rebase: bump the github-dependencies group with 3 updates

Bumps the github-dependencies group with 3 updates: [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2), [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) and [github.com/pkg/xattr](https://github.com/pkg/xattr).


Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.33.19 to 1.33.20
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/sns/v1.33.19...service/sns/v1.33.20)

Updates `github.com/hashicorp/vault/api` from 1.16.0 to 1.20.0
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.16.0...api/v1.20.0)

Updates `github.com/pkg/xattr` from 0.4.10 to 0.4.11
- [Release notes](https://github.com/pkg/xattr/releases)
- [Commits](https://github.com/pkg/xattr/compare/v0.4.10...v0.4.11)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-version: 1.33.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-dependencies
- dependency-name: github.com/hashicorp/vault/api
  dependency-version: 1.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/pkg/xattr
  dependency-version: 0.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v1.33.20 (2025-06-06)
+
+* No change notes available for this release.
+
 # v1.33.19 (2025-04-10)
 
 * No change notes available for this release.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go

@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.33.19"
+const goModuleVersion = "1.33.20"

vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go

@@ -147,6 +147,9 @@ var defaultPartitions = endpoints.Partitions{
 			endpoints.EndpointKey{
 				Region: "ap-east-1",
 			}: endpoints.Endpoint{},
+			endpoints.EndpointKey{
+				Region: "ap-east-2",
+			}: endpoints.Endpoint{},
 			endpoints.EndpointKey{
 				Region: "ap-northeast-1",
 			}: endpoints.Endpoint{},

vendor/github.com/hashicorp/hcl/decoder.go

@@ -24,7 +24,18 @@ var (
 // Unmarshal accepts a byte slice as input and writes the
 // data to the value pointed to by v.
 func Unmarshal(bs []byte, v interface{}) error {
-	root, err := parse(bs)
+	root, err := parse(bs, false)
+	if err != nil {
+		return err
+	}
+
+	return DecodeObject(v, root)
+}
+
+// UnmarshalErrorOnDuplicates accepts a byte slice as input and writes the
+// data to the value pointed to by v but errors on duplicate attribute key.
+func UnmarshalErrorOnDuplicates(bs []byte, v interface{}) error {
+	root, err := parse(bs, true)
 	if err != nil {
 		return err
 	}
@@ -35,7 +46,19 @@ func Unmarshal(bs []byte, v interface{}) error {
 // Decode reads the given input and decodes it into the structure
 // given by `out`.
 func Decode(out interface{}, in string) error {
-	obj, err := Parse(in)
+	return decode(out, in, false)
+}
+
+// DecodeErrorOnDuplicates reads the given input and decodes it into the structure but errrors on duplicate attribute key
+// given by `out`.
+func DecodeErrorOnDuplicates(out interface{}, in string) error {
+	return decode(out, in, true)
+}
+
+// decode reads the given input and decodes it into the structure given by `out`.
+// takes in a boolean to determine if it should error on duplicate attribute
+func decode(out interface{}, in string, errorOnDuplicateAtributes bool) error {
+	obj, err := parse([]byte(in), errorOnDuplicateAtributes)
 	if err != nil {
 		return err
 	}
@@ -393,10 +416,16 @@ func (d *decoder) decodeMap(name string, node ast.Node, result reflect.Value) er
 
 	// Set the final map if we can
 	set.Set(resultMap)
+
 	return nil
 }
 
 func (d *decoder) decodePtr(name string, node ast.Node, result reflect.Value) error {
+	// if pointer is not nil, decode into existing value
+	if !result.IsNil() {
+		return d.decode(name, node, result.Elem())
+	}
+
 	// Create an element of the concrete (non pointer) type and decode
 	// into that. Then set the value of the pointer to this type.
 	resultType := result.Type()

vendor/github.com/hashicorp/hcl/hcl/parser/parser.go

@@ -27,22 +27,35 @@ type Parser struct {
 	enableTrace bool
 	indent      int
 	n           int // buffer size (max = 1)
+
+	errorOnDuplicateKeys bool
 }
 
-func newParser(src []byte) *Parser {
+func newParser(src []byte, errorOnDuplicateKeys bool) *Parser {
 	return &Parser{
-		sc: scanner.New(src),
+		sc:                   scanner.New(src),
+		errorOnDuplicateKeys: errorOnDuplicateKeys,
 	}
 }
 
