From 4b36e05eea38f0bba121ea179dda770e893318db Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 25 Feb 2025 12:35:45 +0000
Subject: [PATCH] fix(deps): update patch updates

---
 go.mod                                        |   71 +-
 go.sum                                        |  145 +-
 oci/Containerfile                             |    4 +-
 tools/go.mod                                  |   46 +-
 tools/go.sum                                  |  294 +--
 vendor/dario.cat/mergo/.gitignore             |    3 +
 vendor/dario.cat/mergo/README.md              |  102 +-
 vendor/dario.cat/mergo/map.go                 |    2 +-
 vendor/dario.cat/mergo/merge.go               |    2 +-
 .../go-crypto/internal/byteutil/byteutil.go   |    8 +-
 .../ProtonMail/go-crypto/ocb/ocb.go           |   55 +-
 .../go-crypto/openpgp/armor/encode.go         |   12 +-
 .../go-crypto/openpgp/packet/aead_crypter.go  |  120 +-
 .../openpgp/packet/aead_encrypted.go          |   12 +-
 .../packet/symmetrically_encrypted_aead.go    |   27 +-
 .../aws/aws-sdk-go-v2/aws/checksum.go         |   33 +
 .../aws/aws-sdk-go-v2/aws/config.go           |   27 +
 .../aws-sdk-go-v2/aws/go_module_metadata.go   |    2 +-
 .../aws/middleware/user_agent.go              |   46 +-
 .../aws/protocol/eventstream/CHANGELOG.md     |   32 +
 .../eventstream/go_module_metadata.go         |    2 +-
 .../aws/protocol/eventstream/message.go       |   22 +-
 .../aws-sdk-go-v2/aws/protocol/query/array.go |   29 +-
 .../aws/protocol/query/object.go              |   11 +-
 .../aws-sdk-go-v2/aws/protocol/query/value.go |    2 +
 .../aws/retry/retryable_error.go              |    6 +
 .../aws/signer/internal/v4/headers.go         |    9 +-
 .../aws-sdk-go-v2/credentials/CHANGELOG.md    |  173 ++
 .../endpointcreds/internal/client/client.go   |    1 +
 .../credentials/endpointcreds/provider.go     |    1 +
 .../credentials/go_module_metadata.go         |    2 +-
 .../credentials/processcreds/provider.go      |    4 +
 .../credentials/ssocreds/sso_cached_token.go  |    2 +-
 .../ssocreds/sso_credentials_provider.go      |    1 +
 .../stscreds/assume_role_provider.go          |    6 +
 .../stscreds/web_identity_provider.go         |   19 +
 .../feature/ec2/imds/CHANGELOG.md             |  100 +
 .../feature/ec2/imds/go_module_metadata.go    |    2 +-
 .../internal/configsources/CHANGELOG.md       |   30 +
 .../configsources/go_module_metadata.go       |    2 +-
 .../endpoints/awsrulesfn/partitions.json      |   18 +-
 .../internal/endpoints/v2/CHANGELOG.md        |   30 +
 .../endpoints/v2/go_module_metadata.go        |    2 +-
 .../aws-sdk-go-v2/internal/ini/CHANGELOG.md   |   12 +
 .../internal/ini/go_module_metadata.go        |    2 +-
 .../aws-sdk-go-v2/internal/v4a/CHANGELOG.md   |  117 +
 .../internal/v4a/go_module_metadata.go        |    2 +-
 .../internal/v4a/internal/v4/headers.go       |    7 +-
 .../aws/aws-sdk-go-v2/internal/v4a/smithy.go  |    8 +-
 .../aws-sdk-go-v2/service/ecs/CHANGELOG.md    |   67 +
 .../aws-sdk-go-v2/service/ecs/api_client.go   |    2 +-
 .../service/ecs/api_op_CreateService.go       |    2 +-
 .../service/ecs/api_op_DescribeServices.go    |  191 +-
 .../service/ecs/api_op_DescribeTasks.go       |  131 +-
 .../ecs/api_op_ListServiceDeployments.go      |    6 +-
 .../ecs/api_op_RegisterTaskDefinition.go      |    6 +-
 .../service/ecs/api_op_StopTask.go            |    2 +-
 .../service/ecs/api_op_TagResource.go         |   16 +
 .../service/ecs/api_op_UpdateService.go       |    2 +-
 .../aws-sdk-go-v2/service/ecs/generated.json  |    5 +-
 .../service/ecs/go_module_metadata.go         |    2 +-
 .../ecs/internal/endpoints/endpoints.go       |   14 +
 .../aws-sdk-go-v2/service/ecs/types/errors.go |    4 +-
 .../aws-sdk-go-v2/service/ecs/types/types.go  |   87 +-
 .../internal/accept-encoding/CHANGELOG.md     |   28 +
 .../accept-encoding/go_module_metadata.go     |    2 +-
 .../internal/presigned-url/CHANGELOG.md       |  101 +
 .../presigned-url/go_module_metadata.go       |    2 +-
 .../aws-sdk-go-v2/service/sso/CHANGELOG.md    |  143 ++
 .../aws-sdk-go-v2/service/sso/api_client.go   |  367 +++-
 .../service/sso/api_op_GetRoleCredentials.go  |   18 +
 .../service/sso/api_op_ListAccountRoles.go    |   37 +-
 .../service/sso/api_op_ListAccounts.go        |   35 +-
 .../service/sso/api_op_Logout.go              |   18 +
 .../aws/aws-sdk-go-v2/service/sso/auth.go     |   43 +-
 .../service/sso/deserializers.go              |   29 +-
 .../aws-sdk-go-v2/service/sso/endpoints.go    |   27 +-
 .../aws-sdk-go-v2/service/sso/generated.json  |    2 +-
 .../service/sso/go_module_metadata.go         |    2 +-
 .../sso/internal/endpoints/endpoints.go       |   10 +-
 .../aws/aws-sdk-go-v2/service/sso/options.go  |    8 +
 .../aws-sdk-go-v2/service/sso/serializers.go  |   33 +-
 .../service/ssooidc/CHANGELOG.md              |  140 ++
 .../service/ssooidc/api_client.go             |  367 +++-
 .../service/ssooidc/api_op_CreateToken.go     |   41 +-
 .../ssooidc/api_op_CreateTokenWithIAM.go      |   24 +-
 .../service/ssooidc/api_op_RegisterClient.go  |   34 +-
 .../api_op_StartDeviceAuthorization.go        |   18 +
 .../aws/aws-sdk-go-v2/service/ssooidc/auth.go |   43 +-
 .../service/ssooidc/deserializers.go          |   21 +
 .../aws/aws-sdk-go-v2/service/ssooidc/doc.go  |    7 +-
 .../service/ssooidc/endpoints.go              |   27 +-
 .../service/ssooidc/generated.json            |    2 +-
 .../service/ssooidc/go_module_metadata.go     |    2 +-
 .../ssooidc/internal/endpoints/endpoints.go   |   10 +-
 .../aws-sdk-go-v2/service/ssooidc/options.go  |    8 +
 .../service/ssooidc/serializers.go            |   25 +
 .../aws-sdk-go-v2/service/sts/CHANGELOG.md    |  159 ++
 .../aws-sdk-go-v2/service/sts/api_client.go   |  367 +++-
 .../service/sts/api_op_AssumeRole.go          |   70 +-
 .../service/sts/api_op_AssumeRoleWithSAML.go  |   30 +-
 .../sts/api_op_AssumeRoleWithWebIdentity.go   |   69 +-
 .../service/sts/api_op_AssumeRoot.go          |  220 ++
 .../sts/api_op_DecodeAuthorizationMessage.go  |   18 +
 .../service/sts/api_op_GetAccessKeyInfo.go    |   18 +
 .../service/sts/api_op_GetCallerIdentity.go   |   18 +
 .../service/sts/api_op_GetFederationToken.go  |   22 +-
 .../service/sts/api_op_GetSessionToken.go     |   22 +-
 .../aws/aws-sdk-go-v2/service/sts/auth.go     |   43 +-
 .../service/sts/deserializers.go              |  203 ++
 .../aws-sdk-go-v2/service/sts/endpoints.go    |   27 +-
 .../aws-sdk-go-v2/service/sts/generated.json  |    3 +-
 .../service/sts/go_module_metadata.go         |    2 +-
 .../sts/internal/endpoints/endpoints.go       |   19 +-
 .../aws/aws-sdk-go-v2/service/sts/options.go  |    8 +
 .../aws-sdk-go-v2/service/sts/serializers.go  |  143 ++
 .../aws-sdk-go-v2/service/sts/types/errors.go |    8 +-
 .../aws-sdk-go-v2/service/sts/validators.go   |   42 +
 vendor/github.com/aws/smithy-go/CHANGELOG.md  |   20 +
 .../github.com/aws/smithy-go/CONTRIBUTING.md  |   31 +
 vendor/github.com/aws/smithy-go/Makefile      |    7 +
 .../aws/smithy-go/changelog-template.json     |    9 +
 .../aws/smithy-go/go_module_metadata.go       |    2 +-
 .../aws/smithy-go/transport/http/host.go      |    2 +-
 .../aws/smithy-go/transport/http/metrics.go   |   44 +-
 .../http/middleware_close_response_body.go    |    8 +-
 .../aws/smithy-go/transport/http/request.go   |    5 +-
 .../cyphar/filepath-securejoin/CHANGELOG.md   |  209 ++
 .../cyphar/filepath-securejoin/LICENSE        |    2 +-
 .../cyphar/filepath-securejoin/README.md      |  140 +-
 .../cyphar/filepath-securejoin/VERSION        |    2 +-
 .../cyphar/filepath-securejoin/doc.go         |   39 +
 .../gocompat_errors_go120.go                  |   18 +
 .../gocompat_errors_unsupported.go            |   38 +
 .../gocompat_generics_go121.go                |   32 +
 .../gocompat_generics_unsupported.go          |  124 ++
 .../cyphar/filepath-securejoin/join.go        |   27 +-
 .../filepath-securejoin/lookup_linux.go       |  388 ++++
 .../cyphar/filepath-securejoin/mkdir_linux.go |  215 ++
 .../cyphar/filepath-securejoin/open_linux.go  |  103 +
 .../filepath-securejoin/openat2_linux.go      |  127 ++
 .../filepath-securejoin/openat_linux.go       |   59 +
 .../filepath-securejoin/procfs_linux.go       |  452 ++++
 .../cyphar/filepath-securejoin/vfs.go         |   26 +-
 .../v5/plumbing/transport/http/common.go      |    3 +-
 .../v5/plumbing/transport/ssh/auth_method.go  |   13 +-
 .../v5/plumbing/transport/ssh/common.go       |   17 +-
 .../github.com/go-git/go-git/v5/worktree.go   |    3 +-
 .../go-git/go-git/v5/worktree_status.go       |    2 +
 .../github.com/iwdgo/sigintwindows/.gitignore |    1 +
 vendor/github.com/iwdgo/sigintwindows/LICENSE |   29 +
 .../github.com/iwdgo/sigintwindows/README.md  |   63 +
 .../iwdgo/sigintwindows/signal_windows.go     |   27 +
 .../magiconair/properties/CHANGELOG.md        |  205 --
 .../magiconair/properties/README.md           |   30 -
 .../magiconair/properties/decode.go           |    6 +-
 .../github.com/magiconair/properties/load.go  |   27 +-
 .../mattn/go-runewidth/runewidth_table.go     |  323 +--
 vendor/github.com/nxadm/tail/.cirrus.yml      |    8 -
 vendor/github.com/nxadm/tail/.gitignore       |    2 -
 vendor/github.com/nxadm/tail/CHANGES.md       |   64 -
 vendor/github.com/nxadm/tail/CONTRIBUTING.md  |    5 -
 vendor/github.com/nxadm/tail/Dockerfile       |   19 -
 vendor/github.com/nxadm/tail/README.md        |   45 -
 .../github.com/nxadm/tail/ratelimiter/Licence |    7 -
 .../nxadm/tail/ratelimiter/leakybucket.go     |   97 -
 .../nxadm/tail/ratelimiter/memory.go          |   60 -
 .../nxadm/tail/ratelimiter/storage.go         |    6 -
 vendor/github.com/nxadm/tail/tail_posix.go    |   17 -
 vendor/github.com/nxadm/tail/tail_windows.go  |   19 -
 .../pelletier/go-toml/v2/.goreleaser.yaml     |    1 +
 .../github.com/pelletier/go-toml/v2/README.md |    2 +-
 .../pelletier/go-toml/v2/marshaler.go         |   24 +-
 .../pelletier/go-toml/v2/unmarshaler.go       |   45 +-
 vendor/github.com/pjbgf/sha1cd/Dockerfile.arm |    3 +-
 .../github.com/pjbgf/sha1cd/Dockerfile.arm64  |    2 +-
 vendor/github.com/pjbgf/sha1cd/LICENSE        |    2 +-
 vendor/github.com/pjbgf/sha1cd/Makefile       |    3 +-
 vendor/github.com/pjbgf/sha1cd/sha1cd.go      |    2 +
 .../pjbgf/sha1cd/sha1cdblock_amd64.s          |    3 +-
 .../pjbgf/sha1cd/ubc/{doc.go => ubc.go}       |    2 +
 .../github.com/pjbgf/sha1cd/ubc/ubc_amd64.go  |   14 +
 .../github.com/pjbgf/sha1cd/ubc/ubc_amd64.s   | 1897 +++++++++++++++++
 .../sha1cd/ubc/{check.go => ubc_generic.go}   |    2 +-
 .../github.com/pjbgf/sha1cd/ubc/ubc_noasm.go  |   12 +
 .../go/command/internal/pulumiUtilities.go    |    4 +-
 .../github.com/pulumi/pulumi/sdk/v3/.version  |    2 +-
 .../pulumi/pulumi/sdk/v3/go/auto/cmd.go       |   11 +
 .../pulumi/pulumi/sdk/v3/go/auto/cmd_other.go |   30 +
 .../pulumi/sdk/v3/go/auto/cmd_windows.go      |   36 +
 .../pulumi/sdk/v3/go/auto/local_workspace.go  |   36 +-
 .../sdk/v3/go/auto/optdestroy/optdestroy.go   |    7 +
 .../sdk/v3/go/auto/optpreview/optpreview.go   |    7 +
 .../sdk/v3/go/auto/optrefresh/optrefresh.go   |   18 +-
 .../pulumi/sdk/v3/go/auto/optup/optup.go      |    7 +
 .../pulumi/pulumi/sdk/v3/go/auto/stack.go     |   38 +-
 .../pulumi/pulumi/sdk/v3/go/auto/workspace.go |   16 +-
 .../sdk/v3/go/common/resource/config/crypt.go |   57 +-
 .../sdk/v3/go/common/resource/config/map.go   |   32 +-
 .../sdk/v3/go/common/resource/config/value.go |   22 +-
 .../sdk/v3/go/common/resource/plugin/host.go  |    6 +-
 .../go/common/resource/plugin/langruntime.go  |    5 +-
 .../resource/plugin/langruntime_plugin.go     |   83 +-
 .../v3/go/common/resource/plugin/plugin.go    |   96 +-
 .../common/resource/plugin/provider_plugin.go |   11 +-
 .../sdk/v3/go/common/resource/properties.go   |    4 +-
 .../v3/go/common/resource/properties_diff.go  |    9 +
 .../pulumi/sdk/v3/go/common/tail/LICENSE      |   21 +
 .../pulumi/sdk/v3/go/common}/tail/tail.go     |   98 +-
 .../sdk/v3/go/common/tail/tail_posix.go       |   17 +
 .../sdk/v3/go/common/tail/tail_windows.go     |   19 +
 .../sdk/v3/go/common/util/gitutil/git.go      |  106 +-
 .../sdk/v3/go/common/workspace/plugins.go     |  370 +++-
 .../sdk/v3/go/common/workspace/project.go     |    2 +
 .../sdk/v3/go/common/workspace/templates.go   |    4 +-
 .../v3/go/common/workspace/templates_zip.go   |   26 +-
 .../pulumi/pulumi/sdk/v3/go/pulumi/context.go |  144 +-
 .../pulumi/sdk/v3/go/pulumi/provider.go       |   35 +-
 .../pulumi/sdk/v3/go/pulumi/resource.go       |   13 +-
 .../pulumi/pulumi/sdk/v3/go/pulumi/rpc.go     |   43 +-
 .../sdk/v3/go/pulumi/stack_reference.go       |    2 +-
 .../pulumi/pulumi/sdk/v3/go/pulumi/types.go   |   19 +
 .../pulumi/pulumi/sdk/v3/go/pulumi/urnset.go  |   61 -
 .../pulumi/sdk/v3/proto/go/language.pb.go     |  392 +++-
 .../sdk/v3/proto/go/language_grpc.pb.go       |  144 +-
 .../pulumi/sdk/v3/proto/go/provider.pb.go     |    7 +
 .../sdk/v3/proto/go/provider_grpc.pb.go       |    8 +
 .../pulumi/sdk/v3/proto/go/resource.pb.go     |   10 +-
 .../sdk/v3/proto/go/resource_grpc.pb.go       |    4 +
 .../pulumi/sdk/v3/python/toolchain/pip.go     |   38 -
 .../sdk/v3/python/toolchain/toolchain.go      |   38 +
 .../pulumi/sdk/v3/python/toolchain/uv.go      |   75 +-
 vendor/github.com/sahilm/fuzzy/.travis.yml    |    3 +
 vendor/github.com/sahilm/fuzzy/README.md      |    8 +-
 vendor/github.com/sahilm/fuzzy/fuzzy.go       |   21 +-
 vendor/github.com/skeema/knownhosts/NOTICE    |    2 +-
 vendor/github.com/skeema/knownhosts/README.md |    2 +-
 vendor/github.com/spf13/pflag/.editorconfig   |   12 +
 vendor/github.com/spf13/pflag/.golangci.yaml  |    4 +
 vendor/github.com/spf13/pflag/flag.go         |   29 +-
 vendor/github.com/spf13/pflag/ip.go           |    3 +
 vendor/github.com/spf13/pflag/ipnet_slice.go  |  147 ++
 vendor/github.com/spf13/pflag/string_array.go |    4 -
 vendor/golang.org/x/crypto/pkcs12/crypto.go   |    2 +-
 vendor/golang.org/x/net/http2/config.go       |    2 +-
 vendor/golang.org/x/net/http2/config_go124.go |    2 +-
 vendor/golang.org/x/net/http2/transport.go    |   13 +-
 .../x/sys/unix/syscall_dragonfly.go           |   12 +
 .../golang.org/x/sys/windows/dll_windows.go   |   11 +-
 vendor/modules.txt                            |  116 +-
 250 files changed, 10776 insertions(+), 2478 deletions(-)
 create mode 100644 vendor/github.com/aws/aws-sdk-go-v2/aws/checksum.go
 create mode 100644 vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoot.go
 create mode 100644 vendor/github.com/aws/smithy-go/changelog-template.json
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/doc.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/open_linux.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
 create mode 100644 vendor/github.com/iwdgo/sigintwindows/.gitignore
 create mode 100644 vendor/github.com/iwdgo/sigintwindows/LICENSE
 create mode 100644 vendor/github.com/iwdgo/sigintwindows/README.md
 create mode 100644 vendor/github.com/iwdgo/sigintwindows/signal_windows.go
 delete mode 100644 vendor/github.com/magiconair/properties/CHANGELOG.md
 delete mode 100644 vendor/github.com/nxadm/tail/.cirrus.yml
 delete mode 100644 vendor/github.com/nxadm/tail/.gitignore
 delete mode 100644 vendor/github.com/nxadm/tail/CHANGES.md
 delete mode 100644 vendor/github.com/nxadm/tail/CONTRIBUTING.md
 delete mode 100644 vendor/github.com/nxadm/tail/Dockerfile
 delete mode 100644 vendor/github.com/nxadm/tail/README.md
 delete mode 100644 vendor/github.com/nxadm/tail/ratelimiter/Licence
 delete mode 100644 vendor/github.com/nxadm/tail/ratelimiter/leakybucket.go
 delete mode 100644 vendor/github.com/nxadm/tail/ratelimiter/memory.go
 delete mode 100644 vendor/github.com/nxadm/tail/ratelimiter/storage.go
 delete mode 100644 vendor/github.com/nxadm/tail/tail_posix.go
 delete mode 100644 vendor/github.com/nxadm/tail/tail_windows.go
 rename vendor/github.com/pjbgf/sha1cd/ubc/{doc.go => ubc.go} (68%)
 create mode 100644 vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go
 create mode 100644 vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s
 rename vendor/github.com/pjbgf/sha1cd/ubc/{check.go => ubc_generic.go} (99%)
 create mode 100644 vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go
 create mode 100644 vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_other.go
 create mode 100644 vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_windows.go
 create mode 100644 vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/LICENSE
 rename vendor/github.com/{nxadm => pulumi/pulumi/sdk/v3/go/common}/tail/tail.go (82%)
 create mode 100644 vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_posix.go
 create mode 100644 vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_windows.go
 delete mode 100644 vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/urnset.go
 create mode 100644 vendor/github.com/spf13/pflag/.editorconfig
 create mode 100644 vendor/github.com/spf13/pflag/.golangci.yaml
 create mode 100644 vendor/github.com/spf13/pflag/ipnet_slice.go

diff --git a/go.mod b/go.mod
index 7a0ea3f7f..4b8327cf2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,14 +1,14 @@
 module github.com/redhat-developer/mapt
 
-go 1.21.12
+go 1.22
 
-toolchain go1.22.9
+toolchain go1.24.0
 
 require (
 	github.com/coocood/freecache v1.2.4
-	github.com/pulumi/pulumi-command/sdk v1.0.1
+	github.com/pulumi/pulumi-command/sdk v1.0.2
 	github.com/pulumi/pulumi-random/sdk/v4 v4.16.7
-	github.com/pulumi/pulumi/sdk/v3 v3.143.0
+	github.com/pulumi/pulumi/sdk/v3 v3.150.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
@@ -20,7 +20,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0
 	github.com/aws/amazon-ec2-instance-selector/v2 v2.4.2-0.20231006140257-d989c5d76f0e
-	github.com/aws/aws-sdk-go-v2 v1.32.7
+	github.com/aws/aws-sdk-go-v2 v1.36.2
 	github.com/aws/aws-sdk-go-v2/config v1.27.18
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.142.0
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
@@ -39,8 +39,8 @@ require (
 require (
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/aws/aws-sdk-go v1.50.36 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.33 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/pricing v1.21.6 // indirect
@@ -48,34 +48,35 @@ require (
 	github.com/evertras/bubble-table v0.15.2 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/iwdgo/sigintwindows v0.2.2 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pulumi/pulumi-docker/sdk/v4 v4.4.3 // indirect
-	github.com/sahilm/fuzzy v0.1.0 // indirect
+	github.com/sahilm/fuzzy v0.1.1 // indirect
 	golang.org/x/mod v0.19.0 // indirect
 	golang.org/x/tools v0.23.0 // indirect
 )
 
 require (
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
-	github.com/aws/smithy-go v1.22.1 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.60 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.33 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.33 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.15 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/bubbles v0.16.1 // indirect
@@ -83,7 +84,7 @@ require (
 	github.com/charmbracelet/lipgloss v0.7.1 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
 	github.com/containerd/console v1.0.4 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -92,7 +93,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
@@ -101,9 +102,9 @@ require (
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
 	github.com/pulumi/esc v0.10.0 // indirect
@@ -111,7 +112,7 @@ require (
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.0.0 // indirect
-	github.com/skeema/knownhosts v1.3.0 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
@@ -126,9 +127,9 @@ require (
 
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProtonMail/go-crypto v1.1.3 // indirect
+	github.com/ProtonMail/go-crypto v1.1.5 // indirect
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.53.0
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.53.16
 	github.com/aws/aws-sdk-go-v2/service/iam v1.38.3
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
@@ -136,8 +137,8 @@ require (
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.6.0 // indirect
-	github.com/go-git/go-git/v5 v5.13.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.13.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/glog v1.2.4 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
@@ -146,7 +147,7 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/nxadm/tail v1.4.11 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
@@ -158,17 +159,17 @@ require (
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.19.0
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
diff --git a/go.sum b/go.sum
index c89ed37fe..c548a69db 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 h1:GJHeeA2N7xrG3q30L2UXDyuWRzDM900/65j70wcM4Ww=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
@@ -23,8 +23,8 @@ github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXY
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
-github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
+github.com/ProtonMail/go-crypto v1.1.5 h1:eoAQfK2dwL+tFSFpr7TbOaPNUbPiJj4fLYwwGE1FQO4=
+github.com/ProtonMail/go-crypto v1.1.5/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
@@ -44,53 +44,53 @@ github.com/aws/amazon-ec2-instance-selector/v2 v2.4.2-0.20231006140257-d989c5d76
 github.com/aws/aws-sdk-go v1.50.36 h1:PjWXHwZPuTLMR1NIb8nEjLucZBMzmf84TLoLbD8BZqk=
 github.com/aws/aws-sdk-go v1.50.36/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M=
-github.com/aws/aws-sdk-go-v2 v1.32.7 h1:ky5o35oENWi0JYWUZkB7WYvVPP+bcRF5/Iq7JWSb5Rw=
-github.com/aws/aws-sdk-go-v2 v1.32.7/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
+github.com/aws/aws-sdk-go-v2 v1.36.2 h1:Ub6I4lq/71+tPb/atswvToaLGVMxKZvjYDVOWEExOcU=
+github.com/aws/aws-sdk-go-v2 v1.36.2/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14=
 github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
 github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.60 h1:1dq+ELaT5ogfmqtV1eocq8SpOK1NRsuUfmhQtD/XAh4=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.60/go.mod h1:HDes+fn/xo9VeszXqjBVkxOo/aUy8Mc6QqKvZk32GlE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.29 h1:JO8pydejFKmGcUNiiwt75dzLHRWthkwApIvPoyUtXEg=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.29/go.mod h1:adxZ9i9DRmB8zAT0pO0yGnsmu0geomp5a3uq5XpgOJ8=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 h1:I/5wmGMffY4happ8NOCuIUEWGUvvFp5NSeQcXl9RHcI=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26/go.mod h1:FR8f4turZtNy6baO0KJ5FJUmXH/cSkI9fOngs0yl6mA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.33 h1:knLyPMw3r3JsU8MFHWctE4/e2qWbPaxDYLlohPvnY8c=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.33/go.mod h1:EBp2HQ3f+XCB+5J+IoEbGhoV7CpJbnrsd4asNXmTL0A=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 h1:zXFLuEuMMUOvEARXFUVJdfqZ4bvvSgdGRq/ATcrQxzM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26/go.mod h1:3o2Wpy0bogG1kyOPrgkXA8pgIfEEv0+m19O9D5+W8y8=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5/go.mod h1:LIt2rg7Mcgn09Ygbdh/RdIm0rQ+3BNkbP1gyVMFtRK0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.33 h1:K0+Ne08zqti8J9jwENxZ5NoUyBnaFDTu3apwQJWrwwA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.33/go.mod h1:K97stwwzaWzmqxO8yLGHhClbVW1tC6VT1pDLk1pGrq4=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.33 h1:/frG8aV09yhCVSOEC2pzktflJJO48NwY3xntHBwxHiA=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.33/go.mod h1:8vwASlAcV366M+qxZnjNzCjeastk1Rt1bpSRaGZanGU=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.142.0 h1:VrFC1uEZjX4ghkm/et8ATVGb1mT75Iv8aPKPjUE+F8A=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.142.0/go.mod h1:qjhtI9zjpUHRc6khtrIM9fb48+ii6+UikL3/b+MKYn0=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.53.0 h1:TCQZX4ztlcWXAcZouKh9qJMcVaH/qTidFTfsvJwUI30=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.53.0/go.mod h1:Ghi1OWUv4+VMEULWiHsKH2gNA3KAcMoLWsvU0eRXvIA=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.53.16 h1:HTiE5RcRpLXJpn/ZQLhkwtuMhTQke+DzpDWAgStjHUk=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.53.16/go.mod h1:49tE5yYdlAHqZIO8u5+u9Xy9k8IaV0v5cstZrjnX5+c=
 github.com/aws/aws-sdk-go-v2/service/iam v1.38.3 h1:2sFIoFzU1IEL9epJWubJm9Dhrn45aTNEJuwsesaCGnk=
 github.com/aws/aws-sdk-go-v2/service/iam v1.38.3/go.mod h1:KzlNINwfr/47tKkEhgk0r10/OZq3rjtyWy0txL3lM+I=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 h1:ZMeFZ5yk+Ek+jNr1+uwCd2tG89t6oTS5yVWpa6yy2es=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7/go.mod h1:mxV05U+4JiHqIpGqqYXOHLPKUC6bDXC44bsUhNjOEwY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.14 h1:2scbY6//jy/s8+5vGrk7l1+UtHl0h9A4MjOO2k/TM2E=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.14/go.mod h1:bRpZPHZpSe5YRHmPfK3h1M7UBFCn2szHzyx0rw04zro=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 h1:f9RyWNtS8oH7cZlbn+/JNPpjUk5+5fLd5lM9M0i49Ys=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5/go.mod h1:h5CoMZV2VF297/VLhRhO1WF+XYWOzXo+4HsObA4HjBQ=
 github.com/aws/aws-sdk-go-v2/service/pricing v1.21.6 h1:k/f3T13s7wx/By6aKovlVsjdNkRVT0QRR2RlZEvaTGg=
 github.com/aws/aws-sdk-go-v2/service/pricing v1.21.6/go.mod h1:9n3tkRCngy3+Iw/8vK3C69iXh22SCGsy3yn16nTxH+s=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 h1:6cnno47Me9bRykw9AEv9zkXE+5or7jz8TsskTTccbgc=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.16 h1:YV6xIKDJp6U7YB2bxfud9IENO1LRpGhe2Tv/OKtPrOQ=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.16/go.mod h1:DvbmMKgtpA6OihFJK13gHMZOZrCHttz8wPHGKXqU+3o=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.15 h1:kMyK3aKotq1aTBsj1eS8ERJLjqYRRRcsmP33ozlCvlk=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.15/go.mod h1:5uPZU7vSNzb8Y0dm75xTikinegPYK3uJmIHQZFq5Aqo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.15 h1:ht1jVmeeo2anR7zDiYJLSnRYnO/9NILXXu42FP3rJg0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.15/go.mod h1:xWZ5cOiFe3czngChE4LhCBqUxNwgfwndEF7XlYP/yD8=
 github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
-github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
+github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
@@ -115,16 +115,16 @@ github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6
 github.com/coocood/freecache v1.2.4 h1:UdR6Yz/X1HW4fZOuH0Z94KwG851GWOSknua5VUbb/5M=
 github.com/coocood/freecache v1.2.4/go.mod h1:RBUWa/Cy+OHdfTGFEhEuE1pMCMX51Ncizj7rthiQ3vk=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
-github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
+github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/djherbis/times v1.5.0 h1:79myA211VwPhFTqUk8xehWrsEO+zcIZj0zT8mXPVARU=
 github.com/djherbis/times v1.5.0/go.mod h1:5q7FDLvbNg1L/KaBmPcWlVR9NmoKo3+ucqUA3ijQhA0=
-github.com/elazarl/goproxy v1.2.1 h1:njjgvO6cRG9rIqN2ebkqy6cQz2Njkx7Fsfv/zIZqgug=
-github.com/elazarl/goproxy v1.2.1/go.mod h1:YfEbZtqP4AetfO6d40vWchF3znWX7C7Vd6ZMfdL8z64=
+github.com/elazarl/goproxy v1.4.0 h1:4GyuSbFa+s26+3rmYNSuUVsx+HgPrV1bk1jXI0l9wjM=
+github.com/elazarl/goproxy v1.4.0/go.mod h1:X/5W/t+gzDyLfHW4DrMdpjqYjpXsURlBt9lpBDxZZZQ=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/evertras/bubble-table v0.15.2 h1:hVj27V9tk5TD5p6mVv0RK/KJu2sHq0U+mBMux/HptkU=
@@ -141,12 +141,12 @@ github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.6.0 h1:w2hPNtoehvJIxR00Vb4xX94qHQi/ApZfX+nBE2Cjio8=
-github.com/go-git/go-billy/v5 v5.6.0/go.mod h1:sFDq7xD3fn3E0GOwUSZqHo9lrkmx8xJhA0ZrfvjBRGM=
+github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
+github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.13.0 h1:vLn5wlGIh/X78El6r3Jr+30W16Blk0CTcxTYcYPWi5E=
-github.com/go-git/go-git/v5 v5.13.0/go.mod h1:Wjo7/JyVKtQgUNdXYXIepzWfJQkUEIGvkvVkiXRR/zw=
+github.com/go-git/go-git/v5 v5.13.2 h1:7O7xvsK7K+rZPKW6AQR1YyNhfywkv7B8/FsP3ki6Zv0=
+github.com/go-git/go-git/v5 v5.13.2/go.mod h1:hWdW5P4YZRjmpGHwRH2v3zkWcNl6HeXaXQEMGb3NJ9A=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
@@ -176,6 +176,8 @@ github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/iwdgo/sigintwindows v0.2.2 h1:P6oWzpvV7MrEAmhUgs+zmarrWkyL77ycZz4v7+1gYAE=
+github.com/iwdgo/sigintwindows v0.2.2/go.mod h1:70wPb8oz8OnxPvsj2QMUjgIVhb8hMu5TUgX8KfFl7QY=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
@@ -198,8 +200,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
+github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
@@ -211,8 +213,8 @@ github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2J
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
@@ -242,12 +244,12 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pgavlin/fx v0.1.6 h1:r9jEg69DhNoCd3Xh0+5mIbdbS3PqWrVWujkY76MFRTU=
 github.com/pgavlin/fx v0.1.6/go.mod h1:KWZJ6fqBBSh8GxHYqwYCf3rYE7Gp2p0N8tJp8xv9u9M=
-github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
-github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
+github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
+github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -283,16 +285,16 @@ github.com/pulumi/pulumi-azure-native-sdk/storage/v2 v2.76.0 h1:DibeHp41RuqnWnvT
 github.com/pulumi/pulumi-azure-native-sdk/storage/v2 v2.76.0/go.mod h1:ptTNCATyAzeT7NgWBhRTMnd8L+cQtuf3VrwYfdjiLOo=
 github.com/pulumi/pulumi-azure-native-sdk/v2 v2.76.0 h1:SzPA7P0H213ULOUvneoJRi40XERRzLM0xJJ3I98noLQ=
 github.com/pulumi/pulumi-azure-native-sdk/v2 v2.76.0/go.mod h1:pzCvLkEbZ3aZJ3SMXxR3+0mV1fK0Qm7wHiMDfaoLib4=
-github.com/pulumi/pulumi-command/sdk v1.0.1 h1:ZuBSFT57nxg/fs8yBymUhKLkjJ6qmyN3gNvlY/idiN0=
-github.com/pulumi/pulumi-command/sdk v1.0.1/go.mod h1:C7sfdFbUIoXKoIASfXUbP/U9xnwPfxvz8dBpFodohlA=
+github.com/pulumi/pulumi-command/sdk v1.0.2 h1:OhyVaUlE+kvx0NXU+wzf7xTA5OL2bHWvKWAHvyhi1uo=
+github.com/pulumi/pulumi-command/sdk v1.0.2/go.mod h1:BbcTHkvZtcJqyB7SeLDzP99dj8xyCbA8v/6WjixsuBA=
 github.com/pulumi/pulumi-docker/sdk/v4 v4.4.3 h1:gQC2As+wE8QflbLCG90jLaKwIpqW3yl1y327Jj6ovbI=
 github.com/pulumi/pulumi-docker/sdk/v4 v4.4.3/go.mod h1:i19ZhFjFQrngtXYLHp3kjZNRmnEnq/DUdXK6/CBk77o=
 github.com/pulumi/pulumi-random/sdk/v4 v4.16.7 h1:39rhOe/PTUGMYia8pR5T2wbxxMt2pwrlonf0ncYKSzE=
 github.com/pulumi/pulumi-random/sdk/v4 v4.16.7/go.mod h1:cxxDhJzUPt/YElfvlWa15Q4NGF6XXS8kUs4OQsCxSBk=
 github.com/pulumi/pulumi-tls/sdk/v5 v5.0.9 h1:JH5TkGJDwlTqKdSJxd49DfrJOpVkRyGDvgKS9gwcV9U=
 github.com/pulumi/pulumi-tls/sdk/v5 v5.0.9/go.mod h1:3B+v+HC4bjAYf1mVxRVL/bDY20+VEMwfxRKgc3oeCrs=
-github.com/pulumi/pulumi/sdk/v3 v3.143.0 h1:z1m8Fc6l723eU2J/bP7UHE5t6WbBu4iIDAl1WaalQk4=
-github.com/pulumi/pulumi/sdk/v3 v3.143.0/go.mod h1:OFpZabILGxrFqzcABFpMCksrHGVp4ymRM2BkKjlazDY=
+github.com/pulumi/pulumi/sdk/v3 v3.150.0 h1:w5df9oOxqmVfsokWNb901/AvJEFjgBGrG9rgsWFlsJI=
+github.com/pulumi/pulumi/sdk/v3 v3.150.0/go.mod h1:+WC9aIDo8fMgd2g0jCHuZU2S/VYNLRAZ3QXt6YVgwaA=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
@@ -306,8 +308,8 @@ github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6ke
 github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
-github.com/sahilm/fuzzy v0.1.0 h1:FzWGaw2Opqyu+794ZQ9SYifWv2EIXpwP4q8dY1kDAwI=
-github.com/sahilm/fuzzy v0.1.0/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
+github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
+github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
 github.com/santhosh-tekuri/jsonschema/v5 v5.0.0 h1:TToq11gyfNlrMFZiYujSekIsPd9AmsA2Bj/iv+s4JHE=
 github.com/santhosh-tekuri/jsonschema/v5 v5.0.0/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H/cDPdvJ/SZJQLWWXWGrZ0=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
@@ -315,8 +317,8 @@ github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
-github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
+github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
+github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
@@ -325,25 +327,20 @@ github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
 github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
 github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
@@ -368,8 +365,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@@ -384,8 +381,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -407,11 +404,11 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
diff --git a/oci/Containerfile b/oci/Containerfile
index e229f9ed1..a172de3c7 100644
--- a/oci/Containerfile
+++ b/oci/Containerfile
@@ -18,7 +18,7 @@ RUN GOARCH=${TARGETARCH} make build \
     && tar -xzvf pulumicli.tar.gz 
 
 # ubi 9.5-1732804088
-FROM registry.access.redhat.com/ubi9/ubi:9.5-1732804088
+FROM registry.access.redhat.com/ubi9/ubi:9.5-1739751568@sha256:d342aa80781bf41c4c73485c41d8f1e2dbc40ee491633d9cafe787c361dd44ff
 ARG TARGETARCH
 LABEL org.opencontainers.image.authors="Redhat Developer"
 
@@ -38,7 +38,7 @@ ARG PULUMI_AWSX_VERSION=v2.19.0
 # renovate: datasource=github-releases depName=pulumi/pulumi-azure-native
 ARG PULUMI_AZURE_NATIVE_VERSION=v2.76.0
 # renovate: datasource=github-releases depName=pulumi/pulumi-command
-ARG PULUMI_COMMAND_VERSION=v1.0.1
+ARG PULUMI_COMMAND_VERSION=v1.0.2
 # renovate: datasource=github-releases depName=pulumi/pulumi-tls
 ARG PULUMI_TLS_VERSION=v5.0.9
 # renovate: datasource=github-releases depName=pulumi/pulumi-random
diff --git a/tools/go.mod b/tools/go.mod
index 113d2ccfd..424902613 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -1,15 +1,15 @@
 module github.com/redhat-developer/mapt/tools
 
-go 1.22.1
+go 1.23.0
 
-toolchain go1.23.4
+toolchain go1.24.0
 
 require github.com/golangci/golangci-lint v1.63.4
 
 require (
 	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
-	4d63.com/gochecknoglobals v0.2.1 // indirect
-	github.com/4meepo/tagalign v1.4.1 // indirect
+	4d63.com/gochecknoglobals v0.2.2 // indirect
+	github.com/4meepo/tagalign v1.4.2 // indirect
 	github.com/Abirdcfly/dupword v0.1.3 // indirect
 	github.com/Antonboom/errname v1.0.0 // indirect
 	github.com/Antonboom/nilnil v1.0.1 // indirect
@@ -17,14 +17,14 @@ require (
 	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
 	github.com/Crocmagnon/fatcontext v0.5.3 // indirect
 	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
-	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect
-	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
 	github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect
 	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
 	github.com/alexkohler/nakedret/v2 v2.0.5 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
-	github.com/alingse/nilnesserr v0.1.1 // indirect
+	github.com/alingse/nilnesserr v0.1.2 // indirect
 	github.com/ashanbrown/forbidigo v1.6.0 // indirect
 	github.com/ashanbrown/makezero v1.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -51,7 +51,7 @@ require (
 	github.com/firefart/nonamedreturns v1.0.5 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
-	github.com/ghostiam/protogetter v0.3.8 // indirect
+	github.com/ghostiam/protogetter v0.3.9 // indirect
 	github.com/go-critic/go-critic v0.11.5 // indirect
 	github.com/go-toolsmith/astcast v1.1.0 // indirect
 	github.com/go-toolsmith/astcopy v1.1.0 // indirect
@@ -69,7 +69,6 @@ require (
 	github.com/golangci/go-printf-func-name v0.1.0 // indirect
 	github.com/golangci/gofmt v0.0.0-20241223200906-057b0627d9b9 // indirect
 	github.com/golangci/misspell v0.6.0 // indirect
-	github.com/golangci/modinfo v0.3.4 // indirect
 	github.com/golangci/plugin-module-register v0.1.1 // indirect
 	github.com/golangci/revgrep v0.5.3 // indirect
 	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
@@ -87,7 +86,6 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jgautheron/goconst v1.7.1 // indirect
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
-	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
 	github.com/jjti/go-spancheck v0.6.4 // indirect
 	github.com/julz/importas v0.2.0 // indirect
 	github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect
@@ -98,18 +96,17 @@ require (
 	github.com/kyoh86/exportloopref v0.1.11 // indirect
 	github.com/lasiar/canonicalheader v1.1.2 // indirect
 	github.com/ldez/exptostd v0.3.1 // indirect
-	github.com/ldez/gomoddirectives v0.6.0 // indirect
-	github.com/ldez/grignotin v0.7.0 // indirect
+	github.com/ldez/gomoddirectives v0.6.1 // indirect
+	github.com/ldez/grignotin v0.9.0 // indirect
 	github.com/ldez/tagliatelle v0.7.1 // indirect
 	github.com/ldez/usetesting v0.4.2 // indirect
 	github.com/leonklingele/grouper v1.1.2 // indirect
-	github.com/lufeee/execinquery v1.2.1 // indirect
 	github.com/macabu/inamedparam v0.1.3 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/maratori/testableexamples v1.0.0 // indirect
 	github.com/maratori/testpackage v1.1.1 // indirect
 	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
@@ -125,12 +122,12 @@ require (
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/polyfloyd/go-errorlint v1.7.0 // indirect
+	github.com/polyfloyd/go-errorlint v1.7.1 // indirect
 	github.com/prometheus/client_golang v1.12.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 // indirect
+	github.com/quasilyte/go-ruleguard v0.4.4 // indirect
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
 	github.com/quasilyte/gogrep v0.5.0 // indirect
 	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
@@ -141,7 +138,6 @@ require (
 	github.com/ryancurrah/gomodguard v1.3.5 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
 	github.com/sashamelentyev/usestdlibvars v1.28.0 // indirect
@@ -156,14 +152,13 @@ require (
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/spf13/viper v1.12.0 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 	github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
-	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
 	github.com/tdakkota/asciicheck v0.3.0 // indirect
 	github.com/tetafro/godot v1.4.20 // indirect
 	github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3 // indirect
@@ -173,7 +168,7 @@ require (
 	github.com/ultraware/funlen v0.2.0 // indirect
 	github.com/ultraware/whitespace v0.2.0 // indirect
 	github.com/uudashr/gocognit v1.2.0 // indirect
-	github.com/uudashr/iface v1.3.0 // indirect
+	github.com/uudashr/iface v1.3.1 // indirect
 	github.com/xen0n/gosmopolitan v1.2.2 // indirect
 	github.com/yagipy/maintidx v1.0.0 // indirect
 	github.com/yeya24/promlinter v0.3.0 // indirect
@@ -187,13 +182,12 @@ require (
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.20.0 // indirect
-	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/tools/go.sum b/tools/go.sum
index 5ed92e6e8..b4c44029e 100644
--- a/tools/go.sum
+++ b/tools/go.sum
@@ -1,7 +1,7 @@
 4d63.com/gocheckcompilerdirectives v1.2.1 h1:AHcMYuw56NPjq/2y615IGg2kYkBdTvOaojYCBcRE7MA=
 4d63.com/gocheckcompilerdirectives v1.2.1/go.mod h1:yjDJSxmDTtIHHCqX0ufRYZDL6vQtMG7tJdKVeWwsqvs=
-4d63.com/gochecknoglobals v0.2.1 h1:1eiorGsgHOFOuoOiJDy2psSrQbRdIHrlge0IJIkUgDc=
-4d63.com/gochecknoglobals v0.2.1/go.mod h1:KRE8wtJB3CXCsb1xy421JfTHIIbmT3U5ruxw2Qu8fSU=
+4d63.com/gochecknoglobals v0.2.2 h1:H1vdnwnMaZdQW/N+NrkT1SZMTBmcwHe9Vq8lJcYYTtU=
+4d63.com/gochecknoglobals v0.2.2/go.mod h1:lLxwTQjL5eIesRbvnzIP3jZtG140FnTdz+AlMa+ogt0=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -35,75 +35,51 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/4meepo/tagalign v1.3.4 h1:P51VcvBnf04YkHzjfclN6BbsopfJR5rxs1n+5zHt+w8=
-github.com/4meepo/tagalign v1.3.4/go.mod h1:M+pnkHH2vG8+qhE5bVc/zeP7HS/j910Fwa9TUSyZVI0=
-github.com/4meepo/tagalign v1.4.1 h1:GYTu2FaPGOGb/xJalcqHeD4il5BiCywyEYZOA55P6J4=
-github.com/4meepo/tagalign v1.4.1/go.mod h1:2H9Yu6sZ67hmuraFgfZkNcg5Py9Ch/Om9l2K/2W1qS4=
-github.com/Abirdcfly/dupword v0.0.14 h1:3U4ulkc8EUo+CaT105/GJ1BQwtgyj6+VaBVbAX11Ba8=
-github.com/Abirdcfly/dupword v0.0.14/go.mod h1:VKDAbxdY8YbKUByLGg8EETzYSuC4crm9WwI6Y3S0cLI=
+github.com/4meepo/tagalign v1.4.2 h1:0hcLHPGMjDyM1gHG58cS73aQF8J4TdVR96TZViorO9E=
+github.com/4meepo/tagalign v1.4.2/go.mod h1:+p4aMyFM+ra7nb41CnFG6aSDXqRxU/w1VQqScKqDARI=
 github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE=
 github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw=
-github.com/Antonboom/errname v0.1.13 h1:JHICqsewj/fNckzrfVSe+T33svwQxmjC+1ntDsHOVvM=
-github.com/Antonboom/errname v0.1.13/go.mod h1:uWyefRYRN54lBg6HseYCFhs6Qjcy41Y3Jl/dVhA87Ns=
 github.com/Antonboom/errname v1.0.0 h1:oJOOWR07vS1kRusl6YRSlat7HFnb3mSfMl6sDMRoTBA=
 github.com/Antonboom/errname v1.0.0/go.mod h1:gMOBFzK/vrTiXN9Oh+HFs+e6Ndl0eTFbtsRTSRdXyGI=
-github.com/Antonboom/nilnil v0.1.9 h1:eKFMejSxPSA9eLSensFmjW2XTgTwJMjZ8hUHtV4s/SQ=
-github.com/Antonboom/nilnil v0.1.9/go.mod h1:iGe2rYwCq5/Me1khrysB4nwI7swQvjclR8/YRPl5ihQ=
 github.com/Antonboom/nilnil v1.0.1 h1:C3Tkm0KUxgfO4Duk3PM+ztPncTFlOf0b2qadmS0s4xs=
 github.com/Antonboom/nilnil v1.0.1/go.mod h1:CH7pW2JsRNFgEh8B2UaPZTEPhCMuFowP/e8Udp9Nnb0=
-github.com/Antonboom/testifylint v1.3.1 h1:Uam4q1Q+2b6H7gvk9RQFw6jyVDdpzIirFOOrbs14eG4=
-github.com/Antonboom/testifylint v1.3.1/go.mod h1:NV0hTlteCkViPW9mSR4wEMfwp+Hs1T3dY60bkvSfhpM=
 github.com/Antonboom/testifylint v1.5.2 h1:4s3Xhuv5AvdIgbd8wOOEeo0uZG7PbDKQyKY5lGoQazk=
 github.com/Antonboom/testifylint v1.5.2/go.mod h1:vxy8VJ0bc6NavlYqjZfmp6EfqXMtBgQ4+mhCojwC1P8=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
-github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Crocmagnon/fatcontext v0.2.2 h1:OrFlsDdOj9hW/oBEJBNSuH7QWf+E9WPVHw+x52bXVbk=
-github.com/Crocmagnon/fatcontext v0.2.2/go.mod h1:WSn/c/+MMNiD8Pri0ahRj0o9jVpeowzavOQplBJw6u0=
 github.com/Crocmagnon/fatcontext v0.5.3 h1:zCh/wjc9oyeF+Gmp+V60wetm8ph2tlsxocgg/J0hOps=
 github.com/Crocmagnon/fatcontext v0.5.3/go.mod h1:XoCQYY1J+XTfyv74qLXvNw4xFunr3L1wkopIIKG7wGM=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 h1:sATXp1x6/axKxz2Gjxv8MALP0bXaNRfQinEwyfMcx8c=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0/go.mod h1:Nl76DrGNJTA1KJ0LePKBw/vznBX1EHbAZX8mwjR82nI=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 h1:/fTUt5vmbkAcMBt4YQiuC23cV0kEsN1MVMNqeOW43cU=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0/go.mod h1:ONJg5sxcbsdQQ4pOW8TGdTidT2TMAUy/2Xhr8mrYaao=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
-github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
-github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 h1:Sz1JIXEcSfhz7fUi7xHnhpIE0thVASYjvosApmHuD2k=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1/go.mod h1:n/LSCXNuIYqVfBlVXyHfMQkZDdp1/mmxfSjADd3z1Zg=
+github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
+github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.0 h1:vDfG60vDtIuf0MEOhmLlLLSzqaRM8EMcgJPdp74zmpA=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.0/go.mod h1:CIzddKRvLBC4Au5aYP/i3nyaWQ+ClszLIuVocRiCYFQ=
-github.com/alecthomas/assert/v2 v2.2.2 h1:Z/iVC0xZfWTaFNE6bA3z07T86hd45Xe2eLt6WVy2bbk=
-github.com/alecthomas/assert/v2 v2.2.2/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ=
-github.com/alecthomas/go-check-sumtype v0.1.4 h1:WCvlB3l5Vq5dZQTFmodqL2g68uHiSwwlWcT5a2FGK0c=
-github.com/alecthomas/go-check-sumtype v0.1.4/go.mod h1:WyYPfhfkdhyrdaligV6svFopZV8Lqdzn5pyVBaV6jhQ=
+github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
+github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/go-check-sumtype v0.3.1 h1:u9aUvbGINJxLVXiFvHUlPEaD7VDULsrxJb4Aq31NLkU=
 github.com/alecthomas/go-check-sumtype v0.3.1/go.mod h1:A8TSiN3UPRw3laIgWEUOHHLPa6/r9MtoigdlP5h3K/E=
-github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk=
-github.com/alecthomas/repr v0.2.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
+github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/alexkohler/nakedret/v2 v2.0.4 h1:yZuKmjqGi0pSmjGpOC016LtPJysIL0WEUiaXW5SUnNg=
-github.com/alexkohler/nakedret/v2 v2.0.4/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU=
 github.com/alexkohler/nakedret/v2 v2.0.5 h1:fP5qLgtwbx9EJE8dGEERT02YwS8En4r9nnZ71RK+EVU=
 github.com/alexkohler/nakedret/v2 v2.0.5/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
 github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE=
 github.com/alingse/asasalint v0.0.11 h1:SFwnQXJ49Kx/1GghOFz1XGqHYKp21Kq1nHad/0WQRnw=
 github.com/alingse/asasalint v0.0.11/go.mod h1:nCaoMhw7a9kSJObvQyVzNTPBDbNpdocqrSP7t/cW5+I=
-github.com/alingse/nilnesserr v0.1.1 h1:7cYuJewpy9jFNMEA72Q1+3Nm3zKHzg+Q28D5f2bBFUA=
-github.com/alingse/nilnesserr v0.1.1/go.mod h1:1xJPrXonEtX7wyTq8Dytns5P2hNzoWymVUIaKm4HNFg=
+github.com/alingse/nilnesserr v0.1.2 h1:Yf8Iwm3z2hUUrP4muWfW83DF4nE3r1xZ26fGWUKCZlo=
+github.com/alingse/nilnesserr v0.1.2/go.mod h1:1xJPrXonEtX7wyTq8Dytns5P2hNzoWymVUIaKm4HNFg=
 github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8gerOIVIY=
 github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
-github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
-github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
 github.com/ashanbrown/makezero v1.2.0 h1:/2Lp1bypdmK9wDIq7uWBlDF1iMUpIIS4A+pF6C9IEUU=
 github.com/ashanbrown/makezero v1.2.0/go.mod h1:dxlPhHbDMC6N6xICzFBSK+4njQDdK8euNO0qjQMtGY4=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@@ -112,30 +88,18 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bkielbasa/cyclop v1.2.1 h1:AeF71HZDob1P2/pRm1so9cd1alZnrpyc4q2uP2l0gJY=
-github.com/bkielbasa/cyclop v1.2.1/go.mod h1:K/dT/M0FPAiYjBgQGau7tz+3TMh4FWAEqlMhzFWCrgM=
 github.com/bkielbasa/cyclop v1.2.3 h1:faIVMIGDIANuGPWH031CZJTi2ymOQBULs9H21HSMa5w=
 github.com/bkielbasa/cyclop v1.2.3/go.mod h1:kHTwA9Q0uZqOADdupvcFJQtp/ksSnytRMe8ztxG8Fuo=
 github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ089M=
 github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k=
-github.com/bombsimon/wsl/v4 v4.2.1 h1:Cxg6u+XDWff75SIFFmNsqnIOgob+Q9hG6y/ioKbRFiM=
-github.com/bombsimon/wsl/v4 v4.2.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo=
 github.com/bombsimon/wsl/v4 v4.5.0 h1:iZRsEvDdyhd2La0FVi5k6tYehpOR/R7qIUjmKk7N74A=
 github.com/bombsimon/wsl/v4 v4.5.0/go.mod h1:NOQ3aLF4nD7N5YPXMruR6ZXDOAqLoM0GEpLwTdvmOSc=
-github.com/breml/bidichk v0.2.7 h1:dAkKQPLl/Qrk7hnP6P+E0xOodrq8Us7+U0o4UBOAlQY=
-github.com/breml/bidichk v0.2.7/go.mod h1:YodjipAGI9fGcYM7II6wFvGhdMYsC5pHDlGzqvEW3tQ=
 github.com/breml/bidichk v0.3.2 h1:xV4flJ9V5xWTqxL+/PMFF6dtJPvZLPsyixAoPe8BGJs=
 github.com/breml/bidichk v0.3.2/go.mod h1:VzFLBxuYtT23z5+iVkamXO386OB+/sVwZOpIj6zXGos=
-github.com/breml/errchkjson v0.3.6 h1:VLhVkqSBH96AvXEyclMR37rZslRrY2kcyq+31HCsVrA=
-github.com/breml/errchkjson v0.3.6/go.mod h1:jhSDoFheAF2RSDOlCfhHO9KqhZgAYLyvHe7bRCX8f/U=
 github.com/breml/errchkjson v0.4.0 h1:gftf6uWZMtIa/Is3XJgibewBm2ksAQSY/kABDNFTAdk=
 github.com/breml/errchkjson v0.4.0/go.mod h1:AuBOSTHyLSaaAFlWsRSuRBIroCh3eh7ZHh5YeelDIk8=
-github.com/butuzov/ireturn v0.3.0 h1:hTjMqWw3y5JC3kpnC5vXmFJAWI/m31jaCYQqzkS6PL0=
-github.com/butuzov/ireturn v0.3.0/go.mod h1:A09nIiwiqzN/IoVo9ogpa0Hzi9fex1kd9PSD6edP5ZA=
 github.com/butuzov/ireturn v0.3.1 h1:mFgbEI6m+9W8oP/oDdfA34dLisRFCj2G6o/yiI1yZrY=
 github.com/butuzov/ireturn v0.3.1/go.mod h1:ZfRp+E7eJLC0NQmk1Nrm1LOrn/gQlOykv+cVPdiXH5M=
-github.com/butuzov/mirror v1.2.0 h1:9YVK1qIjNspaqWutSv8gsge2e/Xpq1eqEkslEUHy5cs=
-github.com/butuzov/mirror v1.2.0/go.mod h1:DqZZDtzm42wIAIyHXeN8W/qb1EPlb9Qn/if9icBOpdQ=
 github.com/butuzov/mirror v1.3.0 h1:HdWCXzmwlQHdVhwvsfBb2Au0r3HyINry3bDWLYXiKoc=
 github.com/butuzov/mirror v1.3.0/go.mod h1:AEij0Z8YMALaq4yQj9CPPVYOyJQyiexpQEQgihajRfI=
 github.com/catenacyber/perfsprint v0.7.1 h1:PGW5G/Kxn+YrN04cRAZKC+ZuvlVwolYMrIyyTJ/rMmc=
@@ -153,20 +117,13 @@ github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+U
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/ckaznocha/intrange v0.1.2 h1:3Y4JAxcMntgb/wABQ6e8Q8leMd26JbX2790lIss9MTI=
-github.com/ckaznocha/intrange v0.1.2/go.mod h1:RWffCw/vKBwHeOEwWdCikAtY0q4gGt8VhJZEEA5n+RE=
 github.com/ckaznocha/intrange v0.3.0 h1:VqnxtK32pxgkhJgYQEeOArVidIPg+ahLP7WBOXZd5ZY=
 github.com/ckaznocha/intrange v0.3.0/go.mod h1:+I/o2d2A1FBHgGELbGxzIcyd3/9l9DuwjM8FsbSS3Lo=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDUstnC9DIo=
-github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc=
 github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs=
 github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88=
-github.com/daixiang0/gci v0.13.4 h1:61UGkmpoAcxHM2hhNkZEf5SzwQtWJXTSws7jaPyqwlw=
-github.com/daixiang0/gci v0.13.4/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk=
 github.com/daixiang0/gci v0.13.5 h1:kThgmH1yBmZSBCh1EJVxQ7JsHpm5Oms0AMed/0LaH4c=
 github.com/daixiang0/gci v0.13.5/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -174,32 +131,28 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denis-tingaikin/go-header v0.5.0 h1:SRdnP5ZKvcO9KKRP1KJrhFR3RrlGuD+42t4429eC9k8=
 github.com/denis-tingaikin/go-header v0.5.0/go.mod h1:mMenU5bWrok6Wl2UsZjy+1okegmwQ3UgWl4V1D8gjlY=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/ettle/strcase v0.2.0 h1:fGNiVF21fHXpX1niBgk0aROov1LagYsOwV/xqKDKR/Q=
 github.com/ettle/strcase v0.2.0/go.mod h1:DajmHElDSaX76ITe3/VHVyMin4LWSJN5Z909Wp+ED1A=
-github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
-github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/firefart/nonamedreturns v1.0.5 h1:tM+Me2ZaXs8tfdDw3X6DOX++wMCOqzYUho6tUTYIdRA=
 github.com/firefart/nonamedreturns v1.0.5/go.mod h1:gHJjDqhGM4WyPt639SOZs+G89Ko7QKH5R5BhnO6xJhw=
-github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
 github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
-github.com/ghostiam/protogetter v0.3.6 h1:R7qEWaSgFCsy20yYHNIJsU9ZOb8TziSRRxuAOTVKeOk=
-github.com/ghostiam/protogetter v0.3.6/go.mod h1:7lpeDnEJ1ZjL/YtyoN99ljO4z0pd3H0d18/t2dPBxHw=
-github.com/ghostiam/protogetter v0.3.8 h1:LYcXbYvybUyTIxN2Mj9h6rHrDZBDwZloPoKctWrFyJY=
-github.com/ghostiam/protogetter v0.3.8/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA=
-github.com/go-critic/go-critic v0.11.4 h1:O7kGOCx0NDIni4czrkRIXTnit0mkyKOCePh3My6OyEU=
-github.com/go-critic/go-critic v0.11.4/go.mod h1:2QAdo4iuLik5S9YG0rT4wcZ8QxwHYkrr6/2MWAiv/vc=
+github.com/ghostiam/protogetter v0.3.9 h1:j+zlLLWzqLay22Cz/aYwTHKQ88GE2DQ6GkWSYFOI4lQ=
+github.com/ghostiam/protogetter v0.3.9/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA=
 github.com/go-critic/go-critic v0.11.5 h1:TkDTOn5v7EEngMxu8KbuFqFR43USaaH8XRJLz1jhVYA=
 github.com/go-critic/go-critic v0.11.5/go.mod h1:wu6U7ny9PiaHaZHcvMDmdysMqvDem162Rh3zWTrqk8M=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -211,8 +164,10 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
@@ -235,18 +190,12 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi
 github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ=
 github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus=
 github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig=
-github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
-github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
 github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80U=
-github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/go-xmlfmt/xmlfmt v1.1.3 h1:t8Ey3Uy7jDSEisW2K3somuMKIpzktkWptA0iFCnRUWY=
 github.com/go-xmlfmt/xmlfmt v1.1.3/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
-github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -283,18 +232,12 @@ github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9
 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk=
 github.com/golangci/go-printf-func-name v0.1.0 h1:dVokQP+NMTO7jwO4bwsRwLWeudOVUPPyAKJuzv8pEJU=
 github.com/golangci/go-printf-func-name v0.1.0/go.mod h1:wqhWFH5mUdJQhweRnldEywnR5021wTdZSNgwYceV14s=
-github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e h1:ULcKCDV1LOZPFxGZaA6TlQbiM3J2GCPnkx/bGF6sX/g=
-github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e/go.mod h1:Pm5KhLPA8gSnQwrQ6ukebRcapGb/BG9iUkdaiCcGHJM=
 github.com/golangci/gofmt v0.0.0-20241223200906-057b0627d9b9 h1:t5wybL6RtO83VwoMOb7U/Peqe3gGKQlPIC66wXmnkvM=
 github.com/golangci/gofmt v0.0.0-20241223200906-057b0627d9b9/go.mod h1:Ag3L7sh7E28qAp/5xnpMMTuGYqxLZoSaEHZDkZB1RgU=
-github.com/golangci/golangci-lint v1.59.1 h1:CRRLu1JbhK5avLABFJ/OHVSQ0Ie5c4ulsOId1h3TTks=
-github.com/golangci/golangci-lint v1.59.1/go.mod h1:jX5Oif4C7P0j9++YB2MMJmoNrb01NJ8ITqKWNLewThg=
 github.com/golangci/golangci-lint v1.63.4 h1:bJQFQ3hSfUto597dkL7ipDzOxsGEpiWdLiZ359OWOBI=
 github.com/golangci/golangci-lint v1.63.4/go.mod h1:Hx0B7Lg5/NXbaOHem8+KU+ZUIzMI6zNj/7tFwdnn10I=
 github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs=
 github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo=
-github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA=
-github.com/golangci/modinfo v0.3.4/go.mod h1:wytF1M5xl9u0ij8YSvhkEVPP3M5Mc7XLl1pxH3B2aUM=
 github.com/golangci/plugin-module-register v0.1.1 h1:TCmesur25LnyJkpsVrupv1Cdzo+2f7zX0H6Jkw1Ol6c=
 github.com/golangci/plugin-module-register v0.1.1/go.mod h1:TTpqoB6KkwOJMV8u7+NyXMrkwwESJLOkfl9TxR1DGFc=
 github.com/golangci/revgrep v0.5.3 h1:3tL7c1XBMtWHHqVpS5ChmiAAoe4PF/d5+ULzV9sLAzs=
@@ -327,8 +270,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA=
+github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
@@ -344,17 +287,17 @@ github.com/gostaticanalysis/forcetypeassert v0.1.0/go.mod h1:qZEedyP/sY1lTGV1uJ3
 github.com/gostaticanalysis/nilerr v0.1.1 h1:ThE+hJP0fEp4zWLkWHWcRyI2Od0p7DlgYG3Uqrmrcpk=
 github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A=
 github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M=
-github.com/gostaticanalysis/testutil v0.4.0 h1:nhdCmubdmDF6VEatUNjgUZBJKWRqugoISdUv3PPQgHY=
-github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU=
-github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
+github.com/gostaticanalysis/testutil v0.5.0 h1:Dq4wT1DdTwTGCQQv3rl3IvD5Ld0E6HiY+3Zh0sUGqw8=
+github.com/gostaticanalysis/testutil v0.5.0/go.mod h1:OLQSbuM6zw2EvCcXTz1lVq5unyoNft372msDY0nY5Hs=
 github.com/hashicorp/go-immutable-radix/v2 v2.1.0 h1:CUW5RYIcysz+D3B+l1mDeXrQ7fUvGGCwJfdASSzbrfo=
 github.com/hashicorp/go-immutable-radix/v2 v2.1.0/go.mod h1:hgdqLXA4f6NIjRVisM1TJ9aOJVNRqKZj+xDGF6m7PBw=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
@@ -368,10 +311,6 @@ github.com/jgautheron/goconst v1.7.1 h1:VpdAG7Ca7yvvJk5n8dMwQhfEZJh95kl/Hl9S1OI5
 github.com/jgautheron/goconst v1.7.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4=
 github.com/jingyugao/rowserrcheck v1.1.1 h1:zibz55j/MJtLsjP1OF4bSdgXxwL1b+Vn7Tjzq7gFzUs=
 github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c=
-github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af h1:KA9BjwUk7KlCh6S9EAGWBt1oExIUv9WyNCiRz5amv48=
-github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0=
-github.com/jjti/go-spancheck v0.6.1 h1:ZK/wE5Kyi1VX3PJpUO2oEgeoI4FWOUm7Shb2Gbv5obI=
-github.com/jjti/go-spancheck v0.6.1/go.mod h1:vF1QkOO159prdo6mHRxak2CpzDpHAfKiPUDP/NeRnX8=
 github.com/jjti/go-spancheck v0.6.4 h1:Tl7gQpYf4/TMU7AT84MN83/6PutY21Nb9fuQjFTpRRc=
 github.com/jjti/go-spancheck v0.6.4/go.mod h1:yAEYdKJ2lRkDA8g7X+oKUHXOWVAXSBJRv04OhF+QUjk=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
@@ -383,14 +322,10 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/julz/importas v0.1.0 h1:F78HnrsjY3cR7j0etXy5+TU1Zuy7Xt08X/1aJnH5xXY=
-github.com/julz/importas v0.1.0/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0=
 github.com/julz/importas v0.2.0 h1:y+MJN/UdL63QbFJHws9BVC5RpA2iq0kpjrFajTGivjQ=
 github.com/julz/importas v0.2.0/go.mod h1:pThlt589EnCYtMnmhmRYY/qn9lCf/frPOK+WMx3xiJY=
 github.com/karamaru-alpha/copyloopvar v1.1.0 h1:x7gNyKcC2vRBO1H2Mks5u1VxQtYvFiym7fCjIP8RPos=
 github.com/karamaru-alpha/copyloopvar v1.1.0/go.mod h1:u7CIfztblY0jZLOQZgH3oYsJzpC2A7S6u/lfgSXHy0k=
-github.com/kisielk/errcheck v1.7.0 h1:+SbscKmWJ5mOK/bO1zS60F5I9WwZDWOfRsC4RwfwRV0=
-github.com/kisielk/errcheck v1.7.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ=
 github.com/kisielk/errcheck v1.8.0 h1:ZX/URYa7ilESY19ik/vBmCn6zdGQLxACwjAcWbHlYlg=
 github.com/kisielk/errcheck v1.8.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -400,7 +335,6 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -413,32 +347,24 @@ github.com/kunwardeep/paralleltest v1.0.10 h1:wrodoaKYzS2mdNVnc4/w31YaXFtsc21PCT
 github.com/kunwardeep/paralleltest v1.0.10/go.mod h1:2C7s65hONVqY7Q5Efj5aLzRCNLjw2h4eMc9EcypGjcY=
 github.com/kyoh86/exportloopref v0.1.11 h1:1Z0bcmTypkL3Q4k+IDHMWTcnCliEZcaPiIe0/ymEyhQ=
 github.com/kyoh86/exportloopref v0.1.11/go.mod h1:qkV4UF1zGl6EkF1ox8L5t9SwyeBAZ3qLMd6up458uqA=
-github.com/lasiar/canonicalheader v1.1.1 h1:wC+dY9ZfiqiPwAexUApFush/csSPXeIi4QqyxXmng8I=
-github.com/lasiar/canonicalheader v1.1.1/go.mod h1:cXkb3Dlk6XXy+8MVQnF23CYKWlyA7kfQhSw2CcZtZb0=
 github.com/lasiar/canonicalheader v1.1.2 h1:vZ5uqwvDbyJCnMhmFYimgMZnJMjwljN5VGY0VKbMXb4=
 github.com/lasiar/canonicalheader v1.1.2/go.mod h1:qJCeLFS0G/QlLQ506T+Fk/fWMa2VmBUiEI2cuMK4djI=
 github.com/ldez/exptostd v0.3.1 h1:90yWWoAKMFHeovTK8uzBms9Ppp8Du/xQ20DRO26Ymrw=
 github.com/ldez/exptostd v0.3.1/go.mod h1:iZBRYaUmcW5jwCR3KROEZ1KivQQp6PHXbDPk9hqJKCQ=
-github.com/ldez/gomoddirectives v0.2.4 h1:j3YjBIjEBbqZ0NKtBNzr8rtMHTOrLPeiwTkfUJZ3alg=
-github.com/ldez/gomoddirectives v0.2.4/go.mod h1:oWu9i62VcQDYp9EQ0ONTfqLNh+mDLWWDO+SO0qSQw5g=
-github.com/ldez/gomoddirectives v0.6.0 h1:Jyf1ZdTeiIB4dd+2n4qw+g4aI9IJ6JyfOZ8BityWvnA=
-github.com/ldez/gomoddirectives v0.6.0/go.mod h1:TuwOGYoPAoENDWQpe8DMqEm5nIfjrxZXmxX/CExWyZ4=
-github.com/ldez/grignotin v0.7.0 h1:vh0dI32WhHaq6LLPZ38g7WxXuZ1+RzyrJ7iPG9JMa8c=
-github.com/ldez/grignotin v0.7.0/go.mod h1:uaVTr0SoZ1KBii33c47O1M8Jp3OP3YDwhZCmzT9GHEk=
-github.com/ldez/tagliatelle v0.5.0 h1:epgfuYt9v0CG3fms0pEgIMNPuFf/LpPIfjk4kyqSioo=
-github.com/ldez/tagliatelle v0.5.0/go.mod h1:rj1HmWiL1MiKQuOONhd09iySTEkUuE/8+5jtPYz9xa4=
+github.com/ldez/gomoddirectives v0.6.1 h1:Z+PxGAY+217f/bSGjNZr/b2KTXcyYLgiWI6geMBN2Qc=
+github.com/ldez/gomoddirectives v0.6.1/go.mod h1:cVBiu3AHR9V31em9u2kwfMKD43ayN5/XDgr+cdaFaKs=
+github.com/ldez/grignotin v0.9.0 h1:MgOEmjZIVNn6p5wPaGp/0OKWyvq42KnzAt/DAb8O4Ow=
+github.com/ldez/grignotin v0.9.0/go.mod h1:uaVTr0SoZ1KBii33c47O1M8Jp3OP3YDwhZCmzT9GHEk=
 github.com/ldez/tagliatelle v0.7.1 h1:bTgKjjc2sQcsgPiT902+aadvMjCeMHrY7ly2XKFORIk=
 github.com/ldez/tagliatelle v0.7.1/go.mod h1:3zjxUpsNB2aEZScWiZTHrAXOl1x25t3cRmzfK1mlo2I=
 github.com/ldez/usetesting v0.4.2 h1:J2WwbrFGk3wx4cZwSMiCQQ00kjGR0+tuuyW0Lqm4lwA=
 github.com/ldez/usetesting v0.4.2/go.mod h1:eEs46T3PpQ+9RgN9VjpY6qWdiw2/QmfiDeWmdZdrjIQ=
 github.com/leonklingele/grouper v1.1.2 h1:o1ARBDLOmmasUaNDesWqWCIFH3u7hoFlM84YrjT3mIY=
 github.com/leonklingele/grouper v1.1.2/go.mod h1:6D0M/HVkhs2yRKRFZUoGjeDy7EZTfFBE9gl4kjmIGkA=
-github.com/lufeee/execinquery v1.2.1 h1:hf0Ems4SHcUGBxpGN7Jz78z1ppVkP/837ZlETPCEtOM=
-github.com/lufeee/execinquery v1.2.1/go.mod h1:EC7DrEKView09ocscGHC+apXMIaorh4xqSxS/dy8SbM=
 github.com/macabu/inamedparam v0.1.3 h1:2tk/phHkMlEL/1GNe/Yf6kkR/hkcUdAEY3L0hjYV1Mk=
 github.com/macabu/inamedparam v0.1.3/go.mod h1:93FLICAIk/quk7eaPPQvbzihUdn/QkGDwIZEoLtpH6I=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
+github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/maratori/testableexamples v1.0.0 h1:dU5alXRrD8WKSjOUnmJZuzdxWOEQ57+7s93SLMxb2vI=
 github.com/maratori/testableexamples v1.0.0/go.mod h1:4rhjL1n20TUTT4vdh3RDqSizKLyXp7K2u6HgraZCGzE=
 github.com/maratori/testpackage v1.1.1 h1:S58XVV5AD7HADMmD0fNnziNHqKvSdDuEKdPD1rNTU04=
@@ -447,20 +373,15 @@ github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 h1:gWg6ZQ4JhDfJPqlo2
 github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s=
 github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE=
 github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mgechev/revive v1.3.7 h1:502QY0vQGe9KtYJ9FpxMz9rL+Fc/P13CI5POL4uHCcE=
-github.com/mgechev/revive v1.3.7/go.mod h1:RJ16jUbF0OWC3co/+XTxmFNgEpUPwnnA0BRllX2aDNA=
 github.com/mgechev/revive v1.5.1 h1:hE+QPeq0/wIzJwOphdVyUJ82njdd8Khp4fUIHGZHW3M=
 github.com/mgechev/revive v1.5.1/go.mod h1:lC9AhkJIBs5zwx8wkudyHrU+IJkrEKmpCmGMnIJPk4o=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
@@ -472,8 +393,6 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/moricho/tparallel v0.3.1 h1:fQKD4U1wRMAYNngDonW5XupoB/ZGJHdpzrWqgyg9krA=
-github.com/moricho/tparallel v0.3.1/go.mod h1:leENX2cUv7Sv2qDgdi0D0fCftN8fRC67Bcn8pqzeYNI=
 github.com/moricho/tparallel v0.3.2 h1:odr8aZVFA3NZrNybggMkYO3rgPRcqjeQUlBBFVxKHTI=
 github.com/moricho/tparallel v0.3.2/go.mod h1:OQ+K3b4Ln3l2TZveGCywybl68glfLEwFGqvnjok8b+U=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -484,16 +403,14 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK
 github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs=
 github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk=
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
-github.com/nunnatsa/ginkgolinter v0.16.2 h1:8iLqHIZvN4fTLDC0Ke9tbSZVcyVHoBs0HIbnVSxfHJk=
-github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ=
 github.com/nunnatsa/ginkgolinter v0.18.4 h1:zmX4KUR+6fk/vhUFt8DOP6KwznekhkmVSzzVJve2vyM=
 github.com/nunnatsa/ginkgolinter v0.18.4/go.mod h1:AMEane4QQ6JwFz5GgjI5xLUM9S/CylO+UyM97fN2iBI=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU=
-github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc=
-github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
-github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
+github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4=
+github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag=
+github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
+github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=
 github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w=
@@ -503,8 +420,6 @@ github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT9
 github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -513,10 +428,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/polyfloyd/go-errorlint v1.5.2 h1:SJhVik3Umsjh7mte1vE0fVZ5T1gznasQG3PV7U5xFdA=
-github.com/polyfloyd/go-errorlint v1.5.2/go.mod h1:sH1QC1pxxi0fFecsVIzBmxtrgd9IF/SkJpA6wqyKAJs=
-github.com/polyfloyd/go-errorlint v1.7.0 h1:Zp6lzCK4hpBDj8y8a237YK4EPrMXQWvOe3nGoH4pFrU=
-github.com/polyfloyd/go-errorlint v1.7.0/go.mod h1:dGWKu85mGHnegQ2SWpEybFityCg3j7ZbwsVUxAOk9gY=
+github.com/polyfloyd/go-errorlint v1.7.1 h1:RyLVXIbosq1gBdk/pChWA8zWYLsq9UEw7a1L5TVMCnA=
+github.com/polyfloyd/go-errorlint v1.7.1/go.mod h1:aXjNb1x2TNhoLsk26iv1yl7a+zTnXPhwEMtEXukiLR8=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -541,10 +454,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/quasilyte/go-ruleguard v0.4.2 h1:htXcXDK6/rO12kiTHKfHuqR4kr3Y4M0J0rOL6CH/BYs=
-github.com/quasilyte/go-ruleguard v0.4.2/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI=
-github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 h1:+Wl/0aFp0hpuHM3H//KMft64WQ1yX9LdJY64Qm/gFCo=
-github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI=
+github.com/quasilyte/go-ruleguard v0.4.4 h1:53DncefIeLX3qEpjzlS1lyUmQoUEeOWPFWqaTJq9eAQ=
+github.com/quasilyte/go-ruleguard v0.4.4/go.mod h1:Vl05zJ538vcEEwu16V/Hdu7IYZWyKSwIy4c88Ro1kRE=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/quasilyte/gogrep v0.5.0 h1:eTKODPXbI8ffJMN+W2aE0+oL0z/nh8/5eNdiO34SOAo=
@@ -555,38 +466,25 @@ github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 h1:M8mH9eK4OUR4l
 github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8A4Y+GyBgPuaQJuWiy0XYftx4Xm/y5Jqk9I6VQ=
 github.com/raeperd/recvcheck v0.2.0 h1:GnU+NsbiCqdC2XX5+vMZzP+jAJC5fht7rcVTAhX74UI=
 github.com/raeperd/recvcheck v0.2.0/go.mod h1:n04eYkwIR0JbgD73wT8wL4JjPC3wm0nFtzBnWNocnYU=
-github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/ryancurrah/gomodguard v1.3.2 h1:CuG27ulzEB1Gu5Dk5gP8PFxSOZ3ptSdP5iI/3IXxM18=
-github.com/ryancurrah/gomodguard v1.3.2/go.mod h1:LqdemiFomEjcxOqirbQCb3JFvSxH2JUYMerTFd3sF2o=
 github.com/ryancurrah/gomodguard v1.3.5 h1:cShyguSwUEeC0jS7ylOiG/idnd1TpJ1LfHGpV3oJmPU=
 github.com/ryancurrah/gomodguard v1.3.5/go.mod h1:MXlEPQRxgfPQa62O8wzK3Ozbkv9Rkqr+wKjSxTdsNJE=
 github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9fJfSfdyCU=
 github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ=
-github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc=
-github.com/sanposhiho/wastedassign/v2 v2.0.7/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
 github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
 github.com/sanposhiho/wastedassign/v2 v2.1.0/go.mod h1:+oSmSC+9bQ+VUAxA66nBb0Z7N8CK7mscKTDYC6aIek4=
-github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
-github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tMEOsumirXcOJqAw=
 github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ=
-github.com/sashamelentyev/usestdlibvars v1.26.0 h1:LONR2hNVKxRmzIrZR0PhSF3mhCAzvnr+DcUiHgREfXE=
-github.com/sashamelentyev/usestdlibvars v1.26.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
 github.com/sashamelentyev/usestdlibvars v1.28.0 h1:jZnudE2zKCtYlGzLVreNp5pmCdOxXUzwsMDBkR21cyQ=
 github.com/sashamelentyev/usestdlibvars v1.28.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
-github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 h1:rnO6Zp1YMQwv8AyxzuwsVohljJgp4L0ZqiCgtACsPsc=
-github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9/go.mod h1:dg7lPlu/xK/Ut9SedURCoZbVCR4yC7fM65DtH9/CDHs=
 github.com/securego/gosec/v2 v2.21.4 h1:Le8MSj0PDmOnHJgUATjD96PaXRvCpKC+DGJvwyy0Mlk=
 github.com/securego/gosec/v2 v2.21.4/go.mod h1:Jtb/MwRQfRxCXyCm1rfM1BEiiiTfUOdyzzAhlr6lUTA=
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU=
@@ -600,12 +498,8 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE=
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
-github.com/sivchari/tenv v1.7.1 h1:PSpuD4bu6fSmtWMxSGWcvqUUgIn7k3yOJhOIzVWn8Ak=
-github.com/sivchari/tenv v1.7.1/go.mod h1:64yStXKSOxDfX47NlhVwND4dHwfZDdbp2Lyl018Icvg=
 github.com/sivchari/tenv v1.12.1 h1:+E0QzjktdnExv/wwsnnyk4oqZBUfuh89YMQT1cyuvSY=
 github.com/sivchari/tenv v1.12.1/go.mod h1:1LjSOUCc25snIr5n3DtGGrENhX3LuWefcplwVGC24mw=
-github.com/sonatard/noctx v0.0.2 h1:L7Dz4De2zDQhW8S0t+KUjY0MAQJd6SgVwhzNIc4ok00=
-github.com/sonatard/noctx v0.0.2/go.mod h1:kzFz+CzWSjQ2OzIm46uJZoXuBpa2+0y3T36U18dWqIo=
 github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM=
 github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c=
 github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0=
@@ -614,20 +508,17 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
 github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
 github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0=
 github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
-github.com/stbenjam/no-sprintf-host-port v0.1.1 h1:tYugd/yrm1O0dV+ThCbaKZh195Dfm07ysF0U6JQXczc=
-github.com/stbenjam/no-sprintf-host-port v0.1.1/go.mod h1:TLhvtIvONRzdmkFiio4O8LHsN9N74I+PhRquPsxpL0I=
 github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8Bg8etvARQ1rpyl4=
 github.com/stbenjam/no-sprintf-host-port v0.2.0/go.mod h1:eL0bQ9PasS0hsyTyfTjjG+E80QIyPnBVQbYZyv20Jfk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -644,54 +535,34 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplBwWcHBo6q9xrfWdMrT9o4kltkmmvpemgIjep/8=
-github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=
-github.com/tdakkota/asciicheck v0.2.0 h1:o8jvnUANo0qXtnslk2d3nMKTFNlOnJjRrNcj0j9qkHM=
-github.com/tdakkota/asciicheck v0.2.0/go.mod h1:Qb7Y9EgjCLJGup51gDHFzbI08/gbGhL/UVhYIPWG2rg=
 github.com/tdakkota/asciicheck v0.3.0 h1:LqDGgZdholxZMaJgpM6b0U9CFIjDCbFdUF00bDnBKOQ=
 github.com/tdakkota/asciicheck v0.3.0/go.mod h1:KoJKXuX/Z/lt6XzLo8WMBfQGzak0SrAKZlvRr4tg8Ac=
 github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA=
 github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3 h1:f+jULpRQGxTSkNYKJ51yaw6ChIqO+Je8UqsTKN/cDag=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY=
-github.com/tetafro/godot v1.4.16 h1:4ChfhveiNLk4NveAZ9Pu2AN8QZ2nkUGFuadM9lrr5D0=
-github.com/tetafro/godot v1.4.16/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
 github.com/tetafro/godot v1.4.20 h1:z/p8Ek55UdNvzt4TFn2zx2KscpW4rWqcnUrdmvWJj7E=
 github.com/tetafro/godot v1.4.20/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
-github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 h1:quvGphlmUVU+nhpFa4gg4yJyTRJ13reZMDHrKwYw53M=
-github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966/go.mod h1:27bSVNWSBOHm+qRp1T9qzaIpsWEP6TbUnei/43HK+PQ=
 github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3 h1:y4mJRFlM6fUyPhoXuFg/Yu02fg/nIPFMOY8tOqppoFg=
 github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3/go.mod h1:mkjARE7Yr8qU23YcGMSALbIxTQ9r9QBVahQOBRfU460=
-github.com/timonwong/loggercheck v0.9.4 h1:HKKhqrjcVj8sxL7K77beXh0adEm6DLjV/QOGeMXEVi4=
-github.com/timonwong/loggercheck v0.9.4/go.mod h1:caz4zlPcgvpEkXgVnAJGowHAMW2NwHaNlpS8xDbVhTg=
 github.com/timonwong/loggercheck v0.10.1 h1:uVZYClxQFpw55eh+PIoqM7uAOHMrhVcDoWDery9R8Lg=
 github.com/timonwong/loggercheck v0.10.1/go.mod h1:HEAWU8djynujaAVX7QI65Myb8qgfcZ1uKbdpg3ZzKl8=
-github.com/tomarrell/wrapcheck/v2 v2.8.3 h1:5ov+Cbhlgi7s/a42BprYoxsr73CbdMUTzE3bRDFASUs=
-github.com/tomarrell/wrapcheck/v2 v2.8.3/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
 github.com/tomarrell/wrapcheck/v2 v2.10.0 h1:SzRCryzy4IrAH7bVGG4cK40tNUhmVmMDuJujy4XwYDg=
 github.com/tomarrell/wrapcheck/v2 v2.10.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
-github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
-github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
 github.com/ultraware/funlen v0.2.0 h1:gCHmCn+d2/1SemTdYMiKLAHFYxTYz7z9VIDRaTGyLkI=
 github.com/ultraware/funlen v0.2.0/go.mod h1:ZE0q4TsJ8T1SQcjmkhN/w+MceuatI6pBFSxxyteHIJA=
-github.com/ultraware/whitespace v0.1.1 h1:bTPOGejYFulW3PkcrqkeQwOd6NKOOXvmGD9bo/Gk8VQ=
-github.com/ultraware/whitespace v0.1.1/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
 github.com/ultraware/whitespace v0.2.0 h1:TYowo2m9Nfj1baEQBjuHzvMRbp19i+RCcRYrSWoFa+g=
 github.com/ultraware/whitespace v0.2.0/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
-github.com/uudashr/gocognit v1.1.2 h1:l6BAEKJqQH2UpKAPKdMfZf5kE4W/2xk8pfU1OVLvniI=
-github.com/uudashr/gocognit v1.1.2/go.mod h1:aAVdLURqcanke8h3vg35BC++eseDm66Z7KmchI5et4k=
 github.com/uudashr/gocognit v1.2.0 h1:3BU9aMr1xbhPlvJLSydKwdLN3tEUUrzPSSM8S4hDYRA=
 github.com/uudashr/gocognit v1.2.0/go.mod h1:k/DdKPI6XBZO1q7HgoV2juESI2/Ofj9AcHPZhBBdrTU=
-github.com/uudashr/iface v1.3.0 h1:zwPch0fs9tdh9BmL5kcgSpvnObV+yHjO4JjVBl8IA10=
-github.com/uudashr/iface v1.3.0/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg=
+github.com/uudashr/iface v1.3.1 h1:bA51vmVx1UIhiIsQFSNq6GZ6VPTk3WNMZgRiCe9R29U=
+github.com/uudashr/iface v1.3.1/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg=
 github.com/xen0n/gosmopolitan v1.2.2 h1:/p2KTnMzwRexIW8GlKawsTWOxn7UHA+jCMF/V8HHtvU=
 github.com/xen0n/gosmopolitan v1.2.2/go.mod h1:7XX7Mj61uLYrj0qmeN0zi7XDon9JRAEhYQqAPLVNTeg=
 github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM=
@@ -711,12 +582,8 @@ gitlab.com/bosi/decorder v0.4.2 h1:qbQaV3zgwnBZ4zPMhGLW4KZe7A7NwxEhJx39R3shffo=
 gitlab.com/bosi/decorder v0.4.2/go.mod h1:muuhHoaJkA9QLcYHq4Mj8FJUwDZ+EirSHRiaTcTf6T8=
 go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ=
 go-simpler.org/assert v0.9.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28=
-go-simpler.org/musttag v0.12.2 h1:J7lRc2ysXOq7eM8rwaTYnNrHd5JwjppzB6mScysB2Cs=
-go-simpler.org/musttag v0.12.2/go.mod h1:uN1DVIasMTQKk6XSik7yrJoEysGtR2GRqvWnI9S7TYM=
 go-simpler.org/musttag v0.13.0 h1:Q/YAW0AHvaoaIbsPj3bvEI5/QFP7w696IMUpnKXQfCE=
 go-simpler.org/musttag v0.13.0/go.mod h1:FTzIGeK6OkKlUDVpj0iQUXZLUO1Js9+mvykDQy9C5yM=
-go-simpler.org/sloglint v0.7.1 h1:qlGLiqHbN5islOxjeLXoPtUdZXb669RW+BDQ+xOSNoU=
-go-simpler.org/sloglint v0.7.1/go.mod h1:OlaVDRh/FKKd4X4sIMbsz8st97vomydceL146Fthh/c=
 go-simpler.org/sloglint v0.7.2 h1:Wc9Em/Zeuu7JYpl+oKoYOsQSy2X560aVueCW/m6IijY=
 go-simpler.org/sloglint v0.7.2/go.mod h1:US+9C80ppl7VsThQclkM7BkCHQAzuz8kHLsW3ppuluo=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -726,8 +593,6 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
-go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
@@ -743,7 +608,6 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -756,14 +620,10 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc h1:ao2WRsKSzW6KuUY9IWPwWahcHCgR0s52IfwutMfEbdM=
-golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
-golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f h1:WTyX8eCCyfdqiPYkRGm0MqElSfYFH3yR1+rl/mct9sA=
 golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
@@ -788,19 +648,15 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -835,16 +691,14 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -866,10 +720,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -903,7 +755,6 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -915,27 +766,19 @@ golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220702020025-31831981b65f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
@@ -949,13 +792,10 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -978,7 +818,6 @@ golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20190910044552-dd2b5c81c578/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1009,26 +848,19 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
-golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
 golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
-golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
-golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
-golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
+golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
+golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1108,8 +940,6 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
@@ -1138,12 +968,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.4.7 h1:9MDAWxMoSnB6QoSqiVr7P5mtkT9pOc1kSxchzPCnqJs=
-honnef.co/go/tools v0.4.7/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0=
 honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I=
 honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs=
-mvdan.cc/gofumpt v0.6.0 h1:G3QvahNDmpD+Aek/bNOLrFR2XC6ZAdo62dZu65gmwGo=
-mvdan.cc/gofumpt v0.6.0/go.mod h1:4L0wf+kgIPZtcCWXynNS2e6bhmj73umwnuXSZarixzA=
 mvdan.cc/gofumpt v0.7.0 h1:bg91ttqXmi9y2xawvkuMXyvAA/1ZGJqYAEGjXuP0JXU=
 mvdan.cc/gofumpt v0.7.0/go.mod h1:txVFJy/Sc/mvaycET54pV8SW8gWxTlUuGHVEcncmNUo=
 mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U=
diff --git a/vendor/dario.cat/mergo/.gitignore b/vendor/dario.cat/mergo/.gitignore
index 529c3412b..45ad0f1ae 100644
--- a/vendor/dario.cat/mergo/.gitignore
+++ b/vendor/dario.cat/mergo/.gitignore
@@ -13,6 +13,9 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
+# Golang/Intellij
+.idea
+
 # Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
 .glide/
 
diff --git a/vendor/dario.cat/mergo/README.md b/vendor/dario.cat/mergo/README.md
index 7d0cf9f32..0b3c48889 100644
--- a/vendor/dario.cat/mergo/README.md
+++ b/vendor/dario.cat/mergo/README.md
@@ -44,13 +44,21 @@ Also a lovely [comune](http://en.wikipedia.org/wiki/Mergo) (municipality) in the
 
 ## Status
 
-It is ready for production use. [It is used in several projects by Docker, Google, The Linux Foundation, VMWare, Shopify, Microsoft, etc](https://github.com/imdario/mergo#mergo-in-the-wild).
+Mergo is stable and frozen, ready for production. Check a short list of the projects using at large scale it [here](https://github.com/imdario/mergo#mergo-in-the-wild).
+
+No new features are accepted. They will be considered for a future v2 that improves the implementation and fixes bugs for corner cases.
 
 ### Important notes
 
 #### 1.0.0
 
-In [1.0.0](//github.com/imdario/mergo/releases/tag/1.0.0) Mergo moves to a vanity URL `dario.cat/mergo`.
+In [1.0.0](//github.com/imdario/mergo/releases/tag/1.0.0) Mergo moves to a vanity URL `dario.cat/mergo`. No more v1 versions will be released.
+
+If the vanity URL is causing issues in your project due to a dependency pulling Mergo - it isn't a direct dependency in your project - it is recommended to use [replace](https://github.com/golang/go/wiki/Modules#when-should-i-use-the-replace-directive) to pin the version to the last one with the old import URL:
+
+```
+replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16
+```
 
 #### 0.3.9
 
@@ -64,55 +72,24 @@ If you were using Mergo before April 6th, 2015, please check your project works
 
 If Mergo is useful to you, consider buying me a coffee, a beer, or making a monthly donation to allow me to keep building great free software. :heart_eyes:
 
-<a href='https://ko-fi.com/B0B58839' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://az743702.vo.msecnd.net/cdn/kofi1.png?v=0' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
 <a href="https://liberapay.com/dario/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a>
 <a href='https://github.com/sponsors/imdario' target='_blank'><img alt="Become my sponsor" src="https://img.shields.io/github/sponsors/imdario?style=for-the-badge" /></a>
 
 ### Mergo in the wild
 
-- [moby/moby](https://github.com/moby/moby)
-- [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
-- [vmware/dispatch](https://github.com/vmware/dispatch)
-- [Shopify/themekit](https://github.com/Shopify/themekit)
-- [imdario/zas](https://github.com/imdario/zas)
-- [matcornic/hermes](https://github.com/matcornic/hermes)
-- [OpenBazaar/openbazaar-go](https://github.com/OpenBazaar/openbazaar-go)
-- [kataras/iris](https://github.com/kataras/iris)
-- [michaelsauter/crane](https://github.com/michaelsauter/crane)
-- [go-task/task](https://github.com/go-task/task)
-- [sensu/uchiwa](https://github.com/sensu/uchiwa)
-- [ory/hydra](https://github.com/ory/hydra)
-- [sisatech/vcli](https://github.com/sisatech/vcli)
-- [dairycart/dairycart](https://github.com/dairycart/dairycart)
-- [projectcalico/felix](https://github.com/projectcalico/felix)
-- [resin-os/balena](https://github.com/resin-os/balena)
-- [go-kivik/kivik](https://github.com/go-kivik/kivik)
-- [Telefonica/govice](https://github.com/Telefonica/govice)
-- [supergiant/supergiant](supergiant/supergiant)
-- [SergeyTsalkov/brooce](https://github.com/SergeyTsalkov/brooce)
-- [soniah/dnsmadeeasy](https://github.com/soniah/dnsmadeeasy)
-- [ohsu-comp-bio/funnel](https://github.com/ohsu-comp-bio/funnel)
-- [EagerIO/Stout](https://github.com/EagerIO/Stout)
-- [lynndylanhurley/defsynth-api](https://github.com/lynndylanhurley/defsynth-api)
-- [russross/canvasassignments](https://github.com/russross/canvasassignments)
-- [rdegges/cryptly-api](https://github.com/rdegges/cryptly-api)
-- [casualjim/exeggutor](https://github.com/casualjim/exeggutor)
-- [divshot/gitling](https://github.com/divshot/gitling)
-- [RWJMurphy/gorl](https://github.com/RWJMurphy/gorl)
-- [andrerocker/deploy42](https://github.com/andrerocker/deploy42)
-- [elwinar/rambler](https://github.com/elwinar/rambler)
-- [tmaiaroto/gopartman](https://github.com/tmaiaroto/gopartman)
-- [jfbus/impressionist](https://github.com/jfbus/impressionist)
-- [Jmeyering/zealot](https://github.com/Jmeyering/zealot)
-- [godep-migrator/rigger-host](https://github.com/godep-migrator/rigger-host)
-- [Dronevery/MultiwaySwitch-Go](https://github.com/Dronevery/MultiwaySwitch-Go)
-- [thoas/picfit](https://github.com/thoas/picfit)
-- [mantasmatelis/whooplist-server](https://github.com/mantasmatelis/whooplist-server)
-- [jnuthong/item_search](https://github.com/jnuthong/item_search)
-- [bukalapak/snowboard](https://github.com/bukalapak/snowboard)
-- [containerssh/containerssh](https://github.com/containerssh/containerssh)
-- [goreleaser/goreleaser](https://github.com/goreleaser/goreleaser)
-- [tjpnz/structbot](https://github.com/tjpnz/structbot)
+Mergo is used by [thousands](https://deps.dev/go/dario.cat%2Fmergo/v1.0.0/dependents) [of](https://deps.dev/go/github.com%2Fimdario%2Fmergo/v0.3.16/dependents) [projects](https://deps.dev/go/github.com%2Fimdario%2Fmergo/v0.3.12), including:
+
+* [containerd/containerd](https://github.com/containerd/containerd)
+* [datadog/datadog-agent](https://github.com/datadog/datadog-agent)
+* [docker/cli/](https://github.com/docker/cli/)
+* [goreleaser/goreleaser](https://github.com/goreleaser/goreleaser)
+* [go-micro/go-micro](https://github.com/go-micro/go-micro)
+* [grafana/loki](https://github.com/grafana/loki)
+* [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
+* [masterminds/sprig](github.com/Masterminds/sprig)
+* [moby/moby](https://github.com/moby/moby)
+* [slackhq/nebula](https://github.com/slackhq/nebula)
+* [volcano-sh/volcano](https://github.com/volcano-sh/volcano)
 
 ## Install
 
@@ -141,6 +118,39 @@ if err := mergo.Merge(&dst, src, mergo.WithOverride); err != nil {
 }
 ```
 
+If you need to override pointers, so the source pointer's value is assigned to the destination's pointer, you must use `WithoutDereference`:
+
+```go
+package main
+
+import (
+	"fmt"
+
+	"dario.cat/mergo"
+)
+
+type Foo struct {
+	A *string
+	B int64
+}
+
+func main() {
+	first := "first"
+	second := "second"
+	src := Foo{
+		A: &first,
+		B: 2,
+	}
+
+	dest := Foo{
+		A: &second,
+		B: 1,
+	}
+
+	mergo.Merge(&dest, src, mergo.WithOverride, mergo.WithoutDereference)
+}
+```
+
 Additionally, you can map a `map[string]interface{}` to a struct (and otherwise, from struct to map), following the same restrictions as in `Merge()`. Keys are capitalized to find each corresponding exported field.
 
