fix(deps): update module github.com/crossplane/crossplane/v2 to v2.3.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/crossplane/crossplane/v2	v2.2.1 → v2.3.0

---

Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag

GHSA-wfqx-gjrf-g28r

More information

Details

Summary

Crossplane allows package signature verification to be configured via the ImageConfig mechanism. When enabled, the package manager uses cosign to verify that packages are correctly signed before pulling and installing them.

When a package is installed using a tag reference (e.g., a semantic version), a malicious OCI registry could serve a correctly signed image for verification, then subsequently serve an unsigned image for installation. This is possible because Crossplane resolves the tag reference separately for each step.

This vulnerability is relevant only for users who do all three of the following:

1. Configure signature verification for packages,
2. Install packages using tag references rather than digests, and
3. Install packages from registries they do not control.

Mitigation

Installing packages by image digest rather than using tags avoids this issue.

Fix

The package manager has been updated to resolve tag references once and use the resulting digest for both signature verification and image fetching. This ensures that Crossplane pulls the same content that had its signature verified. The fix has been applied to Crossplane's main branch and backported to the v2.3 and v2.2 release branches; it will be released in v2.3.3 and v2.2.3.

Credits

This issue was reported, independently, by @​bugbunny-research and @​tonghuaroot.

Severity

• CVSS Score: 9.0 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

• https://github.com/crossplane/crossplane/security/advisories/GHSA-wfqx-gjrf-g28r
• https://github.com/crossplane/crossplane

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

crossplane/crossplane (github.com/crossplane/crossplane/v2)

v2.3.0

Compare Source

The v2.3.0 release is a regular quarterly Crossplane release that is focused on maturing a number of key areas of functionality across the project, as Crossplane continues to become more capable, more reliable, and more performant for your production workloads. This release includes a new high-fidelity local rendering engine, finer-grained reconciliation control for both XRs and managed resources, new alpha deletion protection for Provider packages, and a wide range of fixes and reliability improvements. It also includes security fixes in Crossplane's Go toolchain and dependencies.

ℹ️ Extended support for v1.20

Because v1.20 is the last minor release of the v1 series and major version upgrades require additional planning for users, v1.20 will continue to receive critical fixes. The final EOL date for v1.20 is to be determined.

⚠️ Upgrade from v2.2

It is strongly advised to upgrade to v2.3 from the previous minor version, which is v2.2. Upon upgrade for each minor release, Crossplane performs any necessary migrations of its CRDs to ensure the latest versions are stored in the Kubernetes API server. Therefore, it is important to upgrade sequentially through one minor version at a time as described in the upgrade docs.

🚨 Notable and Breaking Changes

• github.com/crossplane/crossplane/apis/v2 is now a separate Go module from the rest of Crossplane. #​7019
  • External consumers of Crossplane APIs should update their dependencies from github.com/crossplane/crossplane/v2/apis to github.com/crossplane/crossplane/apis/v2.
  • The common APIs from crossplane-runtime have moved to github.com/crossplane/crossplane/apis/v2/core.
  • v1 and v2 of the common APIs have been collapsed into a single v2 package. The old v1.Resource* types are now v2.ClusterManagedResource* to differentiate them from v2.ManagedResource*, which are the namespaced versions.
• The Crossplane CLI (formerly crank) has moved into its own repository, https://github.com/crossplane/cli, and will be released separately from Crossplane core going forward. #​7355
  • A v2.3.0 release of the CLI coincides with this Crossplane core v2.3.0 release and has been dual published to the typical release location on releases.crossplane.io to help ease the transition. After the v2.3.0 release, version numbers and release schedules will diverge as the Crossplane CLI will have its own independent release schedule. Learn more and provide feedback in #​7350.
  • Commands have been re-organized into a noun-first tree.
  • Alpha and beta commands that previously lived in the crossplane alpha and crossplane beta trees have moved into the main tree.
  • Example: crossplane beta trace is now crossplane resource trace
  • See full release CLI notes (including full details on these breaking changes): https://github.com/crossplane/cli/releases/tag/v2.3.0

