) bool {
 	if len(s1) != len(s2) {
 		return false
 	}
@@ -49,45 +46,37 @@ func EqualFunc[E1, E2 any](s1 []E1, s2 []E2, eq func(E1, E2) bool) bool {
 	return true
 }
 
-// Compare compares the elements of s1 and s2.
-// The elements are compared sequentially, starting at index 0,
+// Compare compares the elements of s1 and s2, using [cmp.Compare] on each pair
+// of elements. The elements are compared sequentially, starting at index 0,
 // until one element is not equal to the other.
 // The result of comparing the first non-matching elements is returned.
 // If both slices are equal until one of them ends, the shorter slice is
 // considered less than the longer one.
 // The result is 0 if s1 == s2, -1 if s1 < s2, and +1 if s1 > s2.
-// Comparisons involving floating point NaNs are ignored.
-func Compare[E constraints.Ordered](s1, s2 []E) int {
-	s2len := len(s2)
+func Compare[S ~[]E, E constraints.Ordered](s1, s2 S) int {
 	for i, v1 := range s1 {
-		if i >= s2len {
+		if i >= len(s2) {
 			return +1
 		}
 		v2 := s2[i]
-		switch {
-		case v1 < v2:
-			return -1
-		case v1 > v2:
-			return +1
+		if c := cmpCompare(v1, v2); c != 0 {
+			return c
 		}
 	}
-	if len(s1) < s2len {
+	if len(s1) < len(s2) {
 		return -1
 	}
 	return 0
 }
 
-// CompareFunc is like Compare but uses a comparison function
-// on each pair of elements. The elements are compared in increasing
-// index order, and the comparisons stop after the first time cmp
-// returns non-zero.
+// CompareFunc is like [Compare] but uses a custom comparison function on each
+// pair of elements.
 // The result is the first non-zero result of cmp; if cmp always
 // returns 0 the result is 0 if len(s1) == len(s2), -1 if len(s1) < len(s2),
 // and +1 if len(s1) > len(s2).
-func CompareFunc[E1, E2 any](s1 []E1, s2 []E2, cmp func(E1, E2) int) int {
-	s2len := len(s2)
+func CompareFunc[S1 ~[]E1, S2 ~[]E2, E1, E2 any](s1 S1, s2 S2, cmp func(E1, E2) int) int {
 	for i, v1 := range s1 {
-		if i >= s2len {
+		if i >= len(s2) {
 			return +1
 		}
 		v2 := s2[i]
@@ -95,7 +84,7 @@ func CompareFunc[E1, E2 any](s1 []E1, s2 []E2, cmp func(E1, E2) int) int {
 			return c
 		}
 	}
-	if len(s1) < s2len {
+	if len(s1) < len(s2) {
 		return -1
 	}
 	return 0
@@ -103,7 +92,7 @@ func CompareFunc[E1, E2 any](s1 []E1, s2 []E2, cmp func(E1, E2) int) int {
 
 // Index returns the index of the first occurrence of v in s,
 // or -1 if not present.
-func Index[E comparable](s []E, v E) int {
+func Index[S ~[]E, E comparable](s S, v E) int {
 	for i := range s {
 		if v == s[i] {
 			return i
@@ -114,7 +103,7 @@ func Index[E comparable](s []E, v E) int {
 
 // IndexFunc returns the first index i satisfying f(s[i]),
 // or -1 if none do.
-func IndexFunc[E any](s []E, f func(E) bool) int {
+func IndexFunc[S ~[]E, E any](s S, f func(E) bool) int {
 	for i := range s {
 		if f(s[i]) {
 			return i
@@ -124,39 +113,104 @@ func IndexFunc[E any](s []E, f func(E) bool) int {
 }
 
 // Contains reports whether v is present in s.
-func Contains[E comparable](s []E, v E) bool {
+func Contains[S ~[]E, E comparable](s S, v E) bool {
 	return Index(s, v) >= 0
 }
 
 // ContainsFunc reports whether at least one
 // element e of s satisfies f(e).
-func ContainsFunc[E any](s []E, f func(E) bool) bool {
+func ContainsFunc[S ~[]E, E any](s S, f func(E) bool) bool {
 	return IndexFunc(s, f) >= 0
 }
 
 // Insert inserts the values v... into s at index i,
 // returning the modified slice.
-// In the returned slice r, r[i] == v[0].
+// The elements at s[i:] are shifted up to make room.
+// In the returned slice r, r[i] == v[0],
+// and r[i+len(v)] == value originally at r[i].
 // Insert panics if i is out of range.
 // This function is O(len(s) + len(v)).
 func Insert[S ~[]E, E any](s S, i int, v ...E) S {
-	tot := len(s) + len(v)
-	if tot <= cap(s) {
-		s2 := s[:tot]
-		copy(s2[i+len(v):], s[i:])
+	m := len(v)
+	if m == 0 {
+		return s
+	}
+	n := len(s)
+	if i == n {
+		return append(s, v...)
+	}
+	if n+m > cap(s) {
+		// Use append rather than make so that we bump the size of
+		// the slice up to the next storage class.
+		// This is what Grow does but we don't call Grow because
+		// that might copy the values twice.
+		s2 := append(s[:i], make(S, n+m-i)...)
 		copy(s2[i:], v)
+		copy(s2[i+m:], s[i:])
 		return s2
 	}
-	s2 := make(S, tot)
-	copy(s2, s[:i])
-	copy(s2[i:], v)
-	copy(s2[i+len(v):], s[i:])
-	return s2
+	s = s[:n+m]
+
+	// before:
+	// s: aaaaaaaabbbbccccccccdddd
+	//            ^   ^       ^   ^
+	//            i  i+m      n  n+m
+	// after:
+	// s: aaaaaaaavvvvbbbbcccccccc
+	//            ^   ^       ^   ^
+	//            i  i+m      n  n+m
+	//
+	// a are the values that don't move in s.
+	// v are the values copied in from v.
+	// b and c are the values from s that are shifted up in index.
+	// d are the values that get overwritten, never to be seen again.
+
+	if !overlaps(v, s[i+m:]) {
+		// Easy case - v does not overlap either the c or d regions.
+		// (It might be in some of a or b, or elsewhere entirely.)
+		// The data we copy up doesn't write to v at all, so just do it.
+
+		copy(s[i+m:], s[i:])
+
+		// Now we have
+		// s: aaaaaaaabbbbbbbbcccccccc
+		//            ^   ^       ^   ^
+		//            i  i+m      n  n+m
+		// Note the b values are duplicated.
+
+		copy(s[i:], v)
+
+		// Now we have
+		// s: aaaaaaaavvvvbbbbcccccccc
+		//            ^   ^       ^   ^
+		//            i  i+m      n  n+m
+		// That's the result we want.
+		return s
+	}
+
+	// The hard case - v overlaps c or d. We can't just shift up
+	// the data because we'd move or clobber the values we're trying
+	// to insert.
+	// So instead, write v on top of d, then rotate.
+	copy(s[n:], v)
+
+	// Now we have
+	// s: aaaaaaaabbbbccccccccvvvv
+	//            ^   ^       ^   ^
+	//            i  i+m      n  n+m
+
+	rotateRight(s[i:], m)
+
+	// Now we have
+	// s: aaaaaaaavvvvbbbbcccccccc
+	//            ^   ^       ^   ^
+	//            i  i+m      n  n+m
+	// That's the result we want.
+	return s
 }
 
 // Delete removes the elements s[i:j] from s, returning the modified slice.
 // Delete panics if s[i:j] is not a valid slice of s.
-// Delete modifies the contents of the slice s; it does not create a new slice.
 // Delete is O(len(s)-j), so if many items must be deleted, it is better to
 // make a single call deleting them all together than to delete one at a time.
 // Delete might not modify the elements s[len(s)-(j-i):len(s)]. If those
@@ -168,22 +222,113 @@ func Delete[S ~[]E, E any](s S, i, j int) S {
 	return append(s[:i], s[j:]...)
 }
 
+// DeleteFunc removes any elements from s for which del returns true,
+// returning the modified slice.
+// When DeleteFunc removes m elements, it might not modify the elements
+// s[len(s)-m:len(s)]. If those elements contain pointers you might consider
+// zeroing those elements so that objects they reference can be garbage
+// collected.
+func DeleteFunc[S ~[]E, E any](s S, del func(E) bool) S {
+	i := IndexFunc(s, del)
+	if i == -1 {
+		return s
+	}
+	// Don't start copying elements until we find one to delete.
+	for j := i + 1; j < len(s); j++ {
+		if v := s[j]; !del(v) {
+			s[i] = v
+			i++
+		}
+	}
+	return s[:i]
+}
+
 // Replace replaces the elements s[i:j] by the given v, and returns the
 // modified slice. Replace panics if s[i:j] is not a valid slice of s.
 func Replace[S ~[]E, E any](s S, i, j int, v ...E) S {
 	_ = s[i:j] // verify that i:j is a valid subslice
+
+	if i == j {
+		return Insert(s, i, v...)
+	}
+	if j == len(s) {
+		return append(s[:i], v...)
+	}
+
 	tot := len(s[:i]) + len(v) + len(s[j:])
-	if tot <= cap(s) {
-		s2 := s[:tot]
-		copy(s2[i+len(v):], s[j:])
+	if tot > cap(s) {
+		// Too big to fit, allocate and copy over.
+		s2 := append(s[:i], make(S, tot-i)...) // See Insert
 		copy(s2[i:], v)
+		copy(s2[i+len(v):], s[j:])
 		return s2
 	}
-	s2 := make(S, tot)
-	copy(s2, s[:i])
-	copy(s2[i:], v)
-	copy(s2[i+len(v):], s[j:])
-	return s2
+
+	r := s[:tot]
+
+	if i+len(v) <= j {
+		// Easy, as v fits in the deleted portion.
+		copy(r[i:], v)
+		if i+len(v) != j {
+			copy(r[i+len(v):], s[j:])
+		}
+		return r
+	}
+
+	// We are expanding (v is bigger than j-i).
+	// The situation is something like this:
+	// (example has i=4,j=8,len(s)=16,len(v)=6)
+	// s: aaaaxxxxbbbbbbbbyy
+	//        ^   ^       ^ ^
+	//        i   j  len(s) tot
+	// a: prefix of s
+	// x: deleted range
+	// b: more of s
+	// y: area to expand into
+
+	if !overlaps(r[i+len(v):], v) {
+		// Easy, as v is not clobbered by the first copy.
+		copy(r[i+len(v):], s[j:])
+		copy(r[i:], v)
+		return r
+	}
+
+	// This is a situation where we don't have a single place to which
+	// we can copy v. Parts of it need to go to two different places.
+	// We want to copy the prefix of v into y and the suffix into x, then
+	// rotate |y| spots to the right.
+	//
+	//        v[2:]      v[:2]
+	//         |           |
+	// s: aaaavvvvbbbbbbbbvv
+	//        ^   ^       ^ ^
+	//        i   j  len(s) tot
+	//
+	// If either of those two destinations don't alias v, then we're good.
+	y := len(v) - (j - i) // length of y portion
+
+	if !overlaps(r[i:j], v) {
+		copy(r[i:j], v[y:])
+		copy(r[len(s):], v[:y])
+		rotateRight(r[i:], y)
+		return r
+	}
+	if !overlaps(r[len(s):], v) {
+		copy(r[len(s):], v[:y])
+		copy(r[i:j], v[y:])
+		rotateRight(r[i:], y)
+		return r
+	}
+
+	// Now we know that v overlaps both x and y.
+	// That means that the entirety of b is *inside* v.
+	// So we don't need to preserve b at all; instead we
+	// can copy v first, then copy the b part of v out of
+	// v to the right destination.
+	k := startIdx(v, s[j:])
+	copy(r[i:], v)
+	copy(r[i+len(v):], r[i+k:])
+	return r
 }
 
 // Clone returns a copy of the slice.
@@ -198,7 +343,8 @@ func Clone[S ~[]E, E any](s S) S {
 
 // Compact replaces consecutive runs of equal elements with a single copy.
 // This is like the uniq command found on Unix.
-// Compact modifies the contents of the slice s; it does not create a new slice.
+// Compact modifies the contents of the slice s and returns the modified slice,
+// which may have a smaller length.
 // When Compact discards m elements in total, it might not modify the elements
 // s[len(s)-m:len(s)]. If those elements contain pointers you might consider
 // zeroing those elements so that objects they reference can be garbage collected.
@@ -218,7 +364,8 @@ func Compact[S ~[]E, E comparable](s S) S {
 	return s[:i]
 }
 
-// CompactFunc is like Compact but uses a comparison function.
+// CompactFunc is like [Compact] but uses an equality function to compare elements.
+// For runs of elements that compare equal, CompactFunc keeps the first one.
 func CompactFunc[S ~[]E, E any](s S, eq func(E, E) bool) S {
 	if len(s) < 2 {
 		return s
@@ -256,3 +403,97 @@ func Grow[S ~[]E, E any](s S, n int) S {
 func Clip[S ~[]E, E any](s S) S {
 	return s[:len(s):len(s)]
 }
+
+// Rotation algorithm explanation:
+//
+// rotate left by 2
+// start with
+//   0123456789
+// split up like this
+//   01 234567 89
+// swap first 2 and last 2
+//   89 234567 01
+// join first parts
+//   89234567 01
+// recursively rotate first left part by 2
+//   23456789 01
+// join at the end
+//   2345678901
+//
+// rotate left by 8
+// start with
+//   0123456789
+// split up like this
+//   01 234567 89
+// swap first 2 and last 2
+//   89 234567 01
+// join last parts
+//   89 23456701
+// recursively rotate second part left by 6
+//   89 01234567
+// join at the end
+//   8901234567
+
+// TODO: There are other rotate algorithms.
+// This algorithm has the desirable property that it moves each element exactly twice.
+// The triple-reverse algorithm is simpler and more cache friendly, but takes more writes.
+// The follow-cycles algorithm can be 1-write but it is not very cache friendly.
+
+// rotateLeft rotates b left by n spaces.
+// s_final[i] = s_orig[i+r], wrapping around.
+func rotateLeft[E any](s []E, r int) {
+	for r != 0 && r != len(s) {
+		if r*2 <= len(s) {
+			swap(s[:r], s[len(s)-r:])
+			s = s[:len(s)-r]
+		} else {
+			swap(s[:len(s)-r], s[r:])
+			s, r = s[len(s)-r:], r*2-len(s)
+		}
+	}
+}
+func rotateRight[E any](s []E, r int) {
+	rotateLeft(s, len(s)-r)
+}
+
+// swap swaps the contents of x and y. x and y must be equal length and disjoint.
+func swap[E any](x, y []E) {
+	for i := 0; i < len(x); i++ {
+		x[i], y[i] = y[i], x[i]
+	}
+}
+
+// overlaps reports whether the memory ranges a[0:len(a)] and b[0:len(b)] overlap.
+func overlaps[E any](a, b []E) bool {
+	if len(a) == 0 || len(b) == 0 {
+		return false
+	}
+	elemSize := unsafe.Sizeof(a[0])
+	if elemSize == 0 {
+		return false
+	}
+	// TODO: use a runtime/unsafe facility once one becomes available. See issue 12445.
+	// Also see crypto/internal/alias/alias.go:AnyOverlap
+	return uintptr(unsafe.Pointer(&a[0])) <= uintptr(unsafe.Pointer(&b[len(b)-1]))+(elemSize-1) &&
+		uintptr(unsafe.Pointer(&b[0])) <= uintptr(unsafe.Pointer(&a[len(a)-1]))+(elemSize-1)
+}
+
+// startIdx returns the index in haystack where the needle starts.
+// prerequisite: the needle must be aliased entirely inside the haystack.
+func startIdx[E any](haystack, needle []E) int {
+	p := &needle[0]
+	for i := range haystack {
+		if p == &haystack[i] {
+			return i
+		}
+	}
+	// TODO: what if the overlap is by a non-integral number of Es?
+	panic("needle not found")
+}
+
+// Reverse reverses the elements of the slice in place.
+func Reverse[S ~[]E, E any](s S) {
+	for i, j := 0, len(s)-1; i < j; i, j = i+1, j-1 {
+		s[i], s[j] = s[j], s[i]
+	}
+}
diff --git a/vendor/golang.org/x/exp/slices/sort.go b/vendor/golang.org/x/exp/slices/sort.go
index 231b6448acd..b67897f76b5 100644
--- a/vendor/golang.org/x/exp/slices/sort.go
+++ b/vendor/golang.org/x/exp/slices/sort.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:generate go run $GOROOT/src/sort/gen_sort_variants.go -exp
+
 package slices
 
 import (
@@ -11,57 +13,116 @@ import (
 )
 
 // Sort sorts a slice of any ordered type in ascending order.
-// Sort may fail to sort correctly when sorting slices of floating-point
-// numbers containing Not-a-number (NaN) values.
-// Use slices.SortFunc(x, func(a, b float64) bool {return a < b || (math.IsNaN(a) && !math.IsNaN(b))})
-// instead if the input may contain NaNs.
-func Sort[E constraints.Ordered](x []E) {
+// When sorting floating-point numbers, NaNs are ordered before other values.
+func Sort[S ~[]E, E constraints.Ordered](x S) {
 	n := len(x)
 	pdqsortOrdered(x, 0, n, bits.Len(uint(n)))
 }
 
-// SortFunc sorts the slice x in ascending order as determined by the less function.
-// This sort is not guaranteed to be stable.
+// SortFunc sorts the slice x in ascending order as determined by the cmp
+// function. This sort is not guaranteed to be stable.
+// cmp(a, b) should return a negative number when a < b, a positive number when
+// a > b and zero when a == b.
 //
-// SortFunc requires that less is a strict weak ordering.
+// SortFunc requires that cmp is a strict weak ordering.
 // See https://en.wikipedia.org/wiki/Weak_ordering#Strict_weak_orderings.
-func SortFunc[E any](x []E, less func(a, b E) bool) {
+func SortFunc[S ~[]E, E any](x S, cmp func(a, b E) int) {
 	n := len(x)
-	pdqsortLessFunc(x, 0, n, bits.Len(uint(n)), less)
+	pdqsortCmpFunc(x, 0, n, bits.Len(uint(n)), cmp)
 }
 
 // SortStableFunc sorts the slice x while keeping the original order of equal
-// elements, using less to compare elements.
-func SortStableFunc[E any](x []E, less func(a, b E) bool) {
-	stableLessFunc(x, len(x), less)
+// elements, using cmp to compare elements in the same way as [SortFunc].
+func SortStableFunc[S ~[]E, E any](x S, cmp func(a, b E) int) {
+	stableCmpFunc(x, len(x), cmp)
 }
 
 // IsSorted reports whether x is sorted in ascending order.
-func IsSorted[E constraints.Ordered](x []E) bool {
+func IsSorted[S ~[]E, E constraints.Ordered](x S) bool {
 	for i := len(x) - 1; i > 0; i-- {
-		if x[i] < x[i-1] {
+		if cmpLess(x[i], x[i-1]) {
 			return false
 		}
 	}
 	return true
 }
 
-// IsSortedFunc reports whether x is sorted in ascending order, with less as the
-// comparison function.
-func IsSortedFunc[E any](x []E, less func(a, b E) bool) bool {
+// IsSortedFunc reports whether x is sorted in ascending order, with cmp as the
+// comparison function as defined by [SortFunc].
+func IsSortedFunc[S ~[]E, E any](x S, cmp func(a, b E) int) bool {
 	for i := len(x) - 1; i > 0; i-- {
-		if less(x[i], x[i-1]) {
+		if cmp(x[i], x[i-1]) < 0 {
 			return false
 		}
 	}
 	return true
 }
 
+// Min returns the minimal value in x. It panics if x is empty.
+// For floating-point numbers, Min propagates NaNs (any NaN value in x
+// forces the output to be NaN).
+func Min[S ~[]E, E constraints.Ordered](x S) E {
+	if len(x) < 1 {
+		panic("slices.Min: empty list")
+	}
+	m := x[0]
+	for i := 1; i < len(x); i++ {
+		m = min(m, x[i])
+	}
+	return m
+}
+
+// MinFunc returns the minimal value in x, using cmp to compare elements.
+// It panics if x is empty. If there is more than one minimal element
+// according to the cmp function, MinFunc returns the first one.
+func MinFunc[S ~[]E, E any](x S, cmp func(a, b E) int) E {
+	if len(x) < 1 {
+		panic("slices.MinFunc: empty list")
+	}
+	m := x[0]
+	for i := 1; i < len(x); i++ {
+		if cmp(x[i], m) < 0 {
+			m = x[i]
+		}
+	}
+	return m
+}
+
+// Max returns the maximal value in x. It panics if x is empty.
+// For floating-point E, Max propagates NaNs (any NaN value in x
+// forces the output to be NaN).
+func Max[S ~[]E, E constraints.Ordered](x S) E {
+	if len(x) < 1 {
+		panic("slices.Max: empty list")
+	}
+	m := x[0]
+	for i := 1; i < len(x); i++ {
+		m = max(m, x[i])
+	}
+	return m
+}
+
+// MaxFunc returns the maximal value in x, using cmp to compare elements.
+// It panics if x is empty. If there is more than one maximal element
+// according to the cmp function, MaxFunc returns the first one.
+func MaxFunc[S ~[]E, E any](x S, cmp func(a, b E) int) E {
+	if len(x) < 1 {
+		panic("slices.MaxFunc: empty list")
+	}
+	m := x[0]
+	for i := 1; i < len(x); i++ {
+		if cmp(x[i], m) > 0 {
+			m = x[i]
+		}
+	}
+	return m
+}
+
 // BinarySearch searches for target in a sorted slice and returns the position
 // where target is found, or the position where target would appear in the
 // sort order; it also returns a bool saying whether the target is really found
 // in the slice. The slice must be sorted in increasing order.
-func BinarySearch[E constraints.Ordered](x []E, target E) (int, bool) {
+func BinarySearch[S ~[]E, E constraints.Ordered](x S, target E) (int, bool) {
 	// Inlining is faster than calling BinarySearchFunc with a lambda.
 	n := len(x)
 	// Define x[-1] < target and x[n] >= target.
@@ -70,24 +131,24 @@ func BinarySearch[E constraints.Ordered](x []E, target E) (int, bool) {
 	for i < j {
 		h := int(uint(i+j) >> 1) // avoid overflow when computing h
 		// i ≤ h < j
-		if x[h] < target {
+		if cmpLess(x[h], target) {
 			i = h + 1 // preserves x[i-1] < target
 		} else {
 			j = h // preserves x[j] >= target
 		}
 	}
 	// i == j, x[i-1] < target, and x[j] (= x[i]) >= target  =>  answer is i.
-	return i, i < n && x[i] == target
+	return i, i < n && (x[i] == target || (isNaN(x[i]) && isNaN(target)))
 }
 
-// BinarySearchFunc works like BinarySearch, but uses a custom comparison
+// BinarySearchFunc works like [BinarySearch], but uses a custom comparison
 // function. The slice must be sorted in increasing order, where "increasing"
 // is defined by cmp. cmp should return 0 if the slice element matches
 // the target, a negative number if the slice element precedes the target,
 // or a positive number if the slice element follows the target.
 // cmp must implement the same ordering as the slice, such that if
 // cmp(a, t) < 0 and cmp(b, t) >= 0, then a must precede b in the slice.
-func BinarySearchFunc[E, T any](x []E, target T, cmp func(E, T) int) (int, bool) {
+func BinarySearchFunc[S ~[]E, E, T any](x S, target T, cmp func(E, T) int) (int, bool) {
 	n := len(x)
 	// Define cmp(x[-1], target) < 0 and cmp(x[n], target) >= 0 .
 	// Invariant: cmp(x[i - 1], target) < 0, cmp(x[j], target) >= 0.
@@ -126,3 +187,9 @@ func (r *xorshift) Next() uint64 {
 func nextPowerOfTwo(length int) uint {
 	return 1 << bits.Len(uint(length))
 }
+
+// isNaN reports whether x is a NaN without requiring the math package.
+// This will always return false if T is not floating-point.
+func isNaN[T constraints.Ordered](x T) bool {
+	return x != x
+}
diff --git a/vendor/golang.org/x/exp/slices/zsortfunc.go b/vendor/golang.org/x/exp/slices/zsortanyfunc.go
similarity index 64%
rename from vendor/golang.org/x/exp/slices/zsortfunc.go
rename to vendor/golang.org/x/exp/slices/zsortanyfunc.go
index 2a632476c50..06f2c7a2481 100644
--- a/vendor/golang.org/x/exp/slices/zsortfunc.go
+++ b/vendor/golang.org/x/exp/slices/zsortanyfunc.go
@@ -6,28 +6,28 @@
 
 package slices
 
-// insertionSortLessFunc sorts data[a:b] using insertion sort.
-func insertionSortLessFunc[E any](data []E, a, b int, less func(a, b E) bool) {
+// insertionSortCmpFunc sorts data[a:b] using insertion sort.
+func insertionSortCmpFunc[E any](data []E, a, b int, cmp func(a, b E) int) {
 	for i := a + 1; i < b; i++ {
-		for j := i; j > a && less(data[j], data[j-1]); j-- {
+		for j := i; j > a && (cmp(data[j], data[j-1]) < 0); j-- {
 			data[j], data[j-1] = data[j-1], data[j]
 		}
 	}
 }
 
-// siftDownLessFunc implements the heap property on data[lo:hi].
+// siftDownCmpFunc implements the heap property on data[lo:hi].
 // first is an offset into the array where the root of the heap lies.
-func siftDownLessFunc[E any](data []E, lo, hi, first int, less func(a, b E) bool) {
+func siftDownCmpFunc[E any](data []E, lo, hi, first int, cmp func(a, b E) int) {
 	root := lo
 	for {
 		child := 2*root + 1
 		if child >= hi {
 			break
 		}
-		if child+1 < hi && less(data[first+child], data[first+child+1]) {
+		if child+1 < hi && (cmp(data[first+child], data[first+child+1]) < 0) {
 			child++
 		}
-		if !less(data[first+root], data[first+child]) {
+		if !(cmp(data[first+root], data[first+child]) < 0) {
 			return
 		}
 		data[first+root], data[first+child] = data[first+child], data[first+root]
@@ -35,30 +35,30 @@ func siftDownLessFunc[E any](data []E, lo, hi, first int, less func(a, b E) bool
 	}
 }
 
-func heapSortLessFunc[E any](data []E, a, b int, less func(a, b E) bool) {
+func heapSortCmpFunc[E any](data []E, a, b int, cmp func(a, b E) int) {
 	first := a
 	lo := 0
 	hi := b - a
 
 	// Build heap with greatest element at top.
 	for i := (hi - 1) / 2; i >= 0; i-- {
-		siftDownLessFunc(data, i, hi, first, less)
+		siftDownCmpFunc(data, i, hi, first, cmp)
 	}
 
 	// Pop elements, largest first, into end of data.
 	for i := hi - 1; i >= 0; i-- {
 		data[first], data[first+i] = data[first+i], data[first]
-		siftDownLessFunc(data, lo, i, first, less)
+		siftDownCmpFunc(data, lo, i, first, cmp)
 	}
 }
 
-// pdqsortLessFunc sorts data[a:b].
+// pdqsortCmpFunc sorts data[a:b].
 // The algorithm based on pattern-defeating quicksort(pdqsort), but without the optimizations from BlockQuicksort.
 // pdqsort paper: https://arxiv.org/pdf/2106.05123.pdf
 // C++ implementation: https://github.com/orlp/pdqsort
 // Rust implementation: https://docs.rs/pdqsort/latest/pdqsort/
 // limit is the number of allowed bad (very unbalanced) pivots before falling back to heapsort.
-func pdqsortLessFunc[E any](data []E, a, b, limit int, less func(a, b E) bool) {
+func pdqsortCmpFunc[E any](data []E, a, b, limit int, cmp func(a, b E) int) {
 	const maxInsertion = 12
 
 	var (
@@ -70,25 +70,25 @@ func pdqsortLessFunc[E any](data []E, a, b, limit int, less func(a, b E) bool) {
 		length := b - a
 
 		if length <= maxInsertion {
-			insertionSortLessFunc(data, a, b, less)
+			insertionSortCmpFunc(data, a, b, cmp)
 			return
 		}
 
 		// Fall back to heapsort if too many bad choices were made.
 		if limit == 0 {
-			heapSortLessFunc(data, a, b, less)
+			heapSortCmpFunc(data, a, b, cmp)
 			return
 		}
 
 		// If the last partitioning was imbalanced, we need to breaking patterns.
 		if !wasBalanced {
-			breakPatternsLessFunc(data, a, b, less)
+			breakPatternsCmpFunc(data, a, b, cmp)
 			limit--
 		}
 
-		pivot, hint := choosePivotLessFunc(data, a, b, less)
+		pivot, hint := choosePivotCmpFunc(data, a, b, cmp)
 		if hint == decreasingHint {
-			reverseRangeLessFunc(data, a, b, less)
+			reverseRangeCmpFunc(data, a, b, cmp)
 			// The chosen pivot was pivot-a elements after the start of the array.
 			// After reversing it is pivot-a elements before the end of the array.
 			// The idea came from Rust's implementation.
@@ -98,48 +98,48 @@ func pdqsortLessFunc[E any](data []E, a, b, limit int, less func(a, b E) bool) {
 
 		// The slice is likely already sorted.
 		if wasBalanced && wasPartitioned && hint == increasingHint {
-			if partialInsertionSortLessFunc(data, a, b, less) {
+			if partialInsertionSortCmpFunc(data, a, b, cmp) {
 				return
 			}
 		}
 
 		// Probably the slice contains many duplicate elements, partition the slice into
 		// elements equal to and elements greater than the pivot.
-		if a > 0 && !less(data[a-1], data[pivot]) {
-			mid := partitionEqualLessFunc(data, a, b, pivot, less)
+		if a > 0 && !(cmp(data[a-1], data[pivot]) < 0) {
+			mid := partitionEqualCmpFunc(data, a, b, pivot, cmp)
 			a = mid
 			continue
 		}
 
-		mid, alreadyPartitioned := partitionLessFunc(data, a, b, pivot, less)
+		mid, alreadyPartitioned := partitionCmpFunc(data, a, b, pivot, cmp)
 		wasPartitioned = alreadyPartitioned
 
 		leftLen, rightLen := mid-a, b-mid
 		balanceThreshold := length / 8
 		if leftLen < rightLen {
 			wasBalanced = leftLen >= balanceThreshold
-			pdqsortLessFunc(data, a, mid, limit, less)
+			pdqsortCmpFunc(data, a, mid, limit, cmp)
 			a = mid + 1
 		} else {
 			wasBalanced = rightLen >= balanceThreshold
-			pdqsortLessFunc(data, mid+1, b, limit, less)
+			pdqsortCmpFunc(data, mid+1, b, limit, cmp)
 			b = mid
 		}
 	}
 }
 
-// partitionLessFunc does one quicksort partition.
+// partitionCmpFunc does one quicksort partition.
 // Let p = data[pivot]
 // Moves elements in data[a:b] around, so that data[i]<p and data[j]>=p for i<newpivot and j>newpivot.
 // On return, data[newpivot] = p
-func partitionLessFunc[E any](data []E, a, b, pivot int, less func(a, b E) bool) (newpivot int, alreadyPartitioned bool) {
+func partitionCmpFunc[E any](data []E, a, b, pivot int, cmp func(a, b E) int) (newpivot int, alreadyPartitioned bool) {
 	data[a], data[pivot] = data[pivot], data[a]
 	i, j := a+1, b-1 // i and j are inclusive of the elements remaining to be partitioned
 
-	for i <= j && less(data[i], data[a]) {
+	for i <= j && (cmp(data[i], data[a]) < 0) {
 		i++
 	}
-	for i <= j && !less(data[j], data[a]) {
+	for i <= j && !(cmp(data[j], data[a]) < 0) {
 		j--
 	}
 	if i > j {
@@ -151,10 +151,10 @@ func partitionLessFunc[E any](data []E, a, b, pivot int, less func(a, b E) bool)
 	j--
 
 	for {
-		for i <= j && less(data[i], data[a]) {
+		for i <= j && (cmp(data[i], data[a]) < 0) {
 			i++
 		}
-		for i <= j && !less(data[j], data[a]) {
+		for i <= j && !(cmp(data[j], data[a]) < 0) {
 			j--
 		}
 		if i > j {
@@ -168,17 +168,17 @@ func partitionLessFunc[E any](data []E, a, b, pivot int, less func(a, b E) bool)
 	return j, false
 }
 
-// partitionEqualLessFunc partitions data[a:b] into elements equal to data[pivot] followed by elements greater than data[pivot].
+// partitionEqualCmpFunc partitions data[a:b] into elements equal to data[pivot] followed by elements greater than data[pivot].
 // It assumed that data[a:b] does not contain elements smaller than the data[pivot].
-func partitionEqualLessFunc[E any](data []E, a, b, pivot int, less func(a, b E) bool) (newpivot int) {
+func partitionEqualCmpFunc[E any](data []E, a, b, pivot int, cmp func(a, b E) int) (newpivot int) {
 	data[a], data[pivot] = data[pivot], data[a]
 	i, j := a+1, b-1 // i and j are inclusive of the elements remaining to be partitioned
 
 	for {
-		for i <= j && !less(data[a], data[i]) {
+		for i <= j && !(cmp(data[a], data[i]) < 0) {
 			i++
 		}
-		for i <= j && less(data[a], data[j]) {
+		for i <= j && (cmp(data[a], data[j]) < 0) {
 			j--
 		}
 		if i > j {
@@ -191,15 +191,15 @@ func partitionEqualLessFunc[E any](data []E, a, b, pivot int, less func(a, b E)
 	return i
 }
 
-// partialInsertionSortLessFunc partially sorts a slice, returns true if the slice is sorted at the end.
-func partialInsertionSortLessFunc[E any](data []E, a, b int, less func(a, b E) bool) bool {
+// partialInsertionSortCmpFunc partially sorts a slice, returns true if the slice is sorted at the end.
+func partialInsertionSortCmpFunc[E any](data []E, a, b int, cmp func(a, b E) int) bool {
 	const (
 		maxSteps         = 5  // maximum number of adjacent out-of-order pairs that will get shifted
 		shortestShifting = 50 // don't shift any elements on short arrays
 	)
 	i := a + 1
 	for j := 0; j < maxSteps; j++ {
-		for i < b && !less(data[i], data[i-1]) {
+		for i < b && !(cmp(data[i], data[i-1]) < 0) {
 			i++
 		}
 
@@ -216,7 +216,7 @@ func partialInsertionSortLessFunc[E any](data []E, a, b int, less func(a, b E) b
 		// Shift the smaller one to the left.
 		if i-a >= 2 {
 			for j := i - 1; j >= 1; j-- {
-				if !less(data[j], data[j-1]) {
+				if !(cmp(data[j], data[j-1]) < 0) {
 					break
 				}
 				data[j], data[j-1] = data[j-1], data[j]
@@ -225,7 +225,7 @@ func partialInsertionSortLessFunc[E any](data []E, a, b int, less func(a, b E) b
 		// Shift the greater one to the right.
 		if b-i >= 2 {
 			for j := i + 1; j < b; j++ {
-				if !less(data[j], data[j-1]) {
+				if !(cmp(data[j], data[j-1]) < 0) {
 					break
 				}
 				data[j], data[j-1] = data[j-1], data[j]
@@ -235,9 +235,9 @@ func partialInsertionSortLessFunc[E any](data []E, a, b int, less func(a, b E) b
 	return false
 }
 