 ```go
diff --git a/vendor/dario.cat/mergo/map.go b/vendor/dario.cat/mergo/map.go
index b50d5c2a4..759b4f74f 100644
--- a/vendor/dario.cat/mergo/map.go
+++ b/vendor/dario.cat/mergo/map.go
@@ -58,7 +58,7 @@ func deepMap(dst, src reflect.Value, visited map[uintptr]*visit, depth int, conf
 			}
 			fieldName := field.Name
 			fieldName = changeInitialCase(fieldName, unicode.ToLower)
-			if v, ok := dstMap[fieldName]; !ok || (isEmptyValue(reflect.ValueOf(v), !config.ShouldNotDereference) || overwrite) {
+			if _, ok := dstMap[fieldName]; !ok || (!isEmptyValue(reflect.ValueOf(src.Field(i).Interface()), !config.ShouldNotDereference) && overwrite) || config.overwriteWithEmptyValue {
 				dstMap[fieldName] = src.Field(i).Interface()
 			}
 		}
diff --git a/vendor/dario.cat/mergo/merge.go b/vendor/dario.cat/mergo/merge.go
index 0ef9b2138..fd47c95b2 100644
--- a/vendor/dario.cat/mergo/merge.go
+++ b/vendor/dario.cat/mergo/merge.go
@@ -269,7 +269,7 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 					if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil {
 						return
 					}
-				} else {
+				} else if src.Elem().Kind() != reflect.Struct {
 					if overwriteWithEmptySrc || (overwrite && !src.IsNil()) || dst.IsNil() {
 						dst.Set(src)
 					}
diff --git a/vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go b/vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go
index affb74a76..d558b9bd8 100644
--- a/vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go
+++ b/vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go
@@ -49,16 +49,16 @@ func ShiftNBytesLeft(dst, x []byte, n int) {
 	dst = append(dst, make([]byte, n/8)...)
 }
 
-// XorBytesMut assumes equal input length, replaces X with X XOR Y
+// XorBytesMut replaces X with X XOR Y. len(X) must be >= len(Y).
 func XorBytesMut(X, Y []byte) {
-	for i := 0; i < len(X); i++ {
+	for i := 0; i < len(Y); i++ {
 		X[i] ^= Y[i]
 	}
 }
 
-// XorBytes assumes equal input length, puts X XOR Y into Z
+// XorBytes puts X XOR Y into Z. len(Z) and len(X) must be >= len(Y).
 func XorBytes(Z, X, Y []byte) {
-	for i := 0; i < len(X); i++ {
+	for i := 0; i < len(Y); i++ {
 		Z[i] = X[i] ^ Y[i]
 	}
 }
diff --git a/vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go b/vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go
index 5022285b4..24f893017 100644
--- a/vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go
+++ b/vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go
@@ -109,8 +109,10 @@ func (o *ocb) Seal(dst, nonce, plaintext, adata []byte) []byte {
 	if len(nonce) > o.nonceSize {
 		panic("crypto/ocb: Incorrect nonce length given to OCB")
 	}
-	ret, out := byteutil.SliceForAppend(dst, len(plaintext)+o.tagSize)
-	o.crypt(enc, out, nonce, adata, plaintext)
+	sep := len(plaintext)
+	ret, out := byteutil.SliceForAppend(dst, sep+o.tagSize)
+	tag := o.crypt(enc, out[:sep], nonce, adata, plaintext)
+	copy(out[sep:], tag)
 	return ret
 }
 
@@ -122,12 +124,10 @@ func (o *ocb) Open(dst, nonce, ciphertext, adata []byte) ([]byte, error) {
 		return nil, ocbError("Ciphertext shorter than tag length")
 	}
 	sep := len(ciphertext) - o.tagSize
-	ret, out := byteutil.SliceForAppend(dst, len(ciphertext))
+	ret, out := byteutil.SliceForAppend(dst, sep)
 	ciphertextData := ciphertext[:sep]
-	tag := ciphertext[sep:]
-	o.crypt(dec, out, nonce, adata, ciphertextData)
-	if subtle.ConstantTimeCompare(ret[sep:], tag) == 1 {
-		ret = ret[:sep]
+	tag := o.crypt(dec, out, nonce, adata, ciphertextData)
+	if subtle.ConstantTimeCompare(tag, ciphertext[sep:]) == 1 {
 		return ret, nil
 	}
 	for i := range out {
@@ -137,7 +137,8 @@ func (o *ocb) Open(dst, nonce, ciphertext, adata []byte) ([]byte, error) {
 }
 
 // On instruction enc (resp. dec), crypt is the encrypt (resp. decrypt)
-// function. It returns the resulting plain/ciphertext with the tag appended.
+// function. It writes the resulting plain/ciphertext into Y and returns
+// the tag.
 func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 	//
 	// Consider X as a sequence of 128-bit blocks
@@ -194,13 +195,14 @@ func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 		byteutil.XorBytesMut(offset, o.mask.L[bits.TrailingZeros(uint(i+1))])
 		blockX := X[i*blockSize : (i+1)*blockSize]
 		blockY := Y[i*blockSize : (i+1)*blockSize]
-		byteutil.XorBytes(blockY, blockX, offset)
 		switch instruction {
 		case enc:
+			byteutil.XorBytesMut(checksum, blockX)
+			byteutil.XorBytes(blockY, blockX, offset)
 			o.block.Encrypt(blockY, blockY)
 			byteutil.XorBytesMut(blockY, offset)
-			byteutil.XorBytesMut(checksum, blockX)
 		case dec:
+			byteutil.XorBytes(blockY, blockX, offset)
 			o.block.Decrypt(blockY, blockY)
 			byteutil.XorBytesMut(blockY, offset)
 			byteutil.XorBytesMut(checksum, blockY)
@@ -216,31 +218,24 @@ func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 		o.block.Encrypt(pad, offset)
 		chunkX := X[blockSize*m:]
 		chunkY := Y[blockSize*m : len(X)]
-		byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
-		// P_* || bit(1) || zeroes(127) - len(P_*)
 		switch instruction {
 		case enc:
-			paddedY := append(chunkX, byte(128))
-			paddedY = append(paddedY, make([]byte, blockSize-len(chunkX)-1)...)
-			byteutil.XorBytesMut(checksum, paddedY)
+			byteutil.XorBytesMut(checksum, chunkX)
+			checksum[len(chunkX)] ^= 128
+			byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
+			// P_* || bit(1) || zeroes(127) - len(P_*)
 		case dec:
-			paddedX := append(chunkY, byte(128))
-			paddedX = append(paddedX, make([]byte, blockSize-len(chunkY)-1)...)
-			byteutil.XorBytesMut(checksum, paddedX)
+			byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
+			// P_* || bit(1) || zeroes(127) - len(P_*)
+			byteutil.XorBytesMut(checksum, chunkY)
+			checksum[len(chunkY)] ^= 128
 		}
-		byteutil.XorBytes(tag, checksum, offset)
-		byteutil.XorBytesMut(tag, o.mask.lDol)
-		o.block.Encrypt(tag, tag)
-		byteutil.XorBytesMut(tag, o.hash(adata))
-		copy(Y[blockSize*m+len(chunkY):], tag[:o.tagSize])
-	} else {
-		byteutil.XorBytes(tag, checksum, offset)
-		byteutil.XorBytesMut(tag, o.mask.lDol)
-		o.block.Encrypt(tag, tag)
-		byteutil.XorBytesMut(tag, o.hash(adata))
-		copy(Y[blockSize*m:], tag[:o.tagSize])
 	}
-	return Y
+	byteutil.XorBytes(tag, checksum, offset)
+	byteutil.XorBytesMut(tag, o.mask.lDol)
+	o.block.Encrypt(tag, tag)
+	byteutil.XorBytesMut(tag, o.hash(adata))
+	return tag[:o.tagSize]
 }
 
 // This hash function is used to compute the tag. Per design, on empty input it
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go
index 112f98b83..550efddf0 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go
@@ -7,6 +7,7 @@ package armor
 import (
 	"encoding/base64"
 	"io"
+	"sort"
 )
 
 var armorHeaderSep = []byte(": ")
@@ -159,8 +160,15 @@ func encode(out io.Writer, blockType string, headers map[string]string, checksum
 		return
 	}
 
-	for k, v := range headers {
-		err = writeSlices(out, []byte(k), armorHeaderSep, []byte(v), newline)
+	keys := make([]string, len(headers))
+	i := 0
+	for k := range headers {
+		keys[i] = k
+		i++
+	}
+	sort.Strings(keys)
+	for _, k := range keys {
+		err = writeSlices(out, []byte(k), armorHeaderSep, []byte(headers[k]), newline)
 		if err != nil {
 			return
 		}
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go
index 2eecd062f..5e4604656 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go
@@ -3,7 +3,6 @@
 package packet
 
 import (
-	"bytes"
 	"crypto/cipher"
 	"encoding/binary"
 	"io"
@@ -15,12 +14,11 @@ import (
 type aeadCrypter struct {
 	aead           cipher.AEAD
 	chunkSize      int
-	initialNonce   []byte
+	nonce          []byte
 	associatedData []byte       // Chunk-independent associated data
 	chunkIndex     []byte       // Chunk counter
 	packetTag      packetType   // SEIP packet (v2) or AEAD Encrypted Data packet
 	bytesProcessed int          // Amount of plaintext bytes encrypted/decrypted
-	buffer         bytes.Buffer // Buffered bytes across chunks
 }
 
 // computeNonce takes the incremental index and computes an eXclusive OR with
@@ -28,12 +26,12 @@ type aeadCrypter struct {
 // 5.16.1 and 5.16.2). It returns the resulting nonce.
 func (wo *aeadCrypter) computeNextNonce() (nonce []byte) {
 	if wo.packetTag == packetTypeSymmetricallyEncryptedIntegrityProtected {
-		return append(wo.initialNonce, wo.chunkIndex...)
+		return wo.nonce
 	}
 
-	nonce = make([]byte, len(wo.initialNonce))
-	copy(nonce, wo.initialNonce)
-	offset := len(wo.initialNonce) - 8
+	nonce = make([]byte, len(wo.nonce))
+	copy(nonce, wo.nonce)
+	offset := len(wo.nonce) - 8
 	for i := 0; i < 8; i++ {
 		nonce[i+offset] ^= wo.chunkIndex[i]
 	}
@@ -62,8 +60,9 @@ func (wo *aeadCrypter) incrementIndex() error {
 type aeadDecrypter struct {
 	aeadCrypter           // Embedded ciphertext opener
 	reader      io.Reader // 'reader' is a partialLengthReader
+	chunkBytes  []byte
 	peekedBytes []byte    // Used to detect last chunk
-	eof         bool
+	buffer      []byte    // Buffered decrypted bytes
 }
 
 // Read decrypts bytes and reads them into dst. It decrypts when necessary and
@@ -71,59 +70,44 @@ type aeadDecrypter struct {
 // and an error.
 func (ar *aeadDecrypter) Read(dst []byte) (n int, err error) {
 	// Return buffered plaintext bytes from previous calls
-	if ar.buffer.Len() > 0 {
-		return ar.buffer.Read(dst)
-	}
-
-	// Return EOF if we've previously validated the final tag
-	if ar.eof {
-		return 0, io.EOF
+	if len(ar.buffer) > 0 {
+		n = copy(dst, ar.buffer)
+		ar.buffer = ar.buffer[n:]
+		return
 	}
 
 	// Read a chunk
 	tagLen := ar.aead.Overhead()
-	cipherChunkBuf := new(bytes.Buffer)
-	_, errRead := io.CopyN(cipherChunkBuf, ar.reader, int64(ar.chunkSize+tagLen))
-	cipherChunk := cipherChunkBuf.Bytes()
-	if errRead != nil && errRead != io.EOF {
+	copy(ar.chunkBytes, ar.peekedBytes) // Copy bytes peeked in previous chunk or in initialization
+	bytesRead, errRead := io.ReadFull(ar.reader, ar.chunkBytes[tagLen:])
+	if errRead != nil && errRead != io.EOF && errRead != io.ErrUnexpectedEOF {
 		return 0, errRead
 	}
 
-	if len(cipherChunk) > 0 {
-		decrypted, errChunk := ar.openChunk(cipherChunk)
+	if bytesRead > 0 {
+		ar.peekedBytes = ar.chunkBytes[bytesRead:bytesRead+tagLen]
+
+		decrypted, errChunk := ar.openChunk(ar.chunkBytes[:bytesRead])
 		if errChunk != nil {
 			return 0, errChunk
 		}
 
 		// Return decrypted bytes, buffering if necessary
-		if len(dst) < len(decrypted) {
-			n = copy(dst, decrypted[:len(dst)])
-			ar.buffer.Write(decrypted[len(dst):])
-		} else {
-			n = copy(dst, decrypted)
-		}
+		n = copy(dst, decrypted)
+		ar.buffer = decrypted[n:]
+		return
 	}
 
-	// Check final authentication tag
-	if errRead == io.EOF {
-		errChunk := ar.validateFinalTag(ar.peekedBytes)
-		if errChunk != nil {
-			return n, errChunk
-		}
-		ar.eof = true // Mark EOF for when we've returned all buffered data
-	}
-	return
+	return 0, io.EOF
 }
 
-// Close is noOp. The final authentication tag of the stream was already
-// checked in the last Read call. In the future, this function could be used to
-// wipe the reader and peeked, decrypted bytes, if necessary.
+// Close checks the final authentication tag of the stream.
+// In the future, this function could also be used to wipe the reader
+// and peeked & decrypted bytes, if necessary.
 func (ar *aeadDecrypter) Close() (err error) {
-	if !ar.eof {
-		errChunk := ar.validateFinalTag(ar.peekedBytes)
-		if errChunk != nil {
-			return errChunk
-		}
+	errChunk := ar.validateFinalTag(ar.peekedBytes)
+	if errChunk != nil {
+		return errChunk
 	}
 	return nil
 }
@@ -132,20 +116,13 @@ func (ar *aeadDecrypter) Close() (err error) {
 // the underlying plaintext and an error. It accesses peeked bytes from next
 // chunk, to identify the last chunk and decrypt/validate accordingly.
 func (ar *aeadDecrypter) openChunk(data []byte) ([]byte, error) {
-	tagLen := ar.aead.Overhead()
-	// Restore carried bytes from last call
-	chunkExtra := append(ar.peekedBytes, data...)
-	// 'chunk' contains encrypted bytes, followed by an authentication tag.
-	chunk := chunkExtra[:len(chunkExtra)-tagLen]
-	ar.peekedBytes = chunkExtra[len(chunkExtra)-tagLen:]
-
 	adata := ar.associatedData
 	if ar.aeadCrypter.packetTag == packetTypeAEADEncrypted {
 		adata = append(ar.associatedData, ar.chunkIndex...)
 	}
 
 	nonce := ar.computeNextNonce()
-	plainChunk, err := ar.aead.Open(nil, nonce, chunk, adata)
+	plainChunk, err := ar.aead.Open(data[:0:len(data)], nonce, data, adata)
 	if err != nil {
 		return nil, errors.ErrAEADTagVerification
 	}
@@ -183,27 +160,29 @@ func (ar *aeadDecrypter) validateFinalTag(tag []byte) error {
 type aeadEncrypter struct {
 	aeadCrypter                // Embedded plaintext sealer
 	writer      io.WriteCloser // 'writer' is a partialLengthWriter
+	chunkBytes  []byte
+	offset      int
 }
 
 // Write encrypts and writes bytes. It encrypts when necessary and buffers extra
 // plaintext bytes for next call. When the stream is finished, Close() MUST be
 // called to append the final tag.
 func (aw *aeadEncrypter) Write(plaintextBytes []byte) (n int, err error) {
-	// Append plaintextBytes to existing buffered bytes
-	n, err = aw.buffer.Write(plaintextBytes)
-	if err != nil {
-		return n, err
-	}
-	// Encrypt and write chunks
-	for aw.buffer.Len() >= aw.chunkSize {
-		plainChunk := aw.buffer.Next(aw.chunkSize)
-		encryptedChunk, err := aw.sealChunk(plainChunk)
-		if err != nil {
-			return n, err
-		}
-		_, err = aw.writer.Write(encryptedChunk)
-		if err != nil {
-			return n, err
+	for n != len(plaintextBytes) {
+		copied := copy(aw.chunkBytes[aw.offset:aw.chunkSize], plaintextBytes[n:])
+		n += copied
+		aw.offset += copied
+
+		if aw.offset == aw.chunkSize {
+			encryptedChunk, err := aw.sealChunk(aw.chunkBytes[:aw.offset])
+			if err != nil {
+				return n, err
+			}
+			_, err = aw.writer.Write(encryptedChunk)
+			if err != nil {
+				return n, err
+			}
+			aw.offset = 0
 		}
 	}
 	return
@@ -215,9 +194,8 @@ func (aw *aeadEncrypter) Write(plaintextBytes []byte) (n int, err error) {
 func (aw *aeadEncrypter) Close() (err error) {
 	// Encrypt and write a chunk if there's buffered data left, or if we haven't
 	// written any chunks yet.
-	if aw.buffer.Len() > 0 || aw.bytesProcessed == 0 {
-		plainChunk := aw.buffer.Bytes()
-		lastEncryptedChunk, err := aw.sealChunk(plainChunk)
+	if aw.offset > 0 || aw.bytesProcessed == 0 {
+		lastEncryptedChunk, err := aw.sealChunk(aw.chunkBytes[:aw.offset])
 		if err != nil {
 			return err
 		}
@@ -263,7 +241,7 @@ func (aw *aeadEncrypter) sealChunk(data []byte) ([]byte, error) {
 	}
 
 	nonce := aw.computeNextNonce()
-	encrypted := aw.aead.Seal(nil, nonce, data, adata)
+	encrypted := aw.aead.Seal(data[:0], nonce, data, adata)
 	aw.bytesProcessed += len(data)
 	if err := aw.aeadCrypter.incrementIndex(); err != nil {
 		return nil, err
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go
index 98bd876bf..583765d87 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go
@@ -65,24 +65,28 @@ func (ae *AEADEncrypted) decrypt(key []byte) (io.ReadCloser, error) {
 	blockCipher := ae.cipher.new(key)
 	aead := ae.mode.new(blockCipher)
 	// Carry the first tagLen bytes
+	chunkSize := decodeAEADChunkSize(ae.chunkSizeByte)
 	tagLen := ae.mode.TagLength()
-	peekedBytes := make([]byte, tagLen)
+	chunkBytes := make([]byte, chunkSize+tagLen*2)
+	peekedBytes := chunkBytes[chunkSize+tagLen:]
 	n, err := io.ReadFull(ae.Contents, peekedBytes)
 	if n < tagLen || (err != nil && err != io.EOF) {
 		return nil, errors.AEADError("Not enough data to decrypt:" + err.Error())
 	}
-	chunkSize := decodeAEADChunkSize(ae.chunkSizeByte)
+
 	return &aeadDecrypter{
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
 			chunkSize:      chunkSize,
-			initialNonce:   ae.initialNonce,
+			nonce:          ae.initialNonce,
 			associatedData: ae.associatedData(),
 			chunkIndex:     make([]byte, 8),
 			packetTag:      packetTypeAEADEncrypted,
 		},
 		reader:      ae.Contents,
-		peekedBytes: peekedBytes}, nil
+		chunkBytes:  chunkBytes,
+		peekedBytes: peekedBytes,
+	}, nil
 }
 
 // associatedData for chunks: tag, version, cipher, mode, chunk size byte
diff --git a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go
index 3957b2d53..3ddc4fe4a 100644
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetrically_encrypted_aead.go
@@ -70,8 +70,10 @@ func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, e
 
 	aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData())
 	// Carry the first tagLen bytes
+	chunkSize := decodeAEADChunkSize(se.ChunkSizeByte)
 	tagLen := se.Mode.TagLength()
-	peekedBytes := make([]byte, tagLen)
+	chunkBytes := make([]byte, chunkSize+tagLen*2)
+	peekedBytes := chunkBytes[chunkSize+tagLen:]
 	n, err := io.ReadFull(se.Contents, peekedBytes)
 	if n < tagLen || (err != nil && err != io.EOF) {
 		return nil, errors.StructuralError("not enough data to decrypt:" + err.Error())
@@ -81,12 +83,13 @@ func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, e
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
 			chunkSize:      decodeAEADChunkSize(se.ChunkSizeByte),
-			initialNonce:   nonce,
+			nonce:          nonce,
 			associatedData: se.associatedData(),
-			chunkIndex:     make([]byte, 8),
+			chunkIndex:     nonce[len(nonce)-8:],
 			packetTag:      packetTypeSymmetricallyEncryptedIntegrityProtected,
 		},
 		reader:      se.Contents,
+		chunkBytes:  chunkBytes,
 		peekedBytes: peekedBytes,
 	}, nil
 }
@@ -130,16 +133,20 @@ func serializeSymmetricallyEncryptedAead(ciphertext io.WriteCloser, cipherSuite
 
 	aead, nonce := getSymmetricallyEncryptedAeadInstance(cipherSuite.Cipher, cipherSuite.Mode, inputKey, salt, prefix)
 
+	chunkSize := decodeAEADChunkSize(chunkSizeByte)
+	tagLen := aead.Overhead()
+	chunkBytes := make([]byte, chunkSize+tagLen)
 	return &aeadEncrypter{
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
-			chunkSize:      decodeAEADChunkSize(chunkSizeByte),
+			chunkSize:      chunkSize,
 			associatedData: prefix,
-			chunkIndex:     make([]byte, 8),
-			initialNonce:   nonce,
+			nonce:          nonce,
+			chunkIndex:     nonce[len(nonce)-8:],
 			packetTag:      packetTypeSymmetricallyEncryptedIntegrityProtected,
 		},
-		writer: ciphertext,
+		writer:     ciphertext,
+		chunkBytes: chunkBytes,
 	}, nil
 }
 
@@ -149,10 +156,10 @@ func getSymmetricallyEncryptedAeadInstance(c CipherFunction, mode AEADMode, inpu
 	encryptionKey := make([]byte, c.KeySize())
 	_, _ = readFull(hkdfReader, encryptionKey)
 
-	// Last 64 bits of nonce are the counter
-	nonce = make([]byte, mode.IvLength()-8)
+	nonce = make([]byte, mode.IvLength())
 
-	_, _ = readFull(hkdfReader, nonce)
+	// Last 64 bits of nonce are the counter
+	_, _ = readFull(hkdfReader, nonce[:len(nonce)-8])
 
 	blockCipher := c.new(encryptionKey)
 	aead = mode.new(blockCipher)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/checksum.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/checksum.go
new file mode 100644
index 000000000..4152caade
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/checksum.go
@@ -0,0 +1,33 @@
+package aws
+
+// RequestChecksumCalculation controls request checksum calculation workflow
+type RequestChecksumCalculation int
+
+const (
+	// RequestChecksumCalculationUnset is the unset value for RequestChecksumCalculation
+	RequestChecksumCalculationUnset RequestChecksumCalculation = iota
+
+	// RequestChecksumCalculationWhenSupported indicates request checksum will be calculated
+	// if the operation supports input checksums
+	RequestChecksumCalculationWhenSupported
+
+	// RequestChecksumCalculationWhenRequired indicates request checksum will be calculated
+	// if required by the operation or if user elects to set a checksum algorithm in request
+	RequestChecksumCalculationWhenRequired
+)
+
+// ResponseChecksumValidation controls response checksum validation workflow
+type ResponseChecksumValidation int
+
+const (
+	// ResponseChecksumValidationUnset is the unset value for ResponseChecksumValidation
+	ResponseChecksumValidationUnset ResponseChecksumValidation = iota
+
+	// ResponseChecksumValidationWhenSupported indicates response checksum will be validated
+	// if the operation supports output checksums
+	ResponseChecksumValidationWhenSupported
+
+	// ResponseChecksumValidationWhenRequired indicates response checksum will only
+	// be validated if the operation requires output checksum validation
+	ResponseChecksumValidationWhenRequired
+)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
index 16000d792..a015cc5b2 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
@@ -165,6 +165,33 @@ type Config struct {
 
 	// Controls how a resolved AWS account ID is handled for endpoint routing.
 	AccountIDEndpointMode AccountIDEndpointMode
+
+	// RequestChecksumCalculation determines when request checksum calculation is performed.
+	//
+	// There are two possible values for this setting:
+	//
+	// 1. RequestChecksumCalculationWhenSupported (default): The checksum is always calculated
+	//    if the operation supports it, regardless of whether the user sets an algorithm in the request.
+	//
+	// 2. RequestChecksumCalculationWhenRequired: The checksum is only calculated if the user
+	//    explicitly sets a checksum algorithm in the request.
+	//
+	// This setting is sourced from the environment variable AWS_REQUEST_CHECKSUM_CALCULATION
+	// or the shared config profile attribute "request_checksum_calculation".
+	RequestChecksumCalculation RequestChecksumCalculation
+
+	// ResponseChecksumValidation determines when response checksum validation is performed
+	//
+	// There are two possible values for this setting:
+	//
+	// 1. ResponseChecksumValidationWhenSupported (default): The checksum is always validated
+	//    if the operation supports it, regardless of whether the user sets the validation mode to ENABLED in request.
+	//
+	// 2. ResponseChecksumValidationWhenRequired: The checksum is only validated if the user
+	//    explicitly sets the validation mode to ENABLED in the request
+	// This variable is sourced from environment variable AWS_RESPONSE_CHECKSUM_VALIDATION or
+	// the shared config profile attribute "response_checksum_validation".
+	ResponseChecksumValidation ResponseChecksumValidation
 }
 
 // NewConfig returns a new Config pointer that can be chained with builder
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
index 6fc9dbe1b..8d6c8ef96 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.32.7"
+const goModuleVersion = "1.36.2"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
index ab4e61907..95b6268f4 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
@@ -76,19 +76,39 @@ type UserAgentFeature string
 
 // Enumerates UserAgentFeature.
 const (
-	UserAgentFeatureResourceModel          UserAgentFeature = "A" // n/a (we don't generate separate resource types)
-	UserAgentFeatureWaiter                                  = "B"
-	UserAgentFeaturePaginator                               = "C"
-	UserAgentFeatureRetryModeLegacy                         = "D" // n/a (equivalent to standard)
-	UserAgentFeatureRetryModeStandard                       = "E"
-	UserAgentFeatureRetryModeAdaptive                       = "F"
-	UserAgentFeatureS3Transfer                              = "G"
-	UserAgentFeatureS3CryptoV1N                             = "H" // n/a (crypto client is external)
-	UserAgentFeatureS3CryptoV2                              = "I" // n/a
-	UserAgentFeatureS3ExpressBucket                         = "J"
-	UserAgentFeatureS3AccessGrants                          = "K" // not yet implemented
-	UserAgentFeatureGZIPRequestCompression                  = "L"
-	UserAgentFeatureProtocolRPCV2CBOR                       = "M"
+	UserAgentFeatureResourceModel UserAgentFeature = "A" // n/a (we don't generate separate resource types)
+
+	UserAgentFeatureWaiter    = "B"
+	UserAgentFeaturePaginator = "C"
+
+	UserAgentFeatureRetryModeLegacy   = "D" // n/a (equivalent to standard)
+	UserAgentFeatureRetryModeStandard = "E"
+	UserAgentFeatureRetryModeAdaptive = "F"
+
+	UserAgentFeatureS3Transfer      = "G"
+	UserAgentFeatureS3CryptoV1N     = "H" // n/a (crypto client is external)
+	UserAgentFeatureS3CryptoV2      = "I" // n/a
+	UserAgentFeatureS3ExpressBucket = "J"
+	UserAgentFeatureS3AccessGrants  = "K" // not yet implemented
+
+	UserAgentFeatureGZIPRequestCompression = "L"
+
+	UserAgentFeatureProtocolRPCV2CBOR = "M"
+
+	UserAgentFeatureAccountIDEndpoint      = "O" // DO NOT IMPLEMENT: rules output is not currently defined. SDKs should not parse endpoints for feature information.
+	UserAgentFeatureAccountIDModePreferred = "P"
+	UserAgentFeatureAccountIDModeDisabled  = "Q"
+	UserAgentFeatureAccountIDModeRequired  = "R"
+
+	UserAgentFeatureRequestChecksumCRC32          = "U"
+	UserAgentFeatureRequestChecksumCRC32C         = "V"
+	UserAgentFeatureRequestChecksumCRC64          = "W"
+	UserAgentFeatureRequestChecksumSHA1           = "X"
+	UserAgentFeatureRequestChecksumSHA256         = "Y"
+	UserAgentFeatureRequestChecksumWhenSupported  = "Z"
+	UserAgentFeatureRequestChecksumWhenRequired   = "a"
+	UserAgentFeatureResponseChecksumWhenSupported = "b"
+	UserAgentFeatureResponseChecksumWhenRequired  = "c"
 )
 
 // RequestUserAgent is a build middleware that set the User-Agent for the request.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
index 186c48892..ddb162b36 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
@@ -1,3 +1,35 @@
+# v1.6.10 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+
+# v1.6.9 (2025-02-14)
+
+* **Bug Fix**: Remove max limit on event stream messages
+
+# v1.6.8 (2025-01-24)
+
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.6.7 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+
+# v1.6.6 (2024-10-04)
+
+* No change notes available for this release.
+
+# v1.6.5 (2024-09-20)
+
+* No change notes available for this release.
+
+# v1.6.4 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+
+# v1.6.3 (2024-06-28)
+
+* No change notes available for this release.
+
 # v1.6.2 (2024-03-29)
 
 * No change notes available for this release.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
index a0479b9be..01981f464 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
@@ -3,4 +3,4 @@
 package eventstream
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.6.2"
+const goModuleVersion = "1.6.10"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/message.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/message.go
index f7427da03..1a77654f7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/message.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/message.go
@@ -10,9 +10,6 @@ const preludeLen = 8
 const preludeCRCLen = 4
 const msgCRCLen = 4
 const minMsgLen = preludeLen + preludeCRCLen + msgCRCLen
-const maxPayloadLen = 1024 * 1024 * 16 // 16MB
-const maxHeadersLen = 1024 * 128       // 128KB
-const maxMsgLen = minMsgLen + maxHeadersLen + maxPayloadLen
 
 var crc32IEEETable = crc32.MakeTable(crc32.IEEE)
 
@@ -82,28 +79,13 @@ func (p messagePrelude) PayloadLen() uint32 {
 }
 
 func (p messagePrelude) ValidateLens() error {
-	if p.Length == 0 || p.Length > maxMsgLen {
+	if p.Length == 0 {
 		return LengthError{
 			Part: "message prelude",
-			Want: maxMsgLen,
+			Want: minMsgLen,
 			Have: int(p.Length),
 		}
 	}
-	if p.HeadersLen > maxHeadersLen {
-		return LengthError{
-			Part: "message headers",
-			Want: maxHeadersLen,
-			Have: int(p.HeadersLen),
-		}
-	}
-	if payloadLen := p.PayloadLen(); payloadLen > maxPayloadLen {
-		return LengthError{
-			Part: "message payload",
-			Want: maxPayloadLen,
-			Have: int(payloadLen),
-		}
-	}
-
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/array.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/array.go
index 47ebc0f54..6669a3ddf 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/array.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/array.go
@@ -1,8 +1,8 @@
 package query
 
 import (
-	"fmt"
 	"net/url"
+	"strconv"
 )
 
 // Array represents the encoding of Query lists and sets. A Query array is a
@@ -21,19 +21,8 @@ type Array struct {
 	// keys for each element in the list. For example, an entry might have the
 	// key "ParentStructure.ListName.member.MemberName.1".
 	//
-	// While this is currently represented as a string that gets added to, it
-	// could also be represented as a stack that only gets condensed into a
-	// string when a finalized key is created. This could potentially reduce
-	// allocations.
+	// When the array is not flat the prefix will contain the memberName otherwise the memberName is ignored
 	prefix string
-	// Whether the list is flat or not. A list that is not flat will produce the
-	// following entry to the url.Values for a given entry:
-	//     ListName.MemberName.1=value
-	// A list that is flat will produce the following:
-	//     ListName.1=value
-	flat bool
-	// The location name of the member. In most cases this should be "member".
-	memberName string
 	// Elements are stored in values, so we keep track of the list size here.
 	size int32
 	// Empty lists are encoded as "<prefix>=", if we add a value later we will
@@ -45,11 +34,14 @@ func newArray(values url.Values, prefix string, flat bool, memberName string) *A
 	emptyValue := newValue(values, prefix, flat)
 	emptyValue.String("")
 
+	if !flat {
+		// This uses string concatenation in place of fmt.Sprintf as fmt.Sprintf has a much higher resource overhead
+		prefix = prefix + keySeparator + memberName
+	}
+
 	return &Array{
 		values:     values,
 		prefix:     prefix,
-		flat:       flat,
-		memberName: memberName,
 		emptyValue: emptyValue,
 	}
 }
@@ -63,10 +55,7 @@ func (a *Array) Value() Value {
 
 	// Query lists start a 1, so adjust the size first
 	a.size++
-	prefix := a.prefix
-	if !a.flat {
-		prefix = fmt.Sprintf("%s.%s", prefix, a.memberName)
-	}
 	// Lists can't have flat members
-	return newValue(a.values, fmt.Sprintf("%s.%d", prefix, a.size), false)
+	// This uses string concatenation in place of fmt.Sprintf as fmt.Sprintf has a much higher resource overhead
+	return newValue(a.values, a.prefix+keySeparator+strconv.FormatInt(int64(a.size), 10), false)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go
index 455b92515..305a8ace3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go
@@ -1,9 +1,6 @@
 package query
 
-import (
-	"fmt"
-	"net/url"
-)
+import "net/url"
 
 // Object represents the encoding of Query structures and unions. A Query
 // object is a representation of a mapping of string keys to arbitrary
@@ -56,14 +53,16 @@ func (o *Object) FlatKey(name string) Value {
 
 func (o *Object) key(name string, flatValue bool) Value {
 	if o.prefix != "" {
-		return newValue(o.values, fmt.Sprintf("%s.%s", o.prefix, name), flatValue)
+		// This uses string concatenation in place of fmt.Sprintf as fmt.Sprintf has a much higher resource overhead
+		return newValue(o.values, o.prefix+keySeparator+name, flatValue)
 	}
 	return newValue(o.values, name, flatValue)
 }
 
 func (o *Object) keyWithValues(name string, flatValue bool) Value {
 	if o.prefix != "" {
-		return newAppendValue(o.values, fmt.Sprintf("%s.%s", o.prefix, name), flatValue)
+		// This uses string concatenation in place of fmt.Sprintf as fmt.Sprintf has a much higher resource overhead
+		return newAppendValue(o.values, o.prefix+keySeparator+name, flatValue)
 	}
 	return newAppendValue(o.values, name, flatValue)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go
index a9251521f..8063c592d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go
@@ -7,6 +7,8 @@ import (
 	"github.com/aws/smithy-go/encoding/httpbinding"
 )
 
+const keySeparator = "."
+
 // Value represents a Query Value type.
 type Value struct {
 	// The query values to add the value to.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
index acd8d1cc3..1b485f998 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
@@ -116,7 +116,13 @@ func (r RetryableConnectionError) IsErrorRetryable(err error) aws.Ternary {
 	case errors.As(err, &conErr) && conErr.ConnectionError():
 		retryable = true
 
+	case strings.Contains(err.Error(), "use of closed network connection"):
+		fallthrough
 	case strings.Contains(err.Error(), "connection reset"):
+		// The errors "connection reset" and "use of closed network connection"
+		// are effectively the same. It appears to be the difference between
+		// sync and async read of TCP RST in the stdlib's net.Conn read loop.
+		// see #2737
 		retryable = true
 
 	case errors.As(err, &urlErr):
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
index 734e548bd..d99b32ceb 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
@@ -4,10 +4,11 @@ package v4
 var IgnoredHeaders = Rules{
 	ExcludeList{
 		MapRule{
-			"Authorization":   struct{}{},
-			"User-Agent":      struct{}{},
-			"X-Amzn-Trace-Id": struct{}{},
-			"Expect":          struct{}{},
+			"Authorization":     struct{}{},
+			"User-Agent":        struct{}{},
+			"X-Amzn-Trace-Id":   struct{}{},
+			"Expect":            struct{}{},
+			"Transfer-Encoding": struct{}{},
 		},
 	},
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
index c809fc490..899fb31d2 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
@@ -1,3 +1,176 @@
+# v1.17.60 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.59 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.58 (2025-02-04)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.57 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.56 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.55 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.17.54 (2025-01-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.53 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.52 (2025-01-14)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.51 (2025-01-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.50 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.49 (2025-01-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.48 (2024-12-19)
+
+* **Bug Fix**: Fix improper use of printf-style functions.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.47 (2024-12-02)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.46 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.45 (2024-11-14)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.44 (2024-11-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.43 (2024-11-06)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.42 (2024-10-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.41 (2024-10-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.40 (2024-10-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.39 (2024-10-04)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.38 (2024-10-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.37 (2024-09-27)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.36 (2024-09-25)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.35 (2024-09-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.34 (2024-09-20)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.33 (2024-09-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.32 (2024-09-04)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.31 (2024-09-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.30 (2024-08-26)
+
+* **Bug Fix**: Save SSO cached token expiry in UTC to ensure cross-SDK compatibility.
+
+# v1.17.29 (2024-08-22)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.28 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.27 (2024-07-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.26 (2024-07-10.2)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.25 (2024-07-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.24 (2024-07-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.23 (2024-06-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.22 (2024-06-26)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.21 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.20 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.19 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.17.18 (2024-06-07)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go
index 9a869f895..dc291c97c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go
@@ -128,6 +128,7 @@ type GetCredentialsOutput struct {
 	AccessKeyID     string
 	SecretAccessKey string
 	Token           string
+	AccountID       string
 }
 
 // EndpointError is an error returned from the endpoint service
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go
index 0c3c4d682..2386153a9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go
@@ -152,6 +152,7 @@ func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
 		SecretAccessKey: resp.SecretAccessKey,
 		SessionToken:    resp.Token,
 		Source:          ProviderName,
+		AccountID:       resp.AccountID,
 	}
 
 	if resp.Expiration != nil {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
index a7b069966..9467985e3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
@@ -3,4 +3,4 @@
 package credentials
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.18"
+const goModuleVersion = "1.17.60"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go
index fe9345e28..911fcc327 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go
@@ -167,6 +167,9 @@ type CredentialProcessResponse struct {
 
 	// The date on which the current credentials expire.
 	Expiration *time.Time
+
+	// The ID of the account for credentials
+	AccountID string `json:"AccountId"`
 }
 
 // Retrieve executes the credential process command and returns the
@@ -208,6 +211,7 @@ func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
 		AccessKeyID:     resp.AccessKeyID,
 		SecretAccessKey: resp.SecretAccessKey,
 		SessionToken:    resp.SessionToken,
+		AccountID:       resp.AccountID,
 	}
 
 	// Handle expiration
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go
index 3b97e6dd4..46ae2f923 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go
@@ -225,7 +225,7 @@ func (r *rfc3339) UnmarshalJSON(bytes []byte) (err error) {
 }
 
 func (r *rfc3339) MarshalJSON() ([]byte, error) {
-	value := time.Time(*r).Format(time.RFC3339)
+	value := time.Time(*r).UTC().Format(time.RFC3339)
 
 	// Use JSON unmarshal to unescape the quoted value making use of JSON's
 	// quoting rules.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_credentials_provider.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_credentials_provider.go
index b3cf7853e..8c230be8e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_credentials_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_credentials_provider.go
@@ -129,6 +129,7 @@ func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
 		CanExpire:       true,
 		Expires:         time.Unix(0, output.RoleCredentials.Expiration*int64(time.Millisecond)).UTC(),
 		Source:          ProviderName,
+		AccountID:       p.options.AccountID,
 	}, nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go
index 289707b6d..4c7f7993f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go
@@ -308,6 +308,11 @@ func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, err
 		return aws.Credentials{Source: ProviderName}, err
 	}
 
+	var accountID string
+	if resp.AssumedRoleUser != nil {
+		accountID = getAccountID(resp.AssumedRoleUser)
+	}
+
 	return aws.Credentials{
 		AccessKeyID:     *resp.Credentials.AccessKeyId,
 		SecretAccessKey: *resp.Credentials.SecretAccessKey,
@@ -316,5 +321,6 @@ func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, err
 
 		CanExpire: true,
 		Expires:   *resp.Credentials.Expiration,
+		AccountID: accountID,
 	}, nil
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go b/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
index ddaf6df6c..b4b719708 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -135,6 +136,11 @@ func (p *WebIdentityRoleProvider) Retrieve(ctx context.Context) (aws.Credentials
 		return aws.Credentials{}, fmt.Errorf("failed to retrieve credentials, %w", err)
 	}
 
+	var accountID string
+	if resp.AssumedRoleUser != nil {
+		accountID = getAccountID(resp.AssumedRoleUser)
+	}
+
 	// InvalidIdentityToken error is a temporary error that can occur
 	// when assuming an Role with a JWT web identity token.
 
@@ -145,6 +151,19 @@ func (p *WebIdentityRoleProvider) Retrieve(ctx context.Context) (aws.Credentials
 		Source:          WebIdentityProviderName,
 		CanExpire:       true,
 		Expires:         *resp.Credentials.Expiration,
+		AccountID:       accountID,
 	}
 	return value, nil
 }
+
+// extract accountID from arn with format "arn:partition:service:region:account-id:[resource-section]"
+func getAccountID(u *types.AssumedRoleUser) string {
+	if u.Arn == nil {
+		return ""
+	}
+	parts := strings.Split(*u.Arn, ":")
+	if len(parts) < 5 {
+		return ""
+	}
+	return parts[4]
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
index 59b18c59f..47e50bde7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
@@ -1,3 +1,103 @@
+# v1.16.29 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.28 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.27 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.26 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.25 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.16.24 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.23 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.22 (2024-12-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.21 (2024-12-02)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.20 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.19 (2024-11-06)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.18 (2024-10-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.17 (2024-10-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.16 (2024-10-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.15 (2024-10-04)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.14 (2024-09-20)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.13 (2024-09-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.12 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.11 (2024-07-10.2)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.10 (2024-07-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.9 (2024-06-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.8 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.7 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.6 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.16.5 (2024-06-07)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
index 53bf07399..38d1aa949 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
@@ -3,4 +3,4 @@
 package imds
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.16.5"
+const goModuleVersion = "1.16.29"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
index 5a5cdf069..937ddbf49 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
@@ -1,3 +1,33 @@
+# v1.3.33 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.32 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.31 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.30 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.29 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.3.28 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.27 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.3.26 (2024-12-19)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
index a46fe9de6..1aeb06029 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
@@ -3,4 +3,4 @@
 package configsources
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.3.26"
+const goModuleVersion = "1.3.33"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
index a2f068088..e19224f1b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
@@ -47,6 +47,9 @@
       "ap-southeast-5" : {
         "description" : "Asia Pacific (Malaysia)"
       },
+      "ap-southeast-7" : {
+        "description" : "Asia Pacific (Thailand)"
+      },
       "aws-global" : {
         "description" : "AWS Standard global region"
       },
@@ -89,6 +92,9 @@
       "me-south-1" : {
         "description" : "Middle East (Bahrain)"
       },
+      "mx-central-1" : {
+        "description" : "Mexico (Central)"
+      },
       "sa-east-1" : {
         "description" : "South America (Sao Paulo)"
       },
@@ -217,7 +223,17 @@
       "supportsFIPS" : true
     },
     "regionRegex" : "^us\\-isof\\-\\w+\\-\\d+$",
-    "regions" : { }
+    "regions" : {
+      "aws-iso-f-global" : {
+        "description" : "AWS ISOF global region"
+      },
+      "us-isof-east-1" : {
+        "description" : "US ISOF EAST"
+      },
+      "us-isof-south-1" : {
+        "description" : "US ISOF SOUTH"
+      }
+    }
   } ],
   "version" : "1.1"
 }
\ No newline at end of file
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
index 748a80fb0..2bf083e14 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
@@ -1,3 +1,33 @@
+# v2.6.33 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.32 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.31 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.30 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.29 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v2.6.28 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.27 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.6.26 (2024-12-19)
 
 * **Bug Fix**: Fix improper use of printf-style functions.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
index 6a5a4b648..f0509e332 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
@@ -3,4 +3,4 @@
 package endpoints
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.6.26"
+const goModuleVersion = "2.6.33"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
index c0e54faff..f729db535 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
@@ -1,3 +1,15 @@
+# v1.8.3 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+
+# v1.8.2 (2025-01-24)
+
+* **Bug Fix**: Refactor filepath.Walk to filepath.WalkDir
+
+# v1.8.1 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+
 # v1.8.0 (2024-02-13)
 
 * **Feature**: Bump minimum Go version to 1.20 per our language support policy.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
index 6e0b906c3..00df0e3cb 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
@@ -3,4 +3,4 @@
 package ini
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.8.0"
+const goModuleVersion = "1.8.3"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
index 0f10e0228..6b8c288d5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
@@ -1,3 +1,120 @@
+# v1.3.33 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.32 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.31 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.30 (2025-01-30)
+
+* **Bug Fix**: Do not sign Transfer-Encoding header in Sigv4[a]. Fixes a signer mismatch issue with S3 Accelerate.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.29 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.3.28 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.27 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.26 (2024-12-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.25 (2024-12-02)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.24 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.23 (2024-11-06)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.22 (2024-10-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.21 (2024-10-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.20 (2024-10-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.19 (2024-10-04)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.18 (2024-09-20)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.17 (2024-09-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.16 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.15 (2024-07-10.2)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.14 (2024-07-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.13 (2024-06-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.12 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.11 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.10 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.9 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.8 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.7 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.6 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.3.5 (2024-03-29)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
index 51aa32cf7..3b069dbdc 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
@@ -3,4 +3,4 @@
 package v4a
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.3.5"
+const goModuleVersion = "1.3.33"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/internal/v4/headers.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/internal/v4/headers.go
index 3487dc335..688f83474 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/internal/v4/headers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/internal/v4/headers.go
@@ -4,9 +4,10 @@ package v4
 var IgnoredHeaders = Rules{
 	DenyList{
 		MapRule{
-			"Authorization":   struct{}{},
-			"User-Agent":      struct{}{},
-			"X-Amzn-Trace-Id": struct{}{},
+			"Authorization":     struct{}{},
+			"User-Agent":        struct{}{},
+			"X-Amzn-Trace-Id":   struct{}{},
+			"Transfer-Encoding": struct{}{},
 		},
 	},
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/smithy.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/smithy.go
index 516d459d5..af4f6abcf 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/smithy.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/smithy.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"time"
 
+	internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
+
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
 	"github.com/aws/smithy-go"
@@ -72,7 +74,11 @@ func (v *SignerAdapter) SignRequest(ctx context.Context, r *smithyhttp.Request,
 	}
 
 	hash := v4.GetPayloadHash(ctx)
-	err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, regions, sdk.NowTime(), func(o *SignerOptions) {
+	signingTime := sdk.NowTime()
+	if skew := internalcontext.GetAttemptSkewContext(ctx); skew != 0 {
+		signingTime.Add(skew)
+	}
+	err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, regions, signingTime, func(o *SignerOptions) {
 		o.DisableURIPathEscaping, _ = smithyhttp.GetDisableDoubleEncoding(&props)
 
 		o.Logger = v.Logger
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/CHANGELOG.md
index bf774e97b..52e68b6e7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/CHANGELOG.md
@@ -1,3 +1,70 @@
+# v1.53.16 (2025-02-19)
+
+* **Documentation**: This is a documentation only release for Amazon ECS that supports the CPU task limit increase.
+
+# v1.53.15 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.53.14 (2025-02-13)
+
+* **Documentation**: This is a documentation only release to support migrating Amazon ECS service ARNs to the long ARN format.
+
+# v1.53.13 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.53.12 (2025-02-04)
+
+* No change notes available for this release.
+
+# v1.53.11 (2025-01-31)
+
+* **Dependency Update**: Switch to code-generated waiter matchers, removing the dependency on go-jmespath.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.53.10 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.53.9 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.53.8 (2025-01-17)
+
+* **Bug Fix**: Fix bug where credentials weren't refreshed during retry loop.
+
+# v1.53.7 (2025-01-16)
+
+* **Documentation**: The release addresses Amazon ECS documentation tickets.
+
+# v1.53.6 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.53.5 (2025-01-14)
+
+* **Bug Fix**: Fix issue where waiters were not failing on unmatched errors as they should. This may have breaking behavioral changes for users in fringe cases. See [this announcement](https://github.com/aws/aws-sdk-go-v2/discussions/2954) for more information.
+
+# v1.53.4 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.53.3 (2025-01-08)
+
+* No change notes available for this release.
+
+# v1.53.2 (2025-01-03)
+
+* **Documentation**: Adding SDK reference examples for Amazon ECS operations.
+
+# v1.53.1 (2024-12-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.53.0 (2024-12-17)
 
 * **Feature**: Added support for enableFaultInjection task definition parameter which can be used to enable Fault Injection feature on ECS tasks.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_client.go
index 221ba5506..9413d5123 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_client.go
@@ -696,7 +696,7 @@ func addRetry(stack *middleware.Stack, o Options) error {
 		m.LogAttempts = o.ClientLogMode.IsRetries()
 		m.OperationMeter = o.MeterProvider.Meter("github.com/aws/aws-sdk-go-v2/service/ecs")
 	})
-	if err := stack.Finalize.Insert(attempt, "Signing", middleware.Before); err != nil {
+	if err := stack.Finalize.Insert(attempt, "ResolveAuthScheme", middleware.Before); err != nil {
 		return err
 	}
 	if err := stack.Finalize.Insert(&retry.MetricsHeader{}, attempt.ID(), middleware.After); err != nil {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_CreateService.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_CreateService.go
index 72aac5c3e..86568c633 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_CreateService.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_CreateService.go
@@ -142,7 +142,7 @@ type CreateServiceInput struct {
 	// Indicates whether to use Availability Zone rebalancing for the service.
 	//
 	// For more information, see [Balancing an Amazon ECS service across Availability Zones] in the Amazon Elastic Container Service Developer
-	// Guide.
+	// Guide .
 	//
 	// [Balancing an Amazon ECS service across Availability Zones]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html
 	AvailabilityZoneRebalancing types.AvailabilityZoneRebalancing
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeServices.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeServices.go
index 3ea1d3935..a84b8a45f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeServices.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeServices.go
@@ -11,7 +11,6 @@ import (
 	smithytime "github.com/aws/smithy-go/time"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	smithywaiter "github.com/aws/smithy-go/waiter"
-	jmespath "github.com/jmespath/go-jmespath"
 	"strconv"
 	"time"
 )
@@ -328,53 +327,54 @@ func (w *ServicesInactiveWaiter) WaitForOutput(ctx context.Context, params *Desc
 func servicesInactiveStateRetryable(ctx context.Context, input *DescribeServicesInput, output *DescribeServicesOutput, err error) (bool, error) {
 
 	if err == nil {
-		pathValue, err := jmespath.Search("failures[].reason", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Failures
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.Reason
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "MISSING"
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
+		var match bool
+		for _, v := range v2 {
+			if string(v) == expectedValue {
+				match = true
+				break
 			}
+		}
 
-			if string(*value) == expectedValue {
-				return false, fmt.Errorf("waiter state transitioned to Failure")
-			}
+		if match {
+			return false, fmt.Errorf("waiter state transitioned to Failure")
 		}
 	}
 
 	if err == nil {
-		pathValue, err := jmespath.Search("services[].status", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Services
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.Status
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "INACTIVE"
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
+		var match bool
+		for _, v := range v2 {
+			if string(v) == expectedValue {
+				match = true
+				break
 			}
+		}
 
-			if string(*value) == expectedValue {
-				return false, nil
-			}
+		if match {
+			return false, nil
 		}
 	}
 
+	if err != nil {
+		return false, err
+	}
 	return true, nil
 }
 
@@ -538,98 +538,107 @@ func (w *ServicesStableWaiter) WaitForOutput(ctx context.Context, params *Descri
 func servicesStableStateRetryable(ctx context.Context, input *DescribeServicesInput, output *DescribeServicesOutput, err error) (bool, error) {
 
 	if err == nil {
-		pathValue, err := jmespath.Search("failures[].reason", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Failures
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.Reason
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "MISSING"
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
+		var match bool
+		for _, v := range v2 {
+			if string(v) == expectedValue {
+				match = true
+				break
 			}
+		}
 
-			if string(*value) == expectedValue {
-				return false, fmt.Errorf("waiter state transitioned to Failure")
-			}
+		if match {
+			return false, fmt.Errorf("waiter state transitioned to Failure")
 		}
 	}
 
 	if err == nil {
-		pathValue, err := jmespath.Search("services[].status", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Services
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.Status
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "DRAINING"
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
+		var match bool
+		for _, v := range v2 {
+			if string(v) == expectedValue {
+				match = true
+				break
 			}
+		}
 
-			if string(*value) == expectedValue {
-				return false, fmt.Errorf("waiter state transitioned to Failure")
-			}
+		if match {
+			return false, fmt.Errorf("waiter state transitioned to Failure")
 		}
 	}
 
 	if err == nil {
-		pathValue, err := jmespath.Search("services[].status", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Services
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.Status
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "INACTIVE"
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
+		var match bool
+		for _, v := range v2 {
+			if string(v) == expectedValue {
+				match = true
+				break
 			}
+		}
 
-			if string(*value) == expectedValue {
-				return false, fmt.Errorf("waiter state transitioned to Failure")
-			}
+		if match {
+			return false, fmt.Errorf("waiter state transitioned to Failure")
 		}
 	}
 
 	if err == nil {
-		pathValue, err := jmespath.Search("length(services[?!(length(deployments) == `1` && runningCount == desiredCount)]) == `0`", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Services
+		var v2 []types.Service
+		for _, v := range v1 {
+			v3 := v.Deployments
+			v4 := len(v3)
+			v5 := 1
+			v6 := int64(v4) == int64(v5)
+			v7 := v.RunningCount
+			v8 := v.DesiredCount
+			v9 := int64(v7) == int64(v8)
+			v10 := v6 && v9
+			v11 := !v10
+			if v11 {
+				v2 = append(v2, v)
+			}
 		}
-
+		v12 := len(v2)
+		v13 := 0
+		v14 := int64(v12) == int64(v13)
 		expectedValue := "true"
 		bv, err := strconv.ParseBool(expectedValue)
 		if err != nil {
 			return false, fmt.Errorf("error parsing boolean from string %w", err)
 		}
-		value, ok := pathValue.(bool)
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected bool value got %T", pathValue)
-		}
-
-		if value == bv {
+		if v14 == bv {
 			return false, nil
 		}
 	}
 
+	if err != nil {
+		return false, err
+	}
 	return true, nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeTasks.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeTasks.go
index 0a7437567..53e924198 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeTasks.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_DescribeTasks.go
@@ -11,7 +11,6 @@ import (
 	smithytime "github.com/aws/smithy-go/time"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	smithywaiter "github.com/aws/smithy-go/waiter"
-	jmespath "github.com/jmespath/go-jmespath"
 	"time"
 )
 
@@ -331,77 +330,66 @@ func (w *TasksRunningWaiter) WaitForOutput(ctx context.Context, params *Describe
 func tasksRunningStateRetryable(ctx context.Context, input *DescribeTasksInput, output *DescribeTasksOutput, err error) (bool, error) {
 
 	if err == nil {
-		pathValue, err := jmespath.Search("tasks[].lastStatus", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Tasks
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.LastStatus
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "STOPPED"
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
+		var match bool
+		for _, v := range v2 {
+			if string(v) == expectedValue {
+				match = true
+				break
 			}
+		}
 
-			if string(*value) == expectedValue {
-				return false, fmt.Errorf("waiter state transitioned to Failure")
-			}
+		if match {
+			return false, fmt.Errorf("waiter state transitioned to Failure")
 		}
 	}
 
 	if err == nil {
-		pathValue, err := jmespath.Search("failures[].reason", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Failures
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.Reason
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "MISSING"
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
+		var match bool
+		for _, v := range v2 {
+			if string(v) == expectedValue {
+				match = true
+				break
 			}
+		}
 
-			if string(*value) == expectedValue {
-				return false, fmt.Errorf("waiter state transitioned to Failure")
-			}
+		if match {
+			return false, fmt.Errorf("waiter state transitioned to Failure")
 		}
 	}
 
 	if err == nil {
-		pathValue, err := jmespath.Search("tasks[].lastStatus", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Tasks
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.LastStatus
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "RUNNING"
-		var match = true
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		if len(listOfValues) == 0 {
-			match = false
-		}
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
-			}
-
-			if string(*value) != expectedValue {
+		match := len(v2) > 0
+		for _, v := range v2 {
+			if string(v) != expectedValue {
 				match = false
+				break
 			}
 		}
 
@@ -410,6 +398,9 @@ func tasksRunningStateRetryable(ctx context.Context, input *DescribeTasksInput,
 		}
 	}
 
+	if err != nil {
+		return false, err
+	}
 	return true, nil
 }
 
@@ -572,29 +563,20 @@ func (w *TasksStoppedWaiter) WaitForOutput(ctx context.Context, params *Describe
 func tasksStoppedStateRetryable(ctx context.Context, input *DescribeTasksInput, output *DescribeTasksOutput, err error) (bool, error) {
 
 	if err == nil {
-		pathValue, err := jmespath.Search("tasks[].lastStatus", output)
-		if err != nil {
-			return false, fmt.Errorf("error evaluating waiter state: %w", err)
+		v1 := output.Tasks
+		var v2 []string
+		for _, v := range v1 {
+			v3 := v.LastStatus
+			if v3 != nil {
+				v2 = append(v2, *v3)
+			}
 		}
-
 		expectedValue := "STOPPED"
-		var match = true
-		listOfValues, ok := pathValue.([]interface{})
-		if !ok {
-			return false, fmt.Errorf("waiter comparator expected list got %T", pathValue)
-		}
-
-		if len(listOfValues) == 0 {
-			match = false
-		}
-		for _, v := range listOfValues {
-			value, ok := v.(*string)
-			if !ok {
-				return false, fmt.Errorf("waiter comparator expected *string value, got %T", pathValue)
-			}
-
-			if string(*value) != expectedValue {
+		match := len(v2) > 0
+		for _, v := range v2 {
+			if string(v) != expectedValue {
 				match = false
+				break
 			}
 		}
 
@@ -603,6 +585,9 @@ func tasksStoppedStateRetryable(ctx context.Context, input *DescribeTasksInput,
 		}
 	}
 
+	if err != nil {
+		return false, err
+	}
 	return true, nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_ListServiceDeployments.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_ListServiceDeployments.go
index 3e7d782a6..73526da18 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_ListServiceDeployments.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_ListServiceDeployments.go
@@ -14,9 +14,9 @@ import (
 // This operation lists all the service deployments that meet the specified filter
 // criteria.
 //
-// A service deployment happens when you release a softwre update for the service.
-// You route traffic from the running service revisions to the new service revison
-// and control the number of running tasks.
+// A service deployment happens when you release a software update for the
+// service. You route traffic from the running service revisions to the new service
+// revison and control the number of running tasks.
 //
 // This API returns the values that you use for the request parameters in [DescribeServiceRevisions].
 //
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_RegisterTaskDefinition.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_RegisterTaskDefinition.go
index 650128c54..9133d2f17 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_RegisterTaskDefinition.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_RegisterTaskDefinition.go
@@ -72,9 +72,9 @@ type RegisterTaskDefinitionInput struct {
 	// Task-level CPU and memory parameters are ignored for Windows containers. We
 	// recommend specifying container-level resources for Windows containers.
 	//
-	// If you're using the EC2 launch type, this field is optional. Supported values
-	// are between 128 CPU units ( 0.125 vCPUs) and 10240 CPU units ( 10 vCPUs). If
-	// you do not specify a value, the parameter is ignored.
+	// If you're using the EC2 launch type or external launch type, this field is
+	// optional. Supported values are between 128 CPU units ( 0.125 vCPUs) and 196608
+	// CPU units ( 192 vCPUs). If you do not specify a value, the parameter is ignored.
 	//
 	// If you're using the Fargate launch type, this field is required and you must
 	// use one of the following values, which determines your range of supported values
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_StopTask.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_StopTask.go
index 881579fc2..3bb7683b8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_StopTask.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_StopTask.go
@@ -47,7 +47,7 @@ func (c *Client) StopTask(ctx context.Context, params *StopTaskInput, optFns ...
 
 type StopTaskInput struct {
 
-	// The task ID of the task to stop.
+	// Thefull Amazon Resource Name (ARN) of the task.
 	//
 	// This member is required.
 	Task *string
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_TagResource.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_TagResource.go
index 7883396ed..8bfef40ff 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_TagResource.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_TagResource.go
@@ -36,6 +36,22 @@ type TagResourceInput struct {
 	// supported resources are Amazon ECS capacity providers, tasks, services, task
 	// definitions, clusters, and container instances.
 	//
+	// In order to tag a service that has the following ARN format, you need to
+	// migrate the service to the long ARN. For more information, see [Migrate an Amazon ECS short service ARN to a long ARN]in the Amazon
+	// Elastic Container Service Developer Guide.
+	//
+	//     arn:aws:ecs:region:aws_account_id:service/service-name
+	//
+	// After the migration is complete, the service has the long ARN format, as shown
+	// below. Use this ARN to tag the service.
+	//
+	//     arn:aws:ecs:region:aws_account_id:service/cluster-name/service-name
+	//
+	// If you try to tag a service with a short ARN, you receive an
+	// InvalidParameterException error.
+	//
+	// [Migrate an Amazon ECS short service ARN to a long ARN]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-arn-migration.html
+	//
 	// This member is required.
 	ResourceArn *string
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_UpdateService.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_UpdateService.go
index 4d46e2a90..3dd5e491d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_UpdateService.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/api_op_UpdateService.go
@@ -163,7 +163,7 @@ type UpdateServiceInput struct {
 	// Indicates whether to use Availability Zone rebalancing for the service.
 	//
 	// For more information, see [Balancing an Amazon ECS service across Availability Zones] in the Amazon Elastic Container Service Developer
-	// Guide.
+	// Guide .
 	//
 	// [Balancing an Amazon ECS service across Availability Zones]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html
 	AvailabilityZoneRebalancing types.AvailabilityZoneRebalancing
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/generated.json b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/generated.json
index 2a0af2dc6..0dd8a32fd 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/generated.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/generated.json
@@ -3,8 +3,7 @@
         "github.com/aws/aws-sdk-go-v2": "v1.4.0",
         "github.com/aws/aws-sdk-go-v2/internal/configsources": "v0.0.0-00010101000000-000000000000",
         "github.com/aws/aws-sdk-go-v2/internal/endpoints/v2": "v2.0.0-00010101000000-000000000000",
-        "github.com/aws/smithy-go": "v1.4.0",
-        "github.com/jmespath/go-jmespath": "v0.4.0"
+        "github.com/aws/smithy-go": "v1.4.0"
     },
     "files": [
         "api_client.go",
@@ -86,7 +85,7 @@
         "types/types.go",
         "validators.go"
     ],
-    "go": "1.15",
+    "go": "1.22",
     "module": "github.com/aws/aws-sdk-go-v2/service/ecs",
     "unstable": false
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/go_module_metadata.go
index 18db02442..6fe83d513 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/go_module_metadata.go
@@ -3,4 +3,4 @@
 package ecs
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.53.0"
+const goModuleVersion = "1.53.16"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/internal/endpoints/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/internal/endpoints/endpoints.go
index 75eb7d212..3f37a0517 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/internal/endpoints/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/internal/endpoints/endpoints.go
@@ -175,6 +175,9 @@ var defaultPartitions = endpoints.Partitions{
 			endpoints.EndpointKey{
 				Region: "ap-southeast-5",
 			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "ap-southeast-7",
+			}: endpoints.Endpoint{},
 			endpoints.EndpointKey{
 				Region: "ca-central-1",
 			}: endpoints.Endpoint{},
@@ -250,6 +253,9 @@ var defaultPartitions = endpoints.Partitions{
 			endpoints.EndpointKey{
 				Region: "me-south-1",
 			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "mx-central-1",
+			}: endpoints.Endpoint{},
 			endpoints.EndpointKey{
 				Region: "sa-east-1",
 			}: endpoints.Endpoint{},
@@ -430,6 +436,14 @@ var defaultPartitions = endpoints.Partitions{
 		},
 		RegionRegex:    partitionRegexp.AwsIsoF,
 		IsRegionalized: true,
+		Endpoints: endpoints.Endpoints{
+			endpoints.EndpointKey{
+				Region: "us-isof-east-1",
+			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "us-isof-south-1",
+			}: endpoints.Endpoint{},
+		},
 	},
 	{
 		ID: "aws-us-gov",
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/errors.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/errors.go
index ec66bf2cf..d133e7d37 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/errors.go
@@ -64,9 +64,9 @@ func (e *AttributeLimitExceededException) ErrorCode() string {
 }
 func (e *AttributeLimitExceededException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
 
-// Your Amazon Web Services account was blocked. For more information, contact [Amazon Web Services Support].
+// Your Amazon Web Services account was blocked. For more information, contact [Amazon Web ServicesSupport].
 //
-// [Amazon Web Services Support]: http://aws.amazon.com/contact-us/
+// [Amazon Web ServicesSupport]: http://aws.amazon.com/contact-us/
 type BlockedException struct {
 	Message *string
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/types.go
index 21fb301b5..9d571a8ed 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/types.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ecs/types/types.go
@@ -164,21 +164,27 @@ type AutoScalingGroupProviderUpdate struct {
 type AwsVpcConfiguration struct {
 
 	// The IDs of the subnets associated with the task or service. There's a limit of
-	// 16 subnets that can be specified per awsvpcConfiguration .
+	// 16 subnets that can be specified.
 	//
 	// All specified subnets must be from the same VPC.
 	//
 	// This member is required.
 	Subnets []string
 
-	// Whether the task's elastic network interface receives a public IP address. The
-	// default value is ENABLED .
+	// Whether the task's elastic network interface receives a public IP address.
+	//
+	// Consider the following when you set this value:
+	//
+	//   - When you use create-service or update-service , the default is DISABLED .
+	//
+	//   - When the service deploymentController is ECS , the value must be DISABLED .
+	//
+	//   - When you use create-service or update-service , the default is ENABLED .
 	AssignPublicIp AssignPublicIp
 
 	// The IDs of the security groups associated with the task or service. If you
 	// don't specify a security group, the default security group for the VPC is used.
-	// There's a limit of 5 security groups that can be specified per
-	// awsvpcConfiguration .
+	// There's a limit of 5 security groups that can be specified.
 	//
 	// All specified security groups must be from the same VPC.
 	SecurityGroups []string
@@ -957,8 +963,8 @@ type ContainerDefinition struct {
 	// and VPC settings.
 	Links []string
 
-	// Linux-specific modifications that are applied to the container, such as Linux
-	// kernel capabilities. For more information see [KernelCapabilities].
+	// Linux-specific modifications that are applied to the default Docker container
+	// configuration, such as Linux kernel capabilities. For more information see [KernelCapabilities].
 	//
 	// This parameter is not supported for Windows containers.
 	//
@@ -2497,8 +2503,13 @@ type FSxWindowsFileServerVolumeConfiguration struct {
 //   - Container health checks aren't supported for tasks that are part of a
 //     service that's configured to use a Classic Load Balancer.
 //
+// For an example of how to specify a task definition with multiple containers
+// where container dependency is specified, see [Container dependency]in the Amazon Elastic Container
+// Service Developer Guide.
+//
 // [Updating the Amazon ECS container agent]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html
 // [Fargate platform versions]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html
+// [Container dependency]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/example_task_definitions.html#example_task_definition-containerdependency
 type HealthCheck struct {
 
 	// A string array representing the command that the container runs to determine if
@@ -2524,17 +2535,19 @@ type HealthCheck struct {
 	Command []string
 
 	// The time period in seconds between each health check execution. You may specify
-	// between 5 and 300 seconds. The default value is 30 seconds.
+	// between 5 and 300 seconds. The default value is 30 seconds. This value applies
+	// only when you specify a command .
 	Interval *int32
 
 	// The number of times to retry a failed health check before the container is
 	// considered unhealthy. You may specify between 1 and 10 retries. The default
-	// value is 3.
+	// value is 3. This value applies only when you specify a command .
 	Retries *int32
 
 	// The optional grace period to provide containers time to bootstrap before failed
 	// health checks count towards the maximum number of retries. You can specify
-	// between 0 and 300 seconds. By default, the startPeriod is off.
+	// between 0 and 300 seconds. By default, the startPeriod is off. This value
+	// applies only when you specify a command .
 	//
 	// If a health check succeeds within the startPeriod , then the container is
 	// considered healthy and any subsequent failures count toward the maximum number
@@ -2543,7 +2556,7 @@ type HealthCheck struct {
 
 	// The time period in seconds to wait for a health check to succeed before it is
 	// considered a failure. You may specify between 2 and 60 seconds. The default
-	// value is 5.
+	// value is 5. This value applies only when you specify a command .
 	Timeout *int32
 
 	noSmithyDocumentSerde
@@ -2650,6 +2663,30 @@ type InstanceHealthCheckResult struct {
 // for a container defined in the task definition. For more detailed information
 // about these Linux capabilities, see the [capabilities(7)]Linux manual page.
 //
+// The following describes how Docker processes the Linux capabilities specified
+// in the add and drop request parameters. For information about the latest
+// behavior, see [Docker Compose: order of cap_drop and cap_add]in the Docker Community Forum.
+//
+//   - When the container is a privleged container, the container capabilities are
+//     all of the default Docker capabilities. The capabilities specified in the add
+//     request parameter, and the drop request parameter are ignored.
+//
+//   - When the add request parameter is set to ALL, the container capabilities are
+//     all of the default Docker capabilities, excluding those specified in the drop
+//     request parameter.
+//
+//   - When the drop request parameter is set to ALL, the container capabilities
+//     are the capabilities specified in the add request parameter.
+//
+//   - When the add request parameter and the drop request parameter are both
+//     empty, the capabilities the container capabilities are all of the default Docker
+//     capabilities.
+//
+//   - The default is to first drop the capabilities specified in the drop request
+//     parameter, and then add the capabilities specified in the add request
+//     parameter.
+//
+// [Docker Compose: order of cap_drop and cap_add]: https://forums.docker.com/t/docker-compose-order-of-cap-drop-and-cap-add/97136/1
 // [capabilities(7)]: http://man7.org/linux/man-pages/man7/capabilities.7.html
 type KernelCapabilities struct {
 
@@ -3163,9 +3200,13 @@ type ManagedScaling struct {
 type ManagedStorageConfiguration struct {
 
 	// Specify the Key Management Service key ID for the Fargate ephemeral storage.
+	//
+	// The key must be a single Region key.
 	FargateEphemeralStorageKmsKeyId *string
 
 	// Specify a Key Management Service key ID to encrypt the managed storage.
+	//
+	// The key must be a single Region key.
 	KmsKeyId *string
 
 	noSmithyDocumentSerde
@@ -3792,7 +3833,7 @@ type Service struct {
 	// Indicates whether to use Availability Zone rebalancing for the service.
 	//
 	// For more information, see [Balancing an Amazon ECS service across Availability Zones] in the Amazon Elastic Container Service Developer
-	// Guide.
+	// Guide .
 	//
 	// [Balancing an Amazon ECS service across Availability Zones]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-rebalancing.html
 	AvailabilityZoneRebalancing AvailabilityZoneRebalancing
@@ -4891,12 +4932,13 @@ type Task struct {
 	// values are converted to an integer that indicates the CPU units when the task
 	// definition is registered.
 	//
-	// If you use the EC2 launch type, this field is optional. Supported values are
-	// between 128 CPU units ( 0.125 vCPUs) and 10240 CPU units ( 10 vCPUs).
+	// If you're using the EC2 launch type or the external launch type, this field is
+	// optional. Supported values are between 128 CPU units ( 0.125 vCPUs) and 196608
+	// CPU units ( 192 vCPUs). If you do not specify a value, the parameter is ignored.
 	//
-	// If you use the Fargate launch type, this field is required. You must use one of
-	// the following values. These values determine the range of supported values for
-	// the memory parameter:
+	// If you're using the Fargate launch type, this field is required. You must use
+	// one of the following values. These values determine the range of supported
+	// values for the memory parameter:
 	//
 	// The CPU units cannot be less than 1 vCPU when you use Windows containers on
 	// Fargate.
@@ -5138,11 +5180,14 @@ type TaskDefinition struct {
 	// this field is required. You must use one of the following values. The value that
 	// you choose determines your range of valid values for the memory parameter.
 	//
-	// If you use the EC2 launch type, this field is optional. Supported values are
-	// between 128 CPU units ( 0.125 vCPUs) and 10240 CPU units ( 10 vCPUs).
+	// If you're using the EC2 launch type or the external launch type, this field is
+	// optional. Supported values are between 128 CPU units ( 0.125 vCPUs) and 196608
+	// CPU units ( 192 vCPUs).
 	//
-	// The CPU units cannot be less than 1 vCPU when you use Windows containers on
-	// Fargate.
+	// If you're using the Fargate launch type, this field is required and you must
+	// use one of the following values, which determines your range of supported values
+	// for the memory parameter. The CPU units cannot be less than 1 vCPU when you use
+	// Windows containers on Fargate.
 	//
 	//   - 256 (.25 vCPU) - Available memory values: 512 (0.5 GB), 1024 (1 GB), 2048 (2
 	//   GB)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
index 9cf6cf22b..c81265a25 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
@@ -1,3 +1,31 @@
+# v1.12.3 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+
+# v1.12.2 (2025-01-24)
+
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.12.1 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+
+# v1.12.0 (2024-10-04)
+
+* **Feature**: Add support for HTTP client metrics.
+
+# v1.11.5 (2024-09-20)
+
+* No change notes available for this release.
+
+# v1.11.4 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+
+# v1.11.3 (2024-06-28)
+
+* No change notes available for this release.
+
 # v1.11.2 (2024-03-29)
 
 * No change notes available for this release.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
index 6339b5419..d83e533ef 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
@@ -3,4 +3,4 @@
 package acceptencoding
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.2"
+const goModuleVersion = "1.12.3"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
index 14bb43611..cb83e7a6b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
@@ -1,3 +1,104 @@
+# v1.12.14 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.13 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.12 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.11 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.10 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.12.9 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.8 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.7 (2024-12-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.6 (2024-12-02)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.5 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.4 (2024-11-06)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.3 (2024-10-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.2 (2024-10-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.1 (2024-10-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.12.0 (2024-10-04)
+
+* **Feature**: Add support for HTTP client metrics.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.20 (2024-09-20)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.19 (2024-09-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.18 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.17 (2024-07-10.2)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.16 (2024-07-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.15 (2024-06-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.14 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.13 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.12 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.11.11 (2024-06-07)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
index c1a5e0da1..f419fe0a6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
@@ -3,4 +3,4 @@
 package presignedurl
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.11"
+const goModuleVersion = "1.12.14"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
index aaffd4f35..2b5b45cd1 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md
@@ -1,3 +1,146 @@
+# v1.24.16 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.15 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.14 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.13 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.12 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.24.11 (2025-01-17)
+
+* **Bug Fix**: Fix bug where credentials weren't refreshed during retry loop.
+
+# v1.24.10 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.9 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.8 (2024-12-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.7 (2024-12-02)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.6 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.5 (2024-11-07)
+
+* **Bug Fix**: Adds case-insensitive handling of error message fields in service responses
+
+# v1.24.4 (2024-11-06)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.3 (2024-10-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.2 (2024-10-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.1 (2024-10-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.0 (2024-10-04)
+
+* **Feature**: Add support for HTTP client metrics.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.23.4 (2024-10-03)
+
+* No change notes available for this release.
+
+# v1.23.3 (2024-09-27)
+
+* No change notes available for this release.
+
+# v1.23.2 (2024-09-25)
+
+* No change notes available for this release.
+
+# v1.23.1 (2024-09-23)
+
+* No change notes available for this release.
+
+# v1.23.0 (2024-09-20)
+
+* **Feature**: Add tracing and metrics support to service clients.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.22.8 (2024-09-17)
+
+* **Bug Fix**: **BREAKFIX**: Only generate AccountIDEndpointMode config for services that use it. This is a compiler break, but removes no actual functionality, as no services currently use the account ID in endpoint resolution.
+
+# v1.22.7 (2024-09-04)
+
+* No change notes available for this release.
+
+# v1.22.6 (2024-09-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.22.5 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.22.4 (2024-07-18)
+
+* No change notes available for this release.
+
+# v1.22.3 (2024-07-10.2)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.22.2 (2024-07-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.22.1 (2024-06-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.22.0 (2024-06-26)
+
+* **Feature**: Support list-of-string endpoint parameter.
+
+# v1.21.1 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.21.0 (2024-06-18)
+
+* **Feature**: Track usage of various AWS SDK features in user-agent string.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.20.12 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.20.11 (2024-06-07)
 
 * **Bug Fix**: Add clock skew correction on all service clients
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go
index 34f19ded2..0b244f142 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go
@@ -4,6 +4,7 @@ package sso
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/defaults"
@@ -16,9 +17,12 @@ import (
 	internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
 	internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
 	smithy "github.com/aws/smithy-go"
+	smithyauth "github.com/aws/smithy-go/auth"
 	smithydocument "github.com/aws/smithy-go/document"
 	"github.com/aws/smithy-go/logging"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net"
 	"net/http"
@@ -29,6 +33,133 @@ import (
 const ServiceID = "SSO"
 const ServiceAPIVersion = "2019-06-10"
 
+type operationMetrics struct {
+	Duration                metrics.Float64Histogram
+	SerializeDuration       metrics.Float64Histogram
+	ResolveIdentityDuration metrics.Float64Histogram
+	ResolveEndpointDuration metrics.Float64Histogram
+	SignRequestDuration     metrics.Float64Histogram
+	DeserializeDuration     metrics.Float64Histogram
+}
+
+func (m *operationMetrics) histogramFor(name string) metrics.Float64Histogram {
+	switch name {
+	case "client.call.duration":
+		return m.Duration
+	case "client.call.serialization_duration":
+		return m.SerializeDuration
+	case "client.call.resolve_identity_duration":
+		return m.ResolveIdentityDuration
+	case "client.call.resolve_endpoint_duration":
+		return m.ResolveEndpointDuration
+	case "client.call.signing_duration":
+		return m.SignRequestDuration
+	case "client.call.deserialization_duration":
+		return m.DeserializeDuration
+	default:
+		panic("unrecognized operation metric")
+	}
+}
+
+func timeOperationMetric[T any](
+	ctx context.Context, metric string, fn func() (T, error),
+	opts ...metrics.RecordMetricOption,
+) (T, error) {
+	instr := getOperationMetrics(ctx).histogramFor(metric)
+	opts = append([]metrics.RecordMetricOption{withOperationMetadata(ctx)}, opts...)
+
+	start := time.Now()
+	v, err := fn()
+	end := time.Now()
+
+	elapsed := end.Sub(start)
+	instr.Record(ctx, float64(elapsed)/1e9, opts...)
+	return v, err
+}
+
+func startMetricTimer(ctx context.Context, metric string, opts ...metrics.RecordMetricOption) func() {
+	instr := getOperationMetrics(ctx).histogramFor(metric)
+	opts = append([]metrics.RecordMetricOption{withOperationMetadata(ctx)}, opts...)
+
+	var ended bool
+	start := time.Now()
+	return func() {
+		if ended {
+			return
+		}
+		ended = true
+
+		end := time.Now()
+
+		elapsed := end.Sub(start)
+		instr.Record(ctx, float64(elapsed)/1e9, opts...)
+	}
+}
+
+func withOperationMetadata(ctx context.Context) metrics.RecordMetricOption {
+	return func(o *metrics.RecordMetricOptions) {
+		o.Properties.Set("rpc.service", middleware.GetServiceID(ctx))
+		o.Properties.Set("rpc.method", middleware.GetOperationName(ctx))
+	}
+}
+
+type operationMetricsKey struct{}
+
+func withOperationMetrics(parent context.Context, mp metrics.MeterProvider) (context.Context, error) {
+	meter := mp.Meter("github.com/aws/aws-sdk-go-v2/service/sso")
+	om := &operationMetrics{}
+
+	var err error
+
+	om.Duration, err = operationMetricTimer(meter, "client.call.duration",
+		"Overall call duration (including retries and time to send or receive request and response body)")
+	if err != nil {
+		return nil, err
+	}
+	om.SerializeDuration, err = operationMetricTimer(meter, "client.call.serialization_duration",
+		"The time it takes to serialize a message body")
+	if err != nil {
+		return nil, err
+	}
+	om.ResolveIdentityDuration, err = operationMetricTimer(meter, "client.call.auth.resolve_identity_duration",
+		"The time taken to acquire an identity (AWS credentials, bearer token, etc) from an Identity Provider")
+	if err != nil {
+		return nil, err
+	}
+	om.ResolveEndpointDuration, err = operationMetricTimer(meter, "client.call.resolve_endpoint_duration",
+		"The time it takes to resolve an endpoint (endpoint resolver, not DNS) for the request")
+	if err != nil {
+		return nil, err
+	}
+	om.SignRequestDuration, err = operationMetricTimer(meter, "client.call.auth.signing_duration",
+		"The time it takes to sign a request")
+	if err != nil {
+		return nil, err
+	}
+	om.DeserializeDuration, err = operationMetricTimer(meter, "client.call.deserialization_duration",
+		"The time it takes to deserialize a message body")
+	if err != nil {
+		return nil, err
+	}
+
+	return context.WithValue(parent, operationMetricsKey{}, om), nil
+}
+
+func operationMetricTimer(m metrics.Meter, name, desc string) (metrics.Float64Histogram, error) {
+	return m.Float64Histogram(name, func(o *metrics.InstrumentOptions) {
+		o.UnitLabel = "s"
+		o.Description = desc
+	})
+}
+
+func getOperationMetrics(ctx context.Context) *operationMetrics {
+	return ctx.Value(operationMetricsKey{}).(*operationMetrics)
+}
+
+func operationTracer(p tracing.TracerProvider) tracing.Tracer {
+	return p.Tracer("github.com/aws/aws-sdk-go-v2/service/sso")
+}
+
 // Client provides the API client to make operations call for AWS Single Sign-On.
 type Client struct {
 	options Options
@@ -55,6 +186,10 @@ func New(options Options, optFns ...func(*Options)) *Client {
 
 	resolveEndpointResolverV2(&options)
 
+	resolveTracerProvider(&options)
+
+	resolveMeterProvider(&options)
+
 	resolveAuthSchemeResolver(&options)
 
 	for _, fn := range optFns {
@@ -87,8 +222,15 @@ func (c *Client) Options() Options {
 	return c.options.Copy()
 }
 
-func (c *Client) invokeOperation(ctx context.Context, opID string, params interface{}, optFns []func(*Options), stackFns ...func(*middleware.Stack, Options) error) (result interface{}, metadata middleware.Metadata, err error) {
+func (c *Client) invokeOperation(
+	ctx context.Context, opID string, params interface{}, optFns []func(*Options), stackFns ...func(*middleware.Stack, Options) error,
+) (
+	result interface{}, metadata middleware.Metadata, err error,
+) {
 	ctx = middleware.ClearStackValues(ctx)
+	ctx = middleware.WithServiceID(ctx, ServiceID)
+	ctx = middleware.WithOperationName(ctx, opID)
+
 	stack := middleware.NewStack(opID, smithyhttp.NewStackRequest)
 	options := c.options.Copy()
 
@@ -112,15 +254,56 @@ func (c *Client) invokeOperation(ctx context.Context, opID string, params interf
 		}
 	}
 
-	handler := middleware.DecorateHandler(smithyhttp.NewClientHandler(options.HTTPClient), stack)
-	result, metadata, err = handler.Handle(ctx, params)
+	ctx, err = withOperationMetrics(ctx, options.MeterProvider)
 	if err != nil {
+		return nil, metadata, err
+	}
+
+	tracer := operationTracer(options.TracerProvider)
+	spanName := fmt.Sprintf("%s.%s", ServiceID, opID)
+
+	ctx = tracing.WithOperationTracer(ctx, tracer)
+
+	ctx, span := tracer.StartSpan(ctx, spanName, func(o *tracing.SpanOptions) {
+		o.Kind = tracing.SpanKindClient
+		o.Properties.Set("rpc.system", "aws-api")
+		o.Properties.Set("rpc.method", opID)
+		o.Properties.Set("rpc.service", ServiceID)
+	})
+	endTimer := startMetricTimer(ctx, "client.call.duration")
+	defer endTimer()
+	defer span.End()
+
+	handler := smithyhttp.NewClientHandlerWithOptions(options.HTTPClient, func(o *smithyhttp.ClientHandler) {
+		o.Meter = options.MeterProvider.Meter("github.com/aws/aws-sdk-go-v2/service/sso")
+	})
+	decorated := middleware.DecorateHandler(handler, stack)
+	result, metadata, err = decorated.Handle(ctx, params)
+	if err != nil {
+		span.SetProperty("exception.type", fmt.Sprintf("%T", err))
+		span.SetProperty("exception.message", err.Error())
+
+		var aerr smithy.APIError
+		if errors.As(err, &aerr) {
+			span.SetProperty("api.error_code", aerr.ErrorCode())
+			span.SetProperty("api.error_message", aerr.ErrorMessage())
+			span.SetProperty("api.error_fault", aerr.ErrorFault().String())
+		}
+
 		err = &smithy.OperationError{
 			ServiceID:     ServiceID,
 			OperationName: opID,
 			Err:           err,
 		}
 	}
+
+	span.SetProperty("error", err != nil)
+	if err == nil {
+		span.SetStatus(tracing.SpanStatusOK)
+	} else {
+		span.SetStatus(tracing.SpanStatusError)
+	}
+
 	return result, metadata, err
 }
 
@@ -158,7 +341,7 @@ func addProtocolFinalizerMiddlewares(stack *middleware.Stack, options Options, o
 	if err := stack.Finalize.Insert(&resolveEndpointV2Middleware{options: options}, "GetIdentity", middleware.After); err != nil {
 		return fmt.Errorf("add ResolveEndpointV2: %v", err)
 	}
-	if err := stack.Finalize.Insert(&signRequestMiddleware{}, "ResolveEndpointV2", middleware.After); err != nil {
+	if err := stack.Finalize.Insert(&signRequestMiddleware{options: options}, "ResolveEndpointV2", middleware.After); err != nil {
 		return fmt.Errorf("add Signing: %w", err)
 	}
 	return nil
@@ -432,6 +615,30 @@ func addRawResponseToMetadata(stack *middleware.Stack) error {
 func addRecordResponseTiming(stack *middleware.Stack) error {
 	return stack.Deserialize.Add(&awsmiddleware.RecordResponseTiming{}, middleware.After)
 }
+
+func addSpanRetryLoop(stack *middleware.Stack, options Options) error {
+	return stack.Finalize.Insert(&spanRetryLoop{options: options}, "Retry", middleware.Before)
+}
+
+type spanRetryLoop struct {
+	options Options
+}
+
+func (*spanRetryLoop) ID() string {
+	return "spanRetryLoop"
+}
+
+func (m *spanRetryLoop) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
+) (
+	middleware.FinalizeOutput, middleware.Metadata, error,
+) {
+	tracer := operationTracer(m.options.TracerProvider)
+	ctx, span := tracer.StartSpan(ctx, "RetryLoop")
+	defer span.End()
+
+	return next.HandleFinalize(ctx, in)
+}
 func addStreamingEventsPayload(stack *middleware.Stack) error {
 	return stack.Finalize.Add(&v4.StreamingEventsPayload{}, middleware.Before)
 }
@@ -448,11 +655,36 @@ func addContentSHA256Header(stack *middleware.Stack) error {
 	return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After)
 }
 
+func addIsWaiterUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureWaiter)
+		return nil
+	})
+}
+
+func addIsPaginatorUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeaturePaginator)
+		return nil
+	})
+}
+
 func addRetry(stack *middleware.Stack, o Options) error {
 	attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) {
 		m.LogAttempts = o.ClientLogMode.IsRetries()
+		m.OperationMeter = o.MeterProvider.Meter("github.com/aws/aws-sdk-go-v2/service/sso")
 	})
-	if err := stack.Finalize.Insert(attempt, "Signing", middleware.Before); err != nil {
+	if err := stack.Finalize.Insert(attempt, "ResolveAuthScheme", middleware.Before); err != nil {
 		return err
 	}
 	if err := stack.Finalize.Insert(&retry.MetricsHeader{}, attempt.ID(), middleware.After); err != nil {
@@ -491,6 +723,18 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
 	return nil
 }
 
+func resolveAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) *string {
+	if mode == aws.AccountIDEndpointModeDisabled {
+		return nil
+	}
+
+	if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); ok && ca.Credentials.AccountID != "" {
+		return aws.String(ca.Credentials.AccountID)
+	}
+
+	return nil
+}
+
 func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
 	mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
 	if err := stack.Build.Add(&mw, middleware.After); err != nil {
@@ -502,6 +746,33 @@ func initializeTimeOffsetResolver(c *Client) {
 	c.timeOffset = new(atomic.Int64)
 }
 
+func addUserAgentRetryMode(stack *middleware.Stack, options Options) error {
+	ua, err := getOrAddRequestUserAgent(stack)
+	if err != nil {
+		return err
+	}
+
+	switch options.Retryer.(type) {
+	case *retry.Standard:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeStandard)
+	case *retry.AdaptiveMode:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeAdaptive)
+	}
+	return nil
+}
+
+func resolveTracerProvider(options *Options) {
+	if options.TracerProvider == nil {
+		options.TracerProvider = &tracing.NopTracerProvider{}
+	}
+}
+
+func resolveMeterProvider(options *Options) {
+	if options.MeterProvider == nil {
+		options.MeterProvider = metrics.NopMeterProvider{}
+	}
+}
+
 func addRecursionDetection(stack *middleware.Stack) error {
 	return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
 }
@@ -553,3 +824,89 @@ func addDisableHTTPSMiddleware(stack *middleware.Stack, o Options) error {
 		DisableHTTPS: o.EndpointOptions.DisableHTTPS,
 	}, "ResolveEndpointV2", middleware.After)
 }
+
+type spanInitializeStart struct {
+}
+
+func (*spanInitializeStart) ID() string {
+	return "spanInitializeStart"
+}
+
+func (m *spanInitializeStart) HandleInitialize(
+	ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler,
+) (
+	middleware.InitializeOutput, middleware.Metadata, error,
+) {
+	ctx, _ = tracing.StartSpan(ctx, "Initialize")
+
+	return next.HandleInitialize(ctx, in)
+}
+
+type spanInitializeEnd struct {
+}
+
+func (*spanInitializeEnd) ID() string {
+	return "spanInitializeEnd"
+}
+
+func (m *spanInitializeEnd) HandleInitialize(
+	ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler,
+) (
+	middleware.InitializeOutput, middleware.Metadata, error,
+) {
+	ctx, span := tracing.PopSpan(ctx)
+	span.End()
+
+	return next.HandleInitialize(ctx, in)
+}
+
+type spanBuildRequestStart struct {
+}
+
+func (*spanBuildRequestStart) ID() string {
+	return "spanBuildRequestStart"
+}
+
+func (m *spanBuildRequestStart) HandleSerialize(
+	ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler,
+) (
+	middleware.SerializeOutput, middleware.Metadata, error,
+) {
+	ctx, _ = tracing.StartSpan(ctx, "BuildRequest")
+
+	return next.HandleSerialize(ctx, in)
+}
+
+type spanBuildRequestEnd struct {
+}
+
+func (*spanBuildRequestEnd) ID() string {
+	return "spanBuildRequestEnd"
+}
+
+func (m *spanBuildRequestEnd) HandleBuild(
+	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+) (
+	middleware.BuildOutput, middleware.Metadata, error,
+) {
+	ctx, span := tracing.PopSpan(ctx)
+	span.End()
+
+	return next.HandleBuild(ctx, in)
+}
+
+func addSpanInitializeStart(stack *middleware.Stack) error {
+	return stack.Initialize.Add(&spanInitializeStart{}, middleware.Before)
+}
+
+func addSpanInitializeEnd(stack *middleware.Stack) error {
+	return stack.Initialize.Add(&spanInitializeEnd{}, middleware.After)
+}
+
+func addSpanBuildRequestStart(stack *middleware.Stack) error {
+	return stack.Serialize.Add(&spanBuildRequestStart{}, middleware.Before)
+}
+
+func addSpanBuildRequestEnd(stack *middleware.Stack) error {
+	return stack.Build.Add(&spanBuildRequestEnd{}, middleware.After)
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
index 77d54b9f1..a65602023 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go
@@ -102,6 +102,9 @@ func (c *Client) addOperationGetRoleCredentialsMiddlewares(stack *middleware.Sta
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -117,6 +120,9 @@ func (c *Client) addOperationGetRoleCredentialsMiddlewares(stack *middleware.Sta
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpGetRoleCredentialsValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -138,6 +144,18 @@ func (c *Client) addOperationGetRoleCredentialsMiddlewares(stack *middleware.Sta
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
index 77374f48f..315526ef1 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go
@@ -107,6 +107,9 @@ func (c *Client) addOperationListAccountRolesMiddlewares(stack *middleware.Stack
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -122,6 +125,9 @@ func (c *Client) addOperationListAccountRolesMiddlewares(stack *middleware.Stack
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpListAccountRolesValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -143,17 +149,21 @@ func (c *Client) addOperationListAccountRolesMiddlewares(stack *middleware.Stack
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
-// ListAccountRolesAPIClient is a client that implements the ListAccountRoles
-// operation.
-type ListAccountRolesAPIClient interface {
-	ListAccountRoles(context.Context, *ListAccountRolesInput, ...func(*Options)) (*ListAccountRolesOutput, error)
-}
-
-var _ ListAccountRolesAPIClient = (*Client)(nil)
-
 // ListAccountRolesPaginatorOptions is the paginator options for ListAccountRoles
 type ListAccountRolesPaginatorOptions struct {
 	// The number of items that clients can request per page.
@@ -217,6 +227,9 @@ func (p *ListAccountRolesPaginator) NextPage(ctx context.Context, optFns ...func
 	}
 	params.MaxResults = limit
 
+	optFns = append([]func(*Options){
+		addIsPaginatorUserAgent,
+	}, optFns...)
 	result, err := p.client.ListAccountRoles(ctx, &params, optFns...)
 	if err != nil {
 		return nil, err
@@ -236,6 +249,14 @@ func (p *ListAccountRolesPaginator) NextPage(ctx context.Context, optFns ...func
 	return result, nil
 }
 