🎉 Highlights

• High-fidelity render engine: crossplane render now drives the real composite reconciler via a new hidden crossplane internal render subcommand, instead of maintaining a parallel reimplementation. The output of crossplane render (and downstream tools like crossplane-diff) now matches what would actually happen in-cluster, eliminating differences between local rendering and real reconciliation. By default it pulls the Crossplane container image to run the reconcile, so a separate controller binary is not required. See #​7280 and #​7339.
• Provider deletion protection: A new alpha feature automatically protects Provider packages from accidental deletion while instances of their managed resources still exist. When --enable-provider-deletion-protection is set, Crossplane will automatically create ClusterUsage resources that block Provider deletion through the existing Usage webhook. #​7362
• Per-resource reconciliation control: Two new annotations give users fine-grained control over when individual resources reconcile. crossplane.io/poll-interval overrides the controller-level poll interval for a specific resource (e.g. "24h", "30m"), and crossplane.io/reconcile-requested-at triggers an immediate reconciliation when its value changes. This works immediately for XRs, but requires providers to release a new version based on crossplane-runtime v.2.3.0 to gain this behavior for their managed resources #​7239
• Composition functions can now select all resources of a given kind: When a composition function returned a Requirements.ResourceSelector with only apiVersion and kind set (no matchName or matchLabels), Crossplane previously rejected this as an invalid request. A selector with no match field is now correctly interpreted as "all resources of that kind". #​7241
• Scale subresource for XRs: CompositeResourceDefinition can now configure the scale subresource on the XRs it defines, so composite resources can be scaled with kubectl scale and other standard tooling. #​7004
• Other notable improvements:
  • Improved docker network configuration support for crank render: A new render.crossplane.io/runtime-docker-network annotation on Function resources tells the Docker runtime which network function containers should join. This makes crossplane render work inside container jobs (such as GitHub Actions container jobs) where the default bridge network is unreachable from the caller. #​7216
  • commonAnnotations in compositions: Compositions can now propagate a set of common annotations to every composed resource, mirroring the existing commonLabels behavior. #​7211
  • crossplane beta validate now correctly resolves and caches dependencies that use semantic version ranges (e.g. ">=v0.6.0,<v1.0.0"), and adds an --update-cache flag to always check upstream for newer matching versions. #​7050
  • crossplane beta trace adds a YAML output format. #​7275
  • The XR circuit breaker now resets its state when the XR is deleted, so a new resource with the same name starts fresh instead of inheriting an open circuit. #​7201
  • CompositionRevision and composite reconcilers now skip no-op status updates, eliminating an unnecessary reconcile loop that prevented steady state convergence. #​7283

🏅 Release MVP

For the v2.3 release cycle, we'd like to recognize two amazing community members for their contributions and name them the v2.3 release MVPs! 🎉

• @​yordis delivered one of this release's headline features in #​7239 as a first-time contributor to core Crossplane (but long time contributor to the Crossplane ecosystem 😉) : the per-resource reconciliation control. This work gives operators fine-grained control over when individual resources reconcile, and required coordinated changes across both the core composite reconciler and the managed reconciler in crossplane-runtime. Thank you @​yordis!
• @​fernandezcuesta has had a sustained impact on the broader Crossplane ecosystem, contributing to and releasing a steady stream of community providers and extensions that expand what users can build on Crossplane, e.g. provider-kafka, provider-mongodbatlas, and provider-pagerduty. To top that off, they also landed new support in core Crossplane for commonAnnotations for compositions in #​7211. Thank you, @​fernandezcuesta!

