chore(deps): bump github.com/opencontainers/umoci from 0.4.7 to 0.5.0 in the opencontainers group

[dependabot]

Bumps the opencontainers group with 1 update: github.com/opencontainers/umoci.

Updates github.com/opencontainers/umoci from 0.4.7 to 0.5.0

Changelog

Sourced from github.com/opencontainers/umoci's changelog.

[0.5.0] - 2025-05-21

A wizard is never late, Frodo Baggins. Nor is he early; he arrives precisely when he means to.

This version of umoci requires Go 1.23 to build.

Security

• A security flaw was found in the OCI image-spec, where it is possible to cause a blob with one media-type to be interpreted as a different media-type. As umoci is not a registry nor does it handle signatures, this vulnerability had no real impact on umoci but for safety we implemented the now-recommended media-type embedding and verification. CVE-2021-41190

Breaking

• The method of configuring the on-disk format and MapOptions in RepackOptions and UnpackOptions has been changed. The on-disk format is now represented with the OnDiskFormat interface, with DirRootfs and OverlayfsRootfs as possible options to use. MapOptions is now configured inside the OnDiskFormat setting, which will require callers to adjust their usage of the main umoci APIs. In particular, examples like

  unpackOptions := &layer.UnpackOptions{
      MapOptions: mapOptions,
      WhiteoutMode: layer.StandardOCIWhiteout, // or layer.OverlayFSWhiteout
  }
  err := layer.UnpackManifest(ctx, engineExt, bundle, manifest, unpackOptions)

  will have to now be written as

  unpackOptions := &layer.UnpackOptions{
      OnDiskFormat: layer.DirRootfs{ // or layer.OverlayfsRootfs
          MapOptions: mapOptions,
      },
  }
  err := layer.UnpackManifest(ctx, engineExt, bundle, manifest, unpackOptions)

  and similarly

  repackOptions := &layer.RepackOptions{
      MapOptions: mapOptions,
      TranslateOverlayWhiteouts: false, // or true
  }
  layerRdr, err := layer.GenerateLayer(path, deltas, repackOptions)

... (truncated)

Commits

• 0bb7e0b VERSION: release v0.5.0
• 5a2921b merge #588 into opencontainers/umoci:main
• 486a6a5 oci: layer: handle auto-converting to an opaque whiteout with overlayfs
• a665c67 oci: layer: fix extraction with a non-directory parent component
• 9892049 merge #587 into opencontainers/umoci:main
• 7d2d5e5 oci: layer: add support for userxattr in OverlayfsRootfs
• 55fc2f5 oci: layer: clean up ToDisk and ToTar signatures
• 8375e7a oci: layer: explicitly handle unrelated xattrs for overlayfs xattr filter
• 0cea894 oci: layer: merge is-overlayfs config and mapping into OnDiskFormat config
• fbe9b0e tests: make sure we use a new t.TempDir per-t.Run
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions