feat: bump go to 1.25

feat: bump mockery to v2.53.5 feat: bump govulncheck feat: bump bingo to v0.10.0 force go-1.25.7 update thumbnail images for test bump reva to latest
2026-04-25 17:25:21 +02:00 · 2026-02-09 11:10:41 +01:00
parent 568620a3cd
commit da5e63dfe3
41 changed files with 174 additions and 281 deletions
--- a/.bingo/.gitignore
+++ b/.bingo/.gitignore
@@ -11,3 +11,4 @@
 !variables.env

 *tmp.mod
+*tmp.sum
--- a/.bingo/README.md
+++ b/.bingo/README.md
@@ -1,14 +1,13 @@
 # Project Development Dependencies.

-This is directory which stores Go modules with pinned buildable package that is used within this repository, managed by https://github.com/bwplotka/bingo.
+This is directory which stores Go modules with pinned buildable package that is used within this repository, managed by <https://github.com/bwplotka/bingo>.

 * Run `bingo get` to install all tools having each own module file in this directory.
-* Run `bingo get <tool>` to install <tool> that have own module file in this directory.
-* For Makefile: Make sure to put `include .bingo/Variables.mk` in your Makefile, then use $(<upper case tool name>) variable where <tool> is the .bingo/<tool>.mod.
+* Run `bingo get <tool>` to install `<tool>` that have own module file in this directory.
+* For Makefile: Make sure to put `include .bingo/Variables.mk` in your Makefile, then use `\$(<UPPER_CASE_TOOL_NAME>)` variable where `<tool>` is the .bingo/`<tool>.mod`.
 * For shell: Run `source .bingo/variables.env` to source all environment variable for each tool.
-* For go: Import `.bingo/variables.go` to for variable names.
-* See https://github.com/bwplotka/bingo or -h on how to add, remove or change binaries dependencies.
+* See <https://github.com/bwplotka/bingo> or -h on how to add, remove or change binaries dependencies.

 ## Requirements

-* Go 1.14+
+* Go 1.24.x or 1.25.x
--- a/.bingo/Variables.mk
+++ b/.bingo/Variables.mk
@@ -1,10 +1,16 @@
-# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.9. DO NOT EDIT.
+# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.10. DO NOT EDIT.
 # All tools are designed to be build inside $GOBIN.
 BINGO_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
 GOPATH ?= $(shell go env GOPATH)
 GOBIN  ?= $(firstword $(subst :, ,${GOPATH}))/bin
 GO     ?= $(shell which go)

+# Ensure bingo-managed tools are always built for the host platform,
+# even when GOOS/GOARCH are set for cross-compilation of other targets.
+GOHOSTOS     ?= $(shell $(GO) env GOHOSTOS)
+GOHOSTARCH   ?= $(shell $(GO) env GOHOSTARCH)
+GOHOSTARM    ?= $(shell $(GO) env GOHOSTARM)
+
 # Below generated variables ensure that every time a tool under each variable is invoked, the correct version
 # will be used; reinstalling only if needed.
 # For example for bingo variable:
@@ -17,99 +23,99 @@ GO     ?= $(shell which go)
 #	@echo "Running bingo"
 #	@$(BINGO) <flags/args..>
 #
-BINGO := $(GOBIN)/bingo-v0.9.0
+BINGO := $(GOBIN)/bingo-v0.10.0
 $(BINGO): $(BINGO_DIR)/bingo.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/bingo-v0.9.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=bingo.mod -o=$(GOBIN)/bingo-v0.9.0 "github.com/bwplotka/bingo"
+	@echo "(re)installing $(GOBIN)/bingo-v0.10.0"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=bingo.mod -o=$(GOBIN)/bingo-v0.10.0 "github.com/bwplotka/bingo"

 BUF := $(GOBIN)/buf-v1.39.0
 $(BUF): $(BINGO_DIR)/buf.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/buf-v1.39.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=buf.mod -o=$(GOBIN)/buf-v1.39.0 "github.com/bufbuild/buf/cmd/buf"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=buf.mod -o=$(GOBIN)/buf-v1.39.0 "github.com/bufbuild/buf/cmd/buf"

 BUILDIFIER := $(GOBIN)/buildifier-v0.0.0-20220323134444-a9f46b2bb3de
 $(BUILDIFIER): $(BINGO_DIR)/buildifier.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/buildifier-v0.0.0-20220323134444-a9f46b2bb3de"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=buildifier.mod -o=$(GOBIN)/buildifier-v0.0.0-20220323134444-a9f46b2bb3de "github.com/bazelbuild/buildtools/buildifier"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=buildifier.mod -o=$(GOBIN)/buildifier-v0.0.0-20220323134444-a9f46b2bb3de "github.com/bazelbuild/buildtools/buildifier"

 CALENS := $(GOBIN)/calens-v0.4.0
 $(CALENS): $(BINGO_DIR)/calens.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/calens-v0.4.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=calens.mod -o=$(GOBIN)/calens-v0.4.0 "github.com/restic/calens"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=calens.mod -o=$(GOBIN)/calens-v0.4.0 "github.com/restic/calens"

 GO_LICENSES := $(GOBIN)/go-licenses-v1.5.0
 $(GO_LICENSES): $(BINGO_DIR)/go-licenses.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/go-licenses-v1.5.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=go-licenses.mod -o=$(GOBIN)/go-licenses-v1.5.0 "github.com/google/go-licenses"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=go-licenses.mod -o=$(GOBIN)/go-licenses-v1.5.0 "github.com/google/go-licenses"

 GOLANGCI_LINT := $(GOBIN)/golangci-lint-v1.64.6
 $(GOLANGCI_LINT): $(BINGO_DIR)/golangci-lint.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/golangci-lint-v1.64.6"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=golangci-lint.mod -o=$(GOBIN)/golangci-lint-v1.64.6 "github.com/golangci/golangci-lint/cmd/golangci-lint"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=golangci-lint.mod -o=$(GOBIN)/golangci-lint-v1.64.6 "github.com/golangci/golangci-lint/cmd/golangci-lint"

