chore(deps): update dependency crossplane/crossplane to v1.18.2

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
crossplane/crossplane	patch	1.18.1 -> 1.18.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

crossplane/crossplane (crossplane/crossplane)

v1.18.2

Compare Source

This is a patch release scoped to fixing issues reported by users of Crossplane v1.17 and fixing security related issues in Crossplane's dependencies.

Users of v1.18.x reported that they were no longer able to downgrade a Crossplane installation from v1.18.x to a previous v1.17.x version. This was fixed in https://github.com/crossplane/crossplane/pull/6157 and we expect downgrades from v1.18.2 to be working once again.

The way Usage objects are managed within a Composition has been updated in https://github.com/crossplane/crossplane/pull/6155 to prevent orphaned Usage objects from remaining in the control plane when a Composition that creates a Usage is updated. The change is described below:

• When the Usage itself deleted, the usage controller will wait for using resource before removing the finalizer, only if the Usage is part of a composite (i.e has crossplane.io/composite label).
• When a resource removed from a composition (i.e. decomposed), the composition controllers (both PT and function) will remove the composed resource labels before deleting the resource.
• This behavior is visually summarized in https://github.com/crossplane/crossplane/issues/5880#issuecomment-2363433313

What's Changed

• [Backport release-1.18] fix(environmentConfigs): revert to v1alpha1 as storageversion to fix rollback issues by @​github-actions in https://github.com/crossplane/crossplane/pull/6168
• [Backport release-1.18] Usages: decomposed usages should be deleted properly by @​github-actions in https://github.com/crossplane/crossplane/pull/6169
• chore(deps): update module golang.org/x/crypto to v0.31.0 [security] (release-1.18) by @​crossplane-renovate in https://github.com/crossplane/crossplane/pull/6180

Full Changelog: crossplane/crossplane@v1.18.1...v1.18.2

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/crossplane:1.18.2

📦 Image Reference ghcr.io/uniget-org/tools/crossplane:1.18.2

digest	sha256:7b485b335594e7ed5e5f98aafd9121f52f7fdbd2c317667fc855e27f8e789b64
vulnerabilities
platform	linux/amd64
size	19 MB
packages	153

k8s.io/apiserver 0.31.2 (golang) pkg:golang/k8s.io/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <1.15.10 Fixed version 1.15.10, 1.16.7, 1.17.3 CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Description The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12389300957.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12389300957.