What's Changed

• Bump crossplane-runtime dependency to v2.3.0-rc.0 by @​adamwg in #​7134
• Update renovate config for v2.2 release by @​adamwg in #​7141
• Use foreground cascading deletion for unneeded composed resources by @​bobh66 in #​6599
• readme: Leave a note about v1.20 extended support by @​adamwg in #​7153
• chore: clean up lingering refs to HACK_CROSSPLANE_ARGS by @​jbw976 in #​7124
• Add WG to adopters by @​alexey-pankratyev in #​7165
• build: mitigate potential script injection in promote workflow by @​jbw976 in #​7166
• fix: adding required permissions to top level and jobs in the workflow by @​gaganhr94 in #​7131
• ci: fix renovate config parsing by @​phisco in #​7176
• apis: Make apis a separate go module by @​adamwg in #​7019
• Update crossplane-runtime to use core APIs from the apis module by @​adamwg in #​7190
• fix(crank): xpkg push respects proxy environment variables by @​fhopfensperger in #​7208
• fix(crank): include resource kind, name, namespace in trace get errors by @​kruthiwusirika5 in #​7158
• chore(deps): update module github.com/cloudflare/circl to v1.6.3 [security] (main) by @​crossplane-renovate[bot] in #​7177
• Add a warning message for when a resource's namespace is overwritten by @​adamkasztenny in #​7156
• Issue #​7200 - Reset circuit breaker state on XR deletion by @​nicmunroe in #​7201
• Update crossplane-runtime and remove temporary copy by @​adamwg in #​7215
• ci: use new env for renovate allowed commands by @​phisco in #​7188
• ci: switch to korthout/backport-action and update it. by @​phisco in #​7234
• ci: drop Trivy vulnerability scanning by @​phisco in #​7237
• add sig-prod-readiness by @​mestredelpino in #​7136
• Add render.crossplane.io/runtime-docker-network annotation by @​jtucci in #​7216
• fix: get all resources when requiredResources matchLabels is empty by @​nkzk in #​7145
• fix(deps): update module google.golang.org/grpc to v1.79.3 [security] (main) by @​crossplane-renovate[bot] in #​7225
• Support ResourceSelector with no match field by @​negz in #​7241
• feat: implement commonAnnotations by @​fernandezcuesta in #​7211
• adopters: add T-Systems International GmbH to adopters list by @​jbw976 in #​7261
• Remove Hyland Software from ADOPTERS.md by @​sethfduke in #​7262
• Allow XRDs to configure the scale subresource by @​jonasz-lasut in #​7004
• Add YAML output format to crossplane beta trace by @​bobh66 in #​7275
• fix: set standard file permissions on Nix-built release binaries by @​adamkasztenny in #​7255
• pkg: Correctly handle dependency upgrades with ImageConfig prefix rewriting by @​adamwg in #​7233
• README: update release table after v2.2 release by @​jbw976 in #​7274
• chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [security] (main) by @​crossplane-renovate[bot] in #​7286
• fix(deps): update module github.com/go-git/go-git/v5 to v5.17.1 [security] (main) by @​crossplane-renovate[bot] in #​7137
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (main) by @​crossplane-renovate[bot] in #​7263
• fix(deps): update module github.com/sigstore/cosign/v3 to v3.0.5 [security] (main) by @​crossplane-renovate[bot] in #​7178
• chore(deps): update module github.com/docker/cli to v29.2.0+incompatible [security] (main) by @​crossplane-renovate[bot] in #​7193
• chore(deps): update module github.com/sigstore/timestamp-authority/v2 to v2.0.6 [security] (main) by @​crossplane-renovate[bot] in #​7297
• Add UpToDate condition by @​bobh66 in #​7294
• Use xcrd and xpkg packages from crossplane-runtime by @​adamwg in #​7308
• chore(deps): bump Go to 1.25.9 [security] by @​phisco in #​7306
• chore: add Lansweeper as adopter by @​fernandezcuesta in #​7172
• chore(deps): update module github.com/moby/spdystream to v0.5.1 [security] (main) by @​crossplane-renovate[bot] in #​7313
• Fix nix lint errors by @​adamwg in #​7321
• Avoid rebuilding upstream nixpkgs due to Go toolchain changes by @​adamwg in #​7323
• fix(deps): update module github.com/go-git/go-git/v5 to v5.18.0 [security] (main) by @​crossplane-renovate[bot] in #​7325
• Add high-fidelity render engine by @​negz in #​7280
• Add per-resource poll interval and reconcile-now annotations by @​yordis in #​7239
• chore: disable CodeRabbit automatic label application by @​jbw976 in #​7337
• design: Add a design document for developer experience tooling by @​adamwg in #​6909
• crank: Update render to use crossplane internal render by @​adamwg in #​7339
• feat(crank): add per-service template vars for xpkg batch by @​nullable-eth in #​7295
• fix(cli/beta/validate): support dependency semantic version range by @​nkzk in #​7050
• Use pkgs.unstable overlay instead of single pkgs.go-unstable attribute by @​negz in #​7356
• Remove crank by @​adamwg in #​7355
• fix(gomod): update go mod and gomod2nix after crank removal by @​haarchri in #​7361
• feat(provider-deletion): protect Providers from deletion via ClusterUsage by @​haarchri in #​7362
• chore(deps): update module github.com/in-toto/in-toto-golang to v0.11.0 [security] (main) by @​crossplane-renovate[bot] in #​7368
• chore(deps): update module golang.org/x/net to v0.53.0 [security] (main) by @​crossplane-renovate[bot] in #​7363
• Pin Renovate config validator by @​phisco in #​7386
• Skip no-op status updates in revision and composite reconcilers by @​tgoodwin in #​7283
• Update ADOPTERS.md by @​olafsm in #​7385
• Pin Renovate Earthly download by @​phisco in #​7387
• chore(deps): bump crossplane-runtime to v2.3.0-rc.1 by @​jbw976 in #​7394
• chore(deps): Bump Go to 1.25.10 to fix stdlib CVEs (release-2.3) by @​jbw976 in #​7413
• chore(deps): bump crossplane-runtime to v2.3.0 by @​jbw976 in #​7417