-GOVULNCHECK := $(GOBIN)/govulncheck-v1.0.1
+GOVULNCHECK := $(GOBIN)/govulncheck-v1.1.4
 $(GOVULNCHECK): $(BINGO_DIR)/govulncheck.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/govulncheck-v1.0.1"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=govulncheck.mod -o=$(GOBIN)/govulncheck-v1.0.1 "golang.org/x/vuln/cmd/govulncheck"
+	@echo "(re)installing $(GOBIN)/govulncheck-v1.1.4"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=govulncheck.mod -o=$(GOBIN)/govulncheck-v1.1.4 "golang.org/x/vuln/cmd/govulncheck"

-MOCKERY := $(GOBIN)/mockery-v2.52.3
+MOCKERY := $(GOBIN)/mockery-v2.53.5
 $(MOCKERY): $(BINGO_DIR)/mockery.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/mockery-v2.52.3"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=mockery.mod -o=$(GOBIN)/mockery-v2.52.3 "github.com/vektra/mockery/v2"
+	@echo "(re)installing $(GOBIN)/mockery-v2.53.5"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=mockery.mod -o=$(GOBIN)/mockery-v2.53.5 "github.com/vektra/mockery/v2"

 PIGEON := $(GOBIN)/pigeon-v1.2.1
 $(PIGEON): $(BINGO_DIR)/pigeon.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/pigeon-v1.2.1"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=pigeon.mod -o=$(GOBIN)/pigeon-v1.2.1 "github.com/mna/pigeon"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=pigeon.mod -o=$(GOBIN)/pigeon-v1.2.1 "github.com/mna/pigeon"

 PROTOC_GEN_DOC := $(GOBIN)/protoc-gen-doc-v1.5.1
 $(PROTOC_GEN_DOC): $(BINGO_DIR)/protoc-gen-doc.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/protoc-gen-doc-v1.5.1"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=protoc-gen-doc.mod -o=$(GOBIN)/protoc-gen-doc-v1.5.1 "github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=protoc-gen-doc.mod -o=$(GOBIN)/protoc-gen-doc-v1.5.1 "github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc"

 PROTOC_GEN_GO := $(GOBIN)/protoc-gen-go-v1.28.1
 $(PROTOC_GEN_GO): $(BINGO_DIR)/protoc-gen-go.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/protoc-gen-go-v1.28.1"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=protoc-gen-go.mod -o=$(GOBIN)/protoc-gen-go-v1.28.1 "google.golang.org/protobuf/cmd/protoc-gen-go"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=protoc-gen-go.mod -o=$(GOBIN)/protoc-gen-go-v1.28.1 "google.golang.org/protobuf/cmd/protoc-gen-go"

 PROTOC_GEN_MICRO := $(GOBIN)/protoc-gen-micro-v1.0.0
 $(PROTOC_GEN_MICRO): $(BINGO_DIR)/protoc-gen-micro.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/protoc-gen-micro-v1.0.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=protoc-gen-micro.mod -o=$(GOBIN)/protoc-gen-micro-v1.0.0 "github.com/go-micro/generator/cmd/protoc-gen-micro"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=protoc-gen-micro.mod -o=$(GOBIN)/protoc-gen-micro-v1.0.0 "github.com/go-micro/generator/cmd/protoc-gen-micro"

 PROTOC_GEN_MICROWEB := $(GOBIN)/protoc-gen-microweb-v0.0.0-20250812083720-c9765347567d
 $(PROTOC_GEN_MICROWEB): $(BINGO_DIR)/protoc-gen-microweb.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/protoc-gen-microweb-v0.0.0-20250812083720-c9765347567d"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=protoc-gen-microweb.mod -o=$(GOBIN)/protoc-gen-microweb-v0.0.0-20250812083720-c9765347567d "github.com/owncloud/protoc-gen-microweb"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=protoc-gen-microweb.mod -o=$(GOBIN)/protoc-gen-microweb-v0.0.0-20250812083720-c9765347567d "github.com/owncloud/protoc-gen-microweb"

 PROTOC_GEN_OPENAPIV2 := $(GOBIN)/protoc-gen-openapiv2-v2.13.0
 $(PROTOC_GEN_OPENAPIV2): $(BINGO_DIR)/protoc-gen-openapiv2.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/protoc-gen-openapiv2-v2.13.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=protoc-gen-openapiv2.mod -o=$(GOBIN)/protoc-gen-openapiv2-v2.13.0 "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=protoc-gen-openapiv2.mod -o=$(GOBIN)/protoc-gen-openapiv2-v2.13.0 "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2"

 PROTOC_GO_INJECT_TAG := $(GOBIN)/protoc-go-inject-tag-v1.4.0
 $(PROTOC_GO_INJECT_TAG): $(BINGO_DIR)/protoc-go-inject-tag.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/protoc-go-inject-tag-v1.4.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=protoc-go-inject-tag.mod -o=$(GOBIN)/protoc-go-inject-tag-v1.4.0 "github.com/favadi/protoc-go-inject-tag"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=protoc-go-inject-tag.mod -o=$(GOBIN)/protoc-go-inject-tag-v1.4.0 "github.com/favadi/protoc-go-inject-tag"

 REFLEX := $(GOBIN)/reflex-v0.3.1
 $(REFLEX): $(BINGO_DIR)/reflex.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/reflex-v0.3.1"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=reflex.mod -o=$(GOBIN)/reflex-v0.3.1 "github.com/cespare/reflex"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=reflex.mod -o=$(GOBIN)/reflex-v0.3.1 "github.com/cespare/reflex"

--- a/.bingo/bingo.mod
+++ b/.bingo/bingo.mod
@@ -1,5 +1,5 @@
 module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT

-go 1.17
+go 1.24.9

-require github.com/bwplotka/bingo v0.9.0
+require github.com/bwplotka/bingo v0.10.0
--- a/.bingo/bingo.sum
+++ b/.bingo/bingo.sum
@@ -10,7 +10,10 @@ github.com/bwplotka/bingo v0.8.0 h1:Cx9eQb+ed9aU7sbrmZagomKx+wYor9y5z5HM91bvp1U=
 github.com/bwplotka/bingo v0.8.0/go.mod h1:eXPFwhZ92mmOUBk6F7aKcAJoq8HX88Ju3wLZKwtNKEw=
 github.com/bwplotka/bingo v0.9.0 h1:slnsdJYExR4iRalHR6/ZiYnr9vSazOuFGmc2LdX293g=
 github.com/bwplotka/bingo v0.9.0/go.mod h1:GxC/y/xbmOK5P29cn+B3HuOSw0s2gruddT3r+rDizDw=
+github.com/bwplotka/bingo v0.10.0 h1:NhodmVTA5T6prv7ZDRbr8wMOKlUE14GsKBaKlioBd58=
+github.com/bwplotka/bingo v0.10.0/go.mod h1:dFsm4aLJesa7lAhddUS0yLuuCKeM5n+GIPT7K9yycu4=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.15/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
@@ -18,6 +21,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/efficientgo/core v1.0.0-rc.0 h1:jJoA0N+C4/knWYVZ6GrdHOtDyrg8Y/TR4vFpTaqTsqs=
 github.com/efficientgo/core v1.0.0-rc.0/go.mod h1:kQa0V74HNYMfuJH6jiPiwNdpWXl4xd/K4tzlrcvYDQI=
+github.com/efficientgo/core v1.0.0-rc.3 h1:X6CdgycYWDcbYiJr1H1+lQGzx13o7bq3EUkbB9DsSPc=
+github.com/efficientgo/core v1.0.0-rc.3/go.mod h1:FfGdkzWarkuzOlY04VY+bGfb1lWrjaL6x/GLcQ4vJps=
 github.com/efficientgo/tools/core v0.0.0-20210201220623-8118984754c2 h1:GD19G/vhEa8amDJDBYcTaFXZjxKed67Ev0ZFPHdd/LQ=
 github.com/efficientgo/tools/core v0.0.0-20210201220623-8118984754c2/go.mod h1:cFZoHUhKg31xkPnPjhPKFtevnx0Xcg67ptBRxbpaxtk=
 github.com/efficientgo/tools/core v0.0.0-20220225185207-fe763185946b h1:ZHiD4/yE4idlbqvAO6iYCOYRzOMRpxkW+FKasRA3tsQ=
@@ -29,6 +34,8 @@ github.com/google/renameio v1.0.1/go.mod h1:t/HQoYBZSsWSNK35C6CO/TpPLDVWvxOHboWU
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
@@ -49,8 +56,13 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
 github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -64,6 +76,8 @@ golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -85,6 +99,8 @@ golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f h1:rlezHXNlxYWvBCzNses9Dlc7n
 golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20191110171634-ad39bd3f0407 h1:5zh5atpUEdIc478E/ebrIaHLKcfVvG6dL/fGv7BcMoM=
 golang.org/x/term v0.0.0-20191110171634-ad39bd3f0407/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20210916214954-140adaaadfaf/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -92,6 +108,8 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -108,6 +126,7 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 mvdan.cc/editorconfig v0.1.1-0.20200121172147-e40951bde157/go.mod h1:Ge4atmRUYqueGppvJ7JNrtqpqokoJEFxYbP0Z+WeKS8=
 mvdan.cc/editorconfig v0.2.0/go.mod h1:lvnnD3BNdBYkhq+B4uBuFFKatfp02eB6HixDvEz91C0=
 mvdan.cc/sh/v3 v3.2.4 h1:+fZaWcXWRjYAvqzEKoDhDM3DkxdDUykU2iw0VMKFe9s=
@@ -116,3 +135,5 @@ mvdan.cc/sh/v3 v3.4.3 h1:zbuKH7YH9cqU6PGajhFFXZY7dhPXcDr55iN/cUAqpuw=
 mvdan.cc/sh/v3 v3.4.3/go.mod h1:p/tqPPI4Epfk2rICAe2RoaNd8HBSJ8t9Y2DA9yQlbzY=
 mvdan.cc/sh/v3 v3.7.0 h1:lSTjdP/1xsddtaKfGg7Myu7DnlHItd3/M2tomOcNNBg=
 mvdan.cc/sh/v3 v3.7.0/go.mod h1:K2gwkaesF/D7av7Kxl0HbF5kGOd2ArupNTX3X44+8l8=
+mvdan.cc/sh/v3 v3.12.0 h1:ejKUR7ONP5bb+UGHGEG/k9V5+pRVIyD+LsZz7o8KHrI=
+mvdan.cc/sh/v3 v3.12.0/go.mod h1:Se6Cj17eYSn+sNooLZiEUnNNmNxg0imoYlTu4CyaGyg=
--- a/.bingo/govulncheck.mod
+++ b/.bingo/govulncheck.mod
@@ -1,5 +1,5 @@
 module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT

-go 1.21.4
+go 1.22.0

-require golang.org/x/vuln v1.0.1 // cmd/govulncheck
+require golang.org/x/vuln v1.1.4 // cmd/govulncheck
--- a/.bingo/govulncheck.sum
+++ b/.bingo/govulncheck.sum
@@ -1,10 +1,22 @@
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
 golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E=
 golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
+golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
+golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
 golang.org/x/vuln v1.0.1 h1:KUas02EjQK5LTuIx1OylBQdKKZ9jeugs+HiqO5HormU=
 golang.org/x/vuln v1.0.1/go.mod h1:bb2hMwln/tqxg32BNY4CcxHWtHXuYa3SbIBmtsyjxtM=
+golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
+golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
--- a/.bingo/mockery.mod
+++ b/.bingo/mockery.mod
@@ -4,4 +4,4 @@ go 1.24

 toolchain go1.24.0

-require github.com/vektra/mockery/v2 v2.52.3
+require github.com/vektra/mockery/v2 v2.53.5
--- a/.bingo/mockery.sum
+++ b/.bingo/mockery.sum
@@ -67,6 +67,8 @@ github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -212,6 +214,8 @@ github.com/spf13/viper v1.15.0 h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU=
 github.com/spf13/viper v1.15.0/go.mod h1:fFcTBJxvhhzSJiZy8n+PeW6t8l+KeT/uTARa0jHOQLA=
 github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
 github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
+github.com/spf13/viper v1.20.0 h1:zrxIyR3RQIOsarIrgL8+sAvALXul9jeEPa06Y0Ph6vY=
+github.com/spf13/viper v1.20.0/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -234,6 +238,8 @@ github.com/vektra/mockery/v2 v2.43.2 h1:OdivAsQL/uoQ55UnTt25tliRI8kaj5j6caHk9xaA
 github.com/vektra/mockery/v2 v2.43.2/go.mod h1:XNTE9RIu3deGAGQRVjP1VZxGpQNm0YedZx4oDs3prr8=
 github.com/vektra/mockery/v2 v2.52.3 h1:lInrh+OuJu3dY/UPFvdFmJ/lsscEnUFrTmagcRJKoWU=
 github.com/vektra/mockery/v2 v2.52.3/go.mod h1:zGDY/f6bip0Yh13GQ5j7xa43fuEoYBa4ICHEaihisHw=
+github.com/vektra/mockery/v2 v2.53.5 h1:iktAY68pNiMvLoHxKqlSNSv/1py0QF/17UGrrAMYDI8=
+github.com/vektra/mockery/v2 v2.53.5/go.mod h1:hIFFb3CvzPdDJJiU7J4zLRblUMv7OuezWsHPmswriwo=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
--- a/.bingo/variables.env
+++ b/.bingo/variables.env
@@ -1,4 +1,4 @@
-# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.9. DO NOT EDIT.
+# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.10. DO NOT EDIT.
 # All tools are designed to be build inside $GOBIN.
 # Those variables will work only until 'bingo get' was invoked, or if tools were installed via Makefile's Variables.mk.
 GOBIN=${GOBIN:=$(go env GOBIN)}
@@ -8,7 +8,7 @@ if [ -z "$GOBIN" ]; then
 fi


-BINGO="${GOBIN}/bingo-v0.9.0"
+BINGO="${GOBIN}/bingo-v0.10.0"

 BUF="${GOBIN}/buf-v1.39.0"

@@ -20,9 +20,9 @@ GO_LICENSES="${GOBIN}/go-licenses-v1.5.0"

 GOLANGCI_LINT="${GOBIN}/golangci-lint-v1.64.6"

-GOVULNCHECK="${GOBIN}/govulncheck-v1.0.1"
+GOVULNCHECK="${GOBIN}/govulncheck-v1.1.4"

-MOCKERY="${GOBIN}/mockery-v2.52.3"
+MOCKERY="${GOBIN}/mockery-v2.53.5"

 PIGEON="${GOBIN}/pigeon-v1.2.1"

--- a/.drone.star
+++ b/.drone.star
@@ -19,7 +19,7 @@ OC_CI_BAZEL_BUILDIFIER = "owncloudci/bazel-buildifier:latest"
 OC_CI_CLAMAVD = "owncloudci/clamavd"
 OC_CI_DRONE_ANSIBLE = "owncloudci/drone-ansible:latest"
 OC_CI_DRONE_SKIP_PIPELINE = "owncloudci/drone-skip-pipeline"
-OC_CI_GOLANG = "owncloudci/golang:1.24"
+OC_CI_GOLANG = "owncloudci/golang:1.25"
 OC_CI_NODEJS = "owncloudci/nodejs:%s"
 OC_CI_PHP = "owncloudci/php:%s"
 OC_CI_WAIT_FOR = "owncloudci/wait-for:latest"
@@ -3855,7 +3855,7 @@ def prepareOcisDeployment():

    return [{
        "name": "prepare-ocis-deployment",
-        "image": "owncloudci/golang:latest",
+        "image": "owncloudci/golang:1.25",
        "commands": commands,
        "volumes": [
            {
@@ -3887,7 +3887,7 @@ def setupOcisConfigMaps():
 def deployOcis():
    return [{
        "name": "deploy-ocis",
-        "image": "owncloudci/golang:latest",
+        "image": "owncloudci/golang:1.25",
        "commands": [
            "export KUBECONFIG=%s/kubeconfig-$${DRONE_BUILD_NUMBER}.yaml" % dirs["base"],
            "cd %s/ocis-charts" % dirs["base"],
--- a/2
+++ b/2
@@ -28,7 +28,7 @@ COPY --from=generate /ocis /ocis
 WORKDIR /ocis/ocis
 RUN make ci-go-generate build ENABLE_VIPS=true

-FROM alpine:3.23
+FROM alpine:3.23.3

 RUN apk add --no-cache attr ca-certificates curl mailcap tree vips && \
 	echo 'hosts: files dns' >| /etc/nsswitch.conf
--- a/README.md
+++ b/README.md
@@ -108,7 +108,7 @@ See the [Install Infinite Scale on a Server](https://doc.owncloud.com/ocis/next/

 Use this method to build and run an instance with the latest code. This is only recommended for development purposes.

-The minimum go version required is `1.24`.\
+The minimum go version required is `1.25.7`.\
 Note that you need a C compile environment installed as a prerequisite because some dependencies, like reva, have components that require C-Go libraries and toolchains. The command installing for debian based systems is: `sudo apt install build-essential`.