-// breakPatternsLessFunc scatters some elements around in an attempt to break some patterns
+// breakPatternsCmpFunc scatters some elements around in an attempt to break some patterns
 // that might cause imbalanced partitions in quicksort.
-func breakPatternsLessFunc[E any](data []E, a, b int, less func(a, b E) bool) {
+func breakPatternsCmpFunc[E any](data []E, a, b int, cmp func(a, b E) int) {
 	length := b - a
 	if length >= 8 {
 		random := xorshift(length)
@@ -253,12 +253,12 @@ func breakPatternsLessFunc[E any](data []E, a, b int, less func(a, b E) bool) {
 	}
 }
 
-// choosePivotLessFunc chooses a pivot in data[a:b].
+// choosePivotCmpFunc chooses a pivot in data[a:b].
 //
 // [0,8): chooses a static pivot.
 // [8,shortestNinther): uses the simple median-of-three method.
 // [shortestNinther,∞): uses the Tukey ninther method.
-func choosePivotLessFunc[E any](data []E, a, b int, less func(a, b E) bool) (pivot int, hint sortedHint) {
+func choosePivotCmpFunc[E any](data []E, a, b int, cmp func(a, b E) int) (pivot int, hint sortedHint) {
 	const (
 		shortestNinther = 50
 		maxSwaps        = 4 * 3
@@ -276,12 +276,12 @@ func choosePivotLessFunc[E any](data []E, a, b int, less func(a, b E) bool) (piv
 	if l >= 8 {
 		if l >= shortestNinther {
 			// Tukey ninther method, the idea came from Rust's implementation.
-			i = medianAdjacentLessFunc(data, i, &swaps, less)
-			j = medianAdjacentLessFunc(data, j, &swaps, less)
-			k = medianAdjacentLessFunc(data, k, &swaps, less)
+			i = medianAdjacentCmpFunc(data, i, &swaps, cmp)
+			j = medianAdjacentCmpFunc(data, j, &swaps, cmp)
+			k = medianAdjacentCmpFunc(data, k, &swaps, cmp)
 		}
 		// Find the median among i, j, k and stores it into j.
-		j = medianLessFunc(data, i, j, k, &swaps, less)
+		j = medianCmpFunc(data, i, j, k, &swaps, cmp)
 	}
 
 	switch swaps {
@@ -294,29 +294,29 @@ func choosePivotLessFunc[E any](data []E, a, b int, less func(a, b E) bool) (piv
 	}
 }
 
-// order2LessFunc returns x,y where data[x] <= data[y], where x,y=a,b or x,y=b,a.
-func order2LessFunc[E any](data []E, a, b int, swaps *int, less func(a, b E) bool) (int, int) {
-	if less(data[b], data[a]) {
+// order2CmpFunc returns x,y where data[x] <= data[y], where x,y=a,b or x,y=b,a.
+func order2CmpFunc[E any](data []E, a, b int, swaps *int, cmp func(a, b E) int) (int, int) {
+	if cmp(data[b], data[a]) < 0 {
 		*swaps++
 		return b, a
 	}
 	return a, b
 }
 
-// medianLessFunc returns x where data[x] is the median of data[a],data[b],data[c], where x is a, b, or c.
-func medianLessFunc[E any](data []E, a, b, c int, swaps *int, less func(a, b E) bool) int {
-	a, b = order2LessFunc(data, a, b, swaps, less)
-	b, c = order2LessFunc(data, b, c, swaps, less)
-	a, b = order2LessFunc(data, a, b, swaps, less)
+// medianCmpFunc returns x where data[x] is the median of data[a],data[b],data[c], where x is a, b, or c.
+func medianCmpFunc[E any](data []E, a, b, c int, swaps *int, cmp func(a, b E) int) int {
+	a, b = order2CmpFunc(data, a, b, swaps, cmp)
+	b, c = order2CmpFunc(data, b, c, swaps, cmp)
+	a, b = order2CmpFunc(data, a, b, swaps, cmp)
 	return b
 }
 
-// medianAdjacentLessFunc finds the median of data[a - 1], data[a], data[a + 1] and stores the index into a.
-func medianAdjacentLessFunc[E any](data []E, a int, swaps *int, less func(a, b E) bool) int {
-	return medianLessFunc(data, a-1, a, a+1, swaps, less)
+// medianAdjacentCmpFunc finds the median of data[a - 1], data[a], data[a + 1] and stores the index into a.
+func medianAdjacentCmpFunc[E any](data []E, a int, swaps *int, cmp func(a, b E) int) int {
+	return medianCmpFunc(data, a-1, a, a+1, swaps, cmp)
 }
 
-func reverseRangeLessFunc[E any](data []E, a, b int, less func(a, b E) bool) {
+func reverseRangeCmpFunc[E any](data []E, a, b int, cmp func(a, b E) int) {
 	i := a
 	j := b - 1
 	for i < j {
@@ -326,37 +326,37 @@ func reverseRangeLessFunc[E any](data []E, a, b int, less func(a, b E) bool) {
 	}
 }
 
-func swapRangeLessFunc[E any](data []E, a, b, n int, less func(a, b E) bool) {
+func swapRangeCmpFunc[E any](data []E, a, b, n int, cmp func(a, b E) int) {
 	for i := 0; i < n; i++ {
 		data[a+i], data[b+i] = data[b+i], data[a+i]
 	}
 }
 
-func stableLessFunc[E any](data []E, n int, less func(a, b E) bool) {
+func stableCmpFunc[E any](data []E, n int, cmp func(a, b E) int) {
 	blockSize := 20 // must be > 0
 	a, b := 0, blockSize
 	for b <= n {
-		insertionSortLessFunc(data, a, b, less)
+		insertionSortCmpFunc(data, a, b, cmp)
 		a = b
 		b += blockSize
 	}
-	insertionSortLessFunc(data, a, n, less)
+	insertionSortCmpFunc(data, a, n, cmp)
 
 	for blockSize < n {
 		a, b = 0, 2*blockSize
 		for b <= n {
-			symMergeLessFunc(data, a, a+blockSize, b, less)
+			symMergeCmpFunc(data, a, a+blockSize, b, cmp)
 			a = b
 			b += 2 * blockSize
 		}
 		if m := a + blockSize; m < n {
-			symMergeLessFunc(data, a, m, n, less)
+			symMergeCmpFunc(data, a, m, n, cmp)
 		}
 		blockSize *= 2
 	}
 }
 
-// symMergeLessFunc merges the two sorted subsequences data[a:m] and data[m:b] using
+// symMergeCmpFunc merges the two sorted subsequences data[a:m] and data[m:b] using
 // the SymMerge algorithm from Pok-Son Kim and Arne Kutzner, "Stable Minimum
 // Storage Merging by Symmetric Comparisons", in Susanne Albers and Tomasz
 // Radzik, editors, Algorithms - ESA 2004, volume 3221 of Lecture Notes in
@@ -375,7 +375,7 @@ func stableLessFunc[E any](data []E, n int, less func(a, b E) bool) {
 // symMerge assumes non-degenerate arguments: a < m && m < b.
 // Having the caller check this condition eliminates many leaf recursion calls,
 // which improves performance.
-func symMergeLessFunc[E any](data []E, a, m, b int, less func(a, b E) bool) {
+func symMergeCmpFunc[E any](data []E, a, m, b int, cmp func(a, b E) int) {
 	// Avoid unnecessary recursions of symMerge
 	// by direct insertion of data[a] into data[m:b]
 	// if data[a:m] only contains one element.
@@ -387,7 +387,7 @@ func symMergeLessFunc[E any](data []E, a, m, b int, less func(a, b E) bool) {
 		j := b
 		for i < j {
 			h := int(uint(i+j) >> 1)
-			if less(data[h], data[a]) {
+			if cmp(data[h], data[a]) < 0 {
 				i = h + 1
 			} else {
 				j = h
@@ -411,7 +411,7 @@ func symMergeLessFunc[E any](data []E, a, m, b int, less func(a, b E) bool) {
 		j := m
 		for i < j {
 			h := int(uint(i+j) >> 1)
-			if !less(data[m], data[h]) {
+			if !(cmp(data[m], data[h]) < 0) {
 				i = h + 1
 			} else {
 				j = h
@@ -438,7 +438,7 @@ func symMergeLessFunc[E any](data []E, a, m, b int, less func(a, b E) bool) {
 
 	for start < r {
 		c := int(uint(start+r) >> 1)
-		if !less(data[p-c], data[c]) {
+		if !(cmp(data[p-c], data[c]) < 0) {
 			start = c + 1
 		} else {
 			r = c
@@ -447,33 +447,33 @@ func symMergeLessFunc[E any](data []E, a, m, b int, less func(a, b E) bool) {
 
 	end := n - start
 	if start < m && m < end {
-		rotateLessFunc(data, start, m, end, less)
+		rotateCmpFunc(data, start, m, end, cmp)
 	}
 	if a < start && start < mid {
-		symMergeLessFunc(data, a, start, mid, less)
+		symMergeCmpFunc(data, a, start, mid, cmp)
 	}
 	if mid < end && end < b {
-		symMergeLessFunc(data, mid, end, b, less)
+		symMergeCmpFunc(data, mid, end, b, cmp)
 	}
 }
 
-// rotateLessFunc rotates two consecutive blocks u = data[a:m] and v = data[m:b] in data:
+// rotateCmpFunc rotates two consecutive blocks u = data[a:m] and v = data[m:b] in data:
 // Data of the form 'x u v y' is changed to 'x v u y'.
 // rotate performs at most b-a many calls to data.Swap,
 // and it assumes non-degenerate arguments: a < m && m < b.
-func rotateLessFunc[E any](data []E, a, m, b int, less func(a, b E) bool) {
+func rotateCmpFunc[E any](data []E, a, m, b int, cmp func(a, b E) int) {
 	i := m - a
 	j := b - m
 
 	for i != j {
 		if i > j {
-			swapRangeLessFunc(data, m-i, m, j, less)
+			swapRangeCmpFunc(data, m-i, m, j, cmp)
 			i -= j
 		} else {
-			swapRangeLessFunc(data, m-i, m+j-i, i, less)
+			swapRangeCmpFunc(data, m-i, m+j-i, i, cmp)
 			j -= i
 		}
 	}
 	// i == j
-	swapRangeLessFunc(data, m-i, m, i, less)
+	swapRangeCmpFunc(data, m-i, m, i, cmp)
 }
diff --git a/vendor/golang.org/x/exp/slices/zsortordered.go b/vendor/golang.org/x/exp/slices/zsortordered.go
index efaa1c8b714..99b47c3986a 100644
--- a/vendor/golang.org/x/exp/slices/zsortordered.go
+++ b/vendor/golang.org/x/exp/slices/zsortordered.go
@@ -11,7 +11,7 @@ import "golang.org/x/exp/constraints"
 // insertionSortOrdered sorts data[a:b] using insertion sort.
 func insertionSortOrdered[E constraints.Ordered](data []E, a, b int) {
 	for i := a + 1; i < b; i++ {
-		for j := i; j > a && (data[j] < data[j-1]); j-- {
+		for j := i; j > a && cmpLess(data[j], data[j-1]); j-- {
 			data[j], data[j-1] = data[j-1], data[j]
 		}
 	}
@@ -26,10 +26,10 @@ func siftDownOrdered[E constraints.Ordered](data []E, lo, hi, first int) {
 		if child >= hi {
 			break
 		}
-		if child+1 < hi && (data[first+child] < data[first+child+1]) {
+		if child+1 < hi && cmpLess(data[first+child], data[first+child+1]) {
 			child++
 		}
-		if !(data[first+root] < data[first+child]) {
+		if !cmpLess(data[first+root], data[first+child]) {
 			return
 		}
 		data[first+root], data[first+child] = data[first+child], data[first+root]
@@ -107,7 +107,7 @@ func pdqsortOrdered[E constraints.Ordered](data []E, a, b, limit int) {
 
 		// Probably the slice contains many duplicate elements, partition the slice into
 		// elements equal to and elements greater than the pivot.
-		if a > 0 && !(data[a-1] < data[pivot]) {
+		if a > 0 && !cmpLess(data[a-1], data[pivot]) {
 			mid := partitionEqualOrdered(data, a, b, pivot)
 			a = mid
 			continue
@@ -138,10 +138,10 @@ func partitionOrdered[E constraints.Ordered](data []E, a, b, pivot int) (newpivo
 	data[a], data[pivot] = data[pivot], data[a]
 	i, j := a+1, b-1 // i and j are inclusive of the elements remaining to be partitioned
 
-	for i <= j && (data[i] < data[a]) {
+	for i <= j && cmpLess(data[i], data[a]) {
 		i++
 	}
-	for i <= j && !(data[j] < data[a]) {
+	for i <= j && !cmpLess(data[j], data[a]) {
 		j--
 	}
 	if i > j {
@@ -153,10 +153,10 @@ func partitionOrdered[E constraints.Ordered](data []E, a, b, pivot int) (newpivo
 	j--
 
 	for {
-		for i <= j && (data[i] < data[a]) {
+		for i <= j && cmpLess(data[i], data[a]) {
 			i++
 		}
-		for i <= j && !(data[j] < data[a]) {
+		for i <= j && !cmpLess(data[j], data[a]) {
 			j--
 		}
 		if i > j {
@@ -177,10 +177,10 @@ func partitionEqualOrdered[E constraints.Ordered](data []E, a, b, pivot int) (ne
 	i, j := a+1, b-1 // i and j are inclusive of the elements remaining to be partitioned
 
 	for {
-		for i <= j && !(data[a] < data[i]) {
+		for i <= j && !cmpLess(data[a], data[i]) {
 			i++
 		}
-		for i <= j && (data[a] < data[j]) {
+		for i <= j && cmpLess(data[a], data[j]) {
 			j--
 		}
 		if i > j {
@@ -201,7 +201,7 @@ func partialInsertionSortOrdered[E constraints.Ordered](data []E, a, b int) bool
 	)
 	i := a + 1
 	for j := 0; j < maxSteps; j++ {
-		for i < b && !(data[i] < data[i-1]) {
+		for i < b && !cmpLess(data[i], data[i-1]) {
 			i++
 		}
 
@@ -218,7 +218,7 @@ func partialInsertionSortOrdered[E constraints.Ordered](data []E, a, b int) bool
 		// Shift the smaller one to the left.
 		if i-a >= 2 {
 			for j := i - 1; j >= 1; j-- {
-				if !(data[j] < data[j-1]) {
+				if !cmpLess(data[j], data[j-1]) {
 					break
 				}
 				data[j], data[j-1] = data[j-1], data[j]
@@ -227,7 +227,7 @@ func partialInsertionSortOrdered[E constraints.Ordered](data []E, a, b int) bool
 		// Shift the greater one to the right.
 		if b-i >= 2 {
 			for j := i + 1; j < b; j++ {
-				if !(data[j] < data[j-1]) {
+				if !cmpLess(data[j], data[j-1]) {
 					break
 				}
 				data[j], data[j-1] = data[j-1], data[j]
@@ -298,7 +298,7 @@ func choosePivotOrdered[E constraints.Ordered](data []E, a, b int) (pivot int, h
 
 // order2Ordered returns x,y where data[x] <= data[y], where x,y=a,b or x,y=b,a.
 func order2Ordered[E constraints.Ordered](data []E, a, b int, swaps *int) (int, int) {
-	if data[b] < data[a] {
+	if cmpLess(data[b], data[a]) {
 		*swaps++
 		return b, a
 	}
@@ -389,7 +389,7 @@ func symMergeOrdered[E constraints.Ordered](data []E, a, m, b int) {
 		j := b
 		for i < j {
 			h := int(uint(i+j) >> 1)
-			if data[h] < data[a] {
+			if cmpLess(data[h], data[a]) {
 				i = h + 1
 			} else {
 				j = h
@@ -413,7 +413,7 @@ func symMergeOrdered[E constraints.Ordered](data []E, a, m, b int) {
 		j := m
 		for i < j {
 			h := int(uint(i+j) >> 1)
-			if !(data[m] < data[h]) {
+			if !cmpLess(data[m], data[h]) {
 				i = h + 1
 			} else {
 				j = h
@@ -440,7 +440,7 @@ func symMergeOrdered[E constraints.Ordered](data []E, a, m, b int) {
 