+// ListAccountRolesAPIClient is a client that implements the ListAccountRoles
+// operation.
+type ListAccountRolesAPIClient interface {
+	ListAccountRoles(context.Context, *ListAccountRolesInput, ...func(*Options)) (*ListAccountRolesOutput, error)
+}
+
+var _ ListAccountRolesAPIClient = (*Client)(nil)
+
 func newServiceMetadataMiddleware_opListAccountRoles(region string) *awsmiddleware.RegisterServiceMetadata {
 	return &awsmiddleware.RegisterServiceMetadata{
 		Region:        region,
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
index ac15831f9..d867b78a6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go
@@ -106,6 +106,9 @@ func (c *Client) addOperationListAccountsMiddlewares(stack *middleware.Stack, op
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -121,6 +124,9 @@ func (c *Client) addOperationListAccountsMiddlewares(stack *middleware.Stack, op
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpListAccountsValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -142,16 +148,21 @@ func (c *Client) addOperationListAccountsMiddlewares(stack *middleware.Stack, op
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
-// ListAccountsAPIClient is a client that implements the ListAccounts operation.
-type ListAccountsAPIClient interface {
-	ListAccounts(context.Context, *ListAccountsInput, ...func(*Options)) (*ListAccountsOutput, error)
-}
-
-var _ ListAccountsAPIClient = (*Client)(nil)
-
 // ListAccountsPaginatorOptions is the paginator options for ListAccounts
 type ListAccountsPaginatorOptions struct {
 	// This is the number of items clients can request per page.
@@ -215,6 +226,9 @@ func (p *ListAccountsPaginator) NextPage(ctx context.Context, optFns ...func(*Op
 	}
 	params.MaxResults = limit
 
+	optFns = append([]func(*Options){
+		addIsPaginatorUserAgent,
+	}, optFns...)
 	result, err := p.client.ListAccounts(ctx, &params, optFns...)
 	if err != nil {
 		return nil, err
@@ -234,6 +248,13 @@ func (p *ListAccountsPaginator) NextPage(ctx context.Context, optFns ...func(*Op
 	return result, nil
 }
 
+// ListAccountsAPIClient is a client that implements the ListAccounts operation.
+type ListAccountsAPIClient interface {
+	ListAccounts(context.Context, *ListAccountsInput, ...func(*Options)) (*ListAccountsOutput, error)
+}
+
+var _ ListAccountsAPIClient = (*Client)(nil)
+
 func newServiceMetadataMiddleware_opListAccounts(region string) *awsmiddleware.RegisterServiceMetadata {
 	return &awsmiddleware.RegisterServiceMetadata{
 		Region:        region,
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
index a9e349c5d..434b43085 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go
@@ -101,6 +101,9 @@ func (c *Client) addOperationLogoutMiddlewares(stack *middleware.Stack, options
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -116,6 +119,9 @@ func (c *Client) addOperationLogoutMiddlewares(stack *middleware.Stack, options
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpLogoutValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -137,6 +143,18 @@ func (c *Client) addOperationLogoutMiddlewares(stack *middleware.Stack, options
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/auth.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/auth.go
index 3b28e825d..366963b49 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/auth.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/auth.go
@@ -8,11 +8,13 @@ import (
 	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
 	smithy "github.com/aws/smithy-go"
 	smithyauth "github.com/aws/smithy-go/auth"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-func bindAuthParamsRegion(params *AuthResolverParameters, _ interface{}, options Options) {
+func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
 	params.Region = options.Region
 }
 
@@ -90,12 +92,12 @@ type AuthResolverParameters struct {
 	Region string
 }
 
-func bindAuthResolverParams(operation string, input interface{}, options Options) *AuthResolverParameters {
+func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
 	params := &AuthResolverParameters{
 		Operation: operation,
 	}
 
-	bindAuthParamsRegion(params, input, options)
+	bindAuthParamsRegion(ctx, params, input, options)
 
 	return params
 }
@@ -169,7 +171,10 @@ func (*resolveAuthSchemeMiddleware) ID() string {
 func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	params := bindAuthResolverParams(m.operation, getOperationInput(ctx), m.options)
+	_, span := tracing.StartSpan(ctx, "ResolveAuthScheme")
+	defer span.End()
+
+	params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
 	options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
 	if err != nil {
 		return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)
@@ -181,6 +186,9 @@ func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in mid
 	}
 
 	ctx = setResolvedAuthScheme(ctx, scheme)
+
+	span.SetProperty("auth.scheme_id", scheme.Scheme.SchemeID())
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
 
@@ -240,7 +248,10 @@ func (*getIdentityMiddleware) ID() string {
 func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	rscheme := getResolvedAuthScheme(ctx)
+	innerCtx, span := tracing.StartSpan(ctx, "GetIdentity")
+	defer span.End()
+
+	rscheme := getResolvedAuthScheme(innerCtx)
 	if rscheme == nil {
 		return out, metadata, fmt.Errorf("no resolved auth scheme")
 	}
@@ -250,12 +261,20 @@ func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middlewar
 		return out, metadata, fmt.Errorf("no identity resolver")
 	}
 
-	identity, err := resolver.GetIdentity(ctx, rscheme.IdentityProperties)
+	identity, err := timeOperationMetric(ctx, "client.call.resolve_identity_duration",
+		func() (smithyauth.Identity, error) {
+			return resolver.GetIdentity(innerCtx, rscheme.IdentityProperties)
+		},
+		func(o *metrics.RecordMetricOptions) {
+			o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
+		})
 	if err != nil {
 		return out, metadata, fmt.Errorf("get identity: %w", err)
 	}
 
 	ctx = setIdentity(ctx, identity)
+
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
 
@@ -271,6 +290,7 @@ func getIdentity(ctx context.Context) smithyauth.Identity {
 }
 
 type signRequestMiddleware struct {
+	options Options
 }
 
 func (*signRequestMiddleware) ID() string {
@@ -280,6 +300,9 @@ func (*signRequestMiddleware) ID() string {
 func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "SignRequest")
+	defer span.End()
+
 	req, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, fmt.Errorf("unexpected transport type %T", in.Request)
@@ -300,9 +323,15 @@ func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middlewar
 		return out, metadata, fmt.Errorf("no signer")
 	}
 
-	if err := signer.SignRequest(ctx, req, identity, rscheme.SignerProperties); err != nil {
+	_, err = timeOperationMetric(ctx, "client.call.signing_duration", func() (any, error) {
+		return nil, signer.SignRequest(ctx, req, identity, rscheme.SignerProperties)
+	}, func(o *metrics.RecordMetricOptions) {
+		o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
+	})
+	if err != nil {
 		return out, metadata, fmt.Errorf("sign request: %w", err)
 	}
 
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go
index d6297fa6a..ec23c36f5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go
@@ -14,6 +14,7 @@ import (
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
 	smithytime "github.com/aws/smithy-go/time"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"io"
 	"io/ioutil"
@@ -44,6 +45,10 @@ func (m *awsRestjson1_deserializeOpGetRoleCredentials) HandleDeserialize(ctx con
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -83,6 +88,7 @@ func (m *awsRestjson1_deserializeOpGetRoleCredentials) HandleDeserialize(ctx con
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
@@ -200,6 +206,10 @@ func (m *awsRestjson1_deserializeOpListAccountRoles) HandleDeserialize(ctx conte
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -239,6 +249,7 @@ func (m *awsRestjson1_deserializeOpListAccountRoles) HandleDeserialize(ctx conte
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
@@ -365,6 +376,10 @@ func (m *awsRestjson1_deserializeOpListAccounts) HandleDeserialize(ctx context.C
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -404,6 +419,7 @@ func (m *awsRestjson1_deserializeOpListAccounts) HandleDeserialize(ctx context.C
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
@@ -530,6 +546,10 @@ func (m *awsRestjson1_deserializeOpLogout) HandleDeserialize(ctx context.Context
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -547,6 +567,7 @@ func (m *awsRestjson1_deserializeOpLogout) HandleDeserialize(ctx context.Context
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
@@ -868,7 +889,7 @@ func awsRestjson1_deserializeDocumentInvalidRequestException(v **types.InvalidRe
 
 	for key, value := range shape {
 		switch key {
-		case "message":
+		case "message", "Message":
 			if value != nil {
 				jtv, ok := value.(string)
 				if !ok {
@@ -908,7 +929,7 @@ func awsRestjson1_deserializeDocumentResourceNotFoundException(v **types.Resourc
 
 	for key, value := range shape {
 		switch key {
-		case "message":
+		case "message", "Message":
 			if value != nil {
 				jtv, ok := value.(string)
 				if !ok {
@@ -1102,7 +1123,7 @@ func awsRestjson1_deserializeDocumentTooManyRequestsException(v **types.TooManyR
 
 	for key, value := range shape {
 		switch key {
-		case "message":
+		case "message", "Message":
 			if value != nil {
 				jtv, ok := value.(string)
 				if !ok {
@@ -1142,7 +1163,7 @@ func awsRestjson1_deserializeDocumentUnauthorizedException(v **types.Unauthorize
 
 	for key, value := range shape {
 		switch key {
-		case "message":
+		case "message", "Message":
 			if value != nil {
 				jtv, ok := value.(string)
 				if !ok {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/endpoints.go
index 76521eec0..53c6bc756 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/endpoints.go
@@ -16,6 +16,7 @@ import (
 	smithyendpoints "github.com/aws/smithy-go/endpoints"
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net/http"
 	"net/url"
@@ -288,6 +289,17 @@ func (p EndpointParameters) WithDefaults() EndpointParameters {
 	return p
 }
 
+type stringSlice []string
+
+func (s stringSlice) Get(i int) *string {
+	if i < 0 || i >= len(s) {
+		return nil
+	}
+
+	v := s[i]
+	return &v
+}
+
 // EndpointResolverV2 provides the interface for resolving service endpoints.
 type EndpointResolverV2 interface {
 	// ResolveEndpoint attempts to resolve the endpoint with the provided options,
@@ -465,7 +477,7 @@ type endpointParamsBinder interface {
 	bindEndpointParams(*EndpointParameters)
 }
 
-func bindEndpointParams(input interface{}, options Options) *EndpointParameters {
+func bindEndpointParams(ctx context.Context, input interface{}, options Options) *EndpointParameters {
 	params := &EndpointParameters{}
 
 	params.Region = bindRegion(options.Region)
@@ -491,6 +503,9 @@ func (*resolveEndpointV2Middleware) ID() string {
 func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "ResolveEndpoint")
+	defer span.End()
+
 	if awsmiddleware.GetRequiresLegacyEndpoints(ctx) {
 		return next.HandleFinalize(ctx, in)
 	}
@@ -504,12 +519,17 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil")
 	}
 
-	params := bindEndpointParams(getOperationInput(ctx), m.options)
-	endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
+	params := bindEndpointParams(ctx, getOperationInput(ctx), m.options)
+	endpt, err := timeOperationMetric(ctx, "client.call.resolve_endpoint_duration",
+		func() (smithyendpoints.Endpoint, error) {
+			return m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
+		})
 	if err != nil {
 		return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err)
 	}
 
+	span.SetProperty("client.call.resolved_endpoint", endpt.URI.String())
+
 	if endpt.URI.RawPath == "" && req.URL.RawPath != "" {
 		endpt.URI.RawPath = endpt.URI.Path
 	}
@@ -531,5 +551,6 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		rscheme.SignerProperties.SetAll(&o.SignerProperties)
 	}
 
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/generated.json b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/generated.json
index 936253d7c..abbb7ea18 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/generated.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/generated.json
@@ -29,7 +29,7 @@
         "types/types.go",
         "validators.go"
     ],
-    "go": "1.15",
+    "go": "1.22",
     "module": "github.com/aws/aws-sdk-go-v2/service/sso",
     "unstable": false
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
index ad5b48930..007dfdc66 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sso
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.20.11"
+const goModuleVersion = "1.24.16"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go
index 2c3a77ce3..081867b3d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go
@@ -94,7 +94,7 @@ var partitionRegexp = struct {
 	AwsUsGov *regexp.Regexp
 }{
 
-	Aws:      regexp.MustCompile("^(us|eu|ap|sa|ca|me|af|il)\\-\\w+\\-\\d+$"),
+	Aws:      regexp.MustCompile("^(us|eu|ap|sa|ca|me|af|il|mx)\\-\\w+\\-\\d+$"),
 	AwsCn:    regexp.MustCompile("^cn\\-\\w+\\-\\d+$"),
 	AwsIso:   regexp.MustCompile("^us\\-iso\\-\\w+\\-\\d+$"),
 	AwsIsoB:  regexp.MustCompile("^us\\-isob\\-\\w+\\-\\d+$"),
@@ -235,6 +235,14 @@ var defaultPartitions = endpoints.Partitions{
 					Region: "ca-central-1",
 				},
 			},
+			endpoints.EndpointKey{
+				Region: "ca-west-1",
+			}: endpoints.Endpoint{
+				Hostname: "portal.sso.ca-west-1.amazonaws.com",
+				CredentialScope: endpoints.CredentialScope{
+					Region: "ca-west-1",
+				},
+			},
 			endpoints.EndpointKey{
 				Region: "eu-central-1",
 			}: endpoints.Endpoint{
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go
index 3561c4430..aa744f159 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go
@@ -9,7 +9,9 @@ import (
 	internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
 	smithyauth "github.com/aws/smithy-go/auth"
 	"github.com/aws/smithy-go/logging"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net/http"
 )
@@ -66,6 +68,9 @@ type Options struct {
 	// The logger writer interface to write logging messages to.
 	Logger logging.Logger
 
+	// The client meter provider.
+	MeterProvider metrics.MeterProvider
+
 	// The region to send requests to. (Required)
 	Region string
 
@@ -100,6 +105,9 @@ type Options struct {
 	// within your applications.
 	RuntimeEnvironment aws.RuntimeEnvironment
 
+	// The client tracer provider.
+	TracerProvider tracing.TracerProvider
+
 	// The initial DefaultsMode used when the client options were constructed. If the
 	// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
 	// value was at that point in time.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/serializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/serializers.go
index 02e314115..a7a5b57de 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sso/serializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sso/serializers.go
@@ -8,6 +8,7 @@ import (
 	smithy "github.com/aws/smithy-go"
 	"github.com/aws/smithy-go/encoding/httpbinding"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
@@ -21,6 +22,10 @@ func (*awsRestjson1_serializeOpGetRoleCredentials) ID() string {
 func (m *awsRestjson1_serializeOpGetRoleCredentials) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -57,6 +62,8 @@ func (m *awsRestjson1_serializeOpGetRoleCredentials) HandleSerialize(ctx context
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsGetRoleCredentialsInput(v *GetRoleCredentialsInput, encoder *httpbinding.Encoder) error {
@@ -64,7 +71,7 @@ func awsRestjson1_serializeOpHttpBindingsGetRoleCredentialsInput(v *GetRoleCrede
 		return fmt.Errorf("unsupported serialization of nil %T", v)
 	}
 
-	if v.AccessToken != nil && len(*v.AccessToken) > 0 {
+	if v.AccessToken != nil {
 		locationName := "X-Amz-Sso_bearer_token"
 		encoder.SetHeader(locationName).String(*v.AccessToken)
 	}
@@ -90,6 +97,10 @@ func (*awsRestjson1_serializeOpListAccountRoles) ID() string {
 func (m *awsRestjson1_serializeOpListAccountRoles) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -126,6 +137,8 @@ func (m *awsRestjson1_serializeOpListAccountRoles) HandleSerialize(ctx context.C
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsListAccountRolesInput(v *ListAccountRolesInput, encoder *httpbinding.Encoder) error {
@@ -133,7 +146,7 @@ func awsRestjson1_serializeOpHttpBindingsListAccountRolesInput(v *ListAccountRol
 		return fmt.Errorf("unsupported serialization of nil %T", v)
 	}
 
-	if v.AccessToken != nil && len(*v.AccessToken) > 0 {
+	if v.AccessToken != nil {
 		locationName := "X-Amz-Sso_bearer_token"
 		encoder.SetHeader(locationName).String(*v.AccessToken)
 	}
@@ -163,6 +176,10 @@ func (*awsRestjson1_serializeOpListAccounts) ID() string {
 func (m *awsRestjson1_serializeOpListAccounts) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -199,6 +216,8 @@ func (m *awsRestjson1_serializeOpListAccounts) HandleSerialize(ctx context.Conte
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsListAccountsInput(v *ListAccountsInput, encoder *httpbinding.Encoder) error {
@@ -206,7 +225,7 @@ func awsRestjson1_serializeOpHttpBindingsListAccountsInput(v *ListAccountsInput,
 		return fmt.Errorf("unsupported serialization of nil %T", v)
 	}
 
-	if v.AccessToken != nil && len(*v.AccessToken) > 0 {
+	if v.AccessToken != nil {
 		locationName := "X-Amz-Sso_bearer_token"
 		encoder.SetHeader(locationName).String(*v.AccessToken)
 	}
@@ -232,6 +251,10 @@ func (*awsRestjson1_serializeOpLogout) ID() string {
 func (m *awsRestjson1_serializeOpLogout) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -268,6 +291,8 @@ func (m *awsRestjson1_serializeOpLogout) HandleSerialize(ctx context.Context, in
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsLogoutInput(v *LogoutInput, encoder *httpbinding.Encoder) error {
@@ -275,7 +300,7 @@ func awsRestjson1_serializeOpHttpBindingsLogoutInput(v *LogoutInput, encoder *ht
 		return fmt.Errorf("unsupported serialization of nil %T", v)
 	}
 
-	if v.AccessToken != nil && len(*v.AccessToken) > 0 {
+	if v.AccessToken != nil {
 		locationName := "X-Amz-Sso_bearer_token"
 		encoder.SetHeader(locationName).String(*v.AccessToken)
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
index d82a89482..ac92dae97 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md
@@ -1,3 +1,143 @@
+# v1.28.15 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.14 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.13 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.12 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.11 (2025-01-24)
+
+* **Documentation**: Fixed typos in the descriptions.
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.28.10 (2025-01-17)
+
+* **Bug Fix**: Fix bug where credentials weren't refreshed during retry loop.
+
+# v1.28.9 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.8 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.7 (2024-12-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.6 (2024-12-02)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.5 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.4 (2024-11-06)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.3 (2024-10-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.2 (2024-10-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.1 (2024-10-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.0 (2024-10-04)
+
+* **Feature**: Add support for HTTP client metrics.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.4 (2024-10-03)
+
+* No change notes available for this release.
+
+# v1.27.3 (2024-09-27)
+
+* No change notes available for this release.
+
+# v1.27.2 (2024-09-25)
+
+* No change notes available for this release.
+
+# v1.27.1 (2024-09-23)
+
+* No change notes available for this release.
+
+# v1.27.0 (2024-09-20)
+
+* **Feature**: Add tracing and metrics support to service clients.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.26.8 (2024-09-17)
+
+* **Bug Fix**: **BREAKFIX**: Only generate AccountIDEndpointMode config for services that use it. This is a compiler break, but removes no actual functionality, as no services currently use the account ID in endpoint resolution.
+
+# v1.26.7 (2024-09-04)
+
+* No change notes available for this release.
+
+# v1.26.6 (2024-09-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.26.5 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.26.4 (2024-07-10.2)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.26.3 (2024-07-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.26.2 (2024-07-03)
+
+* No change notes available for this release.
+
+# v1.26.1 (2024-06-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.26.0 (2024-06-26)
+
+* **Feature**: Support list-of-string endpoint parameter.
+
+# v1.25.1 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.25.0 (2024-06-18)
+
+* **Feature**: Track usage of various AWS SDK features in user-agent string.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.6 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.24.5 (2024-06-07)
 
 * **Bug Fix**: Add clock skew correction on all service clients
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go
index bfd5c68c4..9b7f4acc8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go
@@ -4,6 +4,7 @@ package ssooidc
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/defaults"
@@ -16,9 +17,12 @@ import (
 	internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
 	internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
 	smithy "github.com/aws/smithy-go"
+	smithyauth "github.com/aws/smithy-go/auth"
 	smithydocument "github.com/aws/smithy-go/document"
 	"github.com/aws/smithy-go/logging"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net"
 	"net/http"
@@ -29,6 +33,133 @@ import (
 const ServiceID = "SSO OIDC"
 const ServiceAPIVersion = "2019-06-10"
 
+type operationMetrics struct {
+	Duration                metrics.Float64Histogram
+	SerializeDuration       metrics.Float64Histogram
+	ResolveIdentityDuration metrics.Float64Histogram
+	ResolveEndpointDuration metrics.Float64Histogram
+	SignRequestDuration     metrics.Float64Histogram
+	DeserializeDuration     metrics.Float64Histogram
+}
+
+func (m *operationMetrics) histogramFor(name string) metrics.Float64Histogram {
+	switch name {
+	case "client.call.duration":
+		return m.Duration
+	case "client.call.serialization_duration":
+		return m.SerializeDuration
+	case "client.call.resolve_identity_duration":
+		return m.ResolveIdentityDuration
+	case "client.call.resolve_endpoint_duration":
+		return m.ResolveEndpointDuration
+	case "client.call.signing_duration":
+		return m.SignRequestDuration
+	case "client.call.deserialization_duration":
+		return m.DeserializeDuration
+	default:
+		panic("unrecognized operation metric")
+	}
+}
+
+func timeOperationMetric[T any](
+	ctx context.Context, metric string, fn func() (T, error),
+	opts ...metrics.RecordMetricOption,
+) (T, error) {
+	instr := getOperationMetrics(ctx).histogramFor(metric)
+	opts = append([]metrics.RecordMetricOption{withOperationMetadata(ctx)}, opts...)
+
+	start := time.Now()
+	v, err := fn()
+	end := time.Now()
+
+	elapsed := end.Sub(start)
+	instr.Record(ctx, float64(elapsed)/1e9, opts...)
+	return v, err
+}
+
+func startMetricTimer(ctx context.Context, metric string, opts ...metrics.RecordMetricOption) func() {
+	instr := getOperationMetrics(ctx).histogramFor(metric)
+	opts = append([]metrics.RecordMetricOption{withOperationMetadata(ctx)}, opts...)
+
+	var ended bool
+	start := time.Now()
+	return func() {
+		if ended {
+			return
+		}
+		ended = true
+
+		end := time.Now()
+
+		elapsed := end.Sub(start)
+		instr.Record(ctx, float64(elapsed)/1e9, opts...)
+	}
+}
+
+func withOperationMetadata(ctx context.Context) metrics.RecordMetricOption {
+	return func(o *metrics.RecordMetricOptions) {
+		o.Properties.Set("rpc.service", middleware.GetServiceID(ctx))
+		o.Properties.Set("rpc.method", middleware.GetOperationName(ctx))
+	}
+}
+
+type operationMetricsKey struct{}
+
+func withOperationMetrics(parent context.Context, mp metrics.MeterProvider) (context.Context, error) {
+	meter := mp.Meter("github.com/aws/aws-sdk-go-v2/service/ssooidc")
+	om := &operationMetrics{}
+
+	var err error
+
+	om.Duration, err = operationMetricTimer(meter, "client.call.duration",
+		"Overall call duration (including retries and time to send or receive request and response body)")
+	if err != nil {
+		return nil, err
+	}
+	om.SerializeDuration, err = operationMetricTimer(meter, "client.call.serialization_duration",
+		"The time it takes to serialize a message body")
+	if err != nil {
+		return nil, err
+	}
+	om.ResolveIdentityDuration, err = operationMetricTimer(meter, "client.call.auth.resolve_identity_duration",
+		"The time taken to acquire an identity (AWS credentials, bearer token, etc) from an Identity Provider")
+	if err != nil {
+		return nil, err
+	}
+	om.ResolveEndpointDuration, err = operationMetricTimer(meter, "client.call.resolve_endpoint_duration",
+		"The time it takes to resolve an endpoint (endpoint resolver, not DNS) for the request")
+	if err != nil {
+		return nil, err
+	}
+	om.SignRequestDuration, err = operationMetricTimer(meter, "client.call.auth.signing_duration",
+		"The time it takes to sign a request")
+	if err != nil {
+		return nil, err
+	}
+	om.DeserializeDuration, err = operationMetricTimer(meter, "client.call.deserialization_duration",
+		"The time it takes to deserialize a message body")
+	if err != nil {
+		return nil, err
+	}
+
+	return context.WithValue(parent, operationMetricsKey{}, om), nil
+}
+
+func operationMetricTimer(m metrics.Meter, name, desc string) (metrics.Float64Histogram, error) {
+	return m.Float64Histogram(name, func(o *metrics.InstrumentOptions) {
+		o.UnitLabel = "s"
+		o.Description = desc
+	})
+}
+
+func getOperationMetrics(ctx context.Context) *operationMetrics {
+	return ctx.Value(operationMetricsKey{}).(*operationMetrics)
+}
+
+func operationTracer(p tracing.TracerProvider) tracing.Tracer {
+	return p.Tracer("github.com/aws/aws-sdk-go-v2/service/ssooidc")
+}
+
 // Client provides the API client to make operations call for AWS SSO OIDC.
 type Client struct {
 	options Options
@@ -55,6 +186,10 @@ func New(options Options, optFns ...func(*Options)) *Client {
 
 	resolveEndpointResolverV2(&options)
 
+	resolveTracerProvider(&options)
+
+	resolveMeterProvider(&options)
+
 	resolveAuthSchemeResolver(&options)
 
 	for _, fn := range optFns {
@@ -87,8 +222,15 @@ func (c *Client) Options() Options {
 	return c.options.Copy()
 }
 
-func (c *Client) invokeOperation(ctx context.Context, opID string, params interface{}, optFns []func(*Options), stackFns ...func(*middleware.Stack, Options) error) (result interface{}, metadata middleware.Metadata, err error) {
+func (c *Client) invokeOperation(
+	ctx context.Context, opID string, params interface{}, optFns []func(*Options), stackFns ...func(*middleware.Stack, Options) error,
+) (
+	result interface{}, metadata middleware.Metadata, err error,
+) {
 	ctx = middleware.ClearStackValues(ctx)
+	ctx = middleware.WithServiceID(ctx, ServiceID)
+	ctx = middleware.WithOperationName(ctx, opID)
+
 	stack := middleware.NewStack(opID, smithyhttp.NewStackRequest)
 	options := c.options.Copy()
 
@@ -112,15 +254,56 @@ func (c *Client) invokeOperation(ctx context.Context, opID string, params interf
 		}
 	}
 
-	handler := middleware.DecorateHandler(smithyhttp.NewClientHandler(options.HTTPClient), stack)
-	result, metadata, err = handler.Handle(ctx, params)
+	ctx, err = withOperationMetrics(ctx, options.MeterProvider)
 	if err != nil {
+		return nil, metadata, err
+	}
+
+	tracer := operationTracer(options.TracerProvider)
+	spanName := fmt.Sprintf("%s.%s", ServiceID, opID)
+
+	ctx = tracing.WithOperationTracer(ctx, tracer)
+
+	ctx, span := tracer.StartSpan(ctx, spanName, func(o *tracing.SpanOptions) {
+		o.Kind = tracing.SpanKindClient
+		o.Properties.Set("rpc.system", "aws-api")
+		o.Properties.Set("rpc.method", opID)
+		o.Properties.Set("rpc.service", ServiceID)
+	})
+	endTimer := startMetricTimer(ctx, "client.call.duration")
+	defer endTimer()
+	defer span.End()
+
+	handler := smithyhttp.NewClientHandlerWithOptions(options.HTTPClient, func(o *smithyhttp.ClientHandler) {
+		o.Meter = options.MeterProvider.Meter("github.com/aws/aws-sdk-go-v2/service/ssooidc")
+	})
+	decorated := middleware.DecorateHandler(handler, stack)
+	result, metadata, err = decorated.Handle(ctx, params)
+	if err != nil {
+		span.SetProperty("exception.type", fmt.Sprintf("%T", err))
+		span.SetProperty("exception.message", err.Error())
+
+		var aerr smithy.APIError
+		if errors.As(err, &aerr) {
+			span.SetProperty("api.error_code", aerr.ErrorCode())
+			span.SetProperty("api.error_message", aerr.ErrorMessage())
+			span.SetProperty("api.error_fault", aerr.ErrorFault().String())
+		}
+
 		err = &smithy.OperationError{
 			ServiceID:     ServiceID,
 			OperationName: opID,
 			Err:           err,
 		}
 	}
+
+	span.SetProperty("error", err != nil)
+	if err == nil {
+		span.SetStatus(tracing.SpanStatusOK)
+	} else {
+		span.SetStatus(tracing.SpanStatusError)
+	}
+
 	return result, metadata, err
 }
 
@@ -158,7 +341,7 @@ func addProtocolFinalizerMiddlewares(stack *middleware.Stack, options Options, o
 	if err := stack.Finalize.Insert(&resolveEndpointV2Middleware{options: options}, "GetIdentity", middleware.After); err != nil {
 		return fmt.Errorf("add ResolveEndpointV2: %v", err)
 	}
-	if err := stack.Finalize.Insert(&signRequestMiddleware{}, "ResolveEndpointV2", middleware.After); err != nil {
+	if err := stack.Finalize.Insert(&signRequestMiddleware{options: options}, "ResolveEndpointV2", middleware.After); err != nil {
 		return fmt.Errorf("add Signing: %w", err)
 	}
 	return nil
@@ -432,6 +615,30 @@ func addRawResponseToMetadata(stack *middleware.Stack) error {
 func addRecordResponseTiming(stack *middleware.Stack) error {
 	return stack.Deserialize.Add(&awsmiddleware.RecordResponseTiming{}, middleware.After)
 }
+
+func addSpanRetryLoop(stack *middleware.Stack, options Options) error {
+	return stack.Finalize.Insert(&spanRetryLoop{options: options}, "Retry", middleware.Before)
+}
+
+type spanRetryLoop struct {
+	options Options
+}
+
+func (*spanRetryLoop) ID() string {
+	return "spanRetryLoop"
+}
+
+func (m *spanRetryLoop) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
+) (
+	middleware.FinalizeOutput, middleware.Metadata, error,
+) {
+	tracer := operationTracer(m.options.TracerProvider)
+	ctx, span := tracer.StartSpan(ctx, "RetryLoop")
+	defer span.End()
+
+	return next.HandleFinalize(ctx, in)
+}
 func addStreamingEventsPayload(stack *middleware.Stack) error {
 	return stack.Finalize.Add(&v4.StreamingEventsPayload{}, middleware.Before)
 }
@@ -448,11 +655,36 @@ func addContentSHA256Header(stack *middleware.Stack) error {
 	return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After)
 }
 
+func addIsWaiterUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureWaiter)
+		return nil
+	})
+}
+
+func addIsPaginatorUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeaturePaginator)
+		return nil
+	})
+}
+
 func addRetry(stack *middleware.Stack, o Options) error {
 	attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) {
 		m.LogAttempts = o.ClientLogMode.IsRetries()
+		m.OperationMeter = o.MeterProvider.Meter("github.com/aws/aws-sdk-go-v2/service/ssooidc")
 	})
-	if err := stack.Finalize.Insert(attempt, "Signing", middleware.Before); err != nil {
+	if err := stack.Finalize.Insert(attempt, "ResolveAuthScheme", middleware.Before); err != nil {
 		return err
 	}
 	if err := stack.Finalize.Insert(&retry.MetricsHeader{}, attempt.ID(), middleware.After); err != nil {
@@ -491,6 +723,18 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
 	return nil
 }
 
+func resolveAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) *string {
+	if mode == aws.AccountIDEndpointModeDisabled {
+		return nil
+	}
+
+	if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); ok && ca.Credentials.AccountID != "" {
+		return aws.String(ca.Credentials.AccountID)
+	}
+
+	return nil
+}
+
 func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
 	mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
 	if err := stack.Build.Add(&mw, middleware.After); err != nil {
@@ -502,6 +746,33 @@ func initializeTimeOffsetResolver(c *Client) {
 	c.timeOffset = new(atomic.Int64)
 }
 
+func addUserAgentRetryMode(stack *middleware.Stack, options Options) error {
+	ua, err := getOrAddRequestUserAgent(stack)
+	if err != nil {
+		return err
+	}
+
+	switch options.Retryer.(type) {
+	case *retry.Standard:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeStandard)
+	case *retry.AdaptiveMode:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeAdaptive)
+	}
+	return nil
+}
+
+func resolveTracerProvider(options *Options) {
+	if options.TracerProvider == nil {
+		options.TracerProvider = &tracing.NopTracerProvider{}
+	}
+}
+
+func resolveMeterProvider(options *Options) {
+	if options.MeterProvider == nil {
+		options.MeterProvider = metrics.NopMeterProvider{}
+	}
+}
+
 func addRecursionDetection(stack *middleware.Stack) error {
 	return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
 }
@@ -553,3 +824,89 @@ func addDisableHTTPSMiddleware(stack *middleware.Stack, o Options) error {
 		DisableHTTPS: o.EndpointOptions.DisableHTTPS,
 	}, "ResolveEndpointV2", middleware.After)
 }
+
+type spanInitializeStart struct {
+}
+
+func (*spanInitializeStart) ID() string {
+	return "spanInitializeStart"
+}
+
+func (m *spanInitializeStart) HandleInitialize(
+	ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler,
+) (
+	middleware.InitializeOutput, middleware.Metadata, error,
+) {
+	ctx, _ = tracing.StartSpan(ctx, "Initialize")
+
+	return next.HandleInitialize(ctx, in)
+}
+
+type spanInitializeEnd struct {
+}
+
+func (*spanInitializeEnd) ID() string {
+	return "spanInitializeEnd"
+}
+
+func (m *spanInitializeEnd) HandleInitialize(
+	ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler,
+) (
+	middleware.InitializeOutput, middleware.Metadata, error,
+) {
+	ctx, span := tracing.PopSpan(ctx)
+	span.End()
+
+	return next.HandleInitialize(ctx, in)
+}
+
+type spanBuildRequestStart struct {
+}
+
+func (*spanBuildRequestStart) ID() string {
+	return "spanBuildRequestStart"
+}
+
+func (m *spanBuildRequestStart) HandleSerialize(
+	ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler,
+) (
+	middleware.SerializeOutput, middleware.Metadata, error,
+) {
+	ctx, _ = tracing.StartSpan(ctx, "BuildRequest")
+
+	return next.HandleSerialize(ctx, in)
+}
+
+type spanBuildRequestEnd struct {
+}
+
+func (*spanBuildRequestEnd) ID() string {
+	return "spanBuildRequestEnd"
+}
+
+func (m *spanBuildRequestEnd) HandleBuild(
+	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+) (
+	middleware.BuildOutput, middleware.Metadata, error,
+) {
+	ctx, span := tracing.PopSpan(ctx)
+	span.End()
+
+	return next.HandleBuild(ctx, in)
+}
+
+func addSpanInitializeStart(stack *middleware.Stack) error {
+	return stack.Initialize.Add(&spanInitializeStart{}, middleware.Before)
+}
+
+func addSpanInitializeEnd(stack *middleware.Stack) error {
+	return stack.Initialize.Add(&spanInitializeEnd{}, middleware.After)
+}
+
+func addSpanBuildRequestStart(stack *middleware.Stack) error {
+	return stack.Serialize.Add(&spanBuildRequestStart{}, middleware.Before)
+}
+
+func addSpanBuildRequestEnd(stack *middleware.Stack) error {
+	return stack.Build.Add(&spanBuildRequestEnd{}, middleware.After)
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
index e33f3f059..2ab352447 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go
@@ -12,7 +12,7 @@ import (
 
 // Creates and returns access and refresh tokens for clients that are
 // authenticated using client secrets. The access token can be used to fetch
-// short-term credentials for the assigned AWS accounts or to access application
+// short-lived credentials for the assigned AWS accounts or to access application
 // APIs using bearer authentication.
 func (c *Client) CreateToken(ctx context.Context, params *CreateTokenInput, optFns ...func(*Options)) (*CreateTokenOutput, error) {
 	if params == nil {
@@ -43,22 +43,21 @@ type CreateTokenInput struct {
 	// This member is required.
 	ClientSecret *string
 
-	// Supports the following OAuth grant types: Device Code and Refresh Token.
-	// Specify either of the following values, depending on the grant type that you
-	// want:
+	// Supports the following OAuth grant types: Authorization Code, Device Code, and
+	// Refresh Token. Specify one of the following values, depending on the grant type
+	// that you want:
+	//
+	// * Authorization Code - authorization_code
 	//
 	// * Device Code - urn:ietf:params:oauth:grant-type:device_code
 	//
 	// * Refresh Token - refresh_token
 	//
-	// For information about how to obtain the device code, see the StartDeviceAuthorization topic.
-	//
 	// This member is required.
 	GrantType *string
 
 	// Used only when calling this API for the Authorization Code grant type. The
-	// short-term code is used to identify this authorization request. This grant type
-	// is currently unsupported for the CreateTokenAPI.
+	// short-lived code is used to identify this authorization request.
 	Code *string
 
 	// Used only when calling this API for the Authorization Code grant type. This
@@ -66,9 +65,9 @@ type CreateTokenInput struct {
 	// challenge value the client passed at authorization time.
 	CodeVerifier *string
 
-	// Used only when calling this API for the Device Code grant type. This short-term
-	// code is used to identify this authorization request. This comes from the result
-	// of the StartDeviceAuthorizationAPI.
+	// Used only when calling this API for the Device Code grant type. This
+	// short-lived code is used to identify this authorization request. This comes from
+	// the result of the StartDeviceAuthorizationAPI.
 	DeviceCode *string
 
 	// Used only when calling this API for the Authorization Code grant type. This
@@ -77,7 +76,7 @@ type CreateTokenInput struct {
 	RedirectUri *string
 
 	// Used only when calling this API for the Refresh Token grant type. This token is
-	// used to refresh short-term tokens, such as the access token, that might expire.
+	// used to refresh short-lived tokens, such as the access token, that might expire.
 	//
 	// For more information about the features and limitations of the current IAM
 	// Identity Center OIDC implementation, see Considerations for Using this Guide in
@@ -174,6 +173,9 @@ func (c *Client) addOperationCreateTokenMiddlewares(stack *middleware.Stack, opt
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -189,6 +191,9 @@ func (c *Client) addOperationCreateTokenMiddlewares(stack *middleware.Stack, opt
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpCreateTokenValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -210,6 +215,18 @@ func (c *Client) addOperationCreateTokenMiddlewares(stack *middleware.Stack, opt
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go
index 9159db93b..e5253ce88 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go
@@ -12,7 +12,7 @@ import (
 
 // Creates and returns access and refresh tokens for clients and applications that
 // are authenticated using IAM entities. The access token can be used to fetch
-// short-term credentials for the assigned Amazon Web Services accounts or to
+// short-lived credentials for the assigned Amazon Web Services accounts or to
 // access application APIs using bearer authentication.
 func (c *Client) CreateTokenWithIAM(ctx context.Context, params *CreateTokenWithIAMInput, optFns ...func(*Options)) (*CreateTokenWithIAMOutput, error) {
 	if params == nil {
@@ -59,7 +59,7 @@ type CreateTokenWithIAMInput struct {
 	Assertion *string
 
 	// Used only when calling this API for the Authorization Code grant type. This
-	// short-term code is used to identify this authorization request. The code is
+	// short-lived code is used to identify this authorization request. The code is
 	// obtained through a redirect from IAM Identity Center to a redirect URI persisted
 	// in the Authorization Code GrantOptions for the application.
 	Code *string
@@ -75,7 +75,7 @@ type CreateTokenWithIAMInput struct {
 	RedirectUri *string
 
 	// Used only when calling this API for the Refresh Token grant type. This token is
-	// used to refresh short-term tokens, such as the access token, that might expire.
+	// used to refresh short-lived tokens, such as the access token, that might expire.
 	//
 	// For more information about the features and limitations of the current IAM
 	// Identity Center OIDC implementation, see Considerations for Using this Guide in
@@ -205,6 +205,9 @@ func (c *Client) addOperationCreateTokenWithIAMMiddlewares(stack *middleware.Sta
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -220,6 +223,9 @@ func (c *Client) addOperationCreateTokenWithIAMMiddlewares(stack *middleware.Sta
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpCreateTokenWithIAMValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -241,6 +247,18 @@ func (c *Client) addOperationCreateTokenWithIAMMiddlewares(stack *middleware.Sta
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go
index 9820fae48..2022270db 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go
@@ -10,9 +10,9 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-// Registers a client with IAM Identity Center. This allows clients to initiate
-// device authorization. The output should be persisted for reuse through many
-// authentication requests.
+// Registers a public client with IAM Identity Center. This allows clients to
+// perform authorization using the authorization code grant with Proof Key for Code
+// Exchange (PKCE) or the device code grant.
 func (c *Client) RegisterClient(ctx context.Context, params *RegisterClientInput, optFns ...func(*Options)) (*RegisterClientOutput, error) {
 	if params == nil {
 		params = &RegisterClientInput{}
@@ -48,7 +48,15 @@ type RegisterClientInput struct {
 	EntitledApplicationArn *string
 
 	// The list of OAuth 2.0 grant types that are defined by the client. This list is
-	// used to restrict the token granting flows available to the client.
+	// used to restrict the token granting flows available to the client. Supports the
+	// following OAuth 2.0 grant types: Authorization Code, Device Code, and Refresh
+	// Token.
+	//
+	// * Authorization Code - authorization_code
+	//
+	// * Device Code - urn:ietf:params:oauth:grant-type:device_code
+	//
+	// * Refresh Token - refresh_token
 	GrantTypes []string
 
 	// The IAM Identity Center Issuer URL associated with an instance of IAM Identity
@@ -135,6 +143,9 @@ func (c *Client) addOperationRegisterClientMiddlewares(stack *middleware.Stack,
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -150,6 +161,9 @@ func (c *Client) addOperationRegisterClientMiddlewares(stack *middleware.Stack,
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpRegisterClientValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -171,6 +185,18 @@ func (c *Client) addOperationRegisterClientMiddlewares(stack *middleware.Stack,
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go
index a3bae9912..203ca5e67 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go
@@ -125,6 +125,9 @@ func (c *Client) addOperationStartDeviceAuthorizationMiddlewares(stack *middlewa
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -140,6 +143,9 @@ func (c *Client) addOperationStartDeviceAuthorizationMiddlewares(stack *middlewa
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpStartDeviceAuthorizationValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -161,6 +167,18 @@ func (c *Client) addOperationStartDeviceAuthorizationMiddlewares(stack *middlewa
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/auth.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/auth.go
index 40b3becb9..e4b87f5bc 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/auth.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/auth.go
@@ -8,11 +8,13 @@ import (
 	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
 	smithy "github.com/aws/smithy-go"
 	smithyauth "github.com/aws/smithy-go/auth"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-func bindAuthParamsRegion(params *AuthResolverParameters, _ interface{}, options Options) {
+func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
 	params.Region = options.Region
 }
 
@@ -90,12 +92,12 @@ type AuthResolverParameters struct {
 	Region string
 }
 
-func bindAuthResolverParams(operation string, input interface{}, options Options) *AuthResolverParameters {
+func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
 	params := &AuthResolverParameters{
 		Operation: operation,
 	}
 
-	bindAuthParamsRegion(params, input, options)
+	bindAuthParamsRegion(ctx, params, input, options)
 
 	return params
 }
@@ -163,7 +165,10 @@ func (*resolveAuthSchemeMiddleware) ID() string {
 func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	params := bindAuthResolverParams(m.operation, getOperationInput(ctx), m.options)
+	_, span := tracing.StartSpan(ctx, "ResolveAuthScheme")
+	defer span.End()
+
+	params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
 	options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
 	if err != nil {
 		return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)
@@ -175,6 +180,9 @@ func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in mid
 	}
 
 	ctx = setResolvedAuthScheme(ctx, scheme)
+
+	span.SetProperty("auth.scheme_id", scheme.Scheme.SchemeID())
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
 
@@ -234,7 +242,10 @@ func (*getIdentityMiddleware) ID() string {
 func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	rscheme := getResolvedAuthScheme(ctx)
+	innerCtx, span := tracing.StartSpan(ctx, "GetIdentity")
+	defer span.End()
+
+	rscheme := getResolvedAuthScheme(innerCtx)
 	if rscheme == nil {
 		return out, metadata, fmt.Errorf("no resolved auth scheme")
 	}
@@ -244,12 +255,20 @@ func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middlewar
 		return out, metadata, fmt.Errorf("no identity resolver")
 	}
 
-	identity, err := resolver.GetIdentity(ctx, rscheme.IdentityProperties)
+	identity, err := timeOperationMetric(ctx, "client.call.resolve_identity_duration",
+		func() (smithyauth.Identity, error) {
+			return resolver.GetIdentity(innerCtx, rscheme.IdentityProperties)
+		},
+		func(o *metrics.RecordMetricOptions) {
+			o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
+		})
 	if err != nil {
 		return out, metadata, fmt.Errorf("get identity: %w", err)
 	}
 
 	ctx = setIdentity(ctx, identity)
+
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
 
@@ -265,6 +284,7 @@ func getIdentity(ctx context.Context) smithyauth.Identity {
 }
 
 type signRequestMiddleware struct {
+	options Options
 }
 
 func (*signRequestMiddleware) ID() string {
@@ -274,6 +294,9 @@ func (*signRequestMiddleware) ID() string {
 func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "SignRequest")
+	defer span.End()
+
 	req, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, fmt.Errorf("unexpected transport type %T", in.Request)
@@ -294,9 +317,15 @@ func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middlewar
 		return out, metadata, fmt.Errorf("no signer")
 	}
 
-	if err := signer.SignRequest(ctx, req, identity, rscheme.SignerProperties); err != nil {
+	_, err = timeOperationMetric(ctx, "client.call.signing_duration", func() (any, error) {
+		return nil, signer.SignRequest(ctx, req, identity, rscheme.SignerProperties)
+	}, func(o *metrics.RecordMetricOptions) {
+		o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
+	})
+	if err != nil {
 		return out, metadata, fmt.Errorf("sign request: %w", err)
 	}
 
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go
index 05e8c6b7e..ae9f145e6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go
@@ -14,6 +14,7 @@ import (
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
 	smithytime "github.com/aws/smithy-go/time"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"io"
 	"strings"
@@ -43,6 +44,10 @@ func (m *awsRestjson1_deserializeOpCreateToken) HandleDeserialize(ctx context.Co
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -82,6 +87,7 @@ func (m *awsRestjson1_deserializeOpCreateToken) HandleDeserialize(ctx context.Co
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
@@ -264,6 +270,10 @@ func (m *awsRestjson1_deserializeOpCreateTokenWithIAM) HandleDeserialize(ctx con
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -303,6 +313,7 @@ func (m *awsRestjson1_deserializeOpCreateTokenWithIAM) HandleDeserialize(ctx con
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
@@ -502,6 +513,10 @@ func (m *awsRestjson1_deserializeOpRegisterClient) HandleDeserialize(ctx context
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -541,6 +556,7 @@ func (m *awsRestjson1_deserializeOpRegisterClient) HandleDeserialize(ctx context
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
@@ -721,6 +737,10 @@ func (m *awsRestjson1_deserializeOpStartDeviceAuthorization) HandleDeserialize(c
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -760,6 +780,7 @@ func (m *awsRestjson1_deserializeOpStartDeviceAuthorization) HandleDeserialize(c
 		}
 	}
 
+	span.End()
 	return out, metadata, err
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go
index 1d258e567..f3510b18c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go
@@ -8,9 +8,12 @@
 // Center. The service also enables the client to fetch the user’s access token
 // upon successful authentication and authorization with IAM Identity Center.
 //
-// IAM Identity Center uses the sso and identitystore API namespaces.
+// # API namespaces
 //
-// # Considerations for Using This Guide
+// IAM Identity Center uses the sso and identitystore API namespaces. IAM Identity
+// Center OpenID Connect uses the sso-oidc namespace.
+//
+// # Considerations for using this guide
 //
 // Before you begin using this guide, we recommend that you first review the
 // following important information about how the IAM Identity Center OIDC service
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/endpoints.go
index 94e835e71..6feea0c9f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/endpoints.go
@@ -16,6 +16,7 @@ import (
 	smithyendpoints "github.com/aws/smithy-go/endpoints"
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net/http"
 	"net/url"
@@ -288,6 +289,17 @@ func (p EndpointParameters) WithDefaults() EndpointParameters {
 	return p
 }
 
+type stringSlice []string
+
+func (s stringSlice) Get(i int) *string {
+	if i < 0 || i >= len(s) {
+		return nil
+	}
+
+	v := s[i]
+	return &v
+}
+
 // EndpointResolverV2 provides the interface for resolving service endpoints.
 type EndpointResolverV2 interface {
 	// ResolveEndpoint attempts to resolve the endpoint with the provided options,
@@ -465,7 +477,7 @@ type endpointParamsBinder interface {
 	bindEndpointParams(*EndpointParameters)
 }
 
-func bindEndpointParams(input interface{}, options Options) *EndpointParameters {
+func bindEndpointParams(ctx context.Context, input interface{}, options Options) *EndpointParameters {
 	params := &EndpointParameters{}
 
 	params.Region = bindRegion(options.Region)
@@ -491,6 +503,9 @@ func (*resolveEndpointV2Middleware) ID() string {
 func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "ResolveEndpoint")
+	defer span.End()
+
 	if awsmiddleware.GetRequiresLegacyEndpoints(ctx) {
 		return next.HandleFinalize(ctx, in)
 	}
@@ -504,12 +519,17 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil")
 	}
 
-	params := bindEndpointParams(getOperationInput(ctx), m.options)
-	endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
+	params := bindEndpointParams(ctx, getOperationInput(ctx), m.options)
+	endpt, err := timeOperationMetric(ctx, "client.call.resolve_endpoint_duration",
+		func() (smithyendpoints.Endpoint, error) {
+			return m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
+		})
 	if err != nil {
 		return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err)
 	}
 
+	span.SetProperty("client.call.resolved_endpoint", endpt.URI.String())
+
 	if endpt.URI.RawPath == "" && req.URL.RawPath != "" {
 		endpt.URI.RawPath = endpt.URI.Path
 	}
@@ -531,5 +551,6 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		rscheme.SignerProperties.SetAll(&o.SignerProperties)
 	}
 
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/generated.json b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/generated.json
index b2a52633b..23d72cf0f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/generated.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/generated.json
@@ -29,7 +29,7 @@
         "types/types.go",
         "validators.go"
     ],
-    "go": "1.15",
+    "go": "1.22",
     "module": "github.com/aws/aws-sdk-go-v2/service/ssooidc",
     "unstable": false
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
index b05fd1174..572dc2567 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go
@@ -3,4 +3,4 @@
 package ssooidc
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.24.5"
+const goModuleVersion = "1.28.15"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go
index 843edb074..b4c61ebad 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go
@@ -94,7 +94,7 @@ var partitionRegexp = struct {
 	AwsUsGov *regexp.Regexp
 }{
 
-	Aws:      regexp.MustCompile("^(us|eu|ap|sa|ca|me|af|il)\\-\\w+\\-\\d+$"),
+	Aws:      regexp.MustCompile("^(us|eu|ap|sa|ca|me|af|il|mx)\\-\\w+\\-\\d+$"),
 	AwsCn:    regexp.MustCompile("^cn\\-\\w+\\-\\d+$"),
 	AwsIso:   regexp.MustCompile("^us\\-iso\\-\\w+\\-\\d+$"),
 	AwsIsoB:  regexp.MustCompile("^us\\-isob\\-\\w+\\-\\d+$"),
@@ -235,6 +235,14 @@ var defaultPartitions = endpoints.Partitions{
 					Region: "ca-central-1",
 				},
 			},
+			endpoints.EndpointKey{
+				Region: "ca-west-1",
+			}: endpoints.Endpoint{
+				Hostname: "oidc.ca-west-1.amazonaws.com",
+				CredentialScope: endpoints.CredentialScope{
+					Region: "ca-west-1",
+				},
+			},
 			endpoints.EndpointKey{
 				Region: "eu-central-1",
 			}: endpoints.Endpoint{
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go
index 69ded47c7..55dd80d0e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go
@@ -9,7 +9,9 @@ import (
 	internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
 	smithyauth "github.com/aws/smithy-go/auth"
 	"github.com/aws/smithy-go/logging"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net/http"
 )
@@ -66,6 +68,9 @@ type Options struct {
 	// The logger writer interface to write logging messages to.
 	Logger logging.Logger
 
+	// The client meter provider.
+	MeterProvider metrics.MeterProvider
+
 	// The region to send requests to. (Required)
 	Region string
 
@@ -100,6 +105,9 @@ type Options struct {
 	// within your applications.
 	RuntimeEnvironment aws.RuntimeEnvironment
 
+	// The client tracer provider.
+	TracerProvider tracing.TracerProvider
+
 	// The initial DefaultsMode used when the client options were constructed. If the
 	// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
 	// value was at that point in time.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go
index 04411bd61..1ad103d1e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go
@@ -10,6 +10,7 @@ import (
 	"github.com/aws/smithy-go/encoding/httpbinding"
 	smithyjson "github.com/aws/smithy-go/encoding/json"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
@@ -23,6 +24,10 @@ func (*awsRestjson1_serializeOpCreateToken) ID() string {
 func (m *awsRestjson1_serializeOpCreateToken) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -66,6 +71,8 @@ func (m *awsRestjson1_serializeOpCreateToken) HandleSerialize(ctx context.Contex
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsCreateTokenInput(v *CreateTokenInput, encoder *httpbinding.Encoder) error {
@@ -140,6 +147,10 @@ func (*awsRestjson1_serializeOpCreateTokenWithIAM) ID() string {
 func (m *awsRestjson1_serializeOpCreateTokenWithIAM) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -183,6 +194,8 @@ func (m *awsRestjson1_serializeOpCreateTokenWithIAM) HandleSerialize(ctx context
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsCreateTokenWithIAMInput(v *CreateTokenWithIAMInput, encoder *httpbinding.Encoder) error {
@@ -267,6 +280,10 @@ func (*awsRestjson1_serializeOpRegisterClient) ID() string {
 func (m *awsRestjson1_serializeOpRegisterClient) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -310,6 +327,8 @@ func (m *awsRestjson1_serializeOpRegisterClient) HandleSerialize(ctx context.Con
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsRegisterClientInput(v *RegisterClientInput, encoder *httpbinding.Encoder) error {
@@ -378,6 +397,10 @@ func (*awsRestjson1_serializeOpStartDeviceAuthorization) ID() string {
 func (m *awsRestjson1_serializeOpStartDeviceAuthorization) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -421,6 +444,8 @@ func (m *awsRestjson1_serializeOpStartDeviceAuthorization) HandleSerialize(ctx c
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsRestjson1_serializeOpHttpBindingsStartDeviceAuthorizationInput(v *StartDeviceAuthorizationInput, encoder *httpbinding.Encoder) error {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
index e43842793..156004c49 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
@@ -1,3 +1,162 @@
+# v1.33.15 (2025-02-18)
+
+* **Bug Fix**: Bump go version to 1.22
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.14 (2025-02-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.13 (2025-02-04)
+
+* No change notes available for this release.
+
+# v1.33.12 (2025-01-31)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.11 (2025-01-30)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.10 (2025-01-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+* **Dependency Update**: Upgrade to smithy-go v1.22.2.
+
+# v1.33.9 (2025-01-17)
+
+* **Bug Fix**: Fix bug where credentials weren't refreshed during retry loop.
+
+# v1.33.8 (2025-01-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.7 (2025-01-14)
+
+* No change notes available for this release.
+
+# v1.33.6 (2025-01-10)
+
+* **Documentation**: Fixed typos in the descriptions.
+
+# v1.33.5 (2025-01-09)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.4 (2025-01-08)
+
+* No change notes available for this release.
+
+# v1.33.3 (2024-12-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.2 (2024-12-02)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.1 (2024-11-18)
+
+* **Dependency Update**: Update to smithy-go v1.22.1.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.33.0 (2024-11-14)
+
+* **Feature**: This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.
+
+# v1.32.4 (2024-11-06)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.32.3 (2024-10-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.32.2 (2024-10-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.32.1 (2024-10-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.32.0 (2024-10-04)
+
+* **Feature**: Add support for HTTP client metrics.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.31.4 (2024-10-03)
+
+* No change notes available for this release.
+
+# v1.31.3 (2024-09-27)
+
+* No change notes available for this release.
+
+# v1.31.2 (2024-09-25)
+
+* No change notes available for this release.
+
+# v1.31.1 (2024-09-23)
+
+* No change notes available for this release.
+
+# v1.31.0 (2024-09-20)
+
+* **Feature**: Add tracing and metrics support to service clients.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.30.8 (2024-09-17)
+
+* **Bug Fix**: **BREAKFIX**: Only generate AccountIDEndpointMode config for services that use it. This is a compiler break, but removes no actual functionality, as no services currently use the account ID in endpoint resolution.
+
+# v1.30.7 (2024-09-04)
+
+* No change notes available for this release.
+
+# v1.30.6 (2024-09-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.30.5 (2024-08-22)
+
+* No change notes available for this release.
+
+# v1.30.4 (2024-08-15)
+
+* **Dependency Update**: Bump minimum Go version to 1.21.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.30.3 (2024-07-10.2)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.30.2 (2024-07-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.30.1 (2024-06-28)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.30.0 (2024-06-26)
+
+* **Feature**: Support list-of-string endpoint parameter.
+
+# v1.29.1 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.29.0 (2024-06-18)
+
+* **Feature**: Track usage of various AWS SDK features in user-agent string.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.13 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.28.12 (2024-06-07)
 
 * **Bug Fix**: Add clock skew correction on all service clients
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
index b281ba293..25787325f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
@@ -4,6 +4,7 @@ package sts
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/defaults"
@@ -19,9 +20,12 @@ import (
 	acceptencodingcust "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding"
 	presignedurlcust "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url"
 	smithy "github.com/aws/smithy-go"
+	smithyauth "github.com/aws/smithy-go/auth"
 	smithydocument "github.com/aws/smithy-go/document"
 	"github.com/aws/smithy-go/logging"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net"
 	"net/http"
@@ -32,6 +36,133 @@ import (
 const ServiceID = "STS"
 const ServiceAPIVersion = "2011-06-15"
 
+type operationMetrics struct {
+	Duration                metrics.Float64Histogram
+	SerializeDuration       metrics.Float64Histogram
+	ResolveIdentityDuration metrics.Float64Histogram
+	ResolveEndpointDuration metrics.Float64Histogram
+	SignRequestDuration     metrics.Float64Histogram
+	DeserializeDuration     metrics.Float64Histogram
+}
+
+func (m *operationMetrics) histogramFor(name string) metrics.Float64Histogram {
+	switch name {
+	case "client.call.duration":
+		return m.Duration
+	case "client.call.serialization_duration":
+		return m.SerializeDuration
+	case "client.call.resolve_identity_duration":
+		return m.ResolveIdentityDuration
+	case "client.call.resolve_endpoint_duration":
+		return m.ResolveEndpointDuration
+	case "client.call.signing_duration":
+		return m.SignRequestDuration
+	case "client.call.deserialization_duration":
+		return m.DeserializeDuration
+	default:
+		panic("unrecognized operation metric")
+	}
+}
+
+func timeOperationMetric[T any](
+	ctx context.Context, metric string, fn func() (T, error),
+	opts ...metrics.RecordMetricOption,
+) (T, error) {
+	instr := getOperationMetrics(ctx).histogramFor(metric)
+	opts = append([]metrics.RecordMetricOption{withOperationMetadata(ctx)}, opts...)
+
+	start := time.Now()
+	v, err := fn()
+	end := time.Now()
+
+	elapsed := end.Sub(start)
+	instr.Record(ctx, float64(elapsed)/1e9, opts...)
+	return v, err
+}
+
+func startMetricTimer(ctx context.Context, metric string, opts ...metrics.RecordMetricOption) func() {
+	instr := getOperationMetrics(ctx).histogramFor(metric)
+	opts = append([]metrics.RecordMetricOption{withOperationMetadata(ctx)}, opts...)
+
+	var ended bool
+	start := time.Now()
+	return func() {
+		if ended {
+			return
+		}
+		ended = true
+
+		end := time.Now()
+
+		elapsed := end.Sub(start)
+		instr.Record(ctx, float64(elapsed)/1e9, opts...)
+	}
+}
+
+func withOperationMetadata(ctx context.Context) metrics.RecordMetricOption {
+	return func(o *metrics.RecordMetricOptions) {
+		o.Properties.Set("rpc.service", middleware.GetServiceID(ctx))
+		o.Properties.Set("rpc.method", middleware.GetOperationName(ctx))
+	}
+}
+
+type operationMetricsKey struct{}
+
+func withOperationMetrics(parent context.Context, mp metrics.MeterProvider) (context.Context, error) {
+	meter := mp.Meter("github.com/aws/aws-sdk-go-v2/service/sts")
+	om := &operationMetrics{}
+
+	var err error
+
+	om.Duration, err = operationMetricTimer(meter, "client.call.duration",
+		"Overall call duration (including retries and time to send or receive request and response body)")
+	if err != nil {
+		return nil, err
+	}
+	om.SerializeDuration, err = operationMetricTimer(meter, "client.call.serialization_duration",
+		"The time it takes to serialize a message body")
+	if err != nil {
+		return nil, err
+	}
+	om.ResolveIdentityDuration, err = operationMetricTimer(meter, "client.call.auth.resolve_identity_duration",
+		"The time taken to acquire an identity (AWS credentials, bearer token, etc) from an Identity Provider")
+	if err != nil {
+		return nil, err
+	}
+	om.ResolveEndpointDuration, err = operationMetricTimer(meter, "client.call.resolve_endpoint_duration",
+		"The time it takes to resolve an endpoint (endpoint resolver, not DNS) for the request")
+	if err != nil {
+		return nil, err
+	}
+	om.SignRequestDuration, err = operationMetricTimer(meter, "client.call.auth.signing_duration",
+		"The time it takes to sign a request")
+	if err != nil {
+		return nil, err
+	}
+	om.DeserializeDuration, err = operationMetricTimer(meter, "client.call.deserialization_duration",
+		"The time it takes to deserialize a message body")
+	if err != nil {
+		return nil, err
+	}
+
+	return context.WithValue(parent, operationMetricsKey{}, om), nil
+}
+
+func operationMetricTimer(m metrics.Meter, name, desc string) (metrics.Float64Histogram, error) {
+	return m.Float64Histogram(name, func(o *metrics.InstrumentOptions) {
+		o.UnitLabel = "s"
+		o.Description = desc
+	})
+}
+
+func getOperationMetrics(ctx context.Context) *operationMetrics {
+	return ctx.Value(operationMetricsKey{}).(*operationMetrics)
+}
+
+func operationTracer(p tracing.TracerProvider) tracing.Tracer {
+	return p.Tracer("github.com/aws/aws-sdk-go-v2/service/sts")
+}
+
 // Client provides the API client to make operations call for AWS Security Token
 // Service.
 type Client struct {
@@ -59,6 +190,10 @@ func New(options Options, optFns ...func(*Options)) *Client {
 
 	resolveEndpointResolverV2(&options)
 
+	resolveTracerProvider(&options)
+
+	resolveMeterProvider(&options)
+
 	resolveAuthSchemeResolver(&options)
 
 	for _, fn := range optFns {
@@ -91,8 +226,15 @@ func (c *Client) Options() Options {
 	return c.options.Copy()
 }
 
-func (c *Client) invokeOperation(ctx context.Context, opID string, params interface{}, optFns []func(*Options), stackFns ...func(*middleware.Stack, Options) error) (result interface{}, metadata middleware.Metadata, err error) {
+func (c *Client) invokeOperation(
+	ctx context.Context, opID string, params interface{}, optFns []func(*Options), stackFns ...func(*middleware.Stack, Options) error,
+) (
+	result interface{}, metadata middleware.Metadata, err error,
+) {
 	ctx = middleware.ClearStackValues(ctx)
+	ctx = middleware.WithServiceID(ctx, ServiceID)
+	ctx = middleware.WithOperationName(ctx, opID)
+
 	stack := middleware.NewStack(opID, smithyhttp.NewStackRequest)
 	options := c.options.Copy()
 
@@ -116,15 +258,56 @@ func (c *Client) invokeOperation(ctx context.Context, opID string, params interf
 		}
 	}
 
-	handler := middleware.DecorateHandler(smithyhttp.NewClientHandler(options.HTTPClient), stack)
-	result, metadata, err = handler.Handle(ctx, params)
+	ctx, err = withOperationMetrics(ctx, options.MeterProvider)
 	if err != nil {
+		return nil, metadata, err
+	}
+
+	tracer := operationTracer(options.TracerProvider)
+	spanName := fmt.Sprintf("%s.%s", ServiceID, opID)
+
+	ctx = tracing.WithOperationTracer(ctx, tracer)
+
+	ctx, span := tracer.StartSpan(ctx, spanName, func(o *tracing.SpanOptions) {
+		o.Kind = tracing.SpanKindClient
+		o.Properties.Set("rpc.system", "aws-api")
+		o.Properties.Set("rpc.method", opID)
+		o.Properties.Set("rpc.service", ServiceID)
+	})
+	endTimer := startMetricTimer(ctx, "client.call.duration")
+	defer endTimer()
+	defer span.End()
+
+	handler := smithyhttp.NewClientHandlerWithOptions(options.HTTPClient, func(o *smithyhttp.ClientHandler) {
+		o.Meter = options.MeterProvider.Meter("github.com/aws/aws-sdk-go-v2/service/sts")
+	})
+	decorated := middleware.DecorateHandler(handler, stack)
+	result, metadata, err = decorated.Handle(ctx, params)
+	if err != nil {
+		span.SetProperty("exception.type", fmt.Sprintf("%T", err))
+		span.SetProperty("exception.message", err.Error())
+
+		var aerr smithy.APIError
+		if errors.As(err, &aerr) {
+			span.SetProperty("api.error_code", aerr.ErrorCode())
+			span.SetProperty("api.error_message", aerr.ErrorMessage())
+			span.SetProperty("api.error_fault", aerr.ErrorFault().String())
+		}
+
 		err = &smithy.OperationError{
 			ServiceID:     ServiceID,
 			OperationName: opID,
 			Err:           err,
 		}
 	}
+
+	span.SetProperty("error", err != nil)
+	if err == nil {
+		span.SetStatus(tracing.SpanStatusOK)
+	} else {
+		span.SetStatus(tracing.SpanStatusError)
+	}
+
 	return result, metadata, err
 }
 
@@ -162,7 +345,7 @@ func addProtocolFinalizerMiddlewares(stack *middleware.Stack, options Options, o
 	if err := stack.Finalize.Insert(&resolveEndpointV2Middleware{options: options}, "GetIdentity", middleware.After); err != nil {
 		return fmt.Errorf("add ResolveEndpointV2: %v", err)
 	}
-	if err := stack.Finalize.Insert(&signRequestMiddleware{}, "ResolveEndpointV2", middleware.After); err != nil {
+	if err := stack.Finalize.Insert(&signRequestMiddleware{options: options}, "ResolveEndpointV2", middleware.After); err != nil {
 		return fmt.Errorf("add Signing: %w", err)
 	}
 	return nil
@@ -436,6 +619,30 @@ func addRawResponseToMetadata(stack *middleware.Stack) error {
 func addRecordResponseTiming(stack *middleware.Stack) error {
 	return stack.Deserialize.Add(&awsmiddleware.RecordResponseTiming{}, middleware.After)
 }
+
+func addSpanRetryLoop(stack *middleware.Stack, options Options) error {
+	return stack.Finalize.Insert(&spanRetryLoop{options: options}, "Retry", middleware.Before)
+}
+
+type spanRetryLoop struct {
+	options Options
+}
+
+func (*spanRetryLoop) ID() string {
+	return "spanRetryLoop"
+}
+
+func (m *spanRetryLoop) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
+) (
+	middleware.FinalizeOutput, middleware.Metadata, error,
+) {
+	tracer := operationTracer(m.options.TracerProvider)
+	ctx, span := tracer.StartSpan(ctx, "RetryLoop")
+	defer span.End()
+
+	return next.HandleFinalize(ctx, in)
+}
 func addStreamingEventsPayload(stack *middleware.Stack) error {
 	return stack.Finalize.Add(&v4.StreamingEventsPayload{}, middleware.Before)
 }
@@ -452,11 +659,36 @@ func addContentSHA256Header(stack *middleware.Stack) error {
 	return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After)
 }
 
+func addIsWaiterUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureWaiter)
+		return nil
+	})
+}
+
+func addIsPaginatorUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeaturePaginator)
+		return nil
+	})
+}
+
 func addRetry(stack *middleware.Stack, o Options) error {
 	attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) {
 		m.LogAttempts = o.ClientLogMode.IsRetries()
+		m.OperationMeter = o.MeterProvider.Meter("github.com/aws/aws-sdk-go-v2/service/sts")
 	})
-	if err := stack.Finalize.Insert(attempt, "Signing", middleware.Before); err != nil {
+	if err := stack.Finalize.Insert(attempt, "ResolveAuthScheme", middleware.Before); err != nil {
 		return err
 	}
 	if err := stack.Finalize.Insert(&retry.MetricsHeader{}, attempt.ID(), middleware.After); err != nil {
@@ -495,6 +727,18 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
 	return nil
 }
 
+func resolveAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) *string {
+	if mode == aws.AccountIDEndpointModeDisabled {
+		return nil
+	}
+
+	if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); ok && ca.Credentials.AccountID != "" {
+		return aws.String(ca.Credentials.AccountID)
+	}
+
+	return nil
+}
+
 func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
 	mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
 	if err := stack.Build.Add(&mw, middleware.After); err != nil {
@@ -506,6 +750,33 @@ func initializeTimeOffsetResolver(c *Client) {
 	c.timeOffset = new(atomic.Int64)
 }
 
+func addUserAgentRetryMode(stack *middleware.Stack, options Options) error {
+	ua, err := getOrAddRequestUserAgent(stack)
+	if err != nil {
+		return err
+	}
+
+	switch options.Retryer.(type) {
+	case *retry.Standard:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeStandard)
+	case *retry.AdaptiveMode:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeAdaptive)
+	}
+	return nil
+}
+
+func resolveTracerProvider(options *Options) {
+	if options.TracerProvider == nil {
+		options.TracerProvider = &tracing.NopTracerProvider{}
+	}
+}
+
+func resolveMeterProvider(options *Options) {
+	if options.MeterProvider == nil {
+		options.MeterProvider = metrics.NopMeterProvider{}
+	}
+}
+
 func addRecursionDetection(stack *middleware.Stack) error {
 	return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
 }
@@ -705,3 +976,89 @@ func addDisableHTTPSMiddleware(stack *middleware.Stack, o Options) error {
 		DisableHTTPS: o.EndpointOptions.DisableHTTPS,
 	}, "ResolveEndpointV2", middleware.After)
 }
+
+type spanInitializeStart struct {
+}
+
+func (*spanInitializeStart) ID() string {
+	return "spanInitializeStart"
+}
+
+func (m *spanInitializeStart) HandleInitialize(
+	ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler,
+) (
+	middleware.InitializeOutput, middleware.Metadata, error,
+) {
+	ctx, _ = tracing.StartSpan(ctx, "Initialize")
+
+	return next.HandleInitialize(ctx, in)
+}
+
+type spanInitializeEnd struct {
+}
+
+func (*spanInitializeEnd) ID() string {
+	return "spanInitializeEnd"
+}
+
+func (m *spanInitializeEnd) HandleInitialize(
+	ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler,
+) (
+	middleware.InitializeOutput, middleware.Metadata, error,
+) {
+	ctx, span := tracing.PopSpan(ctx)
+	span.End()
+
+	return next.HandleInitialize(ctx, in)
+}
+
+type spanBuildRequestStart struct {
+}
+
+func (*spanBuildRequestStart) ID() string {
+	return "spanBuildRequestStart"
+}
+
+func (m *spanBuildRequestStart) HandleSerialize(
+	ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler,
+) (
+	middleware.SerializeOutput, middleware.Metadata, error,
+) {
+	ctx, _ = tracing.StartSpan(ctx, "BuildRequest")
+
+	return next.HandleSerialize(ctx, in)
+}
+
+type spanBuildRequestEnd struct {
+}
+
+func (*spanBuildRequestEnd) ID() string {
+	return "spanBuildRequestEnd"
+}
+
+func (m *spanBuildRequestEnd) HandleBuild(
+	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+) (
+	middleware.BuildOutput, middleware.Metadata, error,
+) {
+	ctx, span := tracing.PopSpan(ctx)
+	span.End()
+
+	return next.HandleBuild(ctx, in)
+}
+
+func addSpanInitializeStart(stack *middleware.Stack) error {
+	return stack.Initialize.Add(&spanInitializeStart{}, middleware.Before)
+}
+
+func addSpanInitializeEnd(stack *middleware.Stack) error {
+	return stack.Initialize.Add(&spanInitializeEnd{}, middleware.After)
+}
+
+func addSpanBuildRequestStart(stack *middleware.Stack) error {
+	return stack.Serialize.Add(&spanBuildRequestStart{}, middleware.Before)
+}
+
+func addSpanBuildRequestEnd(stack *middleware.Stack) error {
+	return stack.Build.Add(&spanBuildRequestEnd{}, middleware.After)
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
index ddad1cdfc..d05632774 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
@@ -16,7 +16,7 @@ import (
 // Amazon Web Services resources. These temporary credentials consist of an access
 // key ID, a secret access key, and a security token. Typically, you use AssumeRole
 // within your account or for cross-account access. For a comparison of AssumeRole
-// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
+// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Compare STS credentials] in the
 // IAM User Guide.
 //
 // # Permissions
@@ -26,16 +26,16 @@ import (
 // cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
 // API operations.
 //
-// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
-// single JSON policy document to use as an inline session policy. You can also
-// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
-// session policies. The plaintext that you use for both inline and managed session
-// policies can't exceed 2,048 characters. Passing policies to this operation
-// returns new temporary credentials. The resulting session's permissions are the
-// intersection of the role's identity-based policy and the session policies. You
-// can use the role's temporary credentials in subsequent Amazon Web Services API
-// calls to access resources in the account that owns the role. You cannot use
-// session policies to grant more permissions than those allowed by the
+// (Optional) You can pass inline or managed session policies to this operation.
+// You can pass a single JSON policy document to use as an inline session policy.
+// You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use
+// as managed session policies. The plaintext that you use for both inline and
+// managed session policies can't exceed 2,048 characters. Passing policies to this
+// operation returns new temporary credentials. The resulting session's permissions
+// are the intersection of the role's identity-based policy and the session
+// policies. You can use the role's temporary credentials in subsequent Amazon Web
+// Services API calls to access resources in the account that owns the role. You
+// cannot use session policies to grant more permissions than those allowed by the
 // identity-based policy of the role that is being assumed. For more information,
 // see [Session Policies]in the IAM User Guide.
 //
@@ -104,10 +104,9 @@ import (
 // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 // [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
 // [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
-// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 // [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
 // [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Compare STS credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
 // [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
 	if params == nil {
@@ -141,10 +140,18 @@ type AssumeRoleInput struct {
 	// the temporary security credentials will expose the role session name to the
 	// external account in their CloudTrail logs.
 	//
+	// For security purposes, administrators can view this field in [CloudTrail logs] to help identify
+	// who performed an action in Amazon Web Services. Your administrator might require
+	// that you specify your user name as the session name when you assume the role.
+	// For more information, see [sts:RoleSessionName]sts:RoleSessionName .
+	//
 	// The regex used to validate this parameter is a string of characters consisting
 	// of upper- and lower-case alphanumeric characters with no spaces. You can also
 	// include underscores or any of the following characters: =,.@-
 	//
+	// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+	// [sts:RoleSessionName]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
+	//
 	// This member is required.
 	RoleSessionName *string
 
@@ -163,7 +170,7 @@ type AssumeRoleInput struct {
 	// 43200 seconds (12 hours), depending on the maximum session duration setting for
 	// your role. However, if you assume a role using role chaining and provide a
 	// DurationSeconds parameter value greater than one hour, the operation fails. To
-	// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+	// learn how to view the maximum value for your role, see [Update the maximum session duration for a role].
 	//
 	// By default, the value is set to 3600 seconds.
 	//
@@ -173,7 +180,7 @@ type AssumeRoleInput struct {
 	// parameter that specifies the maximum length of the console session. For more
 	// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
 	//
-	// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+	// [Update the maximum session duration for a role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
 	// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 	DurationSeconds *int32
 
@@ -218,7 +225,10 @@ type AssumeRoleInput struct {
 	// by percentage how close the policies and tags for your request are to the upper
 	// size limit.
 	//
+	// For more information about role session permissions, see [Session policies].
+	//
 	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
@@ -273,10 +283,10 @@ type AssumeRoleInput struct {
 	SerialNumber *string
 
 	// The source identity specified by the principal that is calling the AssumeRole
-	// operation.
+	// operation. The source identity value persists across [chained role]sessions.
 	//
 	// You can require users to specify a source identity when they assume a role. You
-	// do this by using the sts:SourceIdentity condition key in a role trust policy.
+	// do this by using the [sts:SourceIdentity]sts:SourceIdentity condition key in a role trust policy.
 	// You can use source identity information in CloudTrail logs to determine who took
 	// actions with a role. You can use the aws:SourceIdentity condition key to
 	// further control access to Amazon Web Services resources based on the value of
@@ -285,11 +295,13 @@ type AssumeRoleInput struct {
 	//
 	// The regex used to validate this parameter is a string of characters consisting
 	// of upper- and lower-case alphanumeric characters with no spaces. You can also
-	// include underscores or any of the following characters: =,.@-. You cannot use a
+	// include underscores or any of the following characters: +=,.@-. You cannot use a
 	// value that begins with the text aws: . This prefix is reserved for Amazon Web
 	// Services internal use.
 	//
+	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
 	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+	// [sts:SourceIdentity]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
 	SourceIdentity *string
 
 	// A list of session tags that you want to pass. Each session tag consists of a
@@ -342,8 +354,8 @@ type AssumeRoleInput struct {
 	// a tag key as transitive, the corresponding key and value passes to subsequent
 	// sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
 	//
-	// This parameter is optional. When you set session tags as transitive, the
-	// session policy and session tags packed binary limit is not affected.
+	// This parameter is optional. The transitive status of a session tag does not
+	// impact its packed binary size.
 	//
 	// If you choose not to specify a transitive tag key, then no tags are passed from
 	// this session to any subsequent sessions.
@@ -445,6 +457,9 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -460,6 +475,9 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -481,6 +499,18 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
index 31b7ba5c4..d0e117ac9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
@@ -16,7 +16,7 @@ import (
 // mechanism for tying an enterprise identity store or directory to role-based
 // Amazon Web Services access without user-specific credentials or configuration.
 // For a comparison of AssumeRoleWithSAML with the other API operations that
-// produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+// produce temporary credentials, see [Requesting Temporary Security Credentials]and [Compare STS credentials] in the IAM User Guide.
 //
 // The temporary security credentials returned by this operation consist of an
 // access key ID, a secret access key, and a security token. Applications can use
@@ -130,10 +130,10 @@ import (
 // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
 // [Creating a Role for SAML 2.0 Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
 // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
-// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
 // [Creating SAML Identity Providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
 // [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 // [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Compare STS credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
 // [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 // [Configuring a Relying Party and Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
 // [Role chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
@@ -219,6 +219,8 @@ type AssumeRoleWithSAMLInput struct {
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
 	// return (\u000D) characters.
 	//
+	// For more information about role session permissions, see [Session policies].
+	//
 	// An Amazon Web Services conversion compresses the passed inline session policy,
 	// managed policy ARNs, and session tags into a packed binary format that has a
 	// separate limit. Your request can fail for this limit even if your plaintext
@@ -227,6 +229,7 @@ type AssumeRoleWithSAMLInput struct {
 	// size limit.
 	//
 	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
@@ -304,7 +307,8 @@ type AssumeRoleWithSAMLOutput struct {
 	// allowed space.
 	PackedPolicySize *int32
 
-	// The value in the SourceIdentity attribute in the SAML assertion.
+	// The value in the SourceIdentity attribute in the SAML assertion. The source
+	// identity value persists across [chained role]sessions.
 	//
 	// You can require users to set a source identity value when they assume a role.
 	// You do this by using the sts:SourceIdentity condition key in a role trust
@@ -321,7 +325,7 @@ type AssumeRoleWithSAMLOutput struct {
 	// of upper- and lower-case alphanumeric characters with no spaces. You can also
 	// include underscores or any of the following characters: =,.@-
 	//
-	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
 	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	SourceIdentity *string
 
@@ -385,6 +389,9 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -400,6 +407,9 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -421,6 +431,18 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
index 30dac8c6f..0ae4bc173 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
@@ -31,7 +31,7 @@ import (
 // Services credentials. Instead, the identity of the caller is validated by using
 // a token from the web identity provider. For a comparison of
 // AssumeRoleWithWebIdentity with the other API operations that produce temporary
-// credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+// credentials, see [Requesting Temporary Security Credentials]and [Compare STS credentials] in the IAM User Guide.
 //
 // The temporary security credentials returned by this API consist of an access
 // key ID, a secret access key, and a security token. Applications can use these
@@ -45,7 +45,7 @@ import (
 // DurationSeconds parameter to specify the duration of your session. You can
 // provide a value from 900 seconds (15 minutes) up to the maximum session duration
 // setting for the role. This setting can have a value from 1 hour to 12 hours. To
-// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+// learn how to view the maximum value for your role, see [Update the maximum session duration for a role]in the IAM User Guide.
 // The maximum session duration limit applies when you use the AssumeRole* API
 // operations or the assume-role* CLI commands. However the limit does not apply
 // when you use those operations to create a console URL. For more information, see
@@ -111,34 +111,23 @@ import (
 // that you avoid using any personally identifiable information (PII) in this
 // field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification].
 //
-// For more information about how to use web identity federation and the
+// For more information about how to use OIDC federation and the
 // AssumeRoleWithWebIdentity API, see the following resources:
 //
 // [Using Web Identity Federation API Operations for Mobile Apps]
 //   - and [Federation Through a Web-based Identity Provider].
 //
-// [Web Identity Federation Playground]
-//   - . Walk through the process of authenticating through Login with Amazon,
-//     Facebook, or Google, getting temporary security credentials, and then using
-//     those credentials to make a request to Amazon Web Services.
-//
 // [Amazon Web Services SDK for iOS Developer Guide]
 //   - and [Amazon Web Services SDK for Android Developer Guide]. These toolkits contain sample apps that show how to invoke the
 //     identity providers. The toolkits then show how to use the information from these
 //     providers to get and use temporary security credentials.
 //
-// [Web Identity Federation with Mobile Applications]
-//   - . This article discusses web identity federation and shows an example of
-//     how to use web identity federation to get access to content in Amazon S3.
-//
 // [Amazon Web Services SDK for iOS Developer Guide]: http://aws.amazon.com/sdkforios/
-// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-// [Web Identity Federation Playground]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
 // [Amazon Web Services SDK for Android Developer Guide]: http://aws.amazon.com/sdkforandroid/
 // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
-// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
 // [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 // [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Compare STS credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
 // [Subject]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
 // [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 // [Amazon Cognito identity pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
@@ -148,7 +137,7 @@ import (
 // [Amazon Cognito federated identities]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
 // [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
 // [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
-// [Web Identity Federation with Mobile Applications]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+// [Update the maximum session duration for a role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
 // [Using Web Identity Federation API Operations for Mobile Apps]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
 // [suggested in the OIDC specification]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
 func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
@@ -170,6 +159,17 @@ type AssumeRoleWithWebIdentityInput struct {
 
 	// The Amazon Resource Name (ARN) of the role that the caller is assuming.
 	//
+	// Additional considerations apply to Amazon Cognito identity pools that assume [cross-account IAM roles].
+	// The trust policies of these roles must accept the cognito-identity.amazonaws.com
+	// service principal and must contain the cognito-identity.amazonaws.com:aud
+	// condition key to restrict role assumption to users from your intended identity
+	// pools. A policy that trusts Amazon Cognito identity pools without this condition
+	// creates a risk that a user from an unintended identity pool can assume the role.
+	// For more information, see [Trust policies for IAM roles in Basic (Classic) authentication]in the Amazon Cognito Developer Guide.
+	//
+	// [cross-account IAM roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
+	// [Trust policies for IAM roles in Basic (Classic) authentication]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
+	//
 	// This member is required.
 	RoleArn *string
 
@@ -179,18 +179,28 @@ type AssumeRoleWithWebIdentityInput struct {
 	// associated with that user. This session name is included as part of the ARN and
 	// assumed role ID in the AssumedRoleUser response element.
 	//
+	// For security purposes, administrators can view this field in [CloudTrail logs] to help identify
+	// who performed an action in Amazon Web Services. Your administrator might require
+	// that you specify your user name as the session name when you assume the role.
+	// For more information, see [sts:RoleSessionName]sts:RoleSessionName .
+	//
 	// The regex used to validate this parameter is a string of characters consisting
 	// of upper- and lower-case alphanumeric characters with no spaces. You can also
 	// include underscores or any of the following characters: =,.@-
 	//
+	// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+	// [sts:RoleSessionName]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
+	//
 	// This member is required.
 	RoleSessionName *string
 
 	// The OAuth 2.0 access token or OpenID Connect ID token that is provided by the
 	// identity provider. Your application must get this token by authenticating the
 	// user who is using your application with a web identity provider before the
-	// application makes an AssumeRoleWithWebIdentity call. Only tokens with RSA
-	// algorithms (RS256) are supported.
+	// application makes an AssumeRoleWithWebIdentity call. Timestamps in the token
+	// must be formatted as either an integer or a long integer. Tokens must be signed
+	// using either RSA keys (RS256, RS384, or RS512) or ECDSA keys (ES256, ES384, or
+	// ES512).
 	//
 	// This member is required.
 	WebIdentityToken *string
@@ -232,6 +242,8 @@ type AssumeRoleWithWebIdentityInput struct {
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
 	// return (\u000D) characters.
 	//
+	// For more information about role session permissions, see [Session policies].
+	//
 	// An Amazon Web Services conversion compresses the passed inline session policy,
 	// managed policy ARNs, and session tags into a packed binary format that has a
 	// separate limit. Your request can fail for this limit even if your plaintext
@@ -240,6 +252,7 @@ type AssumeRoleWithWebIdentityInput struct {
 	// size limit.
 	//
 	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
@@ -337,7 +350,7 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// of upper- and lower-case alphanumeric characters with no spaces. You can also
 	// include underscores or any of the following characters: =,.@-
 	//
-	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
 	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	// [Using Tokens with User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
 	SourceIdentity *string
@@ -396,6 +409,9 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -411,6 +427,9 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleWithWebIdentityValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -432,6 +451,18 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoot.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoot.go
new file mode 100644
index 000000000..cd976e573
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoot.go
@@ -0,0 +1,220 @@
+// Code generated by smithy-go-codegen DO NOT EDIT.
+
+package sts
+
+import (
+	"context"
+	"fmt"
+	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+)
+
+// Returns a set of short term credentials you can use to perform privileged tasks
+// on a member account in your organization.
+//
+// Before you can launch a privileged session, you must have centralized root
+// access in your organization. For steps to enable this feature, see [Centralize root access for member accounts]in the IAM
+// User Guide.
+//
+// The STS global endpoint is not supported for AssumeRoot. You must send this
+// request to a Regional STS endpoint. For more information, see [Endpoints].
+//
+// You can track AssumeRoot in CloudTrail logs to determine what actions were
+// performed in a session. For more information, see [Track privileged tasks in CloudTrail]in the IAM User Guide.
+//
+// [Endpoints]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints
+// [Track privileged tasks in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html
+// [Centralize root access for member accounts]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
+func (c *Client) AssumeRoot(ctx context.Context, params *AssumeRootInput, optFns ...func(*Options)) (*AssumeRootOutput, error) {
+	if params == nil {
+		params = &AssumeRootInput{}
+	}
+
+	result, metadata, err := c.invokeOperation(ctx, "AssumeRoot", params, optFns, c.addOperationAssumeRootMiddlewares)
+	if err != nil {
+		return nil, err
+	}
+
+	out := result.(*AssumeRootOutput)
+	out.ResultMetadata = metadata
+	return out, nil
+}
+
+type AssumeRootInput struct {
+
+	// The member account principal ARN or account ID.
+	//
+	// This member is required.
+	TargetPrincipal *string
+
+	// The identity based policy that scopes the session to the privileged tasks that
+	// can be performed. You can use one of following Amazon Web Services managed
+	// policies to scope root session actions.
+	//
+	// [IAMAuditRootUserCredentials]
+	//
+	// [IAMCreateRootUserPassword]
+	//
+	// [IAMDeleteRootUserCredentials]
+	//
+	// [S3UnlockBucketPolicy]
+	//
+	// [SQSUnlockQueuePolicy]
+	//
+	// [IAMDeleteRootUserCredentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
+	// [IAMCreateRootUserPassword]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
+	// [IAMAuditRootUserCredentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
+	// [S3UnlockBucketPolicy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
+	// [SQSUnlockQueuePolicy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
+	//
+	// This member is required.
+	TaskPolicyArn *types.PolicyDescriptorType
+
+	// The duration, in seconds, of the privileged session. The value can range from 0
+	// seconds up to the maximum session duration of 900 seconds (15 minutes). If you
+	// specify a value higher than this setting, the operation fails.
+	//
+	// By default, the value is set to 900 seconds.
+	DurationSeconds *int32
+
+	noSmithyDocumentSerde
+}
+
+type AssumeRootOutput struct {
+
+	// The temporary security credentials, which include an access key ID, a secret
+	// access key, and a security token.
+	//
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
+	Credentials *types.Credentials
+
+	// The source identity specified by the principal that is calling the AssumeRoot
+	// operation.
+	//
+	// You can use the aws:SourceIdentity condition key to control access based on the
+	// value of source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]
+	// in the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
+	//
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+	SourceIdentity *string
+
+	// Metadata pertaining to the operation's result.
+	ResultMetadata middleware.Metadata
+
+	noSmithyDocumentSerde
+}
+
+func (c *Client) addOperationAssumeRootMiddlewares(stack *middleware.Stack, options Options) (err error) {
+	if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil {
+		return err
+	}
+	err = stack.Serialize.Add(&awsAwsquery_serializeOpAssumeRoot{}, middleware.After)
+	if err != nil {
+		return err
+	}
+	err = stack.Deserialize.Add(&awsAwsquery_deserializeOpAssumeRoot{}, middleware.After)
+	if err != nil {
+		return err
+	}
+	if err := addProtocolFinalizerMiddlewares(stack, options, "AssumeRoot"); err != nil {
+		return fmt.Errorf("add protocol finalizers: %v", err)
+	}
+
+	if err = addlegacyEndpointContextSetter(stack, options); err != nil {
+		return err
+	}
+	if err = addSetLoggerMiddleware(stack, options); err != nil {
+		return err
+	}
+	if err = addClientRequestID(stack); err != nil {
+		return err
+	}
+	if err = addComputeContentLength(stack); err != nil {
+		return err
+	}
+	if err = addResolveEndpointMiddleware(stack, options); err != nil {
+		return err
+	}
+	if err = addComputePayloadSHA256(stack); err != nil {
+		return err
+	}
+	if err = addRetry(stack, options); err != nil {
+		return err
+	}
+	if err = addRawResponseToMetadata(stack); err != nil {
+		return err
+	}
+	if err = addRecordResponseTiming(stack); err != nil {
+		return err
+	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
+	if err = addClientUserAgent(stack, options); err != nil {
+		return err
+	}
+	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
+		return err
+	}
+	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
+		return err
+	}
+	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
+		return err
+	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
+	if err = addOpAssumeRootValidationMiddleware(stack); err != nil {
+		return err
+	}
+	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoot(options.Region), middleware.Before); err != nil {
+		return err
+	}
+	if err = addRecursionDetection(stack); err != nil {
+		return err
+	}
+	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
+		return err
+	}
+	if err = addResponseErrorMiddleware(stack); err != nil {
+		return err
+	}
+	if err = addRequestResponseLogging(stack, options); err != nil {
+		return err
+	}
+	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
+		return err
+	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
+	return nil
+}
+
+func newServiceMetadataMiddleware_opAssumeRoot(region string) *awsmiddleware.RegisterServiceMetadata {
+	return &awsmiddleware.RegisterServiceMetadata{
+		Region:        region,
+		ServiceID:     ServiceID,
+		OperationName: "AssumeRoot",
+	}
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
index 925ee2eeb..a56840e1b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
@@ -126,6 +126,9 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -141,6 +144,9 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpDecodeAuthorizationMessageValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -162,6 +168,18 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
index 75da47597..c80b0550b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
@@ -117,6 +117,9 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -132,6 +135,9 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpGetAccessKeyInfoValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -153,6 +159,18 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
index ea90ff7d4..49304bdaf 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
@@ -108,6 +108,9 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -123,6 +126,9 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
 		return err
 	}
@@ -141,6 +147,18 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
index a0b5ebdba..e2ecc792a 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
@@ -20,7 +20,7 @@ import (
 // credentials of an IAM user. As a result, this call is appropriate in contexts
 // where those credentials can be safeguarded, usually in a server-based
 // application. For a comparison of GetFederationToken with the other API
-// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Compare STS credentials] in the IAM User Guide.
 //
 // Although it is possible to call GetFederationToken using the security
 // credentials of an Amazon Web Services account root user rather than an IAM user
@@ -104,9 +104,9 @@ import (
 // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 // [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
 // [GetFederationToken—Federation Through a Custom Identity Broker]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
-// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
 // [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
 // [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Compare STS credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
 // [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
 	if params == nil {
@@ -330,6 +330,9 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -345,6 +348,9 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil {
 		return err
 	}
@@ -366,6 +372,18 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
index 645ccaeb2..fdc451117 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
@@ -22,7 +22,7 @@ import (
 // the call returns, IAM users can then make programmatic calls to API operations
 // that require MFA authentication. An incorrect MFA code causes the API to return
 // an access denied error. For a comparison of GetSessionToken with the other API
-// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Compare STS credentials] in the IAM User Guide.
 //
 // No permissions are required for users to perform this operation. The purpose of
 // the sts:GetSessionToken operation is to authenticate the user using MFA. You
@@ -63,10 +63,10 @@ import (
 // credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide.
 //
 // [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
-// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
 // [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
 // [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
 // [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Compare STS credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
 	if params == nil {
 		params = &GetSessionTokenInput{}
@@ -179,6 +179,9 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
 	if err = addRecordResponseTiming(stack); err != nil {
 		return err
 	}
+	if err = addSpanRetryLoop(stack, options); err != nil {
+		return err
+	}
 	if err = addClientUserAgent(stack, options); err != nil {
 		return err
 	}
@@ -194,6 +197,9 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
 	if err = addTimeOffsetBuild(stack, c); err != nil {
 		return err
 	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
 		return err
 	}
@@ -212,6 +218,18 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
 	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
 		return err
 	}
+	if err = addSpanInitializeStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanInitializeEnd(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestStart(stack); err != nil {
+		return err
+	}
+	if err = addSpanBuildRequestEnd(stack); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
index 9db5bfd43..a90b2b736 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
@@ -8,11 +8,13 @@ import (
 	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
 	smithy "github.com/aws/smithy-go"
 	smithyauth "github.com/aws/smithy-go/auth"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-func bindAuthParamsRegion(params *AuthResolverParameters, _ interface{}, options Options) {
+func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
 	params.Region = options.Region
 }
 
@@ -90,12 +92,12 @@ type AuthResolverParameters struct {
 	Region string
 }
 
-func bindAuthResolverParams(operation string, input interface{}, options Options) *AuthResolverParameters {
+func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
 	params := &AuthResolverParameters{
 		Operation: operation,
 	}
 
-	bindAuthParamsRegion(params, input, options)
+	bindAuthParamsRegion(ctx, params, input, options)
 
 	return params
 }
@@ -157,7 +159,10 @@ func (*resolveAuthSchemeMiddleware) ID() string {
 func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	params := bindAuthResolverParams(m.operation, getOperationInput(ctx), m.options)
+	_, span := tracing.StartSpan(ctx, "ResolveAuthScheme")
+	defer span.End()
+
+	params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
 	options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
 	if err != nil {
 		return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)
@@ -169,6 +174,9 @@ func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in mid
 	}
 
 	ctx = setResolvedAuthScheme(ctx, scheme)
+
+	span.SetProperty("auth.scheme_id", scheme.Scheme.SchemeID())
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
 
@@ -228,7 +236,10 @@ func (*getIdentityMiddleware) ID() string {
 func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	rscheme := getResolvedAuthScheme(ctx)
+	innerCtx, span := tracing.StartSpan(ctx, "GetIdentity")
+	defer span.End()
+
+	rscheme := getResolvedAuthScheme(innerCtx)
 	if rscheme == nil {
 		return out, metadata, fmt.Errorf("no resolved auth scheme")
 	}
@@ -238,12 +249,20 @@ func (m *getIdentityMiddleware) HandleFinalize(ctx context.Context, in middlewar
 		return out, metadata, fmt.Errorf("no identity resolver")
 	}
 
-	identity, err := resolver.GetIdentity(ctx, rscheme.IdentityProperties)
+	identity, err := timeOperationMetric(ctx, "client.call.resolve_identity_duration",
+		func() (smithyauth.Identity, error) {
+			return resolver.GetIdentity(innerCtx, rscheme.IdentityProperties)
+		},
+		func(o *metrics.RecordMetricOptions) {
+			o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
+		})
 	if err != nil {
 		return out, metadata, fmt.Errorf("get identity: %w", err)
 	}
 
 	ctx = setIdentity(ctx, identity)
+
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
 
@@ -259,6 +278,7 @@ func getIdentity(ctx context.Context) smithyauth.Identity {
 }
 
 type signRequestMiddleware struct {
+	options Options
 }
 
 func (*signRequestMiddleware) ID() string {
@@ -268,6 +288,9 @@ func (*signRequestMiddleware) ID() string {
 func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "SignRequest")
+	defer span.End()
+
 	req, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, fmt.Errorf("unexpected transport type %T", in.Request)
@@ -288,9 +311,15 @@ func (m *signRequestMiddleware) HandleFinalize(ctx context.Context, in middlewar
 		return out, metadata, fmt.Errorf("no signer")
 	}
 