New Contributors

• @​alexey-pankratyev made their first contribution in #​7165
• @​gaganhr94 made their first contribution in #​7131
• @​kruthiwusirika5 made their first contribution in #​7158
• @​adamkasztenny made their first contribution in #​7156
• @​nicmunroe made their first contribution in #​7201
• @​mestredelpino made their first contribution in #​7136
• @​jtucci made their first contribution in #​7216
• @​nkzk made their first contribution in #​7145
• @​yordis made their first contribution in #​7239
• @​tgoodwin made their first contribution in #​7283
• @​olafsm made their first contribution in #​7385

Full Changelog: crossplane/crossplane@v2.2.0...v2.3.0

v2.2.2

Compare Source

v2.2.2 is a patch release scoped to fixing issues reported by users of Crossplane v2.2 and fixing security related issues in Crossplane's dependencies.

What's Changed

• fix(deps): update module github.com/in-toto/in-toto-golang to v0.11.0 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7372
• fix(deps): update module github.com/go-git/go-git/v5 to v5.19.0 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7384
• chore(deps): Bump Go to 1.25.10 to fix stdlib CVEs (release-2.2) by @​jbw976 in #​7412
• fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7409
• chore(deps): update module golang.org/x/crypto to v0.52.0 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7426
• chore(deps): bump crossplane-runtime to v2.2.2 (release-2.2) by @​jbw976 in #​7430