 	for start < r {
 		c := int(uint(start+r) >> 1)
-		if !(data[p-c] < data[c]) {
+		if !cmpLess(data[p-c], data[c]) {
 			start = c + 1
 		} else {
 			r = c
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc b/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc
deleted file mode 100644
index 730e569b069..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/.gitcookies.sh.enc
+++ /dev/null
@@ -1 +0,0 @@
-'|Ê&{tÄU|gGê(ì�Cy=+¨œòcû:u:/pœ#~žü["±4¤!­nÙAªDK<ŠufÿhÅa¿Â:ºü¸¡´B/£Ø¤¹¤ò_�hÎÛSãT*wÌx¼¯�¹-ç|�àÀÓƒÑÄäóÌ㣗A$$â6£ÁâG)8nÏpûÆË¡3ÌšœoïÏvŽB–3¿­]xÝ“Ó2l§G•|qRÞ¯
ö2
5R–Ó×Ç$´ñ½Yè¡ÞÝ™l‘Ë«yAI"ÛŒ˜®íû¹¼kÄ|Kåþ[9ÆâÒå=°úÿŸñ|@S•3ó#æ�x?¾V„,¾‚SÆÝõœwPíogÒ6&V6	©D.dBŠ7
\ No newline at end of file
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore b/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore
deleted file mode 100644
index 95a851586a5..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*~
-.*.swp
-*.out
-*.test
-*.pem
-*.cov
-jose-util/jose-util
-jose-util.t.err
\ No newline at end of file
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml b/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml
deleted file mode 100644
index 391b99a4014..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/.travis.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-language: go
-
-sudo: false
-
-matrix:
-  fast_finish: true
-  allow_failures:
-    - go: tip
-
-go:
-- '1.14.x'
-- '1.15.x'
-- tip
-
-go_import_path: gopkg.in/square/go-jose.v2
-
-before_script:
-- export PATH=$HOME/.local/bin:$PATH
-
-before_install:
-# Install encrypted gitcookies to get around bandwidth-limits
-# that is causing Travis-CI builds to fail. For more info, see
-# https://github.com/golang/go/issues/12933
-- openssl aes-256-cbc -K $encrypted_1528c3c2cafd_key -iv $encrypted_1528c3c2cafd_iv -in .gitcookies.sh.enc -out .gitcookies.sh -d || true
-- bash .gitcookies.sh || true
-- go get github.com/wadey/gocovmerge
-- go get github.com/mattn/goveralls
-- go get github.com/stretchr/testify/assert
-- go get github.com/stretchr/testify/require
-- go get github.com/google/go-cmp/cmp
-- go get golang.org/x/tools/cmd/cover || true
-- go get code.google.com/p/go.tools/cmd/cover || true
-- pip install cram --user
-
-script:
-- go test . -v -covermode=count -coverprofile=profile.cov
-- go test ./cipher -v -covermode=count -coverprofile=cipher/profile.cov
-- go test ./jwt -v -covermode=count -coverprofile=jwt/profile.cov
-- go test ./json -v # no coverage for forked encoding/json package
-- cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t # cram tests jose-util
-- cd ..
-
-after_success:
-- gocovmerge *.cov */*.cov > merged.coverprofile
-- $HOME/gopath/bin/goveralls -coverprofile merged.coverprofile -service=travis-ci
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md b/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
deleted file mode 100644
index 8e6e9132395..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/CHANGELOG.md
+++ /dev/null
@@ -1,84 +0,0 @@
-# v4.0.1
-
-## Fixed
-
- - An attacker could send a JWE containing compressed data that used large
-   amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
-   Those functions now return an error if the decompressed data would exceed
-   250kB or 10x the compressed size (whichever is larger). Thanks to
-   Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
-   for reporting.
-
-# v4.0.0
-
-This release makes some breaking changes in order to more thoroughly
-address the vulnerabilities discussed in [Three New Attacks Against JSON Web
-Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
-token".
-
-## Changed
-
- - Limit JWT encryption types (exclude password or public key types) (#78)
- - Enforce minimum length for HMAC keys (#85)
- - jwt: match any audience in a list, rather than requiring all audiences (#81)
- - jwt: accept only Compact Serialization (#75)
- - jws: Add expected algorithms for signatures (#74)
- - Require specifying expected algorithms for ParseEncrypted,
-   ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
-   jwt.ParseSignedAndEncrypted (#69, #74)
-   - Usually there is a small, known set of appropriate algorithms for a program
-     to use and it's a mistake to allow unexpected algorithms. For instance the
-     "billion hash attack" relies in part on programs accepting the PBES2
-     encryption algorithm and doing the necessary work even if they weren't
-     specifically configured to allow PBES2.
- - Revert "Strip padding off base64 strings" (#82)
-  - The specs require base64url encoding without padding.
- - Minimum supported Go version is now 1.21
-
-## Added
-
- - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
-   - These allow parsing a specific serialization, as opposed to ParseSigned and
-     ParseEncrypted, which try to automatically detect which serialization was
-     provided. It's common to require a specific serialization for a specific
-     protocol - for instance JWT requires Compact serialization.
-
-[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-
-# v3.0.3
-
-## Fixed
-
- - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
-
-# v3.0.2
-
-## Fixed
-
- - DecryptMulti: handle decompression error (#19)
-
-## Changed
-
- - jwe/CompactSerialize: improve performance (#67)
- - Increase the default number of PBKDF2 iterations to 600k (#48)
- - Return the proper algorithm for ECDSA keys (#45)
-
-## Added
-
- - Add Thumbprint support for opaque signers (#38)
-
-# v3.0.1
-
-## Fixed
-
- - Security issue: an attacker specifying a large "p2c" value can cause
-   JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
-   amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
-   disclosure and to Tom Tervoort for originally publishing the category of attack.
-   https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-
-# v2.6.3
-
-## Fixed
-
- - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/CONTRIBUTING.md b/vendor/gopkg.in/go-jose/go-jose.v2/CONTRIBUTING.md
deleted file mode 100644
index 61b183651c0..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/CONTRIBUTING.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# Contributing
-
-If you would like to contribute code to go-jose you can do so through GitHub by
-forking the repository and sending a pull request.
-
-When submitting code, please make every effort to follow existing conventions
-and style in order to keep the code as readable as possible. Please also make
-sure all tests pass by running `go test`, and format your code with `go fmt`.
-We also recommend using `golint` and `errcheck`.
-
-Before your code can be accepted into the project you must also sign the
-[Individual Contributor License Agreement][1].
-
- [1]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/LICENSE b/vendor/gopkg.in/go-jose/go-jose.v2/LICENSE
deleted file mode 100644
index d6456956733..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/README.md b/vendor/gopkg.in/go-jose/go-jose.v2/README.md
deleted file mode 100644
index b877f412c41..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# go-jose v2
-
-Version 2 of this library is no longer supported. [Please use v4
-instead](https://pkg.go.dev/github.com/go-jose/go-jose/v4).
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
deleted file mode 100644
index 43f9ce2fc70..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/asymmetric.go
+++ /dev/null
@@ -1,595 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"crypto"
-	"crypto/aes"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/sha256"
-	"errors"
-	"fmt"
-	"math/big"
-
-	"golang.org/x/crypto/ed25519"
-	josecipher "gopkg.in/go-jose/go-jose.v2/cipher"
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// A generic RSA-based encrypter/verifier
-type rsaEncrypterVerifier struct {
-	publicKey *rsa.PublicKey
-}
-
-// A generic RSA-based decrypter/signer
-type rsaDecrypterSigner struct {
-	privateKey *rsa.PrivateKey
-}
-
-// A generic EC-based encrypter/verifier
-type ecEncrypterVerifier struct {
-	publicKey *ecdsa.PublicKey
-}
-
-type edEncrypterVerifier struct {
-	publicKey ed25519.PublicKey
-}
-
-// A key generator for ECDH-ES
-type ecKeyGenerator struct {
-	size      int
-	algID     string
-	publicKey *ecdsa.PublicKey
-}
-
-// A generic EC-based decrypter/signer
-type ecDecrypterSigner struct {
-	privateKey *ecdsa.PrivateKey
-}
-
-type edDecrypterSigner struct {
-	privateKey ed25519.PrivateKey
-}
-
-// newRSARecipient creates recipientKeyInfo based on the given key.
-func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKeyInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch keyAlg {
-	case RSA1_5, RSA_OAEP, RSA_OAEP_256:
-	default:
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if publicKey == nil {
-		return recipientKeyInfo{}, errors.New("invalid public key")
-	}
-
-	return recipientKeyInfo{
-		keyAlg: keyAlg,
-		keyEncrypter: &rsaEncrypterVerifier{
-			publicKey: publicKey,
-		},
-	}, nil
-}
-
-// newRSASigner creates a recipientSigInfo based on the given key.
-func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipientSigInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch sigAlg {
-	case RS256, RS384, RS512, PS256, PS384, PS512:
-	default:
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if privateKey == nil {
-		return recipientSigInfo{}, errors.New("invalid private key")
-	}
-
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		publicKey: staticPublicKey(&JSONWebKey{
-			Key: privateKey.Public(),
-		}),
-		signer: &rsaDecrypterSigner{
-			privateKey: privateKey,
-		},
-	}, nil
-}
-
-func newEd25519Signer(sigAlg SignatureAlgorithm, privateKey ed25519.PrivateKey) (recipientSigInfo, error) {
-	if sigAlg != EdDSA {
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if privateKey == nil {
-		return recipientSigInfo{}, errors.New("invalid private key")
-	}
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		publicKey: staticPublicKey(&JSONWebKey{
-			Key: privateKey.Public(),
-		}),
-		signer: &edDecrypterSigner{
-			privateKey: privateKey,
-		},
-	}, nil
-}
-
-// newECDHRecipient creates recipientKeyInfo based on the given key.
-func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipientKeyInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch keyAlg {
-	case ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
-	default:
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if publicKey == nil || !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
-		return recipientKeyInfo{}, errors.New("invalid public key")
-	}
-
-	return recipientKeyInfo{
-		keyAlg: keyAlg,
-		keyEncrypter: &ecEncrypterVerifier{
-			publicKey: publicKey,
-		},
-	}, nil
-}
-
-// newECDSASigner creates a recipientSigInfo based on the given key.
-func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (recipientSigInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch sigAlg {
-	case ES256, ES384, ES512:
-	default:
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if privateKey == nil {
-		return recipientSigInfo{}, errors.New("invalid private key")
-	}
-
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		publicKey: staticPublicKey(&JSONWebKey{
-			Key: privateKey.Public(),
-		}),
-		signer: &ecDecrypterSigner{
-			privateKey: privateKey,
-		},
-	}, nil
-}
-
-// Encrypt the given payload and update the object.
-func (ctx rsaEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	encryptedKey, err := ctx.encrypt(cek, alg)
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	return recipientInfo{
-		encryptedKey: encryptedKey,
-		header:       &rawHeader{},
-	}, nil
-}
-
-// Encrypt the given payload. Based on the key encryption algorithm,
-// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
-func (ctx rsaEncrypterVerifier) encrypt(cek []byte, alg KeyAlgorithm) ([]byte, error) {
-	switch alg {
-	case RSA1_5:
-		return rsa.EncryptPKCS1v15(RandReader, ctx.publicKey, cek)
-	case RSA_OAEP:
-		return rsa.EncryptOAEP(sha1.New(), RandReader, ctx.publicKey, cek, []byte{})
-	case RSA_OAEP_256:
-		return rsa.EncryptOAEP(sha256.New(), RandReader, ctx.publicKey, cek, []byte{})
-	}
-
-	return nil, ErrUnsupportedAlgorithm
-}
-
-// Decrypt the given payload and return the content encryption key.
-func (ctx rsaDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	return ctx.decrypt(recipient.encryptedKey, headers.getAlgorithm(), generator)
-}
-
-// Decrypt the given payload. Based on the key encryption algorithm,
-// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
-func (ctx rsaDecrypterSigner) decrypt(jek []byte, alg KeyAlgorithm, generator keyGenerator) ([]byte, error) {
-	// Note: The random reader on decrypt operations is only used for blinding,
-	// so stubbing is meanlingless (hence the direct use of rand.Reader).
-	switch alg {
-	case RSA1_5:
-		defer func() {
-			// DecryptPKCS1v15SessionKey sometimes panics on an invalid payload
-			// because of an index out of bounds error, which we want to ignore.
-			// This has been fixed in Go 1.3.1 (released 2014/08/13), the recover()
-			// only exists for preventing crashes with unpatched versions.
-			// See: https://groups.google.com/forum/#!topic/golang-dev/7ihX6Y6kx9k
-			// See: https://code.google.com/p/go/source/detail?r=58ee390ff31602edb66af41ed10901ec95904d33
-			_ = recover()
-		}()
-
-		// Perform some input validation.
-		keyBytes := ctx.privateKey.PublicKey.N.BitLen() / 8
-		if keyBytes != len(jek) {
-			// Input size is incorrect, the encrypted payload should always match
-			// the size of the public modulus (e.g. using a 2048 bit key will
-			// produce 256 bytes of output). Reject this since it's invalid input.
-			return nil, ErrCryptoFailure
-		}
-
-		cek, _, err := generator.genKey()
-		if err != nil {
-			return nil, ErrCryptoFailure
-		}
-
-		// When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to
-		// prevent chosen-ciphertext attacks as described in RFC 3218, "Preventing
-		// the Million Message Attack on Cryptographic Message Syntax". We are
-		// therefore deliberately ignoring errors here.
-		_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, ctx.privateKey, jek, cek)
-
-		return cek, nil
-	case RSA_OAEP:
-		// Use rand.Reader for RSA blinding
-		return rsa.DecryptOAEP(sha1.New(), rand.Reader, ctx.privateKey, jek, []byte{})
-	case RSA_OAEP_256:
-		// Use rand.Reader for RSA blinding
-		return rsa.DecryptOAEP(sha256.New(), rand.Reader, ctx.privateKey, jek, []byte{})
-	}
-
-	return nil, ErrUnsupportedAlgorithm
-}
-
-// Sign the given payload
-func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	var hash crypto.Hash
-
-	switch alg {
-	case RS256, PS256:
-		hash = crypto.SHA256
-	case RS384, PS384:
-		hash = crypto.SHA384
-	case RS512, PS512:
-		hash = crypto.SHA512
-	default:
-		return Signature{}, ErrUnsupportedAlgorithm
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	var out []byte
-	var err error
-
-	switch alg {
-	case RS256, RS384, RS512:
-		// TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the
-		// random parameter is legacy and ignored, and it can be nil.
-		// https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1
-		out, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed)
-	case PS256, PS384, PS512:
-		out, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{
-			SaltLength: rsa.PSSSaltLengthEqualsHash,
-		})
-	}
-
-	if err != nil {
-		return Signature{}, err
-	}
-
-	return Signature{
-		Signature: out,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// Verify the given payload
-func (ctx rsaEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	var hash crypto.Hash
-
-	switch alg {
-	case RS256, PS256:
-		hash = crypto.SHA256
-	case RS384, PS384:
-		hash = crypto.SHA384
-	case RS512, PS512:
-		hash = crypto.SHA512
-	default:
-		return ErrUnsupportedAlgorithm
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	switch alg {
-	case RS256, RS384, RS512:
-		return rsa.VerifyPKCS1v15(ctx.publicKey, hash, hashed, signature)
-	case PS256, PS384, PS512:
-		return rsa.VerifyPSS(ctx.publicKey, hash, hashed, signature, nil)
-	}
-
-	return ErrUnsupportedAlgorithm
-}
-
-// Encrypt the given payload and update the object.
-func (ctx ecEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	switch alg {
-	case ECDH_ES:
-		// ECDH-ES mode doesn't wrap a key, the shared secret is used directly as the key.
-		return recipientInfo{
-			header: &rawHeader{},
-		}, nil
-	case ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
-	default:
-		return recipientInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	generator := ecKeyGenerator{
-		algID:     string(alg),
-		publicKey: ctx.publicKey,
-	}
-
-	switch alg {
-	case ECDH_ES_A128KW:
-		generator.size = 16
-	case ECDH_ES_A192KW:
-		generator.size = 24
-	case ECDH_ES_A256KW:
-		generator.size = 32
-	}
-
-	kek, header, err := generator.genKey()
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	block, err := aes.NewCipher(kek)
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	jek, err := josecipher.KeyWrap(block, cek)
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	return recipientInfo{
-		encryptedKey: jek,
-		header:       &header,
-	}, nil
-}
-
-// Get key size for EC key generator
-func (ctx ecKeyGenerator) keySize() int {
-	return ctx.size
-}
-
-// Get a content encryption key for ECDH-ES
-func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
-	priv, err := ecdsa.GenerateKey(ctx.publicKey.Curve, RandReader)
-	if err != nil {
-		return nil, rawHeader{}, err
-	}
-
-	out := josecipher.DeriveECDHES(ctx.algID, []byte{}, []byte{}, priv, ctx.publicKey, ctx.size)
-
-	b, err := json.Marshal(&JSONWebKey{
-		Key: &priv.PublicKey,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-
-	headers := rawHeader{
-		headerEPK: makeRawMessage(b),
-	}
-
-	return out, headers, nil
-}
-
-// Decrypt the given payload and return the content encryption key.
-func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	epk, err := headers.getEPK()
-	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid epk header")
-	}
-	if epk == nil {
-		return nil, errors.New("go-jose/go-jose: missing epk header")
-	}
-
-	publicKey, ok := epk.Key.(*ecdsa.PublicKey)
-	if publicKey == nil || !ok {
-		return nil, errors.New("go-jose/go-jose: invalid epk header")
-	}
-
-	if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
-		return nil, errors.New("go-jose/go-jose: invalid public key in epk header")
-	}
-
-	apuData, err := headers.getAPU()
-	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid apu header")
-	}
-	apvData, err := headers.getAPV()
-	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid apv header")
-	}
-
-	deriveKey := func(algID string, size int) []byte {
-		return josecipher.DeriveECDHES(algID, apuData.bytes(), apvData.bytes(), ctx.privateKey, publicKey, size)
-	}
-
-	var keySize int
-
-	algorithm := headers.getAlgorithm()
-	switch algorithm {
-	case ECDH_ES:
-		// ECDH-ES uses direct key agreement, no key unwrapping necessary.
-		return deriveKey(string(headers.getEncryption()), generator.keySize()), nil
-	case ECDH_ES_A128KW:
-		keySize = 16
-	case ECDH_ES_A192KW:
-		keySize = 24
-	case ECDH_ES_A256KW:
-		keySize = 32
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-
-	key := deriveKey(string(algorithm), keySize)
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	return josecipher.KeyUnwrap(block, recipient.encryptedKey)
-}
-
-func (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	if alg != EdDSA {
-		return Signature{}, ErrUnsupportedAlgorithm
-	}
-
-	sig, err := ctx.privateKey.Sign(RandReader, payload, crypto.Hash(0))
-	if err != nil {
-		return Signature{}, err
-	}
-
-	return Signature{
-		Signature: sig,
-		protected: &rawHeader{},
-	}, nil
-}
-
-func (ctx edEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	if alg != EdDSA {
-		return ErrUnsupportedAlgorithm
-	}
-	ok := ed25519.Verify(ctx.publicKey, payload, signature)
-	if !ok {
-		return errors.New("go-jose/go-jose: ed25519 signature failed to verify")
-	}
-	return nil
-}
-
-// Sign the given payload
-func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	var expectedBitSize int
-	var hash crypto.Hash
-
-	switch alg {
-	case ES256:
-		expectedBitSize = 256
-		hash = crypto.SHA256
-	case ES384:
-		expectedBitSize = 384
-		hash = crypto.SHA384
-	case ES512:
-		expectedBitSize = 521
-		hash = crypto.SHA512
-	}
-
-	curveBits := ctx.privateKey.Curve.Params().BitSize
-	if expectedBitSize != curveBits {
-		return Signature{}, fmt.Errorf("go-jose/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	r, s, err := ecdsa.Sign(RandReader, ctx.privateKey, hashed)
-	if err != nil {
-		return Signature{}, err
-	}
-
-	keyBytes := curveBits / 8
-	if curveBits%8 > 0 {
-		keyBytes++
-	}
-
-	// We serialize the outputs (r and s) into big-endian byte arrays and pad
-	// them with zeros on the left to make sure the sizes work out. Both arrays
-	// must be keyBytes long, and the output must be 2*keyBytes long.
-	rBytes := r.Bytes()
-	rBytesPadded := make([]byte, keyBytes)
-	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
-
-	sBytes := s.Bytes()
-	sBytesPadded := make([]byte, keyBytes)
-	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
-
-	out := append(rBytesPadded, sBytesPadded...)
-
-	return Signature{
-		Signature: out,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// Verify the given payload
-func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	var keySize int
-	var hash crypto.Hash
-
-	switch alg {
-	case ES256:
-		keySize = 32
-		hash = crypto.SHA256
-	case ES384:
-		keySize = 48
-		hash = crypto.SHA384
-	case ES512:
-		keySize = 66
-		hash = crypto.SHA512
-	default:
-		return ErrUnsupportedAlgorithm
-	}
-
-	if len(signature) != 2*keySize {
-		return fmt.Errorf("go-jose/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	r := big.NewInt(0).SetBytes(signature[:keySize])
-	s := big.NewInt(0).SetBytes(signature[keySize:])
-
-	match := ecdsa.Verify(ctx.publicKey, hashed, r, s)
-	if !match {
-		return errors.New("go-jose/go-jose: ecdsa signature failed to verify")
-	}
-
-	return nil
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/cbc_hmac.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/cbc_hmac.go
deleted file mode 100644
index 87065a5b96e..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/cbc_hmac.go
+++ /dev/null
@@ -1,196 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"bytes"
-	"crypto/cipher"
-	"crypto/hmac"
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/subtle"
-	"encoding/binary"
-	"errors"
-	"hash"
-)
-
-const (
-	nonceBytes = 16
-)
-
-// NewCBCHMAC instantiates a new AEAD based on CBC+HMAC.
-func NewCBCHMAC(key []byte, newBlockCipher func([]byte) (cipher.Block, error)) (cipher.AEAD, error) {
-	keySize := len(key) / 2
-	integrityKey := key[:keySize]
-	encryptionKey := key[keySize:]
-
-	blockCipher, err := newBlockCipher(encryptionKey)
-	if err != nil {
-		return nil, err
-	}
-
-	var hash func() hash.Hash
-	switch keySize {
-	case 16:
-		hash = sha256.New
-	case 24:
-		hash = sha512.New384
-	case 32:
-		hash = sha512.New
-	}
-
-	return &cbcAEAD{
-		hash:         hash,
-		blockCipher:  blockCipher,
-		authtagBytes: keySize,
-		integrityKey: integrityKey,
-	}, nil
-}
-
-// An AEAD based on CBC+HMAC
-type cbcAEAD struct {
-	hash         func() hash.Hash
-	authtagBytes int
-	integrityKey []byte
-	blockCipher  cipher.Block
-}
-
-func (ctx *cbcAEAD) NonceSize() int {
-	return nonceBytes
-}
-
-func (ctx *cbcAEAD) Overhead() int {
-	// Maximum overhead is block size (for padding) plus auth tag length, where
-	// the length of the auth tag is equivalent to the key size.
-	return ctx.blockCipher.BlockSize() + ctx.authtagBytes
-}
-
-// Seal encrypts and authenticates the plaintext.
-func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
-	// Output buffer -- must take care not to mangle plaintext input.
-	ciphertext := make([]byte, uint64(len(plaintext))+uint64(ctx.Overhead()))[:len(plaintext)]
-	copy(ciphertext, plaintext)
-	ciphertext = padBuffer(ciphertext, ctx.blockCipher.BlockSize())
-
-	cbc := cipher.NewCBCEncrypter(ctx.blockCipher, nonce)
-
-	cbc.CryptBlocks(ciphertext, ciphertext)
-	authtag := ctx.computeAuthTag(data, nonce, ciphertext)
-
-	ret, out := resize(dst, uint64(len(dst))+uint64(len(ciphertext))+uint64(len(authtag)))
-	copy(out, ciphertext)
-	copy(out[len(ciphertext):], authtag)
-
-	return ret
-}
-
-// Open decrypts and authenticates the ciphertext.
-func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
-	if len(ciphertext) < ctx.authtagBytes {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (too short)")
-	}
-
-	offset := len(ciphertext) - ctx.authtagBytes
-	expectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])
-	match := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])
-	if match != 1 {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (auth tag mismatch)")
-	}
-
-	cbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)
-
-	// Make copy of ciphertext buffer, don't want to modify in place
-	buffer := append([]byte{}, []byte(ciphertext[:offset])...)
-
-	if len(buffer)%ctx.blockCipher.BlockSize() > 0 {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (invalid length)")
-	}
-
-	cbc.CryptBlocks(buffer, buffer)
-
-	// Remove padding
-	plaintext, err := unpadBuffer(buffer, ctx.blockCipher.BlockSize())
-	if err != nil {
-		return nil, err
-	}
-
-	ret, out := resize(dst, uint64(len(dst))+uint64(len(plaintext)))
-	copy(out, plaintext)
-
-	return ret, nil
-}
-
-// Compute an authentication tag
-func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
-	buffer := make([]byte, uint64(len(aad))+uint64(len(nonce))+uint64(len(ciphertext))+8)
-	n := 0
-	n += copy(buffer, aad)
-	n += copy(buffer[n:], nonce)
-	n += copy(buffer[n:], ciphertext)
-	binary.BigEndian.PutUint64(buffer[n:], uint64(len(aad))*8)
-
-	// According to documentation, Write() on hash.Hash never fails.
-	hmac := hmac.New(ctx.hash, ctx.integrityKey)
-	_, _ = hmac.Write(buffer)
-
-	return hmac.Sum(nil)[:ctx.authtagBytes]
-}
-
-// resize ensures that the given slice has a capacity of at least n bytes.
-// If the capacity of the slice is less than n, a new slice is allocated
-// and the existing data will be copied.
-func resize(in []byte, n uint64) (head, tail []byte) {
-	if uint64(cap(in)) >= n {
-		head = in[:n]
-	} else {
-		head = make([]byte, n)
-		copy(head, in)
-	}
-
-	tail = head[len(in):]
-	return
-}
-
-// Apply padding
-func padBuffer(buffer []byte, blockSize int) []byte {
-	missing := blockSize - (len(buffer) % blockSize)
-	ret, out := resize(buffer, uint64(len(buffer))+uint64(missing))
-	padding := bytes.Repeat([]byte{byte(missing)}, missing)
-	copy(out, padding)
-	return ret
-}
-
-// Remove padding
-func unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {
-	if len(buffer)%blockSize != 0 {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
-	}
-
-	last := buffer[len(buffer)-1]
-	count := int(last)
-
-	if count == 0 || count > blockSize || count > len(buffer) {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
-	}
-
-	padding := bytes.Repeat([]byte{last}, count)
-	if !bytes.HasSuffix(buffer, padding) {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
-	}
-
-	return buffer[:len(buffer)-count], nil
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/concat_kdf.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/concat_kdf.go
deleted file mode 100644
index f62c3bdba5d..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/concat_kdf.go
+++ /dev/null
@@ -1,75 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"crypto"
-	"encoding/binary"
-	"hash"
-	"io"
-)
-
-type concatKDF struct {
-	z, info []byte
-	i       uint32
-	cache   []byte
-	hasher  hash.Hash
-}
-
-// NewConcatKDF builds a KDF reader based on the given inputs.
-func NewConcatKDF(hash crypto.Hash, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo []byte) io.Reader {
-	buffer := make([]byte, uint64(len(algID))+uint64(len(ptyUInfo))+uint64(len(ptyVInfo))+uint64(len(supPubInfo))+uint64(len(supPrivInfo)))
-	n := 0
-	n += copy(buffer, algID)
-	n += copy(buffer[n:], ptyUInfo)
-	n += copy(buffer[n:], ptyVInfo)
-	n += copy(buffer[n:], supPubInfo)
-	copy(buffer[n:], supPrivInfo)
-
-	hasher := hash.New()
-
-	return &concatKDF{
-		z:      z,
-		info:   buffer,
-		hasher: hasher,
-		cache:  []byte{},
-		i:      1,
-	}
-}
-
-func (ctx *concatKDF) Read(out []byte) (int, error) {
-	copied := copy(out, ctx.cache)
-	ctx.cache = ctx.cache[copied:]
-
-	for copied < len(out) {
-		ctx.hasher.Reset()
-
-		// Write on a hash.Hash never fails
-		_ = binary.Write(ctx.hasher, binary.BigEndian, ctx.i)
-		_, _ = ctx.hasher.Write(ctx.z)
-		_, _ = ctx.hasher.Write(ctx.info)
-
-		hash := ctx.hasher.Sum(nil)
-		chunkCopied := copy(out[copied:], hash)
-		copied += chunkCopied
-		ctx.cache = hash[chunkCopied:]
-
-		ctx.i++
-	}
-
-	return copied, nil
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/ecdh_es.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/ecdh_es.go
deleted file mode 100644
index 093c646740b..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/ecdh_es.go
+++ /dev/null
@@ -1,86 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"encoding/binary"
-)
-
-// DeriveECDHES derives a shared encryption key using ECDH/ConcatKDF as described in JWE/JWA.
-// It is an error to call this function with a private/public key that are not on the same
-// curve. Callers must ensure that the keys are valid before calling this function. Output
-// size may be at most 1<<16 bytes (64 KiB).
-func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte {
-	if size > 1<<16 {
-		panic("ECDH-ES output size too large, must be less than or equal to 1<<16")
-	}
-
-	// algId, partyUInfo, partyVInfo inputs must be prefixed with the length
-	algID := lengthPrefixed([]byte(alg))
-	ptyUInfo := lengthPrefixed(apuData)
-	ptyVInfo := lengthPrefixed(apvData)
-
-	// suppPubInfo is the encoded length of the output size in bits
-	supPubInfo := make([]byte, 4)
-	binary.BigEndian.PutUint32(supPubInfo, uint32(size)*8)
-
-	if !priv.PublicKey.Curve.IsOnCurve(pub.X, pub.Y) {
-		panic("public key not on same curve as private key")
-	}
-
-	z, _ := priv.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())
-	zBytes := z.Bytes()
-
-	// Note that calling z.Bytes() on a big.Int may strip leading zero bytes from
-	// the returned byte array. This can lead to a problem where zBytes will be
-	// shorter than expected which breaks the key derivation. Therefore we must pad
-	// to the full length of the expected coordinate here before calling the KDF.
-	octSize := dSize(priv.Curve)
-	if len(zBytes) != octSize {
-		zBytes = append(bytes.Repeat([]byte{0}, octSize-len(zBytes)), zBytes...)
-	}
-
-	reader := NewConcatKDF(crypto.SHA256, zBytes, algID, ptyUInfo, ptyVInfo, supPubInfo, []byte{})
-	key := make([]byte, size)
-
-	// Read on the KDF will never fail
-	_, _ = reader.Read(key)
-
-	return key
-}
-
-// dSize returns the size in octets for a coordinate on a elliptic curve.
-func dSize(curve elliptic.Curve) int {
-	order := curve.Params().P
-	bitLen := order.BitLen()
-	size := bitLen / 8
-	if bitLen%8 != 0 {
-		size++
-	}
-	return size
-}
-
-func lengthPrefixed(data []byte) []byte {
-	out := make([]byte, len(data)+4)
-	binary.BigEndian.PutUint32(out, uint32(len(data)))
-	copy(out[4:], data)
-	return out
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/key_wrap.go b/vendor/gopkg.in/go-jose/go-jose.v2/cipher/key_wrap.go
deleted file mode 100644
index 668358f981b..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/cipher/key_wrap.go
+++ /dev/null
@@ -1,109 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"crypto/cipher"
-	"crypto/subtle"
-	"encoding/binary"
-	"errors"
-)
-
-var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
-
-// KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.
-func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
-	if len(cek)%8 != 0 {
-		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
-	}
-
-	n := len(cek) / 8
-	r := make([][]byte, n)
-
-	for i := range r {
-		r[i] = make([]byte, 8)
-		copy(r[i], cek[i*8:])
-	}
-
-	buffer := make([]byte, 16)
-	tBytes := make([]byte, 8)
-	copy(buffer, defaultIV)
-
-	for t := 0; t < 6*n; t++ {
-		copy(buffer[8:], r[t%n])
-
-		block.Encrypt(buffer, buffer)
-
-		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
-
-		for i := 0; i < 8; i++ {
-			buffer[i] = buffer[i] ^ tBytes[i]
-		}
-		copy(r[t%n], buffer[8:])
-	}
-
-	out := make([]byte, (n+1)*8)
-	copy(out, buffer[:8])
-	for i := range r {
-		copy(out[(i+1)*8:], r[i])
-	}
-
-	return out, nil
-}
-
-// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
-func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
-	if len(ciphertext)%8 != 0 {
-		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
-	}
-
-	n := (len(ciphertext) / 8) - 1
-	r := make([][]byte, n)
-
-	for i := range r {
-		r[i] = make([]byte, 8)
-		copy(r[i], ciphertext[(i+1)*8:])
-	}
-
-	buffer := make([]byte, 16)
-	tBytes := make([]byte, 8)
-	copy(buffer[:8], ciphertext[:8])
-
-	for t := 6*n - 1; t >= 0; t-- {
-		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
-
-		for i := 0; i < 8; i++ {
-			buffer[i] = buffer[i] ^ tBytes[i]
-		}
-		copy(buffer[8:], r[t%n])
-
-		block.Decrypt(buffer, buffer)
-
-		copy(r[t%n], buffer[8:])
-	}
-
-	if subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {
-		return nil, errors.New("go-jose/go-jose: failed to unwrap key")
-	}
-
-	out := make([]byte, n*8)
-	for i := range r {
-		copy(out[i*8:], r[i])
-	}
-
-	return out, nil
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go b/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
deleted file mode 100644
index 0ae2e5ebaa7..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/crypter.go
+++ /dev/null
@@ -1,548 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"errors"
-	"fmt"
-	"reflect"
-
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// Encrypter represents an encrypter which produces an encrypted JWE object.
-type Encrypter interface {
-	Encrypt(plaintext []byte) (*JSONWebEncryption, error)
-	EncryptWithAuthData(plaintext []byte, aad []byte) (*JSONWebEncryption, error)
-	Options() EncrypterOptions
-}
-
-// A generic content cipher
-type contentCipher interface {
-	keySize() int
-	encrypt(cek []byte, aad, plaintext []byte) (*aeadParts, error)
-	decrypt(cek []byte, aad []byte, parts *aeadParts) ([]byte, error)
-}
-
-// A key generator (for generating/getting a CEK)
-type keyGenerator interface {
-	keySize() int
-	genKey() ([]byte, rawHeader, error)
-}
-
-// A generic key encrypter
-type keyEncrypter interface {
-	encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) // Encrypt a key
-}
-
-// A generic key decrypter
-type keyDecrypter interface {
-	decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) // Decrypt a key
-}
-
-// A generic encrypter based on the given key encrypter and content cipher.
-type genericEncrypter struct {
-	contentAlg     ContentEncryption
-	compressionAlg CompressionAlgorithm
-	cipher         contentCipher
-	recipients     []recipientKeyInfo
-	keyGenerator   keyGenerator
-	extraHeaders   map[HeaderKey]interface{}
-}
-
-type recipientKeyInfo struct {
-	keyID        string
-	keyAlg       KeyAlgorithm
-	keyEncrypter keyEncrypter
-}
-
-// EncrypterOptions represents options that can be set on new encrypters.
-type EncrypterOptions struct {
-	Compression CompressionAlgorithm
-
-	// Optional map of additional keys to be inserted into the protected header
-	// of a JWS object. Some specifications which make use of JWS like to insert
-	// additional values here. All values must be JSON-serializable.
-	ExtraHeaders map[HeaderKey]interface{}
-}
-
-// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
-// if necessary. It returns itself and so can be used in a fluent style.
-func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions {
-	if eo.ExtraHeaders == nil {
-		eo.ExtraHeaders = map[HeaderKey]interface{}{}
-	}
-	eo.ExtraHeaders[k] = v
-	return eo
-}
-
-// WithContentType adds a content type ("cty") header and returns the updated
-// EncrypterOptions.
-func (eo *EncrypterOptions) WithContentType(contentType ContentType) *EncrypterOptions {
-	return eo.WithHeader(HeaderContentType, contentType)
-}
-
-// WithType adds a type ("typ") header and returns the updated EncrypterOptions.
-func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions {
-	return eo.WithHeader(HeaderType, typ)
-}
-
-// Recipient represents an algorithm/key to encrypt messages to.
-//
-// PBES2Count and PBES2Salt correspond with the  "p2c" and "p2s" headers used
-// on the password-based encryption algorithms PBES2-HS256+A128KW,
-// PBES2-HS384+A192KW, and PBES2-HS512+A256KW. If they are not provided a safe
-// default of 100000 will be used for the count and a 128-bit random salt will
-// be generated.
-type Recipient struct {
-	Algorithm  KeyAlgorithm
-	Key        interface{}
-	KeyID      string
-	PBES2Count int
-	PBES2Salt  []byte
-}
-
-// NewEncrypter creates an appropriate encrypter based on the key type
-func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error) {
-	encrypter := &genericEncrypter{
-		contentAlg: enc,
-		recipients: []recipientKeyInfo{},
-		cipher:     getContentCipher(enc),
-	}
-	if opts != nil {
-		encrypter.compressionAlg = opts.Compression
-		encrypter.extraHeaders = opts.ExtraHeaders
-	}
-
-	if encrypter.cipher == nil {
-		return nil, ErrUnsupportedAlgorithm
-	}
-
-	var keyID string
-	var rawKey interface{}
-	switch encryptionKey := rcpt.Key.(type) {
-	case JSONWebKey:
-		keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key
-	case *JSONWebKey:
-		keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key
-	case OpaqueKeyEncrypter:
-		keyID, rawKey = encryptionKey.KeyID(), encryptionKey
-	default:
-		rawKey = encryptionKey
-	}
-
-	switch rcpt.Algorithm {
-	case DIRECT:
-		// Direct encryption mode must be treated differently
-		if reflect.TypeOf(rawKey) != reflect.TypeOf([]byte{}) {
-			return nil, ErrUnsupportedKeyType
-		}
-		if encrypter.cipher.keySize() != len(rawKey.([]byte)) {
-			return nil, ErrInvalidKeySize
-		}
-		encrypter.keyGenerator = staticKeyGenerator{
-			key: rawKey.([]byte),
-		}
-		recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, rawKey.([]byte))
-		recipientInfo.keyID = keyID
-		if rcpt.KeyID != "" {
-			recipientInfo.keyID = rcpt.KeyID
-		}
-		encrypter.recipients = []recipientKeyInfo{recipientInfo}
-		return encrypter, nil
-	case ECDH_ES:
-		// ECDH-ES (w/o key wrapping) is similar to DIRECT mode
-		typeOf := reflect.TypeOf(rawKey)
-		if typeOf != reflect.TypeOf(&ecdsa.PublicKey{}) {
-			return nil, ErrUnsupportedKeyType
-		}
-		encrypter.keyGenerator = ecKeyGenerator{
-			size:      encrypter.cipher.keySize(),
-			algID:     string(enc),
-			publicKey: rawKey.(*ecdsa.PublicKey),
-		}
-		recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, rawKey.(*ecdsa.PublicKey))
-		recipientInfo.keyID = keyID
-		if rcpt.KeyID != "" {
-			recipientInfo.keyID = rcpt.KeyID
-		}
-		encrypter.recipients = []recipientKeyInfo{recipientInfo}
-		return encrypter, nil
-	default:
-		// Can just add a standard recipient
-		encrypter.keyGenerator = randomKeyGenerator{
-			size: encrypter.cipher.keySize(),
-		}
-		err := encrypter.addRecipient(rcpt)
-		return encrypter, err
-	}
-}
-
-// NewMultiEncrypter creates a multi-encrypter based on the given parameters
-func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *EncrypterOptions) (Encrypter, error) {
-	cipher := getContentCipher(enc)
-
-	if cipher == nil {
-		return nil, ErrUnsupportedAlgorithm
-	}
-	if rcpts == nil || len(rcpts) == 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: recipients is nil or empty")
-	}
-
-	encrypter := &genericEncrypter{
-		contentAlg: enc,
-		recipients: []recipientKeyInfo{},
-		cipher:     cipher,
-		keyGenerator: randomKeyGenerator{
-			size: cipher.keySize(),
-		},
-	}
-
-	if opts != nil {
-		encrypter.compressionAlg = opts.Compression
-		encrypter.extraHeaders = opts.ExtraHeaders
-	}
-
-	for _, recipient := range rcpts {
-		err := encrypter.addRecipient(recipient)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return encrypter, nil
-}
-
-func (ctx *genericEncrypter) addRecipient(recipient Recipient) (err error) {
-	var recipientInfo recipientKeyInfo
-
-	switch recipient.Algorithm {
-	case DIRECT, ECDH_ES:
-		return fmt.Errorf("go-jose/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm)
-	}
-
-	recipientInfo, err = makeJWERecipient(recipient.Algorithm, recipient.Key)
-	if recipient.KeyID != "" {
-		recipientInfo.keyID = recipient.KeyID
-	}
-
-	switch recipient.Algorithm {
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-		if sr, ok := recipientInfo.keyEncrypter.(*symmetricKeyCipher); ok {
-			sr.p2c = recipient.PBES2Count
-			sr.p2s = recipient.PBES2Salt
-		}
-	}
-
-	if err == nil {
-		ctx.recipients = append(ctx.recipients, recipientInfo)
-	}
-	return err
-}
-
-func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKeyInfo, error) {
-	switch encryptionKey := encryptionKey.(type) {
-	case *rsa.PublicKey:
-		return newRSARecipient(alg, encryptionKey)
-	case *ecdsa.PublicKey:
-		return newECDHRecipient(alg, encryptionKey)
-	case []byte:
-		return newSymmetricRecipient(alg, encryptionKey)
-	case string:
-		return newSymmetricRecipient(alg, []byte(encryptionKey))
-	case *JSONWebKey:
-		recipient, err := makeJWERecipient(alg, encryptionKey.Key)
-		recipient.keyID = encryptionKey.KeyID
-		return recipient, err
-	}
-	if encrypter, ok := encryptionKey.(OpaqueKeyEncrypter); ok {
-		return newOpaqueKeyEncrypter(alg, encrypter)
-	}
-	return recipientKeyInfo{}, ErrUnsupportedKeyType
-}
-
-// newDecrypter creates an appropriate decrypter based on the key type
-func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) {
-	switch decryptionKey := decryptionKey.(type) {
-	case *rsa.PrivateKey:
-		return &rsaDecrypterSigner{
-			privateKey: decryptionKey,
-		}, nil
-	case *ecdsa.PrivateKey:
-		return &ecDecrypterSigner{
-			privateKey: decryptionKey,
-		}, nil
-	case []byte:
-		return &symmetricKeyCipher{
-			key: decryptionKey,
-		}, nil
-	case string:
-		return &symmetricKeyCipher{
-			key: []byte(decryptionKey),
-		}, nil
-	case JSONWebKey:
-		return newDecrypter(decryptionKey.Key)
-	case *JSONWebKey:
-		return newDecrypter(decryptionKey.Key)
-	}
-	if okd, ok := decryptionKey.(OpaqueKeyDecrypter); ok {
-		return &opaqueKeyDecrypter{decrypter: okd}, nil
-	}
-	return nil, ErrUnsupportedKeyType
-}
-
-// Implementation of encrypt method producing a JWE object.
-func (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JSONWebEncryption, error) {
-	return ctx.EncryptWithAuthData(plaintext, nil)
-}
-
-// Implementation of encrypt method producing a JWE object.
-func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JSONWebEncryption, error) {
-	obj := &JSONWebEncryption{}
-	obj.aad = aad
-
-	obj.protected = &rawHeader{}
-	err := obj.protected.set(headerEncryption, ctx.contentAlg)
-	if err != nil {
-		return nil, err
-	}
-
-	obj.recipients = make([]recipientInfo, len(ctx.recipients))
-
-	if len(ctx.recipients) == 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: no recipients to encrypt to")
-	}
-
-	cek, headers, err := ctx.keyGenerator.genKey()
-	if err != nil {
-		return nil, err
-	}
-
-	obj.protected.merge(&headers)
-
-	for i, info := range ctx.recipients {
-		recipient, err := info.keyEncrypter.encryptKey(cek, info.keyAlg)
-		if err != nil {
-			return nil, err
-		}
-
-		err = recipient.header.set(headerAlgorithm, info.keyAlg)
-		if err != nil {
-			return nil, err
-		}
-
-		if info.keyID != "" {
-			err = recipient.header.set(headerKeyID, info.keyID)
-			if err != nil {
-				return nil, err
-			}
-		}
-		obj.recipients[i] = recipient
-	}
-
-	if len(ctx.recipients) == 1 {
-		// Move per-recipient headers into main protected header if there's
-		// only a single recipient.
-		obj.protected.merge(obj.recipients[0].header)
-		obj.recipients[0].header = nil
-	}
-
-	if ctx.compressionAlg != NONE {
-		plaintext, err = compress(ctx.compressionAlg, plaintext)
-		if err != nil {
-			return nil, err
-		}
-
-		err = obj.protected.set(headerCompression, ctx.compressionAlg)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	for k, v := range ctx.extraHeaders {
-		b, err := json.Marshal(v)
-		if err != nil {
-			return nil, err
-		}
-		(*obj.protected)[k] = makeRawMessage(b)
-	}
-
-	authData := obj.computeAuthData()
-	parts, err := ctx.cipher.encrypt(cek, authData, plaintext)
-	if err != nil {
-		return nil, err
-	}
-
-	obj.iv = parts.iv
-	obj.ciphertext = parts.ciphertext
-	obj.tag = parts.tag
-
-	return obj, nil
-}
-
-func (ctx *genericEncrypter) Options() EncrypterOptions {
-	return EncrypterOptions{
-		Compression:  ctx.compressionAlg,
-		ExtraHeaders: ctx.extraHeaders,
-	}
-}
-
-// Decrypt and validate the object and return the plaintext. Note that this
-// function does not support multi-recipient, if you desire multi-recipient
-// decryption use DecryptMulti instead.
-//
-// Automatically decompresses plaintext, but returns an error if the decompressed
-// data would be >250kB or >10x the size of the compressed data, whichever is larger.
-func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
-	headers := obj.mergedHeaders(nil)
-
-	if len(obj.recipients) > 1 {
-		return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
-	}
-
-	critical, err := headers.getCritical()
-	if err != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
-	}
-
-	if len(critical) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
-	}
-
-	decrypter, err := newDecrypter(decryptionKey)
-	if err != nil {
-		return nil, err
-	}
-
-	cipher := getContentCipher(headers.getEncryption())
-	if cipher == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(headers.getEncryption()))
-	}
-
-	generator := randomKeyGenerator{
-		size: cipher.keySize(),
-	}
-
-	parts := &aeadParts{
-		iv:         obj.iv,
-		ciphertext: obj.ciphertext,
-		tag:        obj.tag,
-	}
-
-	authData := obj.computeAuthData()
-
-	var plaintext []byte
-	recipient := obj.recipients[0]
-	recipientHeaders := obj.mergedHeaders(&recipient)
-
-	cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
-	if err == nil {
-		// Found a valid CEK -- let's try to decrypt.
-		plaintext, err = cipher.decrypt(cek, authData, parts)
-	}
-
-	if plaintext == nil {
-		return nil, ErrCryptoFailure
-	}
-
-	// The "zip" header parameter may only be present in the protected header.
-	if comp := obj.protected.getCompression(); comp != "" {
-		plaintext, err = decompress(comp, plaintext)
-	}
-
-	return plaintext, err
-}
-
-// DecryptMulti decrypts and validates the object and returns the plaintexts,
-// with support for multiple recipients. It returns the index of the recipient
-// for which the decryption was successful, the merged headers for that recipient,
-// and the plaintext.
-//
-// Automatically decompresses plaintext, but returns an error if the decompressed
-// data would be >250kB or >3x the size of the compressed data, whichever is larger.
-func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
-	globalHeaders := obj.mergedHeaders(nil)
-
-	critical, err := globalHeaders.getCritical()
-	if err != nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
-	}
-
-	if len(critical) > 0 {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
-	}
-
-	decrypter, err := newDecrypter(decryptionKey)
-	if err != nil {
-		return -1, Header{}, nil, err
-	}
-
-	encryption := globalHeaders.getEncryption()
-	cipher := getContentCipher(encryption)
-	if cipher == nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(encryption))
-	}
-
-	generator := randomKeyGenerator{
-		size: cipher.keySize(),
-	}
-
-	parts := &aeadParts{
-		iv:         obj.iv,
-		ciphertext: obj.ciphertext,
-		tag:        obj.tag,
-	}
-
-	authData := obj.computeAuthData()
-
-	index := -1
-	var plaintext []byte
-	var headers rawHeader
-
-	for i, recipient := range obj.recipients {
-		recipientHeaders := obj.mergedHeaders(&recipient)
-
-		cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
-		if err == nil {
-			// Found a valid CEK -- let's try to decrypt.
-			plaintext, err = cipher.decrypt(cek, authData, parts)
-			if err == nil {
-				index = i
-				headers = recipientHeaders
-				break
-			}
-		}
-	}
-
-	if plaintext == nil || err != nil {
-		return -1, Header{}, nil, ErrCryptoFailure
-	}
-
-	// The "zip" header parameter may only be present in the protected header.
-	if comp := obj.protected.getCompression(); comp != "" {
-		plaintext, err = decompress(comp, plaintext)
-	}
-
-	sanitized, err := headers.sanitized()
-	if err != nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to sanitize header: %v", err)
-	}
-
-	return index, sanitized, plaintext, err
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/doc.go b/vendor/gopkg.in/go-jose/go-jose.v2/doc.go
deleted file mode 100644
index dd1387f3f06..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/doc.go
+++ /dev/null
@@ -1,27 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
-
-Package jose aims to provide an implementation of the Javascript Object Signing
-and Encryption set of standards. It implements encryption and signing based on
-the JSON Web Encryption and JSON Web Signature standards, with optional JSON
-Web Token support available in a sub-package. The library supports both the
-compact and full serialization formats, and has optional support for multiple
-recipients.
-
-*/
-package jose
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
deleted file mode 100644
index 636f6c8f565..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
+++ /dev/null
@@ -1,198 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"compress/flate"
-	"encoding/base64"
-	"encoding/binary"
-	"fmt"
-	"io"
-	"math/big"
-	"strings"
-	"unicode"
-
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// Helper function to serialize known-good objects.
-// Precondition: value is not a nil pointer.
-func mustSerializeJSON(value interface{}) []byte {
-	out, err := json.Marshal(value)
-	if err != nil {
-		panic(err)
-	}
-	// We never want to serialize the top-level value "null," since it's not a
-	// valid JOSE message. But if a caller passes in a nil pointer to this method,
-	// MarshalJSON will happily serialize it as the top-level value "null". If
-	// that value is then embedded in another operation, for instance by being
-	// base64-encoded and fed as input to a signing algorithm
-	// (https://github.com/go-jose/go-jose/issues/22), the result will be
-	// incorrect. Because this method is intended for known-good objects, and a nil
-	// pointer is not a known-good object, we are free to panic in this case.
-	// Note: It's not possible to directly check whether the data pointed at by an
-	// interface is a nil pointer, so we do this hacky workaround.
-	// https://groups.google.com/forum/#!topic/golang-nuts/wnH302gBa4I
-	if string(out) == "null" {
-		panic("Tried to serialize a nil pointer.")
-	}
-	return out
-}
-
-// Strip all newlines and whitespace
-func stripWhitespace(data string) string {
-	buf := strings.Builder{}
-	buf.Grow(len(data))
-	for _, r := range data {
-		if !unicode.IsSpace(r) {
-			buf.WriteRune(r)
-		}
-	}
-	return buf.String()
-}
-
-// Perform compression based on algorithm
-func compress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
-	switch algorithm {
-	case DEFLATE:
-		return deflate(input)
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-}
-
-// Perform decompression based on algorithm
-func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
-	switch algorithm {
-	case DEFLATE:
-		return inflate(input)
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-}
-
-// deflate compresses the input.
-func deflate(input []byte) ([]byte, error) {
-	output := new(bytes.Buffer)
-
-	// Writing to byte buffer, err is always nil
-	writer, _ := flate.NewWriter(output, 1)
-	_, _ = io.Copy(writer, bytes.NewBuffer(input))
-
-	err := writer.Close()
-	return output.Bytes(), err
-}
-
-// inflate decompresses the input.
-//
-// Errors if the decompressed data would be >250kB or >10x the size of the
-// compressed data, whichever is larger.
-func inflate(input []byte) ([]byte, error) {
-	output := new(bytes.Buffer)
-	reader := flate.NewReader(bytes.NewBuffer(input))
-
-	maxCompressedSize := 10 * int64(len(input))
-	if maxCompressedSize < 250000 {
-		maxCompressedSize = 250000
-	}
-
-	limit := maxCompressedSize + 1
-	n, err := io.CopyN(output, reader, limit)
-	if err != nil && err != io.EOF {
-		return nil, err
-	}
-	if n == limit {
-		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
-	}
-
-	err = reader.Close()
-	return output.Bytes(), err
-}
-
-// byteBuffer represents a slice of bytes that can be serialized to url-safe base64.
-type byteBuffer struct {
-	data []byte
-}
-
-func newBuffer(data []byte) *byteBuffer {
-	if data == nil {
-		return nil
-	}
-	return &byteBuffer{
-		data: data,
-	}
-}
-
-func newFixedSizeBuffer(data []byte, length int) *byteBuffer {
-	if len(data) > length {
-		panic("go-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
-	}
-	pad := make([]byte, length-len(data))
-	return newBuffer(append(pad, data...))
-}
-
-func newBufferFromInt(num uint64) *byteBuffer {
-	data := make([]byte, 8)
-	binary.BigEndian.PutUint64(data, num)
-	return newBuffer(bytes.TrimLeft(data, "\x00"))
-}
-
-func (b *byteBuffer) MarshalJSON() ([]byte, error) {
-	return json.Marshal(b.base64())
-}
-
-func (b *byteBuffer) UnmarshalJSON(data []byte) error {
-	var encoded string
-	err := json.Unmarshal(data, &encoded)
-	if err != nil {
-		return err
-	}
-
-	if encoded == "" {
-		return nil
-	}
-
-	decoded, err := base64.RawURLEncoding.DecodeString(encoded)
-	if err != nil {
-		return err
-	}
-
-	*b = *newBuffer(decoded)
-
-	return nil
-}
-
-func (b *byteBuffer) base64() string {
-	return base64.RawURLEncoding.EncodeToString(b.data)
-}
-
-func (b *byteBuffer) bytes() []byte {
-	// Handling nil here allows us to transparently handle nil slices when serializing.
-	if b == nil {
-		return nil
-	}
-	return b.data
-}
-
-func (b byteBuffer) bigInt() *big.Int {
-	return new(big.Int).SetBytes(b.data)
-}
-
-func (b byteBuffer) toInt() int {
-	return int(b.bigInt().Int64())
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/LICENSE b/vendor/gopkg.in/go-jose/go-jose.v2/json/LICENSE
deleted file mode 100644
index 74487567632..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright (c) 2012 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/README.md b/vendor/gopkg.in/go-jose/go-jose.v2/json/README.md
deleted file mode 100644
index 86de5e5581f..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Safe JSON
-
-This repository contains a fork of the `encoding/json` package from Go 1.6.
-
-The following changes were made:
-
-* Object deserialization uses case-sensitive member name matching instead of
-  [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html).
-  This is to avoid differences in the interpretation of JOSE messages between
-  go-jose and libraries written in other languages.
-* When deserializing a JSON object, we check for duplicate keys and reject the
-  input whenever we detect a duplicate. Rather than trying to work with malformed
-  data, we prefer to reject it right away.
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/decode.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/decode.go
deleted file mode 100644
index 4dbc4146cf9..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/decode.go
+++ /dev/null
@@ -1,1217 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Represents JSON data structure using native Go types: booleans, floats,
-// strings, arrays, and maps.
-
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"math"
-	"reflect"
-	"runtime"
-	"strconv"
-	"unicode"
-	"unicode/utf16"
-	"unicode/utf8"
-)
-
-// Unmarshal parses the JSON-encoded data and stores the result
-// in the value pointed to by v.
-//
-// Unmarshal uses the inverse of the encodings that
-// Marshal uses, allocating maps, slices, and pointers as necessary,
-// with the following additional rules:
-//
-// To unmarshal JSON into a pointer, Unmarshal first handles the case of
-// the JSON being the JSON literal null.  In that case, Unmarshal sets
-// the pointer to nil.  Otherwise, Unmarshal unmarshals the JSON into
-// the value pointed at by the pointer.  If the pointer is nil, Unmarshal
-// allocates a new value for it to point to.
-//
-// To unmarshal JSON into a struct, Unmarshal matches incoming object
-// keys to the keys used by Marshal (either the struct field name or its tag),
-// preferring an exact match but also accepting a case-insensitive match.
-// Unmarshal will only set exported fields of the struct.
-//
-// To unmarshal JSON into an interface value,
-// Unmarshal stores one of these in the interface value:
-//
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	string, for JSON strings
-//	[]interface{}, for JSON arrays
-//	map[string]interface{}, for JSON objects
-//	nil for JSON null
-//
-// To unmarshal a JSON array into a slice, Unmarshal resets the slice length
-// to zero and then appends each element to the slice.
-// As a special case, to unmarshal an empty JSON array into a slice,
-// Unmarshal replaces the slice with a new empty slice.
-//
-// To unmarshal a JSON array into a Go array, Unmarshal decodes
-// JSON array elements into corresponding Go array elements.
-// If the Go array is smaller than the JSON array,
-// the additional JSON array elements are discarded.
-// If the JSON array is smaller than the Go array,
-// the additional Go array elements are set to zero values.
-//
-// To unmarshal a JSON object into a string-keyed map, Unmarshal first
-// establishes a map to use, If the map is nil, Unmarshal allocates a new map.
-// Otherwise Unmarshal reuses the existing map, keeping existing entries.
-// Unmarshal then stores key-value pairs from the JSON object into the map.
-//
-// If a JSON value is not appropriate for a given target type,
-// or if a JSON number overflows the target type, Unmarshal
-// skips that field and completes the unmarshaling as best it can.
-// If no more serious errors are encountered, Unmarshal returns
-// an UnmarshalTypeError describing the earliest such error.
-//
-// The JSON null value unmarshals into an interface, map, pointer, or slice
-// by setting that Go value to nil. Because null is often used in JSON to mean
-// ``not present,'' unmarshaling a JSON null into any other Go type has no effect
-// on the value and produces no error.
-//
-// When unmarshaling quoted strings, invalid UTF-8 or
-// invalid UTF-16 surrogate pairs are not treated as an error.
-// Instead, they are replaced by the Unicode replacement
-// character U+FFFD.
-//
-func Unmarshal(data []byte, v interface{}) error {
-	// Check for well-formedness.
-	// Avoids filling out half a data structure
-	// before discovering a JSON syntax error.
-	var d decodeState
-	err := checkValid(data, &d.scan)
-	if err != nil {
-		return err
-	}
-
-	d.init(data)
-	return d.unmarshal(v)
-}
-
-// Unmarshaler is the interface implemented by objects
-// that can unmarshal a JSON description of themselves.
-// The input can be assumed to be a valid encoding of
-// a JSON value. UnmarshalJSON must copy the JSON data
-// if it wishes to retain the data after returning.
-type Unmarshaler interface {
-	UnmarshalJSON([]byte) error
-}
-
-// An UnmarshalTypeError describes a JSON value that was
-// not appropriate for a value of a specific Go type.
-type UnmarshalTypeError struct {
-	Value  string       // description of JSON value - "bool", "array", "number -5"
-	Type   reflect.Type // type of Go value it could not be assigned to
-	Offset int64        // error occurred after reading Offset bytes
-}
-
-func (e *UnmarshalTypeError) Error() string {
-	return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String()
-}
-
-// An UnmarshalFieldError describes a JSON object key that
-// led to an unexported (and therefore unwritable) struct field.
-// (No longer used; kept for compatibility.)
-type UnmarshalFieldError struct {
-	Key   string
-	Type  reflect.Type
-	Field reflect.StructField
-}
-
-func (e *UnmarshalFieldError) Error() string {
-	return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String()
-}
-
-// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.
-// (The argument to Unmarshal must be a non-nil pointer.)
-type InvalidUnmarshalError struct {
-	Type reflect.Type
-}
-
-func (e *InvalidUnmarshalError) Error() string {
-	if e.Type == nil {
-		return "json: Unmarshal(nil)"
-	}
-
-	if e.Type.Kind() != reflect.Ptr {
-		return "json: Unmarshal(non-pointer " + e.Type.String() + ")"
-	}
-	return "json: Unmarshal(nil " + e.Type.String() + ")"
-}
-
-func (d *decodeState) unmarshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			err = r.(error)
-		}
-	}()
-
-	rv := reflect.ValueOf(v)
-	if rv.Kind() != reflect.Ptr || rv.IsNil() {
-		return &InvalidUnmarshalError{reflect.TypeOf(v)}
-	}
-
-	d.scan.reset()
-	// We decode rv not rv.Elem because the Unmarshaler interface
-	// test must be applied at the top level of the value.
-	d.value(rv)
-	return d.savedError
-}
-
-// A Number represents a JSON number literal.
-type Number string
-
-// String returns the literal text of the number.
-func (n Number) String() string { return string(n) }
-
-// Float64 returns the number as a float64.
-func (n Number) Float64() (float64, error) {
-	return strconv.ParseFloat(string(n), 64)
-}
-
-// Int64 returns the number as an int64.
-func (n Number) Int64() (int64, error) {
-	return strconv.ParseInt(string(n), 10, 64)
-}
-
-// isValidNumber reports whether s is a valid JSON number literal.
-func isValidNumber(s string) bool {
-	// This function implements the JSON numbers grammar.
-	// See https://tools.ietf.org/html/rfc7159#section-6
-	// and http://json.org/number.gif
-
-	if s == "" {
-		return false
-	}
-
-	// Optional -
-	if s[0] == '-' {
-		s = s[1:]
-		if s == "" {
-			return false
-		}
-	}
-
-	// Digits
-	switch {
-	default:
-		return false
-
-	case s[0] == '0':
-		s = s[1:]
-
-	case '1' <= s[0] && s[0] <= '9':
-		s = s[1:]
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// . followed by 1 or more digits.
-	if len(s) >= 2 && s[0] == '.' && '0' <= s[1] && s[1] <= '9' {
-		s = s[2:]
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// e or E followed by an optional - or + and
-	// 1 or more digits.
-	if len(s) >= 2 && (s[0] == 'e' || s[0] == 'E') {
-		s = s[1:]
-		if s[0] == '+' || s[0] == '-' {
-			s = s[1:]
-			if s == "" {
-				return false
-			}
-		}
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// Make sure we are at the end.
-	return s == ""
-}
-
-type NumberUnmarshalType int
-
-const (
-	// unmarshal a JSON number into an interface{} as a float64
-	UnmarshalFloat NumberUnmarshalType = iota
-	// unmarshal a JSON number into an interface{} as a `json.Number`
-	UnmarshalJSONNumber
-	// unmarshal a JSON number into an interface{} as a int64
-	// if value is an integer otherwise float64
-	UnmarshalIntOrFloat
-)
-
-// decodeState represents the state while decoding a JSON value.
-type decodeState struct {
-	data       []byte
-	off        int // read offset in data
-	scan       scanner
-	nextscan   scanner // for calls to nextValue
-	savedError error
-	numberType NumberUnmarshalType
-}
-
-// errPhase is used for errors that should not happen unless
-// there is a bug in the JSON decoder or something is editing
-// the data slice while the decoder executes.
-var errPhase = errors.New("JSON decoder out of sync - data changing underfoot?")
-
-func (d *decodeState) init(data []byte) *decodeState {
-	d.data = data
-	d.off = 0
-	d.savedError = nil
-	return d
-}
-
-// error aborts the decoding by panicking with err.
-func (d *decodeState) error(err error) {
-	panic(err)
-}
-
-// saveError saves the first err it is called with,
-// for reporting at the end of the unmarshal.
-func (d *decodeState) saveError(err error) {
-	if d.savedError == nil {
-		d.savedError = err
-	}
-}
-
-// next cuts off and returns the next full JSON value in d.data[d.off:].
-// The next value is known to be an object or array, not a literal.
-func (d *decodeState) next() []byte {
-	c := d.data[d.off]
-	item, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-	if err != nil {
-		d.error(err)
-	}
-	d.off = len(d.data) - len(rest)
-
-	// Our scanner has seen the opening brace/bracket
-	// and thinks we're still in the middle of the object.
-	// invent a closing brace/bracket to get it out.
-	if c == '{' {
-		d.scan.step(&d.scan, '}')
-	} else {
-		d.scan.step(&d.scan, ']')
-	}
-
-	return item
-}
-
-// scanWhile processes bytes in d.data[d.off:] until it
-// receives a scan code not equal to op.
-// It updates d.off and returns the new scan code.
-func (d *decodeState) scanWhile(op int) int {
-	var newOp int
-	for {
-		if d.off >= len(d.data) {
-			newOp = d.scan.eof()
-			d.off = len(d.data) + 1 // mark processed EOF with len+1
-		} else {
-			c := d.data[d.off]
-			d.off++
-			newOp = d.scan.step(&d.scan, c)
-		}
-		if newOp != op {
-			break
-		}
-	}
-	return newOp
-}
-
-// value decodes a JSON value from d.data[d.off:] into the value.
-// it updates d.off to point past the decoded value.
-func (d *decodeState) value(v reflect.Value) {
-	if !v.IsValid() {
-		_, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-		if err != nil {
-			d.error(err)
-		}
-		d.off = len(d.data) - len(rest)
-
-		// d.scan thinks we're still at the beginning of the item.
-		// Feed in an empty string - the shortest, simplest value -
-		// so that it knows we got to the end of the value.
-		if d.scan.redo {
-			// rewind.
-			d.scan.redo = false
-			d.scan.step = stateBeginValue
-		}
-		d.scan.step(&d.scan, '"')
-		d.scan.step(&d.scan, '"')
-
-		n := len(d.scan.parseState)
-		if n > 0 && d.scan.parseState[n-1] == parseObjectKey {
-			// d.scan thinks we just read an object key; finish the object
-			d.scan.step(&d.scan, ':')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '}')
-		}
-
-		return
-	}
-
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(v)
-
-	case scanBeginObject:
-		d.object(v)
-
-	case scanBeginLiteral:
-		d.literal(v)
-	}
-}
-
-type unquotedValue struct{}
-
-// valueQuoted is like value but decodes a
-// quoted string literal or literal null into an interface value.
-// If it finds anything other than a quoted string literal or null,
-// valueQuoted returns unquotedValue{}.
-func (d *decodeState) valueQuoted() interface{} {
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(reflect.Value{})
-
-	case scanBeginObject:
-		d.object(reflect.Value{})
-
-	case scanBeginLiteral:
-		switch v := d.literalInterface().(type) {
-		case nil, string:
-			return v
-		}
-	}
-	return unquotedValue{}
-}
-
-// indirect walks down v allocating pointers as needed,
-// until it gets to a non-pointer.
-// if it encounters an Unmarshaler, indirect stops and returns that.
-// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.
-func (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {
-	// If v is a named type and is addressable,
-	// start with its address, so that if the type has pointer methods,
-	// we find them.
-	if v.Kind() != reflect.Ptr && v.Type().Name() != "" && v.CanAddr() {
-		v = v.Addr()
-	}
-	for {
-		// Load value from interface, but only if the result will be
-		// usefully addressable.
-		if v.Kind() == reflect.Interface && !v.IsNil() {
-			e := v.Elem()
-			if e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {
-				v = e
-				continue
-			}
-		}
-
-		if v.Kind() != reflect.Ptr {
-			break
-		}
-
-		if v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {
-			break
-		}
-		if v.IsNil() {
-			v.Set(reflect.New(v.Type().Elem()))
-		}
-		if v.Type().NumMethod() > 0 {
-			if u, ok := v.Interface().(Unmarshaler); ok {
-				return u, nil, reflect.Value{}
-			}
-			if u, ok := v.Interface().(encoding.TextUnmarshaler); ok {
-				return nil, u, reflect.Value{}
-			}
-		}
-		v = v.Elem()
-	}
-	return nil, nil, v
-}
-
-// array consumes an array from d.data[d.off-1:], decoding into the value v.
-// the first byte of the array ('[') has been read already.
-func (d *decodeState) array(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	}
-
-	v = pv
-
-	// Check type of target.
-	switch v.Kind() {
-	case reflect.Interface:
-		if v.NumMethod() == 0 {
-			// Decoding into nil interface?  Switch to non-reflect code.
-			v.Set(reflect.ValueOf(d.arrayInterface()))
-			return
-		}
-		// Otherwise it's invalid.
-		fallthrough
-	default:
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	case reflect.Array:
-	case reflect.Slice:
-		break
-	}
-
-	i := 0
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		// Get element of array, growing if necessary.
-		if v.Kind() == reflect.Slice {
-			// Grow slice if necessary
-			if i >= v.Cap() {
-				newcap := v.Cap() + v.Cap()/2
-				if newcap < 4 {
-					newcap = 4
-				}
-				newv := reflect.MakeSlice(v.Type(), v.Len(), newcap)
-				reflect.Copy(newv, v)
-				v.Set(newv)
-			}
-			if i >= v.Len() {
-				v.SetLen(i + 1)
-			}
-		}
-
-		if i < v.Len() {
-			// Decode into element.
-			d.value(v.Index(i))
-		} else {
-			// Ran out of fixed array: skip.
-			d.value(reflect.Value{})
-		}
-		i++
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-
-	if i < v.Len() {
-		if v.Kind() == reflect.Array {
-			// Array.  Zero the rest.
-			z := reflect.Zero(v.Type().Elem())
-			for ; i < v.Len(); i++ {
-				v.Index(i).Set(z)
-			}
-		} else {
-			v.SetLen(i)
-		}
-	}
-	if i == 0 && v.Kind() == reflect.Slice {
-		v.Set(reflect.MakeSlice(v.Type(), 0, 0))
-	}
-}
-
-var nullLiteral = []byte("null")
-
-// object consumes an object from d.data[d.off-1:], decoding into the value v.
-// the first byte ('{') of the object has been read already.
-func (d *decodeState) object(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-	v = pv
-
-	// Decoding into nil interface?  Switch to non-reflect code.
-	if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
-		v.Set(reflect.ValueOf(d.objectInterface()))
-		return
-	}
-
-	// Check type of target: struct or map[string]T
-	switch v.Kind() {
-	case reflect.Map:
-		// map must have string kind
-		t := v.Type()
-		if t.Key().Kind() != reflect.String {
-			d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-			d.off--
-			d.next() // skip over { } in input
-			return
-		}
-		if v.IsNil() {
-			v.Set(reflect.MakeMap(t))
-		}
-	case reflect.Struct:
-
-	default:
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-
-	var mapElem reflect.Value
-	keys := map[string]bool{}
-
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Check for duplicate keys.
-		_, ok = keys[key]
-		if !ok {
-			keys[key] = true
-		} else {
-			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
-		}
-
-		// Figure out field corresponding to key.
-		var subv reflect.Value
-		destring := false // whether the value is wrapped in a string to be decoded first
-
-		if v.Kind() == reflect.Map {
-			elemType := v.Type().Elem()
-			if !mapElem.IsValid() {
-				mapElem = reflect.New(elemType).Elem()
-			} else {
-				mapElem.Set(reflect.Zero(elemType))
-			}
-			subv = mapElem
-		} else {
-			var f *field
-			fields := cachedTypeFields(v.Type())
-			for i := range fields {
-				ff := &fields[i]
-				if bytes.Equal(ff.nameBytes, []byte(key)) {
-					f = ff
-					break
-				}
-			}
-			if f != nil {
-				subv = v
-				destring = f.quoted
-				for _, i := range f.index {
-					if subv.Kind() == reflect.Ptr {
-						if subv.IsNil() {
-							subv.Set(reflect.New(subv.Type().Elem()))
-						}
-						subv = subv.Elem()
-					}
-					subv = subv.Field(i)
-				}
-			}
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		if destring {
-			switch qv := d.valueQuoted().(type) {
-			case nil:
-				d.literalStore(nullLiteral, subv, false)
-			case string:
-				d.literalStore([]byte(qv), subv, true)
-			default:
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
-			}
-		} else {
-			d.value(subv)
-		}
-
-		// Write value back to map;
-		// if using struct, subv points into struct already.
-		if v.Kind() == reflect.Map {
-			kv := reflect.ValueOf(key).Convert(v.Type().Key())
-			v.SetMapIndex(kv, subv)
-		}
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-}
-
-// literal consumes a literal from d.data[d.off-1:], decoding into the value v.
-// The first byte of the literal has been read already
-// (that's how the caller knows it's a literal).
-func (d *decodeState) literal(v reflect.Value) {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-
-	d.literalStore(d.data[start:d.off], v, false)
-}
-
-// convertNumber converts the number literal s to a float64, int64 or a Number
-// depending on d.numberDecodeType.
-func (d *decodeState) convertNumber(s string) (interface{}, error) {
-	switch d.numberType {
-
-	case UnmarshalJSONNumber:
-		return Number(s), nil
-	case UnmarshalIntOrFloat:
-		v, err := strconv.ParseInt(s, 10, 64)
-		if err == nil {
-			return v, nil
-		}
-
-		// tries to parse integer number in scientific notation
-		f, err := strconv.ParseFloat(s, 64)
-		if err != nil {
-			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
-		}
-
-		// if it has no decimal value use int64
-		if fi, fd := math.Modf(f); fd == 0.0 {
-			return int64(fi), nil
-		}
-		return f, nil
-	default:
-		f, err := strconv.ParseFloat(s, 64)
-		if err != nil {
-			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
-		}
-		return f, nil
-	}
-
-}
-
-var numberType = reflect.TypeOf(Number(""))
-
-// literalStore decodes a literal stored in item into v.
-//
-// fromQuoted indicates whether this literal came from unwrapping a
-// string from the ",string" struct tag option. this is used only to
-// produce more helpful error messages.
-func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
-	// Check for unmarshaler.
-	if len(item) == 0 {
-		//Empty string given
-		d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-		return
-	}
-	wantptr := item[0] == 'n' // null
-	u, ut, pv := d.indirect(v, wantptr)
-	if u != nil {
-		err := u.UnmarshalJSON(item)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		if item[0] != '"' {
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-			return
-		}
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		err := ut.UnmarshalText(s)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-
-	v = pv
-
-	switch c := item[0]; c {
-	case 'n': // null
-		switch v.Kind() {
-		case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
-			v.Set(reflect.Zero(v.Type()))
-			// otherwise, ignore null for primitives/string
-		}
-	case 't', 'f': // true, false
-		value := c == 't'
-		switch v.Kind() {
-		default:
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		case reflect.Bool:
-			v.SetBool(value)
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(value))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		}
-
-	case '"': // string
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		switch v.Kind() {
-		default:
-			d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-		case reflect.Slice:
-			if v.Type().Elem().Kind() != reflect.Uint8 {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-				break
-			}
-			b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
-			n, err := base64.StdEncoding.Decode(b, s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			v.SetBytes(b[:n])
-		case reflect.String:
-			v.SetString(string(s))
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(string(s)))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-		}
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		s := string(item)
-		switch v.Kind() {
-		default:
-			if v.Kind() == reflect.String && v.Type() == numberType {
-				v.SetString(s)
-				if !isValidNumber(s) {
-					d.error(fmt.Errorf("json: invalid number literal, trying to unmarshal %q into Number", item))
-				}
-				break
-			}
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-			}
-		case reflect.Interface:
-			n, err := d.convertNumber(s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			if v.NumMethod() != 0 {
-				d.saveError(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-				break
-			}
-			v.Set(reflect.ValueOf(n))
-
-		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-			n, err := strconv.ParseInt(s, 10, 64)
-			if err != nil || v.OverflowInt(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetInt(n)
-
-		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-			n, err := strconv.ParseUint(s, 10, 64)
-			if err != nil || v.OverflowUint(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetUint(n)
-
-		case reflect.Float32, reflect.Float64:
-			n, err := strconv.ParseFloat(s, v.Type().Bits())
-			if err != nil || v.OverflowFloat(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetFloat(n)
-		}
-	}
-}
-
-// The xxxInterface routines build up a value to be stored