-	if err := signer.SignRequest(ctx, req, identity, rscheme.SignerProperties); err != nil {
+	_, err = timeOperationMetric(ctx, "client.call.signing_duration", func() (any, error) {
+		return nil, signer.SignRequest(ctx, req, identity, rscheme.SignerProperties)
+	}, func(o *metrics.RecordMetricOptions) {
+		o.Properties.Set("auth.scheme_id", rscheme.Scheme.SchemeID())
+	})
+	if err != nil {
 		return out, metadata, fmt.Errorf("sign request: %w", err)
 	}
 
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
index 7e4346ec9..59349890f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
@@ -16,6 +16,7 @@ import (
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
 	smithytime "github.com/aws/smithy-go/time"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"io"
 	"strconv"
@@ -46,6 +47,10 @@ func (m *awsAwsquery_deserializeOpAssumeRole) HandleDeserialize(ctx context.Cont
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -163,6 +168,10 @@ func (m *awsAwsquery_deserializeOpAssumeRoleWithSAML) HandleDeserialize(ctx cont
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -286,6 +295,10 @@ func (m *awsAwsquery_deserializeOpAssumeRoleWithWebIdentity) HandleDeserialize(c
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -397,6 +410,121 @@ func awsAwsquery_deserializeOpErrorAssumeRoleWithWebIdentity(response *smithyhtt
 	}
 }
 
+type awsAwsquery_deserializeOpAssumeRoot struct {
+}
+
+func (*awsAwsquery_deserializeOpAssumeRoot) ID() string {
+	return "OperationDeserializer"
+}
+
+func (m *awsAwsquery_deserializeOpAssumeRoot) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) (
+	out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
+) {
+	out, metadata, err = next.HandleDeserialize(ctx, in)
+	if err != nil {
+		return out, metadata, err
+	}
+
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
+	response, ok := out.RawResponse.(*smithyhttp.Response)
+	if !ok {
+		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
+	}
+
+	if response.StatusCode < 200 || response.StatusCode >= 300 {
+		return out, metadata, awsAwsquery_deserializeOpErrorAssumeRoot(response, &metadata)
+	}
+	output := &AssumeRootOutput{}
+	out.Result = output
+
+	var buff [1024]byte
+	ringBuffer := smithyio.NewRingBuffer(buff[:])
+	body := io.TeeReader(response.Body, ringBuffer)
+	rootDecoder := xml.NewDecoder(body)
+	t, err := smithyxml.FetchRootElement(rootDecoder)
+	if err == io.EOF {
+		return out, metadata, nil
+	}
+	if err != nil {
+		var snapshot bytes.Buffer
+		io.Copy(&snapshot, ringBuffer)
+		return out, metadata, &smithy.DeserializationError{
+			Err:      fmt.Errorf("failed to decode response body, %w", err),
+			Snapshot: snapshot.Bytes(),
+		}
+	}
+
+	decoder := smithyxml.WrapNodeDecoder(rootDecoder, t)
+	t, err = decoder.GetElement("AssumeRootResult")
+	if err != nil {
+		var snapshot bytes.Buffer
+		io.Copy(&snapshot, ringBuffer)
+		err = &smithy.DeserializationError{
+			Err:      fmt.Errorf("failed to decode response body, %w", err),
+			Snapshot: snapshot.Bytes(),
+		}
+		return out, metadata, err
+	}
+
+	decoder = smithyxml.WrapNodeDecoder(decoder.Decoder, t)
+	err = awsAwsquery_deserializeOpDocumentAssumeRootOutput(&output, decoder)
+	if err != nil {
+		var snapshot bytes.Buffer
+		io.Copy(&snapshot, ringBuffer)
+		err = &smithy.DeserializationError{
+			Err:      fmt.Errorf("failed to decode response body, %w", err),
+			Snapshot: snapshot.Bytes(),
+		}
+		return out, metadata, err
+	}
+
+	return out, metadata, err
+}
+
+func awsAwsquery_deserializeOpErrorAssumeRoot(response *smithyhttp.Response, metadata *middleware.Metadata) error {
+	var errorBuffer bytes.Buffer
+	if _, err := io.Copy(&errorBuffer, response.Body); err != nil {
+		return &smithy.DeserializationError{Err: fmt.Errorf("failed to copy error response body, %w", err)}
+	}
+	errorBody := bytes.NewReader(errorBuffer.Bytes())
+
+	errorCode := "UnknownError"
+	errorMessage := errorCode
+
+	errorComponents, err := awsxml.GetErrorResponseComponents(errorBody, false)
+	if err != nil {
+		return err
+	}
+	if reqID := errorComponents.RequestID; len(reqID) != 0 {
+		awsmiddleware.SetRequestIDMetadata(metadata, reqID)
+	}
+	if len(errorComponents.Code) != 0 {
+		errorCode = errorComponents.Code
+	}
+	if len(errorComponents.Message) != 0 {
+		errorMessage = errorComponents.Message
+	}
+	errorBody.Seek(0, io.SeekStart)
+	switch {
+	case strings.EqualFold("ExpiredTokenException", errorCode):
+		return awsAwsquery_deserializeErrorExpiredTokenException(response, errorBody)
+
+	case strings.EqualFold("RegionDisabledException", errorCode):
+		return awsAwsquery_deserializeErrorRegionDisabledException(response, errorBody)
+
+	default:
+		genericError := &smithy.GenericAPIError{
+			Code:    errorCode,
+			Message: errorMessage,
+		}
+		return genericError
+
+	}
+}
+
 type awsAwsquery_deserializeOpDecodeAuthorizationMessage struct {
 }
 
@@ -412,6 +540,10 @@ func (m *awsAwsquery_deserializeOpDecodeAuthorizationMessage) HandleDeserialize(
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -520,6 +652,10 @@ func (m *awsAwsquery_deserializeOpGetAccessKeyInfo) HandleDeserialize(ctx contex
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -625,6 +761,10 @@ func (m *awsAwsquery_deserializeOpGetCallerIdentity) HandleDeserialize(ctx conte
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -730,6 +870,10 @@ func (m *awsAwsquery_deserializeOpGetFederationToken) HandleDeserialize(ctx cont
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -844,6 +988,10 @@ func (m *awsAwsquery_deserializeOpGetSessionToken) HandleDeserialize(ctx context
 		return out, metadata, err
 	}
 
+	_, span := tracing.StartSpan(ctx, "OperationDeserializer")
+	endTimer := startMetricTimer(ctx, "client.call.deserialization_duration")
+	defer endTimer()
+	defer span.End()
 	response, ok := out.RawResponse.(*smithyhttp.Response)
 	if !ok {
 		return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
@@ -2235,6 +2383,61 @@ func awsAwsquery_deserializeOpDocumentAssumeRoleWithWebIdentityOutput(v **Assume
 	return nil
 }
 
+func awsAwsquery_deserializeOpDocumentAssumeRootOutput(v **AssumeRootOutput, decoder smithyxml.NodeDecoder) error {
+	if v == nil {
+		return fmt.Errorf("unexpected nil of type %T", v)
+	}
+	var sv *AssumeRootOutput
+	if *v == nil {
+		sv = &AssumeRootOutput{}
+	} else {
+		sv = *v
+	}
+
+	for {
+		t, done, err := decoder.Token()
+		if err != nil {
+			return err
+		}
+		if done {
+			break
+		}
+		originalDecoder := decoder
+		decoder = smithyxml.WrapNodeDecoder(originalDecoder.Decoder, t)
+		switch {
+		case strings.EqualFold("Credentials", t.Name.Local):
+			nodeDecoder := smithyxml.WrapNodeDecoder(decoder.Decoder, t)
+			if err := awsAwsquery_deserializeDocumentCredentials(&sv.Credentials, nodeDecoder); err != nil {
+				return err
+			}
+
+		case strings.EqualFold("SourceIdentity", t.Name.Local):
+			val, err := decoder.Value()
+			if err != nil {
+				return err
+			}
+			if val == nil {
+				break
+			}
+			{
+				xtv := string(val)
+				sv.SourceIdentity = ptr.String(xtv)
+			}
+
+		default:
+			// Do nothing and ignore the unexpected tag element
+			err = decoder.Decoder.Skip()
+			if err != nil {
+				return err
+			}
+
+		}
+		decoder = originalDecoder
+	}
+	*v = sv
+	return nil
+}
+
 func awsAwsquery_deserializeOpDocumentDecodeAuthorizationMessageOutput(v **DecodeAuthorizationMessageOutput, decoder smithyxml.NodeDecoder) error {
 	if v == nil {
 		return fmt.Errorf("unexpected nil of type %T", v)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
index 32e2d5435..dca2ce359 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
@@ -17,6 +17,7 @@ import (
 	smithyendpoints "github.com/aws/smithy-go/endpoints"
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net/http"
 	"net/url"
@@ -306,6 +307,17 @@ func (p EndpointParameters) WithDefaults() EndpointParameters {
 	return p
 }
 
+type stringSlice []string
+
+func (s stringSlice) Get(i int) *string {
+	if i < 0 || i >= len(s) {
+		return nil
+	}
+
+	v := s[i]
+	return &v
+}
+
 // EndpointResolverV2 provides the interface for resolving service endpoints.
 type EndpointResolverV2 interface {
 	// ResolveEndpoint attempts to resolve the endpoint with the provided options,
@@ -1045,7 +1057,7 @@ type endpointParamsBinder interface {
 	bindEndpointParams(*EndpointParameters)
 }
 
-func bindEndpointParams(input interface{}, options Options) *EndpointParameters {
+func bindEndpointParams(ctx context.Context, input interface{}, options Options) *EndpointParameters {
 	params := &EndpointParameters{}
 
 	params.Region = bindRegion(options.Region)
@@ -1071,6 +1083,9 @@ func (*resolveEndpointV2Middleware) ID() string {
 func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "ResolveEndpoint")
+	defer span.End()
+
 	if awsmiddleware.GetRequiresLegacyEndpoints(ctx) {
 		return next.HandleFinalize(ctx, in)
 	}
@@ -1084,12 +1099,17 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil")
 	}
 
-	params := bindEndpointParams(getOperationInput(ctx), m.options)
-	endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
+	params := bindEndpointParams(ctx, getOperationInput(ctx), m.options)
+	endpt, err := timeOperationMetric(ctx, "client.call.resolve_endpoint_duration",
+		func() (smithyendpoints.Endpoint, error) {
+			return m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
+		})
 	if err != nil {
 		return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err)
 	}
 
+	span.SetProperty("client.call.resolved_endpoint", endpt.URI.String())
+
 	if endpt.URI.RawPath == "" && req.URL.RawPath != "" {
 		endpt.URI.RawPath = endpt.URI.Path
 	}
@@ -1111,5 +1131,6 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		rscheme.SignerProperties.SetAll(&o.SignerProperties)
 	}
 
+	span.End()
 	return next.HandleFinalize(ctx, in)
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
index 6b6e839e6..643c5c694 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
@@ -13,6 +13,7 @@
         "api_op_AssumeRole.go",
         "api_op_AssumeRoleWithSAML.go",
         "api_op_AssumeRoleWithWebIdentity.go",
+        "api_op_AssumeRoot.go",
         "api_op_DecodeAuthorizationMessage.go",
         "api_op_GetAccessKeyInfo.go",
         "api_op_GetCallerIdentity.go",
@@ -35,7 +36,7 @@
         "types/types.go",
         "validators.go"
     ],
-    "go": "1.15",
+    "go": "1.22",
     "module": "github.com/aws/aws-sdk-go-v2/service/sts",
     "unstable": false
 }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
index acc380e98..12500e7a1 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.28.12"
+const goModuleVersion = "1.33.15"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go
index 3dbd993b5..8fc2012a6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go
@@ -94,7 +94,7 @@ var partitionRegexp = struct {
 	AwsUsGov *regexp.Regexp
 }{
 
-	Aws:      regexp.MustCompile("^(us|eu|ap|sa|ca|me|af|il)\\-\\w+\\-\\d+$"),
+	Aws:      regexp.MustCompile("^(us|eu|ap|sa|ca|me|af|il|mx)\\-\\w+\\-\\d+$"),
 	AwsCn:    regexp.MustCompile("^cn\\-\\w+\\-\\d+$"),
 	AwsIso:   regexp.MustCompile("^us\\-iso\\-\\w+\\-\\d+$"),
 	AwsIsoB:  regexp.MustCompile("^us\\-isob\\-\\w+\\-\\d+$"),
@@ -172,6 +172,12 @@ var defaultPartitions = endpoints.Partitions{
 			endpoints.EndpointKey{
 				Region: "ap-southeast-4",
 			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "ap-southeast-5",
+			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "ap-southeast-7",
+			}: endpoints.Endpoint{},
 			endpoints.EndpointKey{
 				Region: "aws-global",
 			}: endpoints.Endpoint{
@@ -219,6 +225,9 @@ var defaultPartitions = endpoints.Partitions{
 			endpoints.EndpointKey{
 				Region: "me-south-1",
 			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "mx-central-1",
+			}: endpoints.Endpoint{},
 			endpoints.EndpointKey{
 				Region: "sa-east-1",
 			}: endpoints.Endpoint{},
@@ -435,6 +444,14 @@ var defaultPartitions = endpoints.Partitions{
 		},
 		RegionRegex:    partitionRegexp.AwsIsoF,
 		IsRegionalized: true,
+		Endpoints: endpoints.Endpoints{
+			endpoints.EndpointKey{
+				Region: "us-isof-east-1",
+			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "us-isof-south-1",
+			}: endpoints.Endpoint{},
+		},
 	},
 	{
 		ID: "aws-us-gov",
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
index bb291161a..e1398f3bb 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
@@ -9,7 +9,9 @@ import (
 	internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
 	smithyauth "github.com/aws/smithy-go/auth"
 	"github.com/aws/smithy-go/logging"
+	"github.com/aws/smithy-go/metrics"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net/http"
 )
@@ -66,6 +68,9 @@ type Options struct {
 	// The logger writer interface to write logging messages to.
 	Logger logging.Logger
 
+	// The client meter provider.
+	MeterProvider metrics.MeterProvider
+
 	// The region to send requests to. (Required)
 	Region string
 
@@ -100,6 +105,9 @@ type Options struct {
 	// within your applications.
 	RuntimeEnvironment aws.RuntimeEnvironment
 
+	// The client tracer provider.
+	TracerProvider tracing.TracerProvider
+
 	// The initial DefaultsMode used when the client options were constructed. If the
 	// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
 	// value was at that point in time.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/serializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/serializers.go
index 4c08061c0..96b222136 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/serializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/serializers.go
@@ -11,6 +11,7 @@ import (
 	smithy "github.com/aws/smithy-go"
 	"github.com/aws/smithy-go/encoding/httpbinding"
 	"github.com/aws/smithy-go/middleware"
+	"github.com/aws/smithy-go/tracing"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"path"
 )
@@ -25,6 +26,10 @@ func (*awsAwsquery_serializeOpAssumeRole) ID() string {
 func (m *awsAwsquery_serializeOpAssumeRole) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -76,6 +81,8 @@ func (m *awsAwsquery_serializeOpAssumeRole) HandleSerialize(ctx context.Context,
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 
@@ -89,6 +96,10 @@ func (*awsAwsquery_serializeOpAssumeRoleWithSAML) ID() string {
 func (m *awsAwsquery_serializeOpAssumeRoleWithSAML) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -140,6 +151,8 @@ func (m *awsAwsquery_serializeOpAssumeRoleWithSAML) HandleSerialize(ctx context.
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 
@@ -153,6 +166,10 @@ func (*awsAwsquery_serializeOpAssumeRoleWithWebIdentity) ID() string {
 func (m *awsAwsquery_serializeOpAssumeRoleWithWebIdentity) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -204,6 +221,78 @@ func (m *awsAwsquery_serializeOpAssumeRoleWithWebIdentity) HandleSerialize(ctx c
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
+	return next.HandleSerialize(ctx, in)
+}
+
+type awsAwsquery_serializeOpAssumeRoot struct {
+}
+
+func (*awsAwsquery_serializeOpAssumeRoot) ID() string {
+	return "OperationSerializer"
+}
+
+func (m *awsAwsquery_serializeOpAssumeRoot) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
+	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
+) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
+	request, ok := in.Request.(*smithyhttp.Request)
+	if !ok {
+		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
+	}
+
+	input, ok := in.Parameters.(*AssumeRootInput)
+	_ = input
+	if !ok {
+		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown input parameters type %T", in.Parameters)}
+	}
+
+	operationPath := "/"
+	if len(request.Request.URL.Path) == 0 {
+		request.Request.URL.Path = operationPath
+	} else {
+		request.Request.URL.Path = path.Join(request.Request.URL.Path, operationPath)
+		if request.Request.URL.Path != "/" && operationPath[len(operationPath)-1] == '/' {
+			request.Request.URL.Path += "/"
+		}
+	}
+	request.Request.Method = "POST"
+	httpBindingEncoder, err := httpbinding.NewEncoder(request.URL.Path, request.URL.RawQuery, request.Header)
+	if err != nil {
+		return out, metadata, &smithy.SerializationError{Err: err}
+	}
+	httpBindingEncoder.SetHeader("Content-Type").String("application/x-www-form-urlencoded")
+
+	bodyWriter := bytes.NewBuffer(nil)
+	bodyEncoder := query.NewEncoder(bodyWriter)
+	body := bodyEncoder.Object()
+	body.Key("Action").String("AssumeRoot")
+	body.Key("Version").String("2011-06-15")
+
+	if err := awsAwsquery_serializeOpDocumentAssumeRootInput(input, bodyEncoder.Value); err != nil {
+		return out, metadata, &smithy.SerializationError{Err: err}
+	}
+
+	err = bodyEncoder.Encode()
+	if err != nil {
+		return out, metadata, &smithy.SerializationError{Err: err}
+	}
+
+	if request, err = request.SetStream(bytes.NewReader(bodyWriter.Bytes())); err != nil {
+		return out, metadata, &smithy.SerializationError{Err: err}
+	}
+
+	if request.Request, err = httpBindingEncoder.Encode(request.Request); err != nil {
+		return out, metadata, &smithy.SerializationError{Err: err}
+	}
+	in.Request = request
+
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 
@@ -217,6 +306,10 @@ func (*awsAwsquery_serializeOpDecodeAuthorizationMessage) ID() string {
 func (m *awsAwsquery_serializeOpDecodeAuthorizationMessage) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -268,6 +361,8 @@ func (m *awsAwsquery_serializeOpDecodeAuthorizationMessage) HandleSerialize(ctx
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 
@@ -281,6 +376,10 @@ func (*awsAwsquery_serializeOpGetAccessKeyInfo) ID() string {
 func (m *awsAwsquery_serializeOpGetAccessKeyInfo) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -332,6 +431,8 @@ func (m *awsAwsquery_serializeOpGetAccessKeyInfo) HandleSerialize(ctx context.Co
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 
@@ -345,6 +446,10 @@ func (*awsAwsquery_serializeOpGetCallerIdentity) ID() string {
 func (m *awsAwsquery_serializeOpGetCallerIdentity) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -392,6 +497,8 @@ func (m *awsAwsquery_serializeOpGetCallerIdentity) HandleSerialize(ctx context.C
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 
@@ -405,6 +512,10 @@ func (*awsAwsquery_serializeOpGetFederationToken) ID() string {
 func (m *awsAwsquery_serializeOpGetFederationToken) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -456,6 +567,8 @@ func (m *awsAwsquery_serializeOpGetFederationToken) HandleSerialize(ctx context.
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 
@@ -469,6 +582,10 @@ func (*awsAwsquery_serializeOpGetSessionToken) ID() string {
 func (m *awsAwsquery_serializeOpGetSessionToken) HandleSerialize(ctx context.Context, in middleware.SerializeInput, next middleware.SerializeHandler) (
 	out middleware.SerializeOutput, metadata middleware.Metadata, err error,
 ) {
+	_, span := tracing.StartSpan(ctx, "OperationSerializer")
+	endTimer := startMetricTimer(ctx, "client.call.serialization_duration")
+	defer endTimer()
+	defer span.End()
 	request, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &smithy.SerializationError{Err: fmt.Errorf("unknown transport type %T", in.Request)}
@@ -520,6 +637,8 @@ func (m *awsAwsquery_serializeOpGetSessionToken) HandleSerialize(ctx context.Con
 	}
 	in.Request = request
 
+	endTimer()
+	span.End()
 	return next.HandleSerialize(ctx, in)
 }
 func awsAwsquery_serializeDocumentPolicyDescriptorListType(v []types.PolicyDescriptorType, value query.Value) error {
@@ -772,6 +891,30 @@ func awsAwsquery_serializeOpDocumentAssumeRoleWithWebIdentityInput(v *AssumeRole
 	return nil
 }
 
+func awsAwsquery_serializeOpDocumentAssumeRootInput(v *AssumeRootInput, value query.Value) error {
+	object := value.Object()
+	_ = object
+
+	if v.DurationSeconds != nil {
+		objectKey := object.Key("DurationSeconds")
+		objectKey.Integer(*v.DurationSeconds)
+	}
+
+	if v.TargetPrincipal != nil {
+		objectKey := object.Key("TargetPrincipal")
+		objectKey.String(*v.TargetPrincipal)
+	}
+
+	if v.TaskPolicyArn != nil {
+		objectKey := object.Key("TaskPolicyArn")
+		if err := awsAwsquery_serializeDocumentPolicyDescriptorType(v.TaskPolicyArn, objectKey); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func awsAwsquery_serializeOpDocumentDecodeAuthorizationMessageInput(v *DecodeAuthorizationMessageInput, value query.Value) error {
 	object := value.Object()
 	_ = object
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
index 9573a4b64..041629bba 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
@@ -95,8 +95,8 @@ func (e *IDPRejectedClaimException) ErrorCode() string {
 func (e *IDPRejectedClaimException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
 
 // The error returned if the message passed to DecodeAuthorizationMessage was
-// invalid. This can happen if the token contains invalid characters, such as
-// linebreaks.
+// invalid. This can happen if the token contains invalid characters, such as line
+// breaks, or if the message has expired.
 type InvalidAuthorizationMessageException struct {
 	Message *string
 
@@ -218,10 +218,10 @@ func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return
 
 // STS is not activated in the requested region for the account that is being
 // asked to generate credentials. The account administrator must use the IAM
-// console to activate STS in that region. For more information, see [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]in the IAM
+// console to activate STS in that region. For more information, see [Activating and Deactivating STS in an Amazon Web Services Region]in the IAM
 // User Guide.
 //
-// [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+// [Activating and Deactivating STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
 type RegionDisabledException struct {
 	Message *string
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/validators.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/validators.go
index 3e4bad2a9..1026e2211 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/validators.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/validators.go
@@ -70,6 +70,26 @@ func (m *validateOpAssumeRoleWithWebIdentity) HandleInitialize(ctx context.Conte
 	return next.HandleInitialize(ctx, in)
 }
 
+type validateOpAssumeRoot struct {
+}
+
+func (*validateOpAssumeRoot) ID() string {
+	return "OperationInputValidation"
+}
+
+func (m *validateOpAssumeRoot) HandleInitialize(ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) (
+	out middleware.InitializeOutput, metadata middleware.Metadata, err error,
+) {
+	input, ok := in.Parameters.(*AssumeRootInput)
+	if !ok {
+		return out, metadata, fmt.Errorf("unknown input parameters type %T", in.Parameters)
+	}
+	if err := validateOpAssumeRootInput(input); err != nil {
+		return out, metadata, err
+	}
+	return next.HandleInitialize(ctx, in)
+}
+
 type validateOpDecodeAuthorizationMessage struct {
 }
 
@@ -142,6 +162,10 @@ func addOpAssumeRoleWithWebIdentityValidationMiddleware(stack *middleware.Stack)
 	return stack.Initialize.Add(&validateOpAssumeRoleWithWebIdentity{}, middleware.After)
 }
 
+func addOpAssumeRootValidationMiddleware(stack *middleware.Stack) error {
+	return stack.Initialize.Add(&validateOpAssumeRoot{}, middleware.After)
+}
+
 func addOpDecodeAuthorizationMessageValidationMiddleware(stack *middleware.Stack) error {
 	return stack.Initialize.Add(&validateOpDecodeAuthorizationMessage{}, middleware.After)
 }
@@ -254,6 +278,24 @@ func validateOpAssumeRoleWithWebIdentityInput(v *AssumeRoleWithWebIdentityInput)
 	}
 }
 
+func validateOpAssumeRootInput(v *AssumeRootInput) error {
+	if v == nil {
+		return nil
+	}
+	invalidParams := smithy.InvalidParamsError{Context: "AssumeRootInput"}
+	if v.TargetPrincipal == nil {
+		invalidParams.Add(smithy.NewErrParamRequired("TargetPrincipal"))
+	}
+	if v.TaskPolicyArn == nil {
+		invalidParams.Add(smithy.NewErrParamRequired("TaskPolicyArn"))
+	}
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	} else {
+		return nil
+	}
+}
+
 func validateOpDecodeAuthorizationMessageInput(v *DecodeAuthorizationMessageInput) error {
 	if v == nil {
 		return nil
diff --git a/vendor/github.com/aws/smithy-go/CHANGELOG.md b/vendor/github.com/aws/smithy-go/CHANGELOG.md
index 56b19e3a1..4df632dce 100644
--- a/vendor/github.com/aws/smithy-go/CHANGELOG.md
+++ b/vendor/github.com/aws/smithy-go/CHANGELOG.md
@@ -1,3 +1,23 @@
+# Release (2025-02-17)
+
+## General Highlights
+* **Dependency Update**: Updated to the latest SDK module versions
+
+## Module Highlights
+* `github.com/aws/smithy-go`: v1.22.3
+  * **Bug Fix**: Fix HTTP metrics data race.
+  * **Bug Fix**: Replace usages of deprecated ioutil package.
+
+# Release (2025-01-21)
+
+## General Highlights
+* **Dependency Update**: Updated to the latest SDK module versions
+
+## Module Highlights
+* `github.com/aws/smithy-go`: v1.22.2
+  * **Bug Fix**: Fix HTTP metrics data race.
+  * **Bug Fix**: Replace usages of deprecated ioutil package.
+
 # Release (2024-11-15)
 
 ## General Highlights
diff --git a/vendor/github.com/aws/smithy-go/CONTRIBUTING.md b/vendor/github.com/aws/smithy-go/CONTRIBUTING.md
index c4b6a1c50..1f8d01ff6 100644
--- a/vendor/github.com/aws/smithy-go/CONTRIBUTING.md
+++ b/vendor/github.com/aws/smithy-go/CONTRIBUTING.md
@@ -39,6 +39,37 @@ To send us a pull request, please:
 GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
 [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
 
+### Changelog Documents
+
+(You can SKIP this step if you are only changing the code generator, and not the runtime).
+
+When submitting a pull request please include a changelog file on a folder named `.changelog`.
+These are used to generate the content `CHANGELOG.md` and Release Notes. The format of the file is as follows:
+
+```
+{
+    "id": "12345678-1234-1234-1234-123456789012"
+    "type": "bugfix"
+    "collapse": true
+    "description": "Fix improper use of printf-style functions.",
+    "modules": [
+        "."
+    ]
+}
+```
+
+* id: a UUID. This should also be used for the name of the file, so if your id is `12345678-1234-1234-1234-123456789012` the file should be named `12345678-1234-1234-1234-123456789012.json/`
+* type: one of the following:
+ * bugfix: Fixing an existing bug
+ * Feature: Adding a new feature to an existing service
+ * Release: Releasing a new module
+ * Dependency: Updating dependencies
+ * Announcement: Making an announcement, like deprecation of a module
+* collapse: whether this change should appear separately on the release notes on every module listed on `modules` (`"collapse": false`), or if it should show up as a single entry (`"collapse": true`)
+ * For the smithy-go repository this should always be `false`
+* description: Description of this change. Most of the times is the same as the title of the PR
+* modules: which Go modules does this change impact. The root module is expressed as "."
+
 
 ## Finding contributions to work on
 Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
diff --git a/vendor/github.com/aws/smithy-go/Makefile b/vendor/github.com/aws/smithy-go/Makefile
index e66fa8cac..a3c2cf173 100644
--- a/vendor/github.com/aws/smithy-go/Makefile
+++ b/vendor/github.com/aws/smithy-go/Makefile
@@ -98,5 +98,12 @@ module-version:
 ##############
 .PHONY: install-changelog
 
+external-changelog:
+	mkdir -p .changelog
+	cp changelog-template.json .changelog/00000000-0000-0000-0000-000000000000.json
+	@echo "Generate a new UUID and update the file at .changelog/00000000-0000-0000-0000-000000000000.json"
+	@echo "Make sure to rename the file with your new id, like .changelog/12345678-1234-1234-1234-123456789012.json"
+	@echo "See CONTRIBUTING.md 'Changelog Documents' and an example at https://github.com/aws/smithy-go/pull/543/files"
+
 install-changelog:
 	go install ${REPOTOOLS_MODULE}/cmd/changelog@${REPOTOOLS_VERSION}
diff --git a/vendor/github.com/aws/smithy-go/changelog-template.json b/vendor/github.com/aws/smithy-go/changelog-template.json
new file mode 100644
index 000000000..d36e2b3e1
--- /dev/null
+++ b/vendor/github.com/aws/smithy-go/changelog-template.json
@@ -0,0 +1,9 @@
+{
+    "id": "00000000-0000-0000-0000-000000000000",
+    "type": "feature|bugfix|dependency",
+    "description": "Description of your changes",
+    "collapse": false,
+    "modules": [
+        "."
+    ]
+}
diff --git a/vendor/github.com/aws/smithy-go/go_module_metadata.go b/vendor/github.com/aws/smithy-go/go_module_metadata.go
index 212eae4fa..d12d95891 100644
--- a/vendor/github.com/aws/smithy-go/go_module_metadata.go
+++ b/vendor/github.com/aws/smithy-go/go_module_metadata.go
@@ -3,4 +3,4 @@
 package smithy
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.22.1"
+const goModuleVersion = "1.22.3"
diff --git a/vendor/github.com/aws/smithy-go/transport/http/host.go b/vendor/github.com/aws/smithy-go/transport/http/host.go
index 6b290fec0..db9801bea 100644
--- a/vendor/github.com/aws/smithy-go/transport/http/host.go
+++ b/vendor/github.com/aws/smithy-go/transport/http/host.go
@@ -69,7 +69,7 @@ func ValidPortNumber(port string) bool {
 	return true
 }
 
-// ValidHostLabel returns whether the label is a valid RFC 3986 host abel.
+// ValidHostLabel returns whether the label is a valid RFC 3986 host label.
 func ValidHostLabel(label string) bool {
 	if l := len(label); l == 0 || l > 63 {
 		return false
diff --git a/vendor/github.com/aws/smithy-go/transport/http/metrics.go b/vendor/github.com/aws/smithy-go/transport/http/metrics.go
index ab1101394..d1beaa595 100644
--- a/vendor/github.com/aws/smithy-go/transport/http/metrics.go
+++ b/vendor/github.com/aws/smithy-go/transport/http/metrics.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"net/http"
 	"net/http/httptrace"
+	"sync/atomic"
 	"time"
 
 	"github.com/aws/smithy-go/metrics"
@@ -42,10 +43,10 @@ type timedClientDo struct {
 }
 
 func (c *timedClientDo) Do(r *http.Request) (*http.Response, error) {
-	c.hm.doStart = now()
+	c.hm.doStart.Store(now())
 	resp, err := c.ClientDo.Do(r)
 
-	c.hm.DoRequestDuration.Record(r.Context(), elapsed(c.hm.doStart))
+	c.hm.DoRequestDuration.Record(r.Context(), c.hm.doStart.Elapsed())
 	return resp, err
 }
 
@@ -58,10 +59,10 @@ type httpMetrics struct {
 	DoRequestDuration metrics.Float64Histogram // client.http.do_request_duration
 	TimeToFirstByte   metrics.Float64Histogram // client.http.time_to_first_byte
 
-	doStart      time.Time
-	dnsStart     time.Time
-	connectStart time.Time
-	tlsStart     time.Time
+	doStart      safeTime
+	dnsStart     safeTime
+	connectStart safeTime
+	tlsStart     safeTime
 }
 
 func newHTTPMetrics(meter metrics.Meter) (*httpMetrics, error) {
@@ -115,15 +116,15 @@ func newHTTPMetrics(meter metrics.Meter) (*httpMetrics, error) {
 }
 
 func (m *httpMetrics) DNSStart(httptrace.DNSStartInfo) {
-	m.dnsStart = now()
+	m.dnsStart.Store(now())
 }
 
 func (m *httpMetrics) ConnectStart(string, string) {
-	m.connectStart = now()
+	m.connectStart.Store(now())
 }
 
 func (m *httpMetrics) TLSHandshakeStart() {
-	m.tlsStart = now()
+	m.tlsStart.Store(now())
 }
 
 func (m *httpMetrics) GotConn(ctx context.Context) func(httptrace.GotConnInfo) {
@@ -140,25 +141,25 @@ func (m *httpMetrics) PutIdleConn(ctx context.Context) func(error) {
 
 func (m *httpMetrics) DNSDone(ctx context.Context) func(httptrace.DNSDoneInfo) {
 	return func(httptrace.DNSDoneInfo) {
-		m.DNSLookupDuration.Record(ctx, elapsed(m.dnsStart))
+		m.DNSLookupDuration.Record(ctx, m.dnsStart.Elapsed())
 	}
 }
 
 func (m *httpMetrics) ConnectDone(ctx context.Context) func(string, string, error) {
 	return func(string, string, error) {
-		m.ConnectDuration.Record(ctx, elapsed(m.connectStart))
+		m.ConnectDuration.Record(ctx, m.connectStart.Elapsed())
 	}
 }
 
 func (m *httpMetrics) TLSHandshakeDone(ctx context.Context) func(tls.ConnectionState, error) {
 	return func(tls.ConnectionState, error) {
-		m.TLSHandshakeDuration.Record(ctx, elapsed(m.tlsStart))
+		m.TLSHandshakeDuration.Record(ctx, m.tlsStart.Elapsed())
 	}
 }
 
 func (m *httpMetrics) GotFirstResponseByte(ctx context.Context) func() {
 	return func() {
-		m.TimeToFirstByte.Record(ctx, elapsed(m.doStart))
+		m.TimeToFirstByte.Record(ctx, m.doStart.Elapsed())
 	}
 }
 
@@ -177,8 +178,21 @@ func (m *httpMetrics) addConnIdle(ctx context.Context, incr int64) {
 	})
 }
 
-func elapsed(start time.Time) float64 {
+type safeTime struct {
+	atomic.Value // time.Time
+}
+
+func (st *safeTime) Store(v time.Time) {
+	st.Value.Store(v)
+}
+
+func (st *safeTime) Load() time.Time {
+	t, _ := st.Value.Load().(time.Time)
+	return t
+}
+
+func (st *safeTime) Elapsed() float64 {
 	end := now()
-	elapsed := end.Sub(start)
+	elapsed := end.Sub(st.Load())
 	return float64(elapsed) / 1e9
 }
diff --git a/vendor/github.com/aws/smithy-go/transport/http/middleware_close_response_body.go b/vendor/github.com/aws/smithy-go/transport/http/middleware_close_response_body.go
index 1d3b218a1..914338f2e 100644
--- a/vendor/github.com/aws/smithy-go/transport/http/middleware_close_response_body.go
+++ b/vendor/github.com/aws/smithy-go/transport/http/middleware_close_response_body.go
@@ -2,10 +2,10 @@ package http
 
 import (
 	"context"
+	"io"
+
 	"github.com/aws/smithy-go/logging"
 	"github.com/aws/smithy-go/middleware"
-	"io"
-	"io/ioutil"
 )
 
 // AddErrorCloseResponseBodyMiddleware adds the middleware to automatically
@@ -30,7 +30,7 @@ func (m *errorCloseResponseBodyMiddleware) HandleDeserialize(
 	if err != nil {
 		if resp, ok := out.RawResponse.(*Response); ok && resp != nil && resp.Body != nil {
 			// Consume the full body to prevent TCP connection resets on some platforms
-			_, _ = io.Copy(ioutil.Discard, resp.Body)
+			_, _ = io.Copy(io.Discard, resp.Body)
 			// Do not validate that the response closes successfully.
 			resp.Body.Close()
 		}
@@ -64,7 +64,7 @@ func (m *closeResponseBody) HandleDeserialize(
 
 	if resp, ok := out.RawResponse.(*Response); ok {
 		// Consume the full body to prevent TCP connection resets on some platforms
-		_, copyErr := io.Copy(ioutil.Discard, resp.Body)
+		_, copyErr := io.Copy(io.Discard, resp.Body)
 		if copyErr != nil {
 			middleware.GetLogger(ctx).Logf(logging.Warn, "failed to discard remaining HTTP response body, this may affect connection reuse")
 		}
diff --git a/vendor/github.com/aws/smithy-go/transport/http/request.go b/vendor/github.com/aws/smithy-go/transport/http/request.go
index 7177d6f95..5cbf6f10a 100644
--- a/vendor/github.com/aws/smithy-go/transport/http/request.go
+++ b/vendor/github.com/aws/smithy-go/transport/http/request.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -167,7 +166,7 @@ func (r *Request) Build(ctx context.Context) *http.Request {
 
 	switch stream := r.stream.(type) {
 	case *io.PipeReader:
-		req.Body = ioutil.NopCloser(stream)
+		req.Body = io.NopCloser(stream)
 		req.ContentLength = -1
 	default:
 		// HTTP Client Request must only have a non-nil body if the
@@ -175,7 +174,7 @@ func (r *Request) Build(ctx context.Context) *http.Request {
 		// Client will interpret a non-nil body and ContentLength 0 as
 		// "unknown". This is unwanted behavior.
 		if req.ContentLength != 0 && r.stream != nil {
-			req.Body = iointernal.NewSafeReadCloser(ioutil.NopCloser(stream))
+			req.Body = iointernal.NewSafeReadCloser(io.NopCloser(stream))
 		}
 	}
 
diff --git a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
new file mode 100644
index 000000000..cb1252b53
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
@@ -0,0 +1,209 @@
+# Changelog #
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased] ##
+
+## [0.3.6] - 2024-12-17 ##
+
+### Compatibility ###
+- The minimum Go version requirement for `filepath-securejoin` is now Go 1.18
+  (we use generics internally).
+
+  For reference, `filepath-securejoin@v0.3.0` somewhat-arbitrarily bumped the
+  Go version requirement to 1.21.
+
+  While we did make some use of Go 1.21 stdlib features (and in principle Go
+  versions <= 1.21 are no longer even supported by upstream anymore), some
+  downstreams have complained that the version bump has meant that they have to
+  do workarounds when backporting fixes that use the new `filepath-securejoin`
+  API onto old branches. This is not an ideal situation, but since using this
+  library is probably better for most downstreams than a hand-rolled
+  workaround, we now have compatibility shims that allow us to build on older
+  Go versions.
+- Lower minimum version requirement for `golang.org/x/sys` to `v0.18.0` (we
+  need the wrappers for `fsconfig(2)`), which should also make backporting
+  patches to older branches easier.
+
+## [0.3.5] - 2024-12-06 ##
+
+### Fixed ###
+- `MkdirAll` will now no longer return an `EEXIST` error if two racing
+  processes are creating the same directory. We will still verify that the path
+  is a directory, but this will avoid spurious errors when multiple threads or
+  programs are trying to `MkdirAll` the same path. opencontainers/runc#4543
+
+## [0.3.4] - 2024-10-09 ##
+
+### Fixed ###
+- Previously, some testing mocks we had resulted in us doing `import "testing"`
+  in non-`_test.go` code, which made some downstreams like Kubernetes unhappy.
+  This has been fixed. (#32)
+
+## [0.3.3] - 2024-09-30 ##
+
+### Fixed ###
+- The mode and owner verification logic in `MkdirAll` has been removed. This
+  was originally intended to protect against some theoretical attacks but upon
+  further consideration these protections don't actually buy us anything and
+  they were causing spurious errors with more complicated filesystem setups.
+- The "is the created directory empty" logic in `MkdirAll` has also been
+  removed. This was not causing us issues yet, but some pseudofilesystems (such
+  as `cgroup`) create non-empty directories and so this logic would've been
+  wrong for such cases.
+
+## [0.3.2] - 2024-09-13 ##
+
+### Changed ###
+- Passing the `S_ISUID` or `S_ISGID` modes to `MkdirAllInRoot` will now return
+  an explicit error saying that those bits are ignored by `mkdirat(2)`. In the
+  past a different error was returned, but since the silent ignoring behaviour
+  is codified in the man pages a more explicit error seems apt. While silently
+  ignoring these bits would be the most compatible option, it could lead to
+  users thinking their code sets these bits when it doesn't. Programs that need
+  to deal with compatibility can mask the bits themselves. (#23, #25)
+
+### Fixed ###
+- If a directory has `S_ISGID` set, then all child directories will have
+  `S_ISGID` set when created and a different gid will be used for any inode
+  created under the directory. Previously, the "expected owner and mode"
+  validation in `securejoin.MkdirAll` did not correctly handle this. We now
+  correctly handle this case. (#24, #25)
+
+## [0.3.1] - 2024-07-23 ##
+
+### Changed ###
+- By allowing `Open(at)InRoot` to opt-out of the extra work done by `MkdirAll`
+  to do the necessary "partial lookups", `Open(at)InRoot` now does less work
+  for both implementations (resulting in a many-fold decrease in the number of
+  operations for `openat2`, and a modest improvement for non-`openat2`) and is
+  far more guaranteed to match the correct `openat2(RESOLVE_IN_ROOT)`
+  behaviour.
+- We now use `readlinkat(fd, "")` where possible. For `Open(at)InRoot` this
+  effectively just means that we no longer risk getting spurious errors during
+  rename races. However, for our hardened procfs handler, this in theory should
+  prevent mount attacks from tricking us when doing magic-link readlinks (even
+  when using the unsafe host `/proc` handle). Unfortunately `Reopen` is still
+  potentially vulnerable to those kinds of somewhat-esoteric attacks.
+
+  Technically this [will only work on post-2.6.39 kernels][linux-readlinkat-emptypath]
+  but it seems incredibly unlikely anyone is using `filepath-securejoin` on a
+  pre-2011 kernel.
+
+### Fixed ###
+- Several improvements were made to the errors returned by `Open(at)InRoot` and
+  `MkdirAll` when dealing with invalid paths under the emulated (ie.
+  non-`openat2`) implementation. Previously, some paths would return the wrong
+  error (`ENOENT` when the last component was a non-directory), and other paths
+  would be returned as though they were acceptable (trailing-slash components
+  after a non-directory would be ignored by `Open(at)InRoot`).
+
+  These changes were done to match `openat2`'s behaviour and purely is a
+  consistency fix (most users are going to be using `openat2` anyway).
+
+[linux-readlinkat-emptypath]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=65cfc6722361570bfe255698d9cd4dccaf47570d
+
+## [0.3.0] - 2024-07-11 ##
+
+### Added ###
+- A new set of `*os.File`-based APIs have been added. These are adapted from
+  [libpathrs][] and we strongly suggest using them if possible (as they provide
+  far more protection against attacks than `SecureJoin`):
+
+   - `Open(at)InRoot` resolves a path inside a rootfs and returns an `*os.File`
+     handle to the path. Note that the handle returned is an `O_PATH` handle,
+     which cannot be used for reading or writing (as well as some other
+     operations -- [see open(2) for more details][open.2])
+
+   - `Reopen` takes an `O_PATH` file handle and safely re-opens it to upgrade
+     it to a regular handle. This can also be used with non-`O_PATH` handles,
+     but `O_PATH` is the most obvious application.
+
+   - `MkdirAll` is an implementation of `os.MkdirAll` that is safe to use to
+     create a directory tree within a rootfs.
+
+  As these are new APIs, they may change in the future. However, they should be
+  safe to start migrating to as we have extensive tests ensuring they behave
+  correctly and are safe against various races and other attacks.
+
+[libpathrs]: https://github.com/openSUSE/libpathrs
+[open.2]: https://www.man7.org/linux/man-pages/man2/open.2.html
+
+## [0.2.5] - 2024-05-03 ##
+
+### Changed ###
+- Some minor changes were made to how lexical components (like `..` and `.`)
+  are handled during path generation in `SecureJoin`. There is no behaviour
+  change as a result of this fix (the resulting paths are the same).
+
+### Fixed ###
+- The error returned when we hit a symlink loop now references the correct
+  path. (#10)
+
+## [0.2.4] - 2023-09-06 ##
+
+### Security ###
+- This release fixes a potential security issue in filepath-securejoin when
+  used on Windows ([GHSA-6xv5-86q9-7xr8][], which could be used to generate
+  paths outside of the provided rootfs in certain cases), as well as improving
+  the overall behaviour of filepath-securejoin when dealing with Windows paths
+  that contain volume names. Thanks to Paulo Gomes for discovering and fixing
+  these issues.
+
+### Fixed ###
+- Switch to GitHub Actions for CI so we can test on Windows as well as Linux
+  and MacOS.
+
+[GHSA-6xv5-86q9-7xr8]: https://github.com/advisories/GHSA-6xv5-86q9-7xr8
+
+## [0.2.3] - 2021-06-04 ##
+
+### Changed ###
+- Switch to Go 1.13-style `%w` error wrapping, letting us drop the dependency
+  on `github.com/pkg/errors`.
+
+## [0.2.2] - 2018-09-05 ##
+
+### Changed ###
+- Use `syscall.ELOOP` as the base error for symlink loops, rather than our own
+  (internal) error. This allows callers to more easily use `errors.Is` to check
+  for this case.
+
+## [0.2.1] - 2018-09-05 ##
+
+### Fixed ###
+- Use our own `IsNotExist` implementation, which lets us handle `ENOTDIR`
+  properly within `SecureJoin`.
+
+## [0.2.0] - 2017-07-19 ##
+
+We now have 100% test coverage!
+
+### Added ###
+- Add a `SecureJoinVFS` API that can be used for mocking (as we do in our new
+  tests) or for implementing custom handling of lookup operations (such as for
+  rootless containers, where work is necessary to access directories with weird
+  modes because we don't have `CAP_DAC_READ_SEARCH` or `CAP_DAC_OVERRIDE`).
+
+## 0.1.0 - 2017-07-19
+
+This is our first release of `github.com/cyphar/filepath-securejoin`,
+containing a full implementation with a coverage of 93.5% (the only missing
+cases are the error cases, which are hard to mocktest at the moment).
+
+[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.6...HEAD
+[0.3.6]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.3.6
+[0.3.5]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.4...v0.3.5
+[0.3.4]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.3...v0.3.4
+[0.3.3]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.2...v0.3.3
+[0.3.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.1...v0.3.2
+[0.3.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.0...v0.3.1
+[0.3.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.5...v0.3.0
+[0.2.5]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.4...v0.2.5
+[0.2.4]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4
+[0.2.3]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.2...v0.2.3
+[0.2.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.1...v0.2.2
+[0.2.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.0...v0.2.1
+[0.2.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.1.0...v0.2.0
diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
index bec842f29..cb1ab88da 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/LICENSE
+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
@@ -1,5 +1,5 @@
 Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
-Copyright (C) 2017 SUSE LLC. All rights reserved.
+Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md
index 4eca0f235..eaeb53fcd 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/README.md
+++ b/vendor/github.com/cyphar/filepath-securejoin/README.md
@@ -1,32 +1,26 @@
 ## `filepath-securejoin` ##
 
+[![Go Documentation](https://pkg.go.dev/badge/github.com/cyphar/filepath-securejoin.svg)](https://pkg.go.dev/github.com/cyphar/filepath-securejoin)
 [![Build Status](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml/badge.svg)](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml)
 
-An implementation of `SecureJoin`, a [candidate for inclusion in the Go
-standard library][go#20126]. The purpose of this function is to be a "secure"
-alternative to `filepath.Join`, and in particular it provides certain
-guarantees that are not provided by `filepath.Join`.
-
-> **NOTE**: This code is *only* safe if you are not at risk of other processes
-> modifying path components after you've used `SecureJoin`. If it is possible
-> for a malicious process to modify path components of the resolved path, then
-> you will be vulnerable to some fairly trivial TOCTOU race conditions. [There
-> are some Linux kernel patches I'm working on which might allow for a better
-> solution.][lwn-obeneath]
->
-> In addition, with a slightly modified API it might be possible to use
-> `O_PATH` and verify that the opened path is actually the resolved one -- but
-> I have not done that yet. I might add it in the future as a helper function
-> to help users verify the path (we can't just return `/proc/self/fd/<foo>`
-> because that doesn't always work transparently for all users).
-
-This is the function prototype:
+### Old API ###
 
-```go
-func SecureJoin(root, unsafePath string) (string, error)
-```
+This library was originally just an implementation of `SecureJoin` which was
+[intended to be included in the Go standard library][go#20126] as a safer
+`filepath.Join` that would restrict the path lookup to be inside a root
+directory.
+
+The implementation was based on code that existed in several container
+runtimes. Unfortunately, this API is **fundamentally unsafe** against attackers
+that can modify path components after `SecureJoin` returns and before the
+caller uses the path, allowing for some fairly trivial TOCTOU attacks.
+
+`SecureJoin` (and `SecureJoinVFS`) are still provided by this library to
+support legacy users, but new users are strongly suggested to avoid using
+`SecureJoin` and instead use the [new api](#new-api) or switch to
+[libpathrs][libpathrs].
 
-This library **guarantees** the following:
+With the above limitations in mind, this library guarantees the following:
 
 * If no error is set, the resulting string **must** be a child path of
   `root` and will not contain any symlink path components (they will all be
@@ -47,7 +41,7 @@ This library **guarantees** the following:
 A (trivial) implementation of this function on GNU/Linux systems could be done
 with the following (note that this requires root privileges and is far more
 opaque than the implementation in this library, and also requires that
-`readlink` is inside the `root` path):
+`readlink` is inside the `root` path and is trustworthy):
 
 ```go
 package securejoin
@@ -70,9 +64,105 @@ func SecureJoin(root, unsafePath string) (string, error) {
 }
 ```
 
-[lwn-obeneath]: https://lwn.net/Articles/767547/
+[libpathrs]: https://github.com/openSUSE/libpathrs
 [go#20126]: https://github.com/golang/go/issues/20126
 
+### New API ###
+
+While we recommend users switch to [libpathrs][libpathrs] as soon as it has a
+stable release, some methods implemented by libpathrs have been ported to this
+library to ease the transition. These APIs are only supported on Linux.
+
+These APIs are implemented such that `filepath-securejoin` will
+opportunistically use certain newer kernel APIs that make these operations far
+more secure. In particular:
+
+* All of the lookup operations will use [`openat2`][openat2.2] on new enough
+  kernels (Linux 5.6 or later) to restrict lookups through magic-links and
+  bind-mounts (for certain operations) and to make use of `RESOLVE_IN_ROOT` to
+  efficiently resolve symlinks within a rootfs.
+
+* The APIs provide hardening against a malicious `/proc` mount to either detect
+  or avoid being tricked by a `/proc` that is not legitimate. This is done
+  using [`openat2`][openat2.2] for all users, and privileged users will also be
+  further protected by using [`fsopen`][fsopen.2] and [`open_tree`][open_tree.2]
+  (Linux 5.2 or later).
+
+[openat2.2]: https://www.man7.org/linux/man-pages/man2/openat2.2.html
+[fsopen.2]: https://github.com/brauner/man-pages-md/blob/main/fsopen.md
+[open_tree.2]: https://github.com/brauner/man-pages-md/blob/main/open_tree.md
+
+#### `OpenInRoot` ####
+
+```go
+func OpenInRoot(root, unsafePath string) (*os.File, error)
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error)
+func Reopen(handle *os.File, flags int) (*os.File, error)
+```
+
+`OpenInRoot` is a much safer version of
+
+```go
+path, err := securejoin.SecureJoin(root, unsafePath)
+file, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+```
+
+that protects against various race attacks that could lead to serious security
+issues, depending on the application. Note that the returned `*os.File` is an
+`O_PATH` file descriptor, which is quite restricted. Callers will probably need
+to use `Reopen` to get a more usable handle (this split is done to provide
+useful features like PTY spawning and to avoid users accidentally opening bad
+inodes that could cause a DoS).
+
+Callers need to be careful in how they use the returned `*os.File`. Usually it
+is only safe to operate on the handle directly, and it is very easy to create a
+security issue. [libpathrs][libpathrs] provides far more helpers to make using
+these handles safer -- there is currently no plan to port them to
+`filepath-securejoin`.
+
+`OpenatInRoot` is like `OpenInRoot` except that the root is provided using an
+`*os.File`. This allows you to ensure that multiple `OpenatInRoot` (or
+`MkdirAllHandle`) calls are operating on the same rootfs.
+
+> **NOTE**: Unlike `SecureJoin`, `OpenInRoot` will error out as soon as it hits
+> a dangling symlink or non-existent path. This is in contrast to `SecureJoin`
+> which treated non-existent components as though they were real directories,
+> and would allow for partial resolution of dangling symlinks. These behaviours
+> are at odds with how Linux treats non-existent paths and dangling symlinks,
+> and so these are no longer allowed.
+
+#### `MkdirAll` ####
+
+```go
+func MkdirAll(root, unsafePath string, mode int) error
+func MkdirAllHandle(root *os.File, unsafePath string, mode int) (*os.File, error)
+```
+
+`MkdirAll` is a much safer version of
+
+```go
+path, err := securejoin.SecureJoin(root, unsafePath)
+err = os.MkdirAll(path, mode)
+```
+
+that protects against the same kinds of races that `OpenInRoot` protects
+against.
+
+`MkdirAllHandle` is like `MkdirAll` except that the root is provided using an
+`*os.File` (the reason for this is the same as with `OpenatInRoot`) and an
+`*os.File` of the final created directory is returned (this directory is
+guaranteed to be effectively identical to the directory created by
+`MkdirAllHandle`, which is not possible to ensure by just using `OpenatInRoot`
+after `MkdirAll`).
+
+> **NOTE**: Unlike `SecureJoin`, `MkdirAll` will error out as soon as it hits
+> a dangling symlink or non-existent path. This is in contrast to `SecureJoin`
+> which treated non-existent components as though they were real directories,
+> and would allow for partial resolution of dangling symlinks. These behaviours
+> are at odds with how Linux treats non-existent paths and dangling symlinks,
+> and so these are no longer allowed. This means that `MkdirAll` will not
+> create non-existent directories referenced by a dangling symlink.
+
 ### License ###
 
 The license of this project is the same as Go, which is a BSD 3-clause license
diff --git a/vendor/github.com/cyphar/filepath-securejoin/VERSION b/vendor/github.com/cyphar/filepath-securejoin/VERSION
index 3a4036fb4..449d7e73a 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/VERSION
+++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION
@@ -1 +1 @@
-0.2.5
+0.3.6
diff --git a/vendor/github.com/cyphar/filepath-securejoin/doc.go b/vendor/github.com/cyphar/filepath-securejoin/doc.go
new file mode 100644
index 000000000..1ec7d065e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/doc.go
@@ -0,0 +1,39 @@
+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package securejoin implements a set of helpers to make it easier to write Go
+// code that is safe against symlink-related escape attacks. The primary idea
+// is to let you resolve a path within a rootfs directory as if the rootfs was
+// a chroot.
+//
+// securejoin has two APIs, a "legacy" API and a "modern" API.
+//
+// The legacy API is [SecureJoin] and [SecureJoinVFS]. These methods are
+// **not** safe against race conditions where an attacker changes the
+// filesystem after (or during) the [SecureJoin] operation.
+//
+// The new API is made up of [OpenInRoot] and [MkdirAll] (and derived
+// functions). These are safe against racing attackers and have several other
+// protections that are not provided by the legacy API. There are many more
+// operations that most programs expect to be able to do safely, but we do not
+// provide explicit support for them because we want to encourage users to
+// switch to [libpathrs](https://github.com/openSUSE/libpathrs) which is a
+// cross-language next-generation library that is entirely designed around
+// operating on paths safely.
+//
+// securejoin has been used by several container runtimes (Docker, runc,
+// Kubernetes, etc) for quite a few years as a de-facto standard for operating
+// on container filesystem paths "safely". However, most users still use the
+// legacy API which is unsafe against various attacks (there is a fairly long
+// history of CVEs in dependent as a result). Users should switch to the modern
+// API as soon as possible (or even better, switch to libpathrs).
+//
+// This project was initially intended to be included in the Go standard
+// library, but [it was rejected](https://go.dev/issue/20126). There is now a
+// [new Go proposal](https://go.dev/issue/67002) for a safe path resolution API
+// that shares some of the goals of filepath-securejoin. However, that design
+// is intended to work like `openat2(RESOLVE_BENEATH)` which does not fit the
+// usecase of container runtimes and most system tools.
+package securejoin
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go
new file mode 100644
index 000000000..42452bbf9
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go
@@ -0,0 +1,18 @@
+//go:build linux && go1.20
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+)
+
+// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
+// is only guaranteed to give you baseErr.
+func wrapBaseError(baseErr, extraErr error) error {
+	return fmt.Errorf("%w: %w", extraErr, baseErr)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go
new file mode 100644
index 000000000..e7adca3fd
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go
@@ -0,0 +1,38 @@
+//go:build linux && !go1.20
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+)
+
+type wrappedError struct {
+	inner   error
+	isError error
+}
+
+func (err wrappedError) Is(target error) bool {
+	return err.isError == target
+}
+
+func (err wrappedError) Unwrap() error {
+	return err.inner
+}
+
+func (err wrappedError) Error() string {
+	return fmt.Sprintf("%v: %v", err.isError, err.inner)
+}
+
+// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
+// is only guaranteed to give you baseErr.
+func wrapBaseError(baseErr, extraErr error) error {
+	return wrappedError{
+		inner:   baseErr,
+		isError: extraErr,
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go
new file mode 100644
index 000000000..ddd6fa9a4
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go
@@ -0,0 +1,32 @@
+//go:build linux && go1.21
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"slices"
+	"sync"
+)
+
+func slices_DeleteFunc[S ~[]E, E any](slice S, delFn func(E) bool) S {
+	return slices.DeleteFunc(slice, delFn)
+}
+
+func slices_Contains[S ~[]E, E comparable](slice S, val E) bool {
+	return slices.Contains(slice, val)
+}
+
+func slices_Clone[S ~[]E, E any](slice S) S {
+	return slices.Clone(slice)
+}
+
+func sync_OnceValue[T any](f func() T) func() T {
+	return sync.OnceValue(f)
+}
+
+func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	return sync.OnceValues(f)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go
new file mode 100644
index 000000000..f1e6fe7e7
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go
@@ -0,0 +1,124 @@
+//go:build linux && !go1.21
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"sync"
+)
+
+// These are very minimal implementations of functions that appear in Go 1.21's
+// stdlib, included so that we can build on older Go versions. Most are
+// borrowed directly from the stdlib, and a few are modified to be "obviously
+// correct" without needing to copy too many other helpers.
+
+// clearSlice is equivalent to the builtin clear from Go 1.21.
+// Copied from the Go 1.24 stdlib implementation.
+func clearSlice[S ~[]E, E any](slice S) {
+	var zero E
+	for i := range slice {
+		slice[i] = zero
+	}
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func slices_IndexFunc[S ~[]E, E any](s S, f func(E) bool) int {
+	for i := range s {
+		if f(s[i]) {
+			return i
+		}
+	}
+	return -1
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func slices_DeleteFunc[S ~[]E, E any](s S, del func(E) bool) S {
+	i := slices_IndexFunc(s, del)
+	if i == -1 {
+		return s
+	}
+	// Don't start copying elements until we find one to delete.
+	for j := i + 1; j < len(s); j++ {
+		if v := s[j]; !del(v) {
+			s[i] = v
+			i++
+		}
+	}
+	clearSlice(s[i:]) // zero/nil out the obsolete elements, for GC
+	return s[:i]
+}
+
+// Similar to the stdlib slices.Contains, except that we don't have
+// slices.Index so we need to use slices.IndexFunc for this non-Func helper.
+func slices_Contains[S ~[]E, E comparable](s S, v E) bool {
+	return slices_IndexFunc(s, func(e E) bool { return e == v }) >= 0
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func slices_Clone[S ~[]E, E any](s S) S {
+	// Preserve nil in case it matters.
+	if s == nil {
+		return nil
+	}
+	return append(S([]E{}), s...)
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func sync_OnceValue[T any](f func() T) func() T {
+	var (
+		once   sync.Once
+		valid  bool
+		p      any
+		result T
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		result = f()
+		f = nil
+		valid = true
+	}
+	return func() T {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return result
+	}
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	var (
+		once  sync.Once
+		valid bool
+		p     any
+		r1    T1
+		r2    T2
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		r1, r2 = f()
+		f = nil
+		valid = true
+	}
+	return func() (T1, T2) {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return r1, r2
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go
index 5ac23b998..e0ee3f2b5 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/join.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/join.go
@@ -1,13 +1,8 @@
 // Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
-// Copyright (C) 2017 SUSE LLC. All rights reserved.
+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package securejoin is an implementation of the hopefully-soon-to-be-included
-// SecureJoin helper that is meant to be part of the "path/filepath" package.
-// The purpose of this project is to provide a PoC implementation to make the
-// SecureJoin proposal (https://github.com/golang/go/issues/20126) more
-// tangible.
 package securejoin
 
 import (
@@ -22,24 +17,30 @@ const maxSymlinkLimit = 255
 
 // IsNotExist tells you if err is an error that implies that either the path
 // accessed does not exist (or path components don't exist). This is
-// effectively a more broad version of os.IsNotExist.
+// effectively a more broad version of [os.IsNotExist].
 func IsNotExist(err error) bool {
 	// Check that it's not actually an ENOTDIR, which in some cases is a more
 	// convoluted case of ENOENT (usually involving weird paths).
 	return errors.Is(err, os.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) || errors.Is(err, syscall.ENOENT)
 }
 
-// SecureJoinVFS joins the two given path components (similar to Join) except
+// SecureJoinVFS joins the two given path components (similar to [filepath.Join]) except
 // that the returned path is guaranteed to be scoped inside the provided root
 // path (when evaluated). Any symbolic links in the path are evaluated with the
 // given root treated as the root of the filesystem, similar to a chroot. The
-// filesystem state is evaluated through the given VFS interface (if nil, the
-// standard os.* family of functions are used).
+// filesystem state is evaluated through the given [VFS] interface (if nil, the
+// standard [os].* family of functions are used).
 //
 // Note that the guarantees provided by this function only apply if the path
 // components in the returned string are not modified (in other words are not
 // replaced with symlinks on the filesystem) after this function has returned.
-// Such a symlink race is necessarily out-of-scope of SecureJoin.
+// Such a symlink race is necessarily out-of-scope of SecureJoinVFS.
+//
+// NOTE: Due to the above limitation, Linux users are strongly encouraged to
+// use [OpenInRoot] instead, which does safely protect against these kinds of
+// attacks. There is no way to solve this problem with SecureJoinVFS because
+// the API is fundamentally wrong (you cannot return a "safe" path string and
+// guarantee it won't be modified afterwards).
 //
 // Volume names in unsafePath are always discarded, regardless if they are
 // provided via direct input or when evaluating symlinks. Therefore:
@@ -117,8 +118,8 @@ func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
 	return filepath.Join(root, finalPath), nil
 }
 
-// SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library
-// of functions as the VFS. If in doubt, use this function over SecureJoinVFS.
+// SecureJoin is a wrapper around [SecureJoinVFS] that just uses the [os].* library
+// of functions as the [VFS]. If in doubt, use this function over [SecureJoinVFS].
 func SecureJoin(root, unsafePath string) (string, error) {
 	return SecureJoinVFS(root, unsafePath, nil)
 }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
new file mode 100644
index 000000000..be81e498d
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
@@ -0,0 +1,388 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+type symlinkStackEntry struct {
+	// (dir, remainingPath) is what we would've returned if the link didn't
+	// exist. This matches what openat2(RESOLVE_IN_ROOT) would return in
+	// this case.
+	dir           *os.File
+	remainingPath string
+	// linkUnwalked is the remaining path components from the original
+	// Readlink which we have yet to walk. When this slice is empty, we
+	// drop the link from the stack.
+	linkUnwalked []string
+}
+
+func (se symlinkStackEntry) String() string {
+	return fmt.Sprintf("<%s>/%s [->%s]", se.dir.Name(), se.remainingPath, strings.Join(se.linkUnwalked, "/"))
+}
+
+func (se symlinkStackEntry) Close() {
+	_ = se.dir.Close()
+}
+
+type symlinkStack []*symlinkStackEntry
+
+func (s *symlinkStack) IsEmpty() bool {
+	return s == nil || len(*s) == 0
+}
+
+func (s *symlinkStack) Close() {
+	if s != nil {
+		for _, link := range *s {
+			link.Close()
+		}
+		// TODO: Switch to clear once we switch to Go 1.21.
+		*s = nil
+	}
+}
+
+var (
+	errEmptyStack         = errors.New("[internal] stack is empty")
+	errBrokenSymlinkStack = errors.New("[internal error] broken symlink stack")
+)
+
+func (s *symlinkStack) popPart(part string) error {
+	if s == nil || s.IsEmpty() {
+		// If there is nothing in the symlink stack, then the part was from the
+		// real path provided by the user, and this is a no-op.
+		return errEmptyStack
+	}
+	if part == "." {
+		// "." components are no-ops -- we drop them when doing SwapLink.
+		return nil
+	}
+
+	tailEntry := (*s)[len(*s)-1]
+
+	// Double-check that we are popping the component we expect.
+	if len(tailEntry.linkUnwalked) == 0 {
+		return fmt.Errorf("%w: trying to pop component %q of empty stack entry %s", errBrokenSymlinkStack, part, tailEntry)
+	}
+	headPart := tailEntry.linkUnwalked[0]
+	if headPart != part {
+		return fmt.Errorf("%w: trying to pop component %q but the last stack entry is %s (%q)", errBrokenSymlinkStack, part, tailEntry, headPart)
+	}
+
+	// Drop the component, but keep the entry around in case we are dealing
+	// with a "tail-chained" symlink.
+	tailEntry.linkUnwalked = tailEntry.linkUnwalked[1:]
+	return nil
+}
+
+func (s *symlinkStack) PopPart(part string) error {
+	if err := s.popPart(part); err != nil {
+		if errors.Is(err, errEmptyStack) {
+			// Skip empty stacks.
+			err = nil
+		}
+		return err
+	}
+
+	// Clean up any of the trailing stack entries that are empty.
+	for lastGood := len(*s) - 1; lastGood >= 0; lastGood-- {
+		entry := (*s)[lastGood]
+		if len(entry.linkUnwalked) > 0 {
+			break
+		}
+		entry.Close()
+		(*s) = (*s)[:lastGood]
+	}
+	return nil
+}
+
+func (s *symlinkStack) push(dir *os.File, remainingPath, linkTarget string) error {
+	if s == nil {
+		return nil
+	}
+	// Split the link target and clean up any "" parts.
+	linkTargetParts := slices_DeleteFunc(
+		strings.Split(linkTarget, "/"),
+		func(part string) bool { return part == "" || part == "." })
+
+	// Copy the directory so the caller doesn't close our copy.
+	dirCopy, err := dupFile(dir)
+	if err != nil {
+		return err
+	}
+
+	// Add to the stack.
+	*s = append(*s, &symlinkStackEntry{
+		dir:           dirCopy,
+		remainingPath: remainingPath,
+		linkUnwalked:  linkTargetParts,
+	})
+	return nil
+}
+
+func (s *symlinkStack) SwapLink(linkPart string, dir *os.File, remainingPath, linkTarget string) error {
+	// If we are currently inside a symlink resolution, remove the symlink
+	// component from the last symlink entry, but don't remove the entry even
+	// if it's empty. If we are a "tail-chained" symlink (a trailing symlink we
+	// hit during a symlink resolution) we need to keep the old symlink until
+	// we finish the resolution.
+	if err := s.popPart(linkPart); err != nil {
+		if !errors.Is(err, errEmptyStack) {
+			return err
+		}
+		// Push the component regardless of whether the stack was empty.
+	}
+	return s.push(dir, remainingPath, linkTarget)
+}
+
+func (s *symlinkStack) PopTopSymlink() (*os.File, string, bool) {
+	if s == nil || s.IsEmpty() {
+		return nil, "", false
+	}
+	tailEntry := (*s)[0]
+	*s = (*s)[1:]
+	return tailEntry.dir, tailEntry.remainingPath, true
+}
+
+// partialLookupInRoot tries to lookup as much of the request path as possible
+// within the provided root (a-la RESOLVE_IN_ROOT) and opens the final existing
+// component of the requested path, returning a file handle to the final
+// existing component and a string containing the remaining path components.
+func partialLookupInRoot(root *os.File, unsafePath string) (*os.File, string, error) {
+	return lookupInRoot(root, unsafePath, true)
+}
+
+func completeLookupInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, remainingPath, err := lookupInRoot(root, unsafePath, false)
+	if remainingPath != "" && err == nil {
+		// should never happen
+		err = fmt.Errorf("[bug] non-empty remaining path when doing a non-partial lookup: %q", remainingPath)
+	}
+	// lookupInRoot(partial=false) will always close the handle if an error is
+	// returned, so no need to double-check here.
+	return handle, err
+}
+
+func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) {
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+
+	// This is very similar to SecureJoin, except that we operate on the
+	// components using file descriptors. We then return the last component we
+	// managed open, along with the remaining path components not opened.
+
+	// Try to use openat2 if possible.
+	if hasOpenat2() {
+		return lookupOpenat2(root, unsafePath, partial)
+	}
+
+	// Get the "actual" root path from /proc/self/fd. This is necessary if the
+	// root is some magic-link like /proc/$pid/root, in which case we want to
+	// make sure when we do checkProcSelfFdPath that we are using the correct
+	// root path.
+	logicalRootPath, err := procSelfFdReadlink(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("get real root path: %w", err)
+	}
+
+	currentDir, err := dupFile(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("clone root fd: %w", err)
+	}
+	defer func() {
+		// If a handle is not returned, close the internal handle.
+		if Handle == nil {
+			_ = currentDir.Close()
+		}
+	}()
+
+	// symlinkStack is used to emulate how openat2(RESOLVE_IN_ROOT) treats
+	// dangling symlinks. If we hit a non-existent path while resolving a
+	// symlink, we need to return the (dir, remainingPath) that we had when we
+	// hit the symlink (treating the symlink as though it were a regular file).
+	// The set of (dir, remainingPath) sets is stored within the symlinkStack
+	// and we add and remove parts when we hit symlink and non-symlink
+	// components respectively. We need a stack because of recursive symlinks
+	// (symlinks that contain symlink components in their target).
+	//
+	// Note that the stack is ONLY used for book-keeping. All of the actual
+	// path walking logic is still based on currentPath/remainingPath and
+	// currentDir (as in SecureJoin).
+	var symStack *symlinkStack
+	if partial {
+		symStack = new(symlinkStack)
+		defer symStack.Close()
+	}
+
+	var (
+		linksWalked   int
+		currentPath   string
+		remainingPath = unsafePath
+	)
+	for remainingPath != "" {
+		// Save the current remaining path so if the part is not real we can
+		// return the path including the component.
+		oldRemainingPath := remainingPath
+
+		// Get the next path component.
+		var part string
+		if i := strings.IndexByte(remainingPath, '/'); i == -1 {
+			part, remainingPath = remainingPath, ""
+		} else {
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
+		}
+		// If we hit an empty component, we need to treat it as though it is
+		// "." so that trailing "/" and "//" components on a non-directory
+		// correctly return the right error code.
+		if part == "" {
+			part = "."
+		}
+
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here.
+		nextPath := path.Join("/", currentPath, part)
+		// If we logically hit the root, just clone the root rather than
+		// opening the part and doing all of the other checks.
+		if nextPath == "/" {
+			if err := symStack.PopPart(part); err != nil {
+				return nil, "", fmt.Errorf("walking into root with part %q failed: %w", part, err)
+			}
+			// Jump to root.
+			rootClone, err := dupFile(root)
+			if err != nil {
+				return nil, "", fmt.Errorf("clone root fd: %w", err)
+			}
+			_ = currentDir.Close()
+			currentDir = rootClone
+			currentPath = nextPath
+			continue
+		}
+
+		// Try to open the next component.
+		nextDir, err := openatFile(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		switch {
+		case err == nil:
+			st, err := nextDir.Stat()
+			if err != nil {
+				_ = nextDir.Close()
+				return nil, "", fmt.Errorf("stat component %q: %w", part, err)
+			}
+
+			switch st.Mode() & os.ModeType {
+			case os.ModeSymlink:
+				// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
+				// Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
+				// fstatat() with empty relative pathnames").
+				linkDest, err := readlinkatFile(nextDir, "")
+				// We don't need the handle anymore.
+				_ = nextDir.Close()
+				if err != nil {
+					return nil, "", err
+				}
+
+				linksWalked++
+				if linksWalked > maxSymlinkLimit {
+					return nil, "", &os.PathError{Op: "securejoin.lookupInRoot", Path: logicalRootPath + "/" + unsafePath, Err: unix.ELOOP}
+				}
+
+				// Swap out the symlink's component for the link entry itself.
+				if err := symStack.SwapLink(part, currentDir, oldRemainingPath, linkDest); err != nil {
+					return nil, "", fmt.Errorf("walking into symlink %q failed: push symlink: %w", part, err)
+				}
+
+				// Update our logical remaining path.
+				remainingPath = linkDest + "/" + remainingPath
+				// Absolute symlinks reset any work we've already done.
+				if path.IsAbs(linkDest) {
+					// Jump to root.
+					rootClone, err := dupFile(root)
+					if err != nil {
+						return nil, "", fmt.Errorf("clone root fd: %w", err)
+					}
+					_ = currentDir.Close()
+					currentDir = rootClone
+					currentPath = "/"
+				}
+
+			default:
+				// If we are dealing with a directory, simply walk into it.
+				_ = currentDir.Close()
+				currentDir = nextDir
+				currentPath = nextPath
+
+				// The part was real, so drop it from the symlink stack.
+				if err := symStack.PopPart(part); err != nil {
+					return nil, "", fmt.Errorf("walking into directory %q failed: %w", part, err)
+				}
+
+				// If we are operating on a .., make sure we haven't escaped.
+				// We only have to check for ".." here because walking down
+				// into a regular component component cannot cause you to
+				// escape. This mirrors the logic in RESOLVE_IN_ROOT, except we
+				// have to check every ".." rather than only checking after a
+				// rename or mount on the system.
+				if part == ".." {
+					// Make sure the root hasn't moved.
+					if err := checkProcSelfFdPath(logicalRootPath, root); err != nil {
+						return nil, "", fmt.Errorf("root path moved during lookup: %w", err)
+					}
+					// Make sure the path is what we expect.
+					fullPath := logicalRootPath + nextPath
+					if err := checkProcSelfFdPath(fullPath, currentDir); err != nil {
+						return nil, "", fmt.Errorf("walking into %q had unexpected result: %w", part, err)
+					}
+				}
+			}
+
+		default:
+			if !partial {
+				return nil, "", err
+			}
+			// If there are any remaining components in the symlink stack, we
+			// are still within a symlink resolution and thus we hit a dangling
+			// symlink. So pretend that the first symlink in the stack we hit
+			// was an ENOENT (to match openat2).
+			if oldDir, remainingPath, ok := symStack.PopTopSymlink(); ok {
+				_ = currentDir.Close()
+				return oldDir, remainingPath, err
+			}
+			// We have hit a final component that doesn't exist, so we have our
+			// partial open result. Note that we have to use the OLD remaining
+			// path, since the lookup failed.
+			return currentDir, oldRemainingPath, err
+		}
+	}
+
+	// If the unsafePath had a trailing slash, we need to make sure we try to
+	// do a relative "." open so that we will correctly return an error when
+	// the final component is a non-directory (to match openat2). In the
+	// context of openat2, a trailing slash and a trailing "/." are completely
+	// equivalent.
+	if strings.HasSuffix(unsafePath, "/") {
+		nextDir, err := openatFile(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			if !partial {
+				_ = currentDir.Close()
+				currentDir = nil
+			}
+			return currentDir, "", err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+	}
+
+	// All of the components existed!
+	return currentDir, "", nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go b/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
new file mode 100644
index 000000000..5e559bb7a
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
@@ -0,0 +1,215 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+var (
+	errInvalidMode    = errors.New("invalid permission mode")
+	errPossibleAttack = errors.New("possible attack detected")
+)
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+func MkdirAllHandle(root *os.File, unsafePath string, mode int) (_ *os.File, Err error) {
+	// Make sure there are no os.FileMode bits set.
+	if mode&^0o7777 != 0 {
+		return nil, fmt.Errorf("%w for mkdir 0o%.3o", errInvalidMode, mode)
+	}
+	// On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid
+	// bits. We could also silently ignore them but since we have very few
+	// users it seems more prudent to return an error so users notice that
+	// these bits will not be set.
+	if mode&^0o1777 != 0 {
+		return nil, fmt.Errorf("%w for mkdir 0o%.3o: suid and sgid are ignored by mkdir", errInvalidMode, mode)
+	}
+
+	// Try to open as much of the path as possible.
+	currentDir, remainingPath, err := partialLookupInRoot(root, unsafePath)
+	defer func() {
+		if Err != nil {
+			_ = currentDir.Close()
+		}
+	}()
+	if err != nil && !errors.Is(err, unix.ENOENT) {
+		return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// If there is an attacker deleting directories as we walk into them,
+	// detect this proactively. Note this is guaranteed to detect if the
+	// attacker deleted any part of the tree up to currentDir.
+	//
+	// Once we walk into a dead directory, partialLookupInRoot would not be
+	// able to walk further down the tree (directories must be empty before
+	// they are deleted), and if the attacker has removed the entire tree we
+	// can be sure that anything that was originally inside a dead directory
+	// must also be deleted and thus is a dead directory in its own right.
+	//
+	// This is mostly a quality-of-life check, because mkdir will simply fail
+	// later if the attacker deletes the tree after this check.
+	if err := isDeadInode(currentDir); err != nil {
+		return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// Re-open the path to match the O_DIRECTORY reopen loop later (so that we
+	// always return a non-O_PATH handle). We also check that we actually got a
+	// directory.
+	if reopenDir, err := Reopen(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) {
+		return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR)
+	} else if err != nil {
+		return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err)
+	} else {
+		_ = currentDir.Close()
+		currentDir = reopenDir
+	}
+
+	remainingParts := strings.Split(remainingPath, string(filepath.Separator))
+	if slices_Contains(remainingParts, "..") {
+		// The path contained ".." components after the end of the "real"
+		// components. We could try to safely resolve ".." here but that would
+		// add a bunch of extra logic for something that it's not clear even
+		// needs to be supported. So just return an error.
+		//
+		// If we do filepath.Clean(remainingPath) then we end up with the
+		// problem that ".." can erase a trailing dangling symlink and produce
+		// a path that doesn't quite match what the user asked for.
+		return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath)
+	}
+
+	// Make sure the mode doesn't have any type bits.
+	mode &^= unix.S_IFMT
+
+	// Create the remaining components.
+	for _, part := range remainingParts {
+		switch part {
+		case "", ".":
+			// Skip over no-op paths.
+			continue
+		}
+
+		// NOTE: mkdir(2) will not follow trailing symlinks, so we can safely
+		// create the final component without worrying about symlink-exchange
+		// attacks.
+		//
+		// If we get -EEXIST, it's possible that another program created the
+		// directory at the same time as us. In that case, just continue on as
+		// if we created it (if the created inode is not a directory, the
+		// following open call will fail).
+		if err := unix.Mkdirat(int(currentDir.Fd()), part, uint32(mode)); err != nil && !errors.Is(err, unix.EEXIST) {
+			err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err}
+			// Make the error a bit nicer if the directory is dead.
+			if deadErr := isDeadInode(currentDir); deadErr != nil {
+				// TODO: Once we bump the minimum Go version to 1.20, we can use
+				// multiple %w verbs for this wrapping. For now we need to use a
+				// compatibility shim for older Go versions.
+				//err = fmt.Errorf("%w (%w)", err, deadErr)
+				err = wrapBaseError(err, deadErr)
+			}
+			return nil, err
+		}
+
+		// Get a handle to the next component. O_DIRECTORY means we don't need
+		// to use O_PATH.
+		var nextDir *os.File
+		if hasOpenat2() {
+			nextDir, err = openat2File(currentDir, part, &unix.OpenHow{
+				Flags:   unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC,
+				Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV,
+			})
+		} else {
+			nextDir, err = openatFile(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+		}
+		if err != nil {
+			return nil, err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+
+		// It's possible that the directory we just opened was swapped by an
+		// attacker. Unfortunately there isn't much we can do to protect
+		// against this, and MkdirAll's behaviour is that we will reuse
+		// existing directories anyway so the need to protect against this is
+		// incredibly limited (and arguably doesn't even deserve mention here).
+		//
+		// Ideally we might want to check that the owner and mode match what we
+		// would've created -- unfortunately, it is non-trivial to verify that
+		// the owner and mode of the created directory match. While plain Unix
+		// DAC rules seem simple enough to emulate, there are a bunch of other
+		// factors that can change the mode or owner of created directories
+		// (default POSIX ACLs, mount options like uid=1,gid=2,umask=0 on
+		// filesystems like vfat, etc etc). We used to try to verify this but
+		// it just lead to a series of spurious errors.
+		//
+		// We could also check that the directory is non-empty, but
+		// unfortunately some pseduofilesystems (like cgroupfs) create
+		// non-empty directories, which would result in different spurious
+		// errors.
+	}
+	return currentDir, nil
+}
+
+// MkdirAll is a race-safe alternative to the [os.MkdirAll] function,
+// where the new directory is guaranteed to be within the root directory (if an
+// attacker can move directories from inside the root to outside the root, the
+// created directory tree might be outside of the root but the key constraint
+// is that at no point will we walk outside of the directory tree we are
+// creating).
+//
+// Effectively, MkdirAll(root, unsafePath, mode) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	err := os.MkdirAll(path, mode)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.MkdirAll], it is
+// possible for MkdirAll to resolve unsafe symlink components and create
+// directories outside of the root.
+//
+// If you plan to open the directory after you have created it or want to use
+// an open directory handle as the root, you should use [MkdirAllHandle] instead.
+// This function is a wrapper around [MkdirAllHandle].
+//
+// NOTE: The mode argument must be set the unix mode bits (unix.S_I...), not
+// the Go generic mode bits ([os.FileMode]...).
+func MkdirAll(root, unsafePath string, mode int) error {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return err
+	}
+	defer rootDir.Close()
+
+	f, err := MkdirAllHandle(rootDir, unsafePath, mode)
+	if err != nil {
+		return err
+	}
+	_ = f.Close()
+	return nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/open_linux.go b/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
new file mode 100644
index 000000000..230be73f0
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
@@ -0,0 +1,103 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, err := completeLookupInRoot(root, unsafePath)
+	if err != nil {
+		return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err}
+	}
+	return handle, nil
+}
+
+// OpenInRoot safely opens the provided unsafePath within the root.
+// Effectively, OpenInRoot(root, unsafePath) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.OpenFile], it is
+// possible for the returned file to be outside of the root.
+//
+// Note that the returned handle is an O_PATH handle, meaning that only a very
+// limited set of operations will work on the handle. This is done to avoid
+// accidentally opening an untrusted file that could cause issues (such as a
+// disconnected TTY that could cause a DoS, or some other issue). In order to
+// use the returned handle, you can "upgrade" it to a proper handle using
+// [Reopen].
+func OpenInRoot(root, unsafePath string) (*os.File, error) {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer rootDir.Close()
+	return OpenatInRoot(rootDir, unsafePath)
+}
+
+// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See [CVE-2019-19921] for more details.
+//
+// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+func Reopen(handle *os.File, flags int) (*os.File, error) {
+	procRoot, err := getProcRoot()
+	if err != nil {
+		return nil, err
+	}
+
+	// We can't operate on /proc/thread-self/fd/$n directly when doing a
+	// re-open, so we need to open /proc/thread-self/fd and then open a single
+	// final component.
+	procFdDir, closer, err := procThreadSelf(procRoot, "fd/")
+	if err != nil {
+		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
+	}
+	defer procFdDir.Close()
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link we are about
+	// to open. If we are using unsafeHostProcRoot(), this could change after
+	// we check it (and there's nothing we can do about that) but for
+	// privateProcRoot() this should be guaranteed to be safe (at least since
+	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
+	// from external mounts including mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	fdStr := strconv.Itoa(int(handle.Fd()))
+	if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil {
+		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
+	}
+
+	flags |= unix.O_CLOEXEC
+	// Rather than just wrapping openatFile, open-code it so we can copy
+	// handle.Name().
+	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
+	}
+	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
new file mode 100644
index 000000000..f7a13e69c
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
@@ -0,0 +1,127 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+var hasOpenat2 = sync_OnceValue(func() bool {
+	fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
+		Flags:   unix.O_PATH | unix.O_CLOEXEC,
+		Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
+	})
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+	return true
+})
+
+func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
+	// RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
+	// ".." while a mount or rename occurs anywhere on the system. This could
+	// happen spuriously, or as the result of an attacker trying to mess with
+	// us during lookup.
+	//
+	// In addition, scoped lookups have a "safety check" at the end of
+	// complete_walk which will return -EXDEV if the final path is not in the
+	// root.
+	return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
+		(errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
+}
+
+const scopedLookupMaxRetries = 10
+
+func openat2File(dir *os.File, path string, how *unix.OpenHow) (*os.File, error) {
+	fullPath := dir.Name() + "/" + path
+	// Make sure we always set O_CLOEXEC.
+	how.Flags |= unix.O_CLOEXEC
+	var tries int
+	for tries < scopedLookupMaxRetries {
+		fd, err := unix.Openat2(int(dir.Fd()), path, how)
+		if err != nil {
+			if scopedLookupShouldRetry(how, err) {
+				// We retry a couple of times to avoid the spurious errors, and
+				// if we are being attacked then returning -EAGAIN is the best
+				// we can do.
+				tries++
+				continue
+			}
+			return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
+		}
+		// If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
+		// NOTE: The procRoot code MUST NOT use RESOLVE_IN_ROOT, otherwise
+		//       you'll get infinite recursion here.
+		if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
+			if actualPath, err := rawProcSelfFdReadlink(fd); err == nil {
+				fullPath = actualPath
+			}
+		}
+		return os.NewFile(uintptr(fd), fullPath), nil
+	}
+	return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: errPossibleAttack}
+}
+
+func lookupOpenat2(root *os.File, unsafePath string, partial bool) (*os.File, string, error) {
+	if !partial {
+		file, err := openat2File(root, unsafePath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		return file, "", err
+	}
+	return partialLookupOpenat2(root, unsafePath)
+}
+
+// partialLookupOpenat2 is an alternative implementation of
+// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
+// handle to the deepest existing child of the requested path within the root.
+func partialLookupOpenat2(root *os.File, unsafePath string) (*os.File, string, error) {
+	// TODO: Implement this as a git-bisect-like binary search.
+
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+	endIdx := len(unsafePath)
+	var lastError error
+	for endIdx > 0 {
+		subpath := unsafePath[:endIdx]
+
+		handle, err := openat2File(root, subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err == nil {
+			// Jump over the slash if we have a non-"" remainingPath.
+			if endIdx < len(unsafePath) {
+				endIdx += 1
+			}
+			// We found a subpath!
+			return handle, unsafePath[endIdx:], lastError
+		}
+		if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
+			// That path doesn't exist, let's try the next directory up.
+			endIdx = strings.LastIndexByte(subpath, '/')
+			lastError = err
+			continue
+		}
+		return nil, "", fmt.Errorf("open subpath: %w", err)
+	}
+	// If we couldn't open anything, the whole subpath is missing. Return a
+	// copy of the root fd so that the caller doesn't close this one by
+	// accident.
+	rootClone, err := dupFile(root)
+	if err != nil {
+		return nil, "", err
+	}
+	return rootClone, unsafePath, lastError
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
new file mode 100644
index 000000000..949fb5f2d
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
@@ -0,0 +1,59 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"os"
+	"path/filepath"
+
+	"golang.org/x/sys/unix"
+)
+
+func dupFile(f *os.File) (*os.File, error) {
+	fd, err := unix.FcntlInt(f.Fd(), unix.F_DUPFD_CLOEXEC, 0)
+	if err != nil {
+		return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err)
+	}
+	return os.NewFile(uintptr(fd), f.Name()), nil
+}
+
+func openatFile(dir *os.File, path string, flags int, mode int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.O_CLOEXEC
+	fd, err := unix.Openat(int(dir.Fd()), path, flags, uint32(mode))
+	if err != nil {
+		return nil, &os.PathError{Op: "openat", Path: dir.Name() + "/" + path, Err: err}
+	}
+	// All of the paths we use with openatFile(2) are guaranteed to be
+	// lexically safe, so we can use path.Join here.
+	fullPath := filepath.Join(dir.Name(), path)
+	return os.NewFile(uintptr(fd), fullPath), nil
+}
+
+func fstatatFile(dir *os.File, path string, flags int) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstatat(int(dir.Fd()), path, &stat, flags); err != nil {
+		return stat, &os.PathError{Op: "fstatat", Path: dir.Name() + "/" + path, Err: err}
+	}
+	return stat, nil
+}
+
+func readlinkatFile(dir *os.File, path string) (string, error) {
+	size := 4096
+	for {
+		linkBuf := make([]byte, size)
+		n, err := unix.Readlinkat(int(dir.Fd()), path, linkBuf)
+		if err != nil {
+			return "", &os.PathError{Op: "readlinkat", Path: dir.Name() + "/" + path, Err: err}
+		}
+		if n != size {
+			return string(linkBuf[:n]), nil
+		}
+		// Possible truncation, resize the buffer.
+		size *= 2
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
new file mode 100644
index 000000000..809a579cb
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
@@ -0,0 +1,452 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+)
+
+func fstat(f *os.File) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstat(int(f.Fd()), &stat); err != nil {
+		return stat, &os.PathError{Op: "fstat", Path: f.Name(), Err: err}
+	}
+	return stat, nil
+}
+
+func fstatfs(f *os.File) (unix.Statfs_t, error) {
+	var statfs unix.Statfs_t
+	if err := unix.Fstatfs(int(f.Fd()), &statfs); err != nil {
+		return statfs, &os.PathError{Op: "fstatfs", Path: f.Name(), Err: err}
+	}
+	return statfs, nil
+}
+
+// The kernel guarantees that the root inode of a procfs mount has an
+// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO.
+const (
+	procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC
+	procRootIno    = 1      // PROC_ROOT_INO
+)
+
+func verifyProcRoot(procRoot *os.File) error {
+	if statfs, err := fstatfs(procRoot); err != nil {
+		return err
+	} else if statfs.Type != procSuperMagic {
+		return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+	}
+	if stat, err := fstat(procRoot); err != nil {
+		return err
+	} else if stat.Ino != procRootIno {
+		return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino)
+	}
+	return nil
+}
+
+var hasNewMountApi = sync_OnceValue(func() bool {
+	// All of the pieces of the new mount API we use (fsopen, fsconfig,
+	// fsmount, open_tree) were added together in Linux 5.1[1,2], so we can
+	// just check for one of the syscalls and the others should also be
+	// available.
+	//
+	// Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE.
+	// This is equivalent to openat(2), but tells us if open_tree is
+	// available (and thus all of the other basic new mount API syscalls).
+	// open_tree(2) is most light-weight syscall to test here.
+	//
+	// [1]: merge commit 400913252d09
+	// [2]: <https://lore.kernel.org/lkml/153754740781.17872.7869536526927736855.stgit@warthog.procyon.org.uk/>
+	fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC)
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+	return true
+})
+
+func fsopen(fsName string, flags int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSOPEN_CLOEXEC
+	fd, err := unix.Fsopen(fsName, flags)
+	if err != nil {
+		return nil, os.NewSyscallError("fsopen "+fsName, err)
+	}
+	return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
+}
+
+func fsmount(ctx *os.File, flags, mountAttrs int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSMOUNT_CLOEXEC
+	fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs)
+	if err != nil {
+		return nil, os.NewSyscallError("fsmount "+ctx.Name(), err)
+	}
+	return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil
+}
+
+func newPrivateProcMount() (*os.File, error) {
+	procfsCtx, err := fsopen("proc", unix.FSOPEN_CLOEXEC)
+	if err != nil {
+		return nil, err
+	}
+	defer procfsCtx.Close()
+
+	// Try to configure hidepid=ptraceable,subset=pid if possible, but ignore errors.
+	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable")
+	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid")
+
+	// Get an actual handle.
+	if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
+		return nil, os.NewSyscallError("fsconfig create procfs", err)
+	}
+	return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
+}
+
+func openTree(dir *os.File, path string, flags uint) (*os.File, error) {
+	dirFd := -int(unix.EBADF)
+	dirName := "."
+	if dir != nil {
+		dirFd = int(dir.Fd())
+		dirName = dir.Name()
+	}
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.OPEN_TREE_CLOEXEC
+	fd, err := unix.OpenTree(dirFd, path, flags)
+	if err != nil {
+		return nil, &os.PathError{Op: "open_tree", Path: path, Err: err}
+	}
+	return os.NewFile(uintptr(fd), dirName+"/"+path), nil
+}
+
+func clonePrivateProcMount() (_ *os.File, Err error) {
+	// Try to make a clone without using AT_RECURSIVE if we can. If this works,
+	// we can be sure there are no over-mounts and so if the root is valid then
+	// we're golden. Otherwise, we have to deal with over-mounts.
+	procfsHandle, err := openTree(nil, "/proc", unix.OPEN_TREE_CLONE)
+	if err != nil || hookForcePrivateProcRootOpenTreeAtRecursive(procfsHandle) {
+		procfsHandle, err = openTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("creating a detached procfs clone: %w", err)
+	}
+	defer func() {
+		if Err != nil {
+			_ = procfsHandle.Close()
+		}
+	}()
+	if err := verifyProcRoot(procfsHandle); err != nil {
+		return nil, err
+	}
+	return procfsHandle, nil
+}
+
+func privateProcRoot() (*os.File, error) {
+	if !hasNewMountApi() || hookForceGetProcRootUnsafe() {
+		return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP)
+	}
+	// Try to create a new procfs mount from scratch if we can. This ensures we
+	// can get a procfs mount even if /proc is fake (for whatever reason).
+	procRoot, err := newPrivateProcMount()
+	if err != nil || hookForcePrivateProcRootOpenTree(procRoot) {
+		// Try to clone /proc then...
+		procRoot, err = clonePrivateProcMount()
+	}
+	return procRoot, err
+}
+
+func unsafeHostProcRoot() (_ *os.File, Err error) {
+	procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	if err := verifyProcRoot(procRoot); err != nil {
+		return nil, err
+	}
+	return procRoot, nil
+}
+
+func doGetProcRoot() (*os.File, error) {
+	procRoot, err := privateProcRoot()
+	if err != nil {
+		// Fall back to using a /proc handle if making a private mount failed.
+		// If we have openat2, at least we can avoid some kinds of over-mount
+		// attacks, but without openat2 there's not much we can do.
+		procRoot, err = unsafeHostProcRoot()
+	}
+	return procRoot, err
+}
+
+var getProcRoot = sync_OnceValues(func() (*os.File, error) {
+	return doGetProcRoot()
+})
+
+var hasProcThreadSelf = sync_OnceValue(func() bool {
+	return unix.Access("/proc/thread-self/", unix.F_OK) == nil
+})
+
+var errUnsafeProcfs = errors.New("unsafe procfs detected")
+
+type procThreadSelfCloser func()
+
+// procThreadSelf returns a handle to /proc/thread-self/<subpath> (or an
+// equivalent handle on older kernels where /proc/thread-self doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// (runtime.UnlockOSThread). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+//
+// This is similar to ProcThreadSelf from runc, but with extra hardening
+// applied and using *os.File.
+func procThreadSelf(procRoot *os.File, subpath string) (_ *os.File, _ procThreadSelfCloser, Err error) {
+	// We need to lock our thread until the caller is done with the handle
+	// because between getting the handle and using it we could get interrupted
+	// by the Go runtime and hit the case where the underlying thread is
+	// swapped out and the original thread is killed, resulting in
+	// pull-your-hair-out-hard-to-debug issues in the caller.
+	runtime.LockOSThread()
+	defer func() {
+		if Err != nil {
+			runtime.UnlockOSThread()
+		}
+	}()
+
+	// Figure out what prefix we want to use.
+	threadSelf := "thread-self/"
+	if !hasProcThreadSelf() || hookForceProcSelfTask() {
+		/// Pre-3.17 kernels don't have /proc/thread-self, so do it manually.
+		threadSelf = "self/task/" + strconv.Itoa(unix.Gettid()) + "/"
+		if _, err := fstatatFile(procRoot, threadSelf, unix.AT_SYMLINK_NOFOLLOW); err != nil || hookForceProcSelf() {
+			// In this case, we running in a pid namespace that doesn't match
+			// the /proc mount we have. This can happen inside runc.
+			//
+			// Unfortunately, there is no nice way to get the correct TID to
+			// use here because of the age of the kernel, so we have to just
+			// use /proc/self and hope that it works.
+			threadSelf = "self/"
+		}
+	}
+
+	// Grab the handle.
+	var (
+		handle *os.File
+		err    error
+	)
+	if hasOpenat2() {
+		// We prefer being able to use RESOLVE_NO_XDEV if we can, to be
+		// absolutely sure we are operating on a clean /proc handle that
+		// doesn't have any cheeky overmounts that could trick us (including
+		// symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't
+		// strictly needed, but just use it since we have it.
+		//
+		// NOTE: /proc/self is technically a magic-link (the contents of the
+		//       symlink are generated dynamically), but it doesn't use
+		//       nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it.
+		//
+		// NOTE: We MUST NOT use RESOLVE_IN_ROOT here, as openat2File uses
+		//       procSelfFdReadlink to clean up the returned f.Name() if we use
+		//       RESOLVE_IN_ROOT (which would lead to an infinite recursion).
+		handle, err = openat2File(procRoot, threadSelf+subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err != nil {
+			// TODO: Once we bump the minimum Go version to 1.20, we can use
+			// multiple %w verbs for this wrapping. For now we need to use a
+			// compatibility shim for older Go versions.
+			//err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+			return nil, nil, wrapBaseError(err, errUnsafeProcfs)
+		}
+	} else {
+		handle, err = openatFile(procRoot, threadSelf+subpath, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			// TODO: Once we bump the minimum Go version to 1.20, we can use
+			// multiple %w verbs for this wrapping. For now we need to use a
+			// compatibility shim for older Go versions.
+			//err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+			return nil, nil, wrapBaseError(err, errUnsafeProcfs)
+		}
+		defer func() {
+			if Err != nil {
+				_ = handle.Close()
+			}
+		}()
+		// We can't detect bind-mounts of different parts of procfs on top of
+		// /proc (a-la RESOLVE_NO_XDEV), but we can at least be sure that we
+		// aren't on the wrong filesystem here.
+		if statfs, err := fstatfs(handle); err != nil {
+			return nil, nil, err
+		} else if statfs.Type != procSuperMagic {
+			return nil, nil, fmt.Errorf("%w: incorrect /proc/self/fd filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+		}
+	}
+	return handle, runtime.UnlockOSThread, nil
+}
+
+// STATX_MNT_ID_UNIQUE is provided in golang.org/x/sys@v0.20.0, but in order to
+// avoid bumping the requirement for a single constant we can just define it
+// ourselves.
+const STATX_MNT_ID_UNIQUE = 0x4000
+
+var hasStatxMountId = sync_OnceValue(func() bool {
+	var (
+		stx unix.Statx_t
+		// We don't care which mount ID we get. The kernel will give us the
+		// unique one if it is supported.
+		wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+	)
+	err := unix.Statx(-int(unix.EBADF), "/", 0, int(wantStxMask), &stx)
+	return err == nil && stx.Mask&wantStxMask != 0
+})
+
+func getMountId(dir *os.File, path string) (uint64, error) {
+	// If we don't have statx(STATX_MNT_ID*) support, we can't do anything.
+	if !hasStatxMountId() {
+		return 0, nil
+	}
+
+	var (
+		stx unix.Statx_t
+		// We don't care which mount ID we get. The kernel will give us the
+		// unique one if it is supported.
+		wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+	)
+
+	err := unix.Statx(int(dir.Fd()), path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, int(wantStxMask), &stx)
+	if stx.Mask&wantStxMask == 0 {
+		// It's not a kernel limitation, for some reason we couldn't get a
+		// mount ID. Assume it's some kind of attack.
+		err = fmt.Errorf("%w: could not get mount id", errUnsafeProcfs)
+	}
+	if err != nil {
+		return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: dir.Name() + "/" + path, Err: err}
+	}
+	return stx.Mnt_id, nil
+}
+
+func checkSymlinkOvermount(procRoot *os.File, dir *os.File, path string) error {
+	// Get the mntId of our procfs handle.
+	expectedMountId, err := getMountId(procRoot, "")
+	if err != nil {
+		return err
+	}
+	// Get the mntId of the target magic-link.
+	gotMountId, err := getMountId(dir, path)
+	if err != nil {
+		return err
+	}
+	// As long as the directory mount is alive, even with wrapping mount IDs,
+	// we would expect to see a different mount ID here. (Of course, if we're
+	// using unsafeHostProcRoot() then an attaker could change this after we
+	// did this check.)
+	if expectedMountId != gotMountId {
+		return fmt.Errorf("%w: symlink %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountId, gotMountId)
+	}
+	return nil
+}
+
+func doRawProcSelfFdReadlink(procRoot *os.File, fd int) (string, error) {
+	fdPath := fmt.Sprintf("fd/%d", fd)
+	procFdLink, closer, err := procThreadSelf(procRoot, fdPath)
+	if err != nil {
+		return "", fmt.Errorf("get safe /proc/thread-self/%s handle: %w", fdPath, err)
+	}
+	defer procFdLink.Close()
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link. Since we use the handle directly
+	// provide to the closure. If the closure uses the handle directly, this
+	// should be safe in general (a mount on top of the path afterwards would
+	// not affect the handle itself) and will definitely be safe if we are
+	// using privateProcRoot() (at least since Linux 5.12[1], when anonymous
+	// mount namespaces were completely isolated from external mounts including
+	// mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	if err := checkSymlinkOvermount(procRoot, procFdLink, ""); err != nil {
+		return "", fmt.Errorf("check safety of /proc/thread-self/fd/%d magiclink: %w", fd, err)
+	}
+
+	// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit
+	// 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty
+	// relative pathnames").
+	return readlinkatFile(procFdLink, "")
+}
+
+func rawProcSelfFdReadlink(fd int) (string, error) {
+	procRoot, err := getProcRoot()
+	if err != nil {
+		return "", err
+	}
+	return doRawProcSelfFdReadlink(procRoot, fd)
+}
+
+func procSelfFdReadlink(f *os.File) (string, error) {
+	return rawProcSelfFdReadlink(int(f.Fd()))
+}
+
+var (
+	errPossibleBreakout = errors.New("possible breakout detected")
+	errInvalidDirectory = errors.New("wandered into deleted directory")
+	errDeletedInode     = errors.New("cannot verify path of deleted inode")
+)
+
+func isDeadInode(file *os.File) error {
+	// If the nlink of a file drops to 0, there is an attacker deleting
+	// directories during our walk, which could result in weird /proc values.
+	// It's better to error out in this case.
+	stat, err := fstat(file)
+	if err != nil {
+		return fmt.Errorf("check for dead inode: %w", err)
+	}
+	if stat.Nlink == 0 {
+		err := errDeletedInode
+		if stat.Mode&unix.S_IFMT == unix.S_IFDIR {
+			err = errInvalidDirectory
+		}
+		return fmt.Errorf("%w %q", err, file.Name())
+	}
+	return nil
+}
+
+func checkProcSelfFdPath(path string, file *os.File) error {
+	if err := isDeadInode(file); err != nil {
+		return err
+	}
+	actualPath, err := procSelfFdReadlink(file)
+	if err != nil {
+		return fmt.Errorf("get path of handle: %w", err)
+	}
+	if actualPath != path {
+		return fmt.Errorf("%w: handle path %q doesn't match expected path %q", errPossibleBreakout, actualPath, path)
+	}
+	return nil
+}
+
+// Test hooks used in the procfs tests to verify that the fallback logic works.
+// See testing_mocks_linux_test.go and procfs_linux_test.go for more details.
+var (
+	hookForcePrivateProcRootOpenTree            = hookDummyFile
+	hookForcePrivateProcRootOpenTreeAtRecursive = hookDummyFile
+	hookForceGetProcRootUnsafe                  = hookDummy
+
+	hookForceProcSelfTask = hookDummy
+	hookForceProcSelf     = hookDummy
+)
+
+func hookDummy() bool               { return false }
+func hookDummyFile(_ *os.File) bool { return false }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
index a82a5eae1..36373f8c5 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/vfs.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2017 SUSE LLC. All rights reserved.
+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -10,19 +10,19 @@ import "os"
 // are several projects (umoci and go-mtree) that are using this sort of
 // interface.
 