Full Changelog: crossplane/crossplane@v2.2.1...v2.2.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: downloading github.com/invopop/jsonschema v0.14.0
go: downloading github.com/alecthomas/kong v1.15.0
go: downloading github.com/spf13/afero v1.15.0
go: downloading github.com/gonvenience/bunt v1.4.3
go: downloading github.com/stretchr/testify v1.11.1
go: downloading github.com/crossplane/crossplane-runtime/v2 v2.3.0
go: downloading github.com/crossplane/crossplane/v2 v2.3.0
go: downloading k8s.io/apimachinery v0.35.3
go: downloading k8s.io/apiserver v0.35.0
go: downloading sigs.k8s.io/yaml v1.6.0
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/google/uuid v1.6.0
go: downloading k8s.io/apiextensions-apiserver v0.35.0
go: downloading github.com/go-git/go-git/v5 v5.18.0
go: downloading github.com/gertd/go-pluralize v0.2.1
go: downloading github.com/gonvenience/ytbx v1.5.0
go: downloading github.com/homeport/dyff v1.12.0
go: downloading github.com/otiai10/copy v1.14.1
go: downloading github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
go: downloading github.com/alecthomas/assert/v2 v2.11.0
go: downloading github.com/pb33f/ordered-map/v2 v2.3.1
go: downloading golang.org/x/text v0.36.0
go: downloading github.com/gonvenience/term v1.0.5
go: downloading github.com/lucasb-eyer/go-colorful v1.4.0
go: downloading github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3
go: downloading github.com/mattn/go-isatty v0.0.21
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading sigs.k8s.io/controller-runtime v0.23.1
go: downloading dario.cat/mergo v1.0.2
go: downloading github.com/crossplane/crossplane/apis/v2 v2.0.0-20260424160951-8f231230ebb6
go: downloading k8s.io/api v0.35.3
go: downloading k8s.io/utils v0.0.0-20260319190234-28399d86e0b5
go: downloading k8s.io/klog/v2 v2.130.1
go: downloading go.yaml.in/yaml/v2 v2.4.4
go: downloading k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4
go: downloading github.com/ProtonMail/go-crypto v1.1.6
go: downloading github.com/go-git/go-billy/v5 v5.8.0
go: downloading github.com/sergi/go-diff v1.4.0
go: downloading github.com/BurntSushi/toml v1.6.0
go: downloading github.com/gonvenience/text v1.0.10
go: downloading github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74
go: downloading go.yaml.in/yaml/v3 v3.0.4
go: downloading github.com/gonvenience/idem v0.0.3
go: downloading github.com/gonvenience/neat v1.3.20
go: downloading github.com/mitchellh/hashstructure/v2 v2.0.2
go: downloading github.com/texttheater/golang-levenshtein v1.0.1
go: downloading github.com/otiai10/mint v1.6.3
go: downloading golang.org/x/sync v0.20.0
go: downloading golang.org/x/sys v0.43.0
go: downloading github.com/emirpasic/gods v1.18.1
go: downloading github.com/alecthomas/repr v0.5.2
go: downloading github.com/hexops/gotextdiff v1.0.3
go: downloading github.com/bahlo/generic-list-go v0.2.0
go: downloading github.com/buger/jsonparser v1.1.2
go: downloading go.yaml.in/yaml/v4 v4.0.0-rc.2
go: downloading github.com/mitchellh/go-ps v1.0.0
go: downloading golang.org/x/term v0.42.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482
go: downloading sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
go: downloading sigs.k8s.io/randfill v1.0.0
go: downloading github.com/go-logr/logr v1.4.3
go: downloading github.com/evanphx/json-patch/v5 v5.9.11
go: downloading github.com/evanphx/json-patch v5.9.11+incompatible
go: downloading k8s.io/client-go v0.35.1
go: downloading github.com/go-openapi/jsonreference v0.21.5
go: downloading github.com/go-openapi/swag v0.25.5
go: downloading github.com/google/gnostic-models v0.7.1
go: downloading github.com/google/cel-go v0.27.0
go: downloading k8s.io/component-base v0.35.0
go: downloading golang.org/x/crypto v0.50.0
go: downloading github.com/cyphar/filepath-securejoin v0.4.1
go: downloading github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376
go: downloading github.com/pjbgf/sha1cd v0.3.2
go: downloading github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
go: downloading github.com/json-iterator/go v1.1.12
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading golang.org/x/net v0.53.0
go: downloading github.com/fxamacker/cbor/v2 v2.9.0
go: downloading github.com/go-openapi/jsonpointer v0.22.5
go: downloading github.com/go-openapi/swag/cmdutils v0.25.5
go: downloading github.com/go-openapi/swag/conv v0.25.5
go: downloading github.com/go-openapi/swag/fileutils v0.25.5
go: downloading github.com/go-openapi/swag/jsonname v0.25.5
go: downloading github.com/go-openapi/swag/jsonutils v0.25.5
go: downloading github.com/go-openapi/swag/loading v0.25.5
go: downloading github.com/go-openapi/swag/mangling v0.25.5
go: downloading github.com/go-openapi/swag/netutils v0.25.5
go: downloading github.com/go-openapi/swag/stringutils v0.25.5
go: downloading github.com/go-openapi/swag/typeutils v0.25.5
go: downloading github.com/go-openapi/swag/yamlutils v0.25.5
go: downloading google.golang.org/protobuf v1.36.11
go: downloading cel.dev/expr v0.25.1
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9
go: downloading github.com/blang/semver/v4 v4.0.0
go: downloading github.com/prometheus/client_golang v1.23.2
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/prometheus/procfs v0.19.2
go: downloading github.com/spf13/pflag v1.0.10
go: downloading go.opentelemetry.io/otel/trace v1.43.0
go: downloading go.opentelemetry.io/otel v1.43.0
go: downloading github.com/cloudflare/circl v1.6.3
go: downloading gopkg.in/warnings.v0 v0.1.2
go: downloading github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8
go: downloading github.com/kevinburke/ssh_config v1.2.0
go: downloading github.com/skeema/knownhosts v1.3.1
go: downloading github.com/xanzy/ssh-agent v0.3.3
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee
go: downloading golang.org/x/oauth2 v0.36.0
go: downloading golang.org/x/time v0.15.0
go: downloading github.com/x448/float16 v0.8.4
go: downloading github.com/antlr4-go/antlr/v4 v4.13.1
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/prometheus/common v0.67.5
go: downloading github.com/Microsoft/go-winio v0.6.2
go: downloading golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa
go: downloading github.com/spf13/cobra v1.10.2
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/emicklei/go-restful/v3 v3.13.0
go: downloading github.com/crossplane/crossplane/v2 v2.3.2
go: downloading github.com/crossplane/crossplane v1.20.9
go: github.com/crossplane-contrib/xprin/cmd/xprin-helpers/claimtoxr imports
	github.com/crossplane/crossplane/v2/cmd/crank/beta/convert/io: cannot find module providing package github.com/crossplane/crossplane/v2/cmd/crank/beta/convert/io
go: github.com/crossplane-contrib/xprin/cmd/xprin-helpers/patchxr imports
	github.com/crossplane/crossplane/v2/apis/apiextensions/v1: cannot find module providing package github.com/crossplane/crossplane/v2/apis/apiextensions/v1
go: github.com/crossplane-contrib/xprin/cmd/xprin-helpers/patchxr imports
	github.com/crossplane/crossplane/v2/cmd/crank/render: cannot find module providing package github.com/crossplane/crossplane/v2/cmd/crank/render