 To build and run a local instance with demo users:
--- a/changelog/unreleased/bump-go-1.25.md
+++ b/changelog/unreleased/bump-go-1.25.md
@@ -0,0 +1,5 @@
+Enhancement: Update to go 1.25
+
+We have updated go to version 1.25 and alpine to version 3.23.3
+
+https://github.com/owncloud/ocis/pull/12011
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module github.com/owncloud/ocis/v2

-go 1.24.6
-
-toolchain go1.24.9
+go 1.25.7

 require (
 	dario.cat/mergo v1.0.2
@@ -66,7 +64,7 @@ require (
 	github.com/open-policy-agent/opa v1.12.3
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/owncloud/libre-graph-api-go v1.0.5-0.20260116104114-10074a92be64
-	github.com/owncloud/reva/v2 v2.0.0-20260123085534-22a1be2b211e
+	github.com/owncloud/reva/v2 v2.0.0-20260206095425-032663e2f51a
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.12
 	github.com/prometheus/client_golang v1.23.2
--- a/go.sum
+++ b/go.sum
@@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD
 github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260116104114-10074a92be64 h1:z9djjzd+leAy6QZpi8dLy3OVjc/um+1XAGk1SJEvwE8=
 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260116104114-10074a92be64/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og=
-github.com/owncloud/reva/v2 v2.0.0-20260123085534-22a1be2b211e h1:SL7kqt9HyZpyeWjb0saiRm1COMPZhQ9w8lUoCHWgm2o=
-github.com/owncloud/reva/v2 v2.0.0-20260123085534-22a1be2b211e/go.mod h1:eHbT6pmVlcjdiBeVEYw7exlfJmemMzKBh4R+HFgx9Cc=
+github.com/owncloud/reva/v2 v2.0.0-20260206095425-032663e2f51a h1:XvU5fvmqFzs9pT+JAZHR0QHY1KsCemNAJp000QkPqrM=
+github.com/owncloud/reva/v2 v2.0.0-20260206095425-032663e2f51a/go.mod h1:ahCZbT/ltp5J8aURUpTOfpA/dLBeTvHaMm772cvj7+U=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw=
--- a/ocis-pkg/kql/dictionary_gen.go
+++ b/ocis-pkg/kql/dictionary_gen.go
@@ -2721,7 +2721,7 @@ var (

 	// errMaxExprCnt is used to signal that the maximum number of
 	// expressions have been parsed.
-	errMaxExprCnt = errors.New("max number of expressions parsed")
+	errMaxExprCnt = errors.New("max number of expresssions parsed")
 )

 // Option is a function that can set an option on the parser. It returns
--- a/ocis-pkg/oidc/mocks/oidc_client.go
+++ b/ocis-pkg/oidc/mocks/oidc_client.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/ocis/docker/Dockerfile.linux.amd64
+++ b/ocis/docker/Dockerfile.linux.amd64
@@ -1,4 +1,4 @@
-FROM amd64/alpine:3.23
+FROM amd64/alpine:3.23.3

 ARG VERSION=""
 ARG REVISION=""
--- a/ocis/docker/Dockerfile.linux.arm64
+++ b/ocis/docker/Dockerfile.linux.arm64
@@ -1,4 +1,4 @@
-FROM arm64v8/alpine:3.23
+FROM arm64v8/alpine:3.23.3

 ARG VERSION=""
 ARG REVISION=""
--- a/services/graph/mocks/base_graph_provider.go
+++ b/services/graph/mocks/base_graph_provider.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/mocks/drive_item_permissions_provider.go
+++ b/services/graph/mocks/drive_item_permissions_provider.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/mocks/drives_drive_item_provider.go
+++ b/services/graph/mocks/drives_drive_item_provider.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/mocks/gateway_selector.go
+++ b/services/graph/mocks/gateway_selector.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/mocks/http_client.go
+++ b/services/graph/mocks/http_client.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/mocks/permissions.go
+++ b/services/graph/mocks/permissions.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/mocks/role_service.go
+++ b/services/graph/mocks/role_service.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/pkg/identity/mocks/backend.go
+++ b/services/graph/pkg/identity/mocks/backend.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/pkg/identity/mocks/education_backend.go
+++ b/services/graph/pkg/identity/mocks/education_backend.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/graph/pkg/identity/mocks/ldapclient.go
+++ b/services/graph/pkg/identity/mocks/ldapclient.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/invitations/pkg/backends/keycloak/mocks/client.go
+++ b/services/invitations/pkg/backends/keycloak/mocks/client.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/proxy/pkg/user/backend/mocks/user_backend.go
+++ b/services/proxy/pkg/user/backend/mocks/user_backend.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/proxy/pkg/userroles/mocks/user_role_assigner.go
+++ b/services/proxy/pkg/userroles/mocks/user_role_assigner.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/search/pkg/content/mocks/extractor.go
+++ b/services/search/pkg/content/mocks/extractor.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/search/pkg/content/mocks/retriever.go
+++ b/services/search/pkg/content/mocks/retriever.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/search/pkg/engine/mocks/engine.go
+++ b/services/search/pkg/engine/mocks/engine.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/search/pkg/search/mocks/searcher.go
+++ b/services/search/pkg/search/mocks/searcher.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/services/settings/pkg/settings/mocks/manager.go
+++ b/services/settings/pkg/settings/mocks/manager.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.52.3. DO NOT EDIT.
+// Code generated by mockery v2.53.5. DO NOT EDIT.

 package mocks

--- a/tests/ociswrapper/go.mod
+++ b/tests/ociswrapper/go.mod
@@ -1,6 +1,6 @@
 module ociswrapper