-// VFS is the minimal interface necessary to use SecureJoinVFS. A nil VFS is
-// equivalent to using the standard os.* family of functions. This is mainly
+// VFS is the minimal interface necessary to use [SecureJoinVFS]. A nil VFS is
+// equivalent to using the standard [os].* family of functions. This is mainly
 // used for the purposes of mock testing, but also can be used to otherwise use
-// SecureJoin with VFS-like system.
+// [SecureJoinVFS] with VFS-like system.
 type VFS interface {
-	// Lstat returns a FileInfo describing the named file. If the file is a
-	// symbolic link, the returned FileInfo describes the symbolic link. Lstat
-	// makes no attempt to follow the link. These semantics are identical to
-	// os.Lstat.
+	// Lstat returns an [os.FileInfo] describing the named file. If the
+	// file is a symbolic link, the returned [os.FileInfo] describes the
+	// symbolic link. Lstat makes no attempt to follow the link.
+	// The semantics are identical to [os.Lstat].
 	Lstat(name string) (os.FileInfo, error)
 
-	// Readlink returns the destination of the named symbolic link. These
-	// semantics are identical to os.Readlink.
+	// Readlink returns the destination of the named symbolic link.
+	// The semantics are identical to [os.Readlink].
 	Readlink(name string) (string, error)
 }
 
@@ -30,12 +30,6 @@ type VFS interface {
 // module.
 type osVFS struct{}
 
-// Lstat returns a FileInfo describing the named file. If the file is a
-// symbolic link, the returned FileInfo describes the symbolic link. Lstat
-// makes no attempt to follow the link. These semantics are identical to
-// os.Lstat.
 func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) }
 
-// Readlink returns the destination of the named symbolic link. These
-// semantics are identical to os.Readlink.
 func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) }
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go
index 120008db1..df01890b2 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/http/common.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/protocol/packp"
+	"github.com/go-git/go-git/v5/plumbing/protocol/packp/capability"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/utils/ioutil"
 	"github.com/golang/groupcache/lru"
@@ -24,7 +25,7 @@ import (
 
 // it requires a bytes.Buffer, because we need to know the length
 func applyHeadersToRequest(req *http.Request, content *bytes.Buffer, host string, requestType string) {
-	req.Header.Add("User-Agent", "git/1.0")
+	req.Header.Add("User-Agent", capability.DefaultAgent())
 	req.Header.Add("Host", host) // host:port
 
 	if content == nil {
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go
index f9c598e6f..ac4e3583c 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/auth_method.go
@@ -230,11 +230,11 @@ func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
 //	~/.ssh/known_hosts
 //	/etc/ssh/ssh_known_hosts
 func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) {
-	db, err := newKnownHostsDb(files...)
-	return db.HostKeyCallback(), err
+	kh, err := newKnownHosts(files...)
+	return ssh.HostKeyCallback(kh), err
 }
 
-func newKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) {
+func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
 	var err error
 
 	if len(files) == 0 {
@@ -247,7 +247,7 @@ func newKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) {
 		return nil, err
 	}
 
-	return knownhosts.NewDB(files...)
+	return knownhosts.New(files...)
 }
 
 func getDefaultKnownHostsFiles() ([]string, error) {
@@ -301,12 +301,11 @@ type HostKeyCallbackHelper struct {
 // HostKeyCallback is empty a default callback is created using
 // NewKnownHostsCallback.
 func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
+	var err error
 	if m.HostKeyCallback == nil {
-		db, err := newKnownHostsDb()
-		if err != nil {
+		if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil {
 			return cfg, err
 		}
-		m.HostKeyCallback = db.HostKeyCallback()
 	}
 
 	cfg.HostKeyCallback = m.HostKeyCallback
diff --git a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go
index a37024f0e..05dea448f 100644
--- a/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go
+++ b/vendor/github.com/go-git/go-git/v5/plumbing/transport/ssh/common.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/internal/common"
+	"github.com/skeema/knownhosts"
 
 	"github.com/kevinburke/ssh_config"
 	"golang.org/x/crypto/ssh"
@@ -126,25 +127,17 @@ func (c *command) connect() error {
 	}
 	hostWithPort := c.getHostWithPort()
 	if config.HostKeyCallback == nil {
-		db, err := newKnownHostsDb()
+		kh, err := newKnownHosts()
 		if err != nil {
 			return err
 		}
-
-		config.HostKeyCallback = db.HostKeyCallback()
-		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
+		config.HostKeyCallback = kh.HostKeyCallback()
+		config.HostKeyAlgorithms = kh.HostKeyAlgorithms(hostWithPort)
 	} else if len(config.HostKeyAlgorithms) == 0 {
 		// Set the HostKeyAlgorithms based on HostKeyCallback.
 		// For background see https://github.com/go-git/go-git/issues/411 as well as
 		// https://github.com/golang/go/issues/29286 for root cause.
-		db, err := newKnownHostsDb()
-		if err != nil {
-			return err
-		}
-
-		// Note that the knownhost database is used, as it provides additional functionality
-		// to handle ssh cert-authorities.
-		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
+		config.HostKeyAlgorithms = knownhosts.HostKeyAlgorithms(config.HostKeyCallback, hostWithPort)
 	}
 
 	overrideConfig(c.config, config)
diff --git a/vendor/github.com/go-git/go-git/v5/worktree.go b/vendor/github.com/go-git/go-git/v5/worktree.go
index 8dfa50b1b..dded08e99 100644
--- a/vendor/github.com/go-git/go-git/v5/worktree.go
+++ b/vendor/github.com/go-git/go-git/v5/worktree.go
@@ -425,8 +425,9 @@ func (w *Worktree) resetIndex(t *object.Tree, dirs []string, files []string) err
 }
 
 func inFiles(files []string, v string) bool {
+	v = filepath.Clean(v)
 	for _, s := range files {
-		if s == v {
+		if filepath.Clean(s) == v {
 			return true
 		}
 	}
diff --git a/vendor/github.com/go-git/go-git/v5/worktree_status.go b/vendor/github.com/go-git/go-git/v5/worktree_status.go
index 6e72db974..7870d138d 100644
--- a/vendor/github.com/go-git/go-git/v5/worktree_status.go
+++ b/vendor/github.com/go-git/go-git/v5/worktree_status.go
@@ -370,6 +370,8 @@ func (w *Worktree) doAdd(path string, ignorePattern []gitignore.Pattern, skipSta
 		}
 	}
 
+	path = filepath.Clean(path)
+
 	if err != nil || !fi.IsDir() {
 		added, h, err = w.doAddFile(idx, s, path, ignorePattern)
 	} else {
diff --git a/vendor/github.com/iwdgo/sigintwindows/.gitignore b/vendor/github.com/iwdgo/sigintwindows/.gitignore
new file mode 100644
index 000000000..723ef36f4
--- /dev/null
+++ b/vendor/github.com/iwdgo/sigintwindows/.gitignore
@@ -0,0 +1 @@
+.idea
\ No newline at end of file
diff --git a/vendor/github.com/iwdgo/sigintwindows/LICENSE b/vendor/github.com/iwdgo/sigintwindows/LICENSE
new file mode 100644
index 000000000..06c908bd0
--- /dev/null
+++ b/vendor/github.com/iwdgo/sigintwindows/LICENSE
@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2020, Constantin Konstantinidis
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/iwdgo/sigintwindows/README.md b/vendor/github.com/iwdgo/sigintwindows/README.md
new file mode 100644
index 000000000..62a0bb388
--- /dev/null
+++ b/vendor/github.com/iwdgo/sigintwindows/README.md
@@ -0,0 +1,63 @@
+[![Go Reference](https://pkg.go.dev/badge/iwdgo/sigintwindows.svg)](https://pkg.go.dev/iwdgo/sigintwindows)
+[![Go Report Card](https://goreportcard.com/badge/github.com/iwdgo/sigintwindows)](https://goreportcard.com/report/github.com/iwdgo/sigintwindows)
+
+# On Windows, sends a ctrl-break to a process
+
+## How to
+
+### Experiment
+
+```
+$ go get -d github.com/iwdgo/sigintwindows
+$ cd <download path>
+$ go test -v
+=== RUN   TestSendCtrlBreak
+    signal_windows_test.go:40: waiting 5 seconds before goroutine. No log to find.
+    signal_windows_test.go:43: waiting 5 seconds in goroutine. Log displays unless interrupted.
+2021/09/22 10:39:38 sub-process 55536 started
+2021/09/22 10:39:48 graceful exit on interrupt
+--- PASS: TestSendCtrlBreak (15.38s)
+PASS
+```
+
+The output of the sub-process is in the `ctrlbreak.log` file.
+
+Typing Ctrl-C should display error ` exit status 0xc000013a `
+
+Exit code `0xC000013A` is the exit value `STATUS_CONTROL_C_EXIT` returned by the signal package.
+[NTSTATUS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55) says:
+
+> {Application Exit by CTRL+C} The application terminated as a result of a CTRL+C.
+
+### Use as a module
+
+```
+import "github.com/iwdgo/sigintwindows"
+
+sigintwindows.SendCtrlBreak(<some pid>)
+```
+
+
+## Online
+
+### Stackoverflow
+
+https://stackoverflow.com/questions/45309984/signal-other-than-sigkill-not-terminating-process-on-windows  
+https://stackoverflow.com/questions/55092139/gracefully-terminate-a-process-on-windows  
+
+### Golang
+
+https://github.com/golang/go/issues/29744
+
+### About Ctrl-Break on Windows
+
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55  
+https://docs.microsoft.com/en-us/windows/console/generateconsolectrlevent  
+https://docs.microsoft.com/en-us/windows/console/ctrl-c-and-ctrl-break-signals  
+https://docs.microsoft.com/en-us/windows/win32/procthread/process-creation-flags  
+
+### Versions
+
+`v0.2.2` Importable module  
+`v0.1.0` Standalone experiment  
+Standalone version of the test `TestCtrlBreak` of the `signal` package of golang.
diff --git a/vendor/github.com/iwdgo/sigintwindows/signal_windows.go b/vendor/github.com/iwdgo/sigintwindows/signal_windows.go
new file mode 100644
index 000000000..076bf5ae9
--- /dev/null
+++ b/vendor/github.com/iwdgo/sigintwindows/signal_windows.go
@@ -0,0 +1,27 @@
+// Package signalwindows sends a control break to another process.
+
+//go:build windows
+// +build windows
+
+package sigintwindows
+
+import (
+	"syscall"
+)
+
+// SendCtrlBreak sends a Ctrl-Break event to the process with id pid
+func SendCtrlBreak(pid int) error {
+	d, e := syscall.LoadDLL("kernel32.dll")
+	if e != nil {
+		return e
+	}
+	p, e := d.FindProc("GenerateConsoleCtrlEvent")
+	if e != nil {
+		return e
+	}
+	r, _, e := p.Call(uintptr(syscall.CTRL_BREAK_EVENT), uintptr(pid))
+	if r == 0 {
+		return e // syscall.GetLastError()
+	}
+	return nil
+}
diff --git a/vendor/github.com/magiconair/properties/CHANGELOG.md b/vendor/github.com/magiconair/properties/CHANGELOG.md
deleted file mode 100644
index 842e8e24f..000000000
--- a/vendor/github.com/magiconair/properties/CHANGELOG.md
+++ /dev/null
@@ -1,205 +0,0 @@
-## Changelog
-
-### [1.8.7](https://github.com/magiconair/properties/tree/v1.8.7) - 08 Dec 2022
-
- * [PR #65](https://github.com/magiconair/properties/pull/65): Speedup Merge
-
-   Thanks to [@AdityaVallabh](https://github.com/AdityaVallabh) for the patch.
-
- * [PR #66](https://github.com/magiconair/properties/pull/66): use github actions
-
-### [1.8.6](https://github.com/magiconair/properties/tree/v1.8.6) - 23 Feb 2022
-
- * [PR #57](https://github.com/magiconair/properties/pull/57):Fix "unreachable code" lint error
-
-   Thanks to [@ellie](https://github.com/ellie) for the patch.
-
- * [PR #63](https://github.com/magiconair/properties/pull/63): Make TestMustGetParsedDuration backwards compatible
-
-   This patch ensures that the `TestMustGetParsedDuration` still works with `go1.3` to make the
-   author happy until it affects real users.
-
-   Thanks to [@maage](https://github.com/maage) for the patch.
-
-### [1.8.5](https://github.com/magiconair/properties/tree/v1.8.5) - 24 Mar 2021
-
- * [PR #55](https://github.com/magiconair/properties/pull/55): Fix: Encoding Bug in Comments
-
-   When reading comments \ are loaded correctly, but when writing they are then
-   replaced by \\. This leads to wrong comments when writing and reading multiple times.
-
-   Thanks to [@doxsch](https://github.com/doxsch) for the patch.
-
-### [1.8.4](https://github.com/magiconair/properties/tree/v1.8.4) - 23 Sep 2020
-
- * [PR #50](https://github.com/magiconair/properties/pull/50): enhance error message for circular references
-
-   Thanks to [@sriv](https://github.com/sriv) for the patch.
-
-### [1.8.3](https://github.com/magiconair/properties/tree/v1.8.3) - 14 Sep 2020
-
- * [PR #49](https://github.com/magiconair/properties/pull/49): Include the key in error message causing the circular reference
-
-   The change is include the key in the error message which is causing the circular
-   reference when parsing/loading the properties files.
-
-   Thanks to [@haroon-sheikh](https://github.com/haroon-sheikh) for the patch.
-
-### [1.8.2](https://github.com/magiconair/properties/tree/v1.8.2) - 25 Aug 2020
-
- * [PR #36](https://github.com/magiconair/properties/pull/36): Escape backslash on write
-
-   This patch ensures that backslashes are escaped on write. Existing applications which
-   rely on the old behavior may need to be updated.
-
-   Thanks to [@apesternikov](https://github.com/apesternikov) for the patch.
-
- * [PR #42](https://github.com/magiconair/properties/pull/42): Made Content-Type check whitespace agnostic in LoadURL()
-
-   Thanks to [@aliras1](https://github.com/aliras1) for the patch.
-
- * [PR #41](https://github.com/magiconair/properties/pull/41): Make key/value separator configurable on Write()
-
-   Thanks to [@mkjor](https://github.com/mkjor) for the patch.
-
- * [PR #40](https://github.com/magiconair/properties/pull/40): Add method to return a sorted list of keys
-
-   Thanks to [@mkjor](https://github.com/mkjor) for the patch.
-
-### [1.8.1](https://github.com/magiconair/properties/tree/v1.8.1) - 10 May 2019
-
- * [PR #35](https://github.com/magiconair/properties/pull/35): Close body always after request
-
-   This patch ensures that in `LoadURL` the response body is always closed.
-
-   Thanks to [@liubog2008](https://github.com/liubog2008) for the patch.
-
-### [1.8](https://github.com/magiconair/properties/tree/v1.8) - 15 May 2018
-
- * [PR #26](https://github.com/magiconair/properties/pull/26): Disable expansion during loading
-
-   This adds the option to disable property expansion during loading.
-
-   Thanks to [@kmala](https://github.com/kmala) for the patch.
-
-### [1.7.6](https://github.com/magiconair/properties/tree/v1.7.6) - 14 Feb 2018
-
- * [PR #29](https://github.com/magiconair/properties/pull/29): Reworked expansion logic to handle more complex cases.
-
-   See PR for an example.
-
-   Thanks to [@yobert](https://github.com/yobert) for the fix.
-
-### [1.7.5](https://github.com/magiconair/properties/tree/v1.7.5) - 13 Feb 2018
-
- * [PR #28](https://github.com/magiconair/properties/pull/28): Support duplicate expansions in the same value
-
-   Values which expand the same key multiple times (e.g. `key=${a} ${a}`) will no longer fail
-   with a `circular reference error`.
-
-   Thanks to [@yobert](https://github.com/yobert) for the fix.
-
-### [1.7.4](https://github.com/magiconair/properties/tree/v1.7.4) - 31 Oct 2017
-
- * [Issue #23](https://github.com/magiconair/properties/issues/23): Ignore blank lines with whitespaces
-
- * [PR #24](https://github.com/magiconair/properties/pull/24): Update keys when DisableExpansion is enabled
-
-   Thanks to [@mgurov](https://github.com/mgurov) for the fix.
-
-### [1.7.3](https://github.com/magiconair/properties/tree/v1.7.3) - 10 Jul 2017
-
- * [Issue #17](https://github.com/magiconair/properties/issues/17): Add [SetValue()](http://godoc.org/github.com/magiconair/properties#Properties.SetValue) method to set values generically
- * [Issue #22](https://github.com/magiconair/properties/issues/22): Add [LoadMap()](http://godoc.org/github.com/magiconair/properties#LoadMap) function to load properties from a string map
-
-### [1.7.2](https://github.com/magiconair/properties/tree/v1.7.2) - 20 Mar 2017
-
- * [Issue #15](https://github.com/magiconair/properties/issues/15): Drop gocheck dependency
- * [PR #21](https://github.com/magiconair/properties/pull/21): Add [Map()](http://godoc.org/github.com/magiconair/properties#Properties.Map) and [FilterFunc()](http://godoc.org/github.com/magiconair/properties#Properties.FilterFunc)
-
-### [1.7.1](https://github.com/magiconair/properties/tree/v1.7.1) - 13 Jan 2017
-
- * [Issue #14](https://github.com/magiconair/properties/issues/14): Decouple TestLoadExpandedFile from `$USER`
- * [PR #12](https://github.com/magiconair/properties/pull/12): Load from files and URLs
- * [PR #16](https://github.com/magiconair/properties/pull/16): Keep gofmt happy
- * [PR #18](https://github.com/magiconair/properties/pull/18): Fix Delete() function
-
-### [1.7.0](https://github.com/magiconair/properties/tree/v1.7.0) - 20 Mar 2016
-
- * [Issue #10](https://github.com/magiconair/properties/issues/10): Add [LoadURL,LoadURLs,MustLoadURL,MustLoadURLs](http://godoc.org/github.com/magiconair/properties#LoadURL) method to load properties from a URL.
- * [Issue #11](https://github.com/magiconair/properties/issues/11): Add [LoadString,MustLoadString](http://godoc.org/github.com/magiconair/properties#LoadString) method to load properties from an UTF8 string.
- * [PR #8](https://github.com/magiconair/properties/pull/8): Add [MustFlag](http://godoc.org/github.com/magiconair/properties#Properties.MustFlag) method to provide overrides via command line flags. (@pascaldekloe)
-
-### [1.6.0](https://github.com/magiconair/properties/tree/v1.6.0) - 11 Dec 2015
-
- * Add [Decode](http://godoc.org/github.com/magiconair/properties#Properties.Decode) method to populate struct from properties via tags.
-
-### [1.5.6](https://github.com/magiconair/properties/tree/v1.5.6) - 18 Oct 2015
-
- * Vendored in gopkg.in/check.v1
-
-### [1.5.5](https://github.com/magiconair/properties/tree/v1.5.5) - 31 Jul 2015
-
- * [PR #6](https://github.com/magiconair/properties/pull/6): Add [Delete](http://godoc.org/github.com/magiconair/properties#Properties.Delete) method to remove keys including comments. (@gerbenjacobs)
-
-### [1.5.4](https://github.com/magiconair/properties/tree/v1.5.4) - 23 Jun 2015
-
- * [Issue #5](https://github.com/magiconair/properties/issues/5): Allow disabling of property expansion [DisableExpansion](http://godoc.org/github.com/magiconair/properties#Properties.DisableExpansion). When property expansion is disabled Properties become a simple key/value store and don't check for circular references.
-
-### [1.5.3](https://github.com/magiconair/properties/tree/v1.5.3) - 02 Jun 2015
-
- * [Issue #4](https://github.com/magiconair/properties/issues/4): Maintain key order in [Filter()](http://godoc.org/github.com/magiconair/properties#Properties.Filter), [FilterPrefix()](http://godoc.org/github.com/magiconair/properties#Properties.FilterPrefix) and [FilterRegexp()](http://godoc.org/github.com/magiconair/properties#Properties.FilterRegexp)
-
-### [1.5.2](https://github.com/magiconair/properties/tree/v1.5.2) - 10 Apr 2015
-
- * [Issue #3](https://github.com/magiconair/properties/issues/3): Don't print comments in [WriteComment()](http://godoc.org/github.com/magiconair/properties#Properties.WriteComment) if they are all empty
- * Add clickable links to README
-
-### [1.5.1](https://github.com/magiconair/properties/tree/v1.5.1) - 08 Dec 2014
-
- * Added [GetParsedDuration()](http://godoc.org/github.com/magiconair/properties#Properties.GetParsedDuration) and [MustGetParsedDuration()](http://godoc.org/github.com/magiconair/properties#Properties.MustGetParsedDuration) for values specified compatible with
-   [time.ParseDuration()](http://golang.org/pkg/time/#ParseDuration).
-
-### [1.5.0](https://github.com/magiconair/properties/tree/v1.5.0) - 18 Nov 2014
-
- * Added support for single and multi-line comments (reading, writing and updating)
- * The order of keys is now preserved
- * Calling [Set()](http://godoc.org/github.com/magiconair/properties#Properties.Set) with an empty key now silently ignores the call and does not create a new entry
- * Added a [MustSet()](http://godoc.org/github.com/magiconair/properties#Properties.MustSet) method
- * Migrated test library from launchpad.net/gocheck to [gopkg.in/check.v1](http://gopkg.in/check.v1)
-
-### [1.4.2](https://github.com/magiconair/properties/tree/v1.4.2) - 15 Nov 2014
-
- * [Issue #2](https://github.com/magiconair/properties/issues/2): Fixed goroutine leak in parser which created two lexers but cleaned up only one
-
-### [1.4.1](https://github.com/magiconair/properties/tree/v1.4.1) - 13 Nov 2014
-
- * [Issue #1](https://github.com/magiconair/properties/issues/1): Fixed bug in Keys() method which returned an empty string
-
-### [1.4.0](https://github.com/magiconair/properties/tree/v1.4.0) - 23 Sep 2014
-
- * Added [Keys()](http://godoc.org/github.com/magiconair/properties#Properties.Keys) to get the keys
- * Added [Filter()](http://godoc.org/github.com/magiconair/properties#Properties.Filter), [FilterRegexp()](http://godoc.org/github.com/magiconair/properties#Properties.FilterRegexp) and [FilterPrefix()](http://godoc.org/github.com/magiconair/properties#Properties.FilterPrefix) to get a subset of the properties
-
-### [1.3.0](https://github.com/magiconair/properties/tree/v1.3.0) - 18 Mar 2014
-
-* Added support for time.Duration
-* Made MustXXX() failure beha[ior configurable (log.Fatal, panic](https://github.com/magiconair/properties/tree/vior configurable (log.Fatal, panic) - custom)
-* Changed default of MustXXX() failure from panic to log.Fatal
-
-### [1.2.0](https://github.com/magiconair/properties/tree/v1.2.0) - 05 Mar 2014
-
-* Added MustGet... functions
-* Added support for int and uint with range checks on 32 bit platforms
-
-### [1.1.0](https://github.com/magiconair/properties/tree/v1.1.0) - 20 Jan 2014
-
-* Renamed from goproperties to properties
-* Added support for expansion of environment vars in
-  filenames and value expressions
-* Fixed bug where value expressions were not at the
-  start of the string
-
-### [1.0.0](https://github.com/magiconair/properties/tree/v1.0.0) - 7 Jan 2014
-
-* Initial release
diff --git a/vendor/github.com/magiconair/properties/README.md b/vendor/github.com/magiconair/properties/README.md
index e2edda025..4872685f4 100644
--- a/vendor/github.com/magiconair/properties/README.md
+++ b/vendor/github.com/magiconair/properties/README.md
@@ -1,12 +1,9 @@
 [![](https://img.shields.io/github/tag/magiconair/properties.svg?style=flat-square&label=release)](https://github.com/magiconair/properties/releases)
-[![Travis CI Status](https://img.shields.io/travis/magiconair/properties.svg?branch=master&style=flat-square&label=travis)](https://travis-ci.org/magiconair/properties)
 [![License](https://img.shields.io/badge/License-BSD%202--Clause-orange.svg?style=flat-square)](https://raw.githubusercontent.com/magiconair/properties/master/LICENSE)
 [![GoDoc](http://img.shields.io/badge/godoc-reference-5272B4.svg?style=flat-square)](http://godoc.org/github.com/magiconair/properties)
 
 # Overview
 
-#### Please run `git pull --tags` to update the tags. See [below](#updated-git-tags) why.
-
 properties is a Go library for reading and writing properties files.
 
 It supports reading from multiple files or URLs and Spring style recursive
@@ -99,30 +96,3 @@ $ go get -u github.com/magiconair/properties
 ## ToDo
 
 * Dump contents with passwords and secrets obscured
-
-## Updated Git tags
-
-#### 13 Feb 2018
-
-I realized that all of the git tags I had pushed before v1.7.5 were lightweight tags
-and I've only recently learned that this doesn't play well with `git describe` 😞
-
-I have replaced all lightweight tags with signed tags using this script which should
-retain the commit date, name and email address. Please run `git pull --tags` to update them.
-
-Worst case you have to reclone the repo.
-
-```shell
-#!/bin/bash
-tag=$1
-echo "Updating $tag"
-date=$(git show ${tag}^0 --format=%aD | head -1)
-email=$(git show ${tag}^0 --format=%aE | head -1)
-name=$(git show ${tag}^0 --format=%aN | head -1)
-GIT_COMMITTER_DATE="$date" GIT_COMMITTER_NAME="$name" GIT_COMMITTER_EMAIL="$email" git tag -s -f ${tag} ${tag}^0 -m ${tag}
-```
-
-I apologize for the inconvenience.
-
-Frank
-
diff --git a/vendor/github.com/magiconair/properties/decode.go b/vendor/github.com/magiconair/properties/decode.go
index 8e6aa441d..f5e252f8d 100644
--- a/vendor/github.com/magiconair/properties/decode.go
+++ b/vendor/github.com/magiconair/properties/decode.go
@@ -189,12 +189,12 @@ func dec(p *Properties, key string, def *string, opts map[string]string, v refle
 		for i := 0; i < v.NumField(); i++ {
 			fv := v.Field(i)
 			fk, def, opts := keydef(t.Field(i))
-			if !fv.CanSet() {
-				return fmt.Errorf("cannot set %s", t.Field(i).Name)
-			}
 			if fk == "-" {
 				continue
 			}
+			if !fv.CanSet() {
+				return fmt.Errorf("cannot set %s", t.Field(i).Name)
+			}
 			if key != "" {
 				fk = key + "." + fk
 			}
diff --git a/vendor/github.com/magiconair/properties/load.go b/vendor/github.com/magiconair/properties/load.go
index 635368dc8..6567e0c71 100644
--- a/vendor/github.com/magiconair/properties/load.go
+++ b/vendor/github.com/magiconair/properties/load.go
@@ -6,7 +6,7 @@ package properties
 
 import (
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"strings"
@@ -52,6 +52,15 @@ func (l *Loader) LoadBytes(buf []byte) (*Properties, error) {
 	return l.loadBytes(buf, l.Encoding)
 }
 
+// LoadReader reads an io.Reader into a Properties struct.
+func (l *Loader) LoadReader(r io.Reader) (*Properties, error) {
+	if buf, err := io.ReadAll(r); err != nil {
+		return nil, err
+	} else {
+		return l.loadBytes(buf, l.Encoding)
+	}
+}
+
 // LoadAll reads the content of multiple URLs or files in the given order into
 // a Properties struct. If IgnoreMissing is true then a 404 status code or
 // missing file will not be reported as error. Encoding sets the encoding for
@@ -91,7 +100,7 @@ func (l *Loader) LoadAll(names []string) (*Properties, error) {
 // If IgnoreMissing is true then a missing file will not be
 // reported as error.
 func (l *Loader) LoadFile(filename string) (*Properties, error) {
-	data, err := ioutil.ReadFile(filename)
+	data, err := os.ReadFile(filename)
 	if err != nil {
 		if l.IgnoreMissing && os.IsNotExist(err) {
 			LogPrintf("properties: %s not found. skipping", filename)
@@ -126,7 +135,7 @@ func (l *Loader) LoadURL(url string) (*Properties, error) {
 		return nil, fmt.Errorf("properties: %s returned %d", url, resp.StatusCode)
 	}
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, fmt.Errorf("properties: %s error reading response. %s", url, err)
 	}
@@ -185,6 +194,12 @@ func LoadFile(filename string, enc Encoding) (*Properties, error) {
 	return l.LoadAll([]string{filename})
 }
 
+// LoadReader reads an io.Reader into a Properties struct.
+func LoadReader(r io.Reader, enc Encoding) (*Properties, error) {
+	l := &Loader{Encoding: enc}
+	return l.LoadReader(r)
+}
+
 // LoadFiles reads multiple files in the given order into
 // a Properties struct. If 'ignoreMissing' is true then
 // non-existent files will not be reported as error.
@@ -224,6 +239,12 @@ func MustLoadString(s string) *Properties {
 	return must(LoadString(s))
 }
 
+// MustLoadSReader reads an io.Reader into a Properties struct and
+// panics on error.
+func MustLoadReader(r io.Reader, enc Encoding) *Properties {
+	return must(LoadReader(r, enc))
+}
+
 // MustLoadFile reads a file into a Properties struct and
 // panics on error.
 func MustLoadFile(filename string, enc Encoding) *Properties {
diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_table.go b/vendor/github.com/mattn/go-runewidth/runewidth_table.go
index e5d890c26..ad025ad52 100644
--- a/vendor/github.com/mattn/go-runewidth/runewidth_table.go
+++ b/vendor/github.com/mattn/go-runewidth/runewidth_table.go
@@ -4,20 +4,21 @@ package runewidth
 
 var combining = table{
 	{0x0300, 0x036F}, {0x0483, 0x0489}, {0x07EB, 0x07F3},
-	{0x0C00, 0x0C00}, {0x0C04, 0x0C04}, {0x0D00, 0x0D01},
-	{0x135D, 0x135F}, {0x1A7F, 0x1A7F}, {0x1AB0, 0x1AC0},
-	{0x1B6B, 0x1B73}, {0x1DC0, 0x1DF9}, {0x1DFB, 0x1DFF},
+	{0x0C00, 0x0C00}, {0x0C04, 0x0C04}, {0x0CF3, 0x0CF3},
+	{0x0D00, 0x0D01}, {0x135D, 0x135F}, {0x1A7F, 0x1A7F},
+	{0x1AB0, 0x1ACE}, {0x1B6B, 0x1B73}, {0x1DC0, 0x1DFF},
 	{0x20D0, 0x20F0}, {0x2CEF, 0x2CF1}, {0x2DE0, 0x2DFF},
 	{0x3099, 0x309A}, {0xA66F, 0xA672}, {0xA674, 0xA67D},
 	{0xA69E, 0xA69F}, {0xA6F0, 0xA6F1}, {0xA8E0, 0xA8F1},
 	{0xFE20, 0xFE2F}, {0x101FD, 0x101FD}, {0x10376, 0x1037A},
-	{0x10EAB, 0x10EAC}, {0x10F46, 0x10F50}, {0x11300, 0x11301},
-	{0x1133B, 0x1133C}, {0x11366, 0x1136C}, {0x11370, 0x11374},
-	{0x16AF0, 0x16AF4}, {0x1D165, 0x1D169}, {0x1D16D, 0x1D172},
+	{0x10EAB, 0x10EAC}, {0x10F46, 0x10F50}, {0x10F82, 0x10F85},
+	{0x11300, 0x11301}, {0x1133B, 0x1133C}, {0x11366, 0x1136C},
+	{0x11370, 0x11374}, {0x16AF0, 0x16AF4}, {0x1CF00, 0x1CF2D},
+	{0x1CF30, 0x1CF46}, {0x1D165, 0x1D169}, {0x1D16D, 0x1D172},
 	{0x1D17B, 0x1D182}, {0x1D185, 0x1D18B}, {0x1D1AA, 0x1D1AD},
 	{0x1D242, 0x1D244}, {0x1E000, 0x1E006}, {0x1E008, 0x1E018},
 	{0x1E01B, 0x1E021}, {0x1E023, 0x1E024}, {0x1E026, 0x1E02A},
-	{0x1E8D0, 0x1E8D6},
+	{0x1E08F, 0x1E08F}, {0x1E8D0, 0x1E8D6},
 }
 
 var doublewidth = table{
@@ -33,33 +34,34 @@ var doublewidth = table{
 	{0x2753, 0x2755}, {0x2757, 0x2757}, {0x2795, 0x2797},
 	{0x27B0, 0x27B0}, {0x27BF, 0x27BF}, {0x2B1B, 0x2B1C},
 	{0x2B50, 0x2B50}, {0x2B55, 0x2B55}, {0x2E80, 0x2E99},
-	{0x2E9B, 0x2EF3}, {0x2F00, 0x2FD5}, {0x2FF0, 0x2FFB},
-	{0x3000, 0x303E}, {0x3041, 0x3096}, {0x3099, 0x30FF},
-	{0x3105, 0x312F}, {0x3131, 0x318E}, {0x3190, 0x31E3},
-	{0x31F0, 0x321E}, {0x3220, 0x3247}, {0x3250, 0x4DBF},
-	{0x4E00, 0xA48C}, {0xA490, 0xA4C6}, {0xA960, 0xA97C},
-	{0xAC00, 0xD7A3}, {0xF900, 0xFAFF}, {0xFE10, 0xFE19},
-	{0xFE30, 0xFE52}, {0xFE54, 0xFE66}, {0xFE68, 0xFE6B},
-	{0xFF01, 0xFF60}, {0xFFE0, 0xFFE6}, {0x16FE0, 0x16FE4},
-	{0x16FF0, 0x16FF1}, {0x17000, 0x187F7}, {0x18800, 0x18CD5},
-	{0x18D00, 0x18D08}, {0x1B000, 0x1B11E}, {0x1B150, 0x1B152},
-	{0x1B164, 0x1B167}, {0x1B170, 0x1B2FB}, {0x1F004, 0x1F004},
-	{0x1F0CF, 0x1F0CF}, {0x1F18E, 0x1F18E}, {0x1F191, 0x1F19A},
-	{0x1F200, 0x1F202}, {0x1F210, 0x1F23B}, {0x1F240, 0x1F248},
-	{0x1F250, 0x1F251}, {0x1F260, 0x1F265}, {0x1F300, 0x1F320},
-	{0x1F32D, 0x1F335}, {0x1F337, 0x1F37C}, {0x1F37E, 0x1F393},
-	{0x1F3A0, 0x1F3CA}, {0x1F3CF, 0x1F3D3}, {0x1F3E0, 0x1F3F0},
-	{0x1F3F4, 0x1F3F4}, {0x1F3F8, 0x1F43E}, {0x1F440, 0x1F440},
-	{0x1F442, 0x1F4FC}, {0x1F4FF, 0x1F53D}, {0x1F54B, 0x1F54E},
-	{0x1F550, 0x1F567}, {0x1F57A, 0x1F57A}, {0x1F595, 0x1F596},
-	{0x1F5A4, 0x1F5A4}, {0x1F5FB, 0x1F64F}, {0x1F680, 0x1F6C5},
-	{0x1F6CC, 0x1F6CC}, {0x1F6D0, 0x1F6D2}, {0x1F6D5, 0x1F6D7},
-	{0x1F6EB, 0x1F6EC}, {0x1F6F4, 0x1F6FC}, {0x1F7E0, 0x1F7EB},
-	{0x1F90C, 0x1F93A}, {0x1F93C, 0x1F945}, {0x1F947, 0x1F978},
-	{0x1F97A, 0x1F9CB}, {0x1F9CD, 0x1F9FF}, {0x1FA70, 0x1FA74},
-	{0x1FA78, 0x1FA7A}, {0x1FA80, 0x1FA86}, {0x1FA90, 0x1FAA8},
-	{0x1FAB0, 0x1FAB6}, {0x1FAC0, 0x1FAC2}, {0x1FAD0, 0x1FAD6},
-	{0x20000, 0x2FFFD}, {0x30000, 0x3FFFD},
+	{0x2E9B, 0x2EF3}, {0x2F00, 0x2FD5}, {0x2FF0, 0x303E},
+	{0x3041, 0x3096}, {0x3099, 0x30FF}, {0x3105, 0x312F},
+	{0x3131, 0x318E}, {0x3190, 0x31E3}, {0x31EF, 0x321E},
+	{0x3220, 0x3247}, {0x3250, 0x4DBF}, {0x4E00, 0xA48C},
+	{0xA490, 0xA4C6}, {0xA960, 0xA97C}, {0xAC00, 0xD7A3},
+	{0xF900, 0xFAFF}, {0xFE10, 0xFE19}, {0xFE30, 0xFE52},
+	{0xFE54, 0xFE66}, {0xFE68, 0xFE6B}, {0xFF01, 0xFF60},
+	{0xFFE0, 0xFFE6}, {0x16FE0, 0x16FE4}, {0x16FF0, 0x16FF1},
+	{0x17000, 0x187F7}, {0x18800, 0x18CD5}, {0x18D00, 0x18D08},
+	{0x1AFF0, 0x1AFF3}, {0x1AFF5, 0x1AFFB}, {0x1AFFD, 0x1AFFE},
+	{0x1B000, 0x1B122}, {0x1B132, 0x1B132}, {0x1B150, 0x1B152},
+	{0x1B155, 0x1B155}, {0x1B164, 0x1B167}, {0x1B170, 0x1B2FB},
+	{0x1F004, 0x1F004}, {0x1F0CF, 0x1F0CF}, {0x1F18E, 0x1F18E},
+	{0x1F191, 0x1F19A}, {0x1F200, 0x1F202}, {0x1F210, 0x1F23B},
+	{0x1F240, 0x1F248}, {0x1F250, 0x1F251}, {0x1F260, 0x1F265},
+	{0x1F300, 0x1F320}, {0x1F32D, 0x1F335}, {0x1F337, 0x1F37C},
+	{0x1F37E, 0x1F393}, {0x1F3A0, 0x1F3CA}, {0x1F3CF, 0x1F3D3},
+	{0x1F3E0, 0x1F3F0}, {0x1F3F4, 0x1F3F4}, {0x1F3F8, 0x1F43E},
+	{0x1F440, 0x1F440}, {0x1F442, 0x1F4FC}, {0x1F4FF, 0x1F53D},
+	{0x1F54B, 0x1F54E}, {0x1F550, 0x1F567}, {0x1F57A, 0x1F57A},
+	{0x1F595, 0x1F596}, {0x1F5A4, 0x1F5A4}, {0x1F5FB, 0x1F64F},
+	{0x1F680, 0x1F6C5}, {0x1F6CC, 0x1F6CC}, {0x1F6D0, 0x1F6D2},
+	{0x1F6D5, 0x1F6D7}, {0x1F6DC, 0x1F6DF}, {0x1F6EB, 0x1F6EC},
+	{0x1F6F4, 0x1F6FC}, {0x1F7E0, 0x1F7EB}, {0x1F7F0, 0x1F7F0},
+	{0x1F90C, 0x1F93A}, {0x1F93C, 0x1F945}, {0x1F947, 0x1F9FF},
+	{0x1FA70, 0x1FA7C}, {0x1FA80, 0x1FA88}, {0x1FA90, 0x1FABD},
+	{0x1FABF, 0x1FAC5}, {0x1FACE, 0x1FADB}, {0x1FAE0, 0x1FAE8},
+	{0x1FAF0, 0x1FAF8}, {0x20000, 0x2FFFD}, {0x30000, 0x3FFFD},
 }
 
 var ambiguous = table{
@@ -154,43 +156,43 @@ var neutral = table{
 	{0x0402, 0x040F}, {0x0450, 0x0450}, {0x0452, 0x052F},
 	{0x0531, 0x0556}, {0x0559, 0x058A}, {0x058D, 0x058F},
 	{0x0591, 0x05C7}, {0x05D0, 0x05EA}, {0x05EF, 0x05F4},
-	{0x0600, 0x061C}, {0x061E, 0x070D}, {0x070F, 0x074A},
-	{0x074D, 0x07B1}, {0x07C0, 0x07FA}, {0x07FD, 0x082D},
-	{0x0830, 0x083E}, {0x0840, 0x085B}, {0x085E, 0x085E},
-	{0x0860, 0x086A}, {0x08A0, 0x08B4}, {0x08B6, 0x08C7},
-	{0x08D3, 0x0983}, {0x0985, 0x098C}, {0x098F, 0x0990},
-	{0x0993, 0x09A8}, {0x09AA, 0x09B0}, {0x09B2, 0x09B2},
-	{0x09B6, 0x09B9}, {0x09BC, 0x09C4}, {0x09C7, 0x09C8},
-	{0x09CB, 0x09CE}, {0x09D7, 0x09D7}, {0x09DC, 0x09DD},
-	{0x09DF, 0x09E3}, {0x09E6, 0x09FE}, {0x0A01, 0x0A03},
-	{0x0A05, 0x0A0A}, {0x0A0F, 0x0A10}, {0x0A13, 0x0A28},
-	{0x0A2A, 0x0A30}, {0x0A32, 0x0A33}, {0x0A35, 0x0A36},
-	{0x0A38, 0x0A39}, {0x0A3C, 0x0A3C}, {0x0A3E, 0x0A42},
-	{0x0A47, 0x0A48}, {0x0A4B, 0x0A4D}, {0x0A51, 0x0A51},
-	{0x0A59, 0x0A5C}, {0x0A5E, 0x0A5E}, {0x0A66, 0x0A76},
-	{0x0A81, 0x0A83}, {0x0A85, 0x0A8D}, {0x0A8F, 0x0A91},
-	{0x0A93, 0x0AA8}, {0x0AAA, 0x0AB0}, {0x0AB2, 0x0AB3},
-	{0x0AB5, 0x0AB9}, {0x0ABC, 0x0AC5}, {0x0AC7, 0x0AC9},
-	{0x0ACB, 0x0ACD}, {0x0AD0, 0x0AD0}, {0x0AE0, 0x0AE3},
-	{0x0AE6, 0x0AF1}, {0x0AF9, 0x0AFF}, {0x0B01, 0x0B03},
-	{0x0B05, 0x0B0C}, {0x0B0F, 0x0B10}, {0x0B13, 0x0B28},
-	{0x0B2A, 0x0B30}, {0x0B32, 0x0B33}, {0x0B35, 0x0B39},
-	{0x0B3C, 0x0B44}, {0x0B47, 0x0B48}, {0x0B4B, 0x0B4D},
-	{0x0B55, 0x0B57}, {0x0B5C, 0x0B5D}, {0x0B5F, 0x0B63},
-	{0x0B66, 0x0B77}, {0x0B82, 0x0B83}, {0x0B85, 0x0B8A},
-	{0x0B8E, 0x0B90}, {0x0B92, 0x0B95}, {0x0B99, 0x0B9A},
-	{0x0B9C, 0x0B9C}, {0x0B9E, 0x0B9F}, {0x0BA3, 0x0BA4},
-	{0x0BA8, 0x0BAA}, {0x0BAE, 0x0BB9}, {0x0BBE, 0x0BC2},
-	{0x0BC6, 0x0BC8}, {0x0BCA, 0x0BCD}, {0x0BD0, 0x0BD0},
-	{0x0BD7, 0x0BD7}, {0x0BE6, 0x0BFA}, {0x0C00, 0x0C0C},
-	{0x0C0E, 0x0C10}, {0x0C12, 0x0C28}, {0x0C2A, 0x0C39},
-	{0x0C3D, 0x0C44}, {0x0C46, 0x0C48}, {0x0C4A, 0x0C4D},
-	{0x0C55, 0x0C56}, {0x0C58, 0x0C5A}, {0x0C60, 0x0C63},
+	{0x0600, 0x070D}, {0x070F, 0x074A}, {0x074D, 0x07B1},
+	{0x07C0, 0x07FA}, {0x07FD, 0x082D}, {0x0830, 0x083E},
+	{0x0840, 0x085B}, {0x085E, 0x085E}, {0x0860, 0x086A},
+	{0x0870, 0x088E}, {0x0890, 0x0891}, {0x0898, 0x0983},
+	{0x0985, 0x098C}, {0x098F, 0x0990}, {0x0993, 0x09A8},
+	{0x09AA, 0x09B0}, {0x09B2, 0x09B2}, {0x09B6, 0x09B9},
+	{0x09BC, 0x09C4}, {0x09C7, 0x09C8}, {0x09CB, 0x09CE},
+	{0x09D7, 0x09D7}, {0x09DC, 0x09DD}, {0x09DF, 0x09E3},
+	{0x09E6, 0x09FE}, {0x0A01, 0x0A03}, {0x0A05, 0x0A0A},
+	{0x0A0F, 0x0A10}, {0x0A13, 0x0A28}, {0x0A2A, 0x0A30},
+	{0x0A32, 0x0A33}, {0x0A35, 0x0A36}, {0x0A38, 0x0A39},
+	{0x0A3C, 0x0A3C}, {0x0A3E, 0x0A42}, {0x0A47, 0x0A48},
+	{0x0A4B, 0x0A4D}, {0x0A51, 0x0A51}, {0x0A59, 0x0A5C},
+	{0x0A5E, 0x0A5E}, {0x0A66, 0x0A76}, {0x0A81, 0x0A83},
+	{0x0A85, 0x0A8D}, {0x0A8F, 0x0A91}, {0x0A93, 0x0AA8},
+	{0x0AAA, 0x0AB0}, {0x0AB2, 0x0AB3}, {0x0AB5, 0x0AB9},
+	{0x0ABC, 0x0AC5}, {0x0AC7, 0x0AC9}, {0x0ACB, 0x0ACD},
+	{0x0AD0, 0x0AD0}, {0x0AE0, 0x0AE3}, {0x0AE6, 0x0AF1},
+	{0x0AF9, 0x0AFF}, {0x0B01, 0x0B03}, {0x0B05, 0x0B0C},
+	{0x0B0F, 0x0B10}, {0x0B13, 0x0B28}, {0x0B2A, 0x0B30},
+	{0x0B32, 0x0B33}, {0x0B35, 0x0B39}, {0x0B3C, 0x0B44},
+	{0x0B47, 0x0B48}, {0x0B4B, 0x0B4D}, {0x0B55, 0x0B57},
+	{0x0B5C, 0x0B5D}, {0x0B5F, 0x0B63}, {0x0B66, 0x0B77},
+	{0x0B82, 0x0B83}, {0x0B85, 0x0B8A}, {0x0B8E, 0x0B90},
+	{0x0B92, 0x0B95}, {0x0B99, 0x0B9A}, {0x0B9C, 0x0B9C},
+	{0x0B9E, 0x0B9F}, {0x0BA3, 0x0BA4}, {0x0BA8, 0x0BAA},
+	{0x0BAE, 0x0BB9}, {0x0BBE, 0x0BC2}, {0x0BC6, 0x0BC8},
+	{0x0BCA, 0x0BCD}, {0x0BD0, 0x0BD0}, {0x0BD7, 0x0BD7},
+	{0x0BE6, 0x0BFA}, {0x0C00, 0x0C0C}, {0x0C0E, 0x0C10},
+	{0x0C12, 0x0C28}, {0x0C2A, 0x0C39}, {0x0C3C, 0x0C44},
+	{0x0C46, 0x0C48}, {0x0C4A, 0x0C4D}, {0x0C55, 0x0C56},
+	{0x0C58, 0x0C5A}, {0x0C5D, 0x0C5D}, {0x0C60, 0x0C63},
 	{0x0C66, 0x0C6F}, {0x0C77, 0x0C8C}, {0x0C8E, 0x0C90},
 	{0x0C92, 0x0CA8}, {0x0CAA, 0x0CB3}, {0x0CB5, 0x0CB9},
 	{0x0CBC, 0x0CC4}, {0x0CC6, 0x0CC8}, {0x0CCA, 0x0CCD},
-	{0x0CD5, 0x0CD6}, {0x0CDE, 0x0CDE}, {0x0CE0, 0x0CE3},
-	{0x0CE6, 0x0CEF}, {0x0CF1, 0x0CF2}, {0x0D00, 0x0D0C},
+	{0x0CD5, 0x0CD6}, {0x0CDD, 0x0CDE}, {0x0CE0, 0x0CE3},
+	{0x0CE6, 0x0CEF}, {0x0CF1, 0x0CF3}, {0x0D00, 0x0D0C},
 	{0x0D0E, 0x0D10}, {0x0D12, 0x0D44}, {0x0D46, 0x0D48},
 	{0x0D4A, 0x0D4F}, {0x0D54, 0x0D63}, {0x0D66, 0x0D7F},
 	{0x0D81, 0x0D83}, {0x0D85, 0x0D96}, {0x0D9A, 0x0DB1},
@@ -200,7 +202,7 @@ var neutral = table{
 	{0x0E01, 0x0E3A}, {0x0E3F, 0x0E5B}, {0x0E81, 0x0E82},
 	{0x0E84, 0x0E84}, {0x0E86, 0x0E8A}, {0x0E8C, 0x0EA3},
 	{0x0EA5, 0x0EA5}, {0x0EA7, 0x0EBD}, {0x0EC0, 0x0EC4},
-	{0x0EC6, 0x0EC6}, {0x0EC8, 0x0ECD}, {0x0ED0, 0x0ED9},
+	{0x0EC6, 0x0EC6}, {0x0EC8, 0x0ECE}, {0x0ED0, 0x0ED9},
 	{0x0EDC, 0x0EDF}, {0x0F00, 0x0F47}, {0x0F49, 0x0F6C},
 	{0x0F71, 0x0F97}, {0x0F99, 0x0FBC}, {0x0FBE, 0x0FCC},
 	{0x0FCE, 0x0FDA}, {0x1000, 0x10C5}, {0x10C7, 0x10C7},
@@ -212,20 +214,19 @@ var neutral = table{
 	{0x12D8, 0x1310}, {0x1312, 0x1315}, {0x1318, 0x135A},
 	{0x135D, 0x137C}, {0x1380, 0x1399}, {0x13A0, 0x13F5},
 	{0x13F8, 0x13FD}, {0x1400, 0x169C}, {0x16A0, 0x16F8},
-	{0x1700, 0x170C}, {0x170E, 0x1714}, {0x1720, 0x1736},
-	{0x1740, 0x1753}, {0x1760, 0x176C}, {0x176E, 0x1770},
-	{0x1772, 0x1773}, {0x1780, 0x17DD}, {0x17E0, 0x17E9},
-	{0x17F0, 0x17F9}, {0x1800, 0x180E}, {0x1810, 0x1819},
-	{0x1820, 0x1878}, {0x1880, 0x18AA}, {0x18B0, 0x18F5},
-	{0x1900, 0x191E}, {0x1920, 0x192B}, {0x1930, 0x193B},
-	{0x1940, 0x1940}, {0x1944, 0x196D}, {0x1970, 0x1974},
-	{0x1980, 0x19AB}, {0x19B0, 0x19C9}, {0x19D0, 0x19DA},
-	{0x19DE, 0x1A1B}, {0x1A1E, 0x1A5E}, {0x1A60, 0x1A7C},
-	{0x1A7F, 0x1A89}, {0x1A90, 0x1A99}, {0x1AA0, 0x1AAD},
-	{0x1AB0, 0x1AC0}, {0x1B00, 0x1B4B}, {0x1B50, 0x1B7C},
-	{0x1B80, 0x1BF3}, {0x1BFC, 0x1C37}, {0x1C3B, 0x1C49},
-	{0x1C4D, 0x1C88}, {0x1C90, 0x1CBA}, {0x1CBD, 0x1CC7},
-	{0x1CD0, 0x1CFA}, {0x1D00, 0x1DF9}, {0x1DFB, 0x1F15},
+	{0x1700, 0x1715}, {0x171F, 0x1736}, {0x1740, 0x1753},
+	{0x1760, 0x176C}, {0x176E, 0x1770}, {0x1772, 0x1773},
+	{0x1780, 0x17DD}, {0x17E0, 0x17E9}, {0x17F0, 0x17F9},
+	{0x1800, 0x1819}, {0x1820, 0x1878}, {0x1880, 0x18AA},
+	{0x18B0, 0x18F5}, {0x1900, 0x191E}, {0x1920, 0x192B},
+	{0x1930, 0x193B}, {0x1940, 0x1940}, {0x1944, 0x196D},
+	{0x1970, 0x1974}, {0x1980, 0x19AB}, {0x19B0, 0x19C9},
+	{0x19D0, 0x19DA}, {0x19DE, 0x1A1B}, {0x1A1E, 0x1A5E},
+	{0x1A60, 0x1A7C}, {0x1A7F, 0x1A89}, {0x1A90, 0x1A99},
+	{0x1AA0, 0x1AAD}, {0x1AB0, 0x1ACE}, {0x1B00, 0x1B4C},
+	{0x1B50, 0x1B7E}, {0x1B80, 0x1BF3}, {0x1BFC, 0x1C37},
+	{0x1C3B, 0x1C49}, {0x1C4D, 0x1C88}, {0x1C90, 0x1CBA},
+	{0x1CBD, 0x1CC7}, {0x1CD0, 0x1CFA}, {0x1D00, 0x1F15},
 	{0x1F18, 0x1F1D}, {0x1F20, 0x1F45}, {0x1F48, 0x1F4D},
 	{0x1F50, 0x1F57}, {0x1F59, 0x1F59}, {0x1F5B, 0x1F5B},
 	{0x1F5D, 0x1F5D}, {0x1F5F, 0x1F7D}, {0x1F80, 0x1FB4},
@@ -237,7 +238,7 @@ var neutral = table{
 	{0x2036, 0x203A}, {0x203C, 0x203D}, {0x203F, 0x2064},
 	{0x2066, 0x2071}, {0x2075, 0x207E}, {0x2080, 0x2080},
 	{0x2085, 0x208E}, {0x2090, 0x209C}, {0x20A0, 0x20A8},
-	{0x20AA, 0x20AB}, {0x20AD, 0x20BF}, {0x20D0, 0x20F0},
+	{0x20AA, 0x20AB}, {0x20AD, 0x20C0}, {0x20D0, 0x20F0},
 	{0x2100, 0x2102}, {0x2104, 0x2104}, {0x2106, 0x2108},
 	{0x210A, 0x2112}, {0x2114, 0x2115}, {0x2117, 0x2120},
 	{0x2123, 0x2125}, {0x2127, 0x212A}, {0x212C, 0x2152},
@@ -275,15 +276,15 @@ var neutral = table{
 	{0x2780, 0x2794}, {0x2798, 0x27AF}, {0x27B1, 0x27BE},
 	{0x27C0, 0x27E5}, {0x27EE, 0x2984}, {0x2987, 0x2B1A},
 	{0x2B1D, 0x2B4F}, {0x2B51, 0x2B54}, {0x2B5A, 0x2B73},
-	{0x2B76, 0x2B95}, {0x2B97, 0x2C2E}, {0x2C30, 0x2C5E},
-	{0x2C60, 0x2CF3}, {0x2CF9, 0x2D25}, {0x2D27, 0x2D27},
-	{0x2D2D, 0x2D2D}, {0x2D30, 0x2D67}, {0x2D6F, 0x2D70},
-	{0x2D7F, 0x2D96}, {0x2DA0, 0x2DA6}, {0x2DA8, 0x2DAE},
-	{0x2DB0, 0x2DB6}, {0x2DB8, 0x2DBE}, {0x2DC0, 0x2DC6},
-	{0x2DC8, 0x2DCE}, {0x2DD0, 0x2DD6}, {0x2DD8, 0x2DDE},
-	{0x2DE0, 0x2E52}, {0x303F, 0x303F}, {0x4DC0, 0x4DFF},
-	{0xA4D0, 0xA62B}, {0xA640, 0xA6F7}, {0xA700, 0xA7BF},
-	{0xA7C2, 0xA7CA}, {0xA7F5, 0xA82C}, {0xA830, 0xA839},
+	{0x2B76, 0x2B95}, {0x2B97, 0x2CF3}, {0x2CF9, 0x2D25},
+	{0x2D27, 0x2D27}, {0x2D2D, 0x2D2D}, {0x2D30, 0x2D67},
+	{0x2D6F, 0x2D70}, {0x2D7F, 0x2D96}, {0x2DA0, 0x2DA6},
+	{0x2DA8, 0x2DAE}, {0x2DB0, 0x2DB6}, {0x2DB8, 0x2DBE},
+	{0x2DC0, 0x2DC6}, {0x2DC8, 0x2DCE}, {0x2DD0, 0x2DD6},
+	{0x2DD8, 0x2DDE}, {0x2DE0, 0x2E5D}, {0x303F, 0x303F},
+	{0x4DC0, 0x4DFF}, {0xA4D0, 0xA62B}, {0xA640, 0xA6F7},
+	{0xA700, 0xA7CA}, {0xA7D0, 0xA7D1}, {0xA7D3, 0xA7D3},
+	{0xA7D5, 0xA7D9}, {0xA7F2, 0xA82C}, {0xA830, 0xA839},
 	{0xA840, 0xA877}, {0xA880, 0xA8C5}, {0xA8CE, 0xA8D9},
 	{0xA8E0, 0xA953}, {0xA95F, 0xA95F}, {0xA980, 0xA9CD},
 	{0xA9CF, 0xA9D9}, {0xA9DE, 0xA9FE}, {0xAA00, 0xAA36},
@@ -294,8 +295,8 @@ var neutral = table{
 	{0xD7B0, 0xD7C6}, {0xD7CB, 0xD7FB}, {0xD800, 0xDFFF},
 	{0xFB00, 0xFB06}, {0xFB13, 0xFB17}, {0xFB1D, 0xFB36},
 	{0xFB38, 0xFB3C}, {0xFB3E, 0xFB3E}, {0xFB40, 0xFB41},
-	{0xFB43, 0xFB44}, {0xFB46, 0xFBC1}, {0xFBD3, 0xFD3F},
-	{0xFD50, 0xFD8F}, {0xFD92, 0xFDC7}, {0xFDF0, 0xFDFD},
+	{0xFB43, 0xFB44}, {0xFB46, 0xFBC2}, {0xFBD3, 0xFD8F},
+	{0xFD92, 0xFDC7}, {0xFDCF, 0xFDCF}, {0xFDF0, 0xFDFF},
 	{0xFE20, 0xFE2F}, {0xFE70, 0xFE74}, {0xFE76, 0xFEFC},
 	{0xFEFF, 0xFEFF}, {0xFFF9, 0xFFFC}, {0x10000, 0x1000B},
 	{0x1000D, 0x10026}, {0x10028, 0x1003A}, {0x1003C, 0x1003D},
@@ -307,44 +308,48 @@ var neutral = table{
 	{0x10380, 0x1039D}, {0x1039F, 0x103C3}, {0x103C8, 0x103D5},
 	{0x10400, 0x1049D}, {0x104A0, 0x104A9}, {0x104B0, 0x104D3},
 	{0x104D8, 0x104FB}, {0x10500, 0x10527}, {0x10530, 0x10563},
-	{0x1056F, 0x1056F}, {0x10600, 0x10736}, {0x10740, 0x10755},
-	{0x10760, 0x10767}, {0x10800, 0x10805}, {0x10808, 0x10808},
-	{0x1080A, 0x10835}, {0x10837, 0x10838}, {0x1083C, 0x1083C},
-	{0x1083F, 0x10855}, {0x10857, 0x1089E}, {0x108A7, 0x108AF},
-	{0x108E0, 0x108F2}, {0x108F4, 0x108F5}, {0x108FB, 0x1091B},
-	{0x1091F, 0x10939}, {0x1093F, 0x1093F}, {0x10980, 0x109B7},
-	{0x109BC, 0x109CF}, {0x109D2, 0x10A03}, {0x10A05, 0x10A06},
-	{0x10A0C, 0x10A13}, {0x10A15, 0x10A17}, {0x10A19, 0x10A35},
-	{0x10A38, 0x10A3A}, {0x10A3F, 0x10A48}, {0x10A50, 0x10A58},
-	{0x10A60, 0x10A9F}, {0x10AC0, 0x10AE6}, {0x10AEB, 0x10AF6},
-	{0x10B00, 0x10B35}, {0x10B39, 0x10B55}, {0x10B58, 0x10B72},
-	{0x10B78, 0x10B91}, {0x10B99, 0x10B9C}, {0x10BA9, 0x10BAF},
-	{0x10C00, 0x10C48}, {0x10C80, 0x10CB2}, {0x10CC0, 0x10CF2},
-	{0x10CFA, 0x10D27}, {0x10D30, 0x10D39}, {0x10E60, 0x10E7E},
-	{0x10E80, 0x10EA9}, {0x10EAB, 0x10EAD}, {0x10EB0, 0x10EB1},
-	{0x10F00, 0x10F27}, {0x10F30, 0x10F59}, {0x10FB0, 0x10FCB},
-	{0x10FE0, 0x10FF6}, {0x11000, 0x1104D}, {0x11052, 0x1106F},
-	{0x1107F, 0x110C1}, {0x110CD, 0x110CD}, {0x110D0, 0x110E8},
-	{0x110F0, 0x110F9}, {0x11100, 0x11134}, {0x11136, 0x11147},
-	{0x11150, 0x11176}, {0x11180, 0x111DF}, {0x111E1, 0x111F4},
-	{0x11200, 0x11211}, {0x11213, 0x1123E}, {0x11280, 0x11286},
-	{0x11288, 0x11288}, {0x1128A, 0x1128D}, {0x1128F, 0x1129D},
-	{0x1129F, 0x112A9}, {0x112B0, 0x112EA}, {0x112F0, 0x112F9},
-	{0x11300, 0x11303}, {0x11305, 0x1130C}, {0x1130F, 0x11310},
-	{0x11313, 0x11328}, {0x1132A, 0x11330}, {0x11332, 0x11333},
-	{0x11335, 0x11339}, {0x1133B, 0x11344}, {0x11347, 0x11348},
-	{0x1134B, 0x1134D}, {0x11350, 0x11350}, {0x11357, 0x11357},
-	{0x1135D, 0x11363}, {0x11366, 0x1136C}, {0x11370, 0x11374},
-	{0x11400, 0x1145B}, {0x1145D, 0x11461}, {0x11480, 0x114C7},
-	{0x114D0, 0x114D9}, {0x11580, 0x115B5}, {0x115B8, 0x115DD},
-	{0x11600, 0x11644}, {0x11650, 0x11659}, {0x11660, 0x1166C},
-	{0x11680, 0x116B8}, {0x116C0, 0x116C9}, {0x11700, 0x1171A},
-	{0x1171D, 0x1172B}, {0x11730, 0x1173F}, {0x11800, 0x1183B},
-	{0x118A0, 0x118F2}, {0x118FF, 0x11906}, {0x11909, 0x11909},
-	{0x1190C, 0x11913}, {0x11915, 0x11916}, {0x11918, 0x11935},
-	{0x11937, 0x11938}, {0x1193B, 0x11946}, {0x11950, 0x11959},
-	{0x119A0, 0x119A7}, {0x119AA, 0x119D7}, {0x119DA, 0x119E4},
-	{0x11A00, 0x11A47}, {0x11A50, 0x11AA2}, {0x11AC0, 0x11AF8},
+	{0x1056F, 0x1057A}, {0x1057C, 0x1058A}, {0x1058C, 0x10592},
+	{0x10594, 0x10595}, {0x10597, 0x105A1}, {0x105A3, 0x105B1},
+	{0x105B3, 0x105B9}, {0x105BB, 0x105BC}, {0x10600, 0x10736},
+	{0x10740, 0x10755}, {0x10760, 0x10767}, {0x10780, 0x10785},
+	{0x10787, 0x107B0}, {0x107B2, 0x107BA}, {0x10800, 0x10805},
+	{0x10808, 0x10808}, {0x1080A, 0x10835}, {0x10837, 0x10838},
+	{0x1083C, 0x1083C}, {0x1083F, 0x10855}, {0x10857, 0x1089E},
+	{0x108A7, 0x108AF}, {0x108E0, 0x108F2}, {0x108F4, 0x108F5},
+	{0x108FB, 0x1091B}, {0x1091F, 0x10939}, {0x1093F, 0x1093F},
+	{0x10980, 0x109B7}, {0x109BC, 0x109CF}, {0x109D2, 0x10A03},
+	{0x10A05, 0x10A06}, {0x10A0C, 0x10A13}, {0x10A15, 0x10A17},
+	{0x10A19, 0x10A35}, {0x10A38, 0x10A3A}, {0x10A3F, 0x10A48},
+	{0x10A50, 0x10A58}, {0x10A60, 0x10A9F}, {0x10AC0, 0x10AE6},
+	{0x10AEB, 0x10AF6}, {0x10B00, 0x10B35}, {0x10B39, 0x10B55},
+	{0x10B58, 0x10B72}, {0x10B78, 0x10B91}, {0x10B99, 0x10B9C},
+	{0x10BA9, 0x10BAF}, {0x10C00, 0x10C48}, {0x10C80, 0x10CB2},
+	{0x10CC0, 0x10CF2}, {0x10CFA, 0x10D27}, {0x10D30, 0x10D39},
+	{0x10E60, 0x10E7E}, {0x10E80, 0x10EA9}, {0x10EAB, 0x10EAD},
+	{0x10EB0, 0x10EB1}, {0x10EFD, 0x10F27}, {0x10F30, 0x10F59},
+	{0x10F70, 0x10F89}, {0x10FB0, 0x10FCB}, {0x10FE0, 0x10FF6},
+	{0x11000, 0x1104D}, {0x11052, 0x11075}, {0x1107F, 0x110C2},
+	{0x110CD, 0x110CD}, {0x110D0, 0x110E8}, {0x110F0, 0x110F9},
+	{0x11100, 0x11134}, {0x11136, 0x11147}, {0x11150, 0x11176},
+	{0x11180, 0x111DF}, {0x111E1, 0x111F4}, {0x11200, 0x11211},
+	{0x11213, 0x11241}, {0x11280, 0x11286}, {0x11288, 0x11288},
+	{0x1128A, 0x1128D}, {0x1128F, 0x1129D}, {0x1129F, 0x112A9},
+	{0x112B0, 0x112EA}, {0x112F0, 0x112F9}, {0x11300, 0x11303},
+	{0x11305, 0x1130C}, {0x1130F, 0x11310}, {0x11313, 0x11328},
+	{0x1132A, 0x11330}, {0x11332, 0x11333}, {0x11335, 0x11339},
+	{0x1133B, 0x11344}, {0x11347, 0x11348}, {0x1134B, 0x1134D},
+	{0x11350, 0x11350}, {0x11357, 0x11357}, {0x1135D, 0x11363},
+	{0x11366, 0x1136C}, {0x11370, 0x11374}, {0x11400, 0x1145B},
+	{0x1145D, 0x11461}, {0x11480, 0x114C7}, {0x114D0, 0x114D9},
+	{0x11580, 0x115B5}, {0x115B8, 0x115DD}, {0x11600, 0x11644},
+	{0x11650, 0x11659}, {0x11660, 0x1166C}, {0x11680, 0x116B9},
+	{0x116C0, 0x116C9}, {0x11700, 0x1171A}, {0x1171D, 0x1172B},
+	{0x11730, 0x11746}, {0x11800, 0x1183B}, {0x118A0, 0x118F2},
+	{0x118FF, 0x11906}, {0x11909, 0x11909}, {0x1190C, 0x11913},
+	{0x11915, 0x11916}, {0x11918, 0x11935}, {0x11937, 0x11938},
+	{0x1193B, 0x11946}, {0x11950, 0x11959}, {0x119A0, 0x119A7},
+	{0x119AA, 0x119D7}, {0x119DA, 0x119E4}, {0x11A00, 0x11A47},
+	{0x11A50, 0x11AA2}, {0x11AB0, 0x11AF8}, {0x11B00, 0x11B09},
 	{0x11C00, 0x11C08}, {0x11C0A, 0x11C36}, {0x11C38, 0x11C45},
 	{0x11C50, 0x11C6C}, {0x11C70, 0x11C8F}, {0x11C92, 0x11CA7},
 	{0x11CA9, 0x11CB6}, {0x11D00, 0x11D06}, {0x11D08, 0x11D09},
@@ -352,30 +357,36 @@ var neutral = table{
 	{0x11D3F, 0x11D47}, {0x11D50, 0x11D59}, {0x11D60, 0x11D65},
 	{0x11D67, 0x11D68}, {0x11D6A, 0x11D8E}, {0x11D90, 0x11D91},
 	{0x11D93, 0x11D98}, {0x11DA0, 0x11DA9}, {0x11EE0, 0x11EF8},
+	{0x11F00, 0x11F10}, {0x11F12, 0x11F3A}, {0x11F3E, 0x11F59},
 	{0x11FB0, 0x11FB0}, {0x11FC0, 0x11FF1}, {0x11FFF, 0x12399},
 	{0x12400, 0x1246E}, {0x12470, 0x12474}, {0x12480, 0x12543},
-	{0x13000, 0x1342E}, {0x13430, 0x13438}, {0x14400, 0x14646},
+	{0x12F90, 0x12FF2}, {0x13000, 0x13455}, {0x14400, 0x14646},
 	{0x16800, 0x16A38}, {0x16A40, 0x16A5E}, {0x16A60, 0x16A69},
-	{0x16A6E, 0x16A6F}, {0x16AD0, 0x16AED}, {0x16AF0, 0x16AF5},
-	{0x16B00, 0x16B45}, {0x16B50, 0x16B59}, {0x16B5B, 0x16B61},
-	{0x16B63, 0x16B77}, {0x16B7D, 0x16B8F}, {0x16E40, 0x16E9A},
-	{0x16F00, 0x16F4A}, {0x16F4F, 0x16F87}, {0x16F8F, 0x16F9F},
-	{0x1BC00, 0x1BC6A}, {0x1BC70, 0x1BC7C}, {0x1BC80, 0x1BC88},
-	{0x1BC90, 0x1BC99}, {0x1BC9C, 0x1BCA3}, {0x1D000, 0x1D0F5},
-	{0x1D100, 0x1D126}, {0x1D129, 0x1D1E8}, {0x1D200, 0x1D245},
-	{0x1D2E0, 0x1D2F3}, {0x1D300, 0x1D356}, {0x1D360, 0x1D378},
-	{0x1D400, 0x1D454}, {0x1D456, 0x1D49C}, {0x1D49E, 0x1D49F},
-	{0x1D4A2, 0x1D4A2}, {0x1D4A5, 0x1D4A6}, {0x1D4A9, 0x1D4AC},
-	{0x1D4AE, 0x1D4B9}, {0x1D4BB, 0x1D4BB}, {0x1D4BD, 0x1D4C3},
-	{0x1D4C5, 0x1D505}, {0x1D507, 0x1D50A}, {0x1D50D, 0x1D514},
-	{0x1D516, 0x1D51C}, {0x1D51E, 0x1D539}, {0x1D53B, 0x1D53E},
-	{0x1D540, 0x1D544}, {0x1D546, 0x1D546}, {0x1D54A, 0x1D550},
-	{0x1D552, 0x1D6A5}, {0x1D6A8, 0x1D7CB}, {0x1D7CE, 0x1DA8B},
-	{0x1DA9B, 0x1DA9F}, {0x1DAA1, 0x1DAAF}, {0x1E000, 0x1E006},
-	{0x1E008, 0x1E018}, {0x1E01B, 0x1E021}, {0x1E023, 0x1E024},
-	{0x1E026, 0x1E02A}, {0x1E100, 0x1E12C}, {0x1E130, 0x1E13D},
-	{0x1E140, 0x1E149}, {0x1E14E, 0x1E14F}, {0x1E2C0, 0x1E2F9},
-	{0x1E2FF, 0x1E2FF}, {0x1E800, 0x1E8C4}, {0x1E8C7, 0x1E8D6},
+	{0x16A6E, 0x16ABE}, {0x16AC0, 0x16AC9}, {0x16AD0, 0x16AED},
+	{0x16AF0, 0x16AF5}, {0x16B00, 0x16B45}, {0x16B50, 0x16B59},
+	{0x16B5B, 0x16B61}, {0x16B63, 0x16B77}, {0x16B7D, 0x16B8F},
+	{0x16E40, 0x16E9A}, {0x16F00, 0x16F4A}, {0x16F4F, 0x16F87},
+	{0x16F8F, 0x16F9F}, {0x1BC00, 0x1BC6A}, {0x1BC70, 0x1BC7C},
+	{0x1BC80, 0x1BC88}, {0x1BC90, 0x1BC99}, {0x1BC9C, 0x1BCA3},
+	{0x1CF00, 0x1CF2D}, {0x1CF30, 0x1CF46}, {0x1CF50, 0x1CFC3},
+	{0x1D000, 0x1D0F5}, {0x1D100, 0x1D126}, {0x1D129, 0x1D1EA},
+	{0x1D200, 0x1D245}, {0x1D2C0, 0x1D2D3}, {0x1D2E0, 0x1D2F3},
+	{0x1D300, 0x1D356}, {0x1D360, 0x1D378}, {0x1D400, 0x1D454},
+	{0x1D456, 0x1D49C}, {0x1D49E, 0x1D49F}, {0x1D4A2, 0x1D4A2},
+	{0x1D4A5, 0x1D4A6}, {0x1D4A9, 0x1D4AC}, {0x1D4AE, 0x1D4B9},
+	{0x1D4BB, 0x1D4BB}, {0x1D4BD, 0x1D4C3}, {0x1D4C5, 0x1D505},
+	{0x1D507, 0x1D50A}, {0x1D50D, 0x1D514}, {0x1D516, 0x1D51C},
+	{0x1D51E, 0x1D539}, {0x1D53B, 0x1D53E}, {0x1D540, 0x1D544},
+	{0x1D546, 0x1D546}, {0x1D54A, 0x1D550}, {0x1D552, 0x1D6A5},
+	{0x1D6A8, 0x1D7CB}, {0x1D7CE, 0x1DA8B}, {0x1DA9B, 0x1DA9F},
+	{0x1DAA1, 0x1DAAF}, {0x1DF00, 0x1DF1E}, {0x1DF25, 0x1DF2A},
+	{0x1E000, 0x1E006}, {0x1E008, 0x1E018}, {0x1E01B, 0x1E021},
+	{0x1E023, 0x1E024}, {0x1E026, 0x1E02A}, {0x1E030, 0x1E06D},
+	{0x1E08F, 0x1E08F}, {0x1E100, 0x1E12C}, {0x1E130, 0x1E13D},
+	{0x1E140, 0x1E149}, {0x1E14E, 0x1E14F}, {0x1E290, 0x1E2AE},
+	{0x1E2C0, 0x1E2F9}, {0x1E2FF, 0x1E2FF}, {0x1E4D0, 0x1E4F9},
+	{0x1E7E0, 0x1E7E6}, {0x1E7E8, 0x1E7EB}, {0x1E7ED, 0x1E7EE},
+	{0x1E7F0, 0x1E7FE}, {0x1E800, 0x1E8C4}, {0x1E8C7, 0x1E8D6},
 	{0x1E900, 0x1E94B}, {0x1E950, 0x1E959}, {0x1E95E, 0x1E95F},
 	{0x1EC71, 0x1ECB4}, {0x1ED01, 0x1ED3D}, {0x1EE00, 0x1EE03},
 	{0x1EE05, 0x1EE1F}, {0x1EE21, 0x1EE22}, {0x1EE24, 0x1EE24},
@@ -400,8 +411,8 @@ var neutral = table{
 	{0x1F54F, 0x1F54F}, {0x1F568, 0x1F579}, {0x1F57B, 0x1F594},
 	{0x1F597, 0x1F5A3}, {0x1F5A5, 0x1F5FA}, {0x1F650, 0x1F67F},
 	{0x1F6C6, 0x1F6CB}, {0x1F6CD, 0x1F6CF}, {0x1F6D3, 0x1F6D4},
-	{0x1F6E0, 0x1F6EA}, {0x1F6F0, 0x1F6F3}, {0x1F700, 0x1F773},
-	{0x1F780, 0x1F7D8}, {0x1F800, 0x1F80B}, {0x1F810, 0x1F847},
+	{0x1F6E0, 0x1F6EA}, {0x1F6F0, 0x1F6F3}, {0x1F700, 0x1F776},
+	{0x1F77B, 0x1F7D9}, {0x1F800, 0x1F80B}, {0x1F810, 0x1F847},
 	{0x1F850, 0x1F859}, {0x1F860, 0x1F887}, {0x1F890, 0x1F8AD},
 	{0x1F8B0, 0x1F8B1}, {0x1F900, 0x1F90B}, {0x1F93B, 0x1F93B},
 	{0x1F946, 0x1F946}, {0x1FA00, 0x1FA53}, {0x1FA60, 0x1FA6D},
diff --git a/vendor/github.com/nxadm/tail/.cirrus.yml b/vendor/github.com/nxadm/tail/.cirrus.yml
deleted file mode 100644
index 97e1b978e..000000000
--- a/vendor/github.com/nxadm/tail/.cirrus.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-task:
-  name: FreeBSD
-  freebsd_instance:
-      image_family: freebsd-12-2
-  install_script: pkg install -y go
-  script: |
-    go build
-    go test -v -race -timeout 2m ./...
diff --git a/vendor/github.com/nxadm/tail/.gitignore b/vendor/github.com/nxadm/tail/.gitignore
deleted file mode 100644
index 063e5a65a..000000000
--- a/vendor/github.com/nxadm/tail/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-.idea/
-examples/_*
diff --git a/vendor/github.com/nxadm/tail/CHANGES.md b/vendor/github.com/nxadm/tail/CHANGES.md
deleted file mode 100644
index e6c74d773..000000000
--- a/vendor/github.com/nxadm/tail/CHANGES.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# Version v1.4.11
-* Bump fsnotify to v1.6.0. Should fix some issues.
-
-# Version v1.4.9
-* Bump fsnotify to v1.5.1 fixes issue #28, hpcloud/tail#90.
-* PR #27: "Add timeout to tests"by @kokes++. Also timeout on FreeBSD.
-* PR #29: "Use temp directory for tests, instead of relative" by @ches++.
-
-# Version v1.4.7-v1.4.8
-* Documentation updates.
-* Small linter cleanups.
-* Added example in test.
-
-# Version v1.4.6
-
-* Document the usage of Cleanup when re-reading a file (thanks to @lesovsky) for issue #18.
-* Add example directories with example and tests for issues.
-
-# Version v1.4.4-v1.4.5
-
-* Fix of checksum problem because of forced tag. No changes to the code.
-
-# Version v1.4.1
-
-* Incorporated PR 162 by by Mohammed902: "Simplify non-Windows build tag".
-
-# Version v1.4.0
-
-* Incorporated PR 9 by mschneider82: "Added seekinfo to Tail".
-
-# Version v1.3.1
-
-* Incorporated PR 7: "Fix deadlock when stopping on non-empty file/buffer",
-fixes upstream issue 93.
-
-
-# Version v1.3.0
-
-* Incorporated changes of unmerged upstream PR 149 by mezzi: "added line num
-to Line struct".
-
-# Version v1.2.1
-
-* Incorporated changes of unmerged upstream PR 128 by jadekler: "Compile-able
-code in readme".
-* Incorporated changes of unmerged upstream PR 130 by fgeller: "small change
-to comment wording".
-* Incorporated changes of unmerged upstream PR 133 by sm3142: "removed
-spurious newlines from log messages".
-
-# Version v1.2.0
-
-* Incorporated changes of unmerged upstream PR 126 by Code-Hex: "Solved the
- problem for never return the last line if it's not followed by a newline".
-* Incorporated changes of unmerged upstream PR 131 by StoicPerlman: "Remove
-deprecated os.SEEK consts". The changes bumped the minimal supported Go
-release to 1.9.
-
-# Version v1.1.0
-
-* migration to go modules.
-* release of master branch of the dormant upstream, because it contains
-fixes and improvement no present in the tagged release.
-
diff --git a/vendor/github.com/nxadm/tail/CONTRIBUTING.md b/vendor/github.com/nxadm/tail/CONTRIBUTING.md
deleted file mode 100644
index 23c99ddde..000000000
--- a/vendor/github.com/nxadm/tail/CONTRIBUTING.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Contributing
-Comments (at Discussions), Issues and PRs are always welcome. In the case of issues,
-code examples make it easier to reproduce the problem. In the case of PRs add tests
-if applicable so we make sure nothing breaks for people using the library on different
-OSes.
diff --git a/vendor/github.com/nxadm/tail/Dockerfile b/vendor/github.com/nxadm/tail/Dockerfile
deleted file mode 100644
index d9633891c..000000000
--- a/vendor/github.com/nxadm/tail/Dockerfile
+++ /dev/null
@@ -1,19 +0,0 @@
-FROM golang
-
-RUN mkdir -p $GOPATH/src/github.com/nxadm/tail/
-ADD . $GOPATH/src/github.com/nxadm/tail/
-
-# expecting to fetch dependencies successfully.
-RUN go get -v github.com/nxadm/tail
-
-# expecting to run the test successfully.
-RUN go test -v github.com/nxadm/tail
-
-# expecting to install successfully
-RUN go install -v github.com/nxadm/tail
-RUN go install -v github.com/nxadm/tail/cmd/gotail
-
-RUN $GOPATH/bin/gotail -h || true
-
-ENV PATH $GOPATH/bin:$PATH
-CMD ["gotail"]
diff --git a/vendor/github.com/nxadm/tail/README.md b/vendor/github.com/nxadm/tail/README.md
deleted file mode 100644
index fca8901c0..000000000
--- a/vendor/github.com/nxadm/tail/README.md
+++ /dev/null
@@ -1,45 +0,0 @@
-[![Go Reference](https://pkg.go.dev/badge/github.com/nxadm/tail.svg)](https://pkg.go.dev/github.com/nxadm/tail#section-documentation)
-![ci](https://github.com/nxadm/tail/workflows/ci/badge.svg)
-[![FreeBSD](https://api.cirrus-ci.com/github/nxadm/tail.svg)](https://cirrus-ci.com/github/nxadm/tail)
-# tail functionality in Go
-
-nxadm/tail provides a Go library that emulates the features of the BSD `tail`
-program. The library comes with full support for truncation/move detection as
-it is designed to work with log rotation tools. The library works on all
-operating systems supported by Go, including POSIX systems like Linux, *BSD,
-MacOS, and MS Windows. Go 1.12 is the oldest compiler release supported.
-
-A simple example:
-
-```Go
-// Create a tail
-t, err := tail.TailFile(
-	"/var/log/nginx.log", tail.Config{Follow: true, ReOpen: true})
-if err != nil {
-    panic(err)
-}
-
-// Print the text of each received line
-for line := range t.Lines {
-    fmt.Println(line.Text)
-}
-```
-
-See [API documentation](https://pkg.go.dev/github.com/nxadm/tail#section-documentation).
-
-## Installing
-
-    go get github.com/nxadm/tail/...
-
-## History
-
-This project is an active, drop-in replacement for the
-[abandoned](https://en.wikipedia.org/wiki/HPE_Helion) Go tail library at
-[hpcloud](https://github.com/hpcloud/tail). Next to
-[addressing open issues/PRs of the original project](https://github.com/nxadm/tail/issues/6),
-nxadm/tail continues the development by keeping up to date with the Go toolchain
-(e.g. go modules) and dependencies, completing the documentation, adding features
-and fixing bugs.
-
-## Examples
-Examples, e.g. used to debug an issue, are kept in the [examples directory](/examples).
diff --git a/vendor/github.com/nxadm/tail/ratelimiter/Licence b/vendor/github.com/nxadm/tail/ratelimiter/Licence
deleted file mode 100644
index 434aab19f..000000000
--- a/vendor/github.com/nxadm/tail/ratelimiter/Licence
+++ /dev/null
@@ -1,7 +0,0 @@
-Copyright (C) 2013 99designs
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/nxadm/tail/ratelimiter/leakybucket.go b/vendor/github.com/nxadm/tail/ratelimiter/leakybucket.go
deleted file mode 100644
index 358b69e7f..000000000
--- a/vendor/github.com/nxadm/tail/ratelimiter/leakybucket.go
+++ /dev/null
@@ -1,97 +0,0 @@
-// Package ratelimiter implements the Leaky Bucket ratelimiting algorithm with memcached and in-memory backends.
-package ratelimiter
-
-import (
-	"time"
-)
-
-type LeakyBucket struct {
-	Size         uint16
-	Fill         float64
-	LeakInterval time.Duration // time.Duration for 1 unit of size to leak
-	Lastupdate   time.Time
-	Now          func() time.Time
-}
-
-func NewLeakyBucket(size uint16, leakInterval time.Duration) *LeakyBucket {
-	bucket := LeakyBucket{
-		Size:         size,
-		Fill:         0,
-		LeakInterval: leakInterval,
-		Now:          time.Now,
-		Lastupdate:   time.Now(),
-	}
-
-	return &bucket
-}
-
-func (b *LeakyBucket) updateFill() {
-	now := b.Now()
-	if b.Fill > 0 {
-		elapsed := now.Sub(b.Lastupdate)
-
-		b.Fill -= float64(elapsed) / float64(b.LeakInterval)
-		if b.Fill < 0 {
-			b.Fill = 0
-		}
-	}
-	b.Lastupdate = now
-}
-
-func (b *LeakyBucket) Pour(amount uint16) bool {
-	b.updateFill()
-
-	var newfill float64 = b.Fill + float64(amount)
-
-	if newfill > float64(b.Size) {
-		return false
-	}
-
-	b.Fill = newfill
-
-	return true
-}
-
-// The time at which this bucket will be completely drained
-func (b *LeakyBucket) DrainedAt() time.Time {
-	return b.Lastupdate.Add(time.Duration(b.Fill * float64(b.LeakInterval)))
-}
-
-// The duration until this bucket is completely drained
-func (b *LeakyBucket) TimeToDrain() time.Duration {
-	return b.DrainedAt().Sub(b.Now())
-}
-
-func (b *LeakyBucket) TimeSinceLastUpdate() time.Duration {
-	return b.Now().Sub(b.Lastupdate)
-}
-
-type LeakyBucketSer struct {
-	Size         uint16
-	Fill         float64
-	LeakInterval time.Duration // time.Duration for 1 unit of size to leak
-	Lastupdate   time.Time
-}
-
-func (b *LeakyBucket) Serialise() *LeakyBucketSer {
-	bucket := LeakyBucketSer{
-		Size:         b.Size,
-		Fill:         b.Fill,
-		LeakInterval: b.LeakInterval,
-		Lastupdate:   b.Lastupdate,
-	}
-
-	return &bucket
-}
-
-func (b *LeakyBucketSer) DeSerialise() *LeakyBucket {
-	bucket := LeakyBucket{
-		Size:         b.Size,
-		Fill:         b.Fill,
-		LeakInterval: b.LeakInterval,
-		Lastupdate:   b.Lastupdate,
-		Now:          time.Now,
-	}
-
-	return &bucket
-}
diff --git a/vendor/github.com/nxadm/tail/ratelimiter/memory.go b/vendor/github.com/nxadm/tail/ratelimiter/memory.go
deleted file mode 100644
index bf3c2131b..000000000
--- a/vendor/github.com/nxadm/tail/ratelimiter/memory.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package ratelimiter
-
-import (
-	"errors"
-	"time"
-)
-
-const (
-	GC_SIZE   int           = 100
-	GC_PERIOD time.Duration = 60 * time.Second
-)
-
-type Memory struct {
-	store           map[string]LeakyBucket
-	lastGCCollected time.Time
-}
-
-func NewMemory() *Memory {
-	m := new(Memory)
-	m.store = make(map[string]LeakyBucket)
-	m.lastGCCollected = time.Now()
-	return m
-}
-
-func (m *Memory) GetBucketFor(key string) (*LeakyBucket, error) {
-
-	bucket, ok := m.store[key]
-	if !ok {
-		return nil, errors.New("miss")
-	}
-
-	return &bucket, nil
-}
-
-func (m *Memory) SetBucketFor(key string, bucket LeakyBucket) error {
-
-	if len(m.store) > GC_SIZE {
-		m.GarbageCollect()
-	}
-
-	m.store[key] = bucket
-
-	return nil
-}
-
-func (m *Memory) GarbageCollect() {
-	now := time.Now()
-
-	// rate limit GC to once per minute
-	if now.Unix() >= m.lastGCCollected.Add(GC_PERIOD).Unix() {
-		for key, bucket := range m.store {
-			// if the bucket is drained, then GC
-			if bucket.DrainedAt().Unix() < now.Unix() {
-				delete(m.store, key)
-			}
-		}
-
-		m.lastGCCollected = now
-	}
-}
diff --git a/vendor/github.com/nxadm/tail/ratelimiter/storage.go b/vendor/github.com/nxadm/tail/ratelimiter/storage.go
deleted file mode 100644
index 89b2fe882..000000000
--- a/vendor/github.com/nxadm/tail/ratelimiter/storage.go
+++ /dev/null
@@ -1,6 +0,0 @@
-package ratelimiter
-
-type Storage interface {
-	GetBucketFor(string) (*LeakyBucket, error)
-	SetBucketFor(string, LeakyBucket) error
-}
diff --git a/vendor/github.com/nxadm/tail/tail_posix.go b/vendor/github.com/nxadm/tail/tail_posix.go
deleted file mode 100644
index 23e071dea..000000000
--- a/vendor/github.com/nxadm/tail/tail_posix.go
+++ /dev/null
@@ -1,17 +0,0 @@
-// Copyright (c) 2019 FOSS contributors of https://github.com/nxadm/tail
-// +build !windows
-
-package tail
-
-import (
-	"os"
-)
-
-// Deprecated: this function is only useful internally and, as such,
-// it will be removed from the API in a future major release.
-//
-// OpenFile proxies a os.Open call for a file so it can be correctly tailed
-// on POSIX and non-POSIX OSes like MS Windows.
-func OpenFile(name string) (file *os.File, err error) {
-	return os.Open(name)
-}
diff --git a/vendor/github.com/nxadm/tail/tail_windows.go b/vendor/github.com/nxadm/tail/tail_windows.go
deleted file mode 100644
index da0d2f39c..000000000
--- a/vendor/github.com/nxadm/tail/tail_windows.go
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright (c) 2019 FOSS contributors of https://github.com/nxadm/tail
-// +build windows
-
-package tail
-
-import (
-	"os"
-
-	"github.com/nxadm/tail/winfile"
-)
-
-// Deprecated: this function is only useful internally and, as such,
-// it will be removed from the API in a future major release.
-//
-// OpenFile proxies a os.Open call for a file so it can be correctly tailed
-// on POSIX and non-POSIX OSes like MS Windows.
-func OpenFile(name string) (file *os.File, err error) {
-	return winfile.OpenFile(name, os.O_RDONLY, 0)
-}
diff --git a/vendor/github.com/pelletier/go-toml/v2/.goreleaser.yaml b/vendor/github.com/pelletier/go-toml/v2/.goreleaser.yaml
index 1d8b69e65..ec52857a3 100644
--- a/vendor/github.com/pelletier/go-toml/v2/.goreleaser.yaml
+++ b/vendor/github.com/pelletier/go-toml/v2/.goreleaser.yaml
@@ -1,3 +1,4 @@
+version: 2
 before:
   hooks:
     - go mod tidy
diff --git a/vendor/github.com/pelletier/go-toml/v2/README.md b/vendor/github.com/pelletier/go-toml/v2/README.md
index d964b25fe..0755e5564 100644
--- a/vendor/github.com/pelletier/go-toml/v2/README.md
+++ b/vendor/github.com/pelletier/go-toml/v2/README.md
@@ -565,7 +565,7 @@ complete solutions exist out there.
 