-// in an empty interface.  They are not strictly necessary,
-// but they avoid the weight of reflection in this common case.
-
-// valueInterface is like value but returns interface{}
-func (d *decodeState) valueInterface() interface{} {
-	switch d.scanWhile(scanSkipSpace) {
-	default:
-		d.error(errPhase)
-		panic("unreachable")
-	case scanBeginArray:
-		return d.arrayInterface()
-	case scanBeginObject:
-		return d.objectInterface()
-	case scanBeginLiteral:
-		return d.literalInterface()
-	}
-}
-
-// arrayInterface is like array but returns []interface{}.
-func (d *decodeState) arrayInterface() []interface{} {
-	var v = make([]interface{}, 0)
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		v = append(v, d.valueInterface())
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-	return v
-}
-
-// objectInterface is like object but returns map[string]interface{}.
-func (d *decodeState) objectInterface() map[string]interface{} {
-	m := make(map[string]interface{})
-	keys := map[string]bool{}
-
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read string key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Check for duplicate keys.
-		_, ok = keys[key]
-		if !ok {
-			keys[key] = true
-		} else {
-			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		m[key] = d.valueInterface()
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-	return m
-}
-
-// literalInterface is like literal but returns an interface value.
-func (d *decodeState) literalInterface() interface{} {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-	item := d.data[start:d.off]
-
-	switch c := item[0]; c {
-	case 'n': // null
-		return nil
-
-	case 't', 'f': // true, false
-		return c == 't'
-
-	case '"': // string
-		s, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-		return s
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			d.error(errPhase)
-		}
-		n, err := d.convertNumber(string(item))
-		if err != nil {
-			d.saveError(err)
-		}
-		return n
-	}
-}
-
-// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
-// or it returns -1.
-func getu4(s []byte) rune {
-	if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
-		return -1
-	}
-	r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
-	if err != nil {
-		return -1
-	}
-	return rune(r)
-}
-
-// unquote converts a quoted JSON string literal s into an actual string t.
-// The rules are different than for Go, so cannot use strconv.Unquote.
-func unquote(s []byte) (t string, ok bool) {
-	s, ok = unquoteBytes(s)
-	t = string(s)
-	return
-}
-
-func unquoteBytes(s []byte) (t []byte, ok bool) {
-	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
-		return
-	}
-	s = s[1 : len(s)-1]
-
-	// Check for unusual characters. If there are none,
-	// then no unquoting is needed, so return a slice of the
-	// original bytes.
-	r := 0
-	for r < len(s) {
-		c := s[r]
-		if c == '\\' || c == '"' || c < ' ' {
-			break
-		}
-		if c < utf8.RuneSelf {
-			r++
-			continue
-		}
-		rr, size := utf8.DecodeRune(s[r:])
-		if rr == utf8.RuneError && size == 1 {
-			break
-		}
-		r += size
-	}
-	if r == len(s) {
-		return s, true
-	}
-
-	b := make([]byte, len(s)+2*utf8.UTFMax)
-	w := copy(b, s[0:r])
-	for r < len(s) {
-		// Out of room?  Can only happen if s is full of
-		// malformed UTF-8 and we're replacing each
-		// byte with RuneError.
-		if w >= len(b)-2*utf8.UTFMax {
-			nb := make([]byte, (len(b)+utf8.UTFMax)*2)
-			copy(nb, b[0:w])
-			b = nb
-		}
-		switch c := s[r]; {
-		case c == '\\':
-			r++
-			if r >= len(s) {
-				return
-			}
-			switch s[r] {
-			default:
-				return
-			case '"', '\\', '/', '\'':
-				b[w] = s[r]
-				r++
-				w++
-			case 'b':
-				b[w] = '\b'
-				r++
-				w++
-			case 'f':
-				b[w] = '\f'
-				r++
-				w++
-			case 'n':
-				b[w] = '\n'
-				r++
-				w++
-			case 'r':
-				b[w] = '\r'
-				r++
-				w++
-			case 't':
-				b[w] = '\t'
-				r++
-				w++
-			case 'u':
-				r--
-				rr := getu4(s[r:])
-				if rr < 0 {
-					return
-				}
-				r += 6
-				if utf16.IsSurrogate(rr) {
-					rr1 := getu4(s[r:])
-					if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
-						// A valid pair; consume.
-						r += 6
-						w += utf8.EncodeRune(b[w:], dec)
-						break
-					}
-					// Invalid surrogate; fall back to replacement rune.
-					rr = unicode.ReplacementChar
-				}
-				w += utf8.EncodeRune(b[w:], rr)
-			}
-
-		// Quote, control characters are invalid.
-		case c == '"', c < ' ':
-			return
-
-		// ASCII
-		case c < utf8.RuneSelf:
-			b[w] = c
-			r++
-			w++
-
-		// Coerce to well-formed UTF-8.
-		default:
-			rr, size := utf8.DecodeRune(s[r:])
-			r += size
-			w += utf8.EncodeRune(b[w:], rr)
-		}
-	}
-	return b[0:w], true
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/encode.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/encode.go
deleted file mode 100644
index 1dae8bb7cd8..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/encode.go
+++ /dev/null
@@ -1,1197 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package json implements encoding and decoding of JSON objects as defined in
-// RFC 4627. The mapping between JSON objects and Go values is described
-// in the documentation for the Marshal and Unmarshal functions.
-//
-// See "JSON and Go" for an introduction to this package:
-// https://golang.org/doc/articles/json_and_go.html
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"fmt"
-	"math"
-	"reflect"
-	"runtime"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"unicode"
-	"unicode/utf8"
-)
-
-// Marshal returns the JSON encoding of v.
-//
-// Marshal traverses the value v recursively.
-// If an encountered value implements the Marshaler interface
-// and is not a nil pointer, Marshal calls its MarshalJSON method
-// to produce JSON. If no MarshalJSON method is present but the
-// value implements encoding.TextMarshaler instead, Marshal calls
-// its MarshalText method.
-// The nil pointer exception is not strictly necessary
-// but mimics a similar, necessary exception in the behavior of
-// UnmarshalJSON.
-//
-// Otherwise, Marshal uses the following type-dependent default encodings:
-//
-// Boolean values encode as JSON booleans.
-//
-// Floating point, integer, and Number values encode as JSON numbers.
-//
-// String values encode as JSON strings coerced to valid UTF-8,
-// replacing invalid bytes with the Unicode replacement rune.
-// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
-// to keep some browsers from misinterpreting JSON output as HTML.
-// Ampersand "&" is also escaped to "\u0026" for the same reason.
-//
-// Array and slice values encode as JSON arrays, except that
-// []byte encodes as a base64-encoded string, and a nil slice
-// encodes as the null JSON object.
-//
-// Struct values encode as JSON objects. Each exported struct field
-// becomes a member of the object unless
-//   - the field's tag is "-", or
-//   - the field is empty and its tag specifies the "omitempty" option.
-// The empty values are false, 0, any
-// nil pointer or interface value, and any array, slice, map, or string of
-// length zero. The object's default key string is the struct field name
-// but can be specified in the struct field's tag value. The "json" key in
-// the struct field's tag value is the key name, followed by an optional comma
-// and options. Examples:
-//
-//   // Field is ignored by this package.
-//   Field int `json:"-"`
-//
-//   // Field appears in JSON as key "myName".
-//   Field int `json:"myName"`
-//
-//   // Field appears in JSON as key "myName" and
-//   // the field is omitted from the object if its value is empty,
-//   // as defined above.
-//   Field int `json:"myName,omitempty"`
-//
-//   // Field appears in JSON as key "Field" (the default), but
-//   // the field is skipped if empty.
-//   // Note the leading comma.
-//   Field int `json:",omitempty"`
-//
-// The "string" option signals that a field is stored as JSON inside a
-// JSON-encoded string. It applies only to fields of string, floating point,
-// integer, or boolean types. This extra level of encoding is sometimes used
-// when communicating with JavaScript programs:
-//
-//    Int64String int64 `json:",string"`
-//
-// The key name will be used if it's a non-empty string consisting of
-// only Unicode letters, digits, dollar signs, percent signs, hyphens,
-// underscores and slashes.
-//
-// Anonymous struct fields are usually marshaled as if their inner exported fields
-// were fields in the outer struct, subject to the usual Go visibility rules amended
-// as described in the next paragraph.
-// An anonymous struct field with a name given in its JSON tag is treated as
-// having that name, rather than being anonymous.
-// An anonymous struct field of interface type is treated the same as having
-// that type as its name, rather than being anonymous.
-//
-// The Go visibility rules for struct fields are amended for JSON when
-// deciding which field to marshal or unmarshal. If there are
-// multiple fields at the same level, and that level is the least
-// nested (and would therefore be the nesting level selected by the
-// usual Go rules), the following extra rules apply:
-//
-// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,
-// even if there are multiple untagged fields that would otherwise conflict.
-// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.
-// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.
-//
-// Handling of anonymous struct fields is new in Go 1.1.
-// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of
-// an anonymous struct field in both current and earlier versions, give the field
-// a JSON tag of "-".
-//
-// Map values encode as JSON objects.
-// The map's key type must be string; the map keys are used as JSON object
-// keys, subject to the UTF-8 coercion described for string values above.
-//
-// Pointer values encode as the value pointed to.
-// A nil pointer encodes as the null JSON object.
-//
-// Interface values encode as the value contained in the interface.
-// A nil interface value encodes as the null JSON object.
-//
-// Channel, complex, and function values cannot be encoded in JSON.
-// Attempting to encode such a value causes Marshal to return
-// an UnsupportedTypeError.
-//
-// JSON cannot represent cyclic data structures and Marshal does not
-// handle them.  Passing cyclic structures to Marshal will result in
-// an infinite recursion.
-//
-func Marshal(v interface{}) ([]byte, error) {
-	e := &encodeState{}
-	err := e.marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	return e.Bytes(), nil
-}
-
-// MarshalIndent is like Marshal but applies Indent to format the output.
-func MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {
-	b, err := Marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	var buf bytes.Buffer
-	err = Indent(&buf, b, prefix, indent)
-	if err != nil {
-		return nil, err
-	}
-	return buf.Bytes(), nil
-}
-
-// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
-// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
-// so that the JSON will be safe to embed inside HTML <script> tags.
-// For historical reasons, web browsers don't honor standard HTML
-// escaping within <script> tags, so an alternative JSON encoding must
-// be used.
-func HTMLEscape(dst *bytes.Buffer, src []byte) {
-	// The characters can only appear in string literals,
-	// so just scan the string one byte at a time.
-	start := 0
-	for i, c := range src {
-		if c == '<' || c == '>' || c == '&' {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-}
-
-// Marshaler is the interface implemented by objects that
-// can marshal themselves into valid JSON.
-type Marshaler interface {
-	MarshalJSON() ([]byte, error)
-}
-
-// An UnsupportedTypeError is returned by Marshal when attempting
-// to encode an unsupported value type.
-type UnsupportedTypeError struct {
-	Type reflect.Type
-}
-
-func (e *UnsupportedTypeError) Error() string {
-	return "json: unsupported type: " + e.Type.String()
-}
-
-type UnsupportedValueError struct {
-	Value reflect.Value
-	Str   string
-}
-
-func (e *UnsupportedValueError) Error() string {
-	return "json: unsupported value: " + e.Str
-}
-
-// Before Go 1.2, an InvalidUTF8Error was returned by Marshal when
-// attempting to encode a string value with invalid UTF-8 sequences.
-// As of Go 1.2, Marshal instead coerces the string to valid UTF-8 by
-// replacing invalid bytes with the Unicode replacement rune U+FFFD.
-// This error is no longer generated but is kept for backwards compatibility
-// with programs that might mention it.
-type InvalidUTF8Error struct {
-	S string // the whole string value that caused the error
-}
-
-func (e *InvalidUTF8Error) Error() string {
-	return "json: invalid UTF-8 in string: " + strconv.Quote(e.S)
-}
-
-type MarshalerError struct {
-	Type reflect.Type
-	Err  error
-}
-
-func (e *MarshalerError) Error() string {
-	return "json: error calling MarshalJSON for type " + e.Type.String() + ": " + e.Err.Error()
-}
-
-var hex = "0123456789abcdef"
-
-// An encodeState encodes JSON into a bytes.Buffer.
-type encodeState struct {
-	bytes.Buffer // accumulated output
-	scratch      [64]byte
-}
-
-var encodeStatePool sync.Pool
-
-func newEncodeState() *encodeState {
-	if v := encodeStatePool.Get(); v != nil {
-		e := v.(*encodeState)
-		e.Reset()
-		return e
-	}
-	return new(encodeState)
-}
-
-func (e *encodeState) marshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			if s, ok := r.(string); ok {
-				panic(s)
-			}
-			err = r.(error)
-		}
-	}()
-	e.reflectValue(reflect.ValueOf(v))
-	return nil
-}
-
-func (e *encodeState) error(err error) {
-	panic(err)
-}
-
-func isEmptyValue(v reflect.Value) bool {
-	switch v.Kind() {
-	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
-		return v.Len() == 0
-	case reflect.Bool:
-		return !v.Bool()
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return v.Int() == 0
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return v.Uint() == 0
-	case reflect.Float32, reflect.Float64:
-		return v.Float() == 0
-	case reflect.Interface, reflect.Ptr:
-		return v.IsNil()
-	}
-	return false
-}
-
-func (e *encodeState) reflectValue(v reflect.Value) {
-	valueEncoder(v)(e, v, false)
-}
-
-type encoderFunc func(e *encodeState, v reflect.Value, quoted bool)
-
-var encoderCache struct {
-	sync.RWMutex
-	m map[reflect.Type]encoderFunc
-}
-
-func valueEncoder(v reflect.Value) encoderFunc {
-	if !v.IsValid() {
-		return invalidValueEncoder
-	}
-	return typeEncoder(v.Type())
-}
-
-func typeEncoder(t reflect.Type) encoderFunc {
-	encoderCache.RLock()
-	f := encoderCache.m[t]
-	encoderCache.RUnlock()
-	if f != nil {
-		return f
-	}
-
-	// To deal with recursive types, populate the map with an
-	// indirect func before we build it. This type waits on the
-	// real func (f) to be ready and then calls it.  This indirect
-	// func is only used for recursive types.
-	encoderCache.Lock()
-	if encoderCache.m == nil {
-		encoderCache.m = make(map[reflect.Type]encoderFunc)
-	}
-	var wg sync.WaitGroup
-	wg.Add(1)
-	encoderCache.m[t] = func(e *encodeState, v reflect.Value, quoted bool) {
-		wg.Wait()
-		f(e, v, quoted)
-	}
-	encoderCache.Unlock()
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = newTypeEncoder(t, true)
-	wg.Done()
-	encoderCache.Lock()
-	encoderCache.m[t] = f
-	encoderCache.Unlock()
-	return f
-}
-
-var (
-	marshalerType     = reflect.TypeOf(new(Marshaler)).Elem()
-	textMarshalerType = reflect.TypeOf(new(encoding.TextMarshaler)).Elem()
-)
-
-// newTypeEncoder constructs an encoderFunc for a type.
-// The returned encoder only checks CanAddr when allowAddr is true.
-func newTypeEncoder(t reflect.Type, allowAddr bool) encoderFunc {
-	if t.Implements(marshalerType) {
-		return marshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(marshalerType) {
-			return newCondAddrEncoder(addrMarshalerEncoder, newTypeEncoder(t, false))
-		}
-	}
-
-	if t.Implements(textMarshalerType) {
-		return textMarshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(textMarshalerType) {
-			return newCondAddrEncoder(addrTextMarshalerEncoder, newTypeEncoder(t, false))
-		}
-	}
-
-	switch t.Kind() {
-	case reflect.Bool:
-		return boolEncoder
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return intEncoder
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return uintEncoder
-	case reflect.Float32:
-		return float32Encoder
-	case reflect.Float64:
-		return float64Encoder
-	case reflect.String:
-		return stringEncoder
-	case reflect.Interface:
-		return interfaceEncoder
-	case reflect.Struct:
-		return newStructEncoder(t)
-	case reflect.Map:
-		return newMapEncoder(t)
-	case reflect.Slice:
-		return newSliceEncoder(t)
-	case reflect.Array:
-		return newArrayEncoder(t)
-	case reflect.Ptr:
-		return newPtrEncoder(t)
-	default:
-		return unsupportedTypeEncoder
-	}
-}
-
-func invalidValueEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteString("null")
-}
-
-func marshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func addrMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func textMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-	e.stringBytes(b)
-}
-
-func addrTextMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-	e.stringBytes(b)
-}
-
-func boolEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if quoted {
-		e.WriteByte('"')
-	}
-	if v.Bool() {
-		e.WriteString("true")
-	} else {
-		e.WriteString("false")
-	}
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func intEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendInt(e.scratch[:0], v.Int(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func uintEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendUint(e.scratch[:0], v.Uint(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-type floatEncoder int // number of bits
-
-func (bits floatEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	f := v.Float()
-	if math.IsInf(f, 0) || math.IsNaN(f) {
-		e.error(&UnsupportedValueError{v, strconv.FormatFloat(f, 'g', -1, int(bits))})
-	}
-	b := strconv.AppendFloat(e.scratch[:0], f, 'g', -1, int(bits))
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-var (
-	float32Encoder = (floatEncoder(32)).encode
-	float64Encoder = (floatEncoder(64)).encode
-)
-
-func stringEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Type() == numberType {
-		numStr := v.String()
-		// In Go1.5 the empty string encodes to "0", while this is not a valid number literal
-		// we keep compatibility so check validity after this.
-		if numStr == "" {
-			numStr = "0" // Number's zero-val
-		}
-		if !isValidNumber(numStr) {
-			e.error(fmt.Errorf("json: invalid number literal %q", numStr))
-		}
-		e.WriteString(numStr)
-		return
-	}
-	if quoted {
-		sb, err := Marshal(v.String())
-		if err != nil {
-			e.error(err)
-		}
-		e.string(string(sb))
-	} else {
-		e.string(v.String())
-	}
-}
-
-func interfaceEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.reflectValue(v.Elem())
-}
-
-func unsupportedTypeEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.error(&UnsupportedTypeError{v.Type()})
-}
-
-type structEncoder struct {
-	fields    []field
-	fieldEncs []encoderFunc
-}
-
-func (se *structEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteByte('{')
-	first := true
-	for i, f := range se.fields {
-		fv := fieldByIndex(v, f.index)
-		if !fv.IsValid() || f.omitEmpty && isEmptyValue(fv) {
-			continue
-		}
-		if first {
-			first = false
-		} else {
-			e.WriteByte(',')
-		}
-		e.string(f.name)
-		e.WriteByte(':')
-		se.fieldEncs[i](e, fv, f.quoted)
-	}
-	e.WriteByte('}')
-}
-
-func newStructEncoder(t reflect.Type) encoderFunc {
-	fields := cachedTypeFields(t)
-	se := &structEncoder{
-		fields:    fields,
-		fieldEncs: make([]encoderFunc, len(fields)),
-	}
-	for i, f := range fields {
-		se.fieldEncs[i] = typeEncoder(typeByIndex(t, f.index))
-	}
-	return se.encode
-}
-
-type mapEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (me *mapEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.WriteByte('{')
-	var sv stringValues = v.MapKeys()
-	sort.Sort(sv)
-	for i, k := range sv {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		e.string(k.String())
-		e.WriteByte(':')
-		me.elemEnc(e, v.MapIndex(k), false)
-	}
-	e.WriteByte('}')
-}
-
-func newMapEncoder(t reflect.Type) encoderFunc {
-	if t.Key().Kind() != reflect.String {
-		return unsupportedTypeEncoder
-	}
-	me := &mapEncoder{typeEncoder(t.Elem())}
-	return me.encode
-}
-
-func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	s := v.Bytes()
-	e.WriteByte('"')
-	if len(s) < 1024 {
-		// for small buffers, using Encode directly is much faster.
-		dst := make([]byte, base64.StdEncoding.EncodedLen(len(s)))
-		base64.StdEncoding.Encode(dst, s)
-		e.Write(dst)
-	} else {
-		// for large buffers, avoid unnecessary extra temporary
-		// buffer space.
-		enc := base64.NewEncoder(base64.StdEncoding, e)
-		enc.Write(s)
-		enc.Close()
-	}
-	e.WriteByte('"')
-}
-
-// sliceEncoder just wraps an arrayEncoder, checking to make sure the value isn't nil.
-type sliceEncoder struct {
-	arrayEnc encoderFunc
-}
-
-func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	se.arrayEnc(e, v, false)
-}
-
-func newSliceEncoder(t reflect.Type) encoderFunc {
-	// Byte slices get special treatment; arrays don't.
-	if t.Elem().Kind() == reflect.Uint8 {
-		return encodeByteSlice
-	}
-	enc := &sliceEncoder{newArrayEncoder(t)}
-	return enc.encode
-}
-
-type arrayEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	e.WriteByte('[')
-	n := v.Len()
-	for i := 0; i < n; i++ {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		ae.elemEnc(e, v.Index(i), false)
-	}
-	e.WriteByte(']')
-}
-
-func newArrayEncoder(t reflect.Type) encoderFunc {
-	enc := &arrayEncoder{typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type ptrEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (pe *ptrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	pe.elemEnc(e, v.Elem(), quoted)
-}
-
-func newPtrEncoder(t reflect.Type) encoderFunc {
-	enc := &ptrEncoder{typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type condAddrEncoder struct {
-	canAddrEnc, elseEnc encoderFunc
-}
-
-func (ce *condAddrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.CanAddr() {
-		ce.canAddrEnc(e, v, quoted)
-	} else {
-		ce.elseEnc(e, v, quoted)
-	}
-}
-
-// newCondAddrEncoder returns an encoder that checks whether its value
-// CanAddr and delegates to canAddrEnc if so, else to elseEnc.
-func newCondAddrEncoder(canAddrEnc, elseEnc encoderFunc) encoderFunc {
-	enc := &condAddrEncoder{canAddrEnc: canAddrEnc, elseEnc: elseEnc}
-	return enc.encode
-}
-
-func isValidTag(s string) bool {
-	if s == "" {
-		return false
-	}
-	for _, c := range s {
-		switch {
-		case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~ ", c):
-			// Backslash and quote chars are reserved, but
-			// otherwise any punctuation chars are allowed
-			// in a tag name.
-		default:
-			if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
-				return false
-			}
-		}
-	}
-	return true
-}
-
-func fieldByIndex(v reflect.Value, index []int) reflect.Value {
-	for _, i := range index {
-		if v.Kind() == reflect.Ptr {
-			if v.IsNil() {
-				return reflect.Value{}
-			}
-			v = v.Elem()
-		}
-		v = v.Field(i)
-	}
-	return v
-}
-
-func typeByIndex(t reflect.Type, index []int) reflect.Type {
-	for _, i := range index {
-		if t.Kind() == reflect.Ptr {
-			t = t.Elem()
-		}
-		t = t.Field(i).Type
-	}
-	return t
-}
-
-// stringValues is a slice of reflect.Value holding *reflect.StringValue.
-// It implements the methods to sort by string.
-type stringValues []reflect.Value
-
-func (sv stringValues) Len() int           { return len(sv) }
-func (sv stringValues) Swap(i, j int)      { sv[i], sv[j] = sv[j], sv[i] }
-func (sv stringValues) Less(i, j int) bool { return sv.get(i) < sv.get(j) }
-func (sv stringValues) get(i int) string   { return sv[i].String() }
-
-// NOTE: keep in sync with stringBytes below.
-func (e *encodeState) string(s string) int {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
-				i++
-				continue
-			}
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, > and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		c, size := utf8.DecodeRuneInString(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.WriteString(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0
-}
-
-// NOTE: keep in sync with string above.
-func (e *encodeState) stringBytes(s []byte) int {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
-				i++
-				continue
-			}
-			if start < i {
-				e.Write(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, >, and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		c, size := utf8.DecodeRune(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.Write(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0
-}
-
-// A field represents a single field found in a struct.
-type field struct {
-	name      string
-	nameBytes []byte // []byte(name)
-
-	tag       bool
-	index     []int
-	typ       reflect.Type
-	omitEmpty bool
-	quoted    bool
-}
-
-func fillField(f field) field {
-	f.nameBytes = []byte(f.name)
-	return f
-}
-
-// byName sorts field by name, breaking ties with depth,
-// then breaking ties with "name came from json tag", then
-// breaking ties with index sequence.
-type byName []field
-
-func (x byName) Len() int { return len(x) }
-
-func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byName) Less(i, j int) bool {
-	if x[i].name != x[j].name {
-		return x[i].name < x[j].name
-	}
-	if len(x[i].index) != len(x[j].index) {
-		return len(x[i].index) < len(x[j].index)
-	}
-	if x[i].tag != x[j].tag {
-		return x[i].tag
-	}
-	return byIndex(x).Less(i, j)
-}
-
-// byIndex sorts field by index sequence.
-type byIndex []field
-
-func (x byIndex) Len() int { return len(x) }
-
-func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byIndex) Less(i, j int) bool {
-	for k, xik := range x[i].index {
-		if k >= len(x[j].index) {
-			return false
-		}
-		if xik != x[j].index[k] {
-			return xik < x[j].index[k]
-		}
-	}
-	return len(x[i].index) < len(x[j].index)
-}
-
-// typeFields returns a list of fields that JSON should recognize for the given type.
-// The algorithm is breadth-first search over the set of structs to include - the top struct
-// and then any reachable anonymous structs.
-func typeFields(t reflect.Type) []field {
-	// Anonymous fields to explore at the current level and the next.
-	current := []field{}
-	next := []field{{typ: t}}
-
-	// Count of queued names for current level and the next.
-	count := map[reflect.Type]int{}
-	nextCount := map[reflect.Type]int{}
-
-	// Types already visited at an earlier level.
-	visited := map[reflect.Type]bool{}
-
-	// Fields found.
-	var fields []field
-
-	for len(next) > 0 {
-		current, next = next, current[:0]
-		count, nextCount = nextCount, map[reflect.Type]int{}
-
-		for _, f := range current {
-			if visited[f.typ] {
-				continue
-			}
-			visited[f.typ] = true
-
-			// Scan f.typ for fields to include.
-			for i := 0; i < f.typ.NumField(); i++ {
-				sf := f.typ.Field(i)
-				if sf.PkgPath != "" && !sf.Anonymous { // unexported
-					continue
-				}
-				tag := sf.Tag.Get("json")
-				if tag == "-" {
-					continue
-				}
-				name, opts := parseTag(tag)
-				if !isValidTag(name) {
-					name = ""
-				}
-				index := make([]int, len(f.index)+1)
-				copy(index, f.index)
-				index[len(f.index)] = i
-
-				ft := sf.Type
-				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
-					// Follow pointer.
-					ft = ft.Elem()
-				}
-
-				// Only strings, floats, integers, and booleans can be quoted.
-				quoted := false
-				if opts.Contains("string") {
-					switch ft.Kind() {
-					case reflect.Bool,
-						reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
-						reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
-						reflect.Float32, reflect.Float64,
-						reflect.String:
-						quoted = true
-					}
-				}
-
-				// Record found field and index sequence.
-				if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
-					tagged := name != ""
-					if name == "" {
-						name = sf.Name
-					}
-					fields = append(fields, fillField(field{
-						name:      name,
-						tag:       tagged,
-						index:     index,
-						typ:       ft,
-						omitEmpty: opts.Contains("omitempty"),
-						quoted:    quoted,
-					}))
-					if count[f.typ] > 1 {
-						// If there were multiple instances, add a second,
-						// so that the annihilation code will see a duplicate.
-						// It only cares about the distinction between 1 or 2,
-						// so don't bother generating any more copies.
-						fields = append(fields, fields[len(fields)-1])
-					}
-					continue
-				}
-
-				// Record new anonymous struct to explore in next round.
-				nextCount[ft]++
-				if nextCount[ft] == 1 {
-					next = append(next, fillField(field{name: ft.Name(), index: index, typ: ft}))
-				}
-			}
-		}
-	}
-
-	sort.Sort(byName(fields))
-
-	// Delete all fields that are hidden by the Go rules for embedded fields,
-	// except that fields with JSON tags are promoted.
-
-	// The fields are sorted in primary order of name, secondary order
-	// of field index length. Loop over names; for each name, delete
-	// hidden fields by choosing the one dominant field that survives.
-	out := fields[:0]
-	for advance, i := 0, 0; i < len(fields); i += advance {
-		// One iteration per name.
-		// Find the sequence of fields with the name of this first field.
-		fi := fields[i]
-		name := fi.name
-		for advance = 1; i+advance < len(fields); advance++ {
-			fj := fields[i+advance]
-			if fj.name != name {
-				break
-			}
-		}
-		if advance == 1 { // Only one field with this name
-			out = append(out, fi)
-			continue
-		}
-		dominant, ok := dominantField(fields[i : i+advance])
-		if ok {
-			out = append(out, dominant)
-		}
-	}
-
-	fields = out
-	sort.Sort(byIndex(fields))
-
-	return fields
-}
-
-// dominantField looks through the fields, all of which are known to
-// have the same name, to find the single field that dominates the
-// others using Go's embedding rules, modified by the presence of
-// JSON tags. If there are multiple top-level fields, the boolean
-// will be false: This condition is an error in Go and we skip all
-// the fields.
-func dominantField(fields []field) (field, bool) {
-	// The fields are sorted in increasing index-length order. The winner
-	// must therefore be one with the shortest index length. Drop all
-	// longer entries, which is easy: just truncate the slice.
-	length := len(fields[0].index)
-	tagged := -1 // Index of first tagged field.
-	for i, f := range fields {
-		if len(f.index) > length {
-			fields = fields[:i]
-			break
-		}
-		if f.tag {
-			if tagged >= 0 {
-				// Multiple tagged fields at the same level: conflict.
-				// Return no field.
-				return field{}, false
-			}
-			tagged = i
-		}
-	}
-	if tagged >= 0 {
-		return fields[tagged], true
-	}
-	// All remaining fields have the same length. If there's more than one,
-	// we have a conflict (two fields named "X" at the same level) and we
-	// return no field.
-	if len(fields) > 1 {
-		return field{}, false
-	}
-	return fields[0], true
-}
-
-var fieldCache struct {
-	sync.RWMutex
-	m map[reflect.Type][]field
-}
-
-// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
-func cachedTypeFields(t reflect.Type) []field {
-	fieldCache.RLock()
-	f := fieldCache.m[t]
-	fieldCache.RUnlock()
-	if f != nil {
-		return f
-	}
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = typeFields(t)
-	if f == nil {
-		f = []field{}
-	}
-
-	fieldCache.Lock()
-	if fieldCache.m == nil {
-		fieldCache.m = map[reflect.Type][]field{}
-	}
-	fieldCache.m[t] = f
-	fieldCache.Unlock()
-	return f
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/indent.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/indent.go
deleted file mode 100644
index 7cd9f4db184..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/indent.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "bytes"
-
-// Compact appends to dst the JSON-encoded src with
-// insignificant space characters elided.
-func Compact(dst *bytes.Buffer, src []byte) error {
-	return compact(dst, src, false)
-}
-
-func compact(dst *bytes.Buffer, src []byte, escape bool) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	start := 0
-	for i, c := range src {
-		if escape && (c == '<' || c == '>' || c == '&') {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-		v := scan.step(&scan, c)
-		if v >= scanSkipSpace {
-			if v == scanError {
-				break
-			}
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			start = i + 1
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-	return nil
-}
-
-func newline(dst *bytes.Buffer, prefix, indent string, depth int) {
-	dst.WriteByte('\n')
-	dst.WriteString(prefix)
-	for i := 0; i < depth; i++ {
-		dst.WriteString(indent)
-	}
-}
-
-// Indent appends to dst an indented form of the JSON-encoded src.
-// Each element in a JSON object or array begins on a new,
-// indented line beginning with prefix followed by one or more
-// copies of indent according to the indentation nesting.
-// The data appended to dst does not begin with the prefix nor
-// any indentation, to make it easier to embed inside other formatted JSON data.
-// Although leading space characters (space, tab, carriage return, newline)
-// at the beginning of src are dropped, trailing space characters
-// at the end of src are preserved and copied to dst.
-// For example, if src has no trailing spaces, neither will dst;
-// if src ends in a trailing newline, so will dst.
-func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	needIndent := false
-	depth := 0
-	for _, c := range src {
-		scan.bytes++
-		v := scan.step(&scan, c)
-		if v == scanSkipSpace {
-			continue
-		}
-		if v == scanError {
-			break
-		}
-		if needIndent && v != scanEndObject && v != scanEndArray {
-			needIndent = false
-			depth++
-			newline(dst, prefix, indent, depth)
-		}
-
-		// Emit semantically uninteresting bytes
-		// (in particular, punctuation in strings) unmodified.
-		if v == scanContinue {
-			dst.WriteByte(c)
-			continue
-		}
-
-		// Add spacing around real punctuation.
-		switch c {
-		case '{', '[':
-			// delay indent so that empty object and array are formatted as {} and [].
-			needIndent = true
-			dst.WriteByte(c)
-
-		case ',':
-			dst.WriteByte(c)
-			newline(dst, prefix, indent, depth)
-
-		case ':':
-			dst.WriteByte(c)
-			dst.WriteByte(' ')
-
-		case '}', ']':
-			if needIndent {
-				// suppress indent in empty object/array
-				needIndent = false
-			} else {
-				depth--
-				newline(dst, prefix, indent, depth)
-			}
-			dst.WriteByte(c)
-
-		default:
-			dst.WriteByte(c)
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	return nil
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/scanner.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/scanner.go
deleted file mode 100644
index ee6622e8cf8..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/scanner.go
+++ /dev/null
@@ -1,623 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-// JSON value parser state machine.
-// Just about at the limit of what is reasonable to write by hand.
-// Some parts are a bit tedious, but overall it nicely factors out the
-// otherwise common code from the multiple scanning functions
-// in this package (Compact, Indent, checkValid, nextValue, etc).
-//
-// This file starts with two simple examples using the scanner
-// before diving into the scanner itself.
-
-import "strconv"
-
-// checkValid verifies that data is valid JSON-encoded data.
-// scan is passed in for use by checkValid to avoid an allocation.
-func checkValid(data []byte, scan *scanner) error {
-	scan.reset()
-	for _, c := range data {
-		scan.bytes++
-		if scan.step(scan, c) == scanError {
-			return scan.err
-		}
-	}
-	if scan.eof() == scanError {
-		return scan.err
-	}
-	return nil
-}
-
-// nextValue splits data after the next whole JSON value,
-// returning that value and the bytes that follow it as separate slices.
-// scan is passed in for use by nextValue to avoid an allocation.
-func nextValue(data []byte, scan *scanner) (value, rest []byte, err error) {
-	scan.reset()
-	for i, c := range data {
-		v := scan.step(scan, c)
-		if v >= scanEndObject {
-			switch v {
-			// probe the scanner with a space to determine whether we will
-			// get scanEnd on the next character. Otherwise, if the next character
-			// is not a space, scanEndTop allocates a needless error.
-			case scanEndObject, scanEndArray:
-				if scan.step(scan, ' ') == scanEnd {
-					return data[:i+1], data[i+1:], nil
-				}
-			case scanError:
-				return nil, nil, scan.err
-			case scanEnd:
-				return data[:i], data[i:], nil
-			}
-		}
-	}
-	if scan.eof() == scanError {
-		return nil, nil, scan.err
-	}
-	return data, nil, nil
-}
-
-// A SyntaxError is a description of a JSON syntax error.
-type SyntaxError struct {
-	msg    string // description of error
-	Offset int64  // error occurred after reading Offset bytes
-}
-
-func (e *SyntaxError) Error() string { return e.msg }
-
-// A scanner is a JSON scanning state machine.
-// Callers call scan.reset() and then pass bytes in one at a time
-// by calling scan.step(&scan, c) for each byte.
-// The return value, referred to as an opcode, tells the
-// caller about significant parsing events like beginning
-// and ending literals, objects, and arrays, so that the
-// caller can follow along if it wishes.
-// The return value scanEnd indicates that a single top-level
-// JSON value has been completed, *before* the byte that
-// just got passed in.  (The indication must be delayed in order
-// to recognize the end of numbers: is 123 a whole value or
-// the beginning of 12345e+6?).
-type scanner struct {
-	// The step is a func to be called to execute the next transition.
-	// Also tried using an integer constant and a single func
-	// with a switch, but using the func directly was 10% faster
-	// on a 64-bit Mac Mini, and it's nicer to read.
-	step func(*scanner, byte) int
-
-	// Reached end of top-level value.
-	endTop bool
-
-	// Stack of what we're in the middle of - array values, object keys, object values.
-	parseState []int
-
-	// Error that happened, if any.
-	err error
-
-	// 1-byte redo (see undo method)
-	redo      bool
-	redoCode  int
-	redoState func(*scanner, byte) int
-
-	// total bytes consumed, updated by decoder.Decode
-	bytes int64
-}
-
-// These values are returned by the state transition functions
-// assigned to scanner.state and the method scanner.eof.
-// They give details about the current state of the scan that
-// callers might be interested to know about.
-// It is okay to ignore the return value of any particular
-// call to scanner.state: if one call returns scanError,
-// every subsequent call will return scanError too.
-const (
-	// Continue.
-	scanContinue     = iota // uninteresting byte
-	scanBeginLiteral        // end implied by next result != scanContinue
-	scanBeginObject         // begin object
-	scanObjectKey           // just finished object key (string)
-	scanObjectValue         // just finished non-last object value
-	scanEndObject           // end object (implies scanObjectValue if possible)
-	scanBeginArray          // begin array
-	scanArrayValue          // just finished array value
-	scanEndArray            // end array (implies scanArrayValue if possible)
-	scanSkipSpace           // space byte; can skip; known to be last "continue" result
-
-	// Stop.
-	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
-	scanError // hit an error, scanner.err.
-)
-
-// These values are stored in the parseState stack.
-// They give the current state of a composite value
-// being scanned.  If the parser is inside a nested value
-// the parseState describes the nested state, outermost at entry 0.
-const (
-	parseObjectKey   = iota // parsing object key (before colon)
-	parseObjectValue        // parsing object value (after colon)
-	parseArrayValue         // parsing array value
-)
-
-// reset prepares the scanner for use.
-// It must be called before calling s.step.
-func (s *scanner) reset() {
-	s.step = stateBeginValue
-	s.parseState = s.parseState[0:0]
-	s.err = nil
-	s.redo = false
-	s.endTop = false
-}
-
-// eof tells the scanner that the end of input has been reached.
-// It returns a scan status just as s.step does.
-func (s *scanner) eof() int {
-	if s.err != nil {
-		return scanError
-	}
-	if s.endTop {
-		return scanEnd
-	}
-	s.step(s, ' ')
-	if s.endTop {
-		return scanEnd
-	}
-	if s.err == nil {
-		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
-	}
-	return scanError
-}
-
-// pushParseState pushes a new parse state p onto the parse stack.
-func (s *scanner) pushParseState(p int) {
-	s.parseState = append(s.parseState, p)
-}
-
-// popParseState pops a parse state (already obtained) off the stack
-// and updates s.step accordingly.
-func (s *scanner) popParseState() {
-	n := len(s.parseState) - 1
-	s.parseState = s.parseState[0:n]
-	s.redo = false
-	if n == 0 {
-		s.step = stateEndTop
-		s.endTop = true
-	} else {
-		s.step = stateEndValue
-	}
-}
-
-func isSpace(c byte) bool {
-	return c == ' ' || c == '\t' || c == '\r' || c == '\n'
-}
-
-// stateBeginValueOrEmpty is the state after reading `[`.
-func stateBeginValueOrEmpty(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == ']' {
-		return stateEndValue(s, c)
-	}
-	return stateBeginValue(s, c)
-}
-
-// stateBeginValue is the state at the beginning of the input.
-func stateBeginValue(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	switch c {
-	case '{':
-		s.step = stateBeginStringOrEmpty
-		s.pushParseState(parseObjectKey)
-		return scanBeginObject
-	case '[':
-		s.step = stateBeginValueOrEmpty
-		s.pushParseState(parseArrayValue)
-		return scanBeginArray
-	case '"':
-		s.step = stateInString
-		return scanBeginLiteral
-	case '-':
-		s.step = stateNeg
-		return scanBeginLiteral
-	case '0': // beginning of 0.123
-		s.step = state0
-		return scanBeginLiteral
-	case 't': // beginning of true
-		s.step = stateT
-		return scanBeginLiteral
-	case 'f': // beginning of false
-		s.step = stateF
-		return scanBeginLiteral
-	case 'n': // beginning of null
-		s.step = stateN
-		return scanBeginLiteral
-	}
-	if '1' <= c && c <= '9' { // beginning of 1234.5
-		s.step = state1
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of value")
-}
-
-// stateBeginStringOrEmpty is the state after reading `{`.
-func stateBeginStringOrEmpty(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '}' {
-		n := len(s.parseState)
-		s.parseState[n-1] = parseObjectValue
-		return stateEndValue(s, c)
-	}
-	return stateBeginString(s, c)
-}
-
-// stateBeginString is the state after reading `{"key": value,`.
-func stateBeginString(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '"' {
-		s.step = stateInString
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of object key string")
-}
-
-// stateEndValue is the state after completing a value,
-// such as after reading `{}` or `true` or `["x"`.
-func stateEndValue(s *scanner, c byte) int {
-	n := len(s.parseState)
-	if n == 0 {
-		// Completed top-level before the current byte.
-		s.step = stateEndTop
-		s.endTop = true
-		return stateEndTop(s, c)
-	}
-	if c <= ' ' && isSpace(c) {
-		s.step = stateEndValue
-		return scanSkipSpace
-	}
-	ps := s.parseState[n-1]
-	switch ps {
-	case parseObjectKey:
-		if c == ':' {
-			s.parseState[n-1] = parseObjectValue
-			s.step = stateBeginValue
-			return scanObjectKey
-		}
-		return s.error(c, "after object key")
-	case parseObjectValue:
-		if c == ',' {
-			s.parseState[n-1] = parseObjectKey
-			s.step = stateBeginString
-			return scanObjectValue
-		}
-		if c == '}' {
-			s.popParseState()
-			return scanEndObject
-		}
-		return s.error(c, "after object key:value pair")
-	case parseArrayValue:
-		if c == ',' {
-			s.step = stateBeginValue
-			return scanArrayValue
-		}
-		if c == ']' {
-			s.popParseState()
-			return scanEndArray
-		}
-		return s.error(c, "after array element")
-	}
-	return s.error(c, "")
-}
-
-// stateEndTop is the state after finishing the top-level value,
-// such as after reading `{}` or `[1,2,3]`.
-// Only space characters should be seen now.
-func stateEndTop(s *scanner, c byte) int {
-	if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
-		// Complain about non-space byte on next call.
-		s.error(c, "after top-level value")
-	}
-	return scanEnd
-}
-
-// stateInString is the state after reading `"`.
-func stateInString(s *scanner, c byte) int {
-	if c == '"' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	if c == '\\' {
-		s.step = stateInStringEsc
-		return scanContinue
-	}
-	if c < 0x20 {
-		return s.error(c, "in string literal")
-	}
-	return scanContinue
-}
-
-// stateInStringEsc is the state after reading `"\` during a quoted string.
-func stateInStringEsc(s *scanner, c byte) int {
-	switch c {
-	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
-		s.step = stateInString
-		return scanContinue
-	case 'u':
-		s.step = stateInStringEscU
-		return scanContinue
-	}
-	return s.error(c, "in string escape code")
-}
-
-// stateInStringEscU is the state after reading `"\u` during a quoted string.
-func stateInStringEscU(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU1
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
-func stateInStringEscU1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU12
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
-func stateInStringEscU12(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU123
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
-func stateInStringEscU123(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInString
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateNeg is the state after reading `-` during a number.
-func stateNeg(s *scanner, c byte) int {
-	if c == '0' {
-		s.step = state0
-		return scanContinue
-	}
-	if '1' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return s.error(c, "in numeric literal")
-}
-
-// state1 is the state after reading a non-zero integer during a number,
-// such as after reading `1` or `100` but not `0`.
-func state1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return state0(s, c)
-}
-
-// state0 is the state after reading `0` during a number.
-func state0(s *scanner, c byte) int {
-	if c == '.' {
-		s.step = stateDot
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateDot is the state after reading the integer and decimal point in a number,
-// such as after reading `1.`.
-func stateDot(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateDot0
-		return scanContinue
-	}
-	return s.error(c, "after decimal point in numeric literal")
-}
-
-// stateDot0 is the state after reading the integer, decimal point, and subsequent
-// digits of a number, such as after reading `3.14`.
-func stateDot0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateE is the state after reading the mantissa and e in a number,
-// such as after reading `314e` or `0.314e`.
-func stateE(s *scanner, c byte) int {
-	if c == '+' || c == '-' {
-		s.step = stateESign
-		return scanContinue
-	}
-	return stateESign(s, c)
-}
-
-// stateESign is the state after reading the mantissa, e, and sign in a number,
-// such as after reading `314e-` or `0.314e+`.
-func stateESign(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateE0
-		return scanContinue
-	}
-	return s.error(c, "in exponent of numeric literal")
-}
-
-// stateE0 is the state after reading the mantissa, e, optional sign,
-// and at least one digit of the exponent in a number,
-// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
-func stateE0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateT is the state after reading `t`.
-func stateT(s *scanner, c byte) int {
-	if c == 'r' {
-		s.step = stateTr
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'r')")
-}
-
-// stateTr is the state after reading `tr`.
-func stateTr(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateTru
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'u')")
-}
-
-// stateTru is the state after reading `tru`.
-func stateTru(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'e')")
-}
-
-// stateF is the state after reading `f`.
-func stateF(s *scanner, c byte) int {
-	if c == 'a' {
-		s.step = stateFa
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'a')")
-}
-
-// stateFa is the state after reading `fa`.
-func stateFa(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateFal
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'l')")
-}
-
-// stateFal is the state after reading `fal`.
-func stateFal(s *scanner, c byte) int {
-	if c == 's' {
-		s.step = stateFals
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 's')")
-}
-
-// stateFals is the state after reading `fals`.
-func stateFals(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'e')")
-}
-
-// stateN is the state after reading `n`.
-func stateN(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateNu
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'u')")
-}
-
-// stateNu is the state after reading `nu`.
-func stateNu(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateNul
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateNul is the state after reading `nul`.
-func stateNul(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateError is the state after reaching a syntax error,
-// such as after reading `[1}` or `5.1.2`.
-func stateError(s *scanner, c byte) int {
-	return scanError
-}
-
-// error records an error and switches to the error state.
-func (s *scanner) error(c byte, context string) int {
-	s.step = stateError
-	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
-	return scanError
-}
-
-// quoteChar formats c as a quoted character literal
-func quoteChar(c byte) string {
-	// special cases - different from quoted strings
-	if c == '\'' {
-		return `'\''`
-	}
-	if c == '"' {
-		return `'"'`
-	}
-
-	// use quoted string with different quotation marks
-	s := strconv.Quote(string(c))
-	return "'" + s[1:len(s)-1] + "'"
-}
-
-// undo causes the scanner to return scanCode from the next state transition.
-// This gives callers a simple 1-byte undo mechanism.
-func (s *scanner) undo(scanCode int) {
-	if s.redo {
-		panic("json: invalid use of scanner")
-	}
-	s.redoCode = scanCode
-	s.redoState = s.step
-	s.step = stateRedo
-	s.redo = true
-}
-
-// stateRedo helps implement the scanner's 1-byte undo.
-func stateRedo(s *scanner, c byte) int {
-	s.redo = false
-	s.step = s.redoState
-	return s.redoCode
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/stream.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/stream.go
deleted file mode 100644
index 9b2b926b033..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/stream.go
+++ /dev/null
@@ -1,485 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"errors"
-	"io"
-)
-
-// A Decoder reads and decodes JSON objects from an input stream.
-type Decoder struct {
-	r     io.Reader
-	buf   []byte
-	d     decodeState
-	scanp int // start of unread data in buf
-	scan  scanner
-	err   error
-
-	tokenState int
-	tokenStack []int
-}
-
-// NewDecoder returns a new decoder that reads from r.
-//
-// The decoder introduces its own buffering and may
-// read data from r beyond the JSON values requested.
-func NewDecoder(r io.Reader) *Decoder {
-	return &Decoder{r: r}
-}
-
-// Deprecated: Use `SetNumberType` instead
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.numberType = UnmarshalJSONNumber }
-
-// SetNumberType causes the Decoder to unmarshal a number into an interface{} as a
-// Number, float64 or int64 depending on `t` enum value.
-func (dec *Decoder) SetNumberType(t NumberUnmarshalType) { dec.d.numberType = t }
-
-// Decode reads the next JSON-encoded value from its
-// input and stores it in the value pointed to by v.
-//
-// See the documentation for Unmarshal for details about
-// the conversion of JSON into a Go value.
-func (dec *Decoder) Decode(v interface{}) error {
-	if dec.err != nil {
-		return dec.err
-	}
-
-	if err := dec.tokenPrepareForDecode(); err != nil {
-		return err
-	}
-
-	if !dec.tokenValueAllowed() {
-		return &SyntaxError{msg: "not at beginning of value"}
-	}
-
-	// Read whole value into buffer.
-	n, err := dec.readValue()
-	if err != nil {
-		return err
-	}
-	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
-	dec.scanp += n
-
-	// Don't save err from unmarshal into dec.err:
-	// the connection is still usable since we read a complete JSON
-	// object from it before the error happened.
-	err = dec.d.unmarshal(v)
-
-	// fixup token streaming state
-	dec.tokenValueEnd()
-
-	return err
-}
-
-// Buffered returns a reader of the data remaining in the Decoder's
-// buffer. The reader is valid until the next call to Decode.
-func (dec *Decoder) Buffered() io.Reader {
-	return bytes.NewReader(dec.buf[dec.scanp:])
-}
-
-// readValue reads a JSON value into dec.buf.
-// It returns the length of the encoding.
-func (dec *Decoder) readValue() (int, error) {
-	dec.scan.reset()
-
-	scanp := dec.scanp
-	var err error
-Input:
-	for {
-		// Look in the buffer for a new value.
-		for i, c := range dec.buf[scanp:] {
-			dec.scan.bytes++
-			v := dec.scan.step(&dec.scan, c)
-			if v == scanEnd {
-				scanp += i
-				break Input
-			}
-			// scanEnd is delayed one byte.
-			// We might block trying to get that byte from src,
-			// so instead invent a space byte.
-			if (v == scanEndObject || v == scanEndArray) && dec.scan.step(&dec.scan, ' ') == scanEnd {
-				scanp += i + 1
-				break Input
-			}
-			if v == scanError {
-				dec.err = dec.scan.err
-				return 0, dec.scan.err
-			}
-		}
-		scanp = len(dec.buf)
-
-		// Did the last read have an error?
-		// Delayed until now to allow buffer scan.
-		if err != nil {
-			if err == io.EOF {
-				if dec.scan.step(&dec.scan, ' ') == scanEnd {
-					break Input
-				}
-				if nonSpace(dec.buf) {
-					err = io.ErrUnexpectedEOF
-				}
-			}
-			dec.err = err
-			return 0, err
-		}
-
-		n := scanp - dec.scanp
-		err = dec.refill()
-		scanp = dec.scanp + n
-	}
-	return scanp - dec.scanp, nil
-}
-
-func (dec *Decoder) refill() error {
-	// Make room to read more into the buffer.
-	// First slide down data already consumed.
-	if dec.scanp > 0 {
-		n := copy(dec.buf, dec.buf[dec.scanp:])
-		dec.buf = dec.buf[:n]
-		dec.scanp = 0
-	}
-
-	// Grow buffer if not large enough.
-	const minRead = 512
-	if cap(dec.buf)-len(dec.buf) < minRead {
-		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
-		copy(newBuf, dec.buf)
-		dec.buf = newBuf
-	}
-
-	// Read.  Delay error for next iteration (after scan).
-	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
-	dec.buf = dec.buf[0 : len(dec.buf)+n]
-
-	return err
-}
-
-func nonSpace(b []byte) bool {
-	for _, c := range b {
-		if !isSpace(c) {
-			return true
-		}
-	}
-	return false
-}
-
-// An Encoder writes JSON objects to an output stream.
-type Encoder struct {
-	w   io.Writer
-	err error
-}
-
-// NewEncoder returns a new encoder that writes to w.
-func NewEncoder(w io.Writer) *Encoder {
-	return &Encoder{w: w}
-}
-
-// Encode writes the JSON encoding of v to the stream,
-// followed by a newline character.
-//
-// See the documentation for Marshal for details about the
-// conversion of Go values to JSON.
-func (enc *Encoder) Encode(v interface{}) error {
-	if enc.err != nil {
-		return enc.err
-	}
-	e := newEncodeState()
-	err := e.marshal(v)
-	if err != nil {
-		return err
-	}
-
-	// Terminate each value with a newline.
-	// This makes the output look a little nicer
-	// when debugging, and some kind of space
-	// is required if the encoded value was a number,
-	// so that the reader knows there aren't more
-	// digits coming.
-	e.WriteByte('\n')
-
-	if _, err = enc.w.Write(e.Bytes()); err != nil {
-		enc.err = err
-	}
-	encodeStatePool.Put(e)
-	return err
-}
-
-// RawMessage is a raw encoded JSON object.
-// It implements Marshaler and Unmarshaler and can
-// be used to delay JSON decoding or precompute a JSON encoding.
-type RawMessage []byte
-
-// MarshalJSON returns *m as the JSON encoding of m.
-func (m *RawMessage) MarshalJSON() ([]byte, error) {
-	return *m, nil
-}
-
-// UnmarshalJSON sets *m to a copy of data.
-func (m *RawMessage) UnmarshalJSON(data []byte) error {
-	if m == nil {
-		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
-	}
-	*m = append((*m)[0:0], data...)
-	return nil
-}
-
-var _ Marshaler = (*RawMessage)(nil)
-var _ Unmarshaler = (*RawMessage)(nil)
-
-// A Token holds a value of one of these types:
-//
-//	Delim, for the four JSON delimiters [ ] { }
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	Number, for JSON numbers
-//	string, for JSON string literals
-//	nil, for JSON null
-//
-type Token interface{}
-
-const (
-	tokenTopValue = iota
-	tokenArrayStart
-	tokenArrayValue
-	tokenArrayComma
-	tokenObjectStart
-	tokenObjectKey
-	tokenObjectColon
-	tokenObjectValue
-	tokenObjectComma
-)
-
-// advance tokenstate from a separator state to a value state
-func (dec *Decoder) tokenPrepareForDecode() error {
-	// Note: Not calling peek before switch, to avoid
-	// putting peek into the standard Decode path.
-	// peek is only called when using the Token API.
-	switch dec.tokenState {
-	case tokenArrayComma:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ',' {
-			return &SyntaxError{"expected comma after array element", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenArrayValue
-	case tokenObjectColon:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ':' {
-			return &SyntaxError{"expected colon after object key", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenObjectValue
-	}
-	return nil
-}
-
-func (dec *Decoder) tokenValueAllowed() bool {
-	switch dec.tokenState {
-	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		return true
-	}
-	return false
-}
-
-func (dec *Decoder) tokenValueEnd() {
-	switch dec.tokenState {
-	case tokenArrayStart, tokenArrayValue:
-		dec.tokenState = tokenArrayComma
-	case tokenObjectValue:
-		dec.tokenState = tokenObjectComma
-	}
-}
-
-// A Delim is a JSON array or object delimiter, one of [ ] { or }.
-type Delim rune
-
-func (d Delim) String() string {
-	return string(d)
-}
-
-// Token returns the next JSON token in the input stream.
-// At the end of the input stream, Token returns nil, io.EOF.
-//
-// Token guarantees that the delimiters [ ] { } it returns are
-// properly nested and matched: if Token encounters an unexpected
-// delimiter in the input, it will return an error.
-//
-// The input stream consists of basic JSON values—bool, string,
-// number, and null—along with delimiters [ ] { } of type Delim
-// to mark the start and end of arrays and objects.
-// Commas and colons are elided.
-func (dec *Decoder) Token() (Token, error) {
-	for {
-		c, err := dec.peek()
-		if err != nil {
-			return nil, err
-		}
-		switch c {
-		case '[':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenArrayStart
-			return Delim('['), nil
-
-		case ']':
-			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim(']'), nil
-
-		case '{':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenObjectStart
-			return Delim('{'), nil
-
-		case '}':
-			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim('}'), nil
-
-		case ':':
-			if dec.tokenState != tokenObjectColon {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = tokenObjectValue
-			continue
-
-		case ',':
-			if dec.tokenState == tokenArrayComma {
-				dec.scanp++
-				dec.tokenState = tokenArrayValue
-				continue
-			}
-			if dec.tokenState == tokenObjectComma {
-				dec.scanp++
-				dec.tokenState = tokenObjectKey
-				continue
-			}
-			return dec.tokenError(c)
-
-		case '"':
-			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
-				var x string
-				old := dec.tokenState
-				dec.tokenState = tokenTopValue
-				err := dec.Decode(&x)
-				dec.tokenState = old
-				if err != nil {
-					clearOffset(err)
-					return nil, err
-				}
-				dec.tokenState = tokenObjectColon
-				return x, nil
-			}
-			fallthrough
-
-		default:
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			var x interface{}
-			if err := dec.Decode(&x); err != nil {
-				clearOffset(err)
-				return nil, err
-			}
-			return x, nil
-		}
-	}
-}
-
-func clearOffset(err error) {
-	if s, ok := err.(*SyntaxError); ok {
-		s.Offset = 0
-	}
-}
-
-func (dec *Decoder) tokenError(c byte) (Token, error) {
-	var context string
-	switch dec.tokenState {
-	case tokenTopValue:
-		context = " looking for beginning of value"
-	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		context = " looking for beginning of value"
-	case tokenArrayComma:
-		context = " after array element"
-	case tokenObjectKey:
-		context = " looking for beginning of object key string"
-	case tokenObjectColon:
-		context = " after object key"
-	case tokenObjectComma:
-		context = " after object key:value pair"
-	}
-	return nil, &SyntaxError{"invalid character " + quoteChar(c) + " " + context, 0}
-}
-
-// More reports whether there is another element in the
-// current array or object being parsed.
-func (dec *Decoder) More() bool {
-	c, err := dec.peek()
-	return err == nil && c != ']' && c != '}'
-}
-
-func (dec *Decoder) peek() (byte, error) {
-	var err error
-	for {
-		for i := dec.scanp; i < len(dec.buf); i++ {
-			c := dec.buf[i]
-			if isSpace(c) {
-				continue
-			}
-			dec.scanp = i
-			return c, nil
-		}
-		// buffer has been scanned, now report any error
-		if err != nil {
-			return 0, err
-		}
-		err = dec.refill()
-	}
-}
-
-/*
-TODO
-
-// EncodeToken writes the given JSON token to the stream.
-// It returns an error if the delimiters [ ] { } are not properly used.
-//
-// EncodeToken does not call Flush, because usually it is part of
-// a larger operation such as Encode, and those will call Flush when finished.
-// Callers that create an Encoder and then invoke EncodeToken directly,
-// without using Encode, need to call Flush when finished to ensure that
-// the JSON is written to the underlying writer.
-func (e *Encoder) EncodeToken(t Token) error  {
-	...
-}
-
-*/
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/json/tags.go b/vendor/gopkg.in/go-jose/go-jose.v2/json/tags.go
deleted file mode 100644
index c38fd5102f6..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/json/tags.go
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"strings"
-)
-
-// tagOptions is the string following a comma in a struct field's "json"
-// tag, or the empty string. It does not include the leading comma.
-type tagOptions string
-
-// parseTag splits a struct field's json tag into its name and
-// comma-separated options.
-func parseTag(tag string) (string, tagOptions) {
-	if idx := strings.Index(tag, ","); idx != -1 {
-		return tag[:idx], tagOptions(tag[idx+1:])
-	}
-	return tag, tagOptions("")
-}
-
-// Contains reports whether a comma-separated list of options
-// contains a particular substr flag. substr must be surrounded by a
-// string boundary or commas.
-func (o tagOptions) Contains(optionName string) bool {
-	if len(o) == 0 {
-		return false
-	}
-	s := string(o)
-	for s != "" {
-		var next string
-		i := strings.Index(s, ",")
-		if i >= 0 {
-			s, next = s[:i], s[i+1:]
-		}
-		if s == optionName {
-			return true
-		}
-		s = next
-	}
-	return false
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
deleted file mode 100644
index a8966ab8e9d..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+++ /dev/null
@@ -1,294 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"encoding/base64"
-	"fmt"
-	"strings"
-
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
-type rawJSONWebEncryption struct {
-	Protected    *byteBuffer        `json:"protected,omitempty"`
-	Unprotected  *rawHeader         `json:"unprotected,omitempty"`
-	Header       *rawHeader         `json:"header,omitempty"`
-	Recipients   []rawRecipientInfo `json:"recipients,omitempty"`
-	Aad          *byteBuffer        `json:"aad,omitempty"`
-	EncryptedKey *byteBuffer        `json:"encrypted_key,omitempty"`
-	Iv           *byteBuffer        `json:"iv,omitempty"`
-	Ciphertext   *byteBuffer        `json:"ciphertext,omitempty"`
-	Tag          *byteBuffer        `json:"tag,omitempty"`
-}
-
-// rawRecipientInfo represents a raw JWE Per-Recipient header JSON object. Used for parsing/serializing.
-type rawRecipientInfo struct {
-	Header       *rawHeader `json:"header,omitempty"`
-	EncryptedKey string     `json:"encrypted_key,omitempty"`
-}
-
-// JSONWebEncryption represents an encrypted JWE object after parsing.
-type JSONWebEncryption struct {
-	Header                   Header
-	protected, unprotected   *rawHeader
-	recipients               []recipientInfo
-	aad, iv, ciphertext, tag []byte
-	original                 *rawJSONWebEncryption
-}
-
-// recipientInfo represents a raw JWE Per-Recipient header JSON object after parsing.
-type recipientInfo struct {
-	header       *rawHeader
-	encryptedKey []byte
-}
-
-// GetAuthData retrieves the (optional) authenticated data attached to the object.
-func (obj JSONWebEncryption) GetAuthData() []byte {
-	if obj.aad != nil {
-		out := make([]byte, len(obj.aad))
-		copy(out, obj.aad)
-		return out
-	}
-
-	return nil
-}
-
-// Get the merged header values
-func (obj JSONWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader {
-	out := rawHeader{}
-	out.merge(obj.protected)
-	out.merge(obj.unprotected)
-
-	if recipient != nil {
-		out.merge(recipient.header)
-	}
-
-	return out
-}
-
-// Get the additional authenticated data from a JWE object.
-func (obj JSONWebEncryption) computeAuthData() []byte {
-	var protected string
-
-	if obj.original != nil && obj.original.Protected != nil {
-		protected = obj.original.Protected.base64()
-	} else if obj.protected != nil {
-		protected = base64.RawURLEncoding.EncodeToString(mustSerializeJSON((obj.protected)))
-	} else {
-		protected = ""
-	}
-
-	output := []byte(protected)
-	if obj.aad != nil {
-		output = append(output, '.')
-		output = append(output, []byte(base64.RawURLEncoding.EncodeToString(obj.aad))...)
-	}
-
-	return output
-}
-
-// ParseEncrypted parses an encrypted message in compact or full serialization format.
-func ParseEncrypted(input string) (*JSONWebEncryption, error) {
-	input = stripWhitespace(input)
-	if strings.HasPrefix(input, "{") {
-		return parseEncryptedFull(input)
-	}
-
-	return parseEncryptedCompact(input)
-}
-
-// parseEncryptedFull parses a message in compact format.
-func parseEncryptedFull(input string) (*JSONWebEncryption, error) {
-	var parsed rawJSONWebEncryption
-	err := json.Unmarshal([]byte(input), &parsed)
-	if err != nil {
-		return nil, err
-	}
-
-	return parsed.sanitized()
-}
-
-// sanitized produces a cleaned-up JWE object from the raw JSON.
-func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
-	obj := &JSONWebEncryption{
-		original:    parsed,
-		unprotected: parsed.Unprotected,
-	}
-
-	// Check that there is not a nonce in the unprotected headers
-	if parsed.Unprotected != nil {
-		if nonce := parsed.Unprotected.getNonce(); nonce != "" {
-			return nil, ErrUnprotectedNonce
-		}
-	}
-	if parsed.Header != nil {
-		if nonce := parsed.Header.getNonce(); nonce != "" {
-			return nil, ErrUnprotectedNonce
-		}
-	}
-
-	if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
-		err := json.Unmarshal(parsed.Protected.bytes(), &obj.protected)
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
-		}
-	}
-
-	// Note: this must be called _after_ we parse the protected header,
-	// otherwise fields from the protected header will not get picked up.
-	var err error
-	mergedHeaders := obj.mergedHeaders(nil)
-	obj.Header, err = mergedHeaders.sanitized()
-	if err != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders)
-	}
-
-	if len(parsed.Recipients) == 0 {
-		obj.recipients = []recipientInfo{
-			{
-				header:       parsed.Header,
-				encryptedKey: parsed.EncryptedKey.bytes(),
-			},
-		}
-	} else {
-		obj.recipients = make([]recipientInfo, len(parsed.Recipients))
-		for r := range parsed.Recipients {
-			encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
-			if err != nil {
-				return nil, err
-			}
-
-			// Check that there is not a nonce in the unprotected header
-			if parsed.Recipients[r].Header != nil && parsed.Recipients[r].Header.getNonce() != "" {
-				return nil, ErrUnprotectedNonce
-			}
-
-			obj.recipients[r].header = parsed.Recipients[r].Header
-			obj.recipients[r].encryptedKey = encryptedKey
-		}
-	}
-
-	for _, recipient := range obj.recipients {
-		headers := obj.mergedHeaders(&recipient)
-		if headers.getAlgorithm() == "" || headers.getEncryption() == "" {
-			return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers")
-		}
-	}
-
-	obj.iv = parsed.Iv.bytes()
-	obj.ciphertext = parsed.Ciphertext.bytes()
-	obj.tag = parsed.Tag.bytes()
-	obj.aad = parsed.Aad.bytes()
-
-	return obj, nil
-}
-
-// parseEncryptedCompact parses a message in compact format.
-func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 5 {
-		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
-	}
-
-	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
-	if err != nil {
-		return nil, err
-	}
-
-	encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
-	if err != nil {
-		return nil, err
-	}
-
-	iv, err := base64.RawURLEncoding.DecodeString(parts[2])
-	if err != nil {
-		return nil, err
-	}
-
-	ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
-	if err != nil {
-		return nil, err
-	}
-
-	tag, err := base64.RawURLEncoding.DecodeString(parts[4])
-	if err != nil {
-		return nil, err
-	}
-
-	raw := &rawJSONWebEncryption{
-		Protected:    newBuffer(rawProtected),
-		EncryptedKey: newBuffer(encryptedKey),
-		Iv:           newBuffer(iv),
-		Ciphertext:   newBuffer(ciphertext),
-		Tag:          newBuffer(tag),
-	}
-
-	return raw.sanitized()
-}
-
-// CompactSerialize serializes an object using the compact serialization format.
-func (obj JSONWebEncryption) CompactSerialize() (string, error) {
-	if len(obj.recipients) != 1 || obj.unprotected != nil ||
-		obj.protected == nil || obj.recipients[0].header != nil {
-		return "", ErrNotSupported
-	}
-
-	serializedProtected := mustSerializeJSON(obj.protected)
-
-	return fmt.Sprintf(
-		"%s.%s.%s.%s.%s",
-		base64.RawURLEncoding.EncodeToString(serializedProtected),
-		base64.RawURLEncoding.EncodeToString(obj.recipients[0].encryptedKey),
-		base64.RawURLEncoding.EncodeToString(obj.iv),
-		base64.RawURLEncoding.EncodeToString(obj.ciphertext),
-		base64.RawURLEncoding.EncodeToString(obj.tag)), nil
-}
-
-// FullSerialize serializes an object using the full JSON serialization format.
-func (obj JSONWebEncryption) FullSerialize() string {
-	raw := rawJSONWebEncryption{
-		Unprotected:  obj.unprotected,
-		Iv:           newBuffer(obj.iv),
-		Ciphertext:   newBuffer(obj.ciphertext),
-		EncryptedKey: newBuffer(obj.recipients[0].encryptedKey),
-		Tag:          newBuffer(obj.tag),
-		Aad:          newBuffer(obj.aad),
-		Recipients:   []rawRecipientInfo{},
-	}
-
-	if len(obj.recipients) > 1 {
-		for _, recipient := range obj.recipients {
-			info := rawRecipientInfo{
-				Header:       recipient.header,
-				EncryptedKey: base64.RawURLEncoding.EncodeToString(recipient.encryptedKey),
-			}
-			raw.Recipients = append(raw.Recipients, info)
-		}
-	} else {
-		// Use flattened serialization
-		raw.Header = obj.recipients[0].header
-		raw.EncryptedKey = newBuffer(obj.recipients[0].encryptedKey)
-	}
-
-	if obj.protected != nil {
-		raw.Protected = newBuffer(mustSerializeJSON(obj.protected))
-	}
-
-	return string(mustSerializeJSON(raw))
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwk.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwk.go
deleted file mode 100644
index ea3d863406f..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwk.go
+++ /dev/null
@@ -1,760 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"math/big"
-	"net/url"
-	"reflect"
-	"strings"
-
-	"golang.org/x/crypto/ed25519"
-
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
-type rawJSONWebKey struct {
-	Use string      `json:"use,omitempty"`
-	Kty string      `json:"kty,omitempty"`
-	Kid string      `json:"kid,omitempty"`
-	Crv string      `json:"crv,omitempty"`
-	Alg string      `json:"alg,omitempty"`
-	K   *byteBuffer `json:"k,omitempty"`
-	X   *byteBuffer `json:"x,omitempty"`
-	Y   *byteBuffer `json:"y,omitempty"`
-	N   *byteBuffer `json:"n,omitempty"`
-	E   *byteBuffer `json:"e,omitempty"`
-	// -- Following fields are only used for private keys --
-	// RSA uses D, P and Q, while ECDSA uses only D. Fields Dp, Dq, and Qi are
-	// completely optional. Therefore for RSA/ECDSA, D != nil is a contract that
-	// we have a private key whereas D == nil means we have only a public key.
-	D  *byteBuffer `json:"d,omitempty"`
-	P  *byteBuffer `json:"p,omitempty"`
-	Q  *byteBuffer `json:"q,omitempty"`
-	Dp *byteBuffer `json:"dp,omitempty"`
-	Dq *byteBuffer `json:"dq,omitempty"`
-	Qi *byteBuffer `json:"qi,omitempty"`
-	// Certificates
-	X5c       []string `json:"x5c,omitempty"`
-	X5u       *url.URL `json:"x5u,omitempty"`
-	X5tSHA1   string   `json:"x5t,omitempty"`
-	X5tSHA256 string   `json:"x5t#S256,omitempty"`
-}
-
-// JSONWebKey represents a public or private key in JWK format.
-type JSONWebKey struct {
-	// Cryptographic key, can be a symmetric or asymmetric key.
-	Key interface{}
-	// Key identifier, parsed from `kid` header.
-	KeyID string
-	// Key algorithm, parsed from `alg` header.
-	Algorithm string
-	// Key use, parsed from `use` header.
-	Use string
-
-	// X.509 certificate chain, parsed from `x5c` header.
-	Certificates []*x509.Certificate
-	// X.509 certificate URL, parsed from `x5u` header.
-	CertificatesURL *url.URL
-	// X.509 certificate thumbprint (SHA-1), parsed from `x5t` header.
-	CertificateThumbprintSHA1 []byte
-	// X.509 certificate thumbprint (SHA-256), parsed from `x5t#S256` header.
-	CertificateThumbprintSHA256 []byte
-}
-
-// MarshalJSON serializes the given key to its JSON representation.
-func (k JSONWebKey) MarshalJSON() ([]byte, error) {
-	var raw *rawJSONWebKey
-	var err error
-
-	switch key := k.Key.(type) {
-	case ed25519.PublicKey:
-		raw = fromEdPublicKey(key)
-	case *ecdsa.PublicKey:
-		raw, err = fromEcPublicKey(key)
-	case *rsa.PublicKey:
-		raw = fromRsaPublicKey(key)
-	case ed25519.PrivateKey:
-		raw, err = fromEdPrivateKey(key)
-	case *ecdsa.PrivateKey:
-		raw, err = fromEcPrivateKey(key)
-	case *rsa.PrivateKey:
-		raw, err = fromRsaPrivateKey(key)
-	case []byte:
-		raw, err = fromSymmetricKey(key)
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	raw.Kid = k.KeyID
-	raw.Alg = k.Algorithm
-	raw.Use = k.Use
-
-	for _, cert := range k.Certificates {
-		raw.X5c = append(raw.X5c, base64.StdEncoding.EncodeToString(cert.Raw))
-	}
-
-	x5tSHA1Len := len(k.CertificateThumbprintSHA1)
-	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
-	if x5tSHA1Len > 0 {
-		if x5tSHA1Len != sha1.Size {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)", sha1.Size, x5tSHA1Len)
-		}
-		raw.X5tSHA1 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA1)
-	}
-	if x5tSHA256Len > 0 {
-		if x5tSHA256Len != sha256.Size {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)", sha256.Size, x5tSHA256Len)
-		}
-		raw.X5tSHA256 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA256)
-	}
-
-	// If cert chain is attached (as opposed to being behind a URL), check the
-	// keys thumbprints to make sure they match what is expected. This is to
-	// ensure we don't accidentally produce a JWK with semantically inconsistent
-	// data in the headers.
-	if len(k.Certificates) > 0 {
-		expectedSHA1 := sha1.Sum(k.Certificates[0].Raw)
-		expectedSHA256 := sha256.Sum256(k.Certificates[0].Raw)
-
-		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(k.CertificateThumbprintSHA1, expectedSHA1[:]) {
-			return nil, errors.New("go-jose/go-jose: invalid SHA-1 thumbprint, does not match cert chain")
-		}
-		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(k.CertificateThumbprintSHA256, expectedSHA256[:]) {
-			return nil, errors.New("go-jose/go-jose: invalid or SHA-256 thumbprint, does not match cert chain")
-		}
-	}
-
-	raw.X5u = k.CertificatesURL
-
-	return json.Marshal(raw)
-}
-
-// UnmarshalJSON reads a key from its JSON representation.
-func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
-	var raw rawJSONWebKey
-	err = json.Unmarshal(data, &raw)
-	if err != nil {
-		return err
-	}
-
-	certs, err := parseCertificateChain(raw.X5c)
-	if err != nil {
-		return fmt.Errorf("go-jose/go-jose: failed to unmarshal x5c field: %s", err)
-	}
-
-	var key interface{}
-	var certPub interface{}
-	var keyPub interface{}
-
-	if len(certs) > 0 {
-		// We need to check that leaf public key matches the key embedded in this
-		// JWK, as required by the standard (see RFC 7517, Section 4.7). Otherwise