-go 1.22
+go 1.25

 require (
 	github.com/creack/pty v1.1.24
--- a/vendor/github.com/owncloud/reva/v2/internal/grpc/interceptors/auth/scope.go
+++ b/vendor/github.com/owncloud/reva/v2/internal/grpc/interceptors/auth/scope.go
@@ -22,7 +22,6 @@ import (
 	"context"
 	"fmt"
 	"strings"
-	"time"

 	appprovider "github.com/cs3org/go-cs3apis/cs3/app/provider/v1beta1"
 	appregistry "github.com/cs3org/go-cs3apis/cs3/app/registry/v1beta1"
@@ -41,17 +40,11 @@ import (
 	"github.com/owncloud/reva/v2/pkg/errtypes"
 	statuspkg "github.com/owncloud/reva/v2/pkg/rgrpc/status"
 	"github.com/owncloud/reva/v2/pkg/rgrpc/todo/pool"
-	"github.com/owncloud/reva/v2/pkg/storagespace"
 	"github.com/owncloud/reva/v2/pkg/token"
 	"github.com/owncloud/reva/v2/pkg/utils"
 	"google.golang.org/grpc/metadata"
 )

-const (
-	scopeDelimiter       = "#"
-	scopeCacheExpiration = 3600
-)
-
 func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[string]*authpb.Scope, user *userpb.User, gatewayAddr string, mgr token.Manager) error {
 	log := appctx.GetLogger(ctx)
 	client, err := pool.GetGatewayServiceClient(gatewayAddr)
@@ -80,10 +73,6 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 					return nil
 				}

-			case strings.HasPrefix(k, "lightweight"):
-				if err = resolveLightweightScope(ctx, ref, tokenScope[k], user, client, mgr); err == nil {
-					return nil
-				}
 			case strings.HasPrefix(k, "ocmshare"):
 				if err = resolveOCMShare(ctx, ref, tokenScope[k], client, mgr); err == nil {
 					return nil
@@ -91,72 +80,11 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 			}
 			log.Err(err).Interface("ref", ref).Interface("scope", k).Msg("error resolving reference under scope")
 		}
-
-	} else if ref, ok := extractShareRef(req); ok {
-		// It's a share ref
-		// The request might be coming from a share created for a lightweight account
-		// after the token was minted.
-		log.Info().Msgf("resolving share reference against received shares to verify token scope %+v", ref.String())
-		for k := range tokenScope {
-			if strings.HasPrefix(k, "lightweight") {
-				// Check if this ID is cached
-				key := "lw:" + user.Id.OpaqueId + scopeDelimiter + ref.GetId().OpaqueId
-				if _, err := scopeExpansionCache.Get(key); err == nil {
-					return nil
-				}
-
-				shares, err := client.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{})
-				if err != nil || shares.Status.Code != rpc.Code_CODE_OK {
-					log.Warn().Err(err).Msg("error listing received shares")
-					continue
-				}
-				for _, s := range shares.Shares {
-					shareKey := "lw:" + user.Id.OpaqueId + scopeDelimiter + s.Share.Id.OpaqueId
-					_ = scopeExpansionCache.SetWithExpire(shareKey, nil, scopeCacheExpiration*time.Second)
-
-					if ref.GetId() != nil && ref.GetId().OpaqueId == s.Share.Id.OpaqueId {
-						return nil
-					}
-					if key := ref.GetKey(); key != nil && (utils.UserEqual(key.Owner, s.Share.Owner) || utils.UserEqual(key.Owner, s.Share.Creator)) &&
-						utils.ResourceIDEqual(key.ResourceId, s.Share.ResourceId) && utils.GranteeEqual(key.Grantee, s.Share.Grantee) {
-						return nil
-					}
-				}
-			}
-		}
 	}

 	return errtypes.PermissionDenied(fmt.Sprintf("access to resource %+v not allowed within the assigned scope", req))
 }

-func resolveLightweightScope(ctx context.Context, ref *provider.Reference, scope *authpb.Scope, user *userpb.User, client gateway.GatewayAPIClient, mgr token.Manager) error {
-	// Check if this ref is cached
-	key := "lw:" + user.Id.OpaqueId + scopeDelimiter + getRefKey(ref)
-	if _, err := scopeExpansionCache.Get(key); err == nil {
-		return nil
-	}
-
-	shares, err := client.ListReceivedShares(ctx, &collaboration.ListReceivedSharesRequest{})
-	if err != nil || shares.Status.Code != rpc.Code_CODE_OK {
-		return errtypes.InternalError("error listing received shares")
-	}
-
-	for _, share := range shares.Shares {
-		shareKey := "lw:" + user.Id.OpaqueId + scopeDelimiter + storagespace.FormatResourceID(share.Share.ResourceId)
-		_ = scopeExpansionCache.SetWithExpire(shareKey, nil, scopeCacheExpiration*time.Second)
-
-		if ref.ResourceId != nil && utils.ResourceIDEqual(share.Share.ResourceId, ref.ResourceId) {
-			return nil
-		}
-		if ok, err := checkIfNestedResource(ctx, ref, share.Share.ResourceId, client, mgr); err == nil && ok {
-			_ = scopeExpansionCache.SetWithExpire(key, nil, scopeCacheExpiration*time.Second)
-			return nil
-		}
-	}
-
-	return errtypes.PermissionDenied("request is not for a nested resource")
-}
-
 func resolvePublicShare(ctx context.Context, ref *provider.Reference, scope *authpb.Scope, client gateway.GatewayAPIClient, mgr token.Manager) error {
 	var share link.PublicShare
 	err := utils.UnmarshalJSONToProtoV1(scope.Resource.Value, &share)
@@ -164,13 +92,7 @@ func resolvePublicShare(ctx context.Context, ref *provider.Reference, scope *aut
 		return err
 	}