 ## Versioning
 
-Expect for parts explicitely marked otherwise, go-toml follows [Semantic
+Expect for parts explicitly marked otherwise, go-toml follows [Semantic
 Versioning](https://semver.org). The supported version of
 [TOML](https://github.com/toml-lang/toml) is indicated at the beginning of this
 document. The last two major versions of Go are supported (see [Go Release
diff --git a/vendor/github.com/pelletier/go-toml/v2/marshaler.go b/vendor/github.com/pelletier/go-toml/v2/marshaler.go
index 7f4e20c12..161acd934 100644
--- a/vendor/github.com/pelletier/go-toml/v2/marshaler.go
+++ b/vendor/github.com/pelletier/go-toml/v2/marshaler.go
@@ -8,7 +8,7 @@ import (
 	"io"
 	"math"
 	"reflect"
-	"sort"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -280,7 +280,7 @@ func (enc *Encoder) encode(b []byte, ctx encoderCtx, v reflect.Value) ([]byte, e
 	}
 
 	hasTextMarshaler := v.Type().Implements(textMarshalerType)
-	if hasTextMarshaler || (v.CanAddr() && reflect.PtrTo(v.Type()).Implements(textMarshalerType)) {
+	if hasTextMarshaler || (v.CanAddr() && reflect.PointerTo(v.Type()).Implements(textMarshalerType)) {
 		if !hasTextMarshaler {
 			v = v.Addr()
 		}
@@ -631,6 +631,18 @@ func (enc *Encoder) keyToString(k reflect.Value) (string, error) {
 			return "", fmt.Errorf("toml: error marshalling key %v from text: %w", k, err)
 		}
 		return string(keyB), nil
+
+	case keyType.Kind() == reflect.Int || keyType.Kind() == reflect.Int8 || keyType.Kind() == reflect.Int16 || keyType.Kind() == reflect.Int32 || keyType.Kind() == reflect.Int64:
+		return strconv.FormatInt(k.Int(), 10), nil
+
+	case keyType.Kind() == reflect.Uint || keyType.Kind() == reflect.Uint8 || keyType.Kind() == reflect.Uint16 || keyType.Kind() == reflect.Uint32 || keyType.Kind() == reflect.Uint64:
+		return strconv.FormatUint(k.Uint(), 10), nil
+
+	case keyType.Kind() == reflect.Float32:
+		return strconv.FormatFloat(k.Float(), 'f', -1, 32), nil
+
+	case keyType.Kind() == reflect.Float64:
+		return strconv.FormatFloat(k.Float(), 'f', -1, 64), nil
 	}
 	return "", fmt.Errorf("toml: type %s is not supported as a map key", keyType.Kind())
 }
@@ -668,8 +680,8 @@ func (enc *Encoder) encodeMap(b []byte, ctx encoderCtx, v reflect.Value) ([]byte
 }
 
 func sortEntriesByKey(e []entry) {
-	sort.Slice(e, func(i, j int) bool {
-		return e[i].Key < e[j].Key
+	slices.SortFunc(e, func(a, b entry) int {
+		return strings.Compare(a.Key, b.Key)
 	})
 }
 
@@ -732,7 +744,7 @@ func walkStruct(ctx encoderCtx, t *table, v reflect.Value) {
 			if fieldType.Anonymous {
 				if fieldType.Type.Kind() == reflect.Struct {
 					walkStruct(ctx, t, f)
-				} else if fieldType.Type.Kind() == reflect.Pointer && !f.IsNil() && f.Elem().Kind() == reflect.Struct {
+				} else if fieldType.Type.Kind() == reflect.Ptr && !f.IsNil() && f.Elem().Kind() == reflect.Struct {
 					walkStruct(ctx, t, f.Elem())
 				}
 				continue
@@ -951,7 +963,7 @@ func willConvertToTable(ctx encoderCtx, v reflect.Value) bool {
 	if !v.IsValid() {
 		return false
 	}
-	if v.Type() == timeType || v.Type().Implements(textMarshalerType) || (v.Kind() != reflect.Ptr && v.CanAddr() && reflect.PtrTo(v.Type()).Implements(textMarshalerType)) {
+	if v.Type() == timeType || v.Type().Implements(textMarshalerType) || (v.Kind() != reflect.Ptr && v.CanAddr() && reflect.PointerTo(v.Type()).Implements(textMarshalerType)) {
 		return false
 	}
 
diff --git a/vendor/github.com/pelletier/go-toml/v2/unmarshaler.go b/vendor/github.com/pelletier/go-toml/v2/unmarshaler.go
index 98231bae6..c3df8bee1 100644
--- a/vendor/github.com/pelletier/go-toml/v2/unmarshaler.go
+++ b/vendor/github.com/pelletier/go-toml/v2/unmarshaler.go
@@ -5,9 +5,9 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math"
 	"reflect"
+	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -21,10 +21,8 @@ import (
 //
 // It is a shortcut for Decoder.Decode() with the default options.
 func Unmarshal(data []byte, v interface{}) error {
-	p := unstable.Parser{}
-	p.Reset(data)
-	d := decoder{p: &p}
-
+	d := decoder{}
+	d.p.Reset(data)
 	return d.FromParser(v)
 }
 
@@ -117,27 +115,25 @@ func (d *Decoder) EnableUnmarshalerInterface() *Decoder {
 //	Inline Table     -> same as Table
 //	Array of Tables  -> same as Array and Table
 func (d *Decoder) Decode(v interface{}) error {
-	b, err := ioutil.ReadAll(d.r)
+	b, err := io.ReadAll(d.r)
 	if err != nil {
 		return fmt.Errorf("toml: %w", err)
 	}
 
-	p := unstable.Parser{}
-	p.Reset(b)
 	dec := decoder{
-		p: &p,
 		strict: strict{
 			Enabled: d.strict,
 		},
 		unmarshalerInterface: d.unmarshalerInterface,
 	}
+	dec.p.Reset(b)
 
 	return dec.FromParser(v)
 }
 
 type decoder struct {
 	// Which parser instance in use for this decoding session.
-	p *unstable.Parser
+	p unstable.Parser
 
 	// Flag indicating that the current expression is stashed.
 	// If set to true, calling nextExpr will not actually pull a new expression
@@ -1078,12 +1074,39 @@ func (d *decoder) keyFromData(keyType reflect.Type, data []byte) (reflect.Value,
 		}
 		return mk, nil
 
-	case reflect.PtrTo(keyType).Implements(textUnmarshalerType):
+	case reflect.PointerTo(keyType).Implements(textUnmarshalerType):
 		mk := reflect.New(keyType)
 		if err := mk.Interface().(encoding.TextUnmarshaler).UnmarshalText(data); err != nil {
 			return reflect.Value{}, fmt.Errorf("toml: error unmarshalling key type %s from text: %w", stringType, err)
 		}
 		return mk.Elem(), nil
+
+	case keyType.Kind() == reflect.Int || keyType.Kind() == reflect.Int8 || keyType.Kind() == reflect.Int16 || keyType.Kind() == reflect.Int32 || keyType.Kind() == reflect.Int64:
+		key, err := strconv.ParseInt(string(data), 10, 64)
+		if err != nil {
+			return reflect.Value{}, fmt.Errorf("toml: error parsing key of type %s from integer: %w", stringType, err)
+		}
+		return reflect.ValueOf(key).Convert(keyType), nil
+	case keyType.Kind() == reflect.Uint || keyType.Kind() == reflect.Uint8 || keyType.Kind() == reflect.Uint16 || keyType.Kind() == reflect.Uint32 || keyType.Kind() == reflect.Uint64:
+		key, err := strconv.ParseUint(string(data), 10, 64)
+		if err != nil {
+			return reflect.Value{}, fmt.Errorf("toml: error parsing key of type %s from unsigned integer: %w", stringType, err)
+		}
+		return reflect.ValueOf(key).Convert(keyType), nil
+
+	case keyType.Kind() == reflect.Float32:
+		key, err := strconv.ParseFloat(string(data), 32)
+		if err != nil {
+			return reflect.Value{}, fmt.Errorf("toml: error parsing key of type %s from float: %w", stringType, err)
+		}
+		return reflect.ValueOf(float32(key)), nil
+
+	case keyType.Kind() == reflect.Float64:
+		key, err := strconv.ParseFloat(string(data), 64)
+		if err != nil {
+			return reflect.Value{}, fmt.Errorf("toml: error parsing key of type %s from float: %w", stringType, err)
+		}
+		return reflect.ValueOf(float64(key)), nil
 	}
 	return reflect.Value{}, fmt.Errorf("toml: cannot convert map key of type %s to expected type %s", stringType, keyType)
 }
diff --git a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm
index 99761296f..4230fba01 100644
--- a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm
+++ b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm
@@ -1,4 +1,4 @@
-FROM golang:1.20@sha256:2edf6aab2d57644f3fe7407132a0d1770846867465a39c2083770cf62734b05d
+FROM golang:1.23@sha256:51a6466e8dbf3e00e422eb0f7a97ac450b2d57b33617bbe8d2ee0bddcd9d0d37
 
 ENV GOOS=linux
 ENV GOARCH=arm
@@ -10,7 +10,6 @@ ENV PKG_CONFIG_PATH=/usr/lib/arm-linux-gnueabihf/pkgconfig
 RUN dpkg --add-architecture armhf \
     && apt update \
     && apt install -y --no-install-recommends \
-        upx \
         gcc-arm-linux-gnueabihf \
         libc6-dev-armhf-cross \
         pkg-config \
diff --git a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64 b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64
index 66bd09474..59928252a 100644
--- a/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64
+++ b/vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64
@@ -1,4 +1,4 @@
-FROM golang:1.20@sha256:2edf6aab2d57644f3fe7407132a0d1770846867465a39c2083770cf62734b05d
+FROM golang:1.23@sha256:51a6466e8dbf3e00e422eb0f7a97ac450b2d57b33617bbe8d2ee0bddcd9d0d37
 
 ENV GOOS=linux
 ENV GOARCH=arm64
diff --git a/vendor/github.com/pjbgf/sha1cd/LICENSE b/vendor/github.com/pjbgf/sha1cd/LICENSE
index 261eeb9e9..c8ff622ff 100644
--- a/vendor/github.com/pjbgf/sha1cd/LICENSE
+++ b/vendor/github.com/pjbgf/sha1cd/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2023 pjbgf
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/vendor/github.com/pjbgf/sha1cd/Makefile b/vendor/github.com/pjbgf/sha1cd/Makefile
index b24f2cbad..278a109d8 100644
--- a/vendor/github.com/pjbgf/sha1cd/Makefile
+++ b/vendor/github.com/pjbgf/sha1cd/Makefile
@@ -32,8 +32,7 @@ build-nocgo:
 cross-build: build-arm build-arm64 build-nocgo
 
 generate:
-	go run sha1cdblock_amd64_asm.go -out sha1cdblock_amd64.s
-	sed -i 's;&\samd64;&\n// +build !noasm,gc,amd64;g' sha1cdblock_amd64.s
+	go generate -x ./...
 
 verify: generate
 	git diff --exit-code
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cd.go b/vendor/github.com/pjbgf/sha1cd/sha1cd.go
index a69e480ee..509569f66 100644
--- a/vendor/github.com/pjbgf/sha1cd/sha1cd.go
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cd.go
@@ -20,6 +20,8 @@ import (
 	shared "github.com/pjbgf/sha1cd/internal"
 )
 
+//go:generate go run -C asm . -out ../sha1cdblock_amd64.s -pkg $GOPACKAGE
+
 func init() {
 	crypto.RegisterHash(crypto.SHA1, New)
 }
diff --git a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s
index 86f9821ca..e5e213a52 100644
--- a/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s
+++ b/vendor/github.com/pjbgf/sha1cd/sha1cdblock_amd64.s
@@ -1,7 +1,6 @@
-// Code generated by command: go run sha1cdblock_amd64_asm.go -out sha1cdblock_amd64.s. DO NOT EDIT.
+// Code generated by command: go run asm.go -out ../sha1cdblock_amd64.s -pkg sha1cd. DO NOT EDIT.
 
 //go:build !noasm && gc && amd64
-// +build !noasm,gc,amd64
 
 #include "textflag.h"
 
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/doc.go b/vendor/github.com/pjbgf/sha1cd/ubc/ubc.go
similarity index 68%
rename from vendor/github.com/pjbgf/sha1cd/ubc/doc.go
rename to vendor/github.com/pjbgf/sha1cd/ubc/ubc.go
index 0090e36b9..b0b4d76e3 100644
--- a/vendor/github.com/pjbgf/sha1cd/ubc/doc.go
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc.go
@@ -1,3 +1,5 @@
 // ubc package provides ways for SHA1 blocks to be checked for
 // Unavoidable Bit Conditions that arise from crypto analysis attacks.
 package ubc
+
+//go:generate go run -C asm . -out ../ubc_amd64.s -pkg $GOPACKAGE
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go
new file mode 100644
index 000000000..09159bb5b
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.go
@@ -0,0 +1,14 @@
+//go:build !noasm && gc && amd64
+// +build !noasm,gc,amd64
+
+package ubc
+
+func CalculateDvMaskAMD64(W [80]uint32) uint32
+
+// Check takes as input an expanded message block and verifies the unavoidable bitconditions
+// for all listed DVs. It returns a dvmask where each bit belonging to a DV is set if all
+// unavoidable bitconditions for that DV have been met.
+// Thus, one needs to do the recompression check for each DV that has its bit set.
+func CalculateDvMask(W [80]uint32) uint32 {
+	return CalculateDvMaskAMD64(W)
+}
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s
new file mode 100644
index 000000000..c77ea77ec
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_amd64.s
@@ -0,0 +1,1897 @@
+// Code generated by command: go run asm.go -out ../ubc_amd64.s -pkg ubc. DO NOT EDIT.
+
+//go:build !noasm && gc && amd64
+
+#include "textflag.h"
+
+// func CalculateDvMaskAMD64(W [80]uint32) uint32
+TEXT ·CalculateDvMaskAMD64(SB), NOSPLIT, $0-324
+	MOVL $0xffffffff, AX
+
+	// (((((W[44] ^ W[45]) >> 29) & 1) - 1) | ^(DV_I_48_0_bit | DV_I_51_0_bit | DV_I_52_0_bit | DV_II_45_0_bit | DV_II_46_0_bit | DV_II_50_0_bit | DV_II_51_0_bit))
+	MOVL W_44+176(FP), CX
+	MOVL W_45+180(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xfd7c5f7f, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[49] ^ W[50]) >> 29) & 1) - 1) | ^(DV_I_46_0_bit | DV_II_45_0_bit | DV_II_50_0_bit | DV_II_51_0_bit | DV_II_55_0_bit | DV_II_56_0_bit))
+	MOVL W_49+196(FP), CX
+	MOVL W_50+200(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0x3d7efff7, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[48] ^ W[49]) >> 29) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_52_0_bit | DV_II_49_0_bit | DV_II_50_0_bit | DV_II_54_0_bit | DV_II_55_0_bit))
+	MOVL W_48+192(FP), CX
+	MOVL W_49+196(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0x9f5f7ffb, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[47] ^ (W[50] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_51_0_bit | DV_II_56_0_bit))
+	MOVL W_47+188(FP), CX
+	MOVL W_50+200(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	SUBL $0x00000010, CX
+	ORL  $0x7dfedddf, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[47] ^ W[48]) >> 29) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_51_0_bit | DV_II_48_0_bit | DV_II_49_0_bit | DV_II_53_0_bit | DV_II_54_0_bit))
+	MOVL W_47+188(FP), CX
+	MOVL W_48+192(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xcfcfdffd, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[46] >> 4) ^ (W[49] >> 29)) & 1) - 1) | ^(DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit | DV_II_50_0_bit | DV_II_55_0_bit))
+	MOVL W_46+184(FP), CX
+	SHRL $0x04, CX
+	MOVL W_49+196(FP), DX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xbf7f7777, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[46] ^ W[47]) >> 29) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_50_0_bit | DV_II_47_0_bit | DV_II_48_0_bit | DV_II_52_0_bit | DV_II_53_0_bit))
+	MOVL W_46+184(FP), CX
+	MOVL W_47+188(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xe7e7f7fe, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[45] >> 4) ^ (W[48] >> 29)) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit | DV_II_49_0_bit | DV_II_54_0_bit))
+	MOVL W_45+180(FP), CX
+	SHRL $0x04, CX
+	MOVL W_48+192(FP), DX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xdfdfdddb, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[45] ^ W[46]) >> 29) & 1) - 1) | ^(DV_I_49_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_47_0_bit | DV_II_51_0_bit | DV_II_52_0_bit))
+	MOVL W_45+180(FP), CX
+	MOVL W_46+184(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xf5f57dff, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[44] >> 4) ^ (W[47] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit | DV_II_48_0_bit | DV_II_53_0_bit))
+	MOVL W_44+176(FP), CX
+	SHRL $0x04, CX
+	MOVL W_47+188(FP), DX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xefeff775, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[43] >> 4) ^ (W[46] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit | DV_II_47_0_bit | DV_II_52_0_bit))
+	MOVL W_43+172(FP), CX
+	SHRL $0x04, CX
+	MOVL W_46+184(FP), DX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xf7f7fdda, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[43] ^ W[44]) >> 29) & 1) - 1) | ^(DV_I_47_0_bit | DV_I_50_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_49_0_bit | DV_II_50_0_bit))
+	MOVL W_43+172(FP), CX
+	MOVL W_44+176(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xff5ed7df, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[42] >> 4) ^ (W[45] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_51_0_bit))
+	MOVL W_42+168(FP), CX
+	SHRL $0x04, CX
+	MOVL W_45+180(FP), DX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xfdfd7f75, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[41] >> 4) ^ (W[44] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_50_0_bit))
+	MOVL W_41+164(FP), CX
+	SHRL $0x04, CX
+	MOVL W_44+176(FP), DX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xff7edfda, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[40] ^ W[41]) >> 29) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_47_0_bit | DV_I_48_0_bit | DV_II_46_0_bit | DV_II_47_0_bit | DV_II_56_0_bit))
+	MOVL W_40+160(FP), CX
+	MOVL W_41+164(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0x7ff5ff5d, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[54] ^ W[55]) >> 29) & 1) - 1) | ^(DV_I_51_0_bit | DV_II_47_0_bit | DV_II_50_0_bit | DV_II_55_0_bit | DV_II_56_0_bit))
+	MOVL W_54+216(FP), CX
+	MOVL W_55+220(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0x3f77dfff, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[53] ^ W[54]) >> 29) & 1) - 1) | ^(DV_I_50_0_bit | DV_II_46_0_bit | DV_II_49_0_bit | DV_II_54_0_bit | DV_II_55_0_bit))
+	MOVL W_53+212(FP), CX
+	MOVL W_54+216(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0x9fddf7ff, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[52] ^ W[53]) >> 29) & 1) - 1) | ^(DV_I_49_0_bit | DV_II_45_0_bit | DV_II_48_0_bit | DV_II_53_0_bit | DV_II_54_0_bit))
+	MOVL W_52+208(FP), CX
+	MOVL W_53+212(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xcfeefdff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[50] ^ (W[53] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_50_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_48_0_bit | DV_II_54_0_bit))
+	MOVL W_50+200(FP), CX
+	MOVL W_53+212(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	SUBL $0x00000010, CX
+	ORL  $0xdfed77ff, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[50] ^ W[51]) >> 29) & 1) - 1) | ^(DV_I_47_0_bit | DV_II_46_0_bit | DV_II_51_0_bit | DV_II_52_0_bit | DV_II_56_0_bit))
+	MOVL W_50+200(FP), CX
+	MOVL W_51+204(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0x75fdffdf, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[49] ^ (W[52] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit | DV_II_47_0_bit | DV_II_53_0_bit))
+	MOVL W_49+196(FP), CX
+	MOVL W_52+208(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	SUBL $0x00000010, CX
+	ORL  $0xeff6ddff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[48] ^ (W[51] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit | DV_II_46_0_bit | DV_II_52_0_bit))
+	MOVL W_48+192(FP), CX
+	MOVL W_51+204(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	SUBL $0x00000010, CX
+	ORL  $0xf7fd777f, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[42] ^ W[43]) >> 29) & 1) - 1) | ^(DV_I_46_0_bit | DV_I_49_0_bit | DV_I_50_0_bit | DV_II_48_0_bit | DV_II_49_0_bit))
+	MOVL W_42+168(FP), CX
+	MOVL W_43+172(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xffcff5f7, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[41] ^ W[42]) >> 29) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_48_0_bit | DV_I_49_0_bit | DV_II_47_0_bit | DV_II_48_0_bit))
+	MOVL W_41+164(FP), CX
+	MOVL W_42+168(FP), DX
+	XORL DX, CX
+	SHRL $0x1d, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xffe7fd7b, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[40] >> 4) ^ (W[43] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_50_0_bit | DV_II_49_0_bit | DV_II_56_0_bit))
+	MOVL W_40+160(FP), CX
+	MOVL W_43+172(FP), DX
+	SHRL $0x04, CX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0x7fdff7f5, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[39] >> 4) ^ (W[42] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_49_0_bit | DV_II_48_0_bit | DV_II_55_0_bit))
+	MOVL W_39+156(FP), CX
+	MOVL W_42+168(FP), DX
+	SHRL $0x04, CX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xbfeffdfa, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_44_0_bit | DV_I_48_0_bit | DV_II_47_0_bit | DV_II_54_0_bit | DV_II_56_0_bit)) != 0 {
+	//   mask &= (((((W[38] >> 4) ^ (W[41] >> 29)) & 1) - 1) | ^(DV_I_44_0_bit | DV_I_48_0_bit | DV_II_47_0_bit | DV_II_54_0_bit | DV_II_56_0_bit))
+	// }
+	TESTL $0xa0080082, AX
+	JE    f1
+	MOVL  W_38+152(FP), CX
+	MOVL  W_41+164(FP), DX
+	SHRL  $0x04, CX
+	SHRL  $0x1d, DX
+	XORL  DX, CX
+	ANDL  $0x00000001, CX
+	DECL  CX
+	ORL   $0x5ff7ff7d, CX
+	ANDL  CX, AX
+
+f1:
+	// mask &= (((((W[37] >> 4) ^ (W[40] >> 29)) & 1) - 1) | ^(DV_I_43_0_bit | DV_I_47_0_bit | DV_II_46_0_bit | DV_II_53_0_bit | DV_II_55_0_bit))
+	MOVL W_37+148(FP), CX
+	MOVL W_40+160(FP), DX
+	SHRL $0x04, CX
+	SHRL $0x1d, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xaffdffde, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_52_0_bit | DV_II_48_0_bit | DV_II_51_0_bit | DV_II_56_0_bit)) != 0 {
+	//   mask &= (((((W[55] ^ W[56]) >> 29) & 1) - 1) | ^(DV_I_52_0_bit | DV_II_48_0_bit | DV_II_51_0_bit | DV_II_56_0_bit))
+	// }
+	TESTL $0x82108000, AX
+	JE    f2
+	MOVL  W_55+220(FP), CX
+	MOVL  W_56+224(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	DECL  CX
+	ORL   $0x7def7fff, CX
+	ANDL  CX, AX
+
+f2:
+	// if (mask & (DV_I_52_0_bit | DV_II_48_0_bit | DV_II_50_0_bit | DV_II_56_0_bit)) != 0 {
+	//   mask &= ((((W[52] ^ (W[55] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_52_0_bit | DV_II_48_0_bit | DV_II_50_0_bit | DV_II_56_0_bit))
+	// }
+	TESTL $0x80908000, AX
+	JE    f3
+	MOVL  W_52+208(FP), CX
+	MOVL  W_55+220(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0x7f6f7fff, CX
+	ANDL  CX, AX
+
+f3:
+	// if (mask & (DV_I_51_0_bit | DV_II_47_0_bit | DV_II_49_0_bit | DV_II_55_0_bit)) != 0 {
+	//   mask &= ((((W[51] ^ (W[54] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_51_0_bit | DV_II_47_0_bit | DV_II_49_0_bit | DV_II_55_0_bit))
+	// }
+	TESTL $0x40282000, AX
+	JE    f4
+	MOVL  W_51+204(FP), CX
+	MOVL  W_54+216(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xbfd7dfff, CX
+	ANDL  CX, AX
+
+f4:
+	// if (mask & (DV_I_48_0_bit | DV_II_47_0_bit | DV_II_52_0_bit | DV_II_53_0_bit)) != 0 {
+	//   mask &= (((((W[51] ^ W[52]) >> 29) & 1) - 1) | ^(DV_I_48_0_bit | DV_II_47_0_bit | DV_II_52_0_bit | DV_II_53_0_bit))
+	// }
+	TESTL $0x18080080, AX
+	JE    f5
+	MOVL  W_51+204(FP), CX
+	MOVL  W_52+208(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	DECL  CX
+	ORL   $0xe7f7ff7f, CX
+	ANDL  CX, AX
+
+f5:
+	// if (mask & (DV_I_46_0_bit | DV_I_49_0_bit | DV_II_45_0_bit | DV_II_48_0_bit)) != 0 {
+	//   mask &= (((((W[36] >> 4) ^ (W[40] >> 29)) & 1) - 1) | ^(DV_I_46_0_bit | DV_I_49_0_bit | DV_II_45_0_bit | DV_II_48_0_bit))
+	// }
+	TESTL $0x00110208, AX
+	JE    f6
+	MOVL  W_36+144(FP), CX
+	SHRL  $0x04, CX
+	MOVL  W_40+160(FP), DX
+	SHRL  $0x1d, DX
+	XORL  DX, CX
+	ANDL  $0x00000001, CX
+	DECL  CX
+	ORL   $0xffeefdf7, CX
+	ANDL  CX, AX
+
+f6:
+	// if (mask & (DV_I_52_0_bit | DV_II_48_0_bit | DV_II_49_0_bit)) != 0 {
+	//   mask &= ((0 - (((W[53] ^ W[56]) >> 29) & 1)) | ^(DV_I_52_0_bit | DV_II_48_0_bit | DV_II_49_0_bit))
+	// }
+	TESTL $0x00308000, AX
+	JE    f7
+	MOVL  W_53+212(FP), CX
+	MOVL  W_56+224(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xffcf7fff, CX
+	ANDL  CX, AX
+
+f7:
+	// if (mask & (DV_I_50_0_bit | DV_II_46_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[51] ^ W[54]) >> 29) & 1)) | ^(DV_I_50_0_bit | DV_II_46_0_bit | DV_II_47_0_bit))
+	// }
+	TESTL $0x000a0800, AX
+	JE    f8
+	MOVL  W_51+204(FP), CX
+	MOVL  W_54+216(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xfff5f7ff, CX
+	ANDL  CX, AX
+
+f8:
+	// if (mask & (DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[50] ^ W[52]) >> 29) & 1)) | ^(DV_I_49_0_bit | DV_I_51_0_bit | DV_II_45_0_bit))
+	// }
+	TESTL $0x00012200, AX
+	JE    f9
+	MOVL  W_50+200(FP), CX
+	MOVL  W_52+208(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xfffeddff, CX
+	ANDL  CX, AX
+
+f9:
+	// if (mask & (DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[49] ^ W[51]) >> 29) & 1)) | ^(DV_I_48_0_bit | DV_I_50_0_bit | DV_I_52_0_bit))
+	// }
+	TESTL $0x00008880, AX
+	JE    f10
+	MOVL  W_49+196(FP), CX
+	MOVL  W_51+204(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xffff777f, CX
+	ANDL  CX, AX
+
+f10:
+	// if (mask & (DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[48] ^ W[50]) >> 29) & 1)) | ^(DV_I_47_0_bit | DV_I_49_0_bit | DV_I_51_0_bit))
+	// }
+	TESTL $0x00002220, AX
+	JE    f11
+	MOVL  W_48+192(FP), CX
+	MOVL  W_50+200(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xffffdddf, CX
+	ANDL  CX, AX
+
+f11:
+	// if (mask & (DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[47] ^ W[49]) >> 29) & 1)) | ^(DV_I_46_0_bit | DV_I_48_0_bit | DV_I_50_0_bit))
+	// }
+	TESTL $0x00000888, AX
+	JE    f12
+	MOVL  W_47+188(FP), CX
+	MOVL  W_49+196(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xfffff777, CX
+	ANDL  CX, AX
+
+f12:
+	// if (mask & (DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[46] ^ W[48]) >> 29) & 1)) | ^(DV_I_45_0_bit | DV_I_47_0_bit | DV_I_49_0_bit))
+	// }
+	TESTL $0x00000224, AX
+	JE    f13
+	MOVL  W_46+184(FP), CX
+	MOVL  W_48+192(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xfffffddb, CX
+	ANDL  CX, AX
+
+f13:
+	// mask &= ((((W[45] ^ W[47]) & (1 << 6)) - (1 << 6)) | ^(DV_I_47_2_bit | DV_I_49_2_bit | DV_I_51_2_bit))
+	MOVL W_45+180(FP), CX
+	MOVL W_47+188(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	SUBL $0x00000040, CX
+	ORL  $0xffffbbbf, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[45] ^ W[47]) >> 29) & 1)) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_I_48_0_bit))
+	// }
+	TESTL $0x0000008a, AX
+	JE    f14
+	MOVL  W_45+180(FP), CX
+	MOVL  W_47+188(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xffffff75, CX
+	ANDL  CX, AX
+
+f14:
+	// mask &= (((((W[44] ^ W[46]) >> 6) & 1) - 1) | ^(DV_I_46_2_bit | DV_I_48_2_bit | DV_I_50_2_bit))
+	MOVL W_44+176(FP), CX
+	MOVL W_46+184(FP), DX
+	XORL DX, CX
+	SHRL $0x06, CX
+	ANDL $0x00000001, CX
+	DECL CX
+	ORL  $0xffffeeef, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[44] ^ W[46]) >> 29) & 1)) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_I_47_0_bit))
+	// }
+	TESTL $0x00000025, AX
+	JE    f15
+	MOVL  W_44+176(FP), CX
+	MOVL  W_46+184(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xffffffda, CX
+	ANDL  CX, AX
+
+f15:
+	// mask &= ((0 - ((W[41] ^ (W[42] >> 5)) & (1 << 1))) | ^(DV_I_48_2_bit | DV_II_46_2_bit | DV_II_51_2_bit))
+	MOVL W_41+164(FP), CX
+	MOVL W_42+168(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	ORL  $0xfbfbfeff, CX
+	ANDL CX, AX
+
+	// mask &= ((0 - ((W[40] ^ (W[41] >> 5)) & (1 << 1))) | ^(DV_I_47_2_bit | DV_I_51_2_bit | DV_II_50_2_bit))
+	MOVL W_40+160(FP), CX
+	MOVL W_41+164(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	ORL  $0xfeffbfbf, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_44_0_bit | DV_I_46_0_bit | DV_II_56_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[40] ^ W[42]) >> 4) & 1)) | ^(DV_I_44_0_bit | DV_I_46_0_bit | DV_II_56_0_bit))
+	// }
+	TESTL $0x8000000a, AX
+	JE    f16
+	MOVL  W_40+160(FP), CX
+	MOVL  W_42+168(FP), DX
+	XORL  DX, CX
+	SHRL  $0x04, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0x7ffffff5, CX
+	ANDL  CX, AX
+
+f16:
+	// mask &= ((0 - ((W[39] ^ (W[40] >> 5)) & (1 << 1))) | ^(DV_I_46_2_bit | DV_I_50_2_bit | DV_II_49_2_bit))
+	MOVL W_39+156(FP), CX
+	MOVL W_40+160(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	ORL  $0xffbfefef, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_43_0_bit | DV_I_45_0_bit | DV_II_55_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[39] ^ W[41]) >> 4) & 1)) | ^(DV_I_43_0_bit | DV_I_45_0_bit | DV_II_55_0_bit))
+	// }
+	TESTL $0x40000005, AX
+	JE    f17
+	MOVL  W_39+156(FP), CX
+	MOVL  W_41+164(FP), DX
+	XORL  DX, CX
+	SHRL  $0x04, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xbffffffa, CX
+	ANDL  CX, AX
+
+f17:
+	// if (mask & (DV_I_44_0_bit | DV_II_54_0_bit | DV_II_56_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[38] ^ W[40]) >> 4) & 1)) | ^(DV_I_44_0_bit | DV_II_54_0_bit | DV_II_56_0_bit))
+	// }
+	TESTL $0xa0000002, AX
+	JE    f18
+	MOVL  W_38+152(FP), CX
+	MOVL  W_40+160(FP), DX
+	XORL  DX, CX
+	SHRL  $0x04, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0x5ffffffd, CX
+	ANDL  CX, AX
+
+f18:
+	// if (mask & (DV_I_43_0_bit | DV_II_53_0_bit | DV_II_55_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[37] ^ W[39]) >> 4) & 1)) | ^(DV_I_43_0_bit | DV_II_53_0_bit | DV_II_55_0_bit))
+	// }
+	TESTL $0x50000001, AX
+	JE    f19
+	MOVL  W_37+148(FP), CX
+	MOVL  W_39+156(FP), DX
+	XORL  DX, CX
+	SHRL  $0x04, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xaffffffe, CX
+	ANDL  CX, AX
+
+f19:
+	// mask &= ((0 - ((W[36] ^ (W[37] >> 5)) & (1 << 1))) | ^(DV_I_47_2_bit | DV_I_50_2_bit | DV_II_46_2_bit))
+	MOVL W_36+144(FP), CX
+	MOVL W_37+148(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	ORL  $0xfffbefbf, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_45_0_bit | DV_I_48_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= (((((W[35] >> 4) ^ (W[39] >> 29)) & 1) - 1) | ^(DV_I_45_0_bit | DV_I_48_0_bit | DV_II_47_0_bit))
+	// }
+	TESTL $0x00080084, AX
+	JE    f20
+	MOVL  W_35+140(FP), CX
+	MOVL  W_39+156(FP), DX
+	SHRL  $0x04, CX
+	SHRL  $0x1d, DX
+	XORL  DX, CX
+	ANDL  $0x00000001, CX
+	SUBL  $0x00000001, CX
+	ORL   $0xfff7ff7b, CX
+	ANDL  CX, AX
+
+f20:
+	// if (mask & (DV_I_48_0_bit | DV_II_48_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[63] ^ (W[64] >> 5)) & (1 << 0))) | ^(DV_I_48_0_bit | DV_II_48_0_bit))
+	// }
+	TESTL $0x00100080, AX
+	JE    f21
+	MOVL  W_63+252(FP), CX
+	MOVL  W_64+256(FP), DX
+	SHRL  $0x05, DX
+	XORL  DX, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xffefff7f, CX
+	ANDL  CX, AX
+
+f21:
+	// if (mask & (DV_I_45_0_bit | DV_II_45_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[63] ^ (W[64] >> 5)) & (1 << 1))) | ^(DV_I_45_0_bit | DV_II_45_0_bit))
+	// }
+	TESTL $0x00010004, AX
+	JE    f22
+	MOVL  W_63+252(FP), CX
+	MOVL  W_64+256(FP), DX
+	SHRL  $0x05, DX
+	XORL  DX, CX
+	ANDL  $0x00000002, CX
+	NEGL  CX
+	ORL   $0xfffefffb, CX
+	ANDL  CX, AX
+
+f22:
+	// if (mask & (DV_I_47_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[62] ^ (W[63] >> 5)) & (1 << 0))) | ^(DV_I_47_0_bit | DV_II_47_0_bit))
+	// }
+	TESTL $0x00080020, AX
+	JE    f23
+	MOVL  W_62+248(FP), CX
+	MOVL  W_63+252(FP), DX
+	SHRL  $0x05, DX
+	XORL  DX, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xfff7ffdf, CX
+	ANDL  CX, AX
+
+f23:
+	// if (mask & (DV_I_46_0_bit | DV_II_46_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[61] ^ (W[62] >> 5)) & (1 << 0))) | ^(DV_I_46_0_bit | DV_II_46_0_bit))
+	// }
+	TESTL $0x00020008, AX
+	JE    f24
+	MOVL  W_61+244(FP), CX
+	MOVL  W_62+248(FP), DX
+	SHRL  $0x05, DX
+	XORL  DX, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xfffdfff7, CX
+	ANDL  CX, AX
+
+f24:
+	// mask &= ((0 - ((W[61] ^ (W[62] >> 5)) & (1 << 2))) | ^(DV_I_46_2_bit | DV_II_46_2_bit))
+	MOVL W_61+244(FP), CX
+	MOVL W_62+248(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000004, CX
+	NEGL CX
+	ORL  $0xfffbffef, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_45_0_bit | DV_II_45_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[60] ^ (W[61] >> 5)) & (1 << 0))) | ^(DV_I_45_0_bit | DV_II_45_0_bit))
+	// }
+	TESTL $0x00010004, AX
+	JE    f25
+	MOVL  W_60+240(FP), CX
+	MOVL  W_61+244(FP), DX
+	SHRL  $0x05, DX
+	XORL  DX, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xfffefffb, CX
+	ANDL  CX, AX
+
+f25:
+	// if (mask & (DV_II_51_0_bit | DV_II_54_0_bit)) != 0 {
+	// 	mask &= (((((W[58] ^ W[59]) >> 29) & 1) - 1) | ^(DV_II_51_0_bit | DV_II_54_0_bit))
+	// }
+	TESTL $0x22000000, AX
+	JE    f26
+	MOVL  W_58+232(FP), CX
+	MOVL  W_59+236(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	SUBL  $0x00000001, CX
+	ORL   $0xddffffff, CX
+	ANDL  CX, AX
+
+f26:
+	// if (mask & (DV_II_50_0_bit | DV_II_53_0_bit)) != 0 {
+	// 	mask &= (((((W[57] ^ W[58]) >> 29) & 1) - 1) | ^(DV_II_50_0_bit | DV_II_53_0_bit))
+	// }
+	TESTL $0x10800000, AX
+	JE    f27
+	MOVL  W_57+228(FP), CX
+	MOVL  W_58+232(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	SUBL  $0x00000001, CX
+	ORL   $0xef7fffff, CX
+	ANDL  CX, AX
+
+f27:
+	// if (mask & (DV_II_52_0_bit | DV_II_54_0_bit)) != 0 {
+	// 	mask &= ((((W[56] ^ (W[59] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_52_0_bit | DV_II_54_0_bit))
+	// }
+	TESTL $0x28000000, AX
+	JE    f28
+	MOVL  W_56+224(FP), CX
+	MOVL  W_59+236(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xd7ffffff, CX
+	ANDL  CX, AX
+
+f28:
+	// if (mask & (DV_II_51_0_bit | DV_II_52_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[56] ^ W[59]) >> 29) & 1)) | ^(DV_II_51_0_bit | DV_II_52_0_bit))
+	// }
+	TESTL $0x0a000000, AX
+	JE    f29
+	MOVL  W_56+224(FP), CX
+	MOVL  W_59+236(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xf5ffffff, CX
+	ANDL  CX, AX
+
+f29:
+	// if (mask & (DV_II_49_0_bit | DV_II_52_0_bit)) != 0 {
+	// 	mask &= (((((W[56] ^ W[57]) >> 29) & 1) - 1) | ^(DV_II_49_0_bit | DV_II_52_0_bit))
+	// }
+	TESTL $0x08200000, AX
+	JE    f30
+	MOVL  W_56+224(FP), CX
+	MOVL  W_57+228(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	SUBL  $0x00000001, CX
+	ORL   $0xf7dfffff, CX
+	ANDL  CX, AX
+
+f30:
+	// if (mask & (DV_II_51_0_bit | DV_II_53_0_bit)) != 0 {
+	// 	mask &= ((((W[55] ^ (W[58] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_51_0_bit | DV_II_53_0_bit))
+	// }
+	TESTL $0x12000000, AX
+	JE    f31
+	MOVL  W_55+220(FP), CX
+	MOVL  W_58+232(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xedffffff, CX
+	ANDL  CX, AX
+
+f31:
+	// if (mask & (DV_II_50_0_bit | DV_II_52_0_bit)) != 0 {
+	// 	mask &= ((((W[54] ^ (W[57] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_50_0_bit | DV_II_52_0_bit))
+	// }
+	TESTL $0x08800000, AX
+	JE    f32
+	MOVL  W_54+216(FP), CX
+	MOVL  W_57+228(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xf77fffff, CX
+	ANDL  CX, AX
+
+f32:
+	// if (mask & (DV_II_49_0_bit | DV_II_51_0_bit)) != 0 {
+	// 	mask &= ((((W[53] ^ (W[56] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_II_49_0_bit | DV_II_51_0_bit))
+	// }
+	TESTL $0x02200000, AX
+	JE    f33
+	MOVL  W_53+212(FP), CX
+	MOVL  W_56+224(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xfddfffff, CX
+	ANDL  CX, AX
+
+f33:
+	// mask &= ((((W[51] ^ (W[50] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_50_2_bit | DV_II_46_2_bit))
+	MOVL W_51+204(FP), CX
+	MOVL W_50+200(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	SUBL $0x00000002, CX
+	ORL  $0xfffbefff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[48] ^ W[50]) & (1 << 6)) - (1 << 6)) | ^(DV_I_50_2_bit | DV_II_46_2_bit))
+	MOVL W_48+192(FP), CX
+	MOVL W_50+200(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	SUBL $0x00000040, CX
+	ORL  $0xfffbefff, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_51_0_bit | DV_I_52_0_bit)) != 0 {
+	// 	mask &= ((0 - (((W[48] ^ W[55]) >> 29) & 1)) | ^(DV_I_51_0_bit | DV_I_52_0_bit))
+	// }
+	TESTL $0x0000a000, AX
+	JE    f34
+	MOVL  W_48+192(FP), CX
+	MOVL  W_55+220(FP), DX
+	XORL  DX, CX
+	SHRL  $0x1d, CX
+	ANDL  $0x00000001, CX
+	NEGL  CX
+	ORL   $0xffff5fff, CX
+	ANDL  CX, AX
+
+f34:
+	// mask &= ((((W[47] ^ W[49]) & (1 << 6)) - (1 << 6)) | ^(DV_I_49_2_bit | DV_I_51_2_bit))
+	MOVL W_47+188(FP), CX
+	MOVL W_49+196(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	SUBL $0x00000040, CX
+	ORL  $0xffffbbff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[48] ^ (W[47] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_47_2_bit | DV_II_51_2_bit))
+	MOVL W_48+192(FP), CX
+	MOVL W_47+188(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	SUBL $0x00000002, CX
+	ORL  $0xfbffffbf, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[46] ^ W[48]) & (1 << 6)) - (1 << 6)) | ^(DV_I_48_2_bit | DV_I_50_2_bit))
+	MOVL W_46+184(FP), CX
+	MOVL W_48+192(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	SUBL $0x00000040, CX
+	ORL  $0xffffeeff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[47] ^ (W[46] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_46_2_bit | DV_II_50_2_bit))
+	MOVL W_47+188(FP), CX
+	MOVL W_46+184(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	SUBL $0x00000002, CX
+	ORL  $0xfeffffef, CX
+	ANDL CX, AX
+
+	// mask &= ((0 - ((W[44] ^ (W[45] >> 5)) & (1 << 1))) | ^(DV_I_51_2_bit | DV_II_49_2_bit))
+	MOVL W_44+176(FP), CX
+	MOVL W_45+180(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	ORL  $0xffbfbfff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[43] ^ W[45]) & (1 << 6)) - (1 << 6)) | ^(DV_I_47_2_bit | DV_I_49_2_bit))
+	MOVL W_43+172(FP), CX
+	MOVL W_45+180(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	SUBL $0x00000040, CX
+	ORL  $0xfffffbbf, CX
+	ANDL CX, AX
+
+	// mask &= (((((W[42] ^ W[44]) >> 6) & 1) - 1) | ^(DV_I_46_2_bit | DV_I_48_2_bit))
+	MOVL W_42+168(FP), CX
+	MOVL W_44+176(FP), DX
+	XORL DX, CX
+	SHRL $0x06, CX
+	ANDL $0x00000001, CX
+	SUBL $0x00000001, CX
+	ORL  $0xfffffeef, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[43] ^ (W[42] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_II_46_2_bit | DV_II_51_2_bit))
+	MOVL W_43+172(FP), CX
+	MOVL W_42+168(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	SUBL $0x00000002, CX
+	ORL  $0xfbfbffff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[42] ^ (W[41] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_51_2_bit | DV_II_50_2_bit))
+	MOVL W_42+168(FP), CX
+	MOVL W_41+164(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	SUBL $0x00000002, CX
+	ORL  $0xfeffbfff, CX
+	ANDL CX, AX
+
+	// mask &= ((((W[41] ^ (W[40] >> 5)) & (1 << 1)) - (1 << 1)) | ^(DV_I_50_2_bit | DV_II_49_2_bit))
+	MOVL W_41+164(FP), CX
+	MOVL W_40+160(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	SUBL $0x00000002, CX
+	ORL  $0xffbfefff, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_52_0_bit | DV_II_51_0_bit)) != 0 {
+	// 	mask &= ((((W[39] ^ (W[43] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_52_0_bit | DV_II_51_0_bit))
+	// }
+	TESTL $0x02008000, AX
+	JE    f35
+	MOVL  W_39+156(FP), CX
+	MOVL  W_43+172(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xfdff7fff, CX
+	ANDL  CX, AX
+
+f35:
+	// if (mask & (DV_I_51_0_bit | DV_II_50_0_bit)) != 0 {
+	// 	mask &= ((((W[38] ^ (W[42] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_51_0_bit | DV_II_50_0_bit))
+	// }
+	TESTL $0x00802000, AX
+	JE    f36
+	MOVL  W_38+152(FP), CX
+	MOVL  W_42+168(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xff7fdfff, CX
+	ANDL  CX, AX
+
+f36:
+	// if (mask & (DV_I_48_2_bit | DV_I_51_2_bit)) != 0 {
+	// 	mask &= ((0 - ((W[37] ^ (W[38] >> 5)) & (1 << 1))) | ^(DV_I_48_2_bit | DV_I_51_2_bit))
+	// }
+	TESTL $0x00004100, AX
+	JE    f37
+	MOVL  W_37+148(FP), CX
+	MOVL  W_38+152(FP), DX
+	SHRL  $0x05, DX
+	XORL  DX, CX
+	ANDL  $0x00000002, CX
+	NEGL  CX
+	ORL   $0xffffbeff, CX
+	ANDL  CX, AX
+
+f37:
+	// if (mask & (DV_I_50_0_bit | DV_II_49_0_bit)) != 0 {
+	// 	mask &= ((((W[37] ^ (W[41] >> 25)) & (1 << 4)) - (1 << 4)) | ^(DV_I_50_0_bit | DV_II_49_0_bit))
+	// }
+	TESTL $0x00200800, AX
+	JE    f38
+	MOVL  W_37+148(FP), CX
+	MOVL  W_41+164(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	SUBL  $0x00000010, CX
+	ORL   $0xffdff7ff, CX
+	ANDL  CX, AX
+
+f38:
+	// if (mask & (DV_II_52_0_bit | DV_II_54_0_bit)) != 0 {
+	// 	mask &= ((0 - ((W[36] ^ W[38]) & (1 << 4))) | ^(DV_II_52_0_bit | DV_II_54_0_bit))
+	// }
+	TESTL $0x28000000, AX
+	JE    f39
+	MOVL  W_36+144(FP), CX
+	MOVL  W_38+152(FP), DX
+	XORL  DX, CX
+	ANDL  $0x00000010, CX
+	NEGL  CX
+	ORL   $0xd7ffffff, CX
+	ANDL  CX, AX
+
+f39:
+	// mask &= ((0 - ((W[35] ^ (W[36] >> 5)) & (1 << 1))) | ^(DV_I_46_2_bit | DV_I_49_2_bit))
+	MOVL W_35+140(FP), CX
+	MOVL W_36+144(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	ORL  $0xfffffbef, CX
+	ANDL CX, AX
+
+	// if (mask & (DV_I_51_0_bit | DV_II_47_0_bit)) != 0 {
+	// 	mask &= ((((W[35] ^ (W[39] >> 25)) & (1 << 3)) - (1 << 3)) | ^(DV_I_51_0_bit | DV_II_47_0_bit))
+	// }
+	TESTL $0x00082000, AX
+	JE    f40
+	MOVL  W_35+140(FP), CX
+	MOVL  W_39+156(FP), DX
+	SHRL  $0x19, DX
+	XORL  DX, CX
+	ANDL  $0x00000008, CX
+	SUBL  $0x00000008, CX
+	ORL   $0xfff7dfff, CX
+	ANDL  CX, AX
+
+f40:
+	// if mask != 0
+	TESTL $0x00000000, AX
+	JNE   end
+
+	// if (mask & DV_I_43_0_bit) != 0 {
+	// 	if not((W[61]^(W[62]>>5))&(1<<1)) != 0 ||
+	// 		not(not((W[59]^(W[63]>>25))&(1<<5))) != 0 ||
+	// 		not((W[58]^(W[63]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_I_43_0_bit
+	// 	}
+	// }
+	BTL  $0x00, AX
+	JNC  f41_skip
+	MOVL W_61+244(FP), CX
+	MOVL W_62+248(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f41_in
+	MOVL W_59+236(FP), CX
+	MOVL W_63+252(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000020, CX
+	CMPL CX, $0x00000000
+	JNE  f41_in
+	MOVL W_58+232(FP), CX
+	MOVL W_63+252(FP), DX
+	SHRL $0x1e, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f41_in
+	JMP  f41_skip
+
+f41_in:
+	ANDL $0xfffffffe, AX
+
+f41_skip:
+	// if (mask & DV_I_44_0_bit) != 0 {
+	// 	if not((W[62]^(W[63]>>5))&(1<<1)) != 0 ||
+	// 		not(not((W[60]^(W[64]>>25))&(1<<5))) != 0 ||
+	// 		not((W[59]^(W[64]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_I_44_0_bit
+	// 	}
+	// }
+	BTL  $0x01, AX
+	JNC  f42_skip
+	MOVL W_62+248(FP), CX
+	MOVL W_63+252(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f42_in
+	MOVL W_60+240(FP), CX
+	MOVL W_64+256(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000020, CX
+	CMPL CX, $0x00000000
+	JNE  f42_in
+	MOVL W_59+236(FP), CX
+	MOVL W_64+256(FP), DX
+	SHRL $0x1e, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f42_in
+	JMP  f42_skip
+
+f42_in:
+	ANDL $0xfffffffd, AX
+
+f42_skip:
+	// if (mask & DV_I_46_2_bit) != 0 {
+	// 	mask &= ((^((W[40] ^ W[42]) >> 2)) | ^DV_I_46_2_bit)
+	// }
+	BTL  $0x04, AX
+	JNC  f43
+	MOVL W_40+160(FP), CX
+	MOVL W_42+168(FP), DX
+	XORL DX, CX
+	SHRL $0x02, CX
+	NOTL CX
+	ORL  $0xffffffef, CX
+	ANDL CX, AX
+
+f43:
+	// if (mask & DV_I_47_2_bit) != 0 {
+	// 	if not((W[62]^(W[63]>>5))&(1<<2)) != 0 ||
+	// 		not(not((W[41]^W[43])&(1<<6))) != 0 {
+	// 		mask &= ^DV_I_47_2_bit
+	// 	}
+	// }
+	BTL  $0x06, AX
+	JNC  f44_skip
+	MOVL W_62+248(FP), CX
+	MOVL W_63+252(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000004, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f44_in
+	MOVL W_41+164(FP), CX
+	MOVL W_43+172(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f44_in
+	JMP  f44_skip
+
+f44_in:
+	ANDL $0xffffffbf, AX
+
+f44_skip:
+	// if (mask & DV_I_48_2_bit) != 0 {
+	// 	if not((W[63]^(W[64]>>5))&(1<<2)) != 0 ||
+	// 		not(not((W[48]^(W[49]<<5))&(1<<6))) != 0 {
+	// 		mask &= ^DV_I_48_2_bit
+	// 	}
+	// }
+	BTL  $0x08, AX
+	JNC  f45_skip
+	MOVL W_63+252(FP), CX
+	MOVL W_64+256(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000004, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f45_in
+	MOVL W_48+192(FP), CX
+	MOVL W_49+196(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f45_in
+	JMP  f45_skip
+
+f45_in:
+	ANDL $0xfffffeff, AX
+
+f45_skip:
+	// if (mask & DV_I_49_2_bit) != 0 {
+	// 	if not(not((W[49]^(W[50]<<5))&(1<<6))) != 0 ||
+	// 		not((W[42]^W[50])&(1<<1)) != 0 ||
+	// 		not(not((W[39]^(W[40]<<5))&(1<<6))) != 0 ||
+	// 		not((W[38]^W[40])&(1<<1)) != 0 {
+	// 		mask &= ^DV_I_49_2_bit
+	// 	}
+	// }
+	BTL  $0x0a, AX
+	JNC  f46_skip
+	MOVL W_49+196(FP), CX
+	MOVL W_50+200(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f46_in
+	MOVL W_42+168(FP), CX
+	MOVL W_50+200(FP), DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	CMPL CX, $0x00000000
+	JE   f46_in
+	MOVL W_39+156(FP), CX
+	MOVL W_40+160(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f46_in
+	MOVL W_38+152(FP), CX
+	MOVL W_40+160(FP), DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	CMPL CX, $0x00000000
+	JE   f46_in
+	JMP  f46_skip
+
+f46_in:
+	ANDL $0xfffffbff, AX
+
+f46_skip:
+	// if (mask & DV_I_50_0_bit) != 0 {
+	// 	mask &= (((W[36] ^ W[37]) << 7) | ^DV_I_50_0_bit)
+	// }
+	BTL  $0x0b, AX
+	JNC  f47
+	MOVL W_36+144(FP), CX
+	MOVL W_37+148(FP), DX
+	XORL DX, CX
+	SHLL $0x07, CX
+	ORL  $0xfffff7ff, CX
+	ANDL CX, AX
+
+f47:
+	// if (mask & DV_I_50_2_bit) != 0 {
+	// 	mask &= (((W[43] ^ W[51]) << 11) | ^DV_I_50_2_bit)
+	// }
+	BTL  $0x0c, AX
+	JNC  f48
+	MOVL W_43+172(FP), CX
+	MOVL W_51+204(FP), DX
+	XORL DX, CX
+	SHLL $0x0b, CX
+	ORL  $0xffffefff, CX
+	ANDL CX, AX
+
+f48:
+	// if (mask & DV_I_51_0_bit) != 0 {
+	// 	mask &= (((W[37] ^ W[38]) << 9) | ^DV_I_51_0_bit)
+	// }
+	BTL  $0x0d, AX
+	JNC  f49
+	MOVL W_37+148(FP), CX
+	MOVL W_38+152(FP), DX
+	XORL DX, CX
+	SHLL $0x09, CX
+	ORL  $0xffffdfff, CX
+	ANDL CX, AX
+
+f49:
+	// if (mask & DV_I_51_2_bit) != 0 {
+	// 	if not(not((W[51]^(W[52]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[49]^W[51])&(1<<6))) != 0 ||
+	// 		not(not((W[37]^(W[37]>>5))&(1<<1))) != 0 ||
+	// 		not(not((W[35]^(W[39]>>25))&(1<<5))) != 0 {
+	// 		mask &= ^DV_I_51_2_bit
+	// 	}
+	// }
+	BTL  $0x0e, AX
+	JNC  f50_skip
+	MOVL W_51+204(FP), CX
+	MOVL W_52+208(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f50_in
+	MOVL W_49+196(FP), CX
+	MOVL W_51+204(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f50_in
+	MOVL W_37+148(FP), CX
+	MOVL W_37+148(FP), DX
+	SHRL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	CMPL CX, $0x00000000
+	JNE  f50_in
+	MOVL W_35+140(FP), CX
+	MOVL W_39+156(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000020, CX
+	CMPL CX, $0x00000000
+	JNE  f50_in
+	JMP  f50_skip
+
+f50_in:
+	ANDL $0xffffbfff, AX
+
+f50_skip:
+	// if (mask & DV_I_52_0_bit) != 0 {
+	// 	mask &= (((W[38] ^ W[39]) << 11) | ^DV_I_52_0_bit)
+	// }
+	BTL  $0x0f, AX
+	JNC  f51
+	MOVL W_38+152(FP), CX
+	MOVL W_39+156(FP), DX
+	XORL DX, CX
+	SHLL $0x0b, CX
+	ORL  $0xffff7fff, CX
+	ANDL CX, AX
+
+f51:
+	// if (mask & DV_II_46_2_bit) != 0 {
+	// 	mask &= (((W[47] ^ W[51]) << 17) | ^DV_II_46_2_bit)
+	// }
+	TESTL $0x00040000, AX
+	BTL   $0x12, AX
+	JNC   f52
+	MOVL  W_47+188(FP), CX
+	MOVL  W_51+204(FP), DX
+	XORL  DX, CX
+	SHLL  $0x11, CX
+	ORL   $0xfffbffff, CX
+	ANDL  CX, AX
+
+f52:
+	// if (mask & DV_II_48_0_bit) != 0 {
+	// 	if not(not((W[36]^(W[40]>>25))&(1<<3))) != 0 ||
+	// 		not((W[35]^(W[40]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_48_0_bit
+	// 	}
+	// }
+	BTL  $0x14, AX
+	JNC  f53_skip
+	MOVL W_36+144(FP), CX
+	MOVL W_40+160(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f53_in
+	MOVL W_35+140(FP), CX
+	MOVL W_40+160(FP), DX
+	SHLL $0x02, DX
+	XORL DX, CX
+	ANDL $0x40000000, CX
+	CMPL CX, $0x00000000
+	JNE  f53_in
+	JMP  f53_skip
+
+f53_in:
+	ANDL $0xffefffff, AX
+
+f53_skip:
+	// if (mask & DV_II_49_0_bit) != 0 {
+	// 	if not(not((W[37]^(W[41]>>25))&(1<<3))) != 0 ||
+	// 		not((W[36]^(W[41]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_49_0_bit
+	// 	}
+	// }
+	BTL  $0x15, AX
+	JNC  f54_skip
+	MOVL W_37+148(FP), CX
+	MOVL W_41+164(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f54_in
+	MOVL W_36+144(FP), CX
+	MOVL W_41+164(FP), DX
+	SHLL $0x02, DX
+	XORL DX, CX
+	ANDL $0x40000000, CX
+	CMPL CX, $0x00000000
+	JNE  f54_in
+	JMP  f54_skip
+
+f54_in:
+	ANDL $0xffdfffff, AX
+
+f54_skip:
+	// if (mask & DV_II_49_2_bit) != 0 {
+	// 	if not(not((W[53]^(W[54]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[51]^W[53])&(1<<6))) != 0 ||
+	// 		not((W[50]^W[54])&(1<<1)) != 0 ||
+	// 		not(not((W[45]^(W[46]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[37]^(W[41]>>25))&(1<<5))) != 0 ||
+	// 		not((W[36]^(W[41]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_II_49_2_bit
+	// 	}
+	// }
+	BTL  $0x16, AX
+	JNC  f55_skip
+	MOVL W_53+212(FP), CX
+	MOVL W_54+216(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f55_in
+	MOVL W_51+204(FP), CX
+	MOVL W_53+212(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f55_in
+	MOVL W_50+200(FP), CX
+	MOVL W_54+216(FP), DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f55_in
+	MOVL W_45+180(FP), CX
+	MOVL W_46+184(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f55_in
+	MOVL W_37+148(FP), CX
+	MOVL W_41+164(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000020, CX
+	CMPL CX, $0x00000000
+	JNE  f55_in
+	MOVL W_36+144(FP), CX
+	MOVL W_41+164(FP), DX
+	SHRL $0x1e, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f55_in
+	JMP  f55_skip
+
+f55_in:
+	ANDL $0xffbfffff, AX
+
+f55_skip:
+	// if (mask & DV_II_50_0_bit) != 0 {
+	// 	if not((W[55]^W[58])&(1<<29)) != 0 ||
+	// 		not(not((W[38]^(W[42]>>25))&(1<<3))) != 0 ||
+	// 		not((W[37]^(W[42]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_50_0_bit
+	// 	}
+	// }
+	BTL  $0x17, AX
+	JNC  f56_skip
+	MOVL W_55+220(FP), CX
+	MOVL W_58+232(FP), DX
+	XORL DX, CX
+	ANDL $0x20000000, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f56_in
+	MOVL W_38+152(FP), CX
+	MOVL W_42+168(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f56_in
+	MOVL W_37+148(FP), CX
+	MOVL W_42+168(FP), DX
+	SHRL $0x02, DX
+	XORL DX, CX
+	ANDL $0x40000000, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f56_in
+	JMP  f56_skip
+
+f56_in:
+	ANDL $0xff7fffff, AX
+
+f56_skip:
+	// if (mask & DV_II_50_2_bit) != 0 {
+	// 	if not(not((W[54]^(W[55]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[52]^W[54])&(1<<6))) != 0 ||
+	// 		not((W[51]^W[55])&(1<<1)) != 0 ||
+	// 		not((W[45]^W[47])&(1<<1)) != 0 ||
+	// 		not(not((W[38]^(W[42]>>25))&(1<<5))) != 0 ||
+	// 		not((W[37]^(W[42]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_II_50_2_bit
+	// 	}
+	// }
+	BTL  $0x18, AX
+	JNC  f57_skip
+	MOVL W_54+216(FP), CX
+	MOVL W_55+220(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f57_in
+	MOVL W_52+208(FP), CX
+	MOVL W_54+216(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f57_in
+	MOVL W_51+204(FP), CX
+	MOVL W_55+220(FP), DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f57_in
+	MOVL W_45+180(FP), CX
+	MOVL W_47+188(FP), DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f57_in
+	MOVL W_38+152(FP), CX
+	MOVL W_42+168(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000020, CX
+	CMPL CX, $0x00000000
+	JNE  f57_in
+	MOVL W_37+148(FP), CX
+	MOVL W_42+168(FP), DX
+	SHRL $0x1e, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f57_in
+	JMP  f57_skip
+
+f57_in:
+	ANDL $0xfeffffff, AX
+
+f57_skip:
+	// if (mask & DV_II_51_0_bit) != 0 {
+	// 	if not(not((W[39]^(W[43]>>25))&(1<<3))) != 0 ||
+	// 		not((W[38]^(W[43]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_51_0_bit
+	// 	}
+	// }
+	BTL  $0x19, AX
+	JNC  f58_skip
+	MOVL W_39+156(FP), CX
+	MOVL W_43+172(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f58_in
+	MOVL W_38+152(FP), CX
+	MOVL W_43+172(FP), DX
+	SHLL $0x02, DX
+	XORL DX, CX
+	ANDL $0x40000000, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f58_in
+	JMP  f58_skip
+
+f58_in:
+	ANDL $0xfdffffff, AX
+
+f58_skip:
+	// if (mask & DV_II_51_2_bit) != 0 {
+	// 	if not(not((W[55]^(W[56]<<5))&(1<<6))) != 0 ||
+	// 		not(not((W[53]^W[55])&(1<<6))) != 0 ||
+	// 		not((W[52]^W[56])&(1<<1)) != 0 ||
+	// 		not((W[46]^W[48])&(1<<1)) != 0 ||
+	// 		not(not((W[39]^(W[43]>>25))&(1<<5))) != 0 ||
+	// 		not((W[38]^(W[43]>>30))&(1<<0)) != 0 {
+	// 		mask &= ^DV_II_51_2_bit
+	// 	}
+	// }
+	BTL  $0x1a, AX
+	JNC  f59_skip
+	MOVL W_55+220(FP), CX
+	MOVL W_56+224(FP), DX
+	SHLL $0x05, DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f59_in
+	MOVL W_53+212(FP), CX
+	MOVL W_55+220(FP), DX
+	XORL DX, CX
+	ANDL $0x00000040, CX
+	CMPL CX, $0x00000000
+	JNE  f59_in
+	MOVL W_52+208(FP), CX
+	MOVL W_56+224(FP), DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f59_in
+	MOVL W_46+184(FP), CX
+	MOVL W_48+192(FP), DX
+	XORL DX, CX
+	ANDL $0x00000002, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f59_in
+	MOVL W_39+156(FP), CX
+	MOVL W_43+172(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000020, CX
+	CMPL CX, $0x00000000
+	JNE  f59_in
+	MOVL W_38+152(FP), CX
+	MOVL W_43+172(FP), DX
+	SHRL $0x1e, DX
+	XORL DX, CX
+	ANDL $0x00000001, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f59_in
+	JMP  f59_skip
+
+f59_in:
+	ANDL $0xfbffffff, AX
+
+f59_skip:
+	// if (mask & DV_II_52_0_bit) != 0 {
+	// 	if not(not((W[59]^W[60])&(1<<29))) != 0 ||
+	// 		not(not((W[40]^(W[44]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[40]^(W[44]>>25))&(1<<4))) != 0 ||
+	// 		not((W[39]^(W[44]<<2))&(1<<30)) != 0 {
+	// 		mask &= ^DV_II_52_0_bit
+	// 	}
+	// }
+	BTL  $0x1b, AX
+	JNC  f60_skip
+	MOVL W_59+236(FP), CX
+	MOVL W_60+240(FP), DX
+	XORL DX, CX
+	ANDL $0x20000000, CX
+	CMPL CX, $0x00000000
+	JNE  f60_in
+	MOVL W_40+160(FP), CX
+	MOVL W_44+176(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f60_in
+	MOVL W_40+160(FP), CX
+	MOVL W_44+176(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f60_in
+	MOVL W_39+156(FP), CX
+	MOVL W_44+176(FP), DX
+	SHLL $0x02, DX
+	XORL DX, CX
+	ANDL $0x40000000, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f60_in
+	JMP  f60_skip
+
+f60_in:
+	ANDL $0xf7ffffff, AX
+
+f60_skip:
+	// if (mask & DV_II_53_0_bit) != 0 {
+	// 	if not((W[58]^W[61])&(1<<29)) != 0 ||
+	// 		not(not((W[57]^(W[61]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[41]^(W[45]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[41]^(W[45]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_53_0_bit
+	// 	}
+	// }
+	BTL  $0x1c, AX
+	JNC  f61_skip
+	MOVL W_58+232(FP), CX
+	MOVL W_61+244(FP), DX
+	XORL DX, CX
+	ANDL $0x20000000, CX
+	NEGL CX
+	CMPL CX, $0x00000000
+	JE   f61_in
+	MOVL W_57+228(FP), CX
+	MOVL W_61+244(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f61_in
+	MOVL W_41+164(FP), CX
+	MOVL W_45+180(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f61_in
+	MOVL W_41+164(FP), CX
+	MOVL W_45+180(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f61_in
+	JMP  f61_skip
+
+f61_in:
+	ANDL $0xefffffff, AX
+
+f61_skip:
+	// if (mask & DV_II_54_0_bit) != 0 {
+	// 	if not(not((W[58]^(W[62]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[42]^(W[46]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[42]^(W[46]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_54_0_bit
+	// 	}
+	// }
+	BTL  $0x1d, AX
+	JNC  f62_skip
+	MOVL W_58+232(FP), CX
+	MOVL W_62+248(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f62_in
+	MOVL W_42+168(FP), CX
+	MOVL W_46+184(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f62_in
+	MOVL W_42+168(FP), CX
+	MOVL W_46+184(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f62_in
+	JMP  f62_skip
+
+f62_in:
+	ANDL $0xdfffffff, AX
+
+f62_skip:
+	// if (mask & DV_II_55_0_bit) != 0 {
+	// 	if not(not((W[59]^(W[63]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[57]^(W[59]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[43]^(W[47]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[43]^(W[47]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_55_0_bit
+	// 	}
+	// }
+	BTL  $0x1e, AX
+	JNC  f63_skip
+	MOVL W_59+236(FP), CX
+	MOVL W_63+252(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f63_in
+	MOVL W_57+228(FP), CX
+	MOVL W_59+236(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f63_in
+	MOVL W_43+172(FP), CX
+	MOVL W_47+188(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f63_in
+	MOVL W_43+172(FP), CX
+	MOVL W_47+188(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f63_in
+	JMP  f63_skip
+
+f63_in:
+	ANDL $0xbfffffff, AX
+
+f63_skip:
+	// if (mask & DV_II_56_0_bit) != 0 {
+	// 	if not(not((W[60]^(W[64]>>25))&(1<<4))) != 0 ||
+	// 		not(not((W[44]^(W[48]>>25))&(1<<3))) != 0 ||
+	// 		not(not((W[44]^(W[48]>>25))&(1<<4))) != 0 {
+	// 		mask &= ^DV_II_56_0_bit
+	// 	}
+	// }
+	BTL  $0x1f, AX
+	JNC  f64_skip
+	MOVL W_60+240(FP), CX
+	MOVL W_64+256(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f64_in
+	MOVL W_44+176(FP), CX
+	MOVL W_48+192(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000008, CX
+	CMPL CX, $0x00000000
+	JNE  f64_in
+	MOVL W_44+176(FP), CX
+	MOVL W_48+192(FP), DX
+	SHRL $0x19, DX
+	XORL DX, CX
+	ANDL $0x00000010, CX
+	CMPL CX, $0x00000000
+	JNE  f64_in
+	JMP  f64_skip
+
+f64_in:
+	ANDL $0x7fffffff, AX
+
+f64_skip:
+end:
+	MOVL AX, ret+320(FP)
+	RET
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/check.go b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_generic.go
similarity index 99%
rename from vendor/github.com/pjbgf/sha1cd/ubc/check.go
rename to vendor/github.com/pjbgf/sha1cd/ubc/ubc_generic.go
index 167a5558f..ee95bd52d 100644
--- a/vendor/github.com/pjbgf/sha1cd/ubc/check.go
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_generic.go
@@ -25,7 +25,7 @@ type DvInfo struct {
 // for all listed DVs. It returns a dvmask where each bit belonging to a DV is set if all
 // unavoidable bitconditions for that DV have been met.
 // Thus, one needs to do the recompression check for each DV that has its bit set.
-func CalculateDvMask(W [80]uint32) uint32 {
+func CalculateDvMaskGeneric(W [80]uint32) uint32 {
 	mask := uint32(0xFFFFFFFF)
 	mask &= (((((W[44] ^ W[45]) >> 29) & 1) - 1) | ^(DV_I_48_0_bit | DV_I_51_0_bit | DV_I_52_0_bit | DV_II_45_0_bit | DV_II_46_0_bit | DV_II_50_0_bit | DV_II_51_0_bit))
 	mask &= (((((W[49] ^ W[50]) >> 29) & 1) - 1) | ^(DV_I_46_0_bit | DV_II_45_0_bit | DV_II_50_0_bit | DV_II_51_0_bit | DV_II_55_0_bit | DV_II_56_0_bit))
diff --git a/vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go
new file mode 100644
index 000000000..48d6dff16
--- /dev/null
+++ b/vendor/github.com/pjbgf/sha1cd/ubc/ubc_noasm.go
@@ -0,0 +1,12 @@
+//go:build !amd64 || noasm || !gc
+// +build !amd64 noasm !gc
+
+package ubc
+
+// Check takes as input an expanded message block and verifies the unavoidable bitconditions
+// for all listed DVs. It returns a dvmask where each bit belonging to a DV is set if all
+// unavoidable bitconditions for that DV have been met.
+// Thus, one needs to do the recompression check for each DV that has its bit set.
+func CalculateDvMask(W [80]uint32) uint32 {
+	return CalculateDvMaskGeneric(W)
+}
diff --git a/vendor/github.com/pulumi/pulumi-command/sdk/go/command/internal/pulumiUtilities.go b/vendor/github.com/pulumi/pulumi-command/sdk/go/command/internal/pulumiUtilities.go
index 4c3c69fc0..2e6c9e8dd 100644
--- a/vendor/github.com/pulumi/pulumi-command/sdk/go/command/internal/pulumiUtilities.go
+++ b/vendor/github.com/pulumi/pulumi-command/sdk/go/command/internal/pulumiUtilities.go
@@ -165,7 +165,7 @@ func callPlainInner(
 func PkgResourceDefaultOpts(opts []pulumi.ResourceOption) []pulumi.ResourceOption {
 	defaults := []pulumi.ResourceOption{}
 
-	version := semver.MustParse("1.0.1")
+	version := semver.MustParse("1.0.2")
 	if !version.Equals(semver.Version{}) {
 		defaults = append(defaults, pulumi.Version(version.String()))
 	}
@@ -176,7 +176,7 @@ func PkgResourceDefaultOpts(opts []pulumi.ResourceOption) []pulumi.ResourceOptio
 func PkgInvokeDefaultOpts(opts []pulumi.InvokeOption) []pulumi.InvokeOption {
 	defaults := []pulumi.InvokeOption{}
 
-	version := semver.MustParse("1.0.1")
+	version := semver.MustParse("1.0.2")
 	if !version.Equals(semver.Version{}) {
 		defaults = append(defaults, pulumi.Version(version.String()))
 	}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/.version b/vendor/github.com/pulumi/pulumi/sdk/v3/.version
index 3fdcb7df8..c8cf08178 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/.version
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/.version
@@ -1 +1 @@
-3.143.0
+3.150.0
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd.go
index b28717894..b744775e9 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd.go
@@ -25,8 +25,10 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"time"
 
 	"github.com/blang/semver"
+
 	"github.com/pulumi/pulumi/sdk/v3"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/env"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/slice"
@@ -281,6 +283,15 @@ func (p pulumiCommand) Run(ctx context.Context,
 	cmd.Stdout = io.MultiWriter(additionalOutput...)
 	cmd.Stderr = io.MultiWriter(additionalErrorOutput...)
 	cmd.Stdin = stdin
+	setSysprocAttrNewProcessGroup(cmd)
+	cmd.Cancel = func() error {
+		err := interruptProcess(cmd.Process)
+		if err != nil {
+			_ = cmd.Process.Kill()
+		}
+		return nil
+	}
+	cmd.WaitDelay = 10 * time.Second
 
 	code := unknownErrorCode
 	err := cmd.Run()
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_other.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_other.go
new file mode 100644
index 000000000..aa6cd9dfb
--- /dev/null
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_other.go
@@ -0,0 +1,30 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !windows
+// +build !windows
+
+package auto
+
+import (
+	"os"
+	"os/exec"
+)
+
+func interruptProcess(proc *os.Process) error {
+	return proc.Signal(os.Interrupt)
+}
+
+func setSysprocAttrNewProcessGroup(_ *exec.Cmd) {
+}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_windows.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_windows.go
new file mode 100644
index 000000000..c14fef745
--- /dev/null
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/cmd_windows.go
@@ -0,0 +1,36 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build windows
+// +build windows
+
+package auto
+
+import (
+	"os"
+	"os/exec"
+	"syscall"
+
+	"github.com/iwdgo/sigintwindows"
+)
+
+func interruptProcess(proc *os.Process) error {
+	return sigintwindows.SendCtrlBreak(proc.Pid)
+}
+
+func setSysprocAttrNewProcessGroup(cmd *exec.Cmd) {
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		CreationFlags: syscall.CREATE_NEW_PROCESS_GROUP,
+	}
+}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/local_workspace.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/local_workspace.go
index a7488beb2..b7a475664 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/local_workspace.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/local_workspace.go
@@ -204,6 +204,9 @@ func (l *LocalWorkspace) GetConfigWithOptions(
 		if opts.Path {
 			args = append(args, "--path")
 		}
+		if opts.ConfigFile != "" {
+			args = append(args, "--config-file", opts.ConfigFile)
+		}
 	}
 	args = append(args, key, "--json", "--stack", stackName)
 	stdout, stderr, errCode, err := l.runPulumiCmdSync(ctx, args...)
@@ -220,8 +223,27 @@ func (l *LocalWorkspace) GetConfigWithOptions(
 // GetAllConfig returns the config map for the specified stack name, scoped to the current workspace.
 // LocalWorkspace reads this config from the matching Pulumi.stack.yaml file.
 func (l *LocalWorkspace) GetAllConfig(ctx context.Context, stackName string) (ConfigMap, error) {
+	return l.GetAllConfigWithOptions(ctx, stackName, &GetAllConfigOptions{ShowSecrets: true})
+}
+
+// GetAllConfigWithOptions returns the config map for the specified stack name
+// using the optional GetAllConfigOptions, scoped to the current workspace.
+// LocalWorkspace reads this config from the matching Pulumi.stack.yaml file.
+func (l *LocalWorkspace) GetAllConfigWithOptions(
+	ctx context.Context, stackName string, opts *GetAllConfigOptions,
+) (ConfigMap, error) {
 	var val ConfigMap
-	stdout, stderr, errCode, err := l.runPulumiCmdSync(ctx, "config", "--show-secrets", "--json", "--stack", stackName)
+	args := []string{"config"}
+	if opts != nil {
+		if opts.ShowSecrets {
+			args = append(args, "--show-secrets")
+		}
+		if opts.ConfigFile != "" {
+			args = append(args, "--config-file", opts.ConfigFile)
+		}
+	}
+	args = append(args, "--json", "--stack", stackName)
+	stdout, stderr, errCode, err := l.runPulumiCmdSync(ctx, args...)
 	if err != nil {
 		return val, newAutoError(fmt.Errorf("unable to read config: %w", err), stdout, stderr, errCode)
 	}
@@ -248,6 +270,9 @@ func (l *LocalWorkspace) SetConfigWithOptions(
 		if opts.Path {
 			args = append(args, "--path")
 		}
+		if opts.ConfigFile != "" {
+			args = append(args, "--config-file", opts.ConfigFile)
+		}
 	}
 	secretArg := "--plaintext"
 	if val.Secret {
@@ -279,6 +304,9 @@ func (l *LocalWorkspace) SetAllConfigWithOptions(
 		if opts.Path {
 			args = append(args, "--path")
 		}
+		if opts.ConfigFile != "" {
+			args = append(args, "--config-file", opts.ConfigFile)
+		}
 	}
 	for k, v := range config {
 		secretArg := "--plaintext"
@@ -311,6 +339,9 @@ func (l *LocalWorkspace) RemoveConfigWithOptions(
 		if opts.Path {
 			args = append(args, "--path")
 		}
+		if opts.ConfigFile != "" {
+			args = append(args, "--config-file", opts.ConfigFile)
+		}
 	}
 	args = append(args, key, "--stack", stackName)
 	stdout, stderr, errCode, err := l.runPulumiCmdSync(ctx, args...)
@@ -337,6 +368,9 @@ func (l *LocalWorkspace) RemoveAllConfigWithOptions(
 		if opts.Path {
 			args = append(args, "--path")
 		}
+		if opts.ConfigFile != "" {
+			args = append(args, "--config-file", opts.ConfigFile)
+		}
 	}
 	args = append(args, keys...)
 	stdout, stderr, errCode, err := l.runPulumiCmdSync(ctx, args...)
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optdestroy/optdestroy.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optdestroy/optdestroy.go
index b0567fbce..a20e079e8 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optdestroy/optdestroy.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optdestroy/optdestroy.go
@@ -87,6 +87,13 @@ func UserAgent(agent string) Option {
 	})
 }
 
+// Color allows specifying whether to colorize output. Choices are: always, never, raw, auto (default "auto")
+func Color(color string) Option {
+	return optionFunc(func(opts *Options) {
+		opts.Color = color
+	})
+}
+
 // ShowSecrets configures whether to show config secrets when they appear.
 func ShowSecrets(show bool) Option {
 	return optionFunc(func(opts *Options) {
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optpreview/optpreview.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optpreview/optpreview.go
index 7a2d17fc6..794241005 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optpreview/optpreview.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optpreview/optpreview.go
@@ -108,6 +108,13 @@ func UserAgent(agent string) Option {
 	})
 }
 
+// Color allows specifying whether to colorize output. Choices are: always, never, raw, auto (default "auto")
+func Color(color string) Option {
+	return optionFunc(func(opts *Options) {
+		opts.Color = color
+	})
+}
+
 // Plan specifies the path where the update plan should be saved.
 func Plan(path string) Option {
 	return optionFunc(func(opts *Options) {
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optrefresh/optrefresh.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optrefresh/optrefresh.go
index 22177b031..e0834c318 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optrefresh/optrefresh.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optrefresh/optrefresh.go
@@ -38,6 +38,13 @@ func ExpectNoChanges() Option {
 	})
 }
 
+// ClearPendingCreates will cause the refresh to drop all pending creates from the state
+func ClearPendingCreates() Option {
+	return optionFunc(func(opts *Options) {
+		opts.ClearPendingCreates = true
+	})
+}
+
 // Message (optional) to associate with the refresh operation
 func Message(message string) Option {
 	return optionFunc(func(opts *Options) {
@@ -87,6 +94,13 @@ func UserAgent(agent string) Option {
 	})
 }
 
+// Color allows specifying whether to colorize output. Choices are: always, never, raw, auto (default "auto")
+func Color(color string) Option {
+	return optionFunc(func(opts *Options) {
+		opts.Color = color
+	})
+}
+
 // ShowSecrets configures whether to show config secrets when they appear in the config.
 func ShowSecrets(show bool) Option {
 	return optionFunc(func(opts *Options) {
@@ -131,7 +145,9 @@ type Options struct {
 	Message string
 	// Return an error if any changes occur during this preview
 	ExpectNoChanges bool
-	// Specify an exclusive list of resource URNs to re
+	// Clear all pending creates, dropping them from the state
+	ClearPendingCreates bool
+	// Specify an exclusive of resource URNs to refresh
 	Target []string
 	// ProgressStreams allows specifying one or more io.Writers to redirect incremental refresh stdout
 	ProgressStreams []io.Writer
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optup/optup.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optup/optup.go
index 075d9ba3e..35b8404d2 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optup/optup.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/optup/optup.go
@@ -108,6 +108,13 @@ func UserAgent(agent string) Option {
 	})
 }
 
+// Color allows specifying whether to colorize output. Choices are: always, never, raw, auto (default "auto")
+func Color(color string) Option {
+	return optionFunc(func(opts *Options) {
+		opts.Color = color
+	})
+}
+
 // Plan specifies the path to an update plan to use for the update.
 func Plan(path string) Option {
 	return optionFunc(func(opts *Options) {
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/stack.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/stack.go
index ee65b39cd..546313ba4 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/stack.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/stack.go
@@ -108,12 +108,10 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/pulumi/pulumi/sdk/v3/go/auto/optimport"
 
 	"github.com/blang/semver"
-	"github.com/nxadm/tail"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 
@@ -128,6 +126,7 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/common/constant"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/slice"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/tail"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/rpcutil"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
@@ -371,7 +370,6 @@ func (s *Stack) Up(ctx context.Context, opts ...optup.Option) (UpResult, error)
 	bufferSizeHint := len(upOpts.Replace) + len(upOpts.Target) + len(upOpts.PolicyPacks) + len(upOpts.PolicyPackConfigs)
 	sharedArgs := slice.Prealloc[string](bufferSizeHint)
 
-	sharedArgs = debug.AddArgs(&upOpts.DebugLogOpts, sharedArgs)
 	if upOpts.Message != "" {
 		sharedArgs = append(sharedArgs, fmt.Sprintf("--message=%q", upOpts.Message))
 	}
@@ -431,6 +429,8 @@ func (s *Stack) Up(ctx context.Context, opts ...optup.Option) (UpResult, error)
 	sharedArgs = append(sharedArgs, s.remoteArgs()...)
 
 	kind, args := constant.ExecKindAutoLocal, []string{"up", "--yes", "--skip-preview"}
+	args = debug.AddArgs(&upOpts.DebugLogOpts, args)
+
 	if program := s.Workspace().Program(); program != nil {
 		server, err := startLanguageRuntimeServer(program)
 		if err != nil {
@@ -721,8 +721,8 @@ func (s *Stack) Refresh(ctx context.Context, opts ...optrefresh.Option) (Refresh
 func refreshOptsToCmd(o *optrefresh.Options, s *Stack, isPreview bool) []string {
 	args := slice.Prealloc[string](len(o.Target))
 
-	args = debug.AddArgs(&o.DebugLogOpts, args)
 	args = append(args, "refresh")
+	args = debug.AddArgs(&o.DebugLogOpts, args)
 	if isPreview {
 		args = append(args, "--preview-only")
 	} else {
@@ -734,6 +734,9 @@ func refreshOptsToCmd(o *optrefresh.Options, s *Stack, isPreview bool) []string
 	if o.ExpectNoChanges {
 		args = append(args, "--expect-no-changes")
 	}
+	if o.ClearPendingCreates {
+		args = append(args, "--clear-pending-creates")
+	}
 	for _, tURN := range o.Target {
 		args = append(args, "--target="+tURN)
 	}
@@ -1041,6 +1044,12 @@ func (s *Stack) GetAllConfig(ctx context.Context) (ConfigMap, error) {
 	return s.Workspace().GetAllConfig(ctx, s.Name())
 }
 
+// GetAllConfigWithOptions returns the full config map with optional ConfigAllConfigOptions.
+// Allows using a config file and controlling how secrets are shown
+func (s *Stack) GetAllConfigWithOptions(ctx context.Context, opts *GetAllConfigOptions) (ConfigMap, error) {
+	return s.Workspace().GetAllConfigWithOptions(ctx, s.Name(), opts)
+}
+
 // SetConfig sets the specified config key-value pair.
 func (s *Stack) SetConfig(ctx context.Context, key string, val ConfigValue) error {
 	return s.Workspace().SetConfig(ctx, s.Name(), key, val)
@@ -1624,7 +1633,7 @@ type fileWatcher struct {
 }
 
 func watchFile(path string, receivers []chan<- events.EngineEvent) (*fileWatcher, error) {
-	t, err := tail.TailFile(path, tail.Config{
+	t, err := tail.File(path, tail.Config{
 		Follow:        true,
 		Poll:          runtime.GOOS == "windows", // on Windows poll for file changes instead of using the default inotify
 		Logger:        tail.DiscardingLogger,
@@ -1688,25 +1697,6 @@ func (fw *fileWatcher) Close() {
 	}
 
 	// Tell the watcher to end on next EoF, wait for the done event, then cleanup.
-
-	// The tail library we're using is racy when shutting down.
-	// If it gets the shutdown signal before reading the data, it
-	// will just shut down before finding the EoF.  This problem
-	// is exacerbated on Windows, where we use the poller, which
-	// polls for changes every 250ms.  Sleep a little bit longer
-	// than that to ensure the tail library had a chance to read
-	// the whole file.  On OSs that don't use the poller we still
-	// want to try to avoid the problem so we sleep for a short
-	// amount of time.
-	//
-	// TODO: remove this once https://github.com/nxadm/tail/issues/67
-	// is fixed and we can upgrade nxadm/tail.
-	if runtime.GOOS == "windows" {
-		time.Sleep(300 * time.Millisecond)
-	} else {
-		time.Sleep(150 * time.Millisecond)
-	}
-
 	//nolint:errcheck
 	fw.tail.StopAtEOF()
 	<-fw.done
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/workspace.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/workspace.go
index a4c3d4ee4..02b5fb35d 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/workspace.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/auto/workspace.go
@@ -61,6 +61,10 @@ type Workspace interface {
 	GetConfigWithOptions(context.Context, string, string, *ConfigOptions) (ConfigValue, error)
 	// GetAllConfig returns the config map for the specified stack name, scoped to the current workspace.
 	GetAllConfig(context.Context, string) (ConfigMap, error)
+	// GetAllConfigWithOptions returns the config map for the specified stack name
+	// using the optional GetAllConfigOptions,
+	// scoped to the current workspace.
+	GetAllConfigWithOptions(context.Context, string, *GetAllConfigOptions) (ConfigMap, error)
 	// SetConfig sets the specified key-value pair on the provided stack name.
 	SetConfig(context.Context, string, string, ConfigValue) error
 	// SetConfigWithOptions sets the specified key-value pair on the provided stack name
@@ -164,9 +168,19 @@ type ConfigValue struct {
 }
 
 // ConfigOptions is a configuration option used by a Pulumi program.
-// Allows to use the path flag while getting/setting the configuration.
 type ConfigOptions struct {
+	// Allows to use the path flag while getting/setting the configuration.
 	Path bool
+	// Allows to use the config file flag while getting/setting the configuration.
+	ConfigFile string
+}
+
+// GetAllConfigOptions is a configuration option used by a Pulumi program.
+type GetAllConfigOptions struct {
+	// Allows to use the config file flag while getting/setting the configuration.
+	ConfigFile string
+	// Allows to show secrets while getting the configuration.
+	ShowSecrets bool
 }
 
 // ConfigMap is a map of ConfigValue used by Pulumi programs.
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/crypt.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/crypt.go
index 8532fb171..28af746e7 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/crypt.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/crypt.go
@@ -39,7 +39,8 @@ type Decrypter interface {
 	DecryptValue(ctx context.Context, ciphertext string) (string, error)
 
 	// BulkDecrypt supports bulk decryption of secrets.
-	BulkDecrypt(ctx context.Context, ciphertexts []string) (map[string]string, error)
+	// Returns a list of decrypted values in the same order as the input ciphertexts.
+	BulkDecrypt(ctx context.Context, ciphertexts []string) ([]string, error)
 }
 
 // Crypter can both encrypt and decrypt values.
@@ -60,7 +61,7 @@ func (nopCrypter) DecryptValue(ctx context.Context, ciphertext string) (string,
 	return ciphertext, nil
 }
 
-func (nopCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) (map[string]string, error) {
+func (nopCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) ([]string, error) {
 	return DefaultBulkDecrypt(ctx, NopDecrypter, ciphertexts)
 }
 
@@ -88,7 +89,7 @@ func (b blindingCrypter) EncryptValue(ctx context.Context, plaintext string) (st
 	return "[secret]", nil
 }
 
-func (b blindingCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) (map[string]string, error) {
+func (b blindingCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) ([]string, error) {
 	return DefaultBulkDecrypt(ctx, b, ciphertexts)
 }
 
@@ -107,7 +108,7 @@ func (p panicCrypter) DecryptValue(ctx context.Context, _ string) (string, error
 	panic("attempt to decrypt value")
 }
 
-func (p panicCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) (map[string]string, error) {
+func (p panicCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) ([]string, error) {
 	panic("attempt to bulk decrypt values")
 }
 
@@ -155,15 +156,29 @@ func (s symmetricCrypter) DecryptValue(ctx context.Context, value string) (strin
 		return "", fmt.Errorf("bad value: %w", err)
 	}
 
-	enc, err := base64.StdEncoding.DecodeString(vals[2])
+	ciphertext, err := base64.StdEncoding.DecodeString(vals[2])
 	if err != nil {
 		return "", fmt.Errorf("bad value: %w", err)
 	}
 
-	return decryptAES256GCM(enc, s.key, nonce)
+	contract.Requiref(len(s.key) == SymmetricCrypterKeyBytes, "key", "AES-256-GCM needs a 32 byte key")
+
+	block, err := aes.NewCipher(s.key)
+	contract.AssertNoErrorf(err, "error creating AES cipher")
+
+	aesgcm, err := cipher.NewGCM(block)
+	contract.AssertNoErrorf(err, "error creating AES-GCM cipher")
+
+	if len(nonce) != aesgcm.NonceSize() {
+		return "", errors.New("bad value: nonce size is incorrect")
+	}
+
+	msg, err := aesgcm.Open(nil, nonce, ciphertext, nil)
+
+	return string(msg), err
 }
 
-func (s symmetricCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) (map[string]string, error) {
+func (s symmetricCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) ([]string, error) {
 	return DefaultBulkDecrypt(ctx, s, ciphertexts)
 }
 
@@ -187,20 +202,6 @@ func encryptAES256GCGM(plaintext string, key []byte) ([]byte, []byte) {
 	return msg, nonce
 }
 
-func decryptAES256GCM(ciphertext []byte, key []byte, nonce []byte) (string, error) {
-	contract.Requiref(len(key) == SymmetricCrypterKeyBytes, "key", "AES-256-GCM needs a 32 byte key")
-
-	block, err := aes.NewCipher(key)
-	contract.AssertNoErrorf(err, "error creating AES cipher")
-
-	aesgcm, err := cipher.NewGCM(block)
-	contract.AssertNoErrorf(err, "error creating AES-GCM cipher")
-
-	msg, err := aesgcm.Open(nil, nonce, ciphertext, nil)
-
-	return string(msg), err
-}
-
 // Crypter that just adds a prefix to the plaintext string when encrypting,
 // and removes the prefix from the ciphertext when decrypting, for use in tests.
 type prefixCrypter struct {
@@ -219,7 +220,7 @@ func (c prefixCrypter) EncryptValue(ctx context.Context, plaintext string) (stri
 	return c.prefix + plaintext, nil
 }
 
-func (c prefixCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) (map[string]string, error) {
+func (c prefixCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) ([]string, error) {
 	return DefaultBulkDecrypt(ctx, c, ciphertexts)
 }
 
@@ -228,20 +229,20 @@ func (c prefixCrypter) BulkDecrypt(ctx context.Context, ciphertexts []string) (m
 // their BulkDecrypt method in cases where they can't do more efficient than just individual decryptions.
 func DefaultBulkDecrypt(ctx context.Context,
 	decrypter Decrypter, ciphertexts []string,
-) (map[string]string, error) {
+) ([]string, error) {
 	if len(ciphertexts) == 0 {
 		return nil, nil
 	}
 
-	secretMap := map[string]string{}
-	for _, ct := range ciphertexts {
+	decrypted := make([]string, len(ciphertexts))
+	for i, ct := range ciphertexts {
 		pt, err := decrypter.DecryptValue(ctx, ct)
 		if err != nil {
 			return nil, err
 		}
-		secretMap[ct] = pt
+		decrypted[i] = pt
 	}
-	return secretMap, nil
+	return decrypted, nil
 }
 
 type base64Crypter struct{}
@@ -261,6 +262,6 @@ func (c *base64Crypter) DecryptValue(ctx context.Context, s string) (string, err
 	return string(b), nil
 }
 
-func (c *base64Crypter) BulkDecrypt(ctx context.Context, ciphertexts []string) (map[string]string, error) {
+func (c *base64Crypter) BulkDecrypt(ctx context.Context, ciphertexts []string) ([]string, error) {
 	return DefaultBulkDecrypt(ctx, c, ciphertexts)
 }
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/map.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/map.go
index 8af4471e9..cf639882b 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/map.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/map.go
@@ -183,17 +183,19 @@ func (m Map) Set(k Key, v Value, path bool) error {
 		return err
 	}
 
-	// If we only have a single path segment, set the value and return.
+	var newV object
+	if len(p) > 1 || v.typ != TypeUnknown {
+		newV, err = adjustObjectValue(v)
+		if err != nil {
+			return err
+		}
+	}
+
 	if len(p) == 1 {
 		m[configKey] = v
 		return nil
 	}
 
-	newV, err := adjustObjectValue(v)
-	if err != nil {
-		return err
-	}
-
 	var obj object
 	if root, ok := m[configKey]; ok {
 		obj, err = root.unmarshalObject()
@@ -306,6 +308,24 @@ func adjustObjectValue(v Value) (object, error) {
 		return v.unmarshalObject()
 	}
 
+	if v.typ == TypeString {
+		return newObject(v.value), nil
+	} else if v.typ == TypeInt {
+		i, err := strconv.Atoi(v.value)
+		if err != nil {
+			return object{}, err
+		}
+		return newObject(int64(i)), nil
+	} else if v.typ == TypeBool {
+		return newObject(v.value == "true"), nil
+	} else if v.typ == TypeFloat {
+		f, err := strconv.ParseFloat(v.value, 64)
+		if err != nil {
+			return object{}, err
+		}
+		return newObject(f), nil
+	}
+
 	// If "false" or "true", return the boolean value.
 	if v.value == "false" {
 		return newObject(false), nil
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/value.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/value.go
index 6a2083939..9cdf4fd1f 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/value.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/config/value.go
@@ -18,11 +18,22 @@ import (
 	"context"
 )
 