-		// the JWK parsed could be semantically invalid. Technically, should also
-		// check key usage fields and other extensions on the cert here, but the
-		// standard doesn't exactly explain how they're supposed to map from the
-		// JWK representation to the X.509 extensions.
-		certPub = certs[0].PublicKey
-	}
-
-	switch raw.Kty {
-	case "EC":
-		if raw.D != nil {
-			key, err = raw.ecPrivateKey()
-			if err == nil {
-				keyPub = key.(*ecdsa.PrivateKey).Public()
-			}
-		} else {
-			key, err = raw.ecPublicKey()
-			keyPub = key
-		}
-	case "RSA":
-		if raw.D != nil {
-			key, err = raw.rsaPrivateKey()
-			if err == nil {
-				keyPub = key.(*rsa.PrivateKey).Public()
-			}
-		} else {
-			key, err = raw.rsaPublicKey()
-			keyPub = key
-		}
-	case "oct":
-		if certPub != nil {
-			return errors.New("go-jose/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
-		}
-		key, err = raw.symmetricKey()
-	case "OKP":
-		if raw.Crv == "Ed25519" && raw.X != nil {
-			if raw.D != nil {
-				key, err = raw.edPrivateKey()
-				if err == nil {
-					keyPub = key.(ed25519.PrivateKey).Public()
-				}
-			} else {
-				key, err = raw.edPublicKey()
-				keyPub = key
-			}
-		} else {
-			err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
-		}
-	default:
-		err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
-	}
-
-	if err != nil {
-		return
-	}
-
-	if certPub != nil && keyPub != nil {
-		if !reflect.DeepEqual(certPub, keyPub) {
-			return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields to not match")
-		}
-	}
-
-	*k = JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use, Certificates: certs}
-
-	k.CertificatesURL = raw.X5u
-
-	// x5t parameters are base64url-encoded SHA thumbprints
-	// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
-	x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
-	if err != nil {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
-	}
-
-	// RFC 7517, Section 4.8 is ambiguous as to whether the digest output should be byte or hex,
-	// for this reason, after base64 decoding, if the size is sha1.Size it's likely that the value is a byte encoded
-	// checksum so we skip this. Otherwise if the checksum was hex encoded we expect a 40 byte sized array so we'll
-	// try to hex decode it. When Marshalling this value we'll always use a base64 encoded version of byte format checksum.
-	if len(x5tSHA1bytes) == 2*sha1.Size {
-		hx, err := hex.DecodeString(string(x5tSHA1bytes))
-		if err != nil {
-			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
-
-		}
-		x5tSHA1bytes = hx
-	}
-
-	k.CertificateThumbprintSHA1 = x5tSHA1bytes
-
-	x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
-	if err != nil {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
-	}
-
-	if len(x5tSHA256bytes) == 2*sha256.Size {
-		hx256, err := hex.DecodeString(string(x5tSHA256bytes))
-		if err != nil {
-			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
-		}
-		x5tSHA256bytes = hx256
-	}
-
-	k.CertificateThumbprintSHA256 = x5tSHA256bytes
-
-	x5tSHA1Len := len(k.CertificateThumbprintSHA1)
-	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
-	if x5tSHA1Len > 0 && x5tSHA1Len != sha1.Size {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t header is of incorrect size")
-	}
-	if x5tSHA256Len > 0 && x5tSHA256Len != sha256.Size {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
-	}
-
-	// If certificate chain *and* thumbprints are set, verify correctness.
-	if len(k.Certificates) > 0 {
-		leaf := k.Certificates[0]
-		sha1sum := sha1.Sum(leaf.Raw)
-		sha256sum := sha256.Sum256(leaf.Raw)
-
-		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(sha1sum[:], k.CertificateThumbprintSHA1) {
-			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
-		}
-
-		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(sha256sum[:], k.CertificateThumbprintSHA256) {
-			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
-		}
-	}
-
-	return
-}
-
-// JSONWebKeySet represents a JWK Set object.
-type JSONWebKeySet struct {
-	Keys []JSONWebKey `json:"keys"`
-}
-
-// Key convenience method returns keys by key ID. Specification states
-// that a JWK Set "SHOULD" use distinct key IDs, but allows for some
-// cases where they are not distinct. Hence method returns a slice
-// of JSONWebKeys.
-func (s *JSONWebKeySet) Key(kid string) []JSONWebKey {
-	var keys []JSONWebKey
-	for _, key := range s.Keys {
-		if key.KeyID == kid {
-			keys = append(keys, key)
-		}
-	}
-
-	return keys
-}
-
-const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}`
-const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`
-const edThumbprintTemplate = `{"crv":"%s","kty":"OKP","x":"%s"}`
-
-func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
-	coordLength := curveSize(curve)
-	crv, err := curveName(curve)
-	if err != nil {
-		return "", err
-	}
-
-	if len(x.Bytes()) > coordLength || len(y.Bytes()) > coordLength {
-		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
-	}
-
-	return fmt.Sprintf(ecThumbprintTemplate, crv,
-		newFixedSizeBuffer(x.Bytes(), coordLength).base64(),
-		newFixedSizeBuffer(y.Bytes(), coordLength).base64()), nil
-}
-
-func rsaThumbprintInput(n *big.Int, e int) (string, error) {
-	return fmt.Sprintf(rsaThumbprintTemplate,
-		newBufferFromInt(uint64(e)).base64(),
-		newBuffer(n.Bytes()).base64()), nil
-}
-
-func edThumbprintInput(ed ed25519.PublicKey) (string, error) {
-	crv := "Ed25519"
-	if len(ed) > 32 {
-		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
-	}
-	return fmt.Sprintf(edThumbprintTemplate, crv,
-		newFixedSizeBuffer(ed, 32).base64()), nil
-}
-
-// Thumbprint computes the JWK Thumbprint of a key using the
-// indicated hash algorithm.
-func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
-	var input string
-	var err error
-	switch key := k.Key.(type) {
-	case ed25519.PublicKey:
-		input, err = edThumbprintInput(key)
-	case *ecdsa.PublicKey:
-		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
-	case *ecdsa.PrivateKey:
-		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
-	case *rsa.PublicKey:
-		input, err = rsaThumbprintInput(key.N, key.E)
-	case *rsa.PrivateKey:
-		input, err = rsaThumbprintInput(key.N, key.E)
-	case ed25519.PrivateKey:
-		input, err = edThumbprintInput(ed25519.PublicKey(key[32:]))
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	h := hash.New()
-	h.Write([]byte(input))
-	return h.Sum(nil), nil
-}
-
-// IsPublic returns true if the JWK represents a public key (not symmetric, not private).
-func (k *JSONWebKey) IsPublic() bool {
-	switch k.Key.(type) {
-	case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
-		return true
-	default:
-		return false
-	}
-}
-
-// Public creates JSONWebKey with corresponding public key if JWK represents asymmetric private key.
-func (k *JSONWebKey) Public() JSONWebKey {
-	if k.IsPublic() {
-		return *k
-	}
-	ret := *k
-	switch key := k.Key.(type) {
-	case *ecdsa.PrivateKey:
-		ret.Key = key.Public()
-	case *rsa.PrivateKey:
-		ret.Key = key.Public()
-	case ed25519.PrivateKey:
-		ret.Key = key.Public()
-	default:
-		return JSONWebKey{} // returning invalid key
-	}
-	return ret
-}
-
-// Valid checks that the key contains the expected parameters.
-func (k *JSONWebKey) Valid() bool {
-	if k.Key == nil {
-		return false
-	}
-	switch key := k.Key.(type) {
-	case *ecdsa.PublicKey:
-		if key.Curve == nil || key.X == nil || key.Y == nil {
-			return false
-		}
-	case *ecdsa.PrivateKey:
-		if key.Curve == nil || key.X == nil || key.Y == nil || key.D == nil {
-			return false
-		}
-	case *rsa.PublicKey:
-		if key.N == nil || key.E == 0 {
-			return false
-		}
-	case *rsa.PrivateKey:
-		if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 {
-			return false
-		}
-	case ed25519.PublicKey:
-		if len(key) != 32 {
-			return false
-		}
-	case ed25519.PrivateKey:
-		if len(key) != 64 {
-			return false
-		}
-	default:
-		return false
-	}
-	return true
-}
-
-func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
-	if key.N == nil || key.E == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA key, missing n/e values")
-	}
-
-	return &rsa.PublicKey{
-		N: key.N.bigInt(),
-		E: key.E.toInt(),
-	}, nil
-}
-
-func fromEdPublicKey(pub ed25519.PublicKey) *rawJSONWebKey {
-	return &rawJSONWebKey{
-		Kty: "OKP",
-		Crv: "Ed25519",
-		X:   newBuffer(pub),
-	}
-}
-
-func fromRsaPublicKey(pub *rsa.PublicKey) *rawJSONWebKey {
-	return &rawJSONWebKey{
-		Kty: "RSA",
-		N:   newBuffer(pub.N.Bytes()),
-		E:   newBufferFromInt(uint64(pub.E)),
-	}
-}
-
-func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
-	var curve elliptic.Curve
-	switch key.Crv {
-	case "P-256":
-		curve = elliptic.P256()
-	case "P-384":
-		curve = elliptic.P384()
-	case "P-521":
-		curve = elliptic.P521()
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
-	}
-
-	if key.X == nil || key.Y == nil {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, missing x/y values")
-	}
-
-	// The length of this octet string MUST be the full size of a coordinate for
-	// the curve specified in the "crv" parameter.
-	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
-	if curveSize(curve) != len(key.X.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for x")
-	}
-
-	if curveSize(curve) != len(key.Y.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for y")
-	}
-
-	x := key.X.bigInt()
-	y := key.Y.bigInt()
-
-	if !curve.IsOnCurve(x, y) {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
-	}
-
-	return &ecdsa.PublicKey{
-		Curve: curve,
-		X:     x,
-		Y:     y,
-	}, nil
-}
-
-func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
-	if pub == nil || pub.X == nil || pub.Y == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (nil, or X/Y missing)")
-	}
-
-	name, err := curveName(pub.Curve)
-	if err != nil {
-		return nil, err
-	}
-
-	size := curveSize(pub.Curve)
-
-	xBytes := pub.X.Bytes()
-	yBytes := pub.Y.Bytes()
-
-	if len(xBytes) > size || len(yBytes) > size {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (X/Y too large)")
-	}
-
-	key := &rawJSONWebKey{
-		Kty: "EC",
-		Crv: name,
-		X:   newFixedSizeBuffer(xBytes, size),
-		Y:   newFixedSizeBuffer(yBytes, size),
-	}
-
-	return key, nil
-}
-
-func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
-	var missing []string
-	switch {
-	case key.D == nil:
-		missing = append(missing, "D")
-	case key.X == nil:
-		missing = append(missing, "X")
-	}
-
-	if len(missing) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
-	}
-
-	privateKey := make([]byte, ed25519.PrivateKeySize)
-	copy(privateKey[0:32], key.D.bytes())
-	copy(privateKey[32:], key.X.bytes())
-	rv := ed25519.PrivateKey(privateKey)
-	return rv, nil
-}
-
-func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
-	if key.X == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed key, missing x value")
-	}
-	publicKey := make([]byte, ed25519.PublicKeySize)
-	copy(publicKey[0:32], key.X.bytes())
-	rv := ed25519.PublicKey(publicKey)
-	return rv, nil
-}
-
-func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
-	var missing []string
-	switch {
-	case key.N == nil:
-		missing = append(missing, "N")
-	case key.E == nil:
-		missing = append(missing, "E")
-	case key.D == nil:
-		missing = append(missing, "D")
-	case key.P == nil:
-		missing = append(missing, "P")
-	case key.Q == nil:
-		missing = append(missing, "Q")
-	}
-
-	if len(missing) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
-	}
-
-	rv := &rsa.PrivateKey{
-		PublicKey: rsa.PublicKey{
-			N: key.N.bigInt(),
-			E: key.E.toInt(),
-		},
-		D: key.D.bigInt(),
-		Primes: []*big.Int{
-			key.P.bigInt(),
-			key.Q.bigInt(),
-		},
-	}
-
-	if key.Dp != nil {
-		rv.Precomputed.Dp = key.Dp.bigInt()
-	}
-	if key.Dq != nil {
-		rv.Precomputed.Dq = key.Dq.bigInt()
-	}
-	if key.Qi != nil {
-		rv.Precomputed.Qinv = key.Qi.bigInt()
-	}
-
-	err := rv.Validate()
-	return rv, err
-}
-
-func fromEdPrivateKey(ed ed25519.PrivateKey) (*rawJSONWebKey, error) {
-	raw := fromEdPublicKey(ed25519.PublicKey(ed[32:]))
-
-	raw.D = newBuffer(ed[0:32])
-	return raw, nil
-}
-
-func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJSONWebKey, error) {
-	if len(rsa.Primes) != 2 {
-		return nil, ErrUnsupportedKeyType
-	}
-
-	raw := fromRsaPublicKey(&rsa.PublicKey)
-
-	raw.D = newBuffer(rsa.D.Bytes())
-	raw.P = newBuffer(rsa.Primes[0].Bytes())
-	raw.Q = newBuffer(rsa.Primes[1].Bytes())
-
-	if rsa.Precomputed.Dp != nil {
-		raw.Dp = newBuffer(rsa.Precomputed.Dp.Bytes())
-	}
-	if rsa.Precomputed.Dq != nil {
-		raw.Dq = newBuffer(rsa.Precomputed.Dq.Bytes())
-	}
-	if rsa.Precomputed.Qinv != nil {
-		raw.Qi = newBuffer(rsa.Precomputed.Qinv.Bytes())
-	}
-
-	return raw, nil
-}
-
-func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
-	var curve elliptic.Curve
-	switch key.Crv {
-	case "P-256":
-		curve = elliptic.P256()
-	case "P-384":
-		curve = elliptic.P384()
-	case "P-521":
-		curve = elliptic.P521()
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
-	}
-
-	if key.X == nil || key.Y == nil || key.D == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
-	}
-
-	// The length of this octet string MUST be the full size of a coordinate for
-	// the curve specified in the "crv" parameter.
-	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
-	if curveSize(curve) != len(key.X.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for x")
-	}
-
-	if curveSize(curve) != len(key.Y.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for y")
-	}
-
-	// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
-	if dSize(curve) != len(key.D.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for d")
-	}
-
-	x := key.X.bigInt()
-	y := key.Y.bigInt()
-
-	if !curve.IsOnCurve(x, y) {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
-	}
-
-	return &ecdsa.PrivateKey{
-		PublicKey: ecdsa.PublicKey{
-			Curve: curve,
-			X:     x,
-			Y:     y,
-		},
-		D: key.D.bigInt(),
-	}, nil
-}
-
-func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJSONWebKey, error) {
-	raw, err := fromEcPublicKey(&ec.PublicKey)
-	if err != nil {
-		return nil, err
-	}
-
-	if ec.D == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key")
-	}
-
-	raw.D = newFixedSizeBuffer(ec.D.Bytes(), dSize(ec.PublicKey.Curve))
-
-	return raw, nil
-}
-
-// dSize returns the size in octets for the "d" member of an elliptic curve
-// private key.
-// The length of this octet string MUST be ceiling(log-base-2(n)/8)
-// octets (where n is the order of the curve).
-// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
-func dSize(curve elliptic.Curve) int {
-	order := curve.Params().P
-	bitLen := order.BitLen()
-	size := bitLen / 8
-	if bitLen%8 != 0 {
-		size = size + 1
-	}
-	return size
-}
-
-func fromSymmetricKey(key []byte) (*rawJSONWebKey, error) {
-	return &rawJSONWebKey{
-		Kty: "oct",
-		K:   newBuffer(key),
-	}, nil
-}
-
-func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
-	if key.K == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid OCT (symmetric) key, missing k value")
-	}
-	return key.K.bytes(), nil
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
deleted file mode 100644
index 1a24fa468a3..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+++ /dev/null
@@ -1,366 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"strings"
-
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
-type rawJSONWebSignature struct {
-	Payload    *byteBuffer        `json:"payload,omitempty"`
-	Signatures []rawSignatureInfo `json:"signatures,omitempty"`
-	Protected  *byteBuffer        `json:"protected,omitempty"`
-	Header     *rawHeader         `json:"header,omitempty"`
-	Signature  *byteBuffer        `json:"signature,omitempty"`
-}
-
-// rawSignatureInfo represents a single JWS signature over the JWS payload and protected header.
-type rawSignatureInfo struct {
-	Protected *byteBuffer `json:"protected,omitempty"`
-	Header    *rawHeader  `json:"header,omitempty"`
-	Signature *byteBuffer `json:"signature,omitempty"`
-}
-
-// JSONWebSignature represents a signed JWS object after parsing.
-type JSONWebSignature struct {
-	payload []byte
-	// Signatures attached to this object (may be more than one for multi-sig).
-	// Be careful about accessing these directly, prefer to use Verify() or
-	// VerifyMulti() to ensure that the data you're getting is verified.
-	Signatures []Signature
-}
-
-// Signature represents a single signature over the JWS payload and protected header.
-type Signature struct {
-	// Merged header fields. Contains both protected and unprotected header
-	// values. Prefer using Protected and Unprotected fields instead of this.
-	// Values in this header may or may not have been signed and in general
-	// should not be trusted.
-	Header Header
-
-	// Protected header. Values in this header were signed and
-	// will be verified as part of the signature verification process.
-	Protected Header
-
-	// Unprotected header. Values in this header were not signed
-	// and in general should not be trusted.
-	Unprotected Header
-
-	// The actual signature value
-	Signature []byte
-
-	protected *rawHeader
-	header    *rawHeader
-	original  *rawSignatureInfo
-}
-
-// ParseSigned parses a signed message in compact or full serialization format.
-func ParseSigned(signature string) (*JSONWebSignature, error) {
-	signature = stripWhitespace(signature)
-	if strings.HasPrefix(signature, "{") {
-		return parseSignedFull(signature)
-	}
-
-	return parseSignedCompact(signature, nil)
-}
-
-// ParseDetached parses a signed message in compact serialization format with detached payload.
-func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) {
-	if payload == nil {
-		return nil, errors.New("go-jose/go-jose: nil payload")
-	}
-	return parseSignedCompact(stripWhitespace(signature), payload)
-}
-
-// Get a header value
-func (sig Signature) mergedHeaders() rawHeader {
-	out := rawHeader{}
-	out.merge(sig.protected)
-	out.merge(sig.header)
-	return out
-}
-
-// Compute data to be signed
-func (obj JSONWebSignature) computeAuthData(payload []byte, signature *Signature) ([]byte, error) {
-	var authData bytes.Buffer
-
-	protectedHeader := new(rawHeader)
-
-	if signature.original != nil && signature.original.Protected != nil {
-		if err := json.Unmarshal(signature.original.Protected.bytes(), protectedHeader); err != nil {
-			return nil, err
-		}
-		authData.WriteString(signature.original.Protected.base64())
-	} else if signature.protected != nil {
-		protectedHeader = signature.protected
-		authData.WriteString(base64.RawURLEncoding.EncodeToString(mustSerializeJSON(protectedHeader)))
-	}
-
-	needsBase64 := true
-
-	if protectedHeader != nil {
-		var err error
-		if needsBase64, err = protectedHeader.getB64(); err != nil {
-			needsBase64 = true
-		}
-	}
-
-	authData.WriteByte('.')
-
-	if needsBase64 {
-		authData.WriteString(base64.RawURLEncoding.EncodeToString(payload))
-	} else {
-		authData.Write(payload)
-	}
-
-	return authData.Bytes(), nil
-}
-
-// parseSignedFull parses a message in full format.
-func parseSignedFull(input string) (*JSONWebSignature, error) {
-	var parsed rawJSONWebSignature
-	err := json.Unmarshal([]byte(input), &parsed)
-	if err != nil {
-		return nil, err
-	}
-
-	return parsed.sanitized()
-}
-
-// sanitized produces a cleaned-up JWS object from the raw JSON.
-func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
-	if parsed.Payload == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
-	}
-
-	obj := &JSONWebSignature{
-		payload:    parsed.Payload.bytes(),
-		Signatures: make([]Signature, len(parsed.Signatures)),
-	}
-
-	if len(parsed.Signatures) == 0 {
-		// No signatures array, must be flattened serialization
-		signature := Signature{}
-		if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
-			signature.protected = &rawHeader{}
-			err := json.Unmarshal(parsed.Protected.bytes(), signature.protected)
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// Check that there is not a nonce in the unprotected header
-		if parsed.Header != nil && parsed.Header.getNonce() != "" {
-			return nil, ErrUnprotectedNonce
-		}
-
-		signature.header = parsed.Header
-		signature.Signature = parsed.Signature.bytes()
-		// Make a fake "original" rawSignatureInfo to store the unprocessed
-		// Protected header. This is necessary because the Protected header can
-		// contain arbitrary fields not registered as part of the spec. See
-		// https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
-		// If we unmarshal Protected into a rawHeader with its explicit list of fields,
-		// we cannot marshal losslessly. So we have to keep around the original bytes.
-		// This is used in computeAuthData, which will first attempt to use
-		// the original bytes of a protected header, and fall back on marshaling the
-		// header struct only if those bytes are not available.
-		signature.original = &rawSignatureInfo{
-			Protected: parsed.Protected,
-			Header:    parsed.Header,
-			Signature: parsed.Signature,
-		}
-
-		var err error
-		signature.Header, err = signature.mergedHeaders().sanitized()
-		if err != nil {
-			return nil, err
-		}
-
-		if signature.header != nil {
-			signature.Unprotected, err = signature.header.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		if signature.protected != nil {
-			signature.Protected, err = signature.protected.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
-		jwk := signature.Header.JSONWebKey
-		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
-			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
-		}
-
-		obj.Signatures = append(obj.Signatures, signature)
-	}
-
-	for i, sig := range parsed.Signatures {
-		if sig.Protected != nil && len(sig.Protected.bytes()) > 0 {
-			obj.Signatures[i].protected = &rawHeader{}
-			err := json.Unmarshal(sig.Protected.bytes(), obj.Signatures[i].protected)
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// Check that there is not a nonce in the unprotected header
-		if sig.Header != nil && sig.Header.getNonce() != "" {
-			return nil, ErrUnprotectedNonce
-		}
-
-		var err error
-		obj.Signatures[i].Header, err = obj.Signatures[i].mergedHeaders().sanitized()
-		if err != nil {
-			return nil, err
-		}
-
-		if obj.Signatures[i].header != nil {
-			obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		if obj.Signatures[i].protected != nil {
-			obj.Signatures[i].Protected, err = obj.Signatures[i].protected.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		obj.Signatures[i].Signature = sig.Signature.bytes()
-
-		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
-		jwk := obj.Signatures[i].Header.JSONWebKey
-		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
-			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
-		}
-
-		// Copy value of sig
-		original := sig
-
-		obj.Signatures[i].header = sig.Header
-		obj.Signatures[i].original = &original
-	}
-
-	return obj, nil
-}
-
-// parseSignedCompact parses a message in compact format.
-func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-	parts := strings.Split(input, ".")
-	if len(parts) != 3 {
-		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
-	}
-
-	if parts[1] != "" && payload != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
-	}
-
-	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
-	if err != nil {
-		return nil, err
-	}
-
-	if payload == nil {
-		payload, err = base64.RawURLEncoding.DecodeString(parts[1])
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	signature, err := base64.RawURLEncoding.DecodeString(parts[2])
-	if err != nil {
-		return nil, err
-	}
-
-	raw := &rawJSONWebSignature{
-		Payload:   newBuffer(payload),
-		Protected: newBuffer(rawProtected),
-		Signature: newBuffer(signature),
-	}
-	return raw.sanitized()
-}
-
-func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {
-	if len(obj.Signatures) != 1 || obj.Signatures[0].header != nil || obj.Signatures[0].protected == nil {
-		return "", ErrNotSupported
-	}
-
-	serializedProtected := base64.RawURLEncoding.EncodeToString(mustSerializeJSON(obj.Signatures[0].protected))
-	payload := ""
-	signature := base64.RawURLEncoding.EncodeToString(obj.Signatures[0].Signature)
-
-	if !detached {
-		payload = base64.RawURLEncoding.EncodeToString(obj.payload)
-	}
-
-	return fmt.Sprintf("%s.%s.%s", serializedProtected, payload, signature), nil
-}
-
-// CompactSerialize serializes an object using the compact serialization format.
-func (obj JSONWebSignature) CompactSerialize() (string, error) {
-	return obj.compactSerialize(false)
-}
-
-// DetachedCompactSerialize serializes an object using the compact serialization format with detached payload.
-func (obj JSONWebSignature) DetachedCompactSerialize() (string, error) {
-	return obj.compactSerialize(true)
-}
-
-// FullSerialize serializes an object using the full JSON serialization format.
-func (obj JSONWebSignature) FullSerialize() string {
-	raw := rawJSONWebSignature{
-		Payload: newBuffer(obj.payload),
-	}
-
-	if len(obj.Signatures) == 1 {
-		if obj.Signatures[0].protected != nil {
-			serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
-			raw.Protected = newBuffer(serializedProtected)
-		}
-		raw.Header = obj.Signatures[0].header
-		raw.Signature = newBuffer(obj.Signatures[0].Signature)
-	} else {
-		raw.Signatures = make([]rawSignatureInfo, len(obj.Signatures))
-		for i, signature := range obj.Signatures {
-			raw.Signatures[i] = rawSignatureInfo{
-				Header:    signature.header,
-				Signature: newBuffer(signature.Signature),
-			}
-
-			if signature.protected != nil {
-				raw.Signatures[i].Protected = newBuffer(mustSerializeJSON(signature.protected))
-			}
-		}
-	}
-
-	return string(mustSerializeJSON(raw))
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/opaque.go b/vendor/gopkg.in/go-jose/go-jose.v2/opaque.go
deleted file mode 100644
index fc3e8d2ef6e..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/opaque.go
+++ /dev/null
@@ -1,144 +0,0 @@
-/*-
- * Copyright 2018 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-// OpaqueSigner is an interface that supports signing payloads with opaque
-// private key(s). Private key operations performed by implementers may, for
-// example, occur in a hardware module. An OpaqueSigner may rotate signing keys
-// transparently to the user of this interface.
-type OpaqueSigner interface {
-	// Public returns the public key of the current signing key.
-	Public() *JSONWebKey
-	// Algs returns a list of supported signing algorithms.
-	Algs() []SignatureAlgorithm
-	// SignPayload signs a payload with the current signing key using the given
-	// algorithm.
-	SignPayload(payload []byte, alg SignatureAlgorithm) ([]byte, error)
-}
-
-type opaqueSigner struct {
-	signer OpaqueSigner
-}
-
-func newOpaqueSigner(alg SignatureAlgorithm, signer OpaqueSigner) (recipientSigInfo, error) {
-	var algSupported bool
-	for _, salg := range signer.Algs() {
-		if alg == salg {
-			algSupported = true
-			break
-		}
-	}
-	if !algSupported {
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientSigInfo{
-		sigAlg:    alg,
-		publicKey: signer.Public,
-		signer: &opaqueSigner{
-			signer: signer,
-		},
-	}, nil
-}
-
-func (o *opaqueSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	out, err := o.signer.SignPayload(payload, alg)
-	if err != nil {
-		return Signature{}, err
-	}
-
-	return Signature{
-		Signature: out,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// OpaqueVerifier is an interface that supports verifying payloads with opaque
-// public key(s). An OpaqueSigner may rotate signing keys transparently to the
-// user of this interface.
-type OpaqueVerifier interface {
-	VerifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
-}
-
-type opaqueVerifier struct {
-	verifier OpaqueVerifier
-}
-
-func (o *opaqueVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	return o.verifier.VerifyPayload(payload, signature, alg)
-}
-
-// OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key.
-type OpaqueKeyEncrypter interface {
-	// KeyID returns the kid
-	KeyID() string
-	// Algs returns a list of supported key encryption algorithms.
-	Algs() []KeyAlgorithm
-	// encryptKey encrypts the CEK using the given algorithm.
-	encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error)
-}
-
-type opaqueKeyEncrypter struct {
-	encrypter OpaqueKeyEncrypter
-}
-
-func newOpaqueKeyEncrypter(alg KeyAlgorithm, encrypter OpaqueKeyEncrypter) (recipientKeyInfo, error) {
-	var algSupported bool
-	for _, salg := range encrypter.Algs() {
-		if alg == salg {
-			algSupported = true
-			break
-		}
-	}
-	if !algSupported {
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientKeyInfo{
-		keyID:  encrypter.KeyID(),
-		keyAlg: alg,
-		keyEncrypter: &opaqueKeyEncrypter{
-			encrypter: encrypter,
-		},
-	}, nil
-}
-
-func (oke *opaqueKeyEncrypter) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	return oke.encrypter.encryptKey(cek, alg)
-}
-
-//OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key.
-type OpaqueKeyDecrypter interface {
-	DecryptKey(encryptedKey []byte, header Header) ([]byte, error)
-}
-
-type opaqueKeyDecrypter struct {
-	decrypter OpaqueKeyDecrypter
-}
-
-func (okd *opaqueKeyDecrypter) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	mergedHeaders := rawHeader{}
-	mergedHeaders.merge(&headers)
-	mergedHeaders.merge(recipient.header)
-
-	header, err := mergedHeaders.sanitized()
-	if err != nil {
-		return nil, err
-	}
-
-	return okd.decrypter.DecryptKey(recipient.encryptedKey, header)
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/shared.go b/vendor/gopkg.in/go-jose/go-jose.v2/shared.go
deleted file mode 100644
index 0fa66a44bd6..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/shared.go
+++ /dev/null
@@ -1,520 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"crypto/elliptic"
-	"crypto/x509"
-	"encoding/base64"
-	"errors"
-	"fmt"
-
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// KeyAlgorithm represents a key management algorithm.
-type KeyAlgorithm string
-
-// SignatureAlgorithm represents a signature (or MAC) algorithm.
-type SignatureAlgorithm string
-
-// ContentEncryption represents a content encryption algorithm.
-type ContentEncryption string
-
-// CompressionAlgorithm represents an algorithm used for plaintext compression.
-type CompressionAlgorithm string
-
-// ContentType represents type of the contained data.
-type ContentType string
-
-var (
-	// ErrCryptoFailure represents an error in cryptographic primitive. This
-	// occurs when, for example, a message had an invalid authentication tag or
-	// could not be decrypted.
-	ErrCryptoFailure = errors.New("go-jose/go-jose: error in cryptographic primitive")
-
-	// ErrUnsupportedAlgorithm indicates that a selected algorithm is not
-	// supported. This occurs when trying to instantiate an encrypter for an
-	// algorithm that is not yet implemented.
-	ErrUnsupportedAlgorithm = errors.New("go-jose/go-jose: unknown/unsupported algorithm")
-
-	// ErrUnsupportedKeyType indicates that the given key type/format is not
-	// supported. This occurs when trying to instantiate an encrypter and passing
-	// it a key of an unrecognized type or with unsupported parameters, such as
-	// an RSA private key with more than two primes.
-	ErrUnsupportedKeyType = errors.New("go-jose/go-jose: unsupported key type/format")
-
-	// ErrInvalidKeySize indicates that the given key is not the correct size
-	// for the selected algorithm. This can occur, for example, when trying to
-	// encrypt with AES-256 but passing only a 128-bit key as input.
-	ErrInvalidKeySize = errors.New("go-jose/go-jose: invalid key size for algorithm")
-
-	// ErrNotSupported serialization of object is not supported. This occurs when
-	// trying to compact-serialize an object which can't be represented in
-	// compact form.
-	ErrNotSupported = errors.New("go-jose/go-jose: compact serialization not supported for object")
-
-	// ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
-	// nonce header parameter was included in an unprotected header object.
-	ErrUnprotectedNonce = errors.New("go-jose/go-jose: Nonce parameter included in unprotected header")
-)
-
-// Key management algorithms
-const (
-	ED25519            = KeyAlgorithm("ED25519")
-	RSA1_5             = KeyAlgorithm("RSA1_5")             // RSA-PKCS1v1.5
-	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")           // RSA-OAEP-SHA1
-	RSA_OAEP_256       = KeyAlgorithm("RSA-OAEP-256")       // RSA-OAEP-SHA256
-	A128KW             = KeyAlgorithm("A128KW")             // AES key wrap (128)
-	A192KW             = KeyAlgorithm("A192KW")             // AES key wrap (192)
-	A256KW             = KeyAlgorithm("A256KW")             // AES key wrap (256)
-	DIRECT             = KeyAlgorithm("dir")                // Direct encryption
-	ECDH_ES            = KeyAlgorithm("ECDH-ES")            // ECDH-ES
-	ECDH_ES_A128KW     = KeyAlgorithm("ECDH-ES+A128KW")     // ECDH-ES + AES key wrap (128)
-	ECDH_ES_A192KW     = KeyAlgorithm("ECDH-ES+A192KW")     // ECDH-ES + AES key wrap (192)
-	ECDH_ES_A256KW     = KeyAlgorithm("ECDH-ES+A256KW")     // ECDH-ES + AES key wrap (256)
-	A128GCMKW          = KeyAlgorithm("A128GCMKW")          // AES-GCM key wrap (128)
-	A192GCMKW          = KeyAlgorithm("A192GCMKW")          // AES-GCM key wrap (192)
-	A256GCMKW          = KeyAlgorithm("A256GCMKW")          // AES-GCM key wrap (256)
-	PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128)
-	PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192)
-	PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256)
-)
-
-// Signature algorithms
-const (
-	EdDSA = SignatureAlgorithm("EdDSA")
-	HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256
-	HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384
-	HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512
-	RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256
-	RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384
-	RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512
-	ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256
-	ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384
-	ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512
-	PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256
-	PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384
-	PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512
-)
-
-// Content encryption algorithms
-const (
-	A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
-	A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
-	A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
-	A128GCM       = ContentEncryption("A128GCM")       // AES-GCM (128)
-	A192GCM       = ContentEncryption("A192GCM")       // AES-GCM (192)
-	A256GCM       = ContentEncryption("A256GCM")       // AES-GCM (256)
-)
-
-// Compression algorithms
-const (
-	NONE    = CompressionAlgorithm("")    // No compression
-	DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951)
-)
-
-// A key in the protected header of a JWS object. Use of the Header...
-// constants is preferred to enhance type safety.
-type HeaderKey string
-
-const (
-	HeaderType        HeaderKey = "typ" // string
-	HeaderContentType           = "cty" // string
-
-	// These are set by go-jose and shouldn't need to be set by consumers of the
-	// library.
-	headerAlgorithm   = "alg"  // string
-	headerEncryption  = "enc"  // ContentEncryption
-	headerCompression = "zip"  // CompressionAlgorithm
-	headerCritical    = "crit" // []string
-
-	headerAPU = "apu" // *byteBuffer
-	headerAPV = "apv" // *byteBuffer
-	headerEPK = "epk" // *JSONWebKey
-	headerIV  = "iv"  // *byteBuffer
-	headerTag = "tag" // *byteBuffer
-	headerX5c = "x5c" // []*x509.Certificate
-
-	headerJWK   = "jwk"   // *JSONWebKey
-	headerKeyID = "kid"   // string
-	headerNonce = "nonce" // string
-	headerB64   = "b64"   // bool
-
-	headerP2C = "p2c" // *byteBuffer (int)
-	headerP2S = "p2s" // *byteBuffer ([]byte)
-
-)
-
-// supportedCritical is the set of supported extensions that are understood and processed.
-var supportedCritical = map[string]bool{
-	headerB64: true,
-}
-
-// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
-//
-// The decoding of the constituent items is deferred because we want to marshal
-// some members into particular structs rather than generic maps, but at the
-// same time we need to receive any extra fields unhandled by this library to
-// pass through to consuming code in case it wants to examine them.
-type rawHeader map[HeaderKey]*json.RawMessage
-
-// Header represents the read-only JOSE header for JWE/JWS objects.
-type Header struct {
-	KeyID      string
-	JSONWebKey *JSONWebKey
-	Algorithm  string
-	Nonce      string
-
-	// Unverified certificate chain parsed from x5c header.
-	certificates []*x509.Certificate
-
-	// Any headers not recognised above get unmarshalled
-	// from JSON in a generic manner and placed in this map.
-	ExtraHeaders map[HeaderKey]interface{}
-}
-
-// Certificates verifies & returns the certificate chain present
-// in the x5c header field of a message, if one was present. Returns
-// an error if there was no x5c header present or the chain could
-// not be validated with the given verify options.
-func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error) {
-	if len(h.certificates) == 0 {
-		return nil, errors.New("go-jose/go-jose: no x5c header present in message")
-	}
-
-	leaf := h.certificates[0]
-	if opts.Intermediates == nil {
-		opts.Intermediates = x509.NewCertPool()
-		for _, intermediate := range h.certificates[1:] {
-			opts.Intermediates.AddCert(intermediate)
-		}
-	}
-
-	return leaf.Verify(opts)
-}
-
-func (parsed rawHeader) set(k HeaderKey, v interface{}) error {
-	b, err := json.Marshal(v)
-	if err != nil {
-		return err
-	}
-
-	parsed[k] = makeRawMessage(b)
-	return nil
-}
-
-// getString gets a string from the raw JSON, defaulting to "".
-func (parsed rawHeader) getString(k HeaderKey) string {
-	v, ok := parsed[k]
-	if !ok || v == nil {
-		return ""
-	}
-	var s string
-	err := json.Unmarshal(*v, &s)
-	if err != nil {
-		return ""
-	}
-	return s
-}
-
-// getByteBuffer gets a byte buffer from the raw JSON. Returns (nil, nil) if
-// not specified.
-func (parsed rawHeader) getByteBuffer(k HeaderKey) (*byteBuffer, error) {
-	v := parsed[k]
-	if v == nil {
-		return nil, nil
-	}
-	var bb *byteBuffer
-	err := json.Unmarshal(*v, &bb)
-	if err != nil {
-		return nil, err
-	}
-	return bb, nil
-}
-
-// getAlgorithm extracts parsed "alg" from the raw JSON as a KeyAlgorithm.
-func (parsed rawHeader) getAlgorithm() KeyAlgorithm {