 // Parse returns the fully parsed source and returns the abstract syntax tree.
 func Parse(src []byte) (*ast.File, error) {
+	return parse(src, true)
+}
+
+// Parse returns the fully parsed source and returns the abstract syntax tree.
+func ParseDontErrorOnDuplicateKeys(src []byte) (*ast.File, error) {
+	return parse(src, false)
+}
+
+// Parse returns the fully parsed source and returns the abstract syntax tree.
+func parse(src []byte, errorOnDuplicateKeys bool) (*ast.File, error) {
 	// normalize all line endings
 	// since the scanner and output only work with "\n" line endings, we may
 	// end up with dangling "\r" characters in the parsed data.
 	src = bytes.Replace(src, []byte("\r\n"), []byte("\n"), -1)
 
-	p := newParser(src)
+	p := newParser(src, errorOnDuplicateKeys)
 	return p.Parse()
 }
 
@@ -65,6 +78,7 @@ func (p *Parser) Parse() (*ast.File, error) {
 	}
 
 	f.Comments = p.comments
+
 	return f, nil
 }
 
@@ -76,6 +90,7 @@ func (p *Parser) objectList(obj bool) (*ast.ObjectList, error) {
 	defer un(trace(p, "ParseObjectList"))
 	node := &ast.ObjectList{}
 
+	seenKeys := map[string]struct{}{}
 	for {
 		if obj {
 			tok := p.scan()
@@ -83,11 +98,29 @@ func (p *Parser) objectList(obj bool) (*ast.ObjectList, error) {
 			if tok.Type == token.RBRACE {
 				break
 			}
+
 		}
 
 		n, err := p.objectItem()
+
 		if err == errEofToken {
 			break // we are finished
+		} else if err != nil {
+			return nil, err
+		}
+
+		if n.Assign.String() != "-" {
+			for _, key := range n.Keys {
+				if !p.errorOnDuplicateKeys {
+					break
+				}
+				_, ok := seenKeys[key.Token.Text]
+				if ok {
+					return nil, errors.New(fmt.Sprintf("The argument %q at %s was already set. Each argument can only be defined once", key.Token.Text, key.Token.Pos.String()))
+
+				}
+				seenKeys[key.Token.Text] = struct{}{}
+			}
 		}
 
 		// we don't return a nil node, because might want to use already
@@ -324,6 +357,8 @@ func (p *Parser) objectType() (*ast.ObjectType, error) {
 	// not a RBRACE, it's an syntax error and we just return it.
 	if err != nil && p.tok.Type != token.RBRACE {
 		return nil, err
+	} else if err != nil {
+		return nil, err
 	}
 
 	// No error, scan and expect the ending to be a brace
@@ -365,6 +400,7 @@ func (p *Parser) listType() (*ast.ListType, error) {
 		}
 		switch tok.Type {
 		case token.BOOL, token.NUMBER, token.FLOAT, token.STRING, token.HEREDOC:
+
 			node, err := p.literalType()
 			if err != nil {
 				return nil, err

vendor/github.com/hashicorp/hcl/parse.go

@@ -12,17 +12,20 @@ import (
 //
 // Input can be either JSON or HCL
 func ParseBytes(in []byte) (*ast.File, error) {
-	return parse(in)
+	return parse(in, true)
 }
 
 // ParseString accepts input as a string and returns ast tree.
 func ParseString(input string) (*ast.File, error) {
-	return parse([]byte(input))
+	return parse([]byte(input), true)
 }
 
-func parse(in []byte) (*ast.File, error) {
+func parse(in []byte, errorOnDuplicateKeys bool) (*ast.File, error) {
 	switch lexMode(in) {
 	case lexModeHcl:
+		if !errorOnDuplicateKeys {
+			return hclParser.ParseDontErrorOnDuplicateKeys(in)
+		}
 		return hclParser.Parse(in)
 	case lexModeJson:
 		return jsonParser.Parse(in)
@@ -35,5 +38,5 @@ func parse(in []byte) (*ast.File, error) {
 //
 // The input format can be either HCL or JSON.
 func Parse(input string) (*ast.File, error) {
-	return parse([]byte(input))
+	return parse([]byte(input), true)
 }