+type Type int
+
+const (
+	TypeUnknown = iota
+	TypeString
+	TypeInt
+	TypeFloat
+	TypeBool
+)
+
 // Value is a single config value.
 type Value struct {
 	value  string
 	secure bool
 	object bool
+	typ    Type
 }
 
 func NewSecureValue(v string) Value {
@@ -33,6 +44,10 @@ func NewValue(v string) Value {
 	return Value{value: v, secure: false}
 }
 
+func NewTypedValue(v string, t Type) Value {
+	return Value{value: v, secure: false, typ: t}
+}
+
 func NewSecureObjectValue(v string) Value {
 	return Value{value: v, secure: true, object: true}
 }
@@ -109,8 +124,11 @@ func (c Value) Object() bool {
 
 func (c Value) unmarshalObject() (object, error) {
 	var obj object
-	err := obj.UnmarshalString(c.value, c.secure, c.object)
-	return obj, err
+	if c.object || c.typ == TypeUnknown {
+		err := obj.UnmarshalString(c.value, c.secure, c.object)
+		return obj, err
+	}
+	return adjustObjectValue(c)
 }
 
 // ToObject returns the string value (if not an object), or the unmarshalled JSON object (if an object).
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/host.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/host.go
index 45c0785e8..049dea659 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/host.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/host.go
@@ -379,7 +379,7 @@ func (host *defaultHost) ListAnalyzers() []Analyzer {
 
 func (host *defaultHost) Provider(descriptor workspace.PackageDescriptor) (Provider, error) {
 	plugin, err := host.loadPlugin(host.loadRequests, func() (interface{}, error) {
-		pkg := descriptor.Name
+		pkg, path := descriptor.LocalName()
 		version := descriptor.Version
 
 		// Try to load and bind to a plugin.
@@ -396,8 +396,8 @@ func (host *defaultHost) Provider(descriptor workspace.PackageDescriptor) (Provi
 			return nil, fmt.Errorf("Could not marshal config to JSON: %w", err)
 		}
 
-		plug, err := NewProvider(
-			host, host.ctx, tokens.Package(pkg), version,
+		plug, err := NewProviderFromSubdir(
+			host, host.ctx, tokens.Package(pkg), path, version,
 			host.runtimeOptions, host.disableProviderPreview, string(jsonConfig), host.projectName)
 		if err == nil && plug != nil {
 			info, infoerr := plug.GetPluginInfo(host.ctx.Request())
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime.go
index cbd2607c7..3109257f4 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime.go
@@ -130,7 +130,10 @@ type LanguageRuntime interface {
 	GetPluginInfo() (workspace.PluginInfo, error)
 
 	// InstallDependencies will install dependencies for the project, e.g. by running `npm install` for nodejs projects.
-	InstallDependencies(request InstallDependenciesRequest) error
+	// It returns io.Readers for stdout and stderr as well as a channel that will be closed when the operation is
+	// complete, producing an error if one occurred. Callers *must* drain the stdout and stderr readers if they await the
+	// done channel to avoid deadlocks.
+	InstallDependencies(request InstallDependenciesRequest) (io.Reader, io.Reader, <-chan error, error)
 
 	// RuntimeOptions returns additional options that can be set for the runtime.
 	RuntimeOptionsPrompts(info ProgramInfo) ([]RuntimeOptionPrompt, error)
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime_plugin.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime_plugin.go
index 7b7979e5f..07faab96d 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime_plugin.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/langruntime_plugin.go
@@ -470,13 +470,18 @@ func (h *langhost) Close() error {
 	return nil
 }
 
-func (h *langhost) InstallDependencies(request InstallDependenciesRequest) error {
+func (h *langhost) InstallDependencies(request InstallDependenciesRequest) (
+	io.Reader,
+	io.Reader,
+	<-chan error,
+	error,
+) {
 	logging.V(7).Infof("langhost[%v].InstallDependencies(%s) executing",
 		h.runtime, request)
 
 	minfo, err := request.Info.Marshal()
 	if err != nil {
-		return err
+		return nil, nil, nil, err
 	}
 
 	resp, err := h.client.InstallDependencies(h.ctx.Request(), &pulumirpc.InstallDependenciesRequest{
@@ -493,36 +498,70 @@ func (h *langhost) InstallDependencies(request InstallDependenciesRequest) error
 		// It's possible this is just an older language host, prior to the emergence of the InstallDependencies
 		// method.  In such cases, we will silently error (with the above log left behind).
 		if rpcError.Code() == codes.Unimplemented {
-			return nil
+			return nil, nil, nil, nil
 		}
 
-		return rpcError
+		return nil, nil, nil, rpcError
 	}
 
-	for {
-		output, err := resp.Recv()
-		if err != nil {
-			if err == io.EOF {
+	outr, outw := io.Pipe()
+	errr, errw := io.Pipe()
+	done := make(chan error, 1)
+
+	go func() {
+		defer close(done)
+
+		for {
+			logging.V(10).Infof(
+				"langhost[%v].InstallDependencies(%s) waiting for dependency installation messages",
+				h.runtime, request,
+			)
+
+			msg, err := resp.Recv()
+			if err != nil {
+				if err == io.EOF {
+					contract.IgnoreError(outw.Close())
+					contract.IgnoreError(errw.Close())
+
+					done <- nil
+					break
+				}
+
+				rpcError := rpcerror.Convert(err)
+				logging.V(7).Infof("langhost[%v].InstallDependencies(%s) failed: %v",
+					h.runtime, request, rpcError,
+				)
+
+				contract.IgnoreError(outw.CloseWithError(rpcError))
+				contract.IgnoreError(errw.CloseWithError(rpcError))
+
+				done <- rpcError
 				break
 			}
-			rpcError := rpcerror.Convert(err)
-			logging.V(7).Infof("langhost[%v].InstallDependencies(%s) failed: err=%v",
-				h.runtime, request, rpcError)
-			return rpcError
-		}
 
-		if len(output.Stdout) != 0 {
-			os.Stdout.Write(output.Stdout)
-		}
+			logging.V(10).Infof(
+				"langhost[%v].InstallDependencies(%s) got dependency installation response: %v",
+				h.runtime, request, msg,
+			)
+
+			stdoutLen := len(msg.Stdout)
+			if stdoutLen > 0 {
+				n, err := outw.Write(msg.Stdout)
+				contract.AssertNoErrorf(err, "failed to write to stdout pipe: %v", err)
+				contract.Assertf(n == stdoutLen, "wrote fewer bytes (%d) than expected (%d)", n, stdoutLen)
+			}
 
-		if len(output.Stderr) != 0 {
-			os.Stderr.Write(output.Stderr)
+			stderrLen := len(msg.Stderr)
+			if stderrLen > 0 {
+				n, err := errw.Write(msg.Stderr)
+				contract.AssertNoErrorf(err, "failed to write to stderr pipe: %v", err)
+				contract.Assertf(n == stderrLen, "wrote fewer bytes (%d) than expected (%d)", n, stderrLen)
+			}
 		}
-	}
+	}()
 
-	logging.V(7).Infof("langhost[%v].InstallDependencies(%s) success",
-		h.runtime, request)
-	return nil
+	logging.V(7).Infof("langhost[%v].InstallDependencies(%s) success", h.runtime, request)
+	return outr, errr, done, nil
 }
 
 func (h *langhost) RuntimeOptionsPrompts(info ProgramInfo) ([]RuntimeOptionPrompt, error) {
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/plugin.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/plugin.go
index fad047dd7..db9ba6691 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/plugin.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/plugin.go
@@ -16,6 +16,7 @@ package plugin
 
 import (
 	"bufio"
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -25,6 +26,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 	"sync/atomic"
 	"syscall"
 	"time"
@@ -100,6 +102,12 @@ type plugin struct {
 	stdoutDone <-chan bool
 	stderrDone <-chan bool
 
+	// The unstructured output of the process.
+	//
+	// unstructuredOutput is only non-nil if Pulumi launched the process and is hiding
+	// unstructured output.
+	unstructuredOutput *unstructuredOutput
+
 	Bin  string
 	Args []string
 	// Env specifies the environment of the plugin in the same format as go's os/exec.Cmd.Env
@@ -113,6 +121,25 @@ type plugin struct {
 	Stderr io.ReadCloser
 }
 
+type unstructuredOutput struct {
+	output bytes.Buffer
+	// outputLock prevents concurrent writes to output.
+	outputLock sync.Mutex
+	diag       diag.Sink
+
+	// done is true when the output has already been written to the user.
+	done atomic.Bool
+}
+
+// WriteString a string of unstructured output.
+//
+// WriteString is safe to call concurrently.
+func (uo *unstructuredOutput) WriteString(msg string) {
+	uo.outputLock.Lock()
+	defer uo.outputLock.Unlock()
+	uo.output.WriteString(msg)
+}
+
 // pluginRPCConnectionTimeout dictates how long we wait for the plugin's RPC to become available.
 var pluginRPCConnectionTimeout = time.Second * 10
 
@@ -245,16 +272,24 @@ func newPlugin[T any](
 		}
 	}()
 
-	outStreamID := atomic.AddInt32(&nextStreamID, 1)
-	errStreamID := atomic.AddInt32(&nextStreamID, 1)
+	type streamID int32
+	outStreamID := streamID(atomic.AddInt32(&nextStreamID, 1))
+	errStreamID := streamID(atomic.AddInt32(&nextStreamID, 1))
 
 	// For now, we will spawn goroutines that will spew STDOUT/STDERR to the relevant diag streams.
 	var sawPolicyModuleNotFoundErr bool
-	runtrace := func(t io.Reader, stderr bool, done chan<- bool) {
+	if kind == apitype.ResourcePlugin && !isDynamicPluginBinary(bin) {
+		logging.Infof("Hiding logs from %q:%q", prefix, bin)
+		plug.unstructuredOutput = &unstructuredOutput{diag: ctx.Diag}
+	}
+	runtrace := func(t io.Reader, streamID streamID, done chan<- bool) {
 		reader := bufio.NewReader(t)
 
 		for {
 			msg, readerr := reader.ReadString('\n')
+			if plug.unstructuredOutput != nil {
+				plug.unstructuredOutput.WriteString(msg)
+			}
 
 			// Even if we've hit the end of the stream, we want to check for non-empty content.
 			// The reason is that if the last line is missing a \n, we still want to include it.
@@ -268,11 +303,16 @@ func newPlugin[T any](
 					sawPolicyModuleNotFoundErr = true
 				}
 
-				if stderr {
-					ctx.Diag.Infoerrf(diag.StreamMessage("" /*urn*/, msg, errStreamID))
+				var log func(*diag.Diag, ...interface{})
+				if plug.unstructuredOutput != nil {
+					log = ctx.Diag.Debugf
+				} else if streamID == outStreamID {
+					log = ctx.Diag.Infof
 				} else {
-					ctx.Diag.Infof(diag.StreamMessage("" /*urn*/, msg, outStreamID))
+					contract.Assertf(streamID == errStreamID, "invalid")
+					log = ctx.Diag.Infoerrf
 				}
+				log(diag.StreamMessage("" /*urn*/, msg, int32(streamID)))
 			}
 
 			// If we've hit the end of the stream, break out and close the channel.
@@ -287,7 +327,7 @@ func newPlugin[T any](
 	// Set up a tracer on stderr before going any further, since important errors might get communicated this way.
 	stderrDone := make(chan bool)
 	plug.stderrDone = stderrDone
-	go runtrace(plug.Stderr, true, stderrDone)
+	go runtrace(plug.Stderr, errStreamID, stderrDone)
 
 	// Now that we have a process, we expect it to write a single line to STDOUT: the port it's listening on.  We only
 	// read a byte at a time so that STDOUT contains everything after the first newline.
@@ -328,7 +368,7 @@ func newPlugin[T any](
 	// After reading the port number, set up a tracer on stdout just so other output doesn't disappear.
 	stdoutDone := make(chan bool)
 	plug.stdoutDone = stdoutDone
-	go runtrace(plug.Stdout, false, stdoutDone)
+	go runtrace(plug.Stdout, outStreamID, stdoutDone)
 
 	conn, handshakeRes, err := dialPlugin(port, bin, prefix, handshake, dialOptions)
 	if err != nil {
@@ -515,7 +555,13 @@ func buildPluginArguments(opts pluginArgumentOptions) []string {
 }
 
 func (p *plugin) Close() error {
+	pluginCrashed := true
+
 	if p.Conn != nil {
+		// Something has gone wrong with the plugin if it is not ready to handle requests and we have not yet
+		// shut it down.
+		pluginCrashed = p.Conn.GetState() != connectivity.Ready
+
 		contract.IgnoreClose(p.Conn)
 	}
 
@@ -529,5 +575,39 @@ func (p *plugin) Close() error {
 		<-p.stderrDone
 	}
 
+	// If the plugin has crashed and p.unstructuredOutput != nil is non-nil, then we
+	// have not displayed any unstructured output to the user - including any
+	// potential stack trace.
+	//
+	// To help debug (and to avoid attempting to detect the stack trace), we dump the captured stdout.
+	if pluginCrashed && p.unstructuredOutput != nil && p.unstructuredOutput.done.CompareAndSwap(false, true) {
+		id := atomic.AddInt32(&nextStreamID, 1)
+		d := p.unstructuredOutput.diag
+		// This outputs an error block:
+		//
+		//	error:
+		//
+		//	        Detected that <bin> exited prematurely.
+		//	        This is *always* a bug in the provider. Please report the issue to the provider author as appropriate.
+		//
+		//	To assist with debugging we have dumped the STDOUT and STDERR streams of the plugin:
+		//
+		//	<output>
+		d.Errorf(diag.StreamMessage("", fmt.Sprintf("\n\n         Detected that %s exited prematurely.\n", p.Bin), id))
+		d.Errorf(diag.StreamMessage("",
+			"         This is *always* a bug in the provider. "+
+				"Please report the issue to the provider author as appropriate.\n\n", id))
+		d.Errorf(diag.StreamMessage("",
+			"To assist with debugging we have dumped the STDOUT and STDERR streams of the plugin:\n\n", id))
+		p.unstructuredOutput.outputLock.Lock()
+		defer p.unstructuredOutput.outputLock.Unlock()
+		d.Errorf(diag.StreamMessage("", p.unstructuredOutput.output.String(), id))
+	}
+
 	return result
 }
+
+func isDynamicPluginBinary(path string) bool {
+	return strings.HasSuffix(path, "pulumi-resource-pulumi-nodejs") ||
+		strings.HasSuffix(path, "pulumi-resource-pulumi-python")
+}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/provider_plugin.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/provider_plugin.go
index a9aebbb19..b0ed2f91d 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/provider_plugin.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin/provider_plugin.go
@@ -162,6 +162,13 @@ func GetProviderAttachPort(pkg tokens.Package) (*int, error) {
 func NewProvider(host Host, ctx *Context, pkg tokens.Package, version *semver.Version,
 	options map[string]interface{}, disableProviderPreview bool, jsonConfig string,
 	projectName tokens.PackageName,
+) (Provider, error) {
+	return NewProviderFromSubdir(host, ctx, pkg, "", version, options, disableProviderPreview, jsonConfig, projectName)
+}
+
+func NewProviderFromSubdir(host Host, ctx *Context, pkg tokens.Package, subdir string, version *semver.Version,
+	options map[string]interface{}, disableProviderPreview bool, jsonConfig string,
+	projectName tokens.PackageName,
 ) (Provider, error) {
 	// See if this is a provider we just want to attach to
 	var plug *plugin
@@ -204,8 +211,8 @@ func NewProvider(host Host, ctx *Context, pkg tokens.Package, version *semver.Ve
 		}
 	} else {
 		// Load the plugin's path by using the standard workspace logic.
-		path, err := workspace.GetPluginPath(ctx.Diag,
-			apitype.ResourcePlugin, strings.ReplaceAll(string(pkg), tokens.QNameDelimiter, "_"),
+		path, err := workspace.GetPluginPathWithSubdir(ctx.Diag,
+			apitype.ResourcePlugin, strings.ReplaceAll(string(pkg), tokens.QNameDelimiter, "_"), subdir,
 			version, host.GetProjectPlugins())
 		if err != nil {
 			return nil, err
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties.go
index be09f74f5..0b06388be 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties.go
@@ -502,13 +502,13 @@ func (v PropertyValue) IsArray() bool {
 	return is
 }
 
-// IsAsset returns true if the underlying value is an object.
+// IsAsset returns true if the underlying value is an asset.
 func (v PropertyValue) IsAsset() bool {
 	_, is := v.V.(*asset.Asset)
 	return is
 }
 
-// IsArchive returns true if the underlying value is an object.
+// IsArchive returns true if the underlying value is an archive.
 func (v PropertyValue) IsArchive() bool {
 	_, is := v.V.(*archive.Archive)
 	return is
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties_diff.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties_diff.go
index d3ed6e3e8..1fd4c6ac1 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties_diff.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/resource/properties_diff.go
@@ -391,6 +391,15 @@ func (v PropertyValue) DeepEquals(other PropertyValue) bool {
 		return vo.Element.DeepEquals(oo.Element)
 	}
 
+	if v.IsComputed() {
+		if !other.IsComputed() {
+			return false
+		}
+		vc := v.Input().Element
+		oc := other.Input().Element
+		return vc.DeepEquals(oc)
+	}
+
 	// For all other cases, primitives are equal if their values are equal.
 	return v.V == other.V
 }
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/LICENSE b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/LICENSE
new file mode 100644
index 000000000..818d802a5
--- /dev/null
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/LICENSE
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+# © Copyright 2015 Hewlett Packard Enterprise Development LP
+Copyright (c) 2014 ActiveState
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/nxadm/tail/tail.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail.go
similarity index 82%
rename from vendor/github.com/nxadm/tail/tail.go
rename to vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail.go
index c962599be..d6045e4a0 100644
--- a/vendor/github.com/nxadm/tail/tail.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail.go
@@ -1,12 +1,17 @@
+//nolint:goheader // This file is a vendored copy of the tail package from nxadm/tail, keep the original license header.
+// Copyright (c) 2024, Pulumi Corporation.
 // Copyright (c) 2019 FOSS contributors of https://github.com/nxadm/tail
 // Copyright (c) 2015 HPE Software Inc. All rights reserved.
 // Copyright (c) 2013 ActiveState Software Inc. All rights reserved.
 
-//nxadm/tail provides a Go library that emulates the features of the BSD `tail`
-//program. The library comes with full support for truncation/move detection as
-//it is designed to work with log rotation tools. The library works on all
-//operating systems supported by Go, including POSIX systems like Linux and
-//*BSD, and MS Windows. Go 1.9 is the oldest compiler release supported.
+// tail provides a Go library that emulates the features of the BSD `tail`
+// program. The library comes with full support for truncation/move detection as
+// it is designed to work with log rotation tools. The library works on all
+// operating systems supported by Go, including POSIX systems like Linux and
+// *BSD, and MS Windows.
+//
+// This is a trimmed down vendored copy of github.com/nxadm/tail with fixes
+// from nxadm/tail#70 and nxadm/tail#71 applied.
 package tail
 
 import (
@@ -14,23 +19,20 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/nxadm/tail/ratelimiter"
 	"github.com/nxadm/tail/util"
 	"github.com/nxadm/tail/watch"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
 	"gopkg.in/tomb.v1"
 )
 
-var (
-	// ErrStop is returned when the tail of a file has been marked to be stopped.
-	ErrStop = errors.New("tail should now stop")
-)
+// ErrStop is returned when the tail of a file has been marked to be stopped.
+var ErrStop = errors.New("tail should now stop")
 
 type Line struct {
 	Text     string    // The contents of the file
@@ -40,15 +42,6 @@ type Line struct {
 	Err      error     // Error from tail
 }
 
-// Deprecated: this function is no longer used internally and it has little of no
-// use in the API. As such, it will be removed from the API in a future major
-// release.
-//
-// NewLine returns a * pointer to a Line struct.
-func NewLine(text string, lineNum int) *Line {
-	return &Line{text, lineNum, SeekInfo{}, time.Now(), nil}
-}
-
 // SeekInfo represents arguments to io.Seek. See: https://golang.org/pkg/io/#SectionReader.Seek
 type SeekInfo struct {
 	Offset int64
@@ -81,9 +74,6 @@ type Config struct {
 	MaxLineSize   int  // If non-zero, split longer lines into multiple lines
 	CompleteLines bool // Only return complete lines (that end with "\n" or EOF when Follow is false)
 
-	// Optionally, use a ratelimiter (e.g. created by the ratelimiter/NewLeakyBucket function)
-	RateLimiter *ratelimiter.LeakyBucket
-
 	// Optionally use a Logger. When nil, the Logger is set to tail.DefaultLogger.
 	// To disable logging, set it to tail.DiscardingLogger
 	Logger logger
@@ -112,15 +102,15 @@ var (
 	// DefaultLogger logs to os.Stderr and it is used when Config.Logger == nil
 	DefaultLogger = log.New(os.Stderr, "", log.LstdFlags)
 	// DiscardingLogger can be used to disable logging output
-	DiscardingLogger = log.New(ioutil.Discard, "", 0)
+	DiscardingLogger = log.New(io.Discard, "", 0)
 )
 
-// TailFile begins tailing the file. And returns a pointer to a Tail struct
+// File begins tailing the file. And returns a pointer to a Tail struct
 // and an error. An output stream is made available via the Tail.Lines
 // channel (e.g. to be looped and printed). To handle errors during tailing,
 // after finishing reading from the Lines channel, invoke the `Wait` or `Err`
 // method on the returned *Tail.
-func TailFile(filename string, config Config) (*Tail, error) {
+func File(filename string, config Config) (*Tail, error) {
 	if config.ReOpen && !config.Follow {
 		util.Fatal("cannot set ReOpen without Follow.")
 	}
@@ -148,7 +138,7 @@ func TailFile(filename string, config Config) (*Tail, error) {
 
 	if t.MustExist {
 		var err error
-		t.file, err = OpenFile(t.Filename)
+		t.file, err = openFile(t.Filename)
 		if err != nil {
 			return nil, err
 		}
@@ -216,7 +206,7 @@ func (tail *Tail) reopen() error {
 	tail.lineNum = 0
 	for {
 		var err error
-		tail.file, err = OpenFile(tail.Filename)
+		tail.file, err = openFile(tail.Filename)
 		if err != nil {
 			if os.IsNotExist(err) {
 				tail.Logger.Printf("Waiting for %s to appear...", tail.Filename)
@@ -259,12 +249,11 @@ func (tail *Tail) readLine() (string, error) {
 		line = tail.lineBuf.String()
 		tail.lineBuf.Reset()
 		return line, nil
-	} else {
-		if tail.Config.Follow {
-			line = ""
-		}
-		return line, io.EOF
 	}
+	if tail.Config.Follow {
+		line = ""
+	}
+	return line, io.EOF
 }
 
 func (tail *Tail) tailFileSync() {
@@ -286,13 +275,14 @@ func (tail *Tail) tailFileSync() {
 	if tail.Location != nil {
 		_, err := tail.file.Seek(tail.Location.Offset, tail.Location.Whence)
 		if err != nil {
-			tail.Killf("Seek error on %s: %s", tail.Filename, err)
+			contract.IgnoreError(tail.Killf("Seek error on %s: %s", tail.Filename, err))
 			return
 		}
 	}
 
 	tail.openReader()
 
+	stopOnNextEOF := false
 	// Read line by line.
 	for {
 		// do not seek in named pipes
@@ -341,11 +331,25 @@ func (tail *Tail) tailFileSync() {
 				}
 			}
 
+			if stopOnNextEOF {
+				return
+			}
+
 			// When EOF is reached, wait for more data to become
 			// available. Wait strategy is based on the `tail.watcher`
 			// implementation (inotify or polling).
 			err := tail.waitForChanges()
 			if err != nil {
+				// When StopAtEOF() is called, we
+				// might have more data to read, that
+				// the filewatcher might not have
+				// notified us about.  Continue
+				// reading until we found an EOF
+				// again, and then exit.
+				if err == ErrStop && tail.Err() == errStopAtEOF {
+					stopOnNextEOF = true
+					continue
+				}
 				if err != ErrStop {
 					tail.Kill(err)
 				}
@@ -353,7 +357,7 @@ func (tail *Tail) tailFileSync() {
 			}
 		} else {
 			// non-EOF error
-			tail.Killf("Error reading %s: %s", tail.Filename, err)
+			contract.IgnoreError(tail.Killf("Error reading %s: %s", tail.Filename, err))
 			return
 		}
 
@@ -450,22 +454,22 @@ func (tail *Tail) sendLine(line string) bool {
 		lines = util.PartitionString(line, tail.MaxLineSize)
 	}
 
+	earlyExitChan := tail.Dying()
 	for _, line := range lines {
 		tail.lineNum++
 		offset, _ := tail.Tell()
 		select {
 		case tail.Lines <- &Line{line, tail.lineNum, SeekInfo{Offset: offset}, now, nil}:
-		case <-tail.Dying():
-			return true
-		}
-	}
-
-	if tail.Config.RateLimiter != nil {
-		ok := tail.Config.RateLimiter.Pour(uint16(len(lines)))
-		if !ok {
-			tail.Logger.Printf("Leaky bucket full (%v); entering 1s cooloff period.",
-				tail.Filename)
-			return false
+		case <-earlyExitChan:
+			// This is a bit weird here, when a user requests StopAtEof we
+			// must keep sending all lines. However <-tail.Dying() will return
+			// immediately at this point so depending on the scheduler we may
+			// not have a chance to send the line.  If StopAtEOF is sent, we
+			// continue sending lines, and expect the reader to read them all
+			// to avoid a deadlock.
+			if tail.Err() == errStopAtEOF {
+				tail.Lines <- &Line{line, tail.lineNum, SeekInfo{Offset: offset}, now, nil}
+			}
 		}
 	}
 
@@ -477,5 +481,5 @@ func (tail *Tail) sendLine(line string) bool {
 // automatically remove inotify watches after the process exits.
 // If you plan to re-read a file, don't call Cleanup in between.
 func (tail *Tail) Cleanup() {
-	watch.Cleanup(tail.Filename)
+	contract.IgnoreError(watch.Cleanup(tail.Filename))
 }
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_posix.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_posix.go
new file mode 100644
index 000000000..028bac003
--- /dev/null
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_posix.go
@@ -0,0 +1,17 @@
+//nolint:goheader // This file is a vendored copy of the tail package from nxadm/tail, keep the original license header.
+// Copyright (c) 2024, Pulumi Corporation.
+// Copyright (c) 2019 FOSS contributors of https://github.com/nxadm/tail
+//go:build !windows
+// +build !windows
+
+package tail
+
+import (
+	"os"
+)
+
+// openFile proxies a os.Open call for a file so it can be correctly tailed
+// on POSIX and non-POSIX OSes like MS Windows.
+func openFile(name string) (file *os.File, err error) {
+	return os.Open(name)
+}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_windows.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_windows.go
new file mode 100644
index 000000000..eba78df75
--- /dev/null
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/tail/tail_windows.go
@@ -0,0 +1,19 @@
+//nolint:goheader // This file is a vendored copy of the tail package from nxadm/tail, keep the original license header.
+// Copyright (c) 2024, Pulumi Corporation.
+// Copyright (c) 2019 FOSS contributors of https://github.com/nxadm/tail
+//go:build windows
+// +build windows
+
+package tail
+
+import (
+	"os"
+
+	"github.com/nxadm/tail/winfile"
+)
+
+// openFile proxies a os.Open call for a file so it can be correctly tailed
+// on POSIX and non-POSIX OSes like MS Windows.
+func openFile(name string) (file *os.File, err error) {
+	return winfile.OpenFile(name, os.O_RDONLY, 0)
+}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/util/gitutil/git.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/util/gitutil/git.go
index 985fd349f..8a5a7bcd6 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/util/gitutil/git.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/util/gitutil/git.go
@@ -27,6 +27,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/blang/semver"
 	git "github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
@@ -456,6 +457,38 @@ func GitCloneAndCheckoutCommit(ctx context.Context, url string, commit plumbing.
 	})
 }
 
+// GitCloneAndCheckoutRevision clones a Git repository, resolves the revision and checks it out.
+func GitCloneAndCheckoutRevision(ctx context.Context, url string, revision plumbing.Revision, path string) error {
+	logging.V(10).Infof("Attempting to clone from %s at commit %v and path %s", url, revision, path)
+
+	u, auth, err := parseAuthURL(url)
+	if err != nil {
+		return err
+	}
+	repo, err := git.PlainCloneContext(ctx, path, false, &git.CloneOptions{
+		URL:  u,
+		Auth: auth,
+	})
+	if err != nil {
+		return err
+	}
+
+	hash, err := repo.ResolveRevision(revision)
+	if err != nil {
+		return err
+	}
+
+	w, err := repo.Worktree()
+	if err != nil {
+		return err
+	}
+
+	return w.Checkout(&git.CheckoutOptions{
+		Hash:  *hash,
+		Force: true,
+	})
+}
+
 // GitCloneOrPull pulls the repo located at rawurl into the directory specified by path.  If the repo already
 // exists, it will be updated to referenceName, otherwise it will be cloned, and referenceName will be checked
 // out. If shallow is true, a shallow clone will be performed.
@@ -815,9 +848,7 @@ func GetGitReferenceNameOrHashAndSubDirectory(url string, urlPath string) (
 	return plumbing.HEAD, plumbing.ZeroHash, strings.Join(paths, "/"), nil
 }
 
-// GitListBranchesAndTags fetches a remote Git repository's branch and tag references
-// (including HEAD), sorted by the length of the short name descending.
-func GitListBranchesAndTags(url string) ([]plumbing.ReferenceName, error) {
+func gitListRefs(ctx context.Context, url string) ([]*plumbing.Reference, error) {
 	// We're only listing the references, so just use in-memory storage.
 	repo, err := git.Init(memory.NewStorage(), nil)
 	if err != nil {
@@ -837,9 +868,15 @@ func GitListBranchesAndTags(url string) ([]plumbing.ReferenceName, error) {
 		return nil, err
 	}
 
-	refs, err := remote.List(&git.ListOptions{
+	return remote.List(&git.ListOptions{
 		Auth: auth,
 	})
+}
+
+// GitListBranchesAndTags fetches a remote Git repository's branch and tag references
+// (including HEAD), sorted by the length of the short name descending.
+func GitListBranchesAndTags(url string) ([]plumbing.ReferenceName, error) {
+	refs, err := gitListRefs(context.Background(), url)
 	if err != nil {
 		return nil, err
 	}
@@ -857,6 +894,67 @@ func GitListBranchesAndTags(url string) ([]plumbing.ReferenceName, error) {
 	return results, nil
 }
 
+func isPrerelease(version semver.Version) bool {
+	return len(version.Pre) > 0 || len(version.Build) > 0
+}
+
+// GetLatestTagOrHash returns the latest tag or hash in the repository.
+// To do this, we list all the tags in the repository and try to pars them as semver.  If we can't
+// find any valid tags that are semver, we'll use the hash of the default branch.  If we can't find
+// any tags or default branches we return an error.
+func GetLatestTagOrHash(ctx context.Context, url string) (*semver.Version, error) {
+	refs, err := gitListRefs(ctx, url)
+	if err != nil {
+		return nil, err
+	}
+
+	var version semver.Version
+	foundVersion := false
+	namedHashes := make(map[plumbing.ReferenceName]plumbing.Hash)
+	var headRef plumbing.ReferenceName
+	for _, ref := range refs {
+		name := ref.Name()
+		if name.IsTag() {
+			tag := name.Short()
+			v, err := semver.ParseTolerant(tag)
+			if err != nil {
+				continue
+			}
+			if !foundVersion {
+				// We didn't see any valid tags yet, use this one.
+				version = v
+				foundVersion = true
+			} else if isPrerelease(v) == isPrerelease(version) && v.GT(version) {
+				// If either both or neither the current max version and the current tag
+				// are prerelease versions we pick the higher version.
+				version = v
+			} else if isPrerelease(version) && !isPrerelease(v) {
+				// If the currently tracked version is a prerelease version and the current tag
+				// isn't, we use that tag.
+				version = v
+			}
+		} else if name.IsBranch() {
+			namedHashes[name] = ref.Hash()
+		} else if name == plumbing.HEAD {
+			headRef = ref.Target()
+		}
+	}
+	if version.Equals(semver.Version{}) {
+		if hash, ok := namedHashes[headRef]; ok {
+			return &semver.Version{
+				Major: 0,
+				Minor: 0,
+				Patch: 0,
+				Pre: []semver.PRVersion{
+					{VersionStr: "x" + hash.String()},
+				},
+			}, nil
+		}
+		return nil, errors.New("could not determine version in repo")
+	}
+	return &version, nil
+}
+
 type byShortNameLengthDesc []plumbing.ReferenceName
 
 func (r byShortNameLengthDesc) Len() int      { return len(r) }
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/plugins.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/plugins.go
index 028ac0f15..2cdfddb7c 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/plugins.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/plugins.go
@@ -1,4 +1,4 @@
-// Copyright 2016-2021, Pulumi Corporation.
+// Copyright 2016-2024, Pulumi Corporation.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,7 +15,9 @@
 package workspace
 
 import (
+	"archive/tar"
 	"bytes"
+	"compress/gzip"
 	"context"
 	"crypto/sha256"
 	"encoding/json"
@@ -40,6 +42,7 @@ import (
 	"github.com/blang/semver"
 	"github.com/cheggaaa/pb"
 	"github.com/djherbis/times"
+	"github.com/go-git/go-git/v5/plumbing"
 
 	"github.com/pulumi/pulumi/sdk/v3/go/common/apitype"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/diag"
@@ -49,6 +52,7 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/fsutil"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/util/gitutil"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/httputil"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/logging"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/retry"
@@ -344,6 +348,104 @@ func (source *gitlabSource) URL() string {
 	return fmt.Sprintf("gitlab://%s/%s", source.host, source.project)
 }
 
+func isPreReleaseVersion(version semver.Version) bool {
+	return version.Major == 0 && version.Minor == 0 && version.Patch == 0 && len(version.Pre) > 0
+}
+
+// gitSource is used to download a plugin from a git repository.
+type gitSource struct {
+	// The git url to clone the plugin from.
+	url string
+	// The path within the repo to the plugin.
+	path string
+
+	// function to clone and checkout the repo.  Used so gitutil.GitCloneAndCheckoutCommit can be mocked in tests.
+	cloneAndCheckoutRevision func(context.Context, string, plumbing.Revision, string) error
+	// function to clone or pull the repo.  Used so gitutil.GitCloneOrPull can be mocked in tests.
+	cloneOrPull func(context.Context, string, plumbing.ReferenceName, string, bool) error
+}
+
+func newGitHTTPSSource(url *url.URL) (*gitSource, error) {
+	url.Scheme = "https"
+	u, path, err := gitutil.ParseGitRepoURL(url.String())
+	if err != nil {
+		return nil, err
+	}
+	return &gitSource{
+		url:                      u,
+		path:                     path,
+		cloneAndCheckoutRevision: gitutil.GitCloneAndCheckoutRevision,
+		cloneOrPull:              gitutil.GitCloneOrPull,
+	}, nil
+}
+
+func (source *gitSource) GetLatestVersion(
+	ctx context.Context, _ func(*http.Request) (io.ReadCloser, int64, error),
+) (*semver.Version, error) {
+	return gitutil.GetLatestTagOrHash(ctx, source.url)
+}
+
+// Downloads a plugin from a git repository.  If the version is a pre-release version, the version is expected to be
+// a commit hash, that will be checked out.  Otherwise, the version is expected to be a tag, that will be checked out.
+// The tag is expected to be prefixed with a 'v' character.
+// If the version is the special sentinel version 0.0.0, we'll use the latest commit on the default branch.
+func (source *gitSource) Download(
+	ctx context.Context, version semver.Version, _ string, _ string,
+	_ func(*http.Request) (io.ReadCloser, int64, error),
+) (io.ReadCloser, int64, error) {
+	tmpdir, err := os.MkdirTemp("", "pulumi-plugin")
+	if err != nil {
+		return nil, -1, err
+	}
+	defer os.RemoveAll(tmpdir)
+	if isPreReleaseVersion(version) {
+		if len(version.Pre) != 1 {
+			return nil, -1, fmt.Errorf("invalid version %s", version)
+		}
+		// The version string is prefixed with a 'x' character because Pre-versions can't
+		// start with a 0. Strip that off to get the actual hash.  Note that we allow short
+		// hashes, so we need to create a go-git revision that's then resolved to a full hash.
+		revision := plumbing.Revision(version.Pre[0].VersionStr[1:])
+		err := source.cloneAndCheckoutRevision(ctx, source.url, revision, tmpdir)
+		if err != nil {
+			return nil, -1, err
+		}
+	} else {
+		var ref plumbing.ReferenceName
+		if version.Major == 0 && version.Minor == 0 && version.Patch == 0 {
+			ref = plumbing.HEAD
+		} else {
+			ref = plumbing.ReferenceName("refs/tags/v" + version.String())
+		}
+		err := source.cloneOrPull(ctx, source.url, ref, tmpdir, true /* shallow */)
+		if err != nil {
+			return nil, -1, err
+		}
+	}
+
+	tarbuf := bytes.NewBuffer([]byte{})
+	zip := gzip.NewWriter(tarbuf)
+
+	tw := tar.NewWriter(zip)
+
+	err = tw.AddFS(os.DirFS(tmpdir))
+	if err != nil {
+		return nil, -1, err
+	}
+
+	// These close statements cannot be deferred, because expressions in return statements
+	// are executed before defer statements in Go.  Closing the writers in defer statements
+	// can lead to the tarbuf.Len() return value to be wrong.
+	tw.Close()
+	zip.Close()
+
+	return io.NopCloser(tarbuf), int64(tarbuf.Len()), nil
+}
+
+func (source *gitSource) URL() string {
+	return source.url
+}
+
 // githubSource can download a plugin from github releases
 type githubSource struct {
 	host         string
@@ -791,12 +893,8 @@ type ProjectPlugin struct {
 }
 
 // Spec Return a PluginSpec object for this project plugin.
-func (pp ProjectPlugin) Spec() PluginSpec {
-	return PluginSpec{
-		Name:    pp.Name,
-		Kind:    pp.Kind,
-		Version: pp.Version,
-	}
+func (pp ProjectPlugin) Spec() (PluginSpec, error) {
+	return NewPluginSpec(pp.Name, pp.Kind, pp.Version, "", nil)
 }
 
 // A PackageDescriptor specifies a package: the source PluginSpec that provides it, and any parameterization
@@ -810,6 +908,70 @@ type PackageDescriptor struct {
 	Parameterization *Parameterization
 }
 
+// PackageName returns the name of the package.
+func (pd PackageDescriptor) PackageName() string {
+	if pd.Parameterization != nil {
+		return pd.Parameterization.Name
+	}
+	return pd.PluginSpec.Name
+}
+
+// PackageVersion returns the version of the package.
+func (pd PackageDescriptor) PackageVersion() *semver.Version {
+	if pd.Parameterization != nil {
+		return &pd.Parameterization.Version
+	}
+	return pd.PluginSpec.Version
+}
+
+func (pd PackageDescriptor) String() string {
+	name := pd.PluginSpec.Name
+	version := pd.PluginSpec.Version
+	if pd.Parameterization != nil {
+		name = pd.Parameterization.Name
+		version = &pd.Parameterization.Version
+	}
+
+	var v string
+	if version != nil {
+		v = fmt.Sprintf("-%s", version)
+	}
+	return name + v
+}
+
+// SortPackageDescriptors is a comparison function for PackageDescriptors that sorts by version, with version-less
+// package descriptors appearing first. It returns -1 if the first argument should appear before the second, 0 if they
+// are equal, and 1 if the first argument should appear after the second. Designed for use with functions like
+// slices.SortFunc.
+func SortPackageDescriptors(x PackageDescriptor, y PackageDescriptor) int {
+	vx := x.PackageVersion()
+	vy := y.PackageVersion()
+
+	switch {
+	case vx == nil && vy == nil:
+		// Both packages lack any version. Consider them equal.
+		return 0
+	case vx == nil:
+		// x has no version. We want version-less packages to come first, so sort x before y (-1).
+		return -1
+	case vy == nil:
+		// y has no version. We want version-less packages to come first, so sort x after y (1).
+		return 1
+	default:
+		// We have two versions. Compare them using semver.
+		semverComparison := vx.Compare(*vy)
+		switch semverComparison {
+		case 0:
+			// The versions are semantically equal. We'll compare their string representations to break ties (e.g. between 1.0.0
+			// and 1.0.0+meta).
+			return strings.Compare(vx.String(), vy.String())
+		default:
+			// The versions are not equal. Sort them using semver comparison.
+			return semverComparison
+		}
+	}
+}
+
 // A Parameterization may be applied to a supporting plugin to yield a package.
 type Parameterization struct {
 	// The name of the package that will be produced by the parameterization.
@@ -833,6 +995,97 @@ type PluginSpec struct {
 	Checksums map[string][]byte
 }
 
+func NewPluginSpec(
+	source string,
+	kind apitype.PluginKind,
+	version *semver.Version,
+	pluginDownloadURL string,
+	checksums map[string][]byte,
+) (PluginSpec, error) {
+	name := source
+	isGitPlugin := false
+	versionStr := ""
+
+	// Parse the version if available.  This can either be a simple semver version, or a git commit hash.
+	if s := strings.SplitN(source, "@", 2); len(s) == 2 {
+		name = s[0]
+		versionStr = s[1]
+	}
+
+	if versionStr != "" && version != nil {
+		return PluginSpec{}, errors.New("cannot specify a version when the version is part of the name")
+	}
+
+	urlRegex := regexp.MustCompile(`^[^\./].*\.[a-z]+/[a-zA-Z0-9-/]*[a-zA-Z0-9/]$`)
+	if strings.HasPrefix(name, "https://") || urlRegex.MatchString(name) {
+		// We support URLs with and without the https:// prefix.  Standardize them here, so we can work with
+		// them uniformly.
+		name = strings.TrimPrefix(name, "https://")
+		u, err := url.Parse(name)
+		// If we don't have a URL, we just treat it as a normal plugin name.
+		if err == nil {
+			if pluginDownloadURL != "" {
+				return PluginSpec{}, errors.New("cannot specify a plugin download URL when the plugin name is a URL")
+			}
+			url, _, err := gitutil.ParseGitRepoURL("https://" + u.String())
+			if err != nil {
+				return PluginSpec{}, err
+			}
+			name = strings.ReplaceAll(strings.TrimPrefix(url, "https://"), "/", "_")
+			// Prefix the url with `git://`, so we can later recognize this as a git URL.
+			pluginDownloadURL = "git://" + u.String()
+			isGitPlugin = true
+		}
+	}
+
+	if versionStr != "" {
+		// Semver versions will have two `.`s.
+		if !isGitPlugin || strings.Count(versionStr, ".") == 2 {
+			v, err := semver.ParseTolerant(versionStr)
+			if err != nil {
+				additionalMsg := ""
+				if isGitPlugin {
+					additionalMsg = " or git commit hash"
+				}
+				return PluginSpec{}, fmt.Errorf("VERSION must be valid semver%s: %w", additionalMsg, err)
+			}
+			version = &v
+		} else {
+			// Allow sha1 and sha256 hashes.
+			gitCommitRegex := regexp.MustCompile(`^[0-9a-fA-F]{4,64}$`)
+			if !gitCommitRegex.MatchString(versionStr) {
+				return PluginSpec{}, fmt.Errorf("VERSION must be valid semver or git commit hash: %s", versionStr)
+			}
+			version = &semver.Version{
+				// VersionStr cannot start with a 0, so we prefix it with an 'x' to avoid this.
+				Pre: []semver.PRVersion{{VersionStr: "x" + versionStr}},
+			}
+		}
+	}
+
+	return PluginSpec{
+		Name:              name,
+		Kind:              kind,
+		Version:           version,
+		PluginDownloadURL: pluginDownloadURL,
+		Checksums:         checksums,
+	}, nil
+}
+
+// LocalName returns the local name of the plugin, which is used in the directory name, and a path
+// within that directory if the plugin is located in a subdirectory.
+func (spec PluginSpec) LocalName() (string, string) {
+	if strings.HasPrefix(spec.PluginDownloadURL, "git://") {
+		trimmed := strings.TrimPrefix(spec.PluginDownloadURL, "git://")
+		url, path, err := gitutil.ParseGitRepoURL("https://" + strings.TrimPrefix(trimmed, "git://"))
+		if err != nil {
+			return strings.ReplaceAll(trimmed, "/", "_"), ""
+		}
+		return strings.ReplaceAll(strings.TrimPrefix(url, "https://"), "/", "_"), path
+	}
+	return spec.Name, ""
+}
+
 // Dir gets the expected plugin directory for this plugin.
 func (spec PluginSpec) Dir() string {
 	dir := fmt.Sprintf("%s-%s", spec.Kind, spec.Name)
@@ -842,6 +1095,12 @@ func (spec PluginSpec) Dir() string {
 	return dir
 }
 
+// SubDir gets the expected subdirectory for this plugin.
+func (spec PluginSpec) SubDir() string {
+	_, path := spec.LocalName()
+	return path
+}
+
 // File gets the expected filename for this plugin, excluding any platform specific suffixes (e.g. ".exe" on
 // windows).
 func (spec PluginSpec) File() string {
@@ -984,6 +1243,8 @@ func newPluginSource(name string, kind apitype.PluginKind, pluginDownloadURL str
 		return newGitlabSource(url, name, kind)
 	case "http", "https":
 		return newHTTPSource(name, kind, url), nil
+	case "git":
+		return newGitHTTPSSource(url)
 	default:
 		return nil, fmt.Errorf("unknown plugin source scheme: %s", url.Scheme)
 	}
@@ -1556,8 +1817,24 @@ func (spec PluginSpec) InstallWithContext(ctx context.Context, content PluginCon
 	// the progress bar.
 	contract.IgnoreClose(content)
 
+	err = spec.InstallDependencies(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Installation is complete. Remove the partial file.
+	return os.Remove(partialFilePath)
+}
+
+func (spec PluginSpec) InstallDependencies(ctx context.Context) error {
+	dir, err := spec.DirPath()
+	if err != nil {
+		return err
+	}
+	subdir := filepath.Join(dir, spec.SubDir())
+
 	// Install dependencies, if needed.
-	proj, err := LoadPluginProject(filepath.Join(finalDir, "PulumiPlugin.yaml"))
+	proj, err := LoadPluginProject(filepath.Join(subdir, "PulumiPlugin.yaml"))
 	if err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("loading PulumiPlugin.yaml: %w", err)
 	}
@@ -1570,7 +1847,7 @@ func (spec PluginSpec) InstallWithContext(ctx context.Context, content PluginCon
 		switch runtime {
 		case "nodejs":
 			var b bytes.Buffer
-			if _, err := npm.Install(ctx, npm.AutoPackageManager, finalDir, true /* production */, &b, &b); err != nil {
+			if _, err := npm.Install(ctx, npm.AutoPackageManager, subdir, true /* production */, &b, &b); err != nil {
 				os.Stderr.Write(b.Bytes())
 				return fmt.Errorf("installing plugin dependencies: %w", err)
 			}
@@ -1578,21 +1855,19 @@ func (spec PluginSpec) InstallWithContext(ctx context.Context, content PluginCon
 			// TODO[pulumi/pulumi/issues/16287]: Support toolchain options for installing plugins.
 			tc, err := toolchain.ResolveToolchain(toolchain.PythonOptions{
 				Toolchain:  toolchain.Pip,
-				Root:       finalDir,
+				Root:       subdir,
 				Virtualenv: "venv",
 			})
 			if err != nil {
 				return fmt.Errorf("getting python toolchain: %w", err)
 			}
-			if err := tc.InstallDependencies(ctx, finalDir, false, /*useLanguageVersionTools */
+			if err := tc.InstallDependencies(ctx, subdir, false, /*useLanguageVersionTools */
 				false /*showOutput*/, os.Stdout, os.Stderr); err != nil {
 				return fmt.Errorf("installing plugin dependencies: %w", err)
 			}
 		}
 	}
-
-	// Installation is complete. Remove the partial file.
-	return os.Remove(partialFilePath)
+	return nil
 }
 
 // cleanupTempDirs cleans up leftover temp dirs from failed installs with previous versions of Pulumi.
@@ -1805,7 +2080,14 @@ func IsPluginBundled(kind apitype.PluginKind, name string) bool {
 func GetPluginPath(d diag.Sink, kind apitype.PluginKind, name string, version *semver.Version,
 	projectPlugins []ProjectPlugin,
 ) (string, error) {
-	info, path, err := getPluginInfoAndPath(d, kind, name, version, true /* skipMetadata */, projectPlugins)
+	return GetPluginPathWithSubdir(d, kind, name, "", version, projectPlugins)
+}
+
+func GetPluginPathWithSubdir(
+	d diag.Sink, kind apitype.PluginKind, name, subdir string, version *semver.Version,
+	projectPlugins []ProjectPlugin,
+) (string, error) {
+	info, path, err := getPluginInfoAndPath(d, kind, name, subdir, version, true /* skipMetadata */, projectPlugins)
 	if err != nil {
 		return "", err
 	}
@@ -1818,7 +2100,7 @@ func GetPluginPath(d diag.Sink, kind apitype.PluginKind, name string, version *s
 func GetPluginInfo(d diag.Sink, kind apitype.PluginKind, name string, version *semver.Version,
 	projectPlugins []ProjectPlugin,
 ) (*PluginInfo, error) {
-	info, path, err := getPluginInfoAndPath(d, kind, name, version, false, projectPlugins)
+	info, path, err := getPluginInfoAndPath(d, kind, name, "", version, false, projectPlugins)
 	if err != nil {
 		return nil, err
 	}
@@ -1851,7 +2133,7 @@ func getPluginPath(info *PluginInfo) string {
 //   - an error in all other cases.
 func getPluginInfoAndPath(
 	d diag.Sink,
-	kind apitype.PluginKind, name string, version *semver.Version, skipMetadata bool,
+	kind apitype.PluginKind, name, subdir string, version *semver.Version, skipMetadata bool,
 	projectPlugins []ProjectPlugin,
 ) (*PluginInfo, string, error) {
 	filename := (&PluginSpec{Kind: kind, Name: name}).File()
@@ -1886,7 +2168,10 @@ func getPluginInfoAndPath(
 			}
 		}
 
-		spec := plugin.Spec()
+		spec, err := plugin.Spec()
+		if err != nil {
+			return nil, "", err
+		}
 		info := &PluginInfo{
 			Name:    spec.Name,
 			Kind:    spec.Kind,
@@ -1956,7 +2241,11 @@ func getPluginInfoAndPath(
 			// hits any errors then we just skip this warning, better to not warn than to error in a new way.
 			if err == nil {
 				if fullAmbientPath != bundledPath {
-					d.Warningf(diag.Message("", "using %s from $PATH at %s"), filename, ambientPath)
+					var expected string
+					if bundledPath != "" {
+						expected = " expected " + bundledPath
+					}
+					d.Warningf(diag.Message("", "using %s from $PATH at %s%s"), filename, ambientPath, expected)
 				}
 			}
 		}
@@ -1990,7 +2279,13 @@ func getPluginInfoAndPath(
 	}
 
 	var match *PluginInfo
-	if !enableLegacyPluginBehavior && version != nil {
+	if !enableLegacyPluginBehavior &&
+		version != nil &&
+		isPreReleaseVersion(*version) {
+		// We're looking for a plugin matching an exact hash, so we can't use the semver range logic.
+		logging.V(6).Infof("GetPluginPath(%s, %s, %s): enabling prerelease plugin behaviour", kind, name, version)
+		match = SelectPrereleasePlugin(plugins, kind, name, subdir, version)
+	} else if !enableLegacyPluginBehavior && version != nil {
 		logging.V(6).Infof("GetPluginPath(%s, %s, %s): enabling new plugin behavior", kind, name, version)
 		match = SelectCompatiblePlugin(plugins, kind, name, semver.MustParseRange(version.String()))
 	} else {
@@ -2029,27 +2324,22 @@ func (sp SortedPluginInfo) Less(i, j int) bool {
 }
 func (sp SortedPluginInfo) Swap(i, j int) { sp[i], sp[j] = sp[j], sp[i] }
 
-// SortedPluginSpec is a wrapper around PluginSpec that allows for sorting by version.
-type SortedPluginSpec []PluginSpec
-
-func (sp SortedPluginSpec) Len() int { return len(sp) }
-func (sp SortedPluginSpec) Less(i, j int) bool {
-	iVersion := sp[i].Version
-	jVersion := sp[j].Version
-	switch {
-	case iVersion == nil && jVersion == nil:
-		return false
-	case iVersion == nil:
-		return true
-	case jVersion == nil:
-		return false
-	case iVersion.EQ(*jVersion):
-		return iVersion.String() < jVersion.String()
-	default:
-		return iVersion.LT(*jVersion)
+// SelectPrereleasePlugin selects a plugin from the list of plugins, which matches the exact version we
+// are looking for, based on the commit hash.
+func SelectPrereleasePlugin(
+	plugins []PluginInfo, kind apitype.PluginKind, name, subdir string, version *semver.Version,
+) *PluginInfo {
+	for _, cur := range plugins {
+		if cur.Kind == kind && cur.Name == name && cur.Version != nil && cur.Version.EQ(*version) {
+			// If the plugin is located in a subdir, we need to fix up the path to include the subdir.
+			if subdir != "" {
+				cur.Path = filepath.Join(cur.Path, subdir)
+			}
+			return &cur
+		}
 	}
+	return nil
 }
-func (sp SortedPluginSpec) Swap(i, j int) { sp[i], sp[j] = sp[j], sp[i] }
 
 // LegacySelectCompatiblePlugin selects a plugin from the list of plugins with the given kind and name that
 // satisfies the requested version. It returns the highest version plugin greater than the requested version,
@@ -2209,7 +2499,7 @@ func getCandidateExtensions() []string {
 // pluginRegexp matches plugin directory names: pulumi-KIND-NAME-VERSION.
 var pluginRegexp = regexp.MustCompile(
 	"^(?P<Kind>[a-z]+)-" + // KIND
-		"(?P<Name>[a-zA-Z0-9-]*[a-zA-Z0-9])-" + // NAME
+		"(?P<Name>[a-zA-Z0-9-][a-zA-Z0-9-_.]*[a-zA-Z0-9])-" + // NAME
 		"v(?P<Version>.*)$") // VERSION
 
 // installingPluginRegexp matches the name of temporary folders. Previous versions of Pulumi first extracted
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/project.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/project.go
index 821e0e4d8..876fcf35a 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/project.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/project.go
@@ -83,6 +83,8 @@ type ProjectTemplate struct {
 	// Config is an optional template config.
 	Config map[string]ProjectTemplateConfigValue `json:"config,omitempty" yaml:"config,omitempty"`
 	// Important indicates the template is important.
+	//
+	// Deprecated: We don't use this field any more.
 	Important bool `json:"important,omitempty" yaml:"important,omitempty"`
 	// Metadata are key/value pairs used to attach additional metadata to a template.
 	Metadata map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates.go
index fe44b7e4f..9048a54c0 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates.go
@@ -202,7 +202,6 @@ type Template struct {
 	Description string                                // Description of the template.
 	Quickstart  string                                // Optional text to be displayed after template creation.
 	Config      map[string]ProjectTemplateConfigValue // Optional template config.
-	Important   bool                                  // Indicates whether the template should be listed by default.
 	Error       error                                 // Non-nil if the template is broken.
 
 	ProjectName        string // Name of the project.
@@ -286,7 +285,7 @@ func RetrieveTemplates(ctx context.Context, templateNamePathOrURL string, offlin
 	templateKind TemplateKind,
 ) (TemplateRepository, error) {
 	if isZIPTemplateURL(templateNamePathOrURL) {
-		return retrieveZIPTemplates(templateNamePathOrURL)
+		return RetrieveZIPTemplates(templateNamePathOrURL)
 	}
 	if IsTemplateURL(templateNamePathOrURL) {
 		return retrieveURLTemplates(ctx, templateNamePathOrURL, offline, templateKind)
@@ -476,7 +475,6 @@ func LoadTemplate(path string) (Template, error) {
 		template.Description = proj.Template.Description
 		template.Quickstart = proj.Template.Quickstart
 		template.Config = proj.Template.Config
-		template.Important = proj.Template.Important
 	}
 	if proj.Description != nil {
 		template.ProjectDescription = *proj.Description
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates_zip.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates_zip.go
index 473831f37..237f6403e 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates_zip.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/common/workspace/templates_zip.go
@@ -31,6 +31,8 @@ import (
 
 const RetryCount = 6
 
+var ErrPulumiCloudUnauthorized = errors.New("unauthorized")
+
 // Sanitize archive file pathing from "G305: Zip Slip vulnerability"
 func sanitizeArchivePath(d, t string) (v string, err error) {
 	v = filepath.Join(d, t)
@@ -49,7 +51,11 @@ func isZIPTemplateURL(templateNamePathOrURL string) bool {
 	return parsedURL.Path != "" && strings.HasSuffix(parsedURL.Path, ".zip")
 }
 
-func retrieveZIPTemplates(templateURL string) (TemplateRepository, error) {
+func isPulumiHostResponse(resp *http.Response) bool {
+	return resp.Header.Get("X-Pulumi-Request-ID") != ""
+}
+
+func RetrieveZIPTemplates(templateURL string, opts ...RequestOption) (TemplateRepository, error) {
 	var err error
 	// Create a temp dir.
 	var temp string
@@ -63,7 +69,7 @@ func retrieveZIPTemplates(templateURL string) (TemplateRepository, error) {
 	}
 
 	var fullPath string
-	if fullPath, err = RetrieveZIPTemplateFolder(parsedURL, temp); err != nil {
+	if fullPath, err = RetrieveZIPTemplateFolder(parsedURL, temp, opts...); err != nil {
 		return TemplateRepository{}, fmt.Errorf("failed to retrieve zip archive: %w", err)
 	}
 
@@ -144,7 +150,10 @@ func NewRetryableClient() *http.Client {
 	}
 }
 
-func RetrieveZIPTemplateFolder(templateURL *url.URL, tempDir string) (string, error) {
+// RequestOption is a function that modifies an http.Request.
+type RequestOption func(*http.Request)
+
+func RetrieveZIPTemplateFolder(templateURL *url.URL, tempDir string, opts ...RequestOption) (string, error) {
 	if templateURL.Scheme == "" {
 		return "", fmt.Errorf("invalid template URL: %s", templateURL.String())
 	}
@@ -154,14 +163,25 @@ func RetrieveZIPTemplateFolder(templateURL *url.URL, tempDir string) (string, er
 		return "", err
 	}
 	packageRequest.Header.Set("Accept", "application/zip")
+
+	for _, opt := range opts {
+		opt(packageRequest)
+	}
+
 	packageResponse, err := client.Do(packageRequest)
 	if err != nil {
 		return "", err
 	}
+	if packageResponse.StatusCode == http.StatusUnauthorized && isPulumiHostResponse(packageResponse) {
+		return "", fmt.Errorf("failed to download template from pulumi host: %w", ErrPulumiCloudUnauthorized)
+	}
 	packageResponseBody, err := io.ReadAll(packageResponse.Body)
 	if err != nil {
 		return "", err
 	}
+	if packageResponse.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("failed to download template: %s\n%s", packageResponse.Status, string(packageResponseBody))
+	}
 	archive, err := zip.NewReader(bytes.NewReader(packageResponseBody), int64(len(packageResponseBody)))
 	if err != nil {
 		return "", err
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/context.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/context.go
index df36d31f9..b28f437db 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/context.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/context.go
@@ -41,6 +41,7 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/rpcutil"
 	"github.com/pulumi/pulumi/sdk/v3/go/internal"
 	pulumirpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
+	"golang.org/x/exp/maps"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/protobuf/proto"
@@ -667,57 +668,27 @@ func (ctx *Context) Invoke(tok string, args interface{}, result interface{}, opt
 //
 // args and result must be pointers to struct values fields and appropriately tagged and typed for use with Pulumi.
 func (ctx *Context) invokePackageRaw(
-	tok string, args interface{}, packageRef string, opts ...InvokeOption,
-) (resource.PropertyMap, []Resource, error) {
+	tok string, args interface{}, packageRef string, options invokeOptions,
+) (resource.PropertyMap, error) {
 	if tok == "" {
-		return nil, []Resource{}, errors.New("invoke token must not be empty")
-	}
-	options := mergeInvokeOptions(opts...)
-	deps := []Resource{}
-	depSet := urnSet{} // Only used for `addURNs` below.
-	for _, d := range options.DependsOn {
-		// This will await the resources, ensuring that we don't call the invoke before the dependencies are ready.
-		if err := d.addURNs(ctx.ctx, depSet, nil); err != nil {
-			return nil, []Resource{}, err
-		}
-		switch d := d.(type) {
-		case resourceDependencySet:
-			deps = append(deps, d...)
-		case *resourceArrayInputDependencySet:
-			out := d.input.ToResourceArrayOutput()
-			value, known, _, _, err := internal.AwaitOutput(ctx.Context(), out)
-			if err != nil || !known {
-				return nil, []Resource{}, err
-			}
-			resources, ok := value.([]Resource)
-			if !ok {
-				return nil, []Resource{},
-					fmt.Errorf("ResourceArrayInput resolved to a value of unexpected type %v, expected []Resource",
-						reflect.TypeOf(value))
-			}
-			deps = append(deps, resources...)
-		default:
-			// Unreachable.
-			// We control all implementations of dependencySet.
-			contract.Failf("Unknown dependencySet %T", d)
-		}
+		return nil, errors.New("invoke token must not be empty")
 	}
 	// Note that we're about to make an outstanding RPC request, so that we can rendezvous during shutdown.
 	var err error
 	if err = ctx.beginRPC(); err != nil {
-		return nil, []Resource{}, err
+		return nil, err
 	}
 	defer ctx.endRPC(err)
 
 	var providerRef string
 	providers, err := ctx.mergeProviders(tok, options.Parent, options.Provider, nil)
 	if err != nil {
-		return nil, []Resource{}, err
+		return nil, err
 	}
 	if provider := providers[getPackage(tok)]; provider != nil {
 		pr, err := ctx.resolveProviderReference(provider)
 		if err != nil {
-			return nil, []Resource{}, err
+			return nil, err
 		}
 		providerRef = pr
 	}
@@ -728,7 +699,7 @@ func (ctx *Context) invokePackageRaw(
 	}
 	resolvedArgs, _, err := marshalInput(args, anyType, false)
 	if err != nil {
-		return nil, []Resource{}, fmt.Errorf("marshaling arguments: %w", err)
+		return nil, fmt.Errorf("marshaling arguments: %w", err)
 	}
 
 	resolvedArgsMap := resource.PropertyMap{}
@@ -745,7 +716,7 @@ func (ctx *Context) invokePackageRaw(
 		},
 	)
 	if err != nil {
-		return nil, []Resource{}, fmt.Errorf("marshaling arguments: %w", err)
+		return nil, fmt.Errorf("marshaling arguments: %w", err)
 	}
 
 	// Now, invoke the RPC to the provider synchronously.
@@ -761,7 +732,7 @@ func (ctx *Context) invokePackageRaw(
 	})
 	if err != nil {
 		logging.V(9).Infof("Invoke(%s, ...): error: %v", tok, err)
-		return nil, []Resource{}, err
+		return nil, err
 	}
 
 	// If there were any failures from the provider, return them.
@@ -772,7 +743,7 @@ func (ctx *Context) invokePackageRaw(
 			ferr = multierror.Append(ferr,
 				fmt.Errorf("%s invoke failed: %s (%s)", tok, failure.Reason, failure.Property))
 		}
-		return nil, []Resource{}, ferr
+		return nil, ferr
 	}
 
 	// Otherwise, simply unmarshal the output properties and return the result.
@@ -784,9 +755,9 @@ func (ctx *Context) invokePackageRaw(
 			KeepResources: true,
 		})
 	if err != nil {
-		return nil, []Resource{}, err
+		return nil, err
 	}
-	return r, deps, nil
+	return r, nil
 }
 
 func validInvokeResult(resultV reflect.Value) bool {
@@ -807,18 +778,13 @@ func (ctx *Context) InvokePackage(
 		return errors.New("result must be a pointer to a struct or map value")
 	}
 
-	invokeOpts, optsErr := NewInvokeOptions(opts...)
-	if optsErr != nil {
-		return optsErr
-	}
+	invokeOpts := mergeInvokeOptions(opts...)
 	if len(invokeOpts.DependsOn) > 0 {
-		return fmt.Errorf("DependsOn is not supported for direct form invoke of %q, use the output form instead", tok)
-	}
-	if len(invokeOpts.DependsOnInputs) > 0 {
-		return fmt.Errorf("DependsOnInputs is not supported for direct form invoke of %q, use the output form instead", tok)
+		// Ignore the DependsOn option for direct invokes.
+		invokeOpts.DependsOn = nil
 	}
 
-	outProps, _, err := ctx.invokePackageRaw(tok, args, packageRef, opts...)
+	outProps, err := ctx.invokePackageRaw(tok, args, packageRef, *invokeOpts)
 	if err != nil {
 		return err
 	}
@@ -842,7 +808,8 @@ func (ctx *Context) InvokePackageRaw(
 		return false, errors.New("result must be a pointer to a struct or map value")
 	}
 
-	outProps, _, err := ctx.invokePackageRaw(tok, args, packageRef, opts...)
+	options := mergeInvokeOptions(opts...)
+	outProps, err := ctx.invokePackageRaw(tok, args, packageRef, *options)
 	if err != nil {
 		return false, err
 	}
@@ -872,13 +839,70 @@ func (ctx *Context) InvokeOutput(
 	output = ctx.newOutput(reflect.TypeOf(output))
 
 	go func() {
-		outProps, deps, err := ctx.invokePackageRaw(tok, args, options.PackageRef, options.InvokeOptions...)
+		// Collect dependencies from the DependsOn/DependsOnInput options.
+		invokeOpts := mergeInvokeOptions(options.InvokeOptions...)
+		deps := []Resource{}         // The direct dependencies of the invoke.
+		depSet := map[URN]Resource{} // The expanded set of dependencies, including children.
+		for _, d := range invokeOpts.DependsOn {
+			if err := d.addDeps(ctx.ctx, depSet, nil); err != nil {
+				return
+			}
+			switch d := d.(type) {
+			case resourceDependencySet:
+				deps = append(deps, d...)
+			case *resourceArrayInputDependencySet:
+				out := d.input.ToResourceArrayOutput()
+				value, known, _, _, err := internal.AwaitOutput(ctx.Context(), out)
+				if err != nil || !known {
+					return
+				}
+				resources, ok := value.([]Resource)
+				if !ok {
+					return
+				}
+				deps = append(deps, resources...)
+			default:
+				// Unreachable.
+				// We control all implementations of dependencySet.
+				contract.Failf("Unknown dependencySet %T", d)
+			}
+		}
+
+		dest := reflect.New(output.ElementType()).Elem()
+
+		// DependsOn for resources is an ordering constraint for register
+		// resource calls. If a resource R1 depends on a resource R2, the
+		// register resource call for R2 will happen after R1. This is ensured
+		// by awaiting the URN for each resource dependency before calling
+		// register resource.
+		//
+		// For invokes, this causes a problem when running under preview. During
+		// preview, register resource immediately returns with the URN, however
+		// this does not tell us if the resource "exists".
+		//
+		// Instead of waiting for the dependency's URN, we wait for the ID. This
+		// tells us that wether a physical resource exists (if the state does
+		// not require a refresh), and we can avoid calling the invoke when it
+		// is unknown.
+		for _, d := range depSet {
+			if r, ok := d.(CustomResource); ok {
+				_, known, _, _, err := internal.AwaitOutput(ctx.Context(), r.ID())
+				if err != nil {
+					contract.Failf("Awaiting ID: %s", err)
+				}
+				if !known {
+					internal.ResolveOutput(output, dest.Interface(), known, false, resourcesToInternal(deps))
+					return
+				}
+			}
+		}
+
+		outProps, err := ctx.invokePackageRaw(tok, args, options.PackageRef, *invokeOpts)
 		if err != nil {
 			internal.RejectOutput(output, err)
 			return
 		}
 
-		dest := reflect.New(output.ElementType()).Elem()
 		known := !outProps.ContainsUnknowns()
 		secret, err := unmarshalOutput(ctx, resource.NewObjectProperty(outProps), dest)
 		if err != nil {
@@ -2198,11 +2222,11 @@ func (ctx *Context) prepareResourceInputs(res Resource, props Input, t string, o
 
 	// Merge all dependencies with what we got earlier from property marshaling, and remove duplicates.
 	var deps []string
-	depSet := urnSet{}
+	depSet := map[URN]struct{}{}
 	for _, dep := range append(resOpts.depURNs, rpcDeps...) {
-		if !depSet.has(dep) {
+		if _, ok := depSet[dep]; !ok {
 			deps = append(deps, string(dep))
-			depSet.add(dep)
+			depSet[dep] = struct{}{}
 		}
 	}
 	sort.Strings(deps)
@@ -2294,13 +2318,13 @@ func (ctx *Context) getOpts(
 
 	var depURNs []URN
 	if opts.DependsOn != nil {
-		depSet := urnSet{}
+		depSet := map[URN]Resource{}
 		for _, ds := range opts.DependsOn {
-			if err := ds.addURNs(ctx.ctx, depSet, res); err != nil {
+			if err := ds.addDeps(ctx.ctx, depSet, res); err != nil {
 				return resourceOpts{}, err
 			}
 		}
-		depURNs = depSet.values()
+		depURNs = maps.Keys(depSet)
 	}
 
 	var providerRef string
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/provider.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/provider.go
index 2d4ef859e..45d8eba3c 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/provider.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/provider.go
@@ -29,6 +29,7 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/rpcutil/rpcerror"
 	"github.com/pulumi/pulumi/sdk/v3/go/internal"
 	pulumirpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
+	"golang.org/x/exp/maps"
 
 	"google.golang.org/grpc"
 )
@@ -74,11 +75,11 @@ func construct(ctx context.Context, req *pulumirpc.ConstructRequest, engineConn
 	inputs := make(map[string]interface{}, len(deserializedInputs))
 	for key, value := range deserializedInputs {
 		k := string(key)
-		var deps urnSet
+		var deps map[URN]struct{}
 		if inputDeps, ok := inputDependencies[k]; ok {
-			deps = urnSet{}
+			deps = map[URN]struct{}{}
 			for _, depURN := range inputDeps.GetUrns() {
-				deps.add(URN(depURN))
+				deps[URN(depURN)] = struct{}{}
 			}
 		}
 
@@ -219,14 +220,15 @@ func createProviderResource(ctx *Context, ref string) (ProviderResource, error)
 
 type constructInput struct {
 	value resource.PropertyValue
-	deps  urnSet
+	deps  map[URN]struct{}
 }
 
 func (ci constructInput) Dependencies(ctx *Context) []Resource {
 	if ci.deps == nil {
 		return nil
 	}
-	urns := ci.deps.sortedValues()
+	urns := maps.Keys(ci.deps)
+	sort.Slice(urns, func(i, j int) bool { return urns[i] < urns[j] })
 	var result []Resource
 	if len(urns) > 0 {
 		result = make([]Resource, len(urns))
@@ -261,7 +263,7 @@ func constructInputsMap(ctx *Context, inputs map[string]interface{}) (Map, error
 	return result, nil
 }
 
-func gatherDeps(v resource.PropertyValue, deps urnSet) {
+func gatherDeps(v resource.PropertyValue, deps map[URN]struct{}) {
 	switch {
 	case v.IsSecret():
 		gatherDeps(v.SecretValue().Element, deps)
@@ -269,11 +271,11 @@ func gatherDeps(v resource.PropertyValue, deps urnSet) {
 		gatherDeps(v.Input().Element, deps)
 	case v.IsOutput():
 		for _, urn := range v.OutputValue().Dependencies {
-			deps.add(URN(urn))
+			deps[URN(urn)] = struct{}{}
 		}
 		gatherDeps(v.OutputValue().Element, deps)
 	case v.IsResourceReference():
-		deps.add(URN(v.ResourceReferenceValue().URN))
+		deps[URN(v.ResourceReferenceValue().URN)] = struct{}{}
 	case v.IsArray():
 		for _, e := range v.ArrayValue() {
 			gatherDeps(e, deps)
@@ -614,12 +616,19 @@ func constructInputsCopyTo(ctx *Context, inputs map[string]interface{}, args int
 			}
 
 			// Find all nested dependencies.
-			deps := urnSet{}
+			deps := map[URN]struct{}{}
 			gatherDeps(ci.value, deps)
 
 			// If the top-level property dependencies are equal to (or a subset of) the gathered nested
 			// dependencies, we don't necessarily need to create a top-level output for the property.
-			if deps.contains(ci.deps) {
+			contains := true
+			for v := range ci.deps {
+				if _, ok := deps[v]; !ok {
+					contains = false
+					break
+				}
+			}
+			if contains {
 				if err := copyInputTo(ctx, ci.value, fieldV); err != nil {
 					return fmt.Errorf("copying input %q: %w", k, err)
 				}
@@ -785,11 +794,11 @@ func call(ctx context.Context, req *pulumirpc.CallRequest, engineConn *grpc.Clie
 	args := make(map[string]interface{}, len(deserializedArgs))
 	for key, value := range deserializedArgs {
 		k := string(key)
-		var deps urnSet
+		var deps map[URN]struct{}
 		if inputDeps, ok := argDependencies[k]; ok {
-			deps = urnSet{}
+			deps = map[URN]struct{}{}
 			for _, depURN := range inputDeps.GetUrns() {
-				deps.add(URN(depURN))
+				deps[URN(depURN)] = struct{}{}
 			}
 		}
 
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/resource.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/resource.go
index 1a40aa082..e28997979 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/resource.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/resource.go
@@ -688,11 +688,10 @@ func CompositeInvoke(opts ...InvokeOption) InvokeOption {
 // dependencySet unifies types that can provide dependencies for a
 // resource.
 type dependencySet interface {
-	// Adds URNs for addURNs from this set
-	// into the given urnSet.
+	// Adds dependencies into the depSet.
 	// Optionally pass the last Resource arg to short-circuit component
 	// children cycles.
-	addURNs(context.Context, urnSet, Resource) error
+	addDeps(context.Context, map[URN]Resource, Resource) error
 }
 
 // DependsOn is an optional array of explicit dependencies on other resources.
@@ -713,9 +712,9 @@ type resourceDependencySet []Resource
 
 var _ dependencySet = (resourceDependencySet)(nil)
 
-func (rs resourceDependencySet) addURNs(ctx context.Context, urns urnSet, from Resource) error {
+func (rs resourceDependencySet) addDeps(ctx context.Context, deps map[URN]Resource, from Resource) error {
 	for _, r := range rs {
-		if err := addDependency(ctx, urns, r, from); err != nil {
+		if err := addDependency(ctx, deps, r, from); err != nil {
 			return err
 		}
 	}
@@ -747,7 +746,7 @@ type resourceArrayInputDependencySet struct{ input ResourceArrayInput }
 
 var _ dependencySet = (*resourceArrayInputDependencySet)(nil)
 
-func (ra *resourceArrayInputDependencySet) addURNs(ctx context.Context, urns urnSet, from Resource) error {
+func (ra *resourceArrayInputDependencySet) addDeps(ctx context.Context, deps map[URN]Resource, from Resource) error {
 	out := ra.input.ToResourceArrayOutput()
 
 	value, known, _ /* secret */, _ /* deps */, err := internal.AwaitOutput(ctx, out)
@@ -765,7 +764,7 @@ func (ra *resourceArrayInputDependencySet) addURNs(ctx context.Context, urns urn
 	toplevelDeps := getOutputDeps(out)
 
 	for _, r := range append(resources, toplevelDeps...) {
-		if err := addDependency(ctx, urns, r, from); err != nil {
+		if err := addDependency(ctx, deps, r, from); err != nil {
 			return err
 		}
 	}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/rpc.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/rpc.go
index c49615565..9275db8b6 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/rpc.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/rpc.go
@@ -18,15 +18,18 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
+	"sort"
 	"strings"
 	"sync"
 
 	"github.com/blang/semver"
+	"golang.org/x/exp/maps"
 	"golang.org/x/net/context"
 
 	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
 	rarchive "github.com/pulumi/pulumi/sdk/v3/go/common/resource/archive"
 	rasset "github.com/pulumi/pulumi/sdk/v3/go/common/resource/asset"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/slice"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/tokens"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
 	"github.com/pulumi/pulumi/sdk/v3/go/internal"
@@ -61,7 +64,7 @@ import (
 // * Cust4 because it is a child of a custom resource
 // * Comp2 because it is a non-remote component resoruce
 // * Comp3 and Cust5 because Comp3 is a child of a remote component resource
-func addDependency(ctx context.Context, deps urnSet, res, from Resource) error {
+func addDependency(ctx context.Context, deps map[URN]Resource, res, from Resource) error {
 	if _, custom := res.(CustomResource); !custom {
 		// If `res` is the same as `from`, exit early to avoid depending on
 		// children that haven't been registered yet.
@@ -85,24 +88,24 @@ func addDependency(ctx context.Context, deps urnSet, res, from Resource) error {
 	if err != nil {
 		return err
 	}
-	deps.add(urn)
+	deps[urn] = res
 	return nil
 }
 
 // expandDependencies expands the given slice of Resources into a set of URNs.
-func expandDependencies(ctx context.Context, deps []Resource) (urnSet, error) {
-	urns := urnSet{}
+func expandDependencies(ctx context.Context, deps []Resource) (map[URN]Resource, error) {
+	set := map[URN]Resource{}
 	for _, r := range deps {
-		if err := addDependency(ctx, urns, r, nil /* from */); err != nil {
+		if err := addDependency(ctx, set, r, nil /* from */); err != nil {
 			return nil, err
 		}
 	}
-	return urns, nil
+	return set, nil
 }
 
 // marshalInputs turns resource property inputs into a map suitable for marshaling.
 func marshalInputs(props Input) (resource.PropertyMap, map[string][]URN, []URN, error) {
-	deps := urnSet{}
+	deps := map[URN]struct{}{}
 	pmap, pdeps := resource.PropertyMap{}, map[string][]URN{}
 
 	if props == nil {
@@ -121,11 +124,17 @@ func marshalInputs(props Input) (resource.PropertyMap, map[string][]URN, []URN,
 		if err != nil {
 			return err
 		}
-		deps.union(allDeps)
+		for k := range allDeps {
+			deps[k] = struct{}{}
+		}
 
 		if !v.IsNull() || len(allDeps) > 0 {
+			urns := slice.Prealloc[URN](len(allDeps))
+			for v := range allDeps {
+				urns = append(urns, v)
+			}
 			pmap[resource.PropertyKey(pname)] = v
-			pdeps[pname] = allDeps.values()
+			pdeps[pname] = urns
 		}
 		return nil
 	}
@@ -184,7 +193,11 @@ func marshalInputs(props Input) (resource.PropertyMap, map[string][]URN, []URN,
 		return nil, nil, nil, fmt.Errorf("cannot marshal Input that is not a struct or map, saw type %s", pt.String())
 	}
 
-	return pmap, pdeps, deps.values(), nil
+	urns := slice.Prealloc[URN](len(deps))
+	for v := range deps {
+		urns = append(urns, v)
+	}
+	return pmap, pdeps, urns, nil
 }
 
 // `gosec` thinks these are credentials, but they are not.
@@ -265,14 +278,16 @@ func marshalInputImpl(v interface{},
 				}
 
 				// Expand dependencies.
-				urnSet, err := expandDependencies(context.TODO(), outputDeps)
+				depSet, err := expandDependencies(context.TODO(), outputDeps)
 				if err != nil {
 					return resource.PropertyValue{}, nil, err
 				}
 				var dependencies []resource.URN
-				if len(urnSet) > 0 {
-					dependencies = make([]resource.URN, len(urnSet))
-					for i, urn := range urnSet.sortedValues() {
+				if len(depSet) > 0 {
+					dependencies = make([]resource.URN, len(depSet))
+					urns := maps.Keys(depSet)
+					sort.Slice(urns, func(i, j int) bool { return urns[i] < urns[j] })
+					for i, urn := range urns {
 						dependencies[i] = resource.URN(urn)
 					}
 				}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/stack_reference.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/stack_reference.go
index 693a4ea2e..225498961 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/stack_reference.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/stack_reference.go
@@ -42,7 +42,7 @@ func (s *StackReference) GetOutput(name StringInput) AnyOutput {
 		ApplyT(func(args []interface{}) (interface{}, error) {
 			n, stack := args[0].(string), args[1].(resource.PropertyMap)
 			if !stack["outputs"].IsObject() {
-				return Any(nil), fmt.Errorf("failed to convert %T to object", stack)
+				return Any(nil), fmt.Errorf("failed to convert stack output %T to object", stack)
 			}
 			outs := stack["outputs"].ObjectValue()
 			v, ok := outs[resource.PropertyKey(n)]
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/types.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/types.go
index 99cd950ad..c7cdfb410 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/types.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/types.go
@@ -305,6 +305,25 @@ func AnyWithContext(ctx context.Context, v interface{}) AnyOutput {
 	return internal.ToOutputWithOutputType(ctx, anyOutputType, v).(AnyOutput)
 }
 
+// DeferredOutput creates an Output whose value can be later resolved from another Output instance.
+func DeferredOutput[T any](ctx context.Context) (pulumix.Output[T], func(Output)) {
+	var zero T
+	rt := reflect.TypeOf(zero)
+	state := internal.NewOutputState(nil, rt)
+	out := pulumix.Output[T]{OutputState: state}
+	resolve := func(o Output) {
+		go func() {
+			v, known, secret, deps, err := internal.AwaitOutput(ctx, o)
+			if err != nil {
+				internal.RejectOutput(state, err)
+				return
+			}
+			internal.ResolveOutput(out, v, known, secret, deps)
+		}()
+	}
+	return out, resolve
+}
+
 type AnyOutput struct{ *OutputState }
 
 var _ pulumix.Input[any] = AnyOutput{}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/urnset.go b/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/urnset.go
deleted file mode 100644
index 25f6d24e5..000000000
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/go/pulumi/urnset.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2016-2021, Pulumi Corporation.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package pulumi
-
-import (
-	"sort"
-
-	"github.com/pulumi/pulumi/sdk/v3/go/common/slice"
-)
-
-type urnSet map[URN]struct{}
-
-func (s urnSet) add(v URN) {
-	s[v] = struct{}{}
-}
-
-func (s urnSet) has(v URN) bool {
-	_, ok := s[v]
-	return ok
-}
-
-func (s urnSet) contains(other urnSet) bool {
-	for v := range other {
-		if !s.has(v) {
-			return false
-		}
-	}
-	return true
-}
-
-func (s urnSet) union(other urnSet) {
-	for v := range other {
-		s.add(v)
-	}
-}
-
-func (s urnSet) values() []URN {
-	values := slice.Prealloc[URN](len(s))
-	for v := range s {
-		values = append(values, v)
-	}
-	return values
-}
-
-func (s urnSet) sortedValues() []URN {
-	v := s.values()
-	sort.Slice(v, func(i, j int) bool { return v[i] < v[j] })
-	return v
-}
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language.pb.go b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language.pb.go
index 30208aab4..7c750fb72 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language.pb.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language.pb.go
@@ -37,11 +37,14 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 
+// `RuntimeOptionType` is an enum that captures the type of a runtime option.
 type RuntimeOptionPrompt_RuntimeOptionType int32
 
 const (
+	// A string value.
 	RuntimeOptionPrompt_STRING RuntimeOptionPrompt_RuntimeOptionType = 0
-	RuntimeOptionPrompt_INT32  RuntimeOptionPrompt_RuntimeOptionType = 1
+	// A 32-bit integer value.
+	RuntimeOptionPrompt_INT32 RuntimeOptionPrompt_RuntimeOptionType = 1
 )
 
 // Enum value maps for RuntimeOptionPrompt_RuntimeOptionType.
@@ -83,24 +86,28 @@ func (RuntimeOptionPrompt_RuntimeOptionType) EnumDescriptor() ([]byte, []int) {
 	return file_pulumi_language_proto_rawDescGZIP(), []int{15, 0}
 }
 
-// ProgramInfo are the common set of options that a language runtime needs to execute or query a program. This
-// is filled in by the engine based on where the `Pulumi.yaml` file was, the `runtime.options` property, and
-// the `main` property.
+// A `ProgramInfo` struct specifies a Pulumi program, and is built typically based on the location of a `Pulumi.yaml`
+// file and the `runtime`, `main` and other properties within that file.
 type ProgramInfo struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// the root of the project, where the `Pulumi.yaml` file is located.
+	// The root of the project containing the program, where the `Pulumi.yaml` file is located. This should be an
+	// absolute path on the filesystem that is accessible to the language host.
 	RootDirectory string `protobuf:"bytes,1,opt,name=root_directory,json=rootDirectory,proto3" json:"root_directory,omitempty"`
-	// the absolute path to the directory of the program to execute. Generally, but not required to be,
-	// underneath the root directory.
+	// The directory containing the program to execute (e.g. the location of the `index.ts` for a TypeScript NodeJS
+	// program). This should be an absolute path on the filesystem that is accessible to the language host. If
+	// `ProgramInfo` is being built from a `Pulumi.yaml`, this will typically be the directory portion of the `main`
+	// property in that file.
 	ProgramDirectory string `protobuf:"bytes,2,opt,name=program_directory,json=programDirectory,proto3" json:"program_directory,omitempty"`
-	// the entry point of the program, normally '.' meaning to just use the program directory, but can also be
-	// a filename inside the program directory. How that filename is interpreted, if at all, is language
-	// specific.
+	// The entry point of the program to execute. This should be a relative path from the `program_directory`, and is
+	// often just `.` to indicate the program directory itself, but it can also be a filename inside the directory.. If
+	// `ProgramInfo` is being built from a `Pulumi.yaml`, this will typically be the filename specified `main` property
+	// in that file if it is present, or the aforementioned `.` if not.
 	EntryPoint string `protobuf:"bytes,3,opt,name=entry_point,json=entryPoint,proto3" json:"entry_point,omitempty"`
-	// JSON style options from the `Pulumi.yaml` runtime options section.
+	// A struct capturing any language-specific options. If `ProgramInfo` is being built from a `Pulumi.yaml`, this will
+	// contain the `runtime.options` property from that file.
 	Options *structpb.Struct `protobuf:"bytes,4,opt,name=options,proto3" json:"options,omitempty"`
 }
 
@@ -164,12 +171,14 @@ func (x *ProgramInfo) GetOptions() *structpb.Struct {
 	return nil
 }
 
+// `AboutRequest` is the type of requests sent as part of an [](pulumirpc.LanguageRuntime.About) call.
 type AboutRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Info *ProgramInfo `protobuf:"bytes,1,opt,name=info,proto3" json:"info,omitempty"` // the program info to use.
+	// The program to use.
+	Info *ProgramInfo `protobuf:"bytes,1,opt,name=info,proto3" json:"info,omitempty"`
 }
 
 func (x *AboutRequest) Reset() {
@@ -211,15 +220,21 @@ func (x *AboutRequest) GetInfo() *ProgramInfo {
 	return nil
 }
 
-// AboutResponse returns runtime information about the language.
+// `AboutResponse` is the type of responses sent by an [](pulumirpc.LanguageRuntime.About) call. It contains information
+// about the language runtime being used.
 type AboutResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Executable string            `protobuf:"bytes,1,opt,name=executable,proto3" json:"executable,omitempty"`                                                                                     // the primary executable for the runtime of this language.
-	Version    string            `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"`                                                                                           // the version of the runtime for this language.
-	Metadata   map[string]string `protobuf:"bytes,3,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // other information about this language.
+	// The primary executable for the runtime of this language. This should be an absolute path. E.g. for NodeJS on a
+	// POSIX system, this might be something like `/usr/bin/node`.
+	Executable string `protobuf:"bytes,1,opt,name=executable,proto3" json:"executable,omitempty"`
+	// The version of the runtime underpinning the language host. E.g. for a NodeJS host, this might be the version of
+	// `node` being used.
+	Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"`
+	// Other host-specific metadata about the runtime underpinning the language host.
+	Metadata map[string]string `protobuf:"bytes,3,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
 
 func (x *AboutResponse) Reset() {
@@ -275,19 +290,44 @@ func (x *AboutResponse) GetMetadata() map[string]string {
 	return nil
 }
 
+// `GetProgramDependenciesRequest` is the type of requests sent as part of a
+// [](pulumirpc.LanguageRuntime.GetProgramDependencies) call.
 type GetProgramDependenciesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
+	// The project name.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field. Newer
+	// versions of the engine will always set this field to the string `"deprecated"`.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"` // the project name, the engine always sets this to "deprecated" now.
+	Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"`
+	// The program's working directory.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field, with
+	// the `program_directory` field set to this value.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Pwd string `protobuf:"bytes,2,opt,name=pwd,proto3" json:"pwd,omitempty"` // the program's working directory. Deprecated, use info.program_directory instead.
+	Pwd string `protobuf:"bytes,2,opt,name=pwd,proto3" json:"pwd,omitempty"`
+	// The path to the program.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field, with
+	// the `entry_point` field set to this value.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Program                string       `protobuf:"bytes,3,opt,name=program,proto3" json:"program,omitempty"`                                // the path to the program. Deprecated, use info.entry_point instead.
-	TransitiveDependencies bool         `protobuf:"varint,4,opt,name=transitiveDependencies,proto3" json:"transitiveDependencies,omitempty"` // if transitive dependencies should be included in the result.
-	Info                   *ProgramInfo `protobuf:"bytes,5,opt,name=info,proto3" json:"info,omitempty"`                                      // the program info to use to calculate dependencies.
+	Program string `protobuf:"bytes,3,opt,name=program,proto3" json:"program,omitempty"`
+	// True if transitive dependencies should be included in the response.
+	TransitiveDependencies bool `protobuf:"varint,4,opt,name=transitiveDependencies,proto3" json:"transitiveDependencies,omitempty"`
+	// The program to use.
+	Info *ProgramInfo `protobuf:"bytes,5,opt,name=info,proto3" json:"info,omitempty"`
 }
 
 func (x *GetProgramDependenciesRequest) Reset() {
@@ -360,13 +400,18 @@ func (x *GetProgramDependenciesRequest) GetInfo() *ProgramInfo {
 	return nil
 }
 
+// `DependencyInfo` is a struct that captures information about a language-specific dependency required by a program
+// (e.g. an NPM package for NodeJS, or a Maven library for Java). It is returned as part of a
+// [](pulumirpc.LanguageRuntime.GetProgramDependenciesResponse).
 type DependencyInfo struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Name    string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`       // The name of the dependency.
-	Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"` // The version of the dependency.
+	// The name of the dependency.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// The version of the dependency.
+	Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"`
 }
 
 func (x *DependencyInfo) Reset() {
@@ -415,12 +460,16 @@ func (x *DependencyInfo) GetVersion() string {
 	return ""
 }
 
+// `GetProgramDependenciesResponse` is the type of responses sent by a
+// [](pulumirpc.LanguageRuntime.GetProgramDependencies) call. It contains information about the dependencies of a
+// program.
 type GetProgramDependenciesResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Dependencies []*DependencyInfo `protobuf:"bytes,1,rep,name=dependencies,proto3" json:"dependencies,omitempty"` // the dependencies of this program
+	// The dependencies of the program specified by the request.
+	Dependencies []*DependencyInfo `protobuf:"bytes,1,rep,name=dependencies,proto3" json:"dependencies,omitempty"`
 }
 
 func (x *GetProgramDependenciesResponse) Reset() {
@@ -462,18 +511,42 @@ func (x *GetProgramDependenciesResponse) GetDependencies() []*DependencyInfo {
 	return nil
 }
 
+// `GetRequiredPluginsRequest` is the type of requests sent as part of a
+// [](pulumirpc.LanguageRuntime.GetRequiredPlugins) call.
 type GetRequiredPluginsRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
+	// The project name.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field. Newer
+	// versions of the engine will always set this field to the string `"deprecated"`.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"` // the project name, the engine always sets this to "deprecated" now.
+	Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"`
+	// The program's working directory.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field, with
+	// the `program_directory` field set to this value.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Pwd string `protobuf:"bytes,2,opt,name=pwd,proto3" json:"pwd,omitempty"` // the program's working directory. Deprecated, use info.program_directory instead.
+	Pwd string `protobuf:"bytes,2,opt,name=pwd,proto3" json:"pwd,omitempty"`
+	// The path to the program.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field, with
+	// the `entry_point` field set to this value.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Program string       `protobuf:"bytes,3,opt,name=program,proto3" json:"program,omitempty"` // the path to the program. Deprecated, use info.entry_point instead.
-	Info    *ProgramInfo `protobuf:"bytes,4,opt,name=info,proto3" json:"info,omitempty"`       // the program info to use to calculate plugins.
+	Program string `protobuf:"bytes,3,opt,name=program,proto3" json:"program,omitempty"`
+	// The program to use.
+	Info *ProgramInfo `protobuf:"bytes,4,opt,name=info,proto3" json:"info,omitempty"`
 }
 
 func (x *GetRequiredPluginsRequest) Reset() {
@@ -539,12 +612,15 @@ func (x *GetRequiredPluginsRequest) GetInfo() *ProgramInfo {
 	return nil
 }
 
+// `GetRequiredPluginsResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.GetRequiredPlugins)
+// call. It contains information about the plugins required by a program.
 type GetRequiredPluginsResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Plugins []*PluginDependency `protobuf:"bytes,1,rep,name=plugins,proto3" json:"plugins,omitempty"` // a list of plugins required by this program.
+	// The plugins required by the program specified by the request.
+	Plugins []*PluginDependency `protobuf:"bytes,1,rep,name=plugins,proto3" json:"plugins,omitempty"`
 }
 
 func (x *GetRequiredPluginsResponse) Reset() {
@@ -586,12 +662,15 @@ func (x *GetRequiredPluginsResponse) GetPlugins() []*PluginDependency {
 	return nil
 }
 
+// `GetRequiredPackagesRequest` is the type of requests sent as part of a
+// [](pulumirpc.LanguageRuntime.GetRequiredPackages) call.
 type GetRequiredPackagesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Info *ProgramInfo `protobuf:"bytes,1,opt,name=info,proto3" json:"info,omitempty"` // the program info to use to calculate packages.
+	// The program to use.
+	Info *ProgramInfo `protobuf:"bytes,1,opt,name=info,proto3" json:"info,omitempty"`
 }
 
 func (x *GetRequiredPackagesRequest) Reset() {
@@ -633,12 +712,15 @@ func (x *GetRequiredPackagesRequest) GetInfo() *ProgramInfo {
 	return nil
 }
 
+// `GetRequiredPackagesResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.GetRequiredPackages)
+// call. It contains information about the packages required by a program.
 type GetRequiredPackagesResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Packages []*PackageDependency `protobuf:"bytes,1,rep,name=packages,proto3" json:"packages,omitempty"` // a list of packages required by this program.
+	// The packages required by the program specified by the request.
+	Packages []*PackageDependency `protobuf:"bytes,1,rep,name=packages,proto3" json:"packages,omitempty"`
 }
 
 func (x *GetRequiredPackagesResponse) Reset() {
@@ -680,30 +762,53 @@ func (x *GetRequiredPackagesResponse) GetPackages() []*PackageDependency {
 	return nil
 }
 