-	return KeyAlgorithm(parsed.getString(headerAlgorithm))
-}
-
-// getSignatureAlgorithm extracts parsed "alg" from the raw JSON as a SignatureAlgorithm.
-func (parsed rawHeader) getSignatureAlgorithm() SignatureAlgorithm {
-	return SignatureAlgorithm(parsed.getString(headerAlgorithm))
-}
-
-// getEncryption extracts parsed "enc" from the raw JSON.
-func (parsed rawHeader) getEncryption() ContentEncryption {
-	return ContentEncryption(parsed.getString(headerEncryption))
-}
-
-// getCompression extracts parsed "zip" from the raw JSON.
-func (parsed rawHeader) getCompression() CompressionAlgorithm {
-	return CompressionAlgorithm(parsed.getString(headerCompression))
-}
-
-func (parsed rawHeader) getNonce() string {
-	return parsed.getString(headerNonce)
-}
-
-// getEPK extracts parsed "epk" from the raw JSON.
-func (parsed rawHeader) getEPK() (*JSONWebKey, error) {
-	v := parsed[headerEPK]
-	if v == nil {
-		return nil, nil
-	}
-	var epk *JSONWebKey
-	err := json.Unmarshal(*v, &epk)
-	if err != nil {
-		return nil, err
-	}
-	return epk, nil
-}
-
-// getAPU extracts parsed "apu" from the raw JSON.
-func (parsed rawHeader) getAPU() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerAPU)
-}
-
-// getAPV extracts parsed "apv" from the raw JSON.
-func (parsed rawHeader) getAPV() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerAPV)
-}
-
-// getIV extracts parsed "iv" from the raw JSON.
-func (parsed rawHeader) getIV() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerIV)
-}
-
-// getTag extracts parsed "tag" from the raw JSON.
-func (parsed rawHeader) getTag() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerTag)
-}
-
-// getJWK extracts parsed "jwk" from the raw JSON.
-func (parsed rawHeader) getJWK() (*JSONWebKey, error) {
-	v := parsed[headerJWK]
-	if v == nil {
-		return nil, nil
-	}
-	var jwk *JSONWebKey
-	err := json.Unmarshal(*v, &jwk)
-	if err != nil {
-		return nil, err
-	}
-	return jwk, nil
-}
-
-// getCritical extracts parsed "crit" from the raw JSON. If omitted, it
-// returns an empty slice.
-func (parsed rawHeader) getCritical() ([]string, error) {
-	v := parsed[headerCritical]
-	if v == nil {
-		return nil, nil
-	}
-
-	var q []string
-	err := json.Unmarshal(*v, &q)
-	if err != nil {
-		return nil, err
-	}
-	return q, nil
-}
-
-// getS2C extracts parsed "p2c" from the raw JSON.
-func (parsed rawHeader) getP2C() (int, error) {
-	v := parsed[headerP2C]
-	if v == nil {
-		return 0, nil
-	}
-
-	var p2c int
-	err := json.Unmarshal(*v, &p2c)
-	if err != nil {
-		return 0, err
-	}
-	return p2c, nil
-}
-
-// getS2S extracts parsed "p2s" from the raw JSON.
-func (parsed rawHeader) getP2S() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerP2S)
-}
-
-// getB64 extracts parsed "b64" from the raw JSON, defaulting to true.
-func (parsed rawHeader) getB64() (bool, error) {
-	v := parsed[headerB64]
-	if v == nil {
-		return true, nil
-	}
-
-	var b64 bool
-	err := json.Unmarshal(*v, &b64)
-	if err != nil {
-		return true, err
-	}
-	return b64, nil
-}
-
-// sanitized produces a cleaned-up header object from the raw JSON.
-func (parsed rawHeader) sanitized() (h Header, err error) {
-	for k, v := range parsed {
-		if v == nil {
-			continue
-		}
-		switch k {
-		case headerJWK:
-			var jwk *JSONWebKey
-			err = json.Unmarshal(*v, &jwk)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal JWK: %v: %#v", err, string(*v))
-				return
-			}
-			h.JSONWebKey = jwk
-		case headerKeyID:
-			var s string
-			err = json.Unmarshal(*v, &s)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal key ID: %v: %#v", err, string(*v))
-				return
-			}
-			h.KeyID = s
-		case headerAlgorithm:
-			var s string
-			err = json.Unmarshal(*v, &s)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal algorithm: %v: %#v", err, string(*v))
-				return
-			}
-			h.Algorithm = s
-		case headerNonce:
-			var s string
-			err = json.Unmarshal(*v, &s)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal nonce: %v: %#v", err, string(*v))
-				return
-			}
-			h.Nonce = s
-		case headerX5c:
-			c := []string{}
-			err = json.Unmarshal(*v, &c)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v))
-				return
-			}
-			h.certificates, err = parseCertificateChain(c)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v))
-				return
-			}
-		default:
-			if h.ExtraHeaders == nil {
-				h.ExtraHeaders = map[HeaderKey]interface{}{}
-			}
-			var v2 interface{}
-			err = json.Unmarshal(*v, &v2)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal value: %v: %#v", err, string(*v))
-				return
-			}
-			h.ExtraHeaders[k] = v2
-		}
-	}
-	return
-}
-
-func parseCertificateChain(chain []string) ([]*x509.Certificate, error) {
-	out := make([]*x509.Certificate, len(chain))
-	for i, cert := range chain {
-		raw, err := base64.StdEncoding.DecodeString(cert)
-		if err != nil {
-			return nil, err
-		}
-		out[i], err = x509.ParseCertificate(raw)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return out, nil
-}
-
-func (dst rawHeader) isSet(k HeaderKey) bool {
-	dvr := dst[k]
-	if dvr == nil {
-		return false
-	}
-
-	var dv interface{}
-	err := json.Unmarshal(*dvr, &dv)
-	if err != nil {
-		return true
-	}
-
-	if dvStr, ok := dv.(string); ok {
-		return dvStr != ""
-	}
-
-	return true
-}
-
-// Merge headers from src into dst, giving precedence to headers from l.
-func (dst rawHeader) merge(src *rawHeader) {
-	if src == nil {
-		return
-	}
-
-	for k, v := range *src {
-		if dst.isSet(k) {
-			continue
-		}
-
-		dst[k] = v
-	}
-}
-
-// Get JOSE name of curve
-func curveName(crv elliptic.Curve) (string, error) {
-	switch crv {
-	case elliptic.P256():
-		return "P-256", nil
-	case elliptic.P384():
-		return "P-384", nil
-	case elliptic.P521():
-		return "P-521", nil
-	default:
-		return "", fmt.Errorf("go-jose/go-jose: unsupported/unknown elliptic curve")
-	}
-}
-
-// Get size of curve in bytes
-func curveSize(crv elliptic.Curve) int {
-	bits := crv.Params().BitSize
-
-	div := bits / 8
-	mod := bits % 8
-
-	if mod == 0 {
-		return div
-	}
-
-	return div + 1
-}
-
-func makeRawMessage(b []byte) *json.RawMessage {
-	rm := json.RawMessage(b)
-	return &rm
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/signing.go b/vendor/gopkg.in/go-jose/go-jose.v2/signing.go
deleted file mode 100644
index 5195a1a916b..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/signing.go
+++ /dev/null
@@ -1,441 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"encoding/base64"
-	"errors"
-	"fmt"
-
-	"golang.org/x/crypto/ed25519"
-
-	"gopkg.in/go-jose/go-jose.v2/json"
-)
-
-// NonceSource represents a source of random nonces to go into JWS objects
-type NonceSource interface {
-	Nonce() (string, error)
-}
-
-// Signer represents a signer which takes a payload and produces a signed JWS object.
-type Signer interface {
-	Sign(payload []byte) (*JSONWebSignature, error)
-	Options() SignerOptions
-}
-
-// SigningKey represents an algorithm/key used to sign a message.
-type SigningKey struct {
-	Algorithm SignatureAlgorithm
-	Key       interface{}
-}
-
-// SignerOptions represents options that can be set when creating signers.
-type SignerOptions struct {
-	NonceSource NonceSource
-	EmbedJWK    bool
-
-	// Optional map of additional keys to be inserted into the protected header
-	// of a JWS object. Some specifications which make use of JWS like to insert
-	// additional values here. All values must be JSON-serializable.
-	ExtraHeaders map[HeaderKey]interface{}
-}
-
-// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
-// if necessary. It returns itself and so can be used in a fluent style.
-func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions {
-	if so.ExtraHeaders == nil {
-		so.ExtraHeaders = map[HeaderKey]interface{}{}
-	}
-	so.ExtraHeaders[k] = v
-	return so
-}
-
-// WithContentType adds a content type ("cty") header and returns the updated
-// SignerOptions.
-func (so *SignerOptions) WithContentType(contentType ContentType) *SignerOptions {
-	return so.WithHeader(HeaderContentType, contentType)
-}
-
-// WithType adds a type ("typ") header and returns the updated SignerOptions.
-func (so *SignerOptions) WithType(typ ContentType) *SignerOptions {
-	return so.WithHeader(HeaderType, typ)
-}
-
-// WithCritical adds the given names to the critical ("crit") header and returns
-// the updated SignerOptions.
-func (so *SignerOptions) WithCritical(names ...string) *SignerOptions {
-	if so.ExtraHeaders[headerCritical] == nil {
-		so.WithHeader(headerCritical, make([]string, 0, len(names)))
-	}
-	crit := so.ExtraHeaders[headerCritical].([]string)
-	so.ExtraHeaders[headerCritical] = append(crit, names...)
-	return so
-}
-
-// WithBase64 adds a base64url-encode payload ("b64") header and returns the updated
-// SignerOptions. When the "b64" value is "false", the payload is not base64 encoded.
-func (so *SignerOptions) WithBase64(b64 bool) *SignerOptions {
-	if !b64 {
-		so.WithHeader(headerB64, b64)
-		so.WithCritical(headerB64)
-	}
-	return so
-}
-
-type payloadSigner interface {
-	signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error)
-}
-
-type payloadVerifier interface {
-	verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
-}
-
-type genericSigner struct {
-	recipients   []recipientSigInfo
-	nonceSource  NonceSource
-	embedJWK     bool
-	extraHeaders map[HeaderKey]interface{}
-}
-
-type recipientSigInfo struct {
-	sigAlg    SignatureAlgorithm
-	publicKey func() *JSONWebKey
-	signer    payloadSigner
-}
-
-func staticPublicKey(jwk *JSONWebKey) func() *JSONWebKey {
-	return func() *JSONWebKey {
-		return jwk
-	}
-}
-
-// NewSigner creates an appropriate signer based on the key type
-func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error) {
-	return NewMultiSigner([]SigningKey{sig}, opts)
-}
-
-// NewMultiSigner creates a signer for multiple recipients
-func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error) {
-	signer := &genericSigner{recipients: []recipientSigInfo{}}
-
-	if opts != nil {
-		signer.nonceSource = opts.NonceSource
-		signer.embedJWK = opts.EmbedJWK
-		signer.extraHeaders = opts.ExtraHeaders
-	}
-
-	for _, sig := range sigs {
-		err := signer.addRecipient(sig.Algorithm, sig.Key)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return signer, nil
-}
-
-// newVerifier creates a verifier based on the key type
-func newVerifier(verificationKey interface{}) (payloadVerifier, error) {
-	switch verificationKey := verificationKey.(type) {
-	case ed25519.PublicKey:
-		return &edEncrypterVerifier{
-			publicKey: verificationKey,
-		}, nil
-	case *rsa.PublicKey:
-		return &rsaEncrypterVerifier{
-			publicKey: verificationKey,
-		}, nil
-	case *ecdsa.PublicKey:
-		return &ecEncrypterVerifier{
-			publicKey: verificationKey,
-		}, nil
-	case []byte:
-		return &symmetricMac{
-			key: verificationKey,
-		}, nil
-	case JSONWebKey:
-		return newVerifier(verificationKey.Key)
-	case *JSONWebKey:
-		return newVerifier(verificationKey.Key)
-	}
-	if ov, ok := verificationKey.(OpaqueVerifier); ok {
-		return &opaqueVerifier{verifier: ov}, nil
-	}
-	return nil, ErrUnsupportedKeyType
-}
-
-func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interface{}) error {
-	recipient, err := makeJWSRecipient(alg, signingKey)
-	if err != nil {
-		return err
-	}
-
-	ctx.recipients = append(ctx.recipients, recipient)
-	return nil
-}
-
-func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) {
-	switch signingKey := signingKey.(type) {
-	case ed25519.PrivateKey:
-		return newEd25519Signer(alg, signingKey)
-	case *rsa.PrivateKey:
-		return newRSASigner(alg, signingKey)
-	case *ecdsa.PrivateKey:
-		return newECDSASigner(alg, signingKey)
-	case []byte:
-		return newSymmetricSigner(alg, signingKey)
-	case JSONWebKey:
-		return newJWKSigner(alg, signingKey)
-	case *JSONWebKey:
-		return newJWKSigner(alg, *signingKey)
-	}
-	if signer, ok := signingKey.(OpaqueSigner); ok {
-		return newOpaqueSigner(alg, signer)
-	}
-	return recipientSigInfo{}, ErrUnsupportedKeyType
-}
-
-func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigInfo, error) {
-	recipient, err := makeJWSRecipient(alg, signingKey.Key)
-	if err != nil {
-		return recipientSigInfo{}, err
-	}
-	if recipient.publicKey != nil && recipient.publicKey() != nil {
-		// recipient.publicKey is a JWK synthesized for embedding when recipientSigInfo
-		// was created for the inner key (such as a RSA or ECDSA public key). It contains
-		// the pub key for embedding, but doesn't have extra params like key id.
-		publicKey := signingKey
-		publicKey.Key = recipient.publicKey().Key
-		recipient.publicKey = staticPublicKey(&publicKey)
-
-		// This should be impossible, but let's check anyway.
-		if !recipient.publicKey().IsPublic() {
-			return recipientSigInfo{}, errors.New("go-jose/go-jose: public key was unexpectedly not public")
-		}
-	}
-	return recipient, nil
-}
-
-func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
-	obj := &JSONWebSignature{}
-	obj.payload = payload
-	obj.Signatures = make([]Signature, len(ctx.recipients))
-
-	for i, recipient := range ctx.recipients {
-		protected := map[HeaderKey]interface{}{
-			headerAlgorithm: string(recipient.sigAlg),
-		}
-
-		if recipient.publicKey != nil && recipient.publicKey() != nil {
-			// We want to embed the JWK or set the kid header, but not both. Having a protected
-			// header that contains an embedded JWK while also simultaneously containing the kid
-			// header is confusing, and at least in ACME the two are considered to be mutually
-			// exclusive. The fact that both can exist at the same time is a somewhat unfortunate
-			// result of the JOSE spec. We've decided that this library will only include one or
-			// the other to avoid this confusion.
-			//
-			// See https://github.com/go-jose/go-jose/issues/157 for more context.
-			if ctx.embedJWK {
-				protected[headerJWK] = recipient.publicKey()
-			} else {
-				keyID := recipient.publicKey().KeyID
-				if keyID != "" {
-					protected[headerKeyID] = keyID
-				}
-			}
-		}
-
-		if ctx.nonceSource != nil {
-			nonce, err := ctx.nonceSource.Nonce()
-			if err != nil {
-				return nil, fmt.Errorf("go-jose/go-jose: Error generating nonce: %v", err)
-			}
-			protected[headerNonce] = nonce
-		}
-
-		for k, v := range ctx.extraHeaders {
-			protected[k] = v
-		}
-
-		serializedProtected := mustSerializeJSON(protected)
-		needsBase64 := true
-
-		if b64, ok := protected[headerB64]; ok {
-			if needsBase64, ok = b64.(bool); !ok {
-				return nil, errors.New("go-jose/go-jose: Invalid b64 header parameter")
-			}
-		}
-
-		var input bytes.Buffer
-
-		input.WriteString(base64.RawURLEncoding.EncodeToString(serializedProtected))
-		input.WriteByte('.')
-
-		if needsBase64 {
-			input.WriteString(base64.RawURLEncoding.EncodeToString(payload))
-		} else {
-			input.Write(payload)
-		}
-
-		signatureInfo, err := recipient.signer.signPayload(input.Bytes(), recipient.sigAlg)
-		if err != nil {
-			return nil, err
-		}
-
-		signatureInfo.protected = &rawHeader{}
-		for k, v := range protected {
-			b, err := json.Marshal(v)
-			if err != nil {
-				return nil, fmt.Errorf("go-jose/go-jose: Error marshalling item %#v: %v", k, err)
-			}
-			(*signatureInfo.protected)[k] = makeRawMessage(b)
-		}
-		obj.Signatures[i] = signatureInfo
-	}
-
-	return obj, nil
-}
-
-func (ctx *genericSigner) Options() SignerOptions {
-	return SignerOptions{
-		NonceSource:  ctx.nonceSource,
-		EmbedJWK:     ctx.embedJWK,
-		ExtraHeaders: ctx.extraHeaders,
-	}
-}
-
-// Verify validates the signature on the object and returns the payload.
-// This function does not support multi-signature, if you desire multi-sig
-// verification use VerifyMulti instead.
-//
-// Be careful when verifying signatures based on embedded JWKs inside the
-// payload header. You cannot assume that the key received in a payload is
-// trusted.
-func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
-	err := obj.DetachedVerify(obj.payload, verificationKey)
-	if err != nil {
-		return nil, err
-	}
-	return obj.payload, nil
-}
-
-// UnsafePayloadWithoutVerification returns the payload without
-// verifying it. The content returned from this function cannot be
-// trusted.
-func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
-	return obj.payload
-}
-
-// DetachedVerify validates a detached signature on the given payload. In
-// most cases, you will probably want to use Verify instead. DetachedVerify
-// is only useful if you have a payload and signature that are separated from
-// each other.
-func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error {
-	verifier, err := newVerifier(verificationKey)
-	if err != nil {
-		return err
-	}
-
-	if len(obj.Signatures) > 1 {
-		return errors.New("go-jose/go-jose: too many signatures in payload; expecting only one")
-	}
-
-	signature := obj.Signatures[0]
-	headers := signature.mergedHeaders()
-	critical, err := headers.getCritical()
-	if err != nil {
-		return err
-	}
-
-	for _, name := range critical {
-		if !supportedCritical[name] {
-			return ErrCryptoFailure
-		}
-	}
-
-	input, err := obj.computeAuthData(payload, &signature)
-	if err != nil {
-		return ErrCryptoFailure
-	}
-
-	alg := headers.getSignatureAlgorithm()
-	err = verifier.verifyPayload(input, signature.Signature, alg)
-	if err == nil {
-		return nil
-	}
-
-	return ErrCryptoFailure
-}
-
-// VerifyMulti validates (one of the multiple) signatures on the object and
-// returns the index of the signature that was verified, along with the signature
-// object and the payload. We return the signature and index to guarantee that
-// callers are getting the verified value.
-func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) {
-	idx, sig, err := obj.DetachedVerifyMulti(obj.payload, verificationKey)
-	if err != nil {
-		return -1, Signature{}, nil, err
-	}
-	return idx, sig, obj.payload, nil
-}
-
-// DetachedVerifyMulti validates a detached signature on the given payload with
-// a signature/object that has potentially multiple signers. This returns the index
-// of the signature that was verified, along with the signature object. We return
-// the signature and index to guarantee that callers are getting the verified value.
-//
-// In most cases, you will probably want to use Verify or VerifyMulti instead.
-// DetachedVerifyMulti is only useful if you have a payload and signature that are
-// separated from each other, and the signature can have multiple signers at the
-// same time.
-func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) {
-	verifier, err := newVerifier(verificationKey)
-	if err != nil {
-		return -1, Signature{}, err
-	}
-
-outer:
-	for i, signature := range obj.Signatures {
-		headers := signature.mergedHeaders()
-		critical, err := headers.getCritical()
-		if err != nil {
-			continue
-		}
-
-		for _, name := range critical {
-			if !supportedCritical[name] {
-				continue outer
-			}
-		}
-
-		input, err := obj.computeAuthData(payload, &signature)
-		if err != nil {
-			continue
-		}
-
-		alg := headers.getSignatureAlgorithm()
-		err = verifier.verifyPayload(input, signature.Signature, alg)
-		if err == nil {
-			return i, signature, nil
-		}
-	}
-
-	return -1, Signature{}, ErrCryptoFailure
-}
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go b/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
deleted file mode 100644
index 52c8b62bf4b..00000000000
--- a/vendor/gopkg.in/go-jose/go-jose.v2/symmetric.go
+++ /dev/null
@@ -1,487 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/hmac"
-	"crypto/rand"
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/subtle"
-	"errors"
-	"fmt"
-	"hash"
-	"io"
-
-	"golang.org/x/crypto/pbkdf2"
-	"gopkg.in/go-jose/go-jose.v2/cipher"
-)
-
-// Random reader (stubbed out in tests)
-var RandReader = rand.Reader
-
-const (
-	// RFC7518 recommends a minimum of 1,000 iterations:
-	// https://tools.ietf.org/html/rfc7518#section-4.8.1.2
-	// NIST recommends a minimum of 10,000:
-	// https://pages.nist.gov/800-63-3/sp800-63b.html
-	// 1Password uses 100,000:
-	// https://support.1password.com/pbkdf2/
-	defaultP2C = 100000
-	// Default salt size: 128 bits
-	defaultP2SSize = 16
-)
-
-// Dummy key cipher for shared symmetric key mode
-type symmetricKeyCipher struct {
-	key []byte // Pre-shared content-encryption key
-	p2c int    // PBES2 Count
-	p2s []byte // PBES2 Salt Input
-}
-
-// Signer/verifier for MAC modes
-type symmetricMac struct {
-	key []byte
-}
-
-// Input/output from an AEAD operation
-type aeadParts struct {
-	iv, ciphertext, tag []byte
-}
-
-// A content cipher based on an AEAD construction
-type aeadContentCipher struct {
-	keyBytes     int
-	authtagBytes int
-	getAead      func(key []byte) (cipher.AEAD, error)
-}
-
-// Random key generator
-type randomKeyGenerator struct {
-	size int
-}
-
-// Static key generator
-type staticKeyGenerator struct {
-	key []byte
-}
-
-// Create a new content cipher based on AES-GCM
-func newAESGCM(keySize int) contentCipher {
-	return &aeadContentCipher{
-		keyBytes:     keySize,
-		authtagBytes: 16,
-		getAead: func(key []byte) (cipher.AEAD, error) {
-			aes, err := aes.NewCipher(key)
-			if err != nil {
-				return nil, err
-			}
-
-			return cipher.NewGCM(aes)
-		},
-	}
-}
-
-// Create a new content cipher based on AES-CBC+HMAC
-func newAESCBC(keySize int) contentCipher {
-	return &aeadContentCipher{
-		keyBytes:     keySize * 2,
-		authtagBytes: keySize,
-		getAead: func(key []byte) (cipher.AEAD, error) {
-			return josecipher.NewCBCHMAC(key, aes.NewCipher)
-		},
-	}
-}
-
-// Get an AEAD cipher object for the given content encryption algorithm
-func getContentCipher(alg ContentEncryption) contentCipher {
-	switch alg {
-	case A128GCM:
-		return newAESGCM(16)
-	case A192GCM:
-		return newAESGCM(24)
-	case A256GCM:
-		return newAESGCM(32)
-	case A128CBC_HS256:
-		return newAESCBC(16)
-	case A192CBC_HS384:
-		return newAESCBC(24)
-	case A256CBC_HS512:
-		return newAESCBC(32)
-	default:
-		return nil
-	}
-}
-
-// getPbkdf2Params returns the key length and hash function used in
-// pbkdf2.Key.
-func getPbkdf2Params(alg KeyAlgorithm) (int, func() hash.Hash) {
-	switch alg {
-	case PBES2_HS256_A128KW:
-		return 16, sha256.New
-	case PBES2_HS384_A192KW:
-		return 24, sha512.New384
-	case PBES2_HS512_A256KW:
-		return 32, sha512.New
-	default:
-		panic("invalid algorithm")
-	}
-}
-
-// getRandomSalt generates a new salt of the given size.
-func getRandomSalt(size int) ([]byte, error) {
-	salt := make([]byte, size)
-	_, err := io.ReadFull(RandReader, salt)
-	if err != nil {
-		return nil, err
-	}
-
-	return salt, nil
-}
-
-// newSymmetricRecipient creates a JWE encrypter based on AES-GCM key wrap.
-func newSymmetricRecipient(keyAlg KeyAlgorithm, key []byte) (recipientKeyInfo, error) {
-	switch keyAlg {
-	case DIRECT, A128GCMKW, A192GCMKW, A256GCMKW, A128KW, A192KW, A256KW:
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-	default:
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientKeyInfo{
-		keyAlg: keyAlg,
-		keyEncrypter: &symmetricKeyCipher{
-			key: key,
-		},
-	}, nil
-}
-
-// newSymmetricSigner creates a recipientSigInfo based on the given key.
-func newSymmetricSigner(sigAlg SignatureAlgorithm, key []byte) (recipientSigInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch sigAlg {
-	case HS256, HS384, HS512:
-	default:
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		signer: &symmetricMac{
-			key: key,
-		},
-	}, nil
-}
-
-// Generate a random key for the given content cipher
-func (ctx randomKeyGenerator) genKey() ([]byte, rawHeader, error) {
-	key := make([]byte, ctx.size)
-	_, err := io.ReadFull(RandReader, key)
-	if err != nil {
-		return nil, rawHeader{}, err
-	}
-
-	return key, rawHeader{}, nil
-}
-
-// Key size for random generator
-func (ctx randomKeyGenerator) keySize() int {
-	return ctx.size
-}
-
-// Generate a static key (for direct mode)
-func (ctx staticKeyGenerator) genKey() ([]byte, rawHeader, error) {
-	cek := make([]byte, len(ctx.key))
-	copy(cek, ctx.key)
-	return cek, rawHeader{}, nil
-}
-
-// Key size for static generator
-func (ctx staticKeyGenerator) keySize() int {
-	return len(ctx.key)
-}
-
-// Get key size for this cipher
-func (ctx aeadContentCipher) keySize() int {
-	return ctx.keyBytes
-}
-
-// Encrypt some data
-func (ctx aeadContentCipher) encrypt(key, aad, pt []byte) (*aeadParts, error) {
-	// Get a new AEAD instance
-	aead, err := ctx.getAead(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// Initialize a new nonce
-	iv := make([]byte, aead.NonceSize())
-	_, err = io.ReadFull(RandReader, iv)
-	if err != nil {
-		return nil, err
-	}
-
-	ciphertextAndTag := aead.Seal(nil, iv, pt, aad)
-	offset := len(ciphertextAndTag) - ctx.authtagBytes
-
-	return &aeadParts{
-		iv:         iv,
-		ciphertext: ciphertextAndTag[:offset],
-		tag:        ciphertextAndTag[offset:],
-	}, nil
-}
-
-// Decrypt some data
-func (ctx aeadContentCipher) decrypt(key, aad []byte, parts *aeadParts) ([]byte, error) {
-	aead, err := ctx.getAead(key)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(parts.iv) != aead.NonceSize() || len(parts.tag) < ctx.authtagBytes {
-		return nil, ErrCryptoFailure
-	}
-
-	return aead.Open(nil, parts.iv, append(parts.ciphertext, parts.tag...), aad)
-}
-
-// Encrypt the content encryption key.
-func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	switch alg {
-	case DIRECT:
-		return recipientInfo{
-			header: &rawHeader{},
-		}, nil
-	case A128GCMKW, A192GCMKW, A256GCMKW:
-		aead := newAESGCM(len(ctx.key))
-
-		parts, err := aead.encrypt(ctx.key, []byte{}, cek)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		header := &rawHeader{}
-		header.set(headerIV, newBuffer(parts.iv))
-		header.set(headerTag, newBuffer(parts.tag))
-
-		return recipientInfo{
-			header:       header,
-			encryptedKey: parts.ciphertext,
-		}, nil
-	case A128KW, A192KW, A256KW:
-		block, err := aes.NewCipher(ctx.key)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		jek, err := josecipher.KeyWrap(block, cek)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		return recipientInfo{
-			encryptedKey: jek,
-			header:       &rawHeader{},
-		}, nil
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-		if len(ctx.p2s) == 0 {
-			salt, err := getRandomSalt(defaultP2SSize)
-			if err != nil {
-				return recipientInfo{}, err
-			}
-			ctx.p2s = salt
-		}
-
-		if ctx.p2c <= 0 {
-			ctx.p2c = defaultP2C
-		}
-
-		// salt is UTF8(Alg) || 0x00 || Salt Input
-		salt := bytes.Join([][]byte{[]byte(alg), ctx.p2s}, []byte{0x00})
-
-		// derive key
-		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, ctx.p2c, keyLen, h)
-
-		// use AES cipher with derived key
-		block, err := aes.NewCipher(key)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		jek, err := josecipher.KeyWrap(block, cek)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		header := &rawHeader{}
-		header.set(headerP2C, ctx.p2c)
-		header.set(headerP2S, newBuffer(ctx.p2s))
-
-		return recipientInfo{
-			encryptedKey: jek,
-			header:       header,
-		}, nil
-	}
-
-	return recipientInfo{}, ErrUnsupportedAlgorithm
-}
-
-// Decrypt the content encryption key.
-func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	switch headers.getAlgorithm() {
-	case DIRECT:
-		cek := make([]byte, len(ctx.key))
-		copy(cek, ctx.key)
-		return cek, nil
-	case A128GCMKW, A192GCMKW, A256GCMKW:
-		aead := newAESGCM(len(ctx.key))
-
-		iv, err := headers.getIV()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid IV: %v", err)
-		}
-		tag, err := headers.getTag()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid tag: %v", err)
-		}
-
-		parts := &aeadParts{
-			iv:         iv.bytes(),
-			ciphertext: recipient.encryptedKey,
-			tag:        tag.bytes(),
-		}
-
-		cek, err := aead.decrypt(ctx.key, []byte{}, parts)
-		if err != nil {
-			return nil, err
-		}
-
-		return cek, nil
-	case A128KW, A192KW, A256KW:
-		block, err := aes.NewCipher(ctx.key)
-		if err != nil {
-			return nil, err
-		}
-
-		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
-		if err != nil {
-			return nil, err
-		}
-		return cek, nil
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-		p2s, err := headers.getP2S()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: %v", err)
-		}
-		if p2s == nil || len(p2s.data) == 0 {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: must be present")
-		}
-
-		p2c, err := headers.getP2C()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: %v", err)
-		}
-		if p2c <= 0 {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer")
-		}
-		if p2c > 1000000 {
-			// An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid
-			// DoS attacks.
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: too high")
-		}
-
-		// salt is UTF8(Alg) || 0x00 || Salt Input
-		alg := headers.getAlgorithm()
-		salt := bytes.Join([][]byte{[]byte(alg), p2s.bytes()}, []byte{0x00})
-
-		// derive key
-		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, p2c, keyLen, h)
-
-		// use AES cipher with derived key
-		block, err := aes.NewCipher(key)
-		if err != nil {
-			return nil, err
-		}
-
-		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
-		if err != nil {
-			return nil, err
-		}
-		return cek, nil
-	}
-
-	return nil, ErrUnsupportedAlgorithm
-}
-
-// Sign the given payload
-func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	mac, err := ctx.hmac(payload, alg)
-	if err != nil {
-		return Signature{}, errors.New("go-jose/go-jose: failed to compute hmac")
-	}
-
-	return Signature{
-		Signature: mac,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// Verify the given payload
-func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureAlgorithm) error {
-	expected, err := ctx.hmac(payload, alg)
-	if err != nil {
-		return errors.New("go-jose/go-jose: failed to compute hmac")
-	}
-
-	if len(mac) != len(expected) {
-		return errors.New("go-jose/go-jose: invalid hmac")
-	}
-
-	match := subtle.ConstantTimeCompare(mac, expected)
-	if match != 1 {
-		return errors.New("go-jose/go-jose: invalid hmac")
-	}
-
-	return nil
-}
-
-// Compute the HMAC based on the given alg value
-func (ctx symmetricMac) hmac(payload []byte, alg SignatureAlgorithm) ([]byte, error) {
-	var hash func() hash.Hash
-
-	switch alg {
-	case HS256:
-		hash = sha256.New
-	case HS384:
-		hash = sha512.New384
-	case HS512:
-		hash = sha512.New
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-
-	hmac := hmac.New(hash, ctx.key)
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hmac.Write(payload)
-	return hmac.Sum(nil), nil
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 85a48c637a6..8a69ee264cf 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -53,7 +53,7 @@ dario.cat/mergo
 ## explicit
 github.com/Azure/azure-sdk-for-go/services/preview/containerregistry/runtime/2019-08-15-preview/containerregistry
 github.com/Azure/azure-sdk-for-go/version
-# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
+# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/azcore
 github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource
@@ -75,11 +75,11 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime
 github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
 github.com/Azure/azure-sdk-for-go/sdk/azcore/to
 github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing
-# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/azidentity
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal
-# github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0
+# github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/internal/diag
 github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo
@@ -178,7 +178,7 @@ github.com/ahmetb/gen-crd-api-reference-docs
 # github.com/antlr4-go/antlr/v4 v4.13.0
 ## explicit; go 1.20
 github.com/antlr4-go/antlr/v4
-# github.com/aws/aws-sdk-go-v2 v1.27.0
+# github.com/aws/aws-sdk-go-v2 v1.27.2
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/aws
 github.com/aws/aws-sdk-go-v2/aws/defaults
@@ -194,8 +194,10 @@ github.com/aws/aws-sdk-go-v2/aws/signer/v4
 github.com/aws/aws-sdk-go-v2/aws/transport/http
 github.com/aws/aws-sdk-go-v2/internal/auth
 github.com/aws/aws-sdk-go-v2/internal/auth/smithy
+github.com/aws/aws-sdk-go-v2/internal/context
 github.com/aws/aws-sdk-go-v2/internal/endpoints
 github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn
+github.com/aws/aws-sdk-go-v2/internal/middleware
 github.com/aws/aws-sdk-go-v2/internal/rand
 github.com/aws/aws-sdk-go-v2/internal/sdk
 github.com/aws/aws-sdk-go-v2/internal/sdkio
@@ -203,10 +205,10 @@ github.com/aws/aws-sdk-go-v2/internal/shareddefaults
 github.com/aws/aws-sdk-go-v2/internal/strings
 github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
 github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/config v1.27.16
+# github.com/aws/aws-sdk-go-v2/config v1.27.18
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/config
-# github.com/aws/aws-sdk-go-v2/credentials v1.17.16
+# github.com/aws/aws-sdk-go-v2/credentials v1.17.18
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/credentials
 github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds
@@ -215,14 +217,14 @@ github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client
 github.com/aws/aws-sdk-go-v2/credentials/processcreds
 github.com/aws/aws-sdk-go-v2/credentials/ssocreds
 github.com/aws/aws-sdk-go-v2/credentials/stscreds
-# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3
+# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
 # github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0
@@ -241,7 +243,7 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic/types
 # github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
 # github.com/aws/aws-sdk-go-v2/service/kms v1.32.1
@@ -249,17 +251,17 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
 github.com/aws/aws-sdk-go-v2/service/kms
 github.com/aws/aws-sdk-go-v2/service/kms/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/kms/types
-# github.com/aws/aws-sdk-go-v2/service/sso v1.20.9
+# github.com/aws/aws-sdk-go-v2/service/sso v1.20.11
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/sso
 github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sso/types
-# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3
+# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/ssooidc
 github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ssooidc/types
-# github.com/aws/aws-sdk-go-v2/service/sts v1.28.10
+# github.com/aws/aws-sdk-go-v2/service/sts v1.28.12
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints
@@ -383,7 +385,7 @@ github.com/davidmz/go-pageant
 # github.com/dimchansky/utfbom v1.1.1
 ## explicit
 github.com/dimchansky/utfbom
-# github.com/docker/cli v24.0.7+incompatible
+# github.com/docker/cli v27.1.1+incompatible
 ## explicit
 github.com/docker/cli/cli/config
 github.com/docker/cli/cli/config/configfile
@@ -392,9 +394,6 @@ github.com/docker/cli/cli/config/types
 # github.com/docker/distribution v2.8.2+incompatible
 ## explicit
 github.com/docker/distribution/registry/client/auth/challenge
-# github.com/docker/docker v26.1.5+incompatible
-## explicit
-github.com/docker/docker/pkg/homedir
 # github.com/docker/docker-credential-helpers v0.7.0
 ## explicit; go 1.18
 github.com/docker/docker-credential-helpers/client
@@ -586,7 +585,7 @@ github.com/google/go-cmp/cmp/internal/diff
 github.com/google/go-cmp/cmp/internal/flags
 github.com/google/go-cmp/cmp/internal/function
 github.com/google/go-cmp/cmp/internal/value
-# github.com/google/go-containerregistry v0.19.2
+# github.com/google/go-containerregistry v0.20.2
 ## explicit; go 1.18
 github.com/google/go-containerregistry/internal/and
 github.com/google/go-containerregistry/internal/compression
@@ -719,7 +718,7 @@ github.com/imdario/mergo
 # github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
 ## explicit
 github.com/jbenet/go-context/io
-# github.com/jellydator/ttlcache/v3 v3.2.0
+# github.com/jellydator/ttlcache/v3 v3.3.0
 ## explicit; go 1.18
 github.com/jellydator/ttlcache/v3
 # github.com/jenkins-x/go-scm v1.14.37
@@ -766,8 +765,8 @@ github.com/klauspost/compress/zstd/internal/xxhash
 ## explicit; go 1.11
 github.com/kylelemons/godebug/diff
 github.com/kylelemons/godebug/pretty
-# github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e
-## explicit; go 1.20
+# github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec
+## explicit; go 1.22.0
 github.com/letsencrypt/boulder/core
 github.com/letsencrypt/boulder/goodkey
 github.com/letsencrypt/boulder/identifier
@@ -885,8 +884,8 @@ github.com/sigstore/sigstore/pkg/signature/payload
 # github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.4
 ## explicit; go 1.21
 github.com/sigstore/sigstore/pkg/signature/kms/aws
-# github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.4
-## explicit; go 1.21
+# github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.9
+## explicit; go 1.22.5
 github.com/sigstore/sigstore/pkg/signature/kms/azure
 # github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.4
 ## explicit; go 1.21
@@ -968,13 +967,14 @@ go.opencensus.io/trace
 go.opencensus.io/trace/internal
 go.opencensus.io/trace/propagation
 go.opencensus.io/trace/tracestate
-# go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0
-## explicit; go 1.20
+# go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0
+## explicit; go 1.21
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal
-# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0
-## explicit; go 1.20
+# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0
+## explicit; go 1.21
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil
 # go.opentelemetry.io/otel v1.28.0
 ## explicit; go 1.21
@@ -1077,7 +1077,7 @@ golang.org/x/crypto/ssh
 golang.org/x/crypto/ssh/agent
 golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
 golang.org/x/crypto/ssh/knownhosts
-# golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc
+# golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
 ## explicit; go 1.20
 golang.org/x/exp/constraints
 golang.org/x/exp/maps
@@ -1303,11 +1303,6 @@ google.golang.org/protobuf/types/known/fieldmaskpb
 google.golang.org/protobuf/types/known/structpb
 google.golang.org/protobuf/types/known/timestamppb
 google.golang.org/protobuf/types/known/wrapperspb
-# gopkg.in/go-jose/go-jose.v2 v2.6.3
-## explicit
-gopkg.in/go-jose/go-jose.v2
-gopkg.in/go-jose/go-jose.v2/cipher
-gopkg.in/go-jose/go-jose.v2/json
 # gopkg.in/inf.v0 v0.9.1
 ## explicit
 gopkg.in/inf.v0