vendor/github.com/hashicorp/vault/api/hcl_dup_attr_deprecation.go

@@ -0,0 +1,25 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+	"strings"
+
+	"github.com/hashicorp/hcl"
+	"github.com/hashicorp/hcl/hcl/ast"
+	hclParser "github.com/hashicorp/hcl/hcl/parser"
+)
+
+// parseAndCheckForDuplicateHclAttributes parses the input JSON/HCL file and if it is HCL it also checks
+// for duplicate keys in the HCL file, allowing callers to handle the issue accordingly. In a future release we'll
+// change the behavior to treat duplicate keys as an error and eventually remove this helper altogether.
+// TODO (HCL_DUP_KEYS_DEPRECATION): remove once not used anymore
+func parseAndCheckForDuplicateHclAttributes(input string) (res *ast.File, duplicate bool, err error) {
+	res, err = hcl.Parse(input)
+	if err != nil && strings.Contains(err.Error(), "Each argument can only be defined once") {
+		duplicate = true
+		res, err = hclParser.ParseDontErrorOnDuplicateKeys([]byte(input))
+	}
+	return res, duplicate, err
+}

vendor/github.com/hashicorp/vault/api/logical.go

@@ -64,6 +64,12 @@ func (c *Logical) ReadWithData(path string, data map[string][]string) (*Secret,
 	return c.ReadWithDataWithContext(context.Background(), path, data)
 }
 
+// ReadFromSnapshot reads the data at the given Vault path from a previously
+// loaded snapshot. The snapshotID parameter is the ID of the loaded snapshot
+func (c *Logical) ReadFromSnapshot(path string, snapshotID string) (*Secret, error) {
+	return c.ReadWithData(path, map[string][]string{"read_snapshot_id": {snapshotID}})
+}
+
 func (c *Logical) ReadWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error) {
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()
@@ -104,6 +110,10 @@ func (c *Logical) ReadRawWithData(path string, data map[string][]string) (*Respo
 	return c.ReadRawWithDataWithContext(context.Background(), path, data)
 }
 
+func (c *Logical) ReadRawFromSnapshot(path string, snapshotID string) (*Response, error) {
+	return c.ReadRawWithDataWithContext(context.Background(), path, map[string][]string{"read_snapshot_id": {snapshotID}})
+}
+
 // ReadRawWithDataWithContext attempts to read the value stored at the given
 // Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data'
 // map is added as query parameters to the request.
@@ -160,15 +170,26 @@ func (c *Logical) readRawWithDataWithContext(ctx context.Context, path string, d
 	return c.c.RawRequestWithContext(ctx, r)
 }
 
+// ListFromSnapshot lists from the Vault path using a previously loaded
+// snapshot. The snapshotID parameter is the ID of the loaded snapshot
+func (c *Logical) ListFromSnapshot(path string, snapshotID string) (*Secret, error) {
+	r := c.c.NewRequest("LIST", "/v1/"+path)
+	r.Params.Set("read_snapshot_id", snapshotID)
+	return c.list(context.Background(), r)
+}
+
 func (c *Logical) List(path string) (*Secret, error) {
 	return c.ListWithContext(context.Background(), path)
 }
 
 func (c *Logical) ListWithContext(ctx context.Context, path string) (*Secret, error) {
+	return c.list(ctx, c.c.NewRequest("LIST", "/v1/"+path))
+}
+
+func (c *Logical) list(ctx context.Context, r *Request) (*Secret, error) {
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()
 
-	r := c.c.NewRequest("LIST", "/v1/"+path)
 	// Set this for broader compatibility, but we use LIST above to be able to
 	// handle the wrapping lookup function
 	r.Method = http.MethodGet
@@ -223,6 +244,14 @@ func (c *Logical) WriteRawWithContext(ctx context.Context, path string, data []b
 	return c.writeRaw(ctx, r)
 }
 
+// Recover recovers the data at the given Vault path from a loaded snapshot.
+// The snapshotID parameter is the ID of the loaded snapshot
+func (c *Logical) Recover(ctx context.Context, path string, snapshotID string) (*Secret, error) {
+	r := c.c.NewRequest(http.MethodPut, "/v1/"+path)
+	r.Params.Set("recover_snapshot_id", snapshotID)
+	return c.write(ctx, path, r)
+}
+
 func (c *Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (*Secret, error) {
 	r := c.c.NewRequest(http.MethodPatch, "/v1/"+path)
 	r.Headers.Set("Content-Type", "application/merge-patch+json")

vendor/github.com/hashicorp/vault/api/ssh_agent.go

@@ -150,7 +150,9 @@ func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error) {
 // ParseSSHHelperConfig parses the given contents as a string for the SSHHelper
 // configuration.
 func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {
-	root, err := hcl.Parse(string(contents))
+	// TODO (HCL_DUP_KEYS_DEPRECATION): replace with simple call to hcl.Parse once deprecation of duplicate attributes
+	// is over, for now just ignore duplicates
+	root, _, err := parseAndCheckForDuplicateHclAttributes(contents)
 	if err != nil {
 		return nil, errwrap.Wrapf("error parsing config: {{err}}", err)
 	}

vendor/github.com/hashicorp/vault/api/sys_raft.go

@@ -13,6 +13,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"sync"
 	"time"
 
@@ -443,3 +444,75 @@ func (c *Sys) PutRaftAutopilotConfigurationWithContext(ctx context.Context, opts
 
 	return nil
 }
+
+// RaftLoadLocalSnapshot wraps RaftLoadLocalSnapshotWithContext using context.Background.
+func (c *Sys) RaftLoadLocalSnapshot(snapReader io.Reader) (*Secret, error) {
+	return c.RaftLoadLocalSnapshotWithContext(context.Background(), snapReader)
+}
+
+// RaftLoadLocalSnapshotWithContext loads a snapshot into the raft cluster.
+// It accepts a reader that reads the snapshot file data.
+func (c *Sys) RaftLoadLocalSnapshotWithContext(ctx context.Context, snapReader io.Reader) (*Secret, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodPost, "/v1/sys/storage/raft/snapshot-load")
+	r.Body = snapReader
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return ParseSecret(resp.Body)
+}
+
+// RaftLoadCloudSnapshot wraps RaftLoadCloudSnapshotWithContext using context.Background.
+func (c *Sys) RaftLoadCloudSnapshot(name string, url *url.URL) (*Secret, error) {
+	return c.RaftLoadCloudSnapshotWithContext(context.Background(), name, url)
+}
+
+// RaftLoadCloudSnapshotWithContext loads a snapshot from cloud storage into the raft cluster.
+// It accepts a name for the cloud auto snapshot configuration and a URL to the snapshot location in cloud storage.
+func (c *Sys) RaftLoadCloudSnapshotWithContext(ctx context.Context, name string, url *url.URL) (*Secret, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodPost, "/v1/sys/storage/raft/snapshot-auto/snapshot-load/"+name)
+	if err := r.SetJSONBody(map[string]interface{}{
+		"url": url.String(),
+	}); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return ParseSecret(resp.Body)
+}
+
+// RaftUnloadSnapshot wraps RaftUnloadSnapshotWithContext using context.Background.
+func (c *Sys) RaftUnloadSnapshot(snapID string) (*Secret, error) {
+	return c.RaftUnloadSnapshotWithContext(context.Background(), snapID)
+}
+
+// RaftUnloadSnapshotWithContext unloads a snapshot from the raft cluster.
+// It accepts a snapshot ID to identify the snapshot to be unloaded.
+func (c *Sys) RaftUnloadSnapshotWithContext(ctx context.Context, snapID string) (*Secret, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodDelete, "/v1/sys/storage/raft/snapshot-load/"+snapID)
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return ParseSecret(resp.Body)
+}