-	if err := checkCacheForNestedResource(ctx, ref, share.ResourceId, client, mgr); err == nil {
-		return nil
-	}
-
-	// Some services like wopi don't access the shared resource relative to the
-	// share root but instead relative to the shared resources parent.
-	return checkRelativeReference(ctx, ref, share.ResourceId, client)
+	return checkIfNestedResource(ctx, ref, share.ResourceId, client, mgr)
 }

 func resolveOCMShare(ctx context.Context, ref *provider.Reference, scope *authpb.Scope, client gateway.GatewayAPIClient, mgr token.Manager) error {
@@ -184,54 +106,7 @@ func resolveOCMShare(ctx context.Context, ref *provider.Reference, scope *authpb
 		ref.ResourceId = share.GetResourceId()
 	}

-	if err := checkCacheForNestedResource(ctx, ref, share.ResourceId, client, mgr); err == nil {
-		return nil
-	}
-
-	// Some services like wopi don't access the shared resource relative to the
-	// share root but instead relative to the shared resources parent.
-	return checkRelativeReference(ctx, ref, share.ResourceId, client)
-}
-
-// checkRelativeReference checks if the shared resource is being accessed via a relative reference
-// e.g.:
-// storage: abcd, space: efgh
-// /root (id: efgh)
-// - New file.txt (id: ijkl) <- shared resource
-//
-// If the requested reference looks like this:
-// Reference{ResourceId: {StorageId: "abcd", SpaceId: "efgh"}, Path: "./New file.txt"}
-// then the request is considered relative and this function would return true.
-// Only references which are relative to the immediate parent of a resource are considered valid.
-func checkRelativeReference(ctx context.Context, requested *provider.Reference, sharedResourceID *provider.ResourceId, client gateway.GatewayAPIClient) error {
-	sRes, err := client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: sharedResourceID}})
-	if err != nil {
-		return err
-	}
-	if sRes.Status.Code != rpc.Code_CODE_OK {
-		return statuspkg.NewErrorFromCode(sRes.Status.Code, "auth interceptor")
-	}
-
-	sharedResource := sRes.Info
-
-	// Is this a shared space
-	if sharedResource.ParentId == nil {
-		// Is the requested resource part of the shared space?
-		if requested.ResourceId.StorageId != sharedResource.Id.StorageId || requested.ResourceId.SpaceId != sharedResource.Id.SpaceId {
-			return errtypes.PermissionDenied("space access forbidden via public link")
-		}
-	} else {
-		parentID := sharedResource.ParentId
-		parentID.StorageId = sharedResource.Id.StorageId
-
-		if !utils.ResourceIDEqual(parentID, requested.ResourceId) && utils.MakeRelativePath(sharedResource.Path) != requested.Path {
-			return errtypes.PermissionDenied("access forbidden via public link")
-		}
-	}
-
-	key := storagespace.FormatResourceID(sharedResourceID) + scopeDelimiter + getRefKey(requested)
-	_ = scopeExpansionCache.SetWithExpire(key, nil, scopeCacheExpiration*time.Second)
-	return nil
+	return checkIfNestedResource(ctx, ref, share.ResourceId, client, mgr)
 }

 func resolveUserShare(ctx context.Context, ref *provider.Reference, scope *authpb.Scope, client gateway.GatewayAPIClient, mgr token.Manager) error {
@@ -241,105 +116,99 @@ func resolveUserShare(ctx context.Context, ref *provider.Reference, scope *authp
 		return err
 	}

-	return checkCacheForNestedResource(ctx, ref, share.ResourceId, client, mgr)
+	return checkIfNestedResource(ctx, ref, share.ResourceId, client, mgr)
 }

-func checkCacheForNestedResource(ctx context.Context, ref *provider.Reference, resource *provider.ResourceId, client gateway.GatewayAPIClient, mgr token.Manager) error {
-	// Check if this ref is cached
-	key := storagespace.FormatResourceID(resource) + scopeDelimiter + getRefKey(ref)
-	if _, err := scopeExpansionCache.Get(key); err == nil {
-		return nil
-	}
-
-	if ok, err := checkIfNestedResource(ctx, ref, resource, client, mgr); err == nil && ok {
-		_ = scopeExpansionCache.SetWithExpire(key, nil, scopeCacheExpiration*time.Second)
-		return nil
-	}
-
-	return errtypes.PermissionDenied("request is not for a nested resource")
-}
-
-func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent *provider.ResourceId, client gateway.GatewayAPIClient, mgr token.Manager) (bool, error) {
+func checkIfNestedResource(ctx context.Context, ref *provider.Reference, shareRoot *provider.ResourceId, client gateway.GatewayAPIClient, mgr token.Manager) error {
 	// Since the resource ID is obtained from the scope, the current token
 	// has access to it.
-	statResponse, err := client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: parent}})
+	rootStat, err := client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: shareRoot}})
 	if err != nil {
-		return false, err
+		return err
 	}
-	if statResponse.GetStatus().GetCode() != rpc.Code_CODE_OK {
-		return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor")
+	if rootStat.GetStatus().GetCode() != rpc.Code_CODE_OK {
+		return statuspkg.NewErrorFromCode(rootStat.Status.Code, "auth interceptor")
 	}

-	pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: statResponse.GetInfo().GetId()})
-	if err != nil {
-		return false, err
-	}
-	if pathResp.Status.Code != rpc.Code_CODE_OK {
-		return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor")
-	}
-	parentPath := pathResp.Path
+	rootInfo := rootStat.GetInfo()

-	childPath := ref.GetPath()
-	if childPath != "" && childPath != "." && strings.HasPrefix(childPath, parentPath) {
-		// if the request is relative from the root, we can return directly
-		return true, nil
-	}
-
-	// The request is not relative to the root. We need to find out if the requested resource is child of the `parent` (coming from token scope)
+	// We need to find out if the requested resource is a child of the `shareRoot` (coming from token scope)
 	// We mint a token as the owner of the public share and try to stat the reference
-	// TODO(ishank011): We need to find a better alternative to this
-	// NOTE: did somebody say service accounts? ...