-// RunRequest asks the interpreter to execute a program.
+// `RunRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.Run) call.
 type RunRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"` // the project name.
-	Stack   string `protobuf:"bytes,2,opt,name=stack,proto3" json:"stack,omitempty"`     // the name of the stack being deployed into.
-	Pwd     string `protobuf:"bytes,3,opt,name=pwd,proto3" json:"pwd,omitempty"`         // the program's working directory.
+	// The project name.
+	Project string `protobuf:"bytes,1,opt,name=project,proto3" json:"project,omitempty"`
+	// The name of the stack being deployed into.
+	Stack string `protobuf:"bytes,2,opt,name=stack,proto3" json:"stack,omitempty"`
+	// The program's working directory.
+	Pwd string `protobuf:"bytes,3,opt,name=pwd,proto3" json:"pwd,omitempty"`
+	// The path to the program.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field, with
+	// the `entry_point` field set to this value.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Program           string            `protobuf:"bytes,4,opt,name=program,proto3" json:"program,omitempty"`                                                                                       // the path to the program to execute. Deprecated, use info.entry_point instead.
-	Args              []string          `protobuf:"bytes,5,rep,name=args,proto3" json:"args,omitempty"`                                                                                             // any arguments to pass to the program.
-	Config            map[string]string `protobuf:"bytes,6,rep,name=config,proto3" json:"config,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // the configuration variables to apply before running.
-	DryRun            bool              `protobuf:"varint,7,opt,name=dryRun,proto3" json:"dryRun,omitempty"`                                                                                        // true if we're only doing a dryrun (preview).
-	Parallel          int32             `protobuf:"varint,8,opt,name=parallel,proto3" json:"parallel,omitempty"`                                                                                    // the degree of parallelism for resource operations (<=1 for serial).
-	MonitorAddress    string            `protobuf:"bytes,9,opt,name=monitor_address,json=monitorAddress,proto3" json:"monitor_address,omitempty"`                                                   // the address for communicating back to the resource monitor.
-	QueryMode         bool              `protobuf:"varint,10,opt,name=queryMode,proto3" json:"queryMode,omitempty"`                                                                                 // true if we're only doing a query.
-	ConfigSecretKeys  []string          `protobuf:"bytes,11,rep,name=configSecretKeys,proto3" json:"configSecretKeys,omitempty"`                                                                    // the configuration keys that have secret values.
-	Organization      string            `protobuf:"bytes,12,opt,name=organization,proto3" json:"organization,omitempty"`                                                                            // the organization of the stack being deployed into.
-	ConfigPropertyMap *structpb.Struct  `protobuf:"bytes,13,opt,name=configPropertyMap,proto3" json:"configPropertyMap,omitempty"`                                                                  // the configuration variables to apply before running.
-	Info              *ProgramInfo      `protobuf:"bytes,14,opt,name=info,proto3" json:"info,omitempty"`                                                                                            // the program info to use to execute the program.
+	Program string `protobuf:"bytes,4,opt,name=program,proto3" json:"program,omitempty"`
+	// Any arguments to pass to the program.
+	Args []string `protobuf:"bytes,5,rep,name=args,proto3" json:"args,omitempty"`
+	// Configuration variables to apply before running the program.
+	Config map[string]string `protobuf:"bytes,6,rep,name=config,proto3" json:"config,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	// True if we are only doing a dry run (preview).
+	DryRun bool `protobuf:"varint,7,opt,name=dryRun,proto3" json:"dryRun,omitempty"`
+	// The degree of parallelism that should be used for resource operations. A value less than or equal to 1 indicates
+	// serial execution.
+	Parallel int32 `protobuf:"varint,8,opt,name=parallel,proto3" json:"parallel,omitempty"`
+	// The address of the [](pulumirpc.ResourceMonitor) that the program should connect to send [resource
+	// registrations](resource-registration) and other calls to.
+	MonitorAddress string `protobuf:"bytes,9,opt,name=monitor_address,json=monitorAddress,proto3" json:"monitor_address,omitempty"`
+	// True if and only if we are only performing a query.
+	QueryMode bool `protobuf:"varint,10,opt,name=queryMode,proto3" json:"queryMode,omitempty"`
+	// A list of configuration keys whose values should be treated as secrets.
+	ConfigSecretKeys []string `protobuf:"bytes,11,rep,name=configSecretKeys,proto3" json:"configSecretKeys,omitempty"`
+	// The organization of the stack being deployed into.
+	Organization string `protobuf:"bytes,12,opt,name=organization,proto3" json:"organization,omitempty"`
+	// Configuration variables to apply before running the program.
+	ConfigPropertyMap *structpb.Struct `protobuf:"bytes,13,opt,name=configPropertyMap,proto3" json:"configPropertyMap,omitempty"`
+	// The program to use.
+	Info *ProgramInfo `protobuf:"bytes,14,opt,name=info,proto3" json:"info,omitempty"`
 	// The target of a codegen.LoaderServer to use for loading schemas.
-	LoaderTarget   string `protobuf:"bytes,15,opt,name=loader_target,json=loaderTarget,proto3" json:"loader_target,omitempty"`
-	AttachDebugger bool   `protobuf:"varint,16,opt,name=attach_debugger,json=attachDebugger,proto3" json:"attach_debugger,omitempty"` // true if the language host is supposed to start the program under a debugger.
+	LoaderTarget string `protobuf:"bytes,15,opt,name=loader_target,json=loaderTarget,proto3" json:"loader_target,omitempty"`
+	// True if and only if the host should start the program under a debugger.
+	AttachDebugger bool `protobuf:"varint,16,opt,name=attach_debugger,json=attachDebugger,proto3" json:"attach_debugger,omitempty"`
 }
 
 func (x *RunRequest) Reset() {
@@ -851,17 +956,17 @@ func (x *RunRequest) GetAttachDebugger() bool {
 	return false
 }
 
-// RunResponse is the response back from the interpreter/source back to the monitor.
+// `RunResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.Run) call.
 type RunResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// An unhandled error if any occurred.
+	// Information about any unhandled error that occurred during the run.
 	Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
-	// An error happened.  And it was reported to the user.  Work should stop immediately
-	// with nothing further to print to the user.  This corresponds to a "result.Bail()"
-	// value in the 'go' layer.
+	// True if an error happened, but it was reported to the user. Work should halt immediately, reporting nothing
+	// further to the user (since this reporting has already happened). This corresponds to a `result.Bail()` value
+	// being raised in the Go application layer.
 	Bail bool `protobuf:"varint,2,opt,name=bail,proto3" json:"bail,omitempty"`
 }
 
@@ -911,16 +1016,30 @@ func (x *RunResponse) GetBail() bool {
 	return false
 }
 
+// `InstallDependenciesRequest` is the type of requests sent as part of an
+// [](pulumirpc.LanguageRuntime.InstallDependencies) call.
 type InstallDependenciesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
+	// The program's working directory.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field, with
+	// the `program_directory` field set to this value.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Directory               string       `protobuf:"bytes,1,opt,name=directory,proto3" json:"directory,omitempty"`                                                                 // the program's working directory. Deprecated, use info.program_directory instead.
-	IsTerminal              bool         `protobuf:"varint,2,opt,name=is_terminal,json=isTerminal,proto3" json:"is_terminal,omitempty"`                                            // if we are running in a terminal and should use ANSI codes
-	Info                    *ProgramInfo `protobuf:"bytes,3,opt,name=info,proto3" json:"info,omitempty"`                                                                           // the program info to use to execute the plugin.
-	UseLanguageVersionTools bool         `protobuf:"varint,4,opt,name=use_language_version_tools,json=useLanguageVersionTools,proto3" json:"use_language_version_tools,omitempty"` // if we should use language version tools like pyenv or
+	Directory string `protobuf:"bytes,1,opt,name=directory,proto3" json:"directory,omitempty"`
+	// True if we are running in a terminal and may use [ANSI escape
+	// codes](https://en.wikipedia.org/wiki/ANSI_escape_code) in our output.
+	IsTerminal bool `protobuf:"varint,2,opt,name=is_terminal,json=isTerminal,proto3" json:"is_terminal,omitempty"`
+	// The program to use.
+	Info *ProgramInfo `protobuf:"bytes,3,opt,name=info,proto3" json:"info,omitempty"`
+	// True if the host should use language-specific version managers, such as `pyenv` or `nvm`, to set up the version
+	// of the language toolchain used.
+	UseLanguageVersionTools bool `protobuf:"varint,4,opt,name=use_language_version_tools,json=useLanguageVersionTools,proto3" json:"use_language_version_tools,omitempty"`
 }
 
 func (x *InstallDependenciesRequest) Reset() {
@@ -984,13 +1103,17 @@ func (x *InstallDependenciesRequest) GetUseLanguageVersionTools() bool {
 	return false
 }
 
+// `InstallDependenciesResponse` is the type of responses streamed by an
+// [](pulumirpc.LanguageRuntime.InstallDependencies) call.
 type InstallDependenciesResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Stdout []byte `protobuf:"bytes,1,opt,name=stdout,proto3" json:"stdout,omitempty"` // a line of stdout text.
-	Stderr []byte `protobuf:"bytes,2,opt,name=stderr,proto3" json:"stderr,omitempty"` // a line of stderr text.
+	// A line of standard output.
+	Stdout []byte `protobuf:"bytes,1,opt,name=stdout,proto3" json:"stdout,omitempty"`
+	// A line of standard error.
+	Stderr []byte `protobuf:"bytes,2,opt,name=stderr,proto3" json:"stderr,omitempty"`
 }
 
 func (x *InstallDependenciesResponse) Reset() {
@@ -1039,12 +1162,15 @@ func (x *InstallDependenciesResponse) GetStderr() []byte {
 	return nil
 }
 
+// `RuntimeOptionsRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.RuntimeOptionsPrompts)
+// call.
 type RuntimeOptionsRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Info *ProgramInfo `protobuf:"bytes,1,opt,name=info,proto3" json:"info,omitempty"` // The current program info used to evaluate which prompts should be asked.
+	// The program to use.
+	Info *ProgramInfo `protobuf:"bytes,1,opt,name=info,proto3" json:"info,omitempty"`
 }
 
 func (x *RuntimeOptionsRequest) Reset() {
@@ -1086,16 +1212,23 @@ func (x *RuntimeOptionsRequest) GetInfo() *ProgramInfo {
 	return nil
 }
 
+// `RuntimeOptionPrompt` is a struct that captures information about a runtime option that should be prompted for during
+// `pulumi new`.
 type RuntimeOptionPrompt struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Key         string                                    `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
-	Description string                                    `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
-	PromptType  RuntimeOptionPrompt_RuntimeOptionType     `protobuf:"varint,3,opt,name=promptType,proto3,enum=pulumirpc.RuntimeOptionPrompt_RuntimeOptionType" json:"promptType,omitempty"`
-	Choices     []*RuntimeOptionPrompt_RuntimeOptionValue `protobuf:"bytes,4,rep,name=choices,proto3" json:"choices,omitempty"`
-	Default     *RuntimeOptionPrompt_RuntimeOptionValue   `protobuf:"bytes,5,opt,name=default,proto3" json:"default,omitempty"`
+	// A unique key that identifies the runtime option.
+	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	// A human-readable description of the runtime option.
+	Description string `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
+	// The type of the runtime option.
+	PromptType RuntimeOptionPrompt_RuntimeOptionType `protobuf:"varint,3,opt,name=promptType,proto3,enum=pulumirpc.RuntimeOptionPrompt_RuntimeOptionType" json:"promptType,omitempty"`
+	// A set of choices for the runtime option that may be displayed as part of the prompting process.
+	Choices []*RuntimeOptionPrompt_RuntimeOptionValue `protobuf:"bytes,4,rep,name=choices,proto3" json:"choices,omitempty"`
+	// The default value of the runtime option.
+	Default *RuntimeOptionPrompt_RuntimeOptionValue `protobuf:"bytes,5,opt,name=default,proto3" json:"default,omitempty"`
 }
 
 func (x *RuntimeOptionPrompt) Reset() {
@@ -1165,12 +1298,15 @@ func (x *RuntimeOptionPrompt) GetDefault() *RuntimeOptionPrompt_RuntimeOptionVal
 	return nil
 }
 
+// `RuntimeOptionsResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.RuntimeOptionsPrompts) call.
+// It contains information about additional prompts to ask during `pulumi new`.
 type RuntimeOptionsResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Prompts []*RuntimeOptionPrompt `protobuf:"bytes,1,rep,name=prompts,proto3" json:"prompts,omitempty"` // additional prompts to ask the user
+	// Prompts to ask the user.
+	Prompts []*RuntimeOptionPrompt `protobuf:"bytes,1,rep,name=prompts,proto3" json:"prompts,omitempty"`
 }
 
 func (x *RuntimeOptionsResponse) Reset() {
@@ -1212,17 +1348,29 @@ func (x *RuntimeOptionsResponse) GetPrompts() []*RuntimeOptionPrompt {
 	return nil
 }
 
+// `RunPluginRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.RunPlugin) call.
 type RunPluginRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Pwd string `protobuf:"bytes,1,opt,name=pwd,proto3" json:"pwd,omitempty"` // the program's working directory.
+	// The plugin program's working directory.
+	Pwd string `protobuf:"bytes,1,opt,name=pwd,proto3" json:"pwd,omitempty"`
+	// The path to the plugin program.
+	//
+	// :::{important}
+	// This is deprecated in favour of passing a [program info](pulumirpc.ProgramInfo) struct as the `info` field, with
+	// the `entry_point` field set to this value.
+	// :::
+	//
 	// Deprecated: Do not use.
-	Program string       `protobuf:"bytes,2,opt,name=program,proto3" json:"program,omitempty"` // the path to the program to execute. Deprecated, use info.entry_point instead.
-	Args    []string     `protobuf:"bytes,3,rep,name=args,proto3" json:"args,omitempty"`       // any arguments to pass to the program.
-	Env     []string     `protobuf:"bytes,4,rep,name=env,proto3" json:"env,omitempty"`         // any environment variables to set as part of the program.
-	Info    *ProgramInfo `protobuf:"bytes,5,opt,name=info,proto3" json:"info,omitempty"`       // the program info to use to execute the plugin.
+	Program string `protobuf:"bytes,2,opt,name=program,proto3" json:"program,omitempty"`
+	// Any arguments to pass to the plugin program.
+	Args []string `protobuf:"bytes,3,rep,name=args,proto3" json:"args,omitempty"`
+	// Any environment variables to set prior to executing the plugin program.
+	Env []string `protobuf:"bytes,4,rep,name=env,proto3" json:"env,omitempty"`
+	// The [plugin program](pulumirpc.ProgramInfo) to use.
+	Info *ProgramInfo `protobuf:"bytes,5,opt,name=info,proto3" json:"info,omitempty"`
 }
 
 func (x *RunPluginRequest) Reset() {
@@ -1293,6 +1441,7 @@ func (x *RunPluginRequest) GetInfo() *ProgramInfo {
 	return nil
 }
 
+// `RunPluginResponse` is the type of responses streamed by a [](pulumirpc.LanguageRuntime.RunPlugin) call.
 type RunPluginResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -1370,15 +1519,18 @@ type isRunPluginResponse_Output interface {
 }
 
 type RunPluginResponse_Stdout struct {
-	Stdout []byte `protobuf:"bytes,1,opt,name=stdout,proto3,oneof"` // a line of stdout text.
+	// A line of standard output.
+	Stdout []byte `protobuf:"bytes,1,opt,name=stdout,proto3,oneof"`
 }
 
 type RunPluginResponse_Stderr struct {
-	Stderr []byte `protobuf:"bytes,2,opt,name=stderr,proto3,oneof"` // a line of stderr text.
+	// A line of standard error.
+	Stderr []byte `protobuf:"bytes,2,opt,name=stderr,proto3,oneof"`
 }
 
 type RunPluginResponse_Exitcode struct {
-	Exitcode int32 `protobuf:"varint,3,opt,name=exitcode,proto3,oneof"` // the exit code of the provider.
+	// An exit code that the plugin program has terminated with. This should be the last message sent by the host.
+	Exitcode int32 `protobuf:"varint,3,opt,name=exitcode,proto3,oneof"`
 }
 
 func (*RunPluginResponse_Stdout) isRunPluginResponse_Output() {}
@@ -1387,16 +1539,18 @@ func (*RunPluginResponse_Stderr) isRunPluginResponse_Output() {}
 
 func (*RunPluginResponse_Exitcode) isRunPluginResponse_Output() {}
 
+// `GenerateProgramRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.GenerateProgram)
+// call.
 type GenerateProgramRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// the PCL source of the project.
+	// The source of the project, represented as a map of file names to [PCL](pcl) source code.
 	Source map[string]string `protobuf:"bytes,1,rep,name=source,proto3" json:"source,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	// The target of a codegen.LoaderServer to use for loading schemas.
 	LoaderTarget string `protobuf:"bytes,2,opt,name=loader_target,json=loaderTarget,proto3" json:"loader_target,omitempty"`
-	// if PCL binding should be strict or not.
+	// True if [PCL binding](pcl-binding) should be strict.
 	Strict bool `protobuf:"varint,3,opt,name=strict,proto3" json:"strict,omitempty"`
 }
 
@@ -1453,14 +1607,15 @@ func (x *GenerateProgramRequest) GetStrict() bool {
 	return false
 }
 
+// `GenerateProgramResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.GenerateProgram) call.
 type GenerateProgramResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// any diagnostics from code generation.
+	// Any diagnostics raised by code generation.
 	Diagnostics []*codegen.Diagnostic `protobuf:"bytes,1,rep,name=diagnostics,proto3" json:"diagnostics,omitempty"`
-	// the generated program source code.
+	// The generated program source code, represented as a map of file names to byte contents.
 	Source map[string][]byte `protobuf:"bytes,2,rep,name=source,proto3" json:"source,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
 
@@ -1510,23 +1665,28 @@ func (x *GenerateProgramResponse) GetSource() map[string][]byte {
 	return nil
 }
 
+// `GenerateProjectRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.GenerateProject) call.
 type GenerateProjectRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// the directory to generate the project from.
+	// The directory containing [PCL](pcl) source code, from which the project should be generated.
 	SourceDirectory string `protobuf:"bytes,1,opt,name=source_directory,json=sourceDirectory,proto3" json:"source_directory,omitempty"`
-	// the directory to generate the project in.
+	// The directory in which generated project files should be written. This should be an absolute path on the
+	// filesystem that is accessible to the language host.
 	TargetDirectory string `protobuf:"bytes,2,opt,name=target_directory,json=targetDirectory,proto3" json:"target_directory,omitempty"`
-	// the JSON-encoded pulumi project file.
+	// A string containing JSON to be used as the Pulumi project file (that is, as the contents of `Pulumi.yaml`).
 	Project string `protobuf:"bytes,3,opt,name=project,proto3" json:"project,omitempty"`
-	// if PCL binding should be strict or not.
+	// True if [PCL binding](pcl-binding) should be strict.
 	Strict bool `protobuf:"varint,4,opt,name=strict,proto3" json:"strict,omitempty"`
 	// The target of a codegen.LoaderServer to use for loading schemas.
 	LoaderTarget string `protobuf:"bytes,5,opt,name=loader_target,json=loaderTarget,proto3" json:"loader_target,omitempty"`
-	// local dependencies to use instead of using the package system. This is a map of package name to a local
-	// path of a language specific artifact to use for the SDK for that package.
+	// Local dependencies that the generated project should reference explicitly, instead of e.g. using the language's
+	// package system. This is a map of package names to local paths of language-specific artifacts that should be used.
+	// For instance, in the case of a NodeJS project, this might be a map of NPM package names to local paths to be
+	// used, such as `{ "@pulumi/aws": "/some/path/to/aws.tgz" }` if a local tarball is to be used instead of the
+	// published `@pulumi/aws` package.
 	LocalDependencies map[string]string `protobuf:"bytes,6,rep,name=local_dependencies,json=localDependencies,proto3" json:"local_dependencies,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
 
@@ -1604,12 +1764,13 @@ func (x *GenerateProjectRequest) GetLocalDependencies() map[string]string {
 	return nil
 }
 
+// `GenerateProjectResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.GenerateProject) call.
 type GenerateProjectResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// any diagnostics from code generation.
+	// Any diagnostics raised by code generation.
 	Diagnostics []*codegen.Diagnostic `protobuf:"bytes,1,rep,name=diagnostics,proto3" json:"diagnostics,omitempty"`
 }
 
@@ -1652,24 +1813,30 @@ func (x *GenerateProjectResponse) GetDiagnostics() []*codegen.Diagnostic {
 	return nil
 }
 
+// `GeneratePackageRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.GeneratePackage) call.
 type GeneratePackageRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// the directory to generate the package in.
+	// The directory to generate the package in. This should be an absolute path on the filesystem that is accessible to
+	// the language host.
 	Directory string `protobuf:"bytes,1,opt,name=directory,proto3" json:"directory,omitempty"`
-	// the JSON-encoded schema.
+	// A JSON-encoded string containing the schema from which the SDK package should be generated.
 	Schema string `protobuf:"bytes,2,opt,name=schema,proto3" json:"schema,omitempty"`
-	// extra files to copy to the package output.
+	// Extra files that should be copied as-is to the generated output.
 	ExtraFiles map[string][]byte `protobuf:"bytes,3,rep,name=extra_files,json=extraFiles,proto3" json:"extra_files,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	// The target of a codegen.LoaderServer to use for loading schemas.
 	LoaderTarget string `protobuf:"bytes,4,opt,name=loader_target,json=loaderTarget,proto3" json:"loader_target,omitempty"`
-	// local dependencies to use instead of using the package system. This is a map of package name to a local
-	// path of a language specific artifact to use for the SDK for that package.
+	// Local dependencies that the generated package should reference explicitly, instead of e.g. using the language's
+	// package system. This is a map of package names to local paths of language-specific artifacts that should be used.
+	// For instance, in the case of a NodeJS package, this might be a map of NPM package names to local paths to be
+	// used, such as `{ "@pulumi/aws": "/some/path/to/aws.tgz" }` if a local tarball is to be used instead of the
+	// published `@pulumi/aws` package.
 	LocalDependencies map[string]string `protobuf:"bytes,5,rep,name=local_dependencies,json=localDependencies,proto3" json:"local_dependencies,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	// if true generates an SDK appropriate for local usage, this may differ from a standard publishable SDK depending
-	// on the language.
+	// If true, generates an SDK appropriate for local usage. This may differ from a standard publishable SDK depending
+	// on the language (e.g. for a NodeJS package that is intended to be imported locally, the language host may choose
+	// not to generate a `package.json`).
 	Local bool `protobuf:"varint,6,opt,name=local,proto3" json:"local,omitempty"`
 }
 
@@ -1747,12 +1914,13 @@ func (x *GeneratePackageRequest) GetLocal() bool {
 	return false
 }
 
+// `GeneratePackageResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.GeneratePackage) call.
 type GeneratePackageResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// any diagnostics from code generation.
+	// Any diagnostics raised by code generation.
 	Diagnostics []*codegen.Diagnostic `protobuf:"bytes,1,rep,name=diagnostics,proto3" json:"diagnostics,omitempty"`
 }
 
@@ -1795,14 +1963,17 @@ func (x *GeneratePackageResponse) GetDiagnostics() []*codegen.Diagnostic {
 	return nil
 }
 
+// `PackRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.Pack) call.
 type PackRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// the directory of a package to pack.
+	// The directory containing the package to pack. This should be an absolute path on the filesystem that is accessible
+	// to the language host.
 	PackageDirectory string `protobuf:"bytes,1,opt,name=package_directory,json=packageDirectory,proto3" json:"package_directory,omitempty"`
-	// the directory to write the packed artifact to.
+	// The directory to write the packed artifact to. This should be an absolute path on the filesystem that is
+	// accessible to the language host.
 	DestinationDirectory string `protobuf:"bytes,2,opt,name=destination_directory,json=destinationDirectory,proto3" json:"destination_directory,omitempty"`
 }
 
@@ -1852,12 +2023,14 @@ func (x *PackRequest) GetDestinationDirectory() string {
 	return ""
 }
 
+// `PackResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.Pack) call.
 type PackResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// the full path of the packed artifact.
+	// The path to the packed artifact. This should be an absolute path on the filesystem that is accessible to the
+	// language host.
 	ArtifactPath string `protobuf:"bytes,1,opt,name=artifact_path,json=artifactPath,proto3" json:"artifact_path,omitempty"`
 }
 
@@ -1900,19 +2073,20 @@ func (x *PackResponse) GetArtifactPath() string {
 	return ""
 }
 
+// `LanguageHandshakeRequest` is the type of requests sent as part of a [](pulumirpc.LanguageRuntime.Handshake) call.
 type LanguageHandshakeRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// The grpc address for the engine.
+	// The gRPC address of the engine calling the language host.
 	EngineAddress string `protobuf:"bytes,1,opt,name=engine_address,json=engineAddress,proto3" json:"engine_address,omitempty"`
-	// The optional root directory, where the `PulumiPlugin.yaml` file or language binary is located.
-	// This can't be sent when the engine is attaching to a language via a port number.
+	// The optional root directory, where the `PulumiPlugin.yaml` file or language binary is located. This can't be sent
+	// when the engine is attaching to a language via a port number.
 	RootDirectory *string `protobuf:"bytes,2,opt,name=root_directory,json=rootDirectory,proto3,oneof" json:"root_directory,omitempty"`
-	// The optional absolute path to the directory of the language program to execute. Generally, but not
-	// required to be, underneath the root directory. This can't be sent when the engine is attaching to a
-	// language via a port number.
+	// The optional absolute path to the directory of the language program to execute. Generally, but not required to
+	// be, underneath the root directory. This can't be sent when the engine is attaching to a language via a port
+	// number.
 	ProgramDirectory *string `protobuf:"bytes,3,opt,name=program_directory,json=programDirectory,proto3,oneof" json:"program_directory,omitempty"`
 }
 
@@ -1969,6 +2143,7 @@ func (x *LanguageHandshakeRequest) GetProgramDirectory() string {
 	return ""
 }
 
+// `LanguageHandshakeResponse` is the type of responses sent by a [](pulumirpc.LanguageRuntime.Handshake) call.
 type LanguageHandshakeResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -2007,15 +2182,20 @@ func (*LanguageHandshakeResponse) Descriptor() ([]byte, []int) {
 	return file_pulumi_language_proto_rawDescGZIP(), []int{28}
 }
 
+// `RuntimeOptionValue` is a struct that captures the value of a runtime option.
 type RuntimeOptionPrompt_RuntimeOptionValue struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	PromptType  RuntimeOptionPrompt_RuntimeOptionType `protobuf:"varint,1,opt,name=promptType,proto3,enum=pulumirpc.RuntimeOptionPrompt_RuntimeOptionType" json:"promptType,omitempty"`
-	StringValue string                                `protobuf:"bytes,2,opt,name=stringValue,proto3" json:"stringValue,omitempty"`
-	Int32Value  int32                                 `protobuf:"varint,3,opt,name=int32Value,proto3" json:"int32Value,omitempty"`
-	DisplayName string                                `protobuf:"bytes,4,opt,name=displayName,proto3" json:"displayName,omitempty"`
+	// The type of the runtime option.
+	PromptType RuntimeOptionPrompt_RuntimeOptionType `protobuf:"varint,1,opt,name=promptType,proto3,enum=pulumirpc.RuntimeOptionPrompt_RuntimeOptionType" json:"promptType,omitempty"`
+	// The string value of the runtime option, if and only if the type is `STRING`.
+	StringValue string `protobuf:"bytes,2,opt,name=stringValue,proto3" json:"stringValue,omitempty"`
+	// The 32-bit integer value of the runtime option, if and only if the type is `INT32`.
+	Int32Value int32 `protobuf:"varint,3,opt,name=int32Value,proto3" json:"int32Value,omitempty"`
+	// The display name of the runtime option, to be used in prompts.
+	DisplayName string `protobuf:"bytes,4,opt,name=displayName,proto3" json:"displayName,omitempty"`
 }
 
 func (x *RuntimeOptionPrompt_RuntimeOptionValue) Reset() {
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language_grpc.pb.go b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language_grpc.pb.go
index 2cdfe34b7..5ad35043a 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language_grpc.pb.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/language_grpc.pb.go
@@ -23,36 +23,76 @@ const _ = grpc.SupportPackageIsVersion7
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type LanguageRuntimeClient interface {
-	// `Handshake` is the first call made by the engine to a language host. It is used to pass the
-	// engine's address to the language host so that it may establish its own connections back,
-	// and to establish protocol configuration that will be used to communicate between the two parties.
+	// `Handshake` is the first call made by the engine to a language host. It is used to pass the engine's address to
+	// the language host so that it may establish its own connections back, and to establish protocol configuration that
+	// will be used to communicate between the two parties.
 	Handshake(ctx context.Context, in *LanguageHandshakeRequest, opts ...grpc.CallOption) (*LanguageHandshakeResponse, error)
 	// Deprecated: Do not use.
-	// GetRequiredPlugins computes the complete set of anticipated plugins required by a program.
+	// `GetRequiredPlugins` computes the complete set of anticipated [plugins](plugins) required by a Pulumi program.
+	// Among other things, it is intended to be used to pre-install plugins before running a program with
+	// [](pulumirpc.LanguageRuntime.Run), to avoid the need to install them on-demand in response to [resource
+	// registrations](resource-registration) sent back from the running program to the engine.
+	//
+	// :::{important}
+	// The use of `GetRequiredPlugins` is deprecated in favour of [](pulumirpc.LanguageRuntime.GetRequiredPackages),
+	// which returns more granular information about which plugins are required by which packages.
+	// :::
 	GetRequiredPlugins(ctx context.Context, in *GetRequiredPluginsRequest, opts ...grpc.CallOption) (*GetRequiredPluginsResponse, error)
-	// GetRequiredPackages computes the complete set of anticipated packages required by a program.
+	// `GetRequiredPackages` computes the complete set of anticipated [packages](pulumirpc.PackageDependency) required
+	// by a program. It is used to pre-install packages before running a program with [](pulumirpc.LanguageRuntime.Run),
+	// to avoid the need to install them on-demand in response to [resource registrations](resource-registration) sent
+	// back from the running program to the engine. Moreover, when importing resources into a stack, it is used to
+	// determine which plugins are required to service the import of a given resource, since given the presence of
+	// [parameterized providers](parameterized-providers), it is not in general true that a package name corresponds 1:1
+	// with a plugin name. It replaces [](pulumirpc.LanguageRuntime.GetRequiredPlugins) in the face of [parameterized
+	// providers](parameterized-providers), which as mentioned above can enable multiple instances of the same plugin to
+	// provide multiple packages.
 	GetRequiredPackages(ctx context.Context, in *GetRequiredPackagesRequest, opts ...grpc.CallOption) (*GetRequiredPackagesResponse, error)
-	// Run executes a program and returns its result.
+	// `Run` executes a Pulumi program, returning information about whether or not the program produced an error.
 	Run(ctx context.Context, in *RunRequest, opts ...grpc.CallOption) (*RunResponse, error)
-	// GetPluginInfo returns generic information about this plugin, like its version.
+	// `GetPluginInfo` returns information about the [plugin](plugins) implementing this language runtime.
 	GetPluginInfo(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*PluginInfo, error)
-	// InstallDependencies will install dependencies for the project, e.g. by running `npm install` for nodejs projects.
+	// `InstallDependencies` accepts a request specifying a Pulumi project and program that can be executed with
+	// [](pulumirpc.LanguageRuntime.Run) and installs the dependencies for that program (e.g. by running `npm install`
+	// for NodeJS, or `pip install` for Python). Since dependency installation could take a while, and callers may wish
+	// to report on its progress, this method returns a stream of [](pulumirpc.InstallDependenciesResponse) messages
+	// containing information about standard error and output.
 	InstallDependencies(ctx context.Context, in *InstallDependenciesRequest, opts ...grpc.CallOption) (LanguageRuntime_InstallDependenciesClient, error)
-	// RuntimeOptionsPrompts returns a list of additional prompts to ask during `pulumi new`.
+	// `RuntimeOptionsPrompts` accepts a request specifying a Pulumi project and returns a list of additional prompts to
+	// ask during `pulumi new`.
 	RuntimeOptionsPrompts(ctx context.Context, in *RuntimeOptionsRequest, opts ...grpc.CallOption) (*RuntimeOptionsResponse, error)
-	// About returns information about the runtime for this language.
+	// `About` returns information about the language runtime being used.
 	About(ctx context.Context, in *AboutRequest, opts ...grpc.CallOption) (*AboutResponse, error)
-	// GetProgramDependencies returns the set of dependencies required by the program.
+	// `GetProgramDependencies` computes the set of language-level dependencies (e.g. NPM packages for NodeJS, or Maven
+	// libraries for Java) required by a program.
 	GetProgramDependencies(ctx context.Context, in *GetProgramDependenciesRequest, opts ...grpc.CallOption) (*GetProgramDependenciesResponse, error)
-	// RunPlugin executes a plugin program and returns its result asynchronously.
+	// `RunPlugin` is used to execute a program written in this host's language that implements a Pulumi
+	// [plugin](plugins). It it is plugins what [](pulumirpc.LanguageRuntime.Run) is to programs. Since a plugin is not
+	// expected to terminate until instructed/for a long time, this method returns a stream of
+	// [](pulumirpc.RunPluginResponse) messages containing information about standard error and output, as well as the
+	// exit code of the plugin when it does terminate.
 	RunPlugin(ctx context.Context, in *RunPluginRequest, opts ...grpc.CallOption) (LanguageRuntime_RunPluginClient, error)
-	// GenerateProgram generates a given PCL program into a program for this language.
+	// `GenerateProgram` generates code in this host's language that implements the given [PCL](pcl) program. Unlike
+	// [](pulumirpc.LanguageRuntime.GenerateProject), this method *only* generates program code, and does not e.g.
+	// generate a `package.json` for a NodeJS project that details how to run that code.
+	// [](pulumirpc.LanguageRuntime.GenerateProject), this method underpins ["programgen"](programgen) and the main
+	// functionality powering `pulumi convert`.
 	GenerateProgram(ctx context.Context, in *GenerateProgramRequest, opts ...grpc.CallOption) (*GenerateProgramResponse, error)
-	// GenerateProject generates a given PCL program into a project for this language.
+	// `GenerateProject` generates code in this host's language that implements the given [PCL](pcl) program and wraps
+	// it in some language-specific notion of a "project", where a project is a buildable or runnable artifact. In this
+	// sense, `GenerateProject`'s output is a superset of that of [](pulumirpc.LanguageRuntime.GenerateProgram). For
+	// instance, when generating a NodeJS project, this method might generate a corresponding `package.json` file, as
+	// well as the relevant NodeJS program code. Along with [](pulumirpc.LanguageRuntime.GenerateProgram), this method
+	// underpins ["programgen"](programgen) and the main functionality powering `pulumi convert`.
 	GenerateProject(ctx context.Context, in *GenerateProjectRequest, opts ...grpc.CallOption) (*GenerateProjectResponse, error)
-	// GeneratePackage generates a given pulumi package into a package for this language.
+	// `GeneratePackage` generates code in this host's language that implements an [SDK](sdkgen) ("sdkgen") for the
+	// given Pulumi package, as specified by a [schema](schema).
 	GeneratePackage(ctx context.Context, in *GeneratePackageRequest, opts ...grpc.CallOption) (*GeneratePackageResponse, error)
-	// Pack packs a package into a language specific artifact.
+	// `Pack` accepts a request specifying a generated SDK package and packs it into a language-specific artifact. For
+	// instance, in the case of Java, it might produce a JAR file from a list of `.java` sources; in the case of NodeJS,
+	// a `.tgz` file might be produced from a list of `.js` sources; and so on. Presently, `Pack` is primarily used in
+	// [language conformance tests](language-conformance-tests), though it is intended to be used more widely in future
+	// to standardise e.g. provider publishing workflows.
 	Pack(ctx context.Context, in *PackRequest, opts ...grpc.CallOption) (*PackResponse, error)
 }
 
@@ -241,36 +281,76 @@ func (c *languageRuntimeClient) Pack(ctx context.Context, in *PackRequest, opts
 // All implementations must embed UnimplementedLanguageRuntimeServer
 // for forward compatibility
 type LanguageRuntimeServer interface {
-	// `Handshake` is the first call made by the engine to a language host. It is used to pass the
-	// engine's address to the language host so that it may establish its own connections back,
-	// and to establish protocol configuration that will be used to communicate between the two parties.
+	// `Handshake` is the first call made by the engine to a language host. It is used to pass the engine's address to
+	// the language host so that it may establish its own connections back, and to establish protocol configuration that
+	// will be used to communicate between the two parties.
 	Handshake(context.Context, *LanguageHandshakeRequest) (*LanguageHandshakeResponse, error)
 	// Deprecated: Do not use.
-	// GetRequiredPlugins computes the complete set of anticipated plugins required by a program.
+	// `GetRequiredPlugins` computes the complete set of anticipated [plugins](plugins) required by a Pulumi program.
+	// Among other things, it is intended to be used to pre-install plugins before running a program with
+	// [](pulumirpc.LanguageRuntime.Run), to avoid the need to install them on-demand in response to [resource
+	// registrations](resource-registration) sent back from the running program to the engine.
+	//
+	// :::{important}
+	// The use of `GetRequiredPlugins` is deprecated in favour of [](pulumirpc.LanguageRuntime.GetRequiredPackages),
+	// which returns more granular information about which plugins are required by which packages.
+	// :::
 	GetRequiredPlugins(context.Context, *GetRequiredPluginsRequest) (*GetRequiredPluginsResponse, error)
-	// GetRequiredPackages computes the complete set of anticipated packages required by a program.
+	// `GetRequiredPackages` computes the complete set of anticipated [packages](pulumirpc.PackageDependency) required
+	// by a program. It is used to pre-install packages before running a program with [](pulumirpc.LanguageRuntime.Run),
+	// to avoid the need to install them on-demand in response to [resource registrations](resource-registration) sent
+	// back from the running program to the engine. Moreover, when importing resources into a stack, it is used to
+	// determine which plugins are required to service the import of a given resource, since given the presence of
+	// [parameterized providers](parameterized-providers), it is not in general true that a package name corresponds 1:1
+	// with a plugin name. It replaces [](pulumirpc.LanguageRuntime.GetRequiredPlugins) in the face of [parameterized
+	// providers](parameterized-providers), which as mentioned above can enable multiple instances of the same plugin to
+	// provide multiple packages.
 	GetRequiredPackages(context.Context, *GetRequiredPackagesRequest) (*GetRequiredPackagesResponse, error)
-	// Run executes a program and returns its result.
+	// `Run` executes a Pulumi program, returning information about whether or not the program produced an error.
 	Run(context.Context, *RunRequest) (*RunResponse, error)
-	// GetPluginInfo returns generic information about this plugin, like its version.
+	// `GetPluginInfo` returns information about the [plugin](plugins) implementing this language runtime.
 	GetPluginInfo(context.Context, *emptypb.Empty) (*PluginInfo, error)
-	// InstallDependencies will install dependencies for the project, e.g. by running `npm install` for nodejs projects.
+	// `InstallDependencies` accepts a request specifying a Pulumi project and program that can be executed with
+	// [](pulumirpc.LanguageRuntime.Run) and installs the dependencies for that program (e.g. by running `npm install`
+	// for NodeJS, or `pip install` for Python). Since dependency installation could take a while, and callers may wish
+	// to report on its progress, this method returns a stream of [](pulumirpc.InstallDependenciesResponse) messages
+	// containing information about standard error and output.
 	InstallDependencies(*InstallDependenciesRequest, LanguageRuntime_InstallDependenciesServer) error
-	// RuntimeOptionsPrompts returns a list of additional prompts to ask during `pulumi new`.
+	// `RuntimeOptionsPrompts` accepts a request specifying a Pulumi project and returns a list of additional prompts to
+	// ask during `pulumi new`.
 	RuntimeOptionsPrompts(context.Context, *RuntimeOptionsRequest) (*RuntimeOptionsResponse, error)
-	// About returns information about the runtime for this language.
+	// `About` returns information about the language runtime being used.
 	About(context.Context, *AboutRequest) (*AboutResponse, error)
-	// GetProgramDependencies returns the set of dependencies required by the program.
+	// `GetProgramDependencies` computes the set of language-level dependencies (e.g. NPM packages for NodeJS, or Maven
+	// libraries for Java) required by a program.
 	GetProgramDependencies(context.Context, *GetProgramDependenciesRequest) (*GetProgramDependenciesResponse, error)
-	// RunPlugin executes a plugin program and returns its result asynchronously.
+	// `RunPlugin` is used to execute a program written in this host's language that implements a Pulumi
+	// [plugin](plugins). It it is plugins what [](pulumirpc.LanguageRuntime.Run) is to programs. Since a plugin is not
+	// expected to terminate until instructed/for a long time, this method returns a stream of
+	// [](pulumirpc.RunPluginResponse) messages containing information about standard error and output, as well as the
+	// exit code of the plugin when it does terminate.
 	RunPlugin(*RunPluginRequest, LanguageRuntime_RunPluginServer) error
-	// GenerateProgram generates a given PCL program into a program for this language.
+	// `GenerateProgram` generates code in this host's language that implements the given [PCL](pcl) program. Unlike
+	// [](pulumirpc.LanguageRuntime.GenerateProject), this method *only* generates program code, and does not e.g.
+	// generate a `package.json` for a NodeJS project that details how to run that code.
+	// [](pulumirpc.LanguageRuntime.GenerateProject), this method underpins ["programgen"](programgen) and the main
+	// functionality powering `pulumi convert`.
 	GenerateProgram(context.Context, *GenerateProgramRequest) (*GenerateProgramResponse, error)
-	// GenerateProject generates a given PCL program into a project for this language.
+	// `GenerateProject` generates code in this host's language that implements the given [PCL](pcl) program and wraps
+	// it in some language-specific notion of a "project", where a project is a buildable or runnable artifact. In this
+	// sense, `GenerateProject`'s output is a superset of that of [](pulumirpc.LanguageRuntime.GenerateProgram). For
+	// instance, when generating a NodeJS project, this method might generate a corresponding `package.json` file, as
+	// well as the relevant NodeJS program code. Along with [](pulumirpc.LanguageRuntime.GenerateProgram), this method
+	// underpins ["programgen"](programgen) and the main functionality powering `pulumi convert`.
 	GenerateProject(context.Context, *GenerateProjectRequest) (*GenerateProjectResponse, error)
-	// GeneratePackage generates a given pulumi package into a package for this language.
+	// `GeneratePackage` generates code in this host's language that implements an [SDK](sdkgen) ("sdkgen") for the
+	// given Pulumi package, as specified by a [schema](schema).
 	GeneratePackage(context.Context, *GeneratePackageRequest) (*GeneratePackageResponse, error)
-	// Pack packs a package into a language specific artifact.
+	// `Pack` accepts a request specifying a generated SDK package and packs it into a language-specific artifact. For
+	// instance, in the case of Java, it might produce a JAR file from a list of `.java` sources; in the case of NodeJS,
+	// a `.tgz` file might be produced from a list of `.js` sources; and so on. Presently, `Pack` is primarily used in
+	// [language conformance tests](language-conformance-tests), though it is intended to be used more widely in future
+	// to standardise e.g. provider publishing workflows.
 	Pack(context.Context, *PackRequest) (*PackResponse, error)
 	mustEmbedUnimplementedLanguageRuntimeServer()
 }
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider.pb.go b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider.pb.go
index 75c675c24..b0b00f983 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider.pb.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider.pb.go
@@ -1624,6 +1624,13 @@ func (x *PropertyDiff) GetInputDiff() bool {
 //   granular view of the changes that have occurred. Detailed diffs are designed to allow providers to control
 //   precisely which field names are displayed as responsible for a change, and to signal more accurately what kind of
 //   change occurred (e.g. a field was added, deleted or updated).
+//
+// The response must satisfy the following invariants:
+//
+// * For each top-level key in `diff` there is at least one matching property path, starting at that key, in `detailedDiff`.
+// * For each entry in `detailedDiff`, its top-level property is in `diff`.
+// * `diff` does not contain duplicates.
+// * `detailedDiff` does not contain duplicate keys.
 type DiffResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider_grpc.pb.go b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider_grpc.pb.go
index fd5b25bba..b5d2fce6b 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider_grpc.pb.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/provider_grpc.pb.go
@@ -88,6 +88,8 @@ type ResourceProviderClient interface {
 	// thus be reserved for changes to configuration properties that are guaranteed to make old resources unmanageable.
 	// Changes to an AWS region, for example, will almost certainly require a provider replacement, but changes to an
 	// AWS access key, should almost certainly not.
+	//
+	// Implementations must satisfy the invariants documented on `DiffResponse`.
 	DiffConfig(ctx context.Context, in *DiffRequest, opts ...grpc.CallOption) (*DiffResponse, error)
 	// `Configure` is the final stage in configuring a provider instance. Callers may supply two sets of data:
 	//
@@ -138,6 +140,8 @@ type ResourceProviderClient interface {
 	// `Diff` compares an existing ("old") set of resource properties with a new set of properties and computes the
 	// difference (if any) between them. `Diff` should only be called with values that have at some point been validated
 	// by a [](pulumirpc.ResourceProvider.Check) call.
+	//
+	// Implementations must satisfy the invariants documented on `DiffResponse`.
 	Diff(ctx context.Context, in *DiffRequest, opts ...grpc.CallOption) (*DiffResponse, error)
 	// `Create` provisions a new instance of the specified [(custom) resource](custom-resources). It returns a
 	// provider-assigned ID for the resource as well as the output properties that arose from the creation properties.
@@ -481,6 +485,8 @@ type ResourceProviderServer interface {
 	// thus be reserved for changes to configuration properties that are guaranteed to make old resources unmanageable.
 	// Changes to an AWS region, for example, will almost certainly require a provider replacement, but changes to an
 	// AWS access key, should almost certainly not.
+	//
+	// Implementations must satisfy the invariants documented on `DiffResponse`.
 	DiffConfig(context.Context, *DiffRequest) (*DiffResponse, error)
 	// `Configure` is the final stage in configuring a provider instance. Callers may supply two sets of data:
 	//
@@ -531,6 +537,8 @@ type ResourceProviderServer interface {
 	// `Diff` compares an existing ("old") set of resource properties with a new set of properties and computes the
 	// difference (if any) between them. `Diff` should only be called with values that have at some point been validated
 	// by a [](pulumirpc.ResourceProvider.Check) call.
+	//
+	// Implementations must satisfy the invariants documented on `DiffResponse`.
 	Diff(context.Context, *DiffRequest) (*DiffResponse, error)
 	// `Create` provisions a new instance of the specified [(custom) resource](custom-resources). It returns a
 	// provider-assigned ID for the resource as well as the output properties that arose from the creation properties.
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource.pb.go b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource.pb.go
index a29aae016..b29fef910 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource.pb.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource.pb.go
@@ -201,7 +201,7 @@ type ReadResourceRequest struct {
 	PluginDownloadURL       string            `protobuf:"bytes,13,opt,name=pluginDownloadURL,proto3" json:"pluginDownloadURL,omitempty"`                                                                                     // the server url of the provider to use when servicing this request.
 	PluginChecksums         map[string][]byte `protobuf:"bytes,15,rep,name=pluginChecksums,proto3" json:"pluginChecksums,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // a map of checksums of the provider to use when servicing this request.
 	SourcePosition          *SourcePosition   `protobuf:"bytes,14,opt,name=sourcePosition,proto3" json:"sourcePosition,omitempty"`                                                                                           // the optional source position of the user code that initiated the read.
-	PackageRef              string            `protobuf:"bytes,16,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                                                                                                   // a reference from RegisterProviderRequest.
+	PackageRef              string            `protobuf:"bytes,16,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                                                                                                   // a reference from RegisterPackageRequest.
 }
 
 func (x *ReadResourceRequest) Reset() {
@@ -442,7 +442,7 @@ type RegisterResourceRequest struct {
 	SourcePosition          *SourcePosition `protobuf:"bytes,29,opt,name=sourcePosition,proto3" json:"sourcePosition,omitempty"`                    // the optional source position of the user code that initiated the register.
 	Transforms              []*Callback     `protobuf:"bytes,31,rep,name=transforms,proto3" json:"transforms,omitempty"`                            // a list of transforms to apply to the resource before registering it.
 	SupportsResultReporting bool            `protobuf:"varint,32,opt,name=supportsResultReporting,proto3" json:"supportsResultReporting,omitempty"` // true if the request is from an SDK that supports the result field in the response.
-	PackageRef              string          `protobuf:"bytes,33,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                            // a reference from RegisterProviderRequest.
+	PackageRef              string          `protobuf:"bytes,33,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                            // a reference from RegisterPackageRequest.
 }
 
 func (x *RegisterResourceRequest) Reset() {
@@ -874,7 +874,7 @@ type ResourceInvokeRequest struct {
 	PluginDownloadURL string            `protobuf:"bytes,6,opt,name=pluginDownloadURL,proto3" json:"pluginDownloadURL,omitempty"`                                                                                     // an optional reference to the provider url to use for this invoke.
 	PluginChecksums   map[string][]byte `protobuf:"bytes,8,rep,name=pluginChecksums,proto3" json:"pluginChecksums,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // a map of checksums expected for the provider plugin.
 	SourcePosition    *SourcePosition   `protobuf:"bytes,7,opt,name=sourcePosition,proto3" json:"sourcePosition,omitempty"`                                                                                           // the optional source position of the user code that initiated the invoke.
-	PackageRef        string            `protobuf:"bytes,9,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                                                                                                   // a reference from RegisterProviderRequest.
+	PackageRef        string            `protobuf:"bytes,9,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                                                                                                   // a reference from RegisterPackageRequest.
 }
 
 func (x *ResourceInvokeRequest) Reset() {
@@ -985,7 +985,7 @@ type ResourceCallRequest struct {
 	PluginDownloadURL string                                               `protobuf:"bytes,13,opt,name=pluginDownloadURL,proto3" json:"pluginDownloadURL,omitempty"`                                                                                     // the pluginDownloadURL of the provider to use when servicing this request.
 	PluginChecksums   map[string][]byte                                    `protobuf:"bytes,16,rep,name=pluginChecksums,proto3" json:"pluginChecksums,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // a map of checksums of the provider to use when servicing this request.
 	SourcePosition    *SourcePosition                                      `protobuf:"bytes,15,opt,name=sourcePosition,proto3" json:"sourcePosition,omitempty"`                                                                                           // the optional source position of the user code that initiated the call.
-	PackageRef        string                                               `protobuf:"bytes,17,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                                                                                                   // a reference from RegisterProviderRequest.
+	PackageRef        string                                               `protobuf:"bytes,17,opt,name=packageRef,proto3" json:"packageRef,omitempty"`                                                                                                   // a reference from RegisterPackageRequest.
 }
 
 func (x *ResourceCallRequest) Reset() {
@@ -1662,6 +1662,8 @@ type RegisterPackageResponse struct {
 	unknownFields protoimpl.UnknownFields
 
 	// The UUID package reference for this registered package.
+	//
+	// Lifecycle methods accept this reference in the 'packageRef' field.
 	Ref string `protobuf:"bytes,1,opt,name=ref,proto3" json:"ref,omitempty"`
 }
 
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource_grpc.pb.go b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource_grpc.pb.go
index d840d34d4..e35513751 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource_grpc.pb.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/proto/go/resource_grpc.pb.go
@@ -34,6 +34,8 @@ type ResourceMonitorClient interface {
 	RegisterStackTransform(ctx context.Context, in *Callback, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	// Register an invoke transform for the stack
 	RegisterStackInvokeTransform(ctx context.Context, in *Callback, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	// Registers a package and allocates a packageRef. The same package can be registered multiple times in Pulumi.
+	// Multiple requests are idempotent and guaranteed to return the same result.
 	RegisterPackage(ctx context.Context, in *RegisterPackageRequest, opts ...grpc.CallOption) (*RegisterPackageResponse, error)
 }
 
@@ -173,6 +175,8 @@ type ResourceMonitorServer interface {
 	RegisterStackTransform(context.Context, *Callback) (*emptypb.Empty, error)
 	// Register an invoke transform for the stack
 	RegisterStackInvokeTransform(context.Context, *Callback) (*emptypb.Empty, error)
+	// Registers a package and allocates a packageRef. The same package can be registered multiple times in Pulumi.
+	// Multiple requests are idempotent and guaranteed to return the same result.
 	RegisterPackage(context.Context, *RegisterPackageRequest) (*RegisterPackageResponse, error)
 	mustEmbedUnimplementedResourceMonitorServer()
 }
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/pip.go b/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/pip.go
index 4953c4e04..ef388f9d4 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/pip.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/pip.go
@@ -27,7 +27,6 @@ import (
 	"runtime"
 	"strings"
 
-	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/fsutil"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/logging"
 )
@@ -332,43 +331,6 @@ func NewVirtualEnvError(dir, fullPath string) error {
 		dir, fullPath, message, commandsText)
 }
 
-// ActivateVirtualEnv takes an array of environment variables (same format as os.Environ()) and path to
-// a virtual environment directory, and returns a new "activated" array with the virtual environment's
-// "bin" dir ("Scripts" on Windows) prepended to the `PATH` environment variable, the `VIRTUAL_ENV`
-// variable set to the path, and the `PYTHONHOME` variable removed.
-func ActivateVirtualEnv(environ []string, virtualEnvDir string) []string {
-	virtualEnvBin := filepath.Join(virtualEnvDir, virtualEnvBinDirName())
-	var hasPath bool
-	var result []string
-	for _, env := range environ {
-		split := strings.SplitN(env, "=", 2)
-		contract.Assertf(len(split) == 2, "unexpected environment variable: %q", env)
-		key, value := split[0], split[1]
-
-		// Case-insensitive compare, as Windows will normally be "Path", not "PATH".
-		if strings.EqualFold(key, "PATH") {
-			hasPath = true
-			// Prepend the virtual environment bin directory to PATH so any calls to run
-			// python or pip will use the binaries in the virtual environment.
-			path := fmt.Sprintf("%s=%s%s%s", key, virtualEnvBin, string(os.PathListSeparator), value)
-			result = append(result, path)
-		} else if strings.EqualFold(key, "PYTHONHOME") {
-			// Skip PYTHONHOME to "unset" this value.
-		} else if strings.EqualFold(key, "VIRTUAL_ENV") {
-			// Skip VIRTUAL_ENV, we always set this to `virtualEnvDir`
-		} else {
-			result = append(result, env)
-		}
-	}
-	if !hasPath {
-		path := "PATH=" + virtualEnvBin
-		result = append(result, path)
-	}
-	virtualEnv := "VIRTUAL_ENV=" + virtualEnvDir
-	result = append(result, virtualEnv)
-	return result
-}
-
 // InstallDependencies will create a new virtual environment and install dependencies in the root directory.
 func InstallDependencies(ctx context.Context, cwd, venvDir string, useLanguageVersionTools, showOutput bool,
 	infoWriter, errorWriter io.Writer,
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/toolchain.go b/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/toolchain.go
index 6c030819b..d3d29fe39 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/toolchain.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/toolchain.go
@@ -25,6 +25,7 @@ import (
 	"runtime"
 	"strings"
 
+	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/fsutil"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/logging"
 )
@@ -118,6 +119,43 @@ func ResolveToolchain(options PythonOptions) (Toolchain, error) {
 	return newPip(options.Root, options.Virtualenv)
 }
 
+// ActivateVirtualEnv takes an array of environment variables (same format as os.Environ()) and path to
+// a virtual environment directory, and returns a new "activated" array with the virtual environment's
+// "bin" dir ("Scripts" on Windows) prepended to the `PATH` environment variable, the `VIRTUAL_ENV`
+// variable set to the path, and the `PYTHONHOME` variable removed.
+func ActivateVirtualEnv(environ []string, virtualEnvDir string) []string {
+	virtualEnvBin := filepath.Join(virtualEnvDir, virtualEnvBinDirName())
+	var hasPath bool
+	var result []string
+	for _, env := range environ {
+		split := strings.SplitN(env, "=", 2)
+		contract.Assertf(len(split) == 2, "unexpected environment variable: %q", env)
+		key, value := split[0], split[1]
+
+		// Case-insensitive compare, as Windows will normally be "Path", not "PATH".
+		if strings.EqualFold(key, "PATH") {
+			hasPath = true
+			// Prepend the virtual environment bin directory to PATH so any calls to run
+			// python or pip will use the binaries in the virtual environment.
+			path := fmt.Sprintf("%s=%s%s%s", key, virtualEnvBin, string(os.PathListSeparator), value)
+			result = append(result, path)
+		} else if strings.EqualFold(key, "PYTHONHOME") {
+			// Skip PYTHONHOME to "unset" this value.
+		} else if strings.EqualFold(key, "VIRTUAL_ENV") {
+			// Skip VIRTUAL_ENV, we always set this to `virtualEnvDir`
+		} else {
+			result = append(result, env)
+		}
+	}
+	if !hasPath {
+		path := "PATH=" + virtualEnvBin
+		result = append(result, path)
+	}
+	virtualEnv := "VIRTUAL_ENV=" + virtualEnvDir
+	result = append(result, virtualEnv)
+	return result
+}
+
 func virtualEnvBinDirName() string {
 	if runtime.GOOS == windows {
 		return "Scripts"
diff --git a/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/uv.go b/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/uv.go
index f125b941d..667a7a29b 100644
--- a/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/uv.go
+++ b/vendor/github.com/pulumi/pulumi/sdk/v3/python/toolchain/uv.go
@@ -24,6 +24,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
+	"runtime"
 	"strings"
 
 	"github.com/blang/semver"
@@ -197,28 +198,78 @@ func (u *uv) ValidateVenv(ctx context.Context) error {
 }
 
 func (u *uv) ListPackages(ctx context.Context, transitive bool) ([]PythonPackage, error) {
-	cmd := exec.CommandContext(ctx, "uv", "pip", "list", "--format", "json")
-	// `uv pip` commands require the virtualenv to be activated.
-	cmd.Env = ActivateVirtualEnv(cmd.Environ(), u.virtualenvPath)
-	output, err := cmd.Output()
+	// We use `pip` instead of `uv pip` because `uv pip` does not respect the
+	// `-v` flag, which is required to get the package location.
+	// https://github.com/astral-sh/uv/issues/9838
+	args := []string{"list", "--format", "json", "-v"}
+	if !transitive {
+		args = append(args, "--not-required")
+	}
+	pipCmd, err := u.ModuleCommand(ctx, "pip", args...)
+	if err != nil {
+		return nil, fmt.Errorf("preparing pip list command: %w", err)
+	}
+	// Check if pip is installed, if not, we'll fallback to `uvx pip`, which will install an
+	// isolated pip for us.
+	cmd, err := u.ModuleCommand(ctx, "pip")
+	if err != nil {
+		return nil, fmt.Errorf("preparing check pip command: %w", err)
+	}
+	if out, err := cmd.CombinedOutput(); err != nil {
+		if strings.Contains(string(out), "No module named pip") {
+			// Use the python executable of our virtual environment so that pip will
+			// list the packages from that venv, instead of the isolated venv where
+			// uvx installs pip.
+			_, pythonPath := u.pythonExecutable()
+			args = []string{"pip", "--python", pythonPath, "list", "--format", "json", "-v"}
+			if !transitive {
+				args = append(args, "--not-required")
+			}
+			cmd := exec.CommandContext(ctx, "uvx", args...)
+			cmd.Dir = u.root
+			pipCmd = cmd
+		} else {
+			return nil, errorWithStderr(err, "checking for pip")
+		}
+	}
+
+	output, err := pipCmd.Output()
 	if err != nil {
-		return nil, fmt.Errorf("error listing packages: %w", err)
+		return nil, errorWithStderr(err, "listing packages")
 	}
 
 	var packages []PythonPackage
 	if err := json.Unmarshal(output, &packages); err != nil {
-		return nil, fmt.Errorf("error parsing package list: %w", err)
+		return nil, fmt.Errorf("parsing package list: %w", err)
 	}
 
 	return packages, nil
 }
 
 func (u *uv) Command(ctx context.Context, args ...string) (*exec.Cmd, error) {
-	return u.uvCommand(ctx, "", false, nil, nil, append([]string{"run", "python"}, args...)...), nil
+	// Note that we do not use `uv run python` here because this results in a
+	// process tree of `python-language-runtime -> uv -> python`. This is
+	// problematic because on error we kill the plugin and its children, but not
+	// the children of the children. On macOS and Linux, when uv is killed, it
+	// kills its children, so we have no problem here. On Windows however, it
+	// does not, and we end up with an orphaned Python process that's
+	// busy-waiting in the eventloop and never exits.
+	var cmd *exec.Cmd
+	name, cmdPath := u.pythonExecutable()
+	if needsPythonShim(cmdPath) {
+		shimCmd := fmt.Sprintf(pythonShimCmdFormat, name)
+		cmd = exec.CommandContext(ctx, shimCmd, args...)
+	} else {
+		cmd = exec.CommandContext(ctx, cmdPath, args...)
+	}
+	cmd.Env = ActivateVirtualEnv(cmd.Environ(), u.virtualenvPath)
+	cmd.Dir = u.root
+	return cmd, nil
 }
 
 func (u *uv) ModuleCommand(ctx context.Context, module string, args ...string) (*exec.Cmd, error) {
-	return u.uvCommand(ctx, "", false, nil, nil, append([]string{"run", "--module"}, args...)...), nil
+	moduleArgs := append([]string{"-m", module}, args...)
+	return u.Command(ctx, moduleArgs...)
 }
 
 func (u *uv) About(ctx context.Context) (Info, error) {
@@ -282,3 +333,11 @@ func (u *uv) uvVersion(versionString string) (semver.Version, error) {
 	}
 	return sem, nil
 }
+
+func (u *uv) pythonExecutable() (string, string) {
+	name := "python"
+	if runtime.GOOS == windows {
+		name = name + ".exe"
+	}
+	return name, filepath.Join(u.virtualenvPath, virtualEnvBinDirName(), name)
+}
diff --git a/vendor/github.com/sahilm/fuzzy/.travis.yml b/vendor/github.com/sahilm/fuzzy/.travis.yml
index 6756d8009..f77acde75 100644
--- a/vendor/github.com/sahilm/fuzzy/.travis.yml
+++ b/vendor/github.com/sahilm/fuzzy/.travis.yml
@@ -1,3 +1,6 @@
+arch:
+  - amd64
+  - ppc64le
 language: go
 go:
   - 1.x
diff --git a/vendor/github.com/sahilm/fuzzy/README.md b/vendor/github.com/sahilm/fuzzy/README.md
index c632da5d9..ea7bf22b2 100644
--- a/vendor/github.com/sahilm/fuzzy/README.md
+++ b/vendor/github.com/sahilm/fuzzy/README.md
@@ -17,7 +17,7 @@ VSCode, IntelliJ IDEA et al. This library is external dependency-free. It only d
 
 - Speed. Matches are returned in milliseconds. It's perfect for interactive search boxes.
 
-- The positions of matches is returned. Allows you to highlight matching characters.
+- The positions of matches are returned. Allows you to highlight matching characters.
 
 - Unicode aware.
 
@@ -76,7 +76,7 @@ func contains(needle int, haystack []int) bool {
 	return false
 }
 ``` 
-If the data you want to match isn't a slice of strings, you can use `FindFromSource` by implementing
+If the data you want to match isn't a slice of strings, you can use `FindFrom` by implementing
 the provided `Source` interface. Here's an example:
 
 ```go
@@ -119,7 +119,9 @@ func main() {
 		},
 	}
 	results := fuzzy.FindFrom("al", emps)
-	fmt.Println(results)
+	for _, r := range results {
+		fmt.Println(emps[r.Index])
+	}
 }
 ```
 
diff --git a/vendor/github.com/sahilm/fuzzy/fuzzy.go b/vendor/github.com/sahilm/fuzzy/fuzzy.go
index bd66ee66c..5125821fd 100644
--- a/vendor/github.com/sahilm/fuzzy/fuzzy.go
+++ b/vendor/github.com/sahilm/fuzzy/fuzzy.go
@@ -76,16 +76,36 @@ The following types of matches apply a bonus:
 
 Penalties are applied for every character in the search string that wasn't matched and all leading
 characters upto the first match.
+
+Results are sorted by best match.
 */
 func Find(pattern string, data []string) Matches {
 	return FindFrom(pattern, stringSource(data))
 }
 
+/*
+FindNoSort is an alternative Find implementation that does not sort
+the results in the end.
+*/
+func FindNoSort(pattern string, data []string) Matches {
+	return FindFromNoSort(pattern, stringSource(data))
+}
+
 /*
 FindFrom is an alternative implementation of Find using a Source
 instead of a list of strings.
 */
 func FindFrom(pattern string, data Source) Matches {
+	matches := FindFromNoSort(pattern, data)
+	sort.Stable(matches)
+	return matches
+}
+
+/*
+FindFromNoSort is an alternative FindFrom implementation that does
+not sort results in the end.
+*/
+func FindFromNoSort(pattern string, data Source) Matches {
 	if len(pattern) == 0 {
 		return nil
 	}
@@ -181,7 +201,6 @@ func FindFrom(pattern string, data Source) Matches {
 			matchedIndexes = match.MatchedIndexes[:0] // Recycle match index slice
 		}
 	}
-	sort.Stable(matches)
 	return matches
 }
 
diff --git a/vendor/github.com/skeema/knownhosts/NOTICE b/vendor/github.com/skeema/knownhosts/NOTICE
index a92cb34d6..224b20248 100644
--- a/vendor/github.com/skeema/knownhosts/NOTICE
+++ b/vendor/github.com/skeema/knownhosts/NOTICE
@@ -1,4 +1,4 @@
-Copyright 2024 Skeema LLC and the Skeema Knownhosts authors
+Copyright 2025 Skeema LLC and the Skeema Knownhosts authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/vendor/github.com/skeema/knownhosts/README.md b/vendor/github.com/skeema/knownhosts/README.md
index 046bc0edc..170e04d14 100644
--- a/vendor/github.com/skeema/knownhosts/README.md
+++ b/vendor/github.com/skeema/knownhosts/README.md
@@ -116,7 +116,7 @@ config := &ssh.ClientConfig{
 
 ## License
 
-**Source code copyright 2024 Skeema LLC and the Skeema Knownhosts authors**
+**Source code copyright 2025 Skeema LLC and the Skeema Knownhosts authors**
 
 ```text
 Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/vendor/github.com/spf13/pflag/.editorconfig b/vendor/github.com/spf13/pflag/.editorconfig
new file mode 100644
index 000000000..4492e9f9f
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/.editorconfig
@@ -0,0 +1,12 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.go]
+indent_style = tab
diff --git a/vendor/github.com/spf13/pflag/.golangci.yaml b/vendor/github.com/spf13/pflag/.golangci.yaml
new file mode 100644
index 000000000..b274f2484
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/.golangci.yaml
@@ -0,0 +1,4 @@
+linters:
+    disable-all: true
+    enable:
+        - nolintlint
diff --git a/vendor/github.com/spf13/pflag/flag.go b/vendor/github.com/spf13/pflag/flag.go
index 24a5036e9..7c058de37 100644
--- a/vendor/github.com/spf13/pflag/flag.go
+++ b/vendor/github.com/spf13/pflag/flag.go
@@ -160,7 +160,7 @@ type FlagSet struct {
 	args              []string // arguments after flags
 	argsLenAtDash     int      // len(args) when a '--' was located when parsing, or -1 if no --
 	errorHandling     ErrorHandling
-	output            io.Writer // nil means stderr; use out() accessor
+	output            io.Writer // nil means stderr; use Output() accessor
 	interspersed      bool      // allow interspersed option/non-option args
 	normalizeNameFunc func(f *FlagSet, name string) NormalizedName
 
@@ -255,13 +255,20 @@ func (f *FlagSet) normalizeFlagName(name string) NormalizedName {
 	return n(f, name)
 }
 
-func (f *FlagSet) out() io.Writer {
+// Output returns the destination for usage and error messages. os.Stderr is returned if
+// output was not set or was set to nil.
+func (f *FlagSet) Output() io.Writer {
 	if f.output == nil {
 		return os.Stderr
 	}
 	return f.output
 }
 
+// Name returns the name of the flag set.
+func (f *FlagSet) Name() string {
+	return f.name
+}
+
 // SetOutput sets the destination for usage and error messages.
 // If output is nil, os.Stderr is used.
 func (f *FlagSet) SetOutput(output io.Writer) {
@@ -358,7 +365,7 @@ func (f *FlagSet) ShorthandLookup(name string) *Flag {
 	}
 	if len(name) > 1 {
 		msg := fmt.Sprintf("can not look up shorthand which is more than one ASCII character: %q", name)
-		fmt.Fprintf(f.out(), msg)
+		fmt.Fprintf(f.Output(), msg)
 		panic(msg)
 	}
 	c := name[0]
@@ -482,7 +489,7 @@ func (f *FlagSet) Set(name, value string) error {
 	}
 
 	if flag.Deprecated != "" {
-		fmt.Fprintf(f.out(), "Flag --%s has been deprecated, %s\n", flag.Name, flag.Deprecated)
+		fmt.Fprintf(f.Output(), "Flag --%s has been deprecated, %s\n", flag.Name, flag.Deprecated)
 	}
 	return nil
 }
@@ -523,7 +530,7 @@ func Set(name, value string) error {
 // otherwise, the default values of all defined flags in the set.
 func (f *FlagSet) PrintDefaults() {
 	usages := f.FlagUsages()
-	fmt.Fprint(f.out(), usages)
+	fmt.Fprint(f.Output(), usages)
 }
 
 // defaultIsZeroValue returns true if the default value for this flag represents
@@ -758,7 +765,7 @@ func PrintDefaults() {
 
 // defaultUsage is the default function to print a usage message.
 func defaultUsage(f *FlagSet) {
-	fmt.Fprintf(f.out(), "Usage of %s:\n", f.name)
+	fmt.Fprintf(f.Output(), "Usage of %s:\n", f.name)
 	f.PrintDefaults()
 }
 
@@ -844,7 +851,7 @@ func (f *FlagSet) AddFlag(flag *Flag) {
 	_, alreadyThere := f.formal[normalizedFlagName]
 	if alreadyThere {
 		msg := fmt.Sprintf("%s flag redefined: %s", f.name, flag.Name)
-		fmt.Fprintln(f.out(), msg)
+		fmt.Fprintln(f.Output(), msg)
 		panic(msg) // Happens only if flags are declared with identical names
 	}
 	if f.formal == nil {
@@ -860,7 +867,7 @@ func (f *FlagSet) AddFlag(flag *Flag) {
 	}
 	if len(flag.Shorthand) > 1 {
 		msg := fmt.Sprintf("%q shorthand is more than one ASCII character", flag.Shorthand)
-		fmt.Fprintf(f.out(), msg)
+		fmt.Fprintf(f.Output(), msg)
 		panic(msg)
 	}
 	if f.shorthands == nil {
@@ -870,7 +877,7 @@ func (f *FlagSet) AddFlag(flag *Flag) {
 	used, alreadyThere := f.shorthands[c]
 	if alreadyThere {
 		msg := fmt.Sprintf("unable to redefine %q shorthand in %q flagset: it's already used for %q flag", c, f.name, used.Name)
-		fmt.Fprintf(f.out(), msg)
+		fmt.Fprintf(f.Output(), msg)
 		panic(msg)
 	}
 	f.shorthands[c] = flag
@@ -909,7 +916,7 @@ func VarP(value Value, name, shorthand, usage string) {
 func (f *FlagSet) failf(format string, a ...interface{}) error {
 	err := fmt.Errorf(format, a...)
 	if f.errorHandling != ContinueOnError {
-		fmt.Fprintln(f.out(), err)
+		fmt.Fprintln(f.Output(), err)
 		f.usage()
 	}
 	return err
@@ -1060,7 +1067,7 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 	}
 
 	if flag.ShorthandDeprecated != "" {
-		fmt.Fprintf(f.out(), "Flag shorthand -%s has been deprecated, %s\n", flag.Shorthand, flag.ShorthandDeprecated)
+		fmt.Fprintf(f.Output(), "Flag shorthand -%s has been deprecated, %s\n", flag.Shorthand, flag.ShorthandDeprecated)
 	}
 
 	err = fn(flag, value)
diff --git a/vendor/github.com/spf13/pflag/ip.go b/vendor/github.com/spf13/pflag/ip.go
index 3d414ba69..06b8bcb57 100644
--- a/vendor/github.com/spf13/pflag/ip.go
+++ b/vendor/github.com/spf13/pflag/ip.go
@@ -16,6 +16,9 @@ func newIPValue(val net.IP, p *net.IP) *ipValue {
 
 func (i *ipValue) String() string { return net.IP(*i).String() }
 func (i *ipValue) Set(s string) error {
+	if s == "" {
+		return nil
+	}
 	ip := net.ParseIP(strings.TrimSpace(s))
 	if ip == nil {
 		return fmt.Errorf("failed to parse IP: %q", s)
diff --git a/vendor/github.com/spf13/pflag/ipnet_slice.go b/vendor/github.com/spf13/pflag/ipnet_slice.go
new file mode 100644
index 000000000..6b541aa87
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/ipnet_slice.go
@@ -0,0 +1,147 @@
+package pflag
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"strings"
+)
+
+// -- ipNetSlice Value
+type ipNetSliceValue struct {
+	value   *[]net.IPNet
+	changed bool
+}
+
+func newIPNetSliceValue(val []net.IPNet, p *[]net.IPNet) *ipNetSliceValue {
+	ipnsv := new(ipNetSliceValue)
+	ipnsv.value = p
+	*ipnsv.value = val
+	return ipnsv
+}
+
+// Set converts, and assigns, the comma-separated IPNet argument string representation as the []net.IPNet value of this flag.
+// If Set is called on a flag that already has a []net.IPNet assigned, the newly converted values will be appended.
+func (s *ipNetSliceValue) Set(val string) error {
+
+	// remove all quote characters
+	rmQuote := strings.NewReplacer(`"`, "", `'`, "", "`", "")
+
+	// read flag arguments with CSV parser
+	ipNetStrSlice, err := readAsCSV(rmQuote.Replace(val))
+	if err != nil && err != io.EOF {
+		return err
+	}
+
+	// parse ip values into slice
+	out := make([]net.IPNet, 0, len(ipNetStrSlice))
+	for _, ipNetStr := range ipNetStrSlice {
+		_, n, err := net.ParseCIDR(strings.TrimSpace(ipNetStr))
+		if err != nil {
+			return fmt.Errorf("invalid string being converted to CIDR: %s", ipNetStr)
+		}
+		out = append(out, *n)
+	}
+
+	if !s.changed {
+		*s.value = out
+	} else {
+		*s.value = append(*s.value, out...)
+	}
+
+	s.changed = true
+
+	return nil
+}
+
+// Type returns a string that uniquely represents this flag's type.
+func (s *ipNetSliceValue) Type() string {
+	return "ipNetSlice"
+}
+
+// String defines a "native" format for this net.IPNet slice flag value.
+func (s *ipNetSliceValue) String() string {
+
+	ipNetStrSlice := make([]string, len(*s.value))
+	for i, n := range *s.value {
+		ipNetStrSlice[i] = n.String()
+	}
+
+	out, _ := writeAsCSV(ipNetStrSlice)
+	return "[" + out + "]"
+}
+
+func ipNetSliceConv(val string) (interface{}, error) {
+	val = strings.Trim(val, "[]")
+	// Emtpy string would cause a slice with one (empty) entry
+	if len(val) == 0 {
+		return []net.IPNet{}, nil
+	}
+	ss := strings.Split(val, ",")
+	out := make([]net.IPNet, len(ss))
+	for i, sval := range ss {
+		_, n, err := net.ParseCIDR(strings.TrimSpace(sval))
+		if err != nil {
+			return nil, fmt.Errorf("invalid string being converted to CIDR: %s", sval)
+		}
+		out[i] = *n
+	}
+	return out, nil
+}
+
+// GetIPNetSlice returns the []net.IPNet value of a flag with the given name
+func (f *FlagSet) GetIPNetSlice(name string) ([]net.IPNet, error) {
+	val, err := f.getFlagType(name, "ipNetSlice", ipNetSliceConv)
+	if err != nil {
+		return []net.IPNet{}, err
+	}
+	return val.([]net.IPNet), nil
+}
+
+// IPNetSliceVar defines a ipNetSlice flag with specified name, default value, and usage string.
+// The argument p points to a []net.IPNet variable in which to store the value of the flag.
+func (f *FlagSet) IPNetSliceVar(p *[]net.IPNet, name string, value []net.IPNet, usage string) {
+	f.VarP(newIPNetSliceValue(value, p), name, "", usage)
+}
+
+// IPNetSliceVarP is like IPNetSliceVar, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) IPNetSliceVarP(p *[]net.IPNet, name, shorthand string, value []net.IPNet, usage string) {
+	f.VarP(newIPNetSliceValue(value, p), name, shorthand, usage)
+}
+
+// IPNetSliceVar defines a []net.IPNet flag with specified name, default value, and usage string.
+// The argument p points to a []net.IPNet variable in which to store the value of the flag.
+func IPNetSliceVar(p *[]net.IPNet, name string, value []net.IPNet, usage string) {
+	CommandLine.VarP(newIPNetSliceValue(value, p), name, "", usage)
+}
+
+// IPNetSliceVarP is like IPNetSliceVar, but accepts a shorthand letter that can be used after a single dash.
+func IPNetSliceVarP(p *[]net.IPNet, name, shorthand string, value []net.IPNet, usage string) {
+	CommandLine.VarP(newIPNetSliceValue(value, p), name, shorthand, usage)
+}
+
+// IPNetSlice defines a []net.IPNet flag with specified name, default value, and usage string.
+// The return value is the address of a []net.IPNet variable that stores the value of that flag.
+func (f *FlagSet) IPNetSlice(name string, value []net.IPNet, usage string) *[]net.IPNet {
+	p := []net.IPNet{}
+	f.IPNetSliceVarP(&p, name, "", value, usage)
+	return &p
+}
+
+// IPNetSliceP is like IPNetSlice, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) IPNetSliceP(name, shorthand string, value []net.IPNet, usage string) *[]net.IPNet {
+	p := []net.IPNet{}
+	f.IPNetSliceVarP(&p, name, shorthand, value, usage)
+	return &p
+}
+
+// IPNetSlice defines a []net.IPNet flag with specified name, default value, and usage string.
+// The return value is the address of a []net.IP variable that stores the value of the flag.
+func IPNetSlice(name string, value []net.IPNet, usage string) *[]net.IPNet {
+	return CommandLine.IPNetSliceP(name, "", value, usage)
+}
+
+// IPNetSliceP is like IPNetSlice, but accepts a shorthand letter that can be used after a single dash.
+func IPNetSliceP(name, shorthand string, value []net.IPNet, usage string) *[]net.IPNet {
+	return CommandLine.IPNetSliceP(name, shorthand, value, usage)
+}
diff --git a/vendor/github.com/spf13/pflag/string_array.go b/vendor/github.com/spf13/pflag/string_array.go
index 4894af818..d1ff0a96b 100644
--- a/vendor/github.com/spf13/pflag/string_array.go
+++ b/vendor/github.com/spf13/pflag/string_array.go
@@ -31,11 +31,7 @@ func (s *stringArrayValue) Append(val string) error {
 func (s *stringArrayValue) Replace(val []string) error {
 	out := make([]string, len(val))
 	for i, d := range val {
-		var err error
 		out[i] = d
-		if err != nil {
-			return err
-		}
 	}
 	*s.value = out
 	return nil
diff --git a/vendor/golang.org/x/crypto/pkcs12/crypto.go b/vendor/golang.org/x/crypto/pkcs12/crypto.go
index 96f4a1a56..212538cb5 100644
--- a/vendor/golang.org/x/crypto/pkcs12/crypto.go
+++ b/vendor/golang.org/x/crypto/pkcs12/crypto.go
@@ -26,7 +26,7 @@ type pbeCipher interface {
 	create(key []byte) (cipher.Block, error)
 	// deriveKey returns a key derived from the given password and salt.
 	deriveKey(salt, password []byte, iterations int) []byte
-	// deriveKey returns an IV derived from the given password and salt.
+	// deriveIV returns an IV derived from the given password and salt.
 	deriveIV(salt, password []byte, iterations int) []byte
 }
 
diff --git a/vendor/golang.org/x/net/http2/config.go b/vendor/golang.org/x/net/http2/config.go
index de58dfb8d..ca645d9a1 100644
--- a/vendor/golang.org/x/net/http2/config.go
+++ b/vendor/golang.org/x/net/http2/config.go
@@ -60,7 +60,7 @@ func configFromServer(h1 *http.Server, h2 *Server) http2Config {
 	return conf
 }
 
-// configFromServer merges configuration settings from h2 and h2.t1.HTTP2
+// configFromTransport merges configuration settings from h2 and h2.t1.HTTP2
 // (the net/http Transport).
 func configFromTransport(h2 *Transport) http2Config {
 	conf := http2Config{
diff --git a/vendor/golang.org/x/net/http2/config_go124.go b/vendor/golang.org/x/net/http2/config_go124.go
index e3784123c..5b516c55f 100644
--- a/vendor/golang.org/x/net/http2/config_go124.go
+++ b/vendor/golang.org/x/net/http2/config_go124.go
@@ -13,7 +13,7 @@ func fillNetHTTPServerConfig(conf *http2Config, srv *http.Server) {
 	fillNetHTTPConfig(conf, srv.HTTP2)
 }
 
-// fillNetHTTPServerConfig sets fields in conf from tr.HTTP2.
+// fillNetHTTPTransportConfig sets fields in conf from tr.HTTP2.
 func fillNetHTTPTransportConfig(conf *http2Config, tr *http.Transport) {
 	fillNetHTTPConfig(conf, tr.HTTP2)
 }
diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index 090d0e1bd..b2e2ed337 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -375,6 +375,7 @@ type ClientConn struct {
 	doNotReuse       bool       // whether conn is marked to not be reused for any future requests
 	closing          bool
 	closed           bool
+	closedOnIdle     bool                     // true if conn was closed for idleness
 	seenSettings     bool                     // true if we've seen a settings frame, false otherwise
 	seenSettingsChan chan struct{}            // closed when seenSettings is true or frame reading fails
 	wantSettingsAck  bool                     // we sent a SETTINGS frame and haven't heard back
@@ -1089,10 +1090,12 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 
 	// If this connection has never been used for a request and is closed,
 	// then let it take a request (which will fail).
+	// If the conn was closed for idleness, we're racing the idle timer;
+	// don't try to use the conn. (Issue #70515.)
 	//
 	// This avoids a situation where an error early in a connection's lifetime
 	// goes unreported.
-	if cc.nextStreamID == 1 && cc.streamsReserved == 0 && cc.closed {
+	if cc.nextStreamID == 1 && cc.streamsReserved == 0 && cc.closed && !cc.closedOnIdle {
 		st.canTakeNewRequest = true
 	}
 
@@ -1155,6 +1158,7 @@ func (cc *ClientConn) closeIfIdle() {
 		return
 	}
 	cc.closed = true
+	cc.closedOnIdle = true
 	nextID := cc.nextStreamID
 	// TODO: do clients send GOAWAY too? maybe? Just Close:
 	cc.mu.Unlock()
@@ -2434,9 +2438,12 @@ func (rl *clientConnReadLoop) cleanup() {
 	// This avoids a situation where new connections are constantly created,
 	// added to the pool, fail, and are removed from the pool, without any error
 	// being surfaced to the user.
-	const unusedWaitTime = 5 * time.Second
+	unusedWaitTime := 5 * time.Second
+	if cc.idleTimeout > 0 && unusedWaitTime > cc.idleTimeout {
+		unusedWaitTime = cc.idleTimeout
+	}
 	idleTime := cc.t.now().Sub(cc.lastActive)
-	if atomic.LoadUint32(&cc.atomicReused) == 0 && idleTime < unusedWaitTime {
+	if atomic.LoadUint32(&cc.atomicReused) == 0 && idleTime < unusedWaitTime && !cc.closedOnIdle {
 		cc.idleTimer = cc.t.afterFunc(unusedWaitTime-idleTime, func() {
 			cc.t.connPool().MarkDead(cc)
 		})
diff --git a/vendor/golang.org/x/sys/unix/syscall_dragonfly.go b/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
index 97cb916f2..be8c00207 100644
--- a/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
+++ b/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
@@ -246,6 +246,18 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
 	return sendfile(outfd, infd, offset, count)
 }
 
+func Dup3(oldfd, newfd, flags int) error {
+	if oldfd == newfd || flags&^O_CLOEXEC != 0 {
+		return EINVAL
+	}
+	how := F_DUP2FD
+	if flags&O_CLOEXEC != 0 {
+		how = F_DUP2FD_CLOEXEC
+	}
+	_, err := fcntl(oldfd, how, newfd)
+	return err
+}
+
 /*
  * Exposed directly
  */
diff --git a/vendor/golang.org/x/sys/windows/dll_windows.go b/vendor/golang.org/x/sys/windows/dll_windows.go
index 4e613cf63..3ca814f54 100644
--- a/vendor/golang.org/x/sys/windows/dll_windows.go
+++ b/vendor/golang.org/x/sys/windows/dll_windows.go
@@ -43,8 +43,8 @@ type DLL struct {
 // LoadDLL loads DLL file into memory.
 //
 // Warning: using LoadDLL without an absolute path name is subject to
-// DLL preloading attacks. To safely load a system DLL, use LazyDLL
-// with System set to true, or use LoadLibraryEx directly.
+// DLL preloading attacks. To safely load a system DLL, use [NewLazySystemDLL],
+// or use [LoadLibraryEx] directly.
 func LoadDLL(name string) (dll *DLL, err error) {
 	namep, err := UTF16PtrFromString(name)
 	if err != nil {
@@ -271,6 +271,9 @@ func (d *LazyDLL) NewProc(name string) *LazyProc {
 }
 
 // NewLazyDLL creates new LazyDLL associated with DLL file.
+//
+// Warning: using NewLazyDLL without an absolute path name is subject to
+// DLL preloading attacks. To safely load a system DLL, use [NewLazySystemDLL].
 func NewLazyDLL(name string) *LazyDLL {
 	return &LazyDLL{Name: name}
 }
@@ -410,7 +413,3 @@ func loadLibraryEx(name string, system bool) (*DLL, error) {
 	}
 	return &DLL{Name: name, Handle: h}, nil
 }
-
-type errString string
-
-func (s errString) Error() string { return string(s) }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6fd36280d..12dc8a5fd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,4 +1,4 @@
-# dario.cat/mergo v1.0.0
+# dario.cat/mergo v1.0.1
 ## explicit; go 1.13
 dario.cat/mergo
 # github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0
@@ -77,7 +77,7 @@ github.com/Microsoft/go-winio/internal/fs
 github.com/Microsoft/go-winio/internal/socket
 github.com/Microsoft/go-winio/internal/stringbuffer
 github.com/Microsoft/go-winio/pkg/guid
-# github.com/ProtonMail/go-crypto v1.1.3
+# github.com/ProtonMail/go-crypto v1.1.5
 ## explicit; go 1.17
 github.com/ProtonMail/go-crypto/bitcurves
 github.com/ProtonMail/go-crypto/brainpool
@@ -129,8 +129,8 @@ github.com/aws/amazon-ec2-instance-selector/v2/pkg/sorter
 ## explicit; go 1.19
 github.com/aws/aws-sdk-go/aws/awserr
 github.com/aws/aws-sdk-go/aws/endpoints
-# github.com/aws/aws-sdk-go-v2 v1.32.7
-## explicit; go 1.21
+# github.com/aws/aws-sdk-go-v2 v1.36.2
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/aws
 github.com/aws/aws-sdk-go-v2/aws/arn
 github.com/aws/aws-sdk-go-v2/aws/defaults
@@ -157,15 +157,15 @@ github.com/aws/aws-sdk-go-v2/internal/shareddefaults
 github.com/aws/aws-sdk-go-v2/internal/strings
 github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
 github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/eventstreamapi
 # github.com/aws/aws-sdk-go-v2/config v1.27.18
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/config
-# github.com/aws/aws-sdk-go-v2/credentials v1.17.18
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/credentials v1.17.60
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/credentials
 github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds
 github.com/aws/aws-sdk-go-v2/credentials/endpointcreds
@@ -173,21 +173,21 @@ github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client
 github.com/aws/aws-sdk-go-v2/credentials/processcreds
 github.com/aws/aws-sdk-go-v2/credentials/ssocreds
 github.com/aws/aws-sdk-go-v2/credentials/stscreds
-# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.29
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26
-## explicit; go 1.21
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.33
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26
-## explicit; go 1.21
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.33
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
-# github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/internal/ini
-# github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.33
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/internal/v4a
 github.com/aws/aws-sdk-go-v2/internal/v4a/internal/crypto
 github.com/aws/aws-sdk-go-v2/internal/v4a/internal/v4
@@ -196,8 +196,8 @@ github.com/aws/aws-sdk-go-v2/internal/v4a/internal/v4
 github.com/aws/aws-sdk-go-v2/service/ec2
 github.com/aws/aws-sdk-go-v2/service/ec2/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ec2/types
-# github.com/aws/aws-sdk-go-v2/service/ecs v1.53.0
-## explicit; go 1.21
+# github.com/aws/aws-sdk-go-v2/service/ecs v1.53.16
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/service/ecs
 github.com/aws/aws-sdk-go-v2/service/ecs/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ecs/types
@@ -206,14 +206,14 @@ github.com/aws/aws-sdk-go-v2/service/ecs/types
 github.com/aws/aws-sdk-go-v2/service/iam
 github.com/aws/aws-sdk-go-v2/service/iam/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/iam/types
-# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
 # github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/checksum
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.14
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
 # github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5
 ## explicit; go 1.20
@@ -232,23 +232,23 @@ github.com/aws/aws-sdk-go-v2/service/s3/internal/arn
 github.com/aws/aws-sdk-go-v2/service/s3/internal/customizations
 github.com/aws/aws-sdk-go-v2/service/s3/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/s3/types
-# github.com/aws/aws-sdk-go-v2/service/sso v1.20.11
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/service/sso v1.24.16
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/service/sso
 github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sso/types
-# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.15
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/service/ssooidc
 github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ssooidc/types
-# github.com/aws/aws-sdk-go-v2/service/sts v1.28.12
-## explicit; go 1.20
+# github.com/aws/aws-sdk-go-v2/service/sts v1.33.15
+## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sts/types
-# github.com/aws/smithy-go v1.22.1
-## explicit; go 1.21
+# github.com/aws/smithy-go v1.22.3
+## explicit; go 1.22
 github.com/aws/smithy-go
 github.com/aws/smithy-go/auth
 github.com/aws/smithy-go/auth/bearer
@@ -328,8 +328,8 @@ github.com/containerd/console
 # github.com/coocood/freecache v1.2.4
 ## explicit; go 1.13
 github.com/coocood/freecache
-# github.com/cyphar/filepath-securejoin v0.2.5
-## explicit; go 1.13
+# github.com/cyphar/filepath-securejoin v0.3.6
+## explicit; go 1.18
 github.com/cyphar/filepath-securejoin
 # github.com/djherbis/times v1.5.0
 ## explicit; go 1.16
@@ -354,15 +354,15 @@ github.com/go-git/gcfg
 github.com/go-git/gcfg/scanner
 github.com/go-git/gcfg/token
 github.com/go-git/gcfg/types
-# github.com/go-git/go-billy/v5 v5.6.0
-## explicit; go 1.20
+# github.com/go-git/go-billy/v5 v5.6.2
+## explicit; go 1.21
 github.com/go-git/go-billy/v5
 github.com/go-git/go-billy/v5/helper/chroot
 github.com/go-git/go-billy/v5/helper/polyfill
 github.com/go-git/go-billy/v5/memfs
 github.com/go-git/go-billy/v5/osfs
 github.com/go-git/go-billy/v5/util
-# github.com/go-git/go-git/v5 v5.13.0
+# github.com/go-git/go-git/v5 v5.13.2
 ## explicit; go 1.21
 github.com/go-git/go-git/v5
 github.com/go-git/go-git/v5/config
@@ -458,6 +458,9 @@ github.com/imdario/mergo
 # github.com/inconshreveable/mousetrap v1.1.0
 ## explicit; go 1.18
 github.com/inconshreveable/mousetrap
+# github.com/iwdgo/sigintwindows v0.2.2
+## explicit; go 1.14
+github.com/iwdgo/sigintwindows
 # github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
 ## explicit
 github.com/jbenet/go-context/io
@@ -474,7 +477,7 @@ github.com/kylelemons/godebug/pretty
 # github.com/lucasb-eyer/go-colorful v1.2.0
 ## explicit; go 1.12
 github.com/lucasb-eyer/go-colorful
-# github.com/magiconair/properties v1.8.7
+# github.com/magiconair/properties v1.8.9
 ## explicit; go 1.19
 github.com/magiconair/properties
 # github.com/mattn/go-isatty v0.0.20
@@ -483,7 +486,7 @@ github.com/mattn/go-isatty
 # github.com/mattn/go-localereader v0.0.1
 ## explicit
 github.com/mattn/go-localereader
-# github.com/mattn/go-runewidth v0.0.15
+# github.com/mattn/go-runewidth v0.0.16
 ## explicit; go 1.9
 github.com/mattn/go-runewidth
 # github.com/mitchellh/go-homedir v1.1.0
@@ -516,8 +519,6 @@ github.com/muesli/reflow/wrap
 github.com/muesli/termenv
 # github.com/nxadm/tail v1.4.11
 ## explicit; go 1.13
-github.com/nxadm/tail
-github.com/nxadm/tail/ratelimiter
 github.com/nxadm/tail/util
 github.com/nxadm/tail/watch
 github.com/nxadm/tail/winfile
@@ -536,8 +537,8 @@ github.com/opentracing/opentracing-go/log
 # github.com/patrickmn/go-cache v2.1.0+incompatible
 ## explicit
 github.com/patrickmn/go-cache
-# github.com/pelletier/go-toml/v2 v2.2.2
-## explicit; go 1.16
+# github.com/pelletier/go-toml/v2 v2.2.3
+## explicit; go 1.21.0
 github.com/pelletier/go-toml/v2
 github.com/pelletier/go-toml/v2/internal/characters
 github.com/pelletier/go-toml/v2/internal/danger
@@ -546,8 +547,8 @@ github.com/pelletier/go-toml/v2/unstable
 # github.com/pgavlin/fx v0.1.6
 ## explicit; go 1.20
 github.com/pgavlin/fx
-# github.com/pjbgf/sha1cd v0.3.0
-## explicit; go 1.19
+# github.com/pjbgf/sha1cd v0.3.2
+## explicit; go 1.21
 github.com/pjbgf/sha1cd
 github.com/pjbgf/sha1cd/internal
 github.com/pjbgf/sha1cd/ubc
@@ -619,8 +620,8 @@ github.com/pulumi/pulumi-azure-native-sdk/storage/v2
 # github.com/pulumi/pulumi-azure-native-sdk/v2 v2.76.0
 ## explicit; go 1.21
 github.com/pulumi/pulumi-azure-native-sdk/v2/utilities
-# github.com/pulumi/pulumi-command/sdk v1.0.1
-## explicit; go 1.21
+# github.com/pulumi/pulumi-command/sdk v1.0.2
+## explicit; go 1.22
 github.com/pulumi/pulumi-command/sdk/go/command/internal
 github.com/pulumi/pulumi-command/sdk/go/command/remote
 # github.com/pulumi/pulumi-docker/sdk/v4 v4.4.3
@@ -635,8 +636,8 @@ github.com/pulumi/pulumi-random/sdk/v4/go/random/internal
 ## explicit; go 1.21
 github.com/pulumi/pulumi-tls/sdk/v5/go/tls
 github.com/pulumi/pulumi-tls/sdk/v5/go/tls/internal
-# github.com/pulumi/pulumi/sdk/v3 v3.143.0
-## explicit; go 1.21
+# github.com/pulumi/pulumi/sdk/v3 v3.150.0
+## explicit; go 1.22
 github.com/pulumi/pulumi/sdk/v3
 github.com/pulumi/pulumi/sdk/v3/go/auto
 github.com/pulumi/pulumi/sdk/v3/go/auto/debug
@@ -668,6 +669,7 @@ github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin
 github.com/pulumi/pulumi/sdk/v3/go/common/resource/sig
 github.com/pulumi/pulumi/sdk/v3/go/common/resource/urn
 github.com/pulumi/pulumi/sdk/v3/go/common/slice
+github.com/pulumi/pulumi/sdk/v3/go/common/tail
 github.com/pulumi/pulumi/sdk/v3/go/common/tokens
 github.com/pulumi/pulumi/sdk/v3/go/common/util/archive
 github.com/pulumi/pulumi/sdk/v3/go/common/util/ciutil
@@ -714,7 +716,7 @@ github.com/sagikazarmark/locafero
 # github.com/sagikazarmark/slog-shim v0.1.0
 ## explicit; go 1.20
 github.com/sagikazarmark/slog-shim
-# github.com/sahilm/fuzzy v0.1.0
+# github.com/sahilm/fuzzy v0.1.1
 ## explicit
 github.com/sahilm/fuzzy
 # github.com/santhosh-tekuri/jsonschema/v5 v5.0.0
@@ -726,8 +728,8 @@ github.com/sergi/go-diff/diffmatchpatch
 # github.com/sirupsen/logrus v1.9.3
 ## explicit; go 1.13
 github.com/sirupsen/logrus
-# github.com/skeema/knownhosts v1.3.0
-## explicit; go 1.17
+# github.com/skeema/knownhosts v1.3.1
+## explicit; go 1.22
 github.com/skeema/knownhosts
 # github.com/sourcegraph/conc v0.3.0
 ## explicit; go 1.19
@@ -746,7 +748,7 @@ github.com/spf13/cast
 # github.com/spf13/cobra v1.8.0
 ## explicit; go 1.15
 github.com/spf13/cobra
-# github.com/spf13/pflag v1.0.5
+# github.com/spf13/pflag v1.0.6
 ## explicit; go 1.12
 github.com/spf13/pflag
 # github.com/spf13/viper v1.19.0
@@ -801,7 +803,7 @@ go.uber.org/atomic
 # go.uber.org/multierr v1.11.0
 ## explicit; go 1.19
 go.uber.org/multierr
-# golang.org/x/crypto v0.31.0
+# golang.org/x/crypto v0.32.0
 ## explicit; go 1.20
 golang.org/x/crypto/argon2
 golang.org/x/crypto/blake2b
@@ -831,7 +833,7 @@ golang.org/x/exp/slog/internal/buffer
 # golang.org/x/mod v0.19.0
 ## explicit; go 1.18
 golang.org/x/mod/semver
-# golang.org/x/net v0.33.0
+# golang.org/x/net v0.34.0
 ## explicit; go 1.18
 golang.org/x/net/context
 golang.org/x/net/http/httpguts
@@ -845,7 +847,7 @@ golang.org/x/net/trace
 # golang.org/x/sync v0.10.0
 ## explicit; go 1.18
 golang.org/x/sync/errgroup
-# golang.org/x/sys v0.28.0
+# golang.org/x/sys v0.29.0
 ## explicit; go 1.18
 golang.org/x/sys/cpu
 golang.org/x/sys/execabs
@@ -853,7 +855,7 @@ golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
-# golang.org/x/term v0.27.0
+# golang.org/x/term v0.28.0
 ## explicit; go 1.18
 golang.org/x/term
 # golang.org/x/text v0.21.0