vendor/github.com/hashicorp/vault/api/sys_utilization_report.go

@@ -0,0 +1,93 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/mitchellh/mapstructure"
+)
+
+func (c *Sys) UtilizationReport() (*UtilizationReportOutput, error) {
+	return c.UtilizationReportWithContext(context.Background())
+}
+
+func (c *Sys) UtilizationReportWithContext(ctx context.Context) (*UtilizationReportOutput, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, "/v1/sys/utilization-report")
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	var result UtilizationReportOutput
+	err = mapstructure.Decode(secret.Data, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, err
+}
+
+type UtilizationReportOutput struct {
+	Namespaces int `json:"namespaces,omitempty" structs:"namespaces" mapstructure:"namespaces"`
+
+	KVV1Secrets int `json:"kvv1_secrets,omitempty" structs:"kvv1_secrets" mapstructure:"kvv1_secrets"`
+	KVV2Secrets int `json:"kvv2_secrets,omitempty" structs:"kvv2_secrets" mapstructure:"kvv2_secrets"`
+
+	AuthMethods   map[string]int `json:"auth_methods,omitempty" structs:"auth_methods" mapstructure:"auth_methods"`
+	SecretEngines map[string]int `json:"secret_engines,omitempty" structs:"secret_engines" mapstructure:"secret_engines"`
+
+	LeasesByAuthMethod map[string]int `json:"leases_by_auth_method,omitempty" structs:"leases_by_auth_method" mapstructure:"leases_by_auth_method"`
+
+	ReplicationStatus *UtilizationReportReplicationStatusInformation `json:"replication_status,omitempty" structs:"replication_status" mapstructure:"replication_status"`
+
+	PKI *UtilizationReportPKIInformation `json:"pki,omitempty" structs:"pki" mapstructure:"pki"`
+
+	SecretSync *UtilizationReportSecretSyncInformation `json:"secret_sync,omitempty" structs:"secret_sync" mapstructure:"secret_sync"`
+
+	LeaseCountQuotas *UtilizationReportLeaseCountQuotaInformation `json:"lease_count_quotas,omitempty" structs:"lease_count_quotas" mapstructure:"lease_count_quotas"`
+}
+
+type UtilizationReportReplicationStatusInformation struct {
+	DRPrimary bool   `json:"dr_primary,omitempty" structs:"dr_primary" mapstructure:"dr_primary"`
+	DRState   string `json:"dr_state,omitempty" structs:"dr_state" mapstructure:"dr_state"`
+	PRPrimary bool   `json:"pr_primary,omitempty" structs:"pr_primary" mapstructure:"pr_primary"`
+	PRState   string `json:"pr_state,omitempty" structs:"pr_state" mapstructure:"pr_state"`
+}
+
+type UtilizationReportPKIInformation struct {
+	TotalRoles   int `json:"total_roles,omitempty" structs:"total_roles" mapstructure:"total_roles"`
+	TotalIssuers int `json:"total_issuers,omitempty" structs:"total_issuers" mapstructure:"total_issuers"`
+}
+
+type UtilizationReportSecretSyncInformation struct {
+	TotalSources      int `json:"total_sources,omitempty" structs:"total_sources" mapstructure:"total_sources"`
+	TotalDestinations int `json:"total_destinations,omitempty" structs:"total_destinations" mapstructure:"total_destinations"`
+}
+
+type UtilizationReportLeaseCountQuotaInformation struct {
+	TotalLeaseCountQuotas            int                                                `json:"total_lease_count_quotas,omitempty" structs:"total_lease_count_quotas" mapstructure:"total_lease_count_quotas"`
+	GlobalLeaseCountQuotaInformation *UtilizationReportGlobalLeaseCountQuotaInformation `json:"global_lease_count_quota,omitempty" structs:"global_lease_count_quota" mapstructure:"global_lease_count_quota"`
+}
+
+type UtilizationReportGlobalLeaseCountQuotaInformation struct {
+	Name     string `json:"name,omitempty" structs:"name" mapstructure:"name"`
+	Capacity int    `json:"capacity,omitempty" structs:"capacity" mapstructure:"capacity"`
+	Count    int    `json:"count,omitempty" structs:"count" mapstructure:"count"`
+}

vendor/github.com/pkg/xattr/xattr_solaris.go

@@ -4,8 +4,8 @@
 package xattr
 
 import (
+	"errors"
 	"os"
-	"syscall"
 
 	"golang.org/x/sys/unix"
 )
@@ -17,10 +17,11 @@ const (
 	XATTR_CREATE  = 0x1
 	XATTR_REPLACE = 0x2
 
-	// ENOATTR is not exported by the syscall package on Linux, because it is
-	// an alias for ENODATA. We export it here so it is available on all
-	// our supported platforms.
-	ENOATTR = syscall.ENODATA
+	// ENOATTR is not defined on Solaris. When attempting to open an
+	// extended attribute that doesn't exist, we'll get ENOENT. For
+	// compatibility with other platforms, we make ENOATTR available as
+	// an alias of unix.ENOENT.
+	ENOATTR = unix.ENOENT
 )
 
 func getxattr(path string, name string, data []byte) (int, error) {
@@ -132,7 +133,13 @@ func llistxattr(path string, data []byte) (int, error) {
 func flistxattr(f *os.File, data []byte) (int, error) {
 	fd, err := unix.Openat(int(f.Fd()), ".", unix.O_RDONLY|unix.O_XATTR, 0)
 	if err != nil {
-		return 0, unix.ENOTSUP
+		// When attempting to list extended attributes on a filesystem
+		// that doesn't support them (like as UFS and tmpfs), we'll get
+		// EINVAL. Translate this error to the more conventional ENOTSUP.
+		if errors.Is(err, unix.EINVAL) {
+			return 0, unix.ENOTSUP
+		}
+		return 0, err
 	}
 	xf := os.NewFile(uintptr(fd), f.Name())
 	defer func() {