 	var user *userpb.User
-	if statResponse.GetInfo().GetOwner().GetType() == userpb.UserType_USER_TYPE_SPACE_OWNER {
+	if rootInfo.GetOwner().GetType() == userpb.UserType_USER_TYPE_SPACE_OWNER {
 		// fake a space owner user
 		user = &userpb.User{
-			Id: statResponse.GetInfo().GetOwner(),
+			Id: rootInfo.GetOwner(),
 		}
 	} else {
-		userResp, err := client.GetUser(ctx, &userpb.GetUserRequest{UserId: statResponse.Info.Owner, SkipFetchingUserGroups: true})
+		userResp, err := client.GetUser(ctx, &userpb.GetUserRequest{UserId: rootInfo.GetOwner(), SkipFetchingUserGroups: true})
 		if err != nil || userResp.Status.Code != rpc.Code_CODE_OK {
-			return false, err
+			return err
 		}
 		user = userResp.User
 	}

 	scope, err := scope.AddOwnerScope(map[string]*authpb.Scope{})
 	if err != nil {
-		return false, err
+		return err
 	}
 	token, err := mgr.MintToken(ctx, user, scope)
 	if err != nil {
-		return false, err
+		return err
 	}
 	ctx = metadata.AppendToOutgoingContext(context.Background(), ctxpkg.TokenHeader, token)

-	childStat, err := client.Stat(ctx, &provider.StatRequest{Ref: ref})
+	resourceStat, err := client.Stat(ctx, &provider.StatRequest{Ref: ref})
 	if err != nil {
-		return false, err
+		return err
 	}
-	if childStat.GetStatus().GetCode() == rpc.Code_CODE_NOT_FOUND && ref.GetPath() != "" && ref.GetPath() != "." {
+	if resourceStat.GetStatus().GetCode() == rpc.Code_CODE_NOT_FOUND && ref.GetPath() != "" && ref.GetPath() != "." {
 		// The resource does not seem to exist (yet?). We might be part of an initiate upload request.
 		// Stat the parent to get its path and check that against the root path.
-		childStat, err = client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: ref.GetResourceId()}})
+		resourceStat, err = client.Stat(ctx, &provider.StatRequest{Ref: &provider.Reference{ResourceId: ref.GetResourceId()}})
 		if err != nil {
-			return false, err
+			return err
 		}
 	}
-	if childStat.GetStatus().GetCode() != rpc.Code_CODE_OK {
-		return false, statuspkg.NewErrorFromCode(childStat.Status.Code, "auth interceptor")
+	if resourceStat.GetStatus().GetCode() != rpc.Code_CODE_OK {
+		return statuspkg.NewErrorFromCode(resourceStat.Status.Code, "auth interceptor")
 	}
-	pathResp, err = client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()})
+
+	// Check if the resource and the share root are in the same storage space
+	ci := resourceStat.GetInfo()
+	if ci.GetId().GetStorageId() != rootInfo.GetId().GetStorageId() ||
+		ci.GetId().GetSpaceId() != rootInfo.GetId().GetSpaceId() {
+		return errtypes.PermissionDenied("invalid resource")
+	}
+
+	// check if the resource path is subpath of the share root path
+	rootPath, err := getPath(ctx, rootStat.GetInfo().GetId(), client)
 	if err != nil {
-		return false, err
+		return err
 	}
-	if pathResp.GetStatus().GetCode() != rpc.Code_CODE_OK {
-		return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor")
+
+	resourcePath, err := getPath(ctx, resourceStat.GetInfo().GetId(), client)
+	if err != nil {
+		return err
 	}
-	childPath = pathResp.Path

-	return strings.HasPrefix(childPath, parentPath), nil
+	if rootPath == "/" || resourcePath == rootPath || strings.HasPrefix(resourcePath, rootPath+"/") {
+		return nil
+	}

+	return errtypes.PermissionDenied("invalid resource")
+}
+
+func getPath(ctx context.Context, resourceId *provider.ResourceId, client gateway.GatewayAPIClient) (string, error) {
+	pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: resourceId})
+	if err != nil {
+		return "", err
+	}
+	if pathResp.Status.Code != rpc.Code_CODE_OK {
+		return "", statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor")
+	}
+	return pathResp.Path, nil
 }

 func extractRefFromListProvidersReq(v *registry.ListStorageProvidersRequest) (*provider.Reference, bool) {
@@ -503,27 +372,3 @@ func extractRef(req interface{}, tokenScope map[string]*authpb.Scope) (*provider

 	return nil, false
 }
-
-func extractShareRef(req interface{}) (*collaboration.ShareReference, bool) {
-	switch v := req.(type) {
-	case *collaboration.GetReceivedShareRequest:
-		return v.GetRef(), true
-	case *collaboration.UpdateReceivedShareRequest:
-		return &collaboration.ShareReference{Spec: &collaboration.ShareReference_Id{Id: v.GetShare().GetShare().GetId()}}, true
-	}
-	return nil, false
-}
-
-func getRefKey(ref *provider.Reference) string {
-	if ref.GetPath() != "" {
-		return ref.Path
-	}
-
-	if ref.GetResourceId() != nil {
-		return storagespace.FormatResourceID(ref.ResourceId)
-	}
-
-	// on malicious request both path and rid could be empty
-	// we still should not panic
-	return ""
-}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1313,7 +1313,7 @@ github.com/orcaman/concurrent-map
 # github.com/owncloud/libre-graph-api-go v1.0.5-0.20260116104114-10074a92be64
 ## explicit; go 1.18
 github.com/owncloud/libre-graph-api-go
-# github.com/owncloud/reva/v2 v2.0.0-20260123085534-22a1be2b211e
+# github.com/owncloud/reva/v2 v2.0.0-20260206095425-032663e2f51a
 ## explicit; go 1.24.0
 github.com/owncloud/reva/v2/cmd/revad/internal/grace
 github.com/owncloud/reva/v2/cmd/revad/runtime