rebase: update kubernetes to 1.28.0 in main

updating kubernetes to 1.28.0 in the main repo. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-14 18:53:35 +00:00 · 2023-08-17 07:15:28 +02:00
parent b2fdc269c3
commit ff3e84ad67
706 changed files with 45252 additions and 16346 deletions
--- a/vendor/github.com/google/cel-go/cel/BUILD.bazel
+++ b/vendor/github.com/google/cel-go/cel/BUILD.bazel
@ -23,6 +23,7 @@ go_library(
        "//checker/decls:go_default_library",
        "//common:go_default_library",
        "//common/containers:go_default_library",
+        "//common/operators:go_default_library",
        "//common/overloads:go_default_library",
        "//common/types:go_default_library",
        "//common/types/pb:go_default_library",
@ -31,7 +32,7 @@ go_library(
        "//interpreter:go_default_library",
        "//interpreter/functions:go_default_library",
        "//parser:go_default_library",
-        "@org_golang_google_genproto//googleapis/api/expr/v1alpha1:go_default_library",
+        "@org_golang_google_genproto_googleapis_api//expr/v1alpha1:go_default_library",
        "@org_golang_google_protobuf//proto:go_default_library",
        "@org_golang_google_protobuf//reflect/protodesc:go_default_library",
        "@org_golang_google_protobuf//reflect/protoreflect:go_default_library",
@ -69,7 +70,7 @@ go_test(
        "//test/proto2pb:go_default_library",
        "//test/proto3pb:go_default_library",
        "@io_bazel_rules_go//proto/wkt:descriptor_go_proto",
-        "@org_golang_google_genproto//googleapis/api/expr/v1alpha1:go_default_library",
+        "@org_golang_google_genproto_googleapis_api//expr/v1alpha1:go_default_library",
        "@org_golang_google_protobuf//proto:go_default_library",
        "@org_golang_google_protobuf//types/known/structpb:go_default_library",
    ],
--- a/vendor/github.com/google/cel-go/cel/decls.go
+++ b/vendor/github.com/google/cel-go/cel/decls.go
@ -139,7 +139,7 @@ var (
 		kind:        TypeKind,
 		runtimeType: types.TypeType,
 	}
-	//UintType represents a uint type.
+	// UintType represents a uint type.
 	UintType = &Type{
 		kind:        UintKind,
 		runtimeType: types.UintType,
@ -222,7 +222,8 @@ func (t *Type) equals(other *Type) bool {
 // - The from types are the same instance
 // - The target type is dynamic
 // - The fromType has the same kind and type name as the target type, and all parameters of the target type
-//	 are IsAssignableType() from the parameters of the fromType.
+//
+//	are IsAssignableType() from the parameters of the fromType.
 func (t *Type) defaultIsAssignableType(fromType *Type) bool {
 	if t == fromType || t.isDyn() {
 		return true
@ -312,6 +313,11 @@ func NullableType(wrapped *Type) *Type {
 	}
 }

+// OptionalType creates an abstract parameterized type instance corresponding to CEL's notion of optional.
+func OptionalType(param *Type) *Type {
+	return OpaqueType("optional", param)
+}
+
 // OpaqueType creates an abstract parameterized type with a given name.
 func OpaqueType(name string, params ...*Type) *Type {
 	return &Type{
@ -365,7 +371,9 @@ func Variable(name string, t *Type) EnvOption {
 //
 // - Overloads are searched in the order they are declared
 // - Dynamic dispatch for lists and maps is limited by inspection of the list and map contents
-//   at runtime. Empty lists and maps will result in a 'default dispatch'
+//
+//	at runtime. Empty lists and maps will result in a 'default dispatch'
+//
 // - In the event that a default dispatch occurs, the first overload provided is the one invoked
 //
 // If you intend to use overloads which differentiate based on the key or element type of a list or
@ -405,7 +413,7 @@ func Function(name string, opts ...FunctionOpt) EnvOption {
 // FunctionOpt defines a functional  option for configuring a function declaration.
 type FunctionOpt func(*functionDecl) (*functionDecl, error)

-// SingletonUnaryBinding creates a singleton function defintion to be used for all function overloads.
+// SingletonUnaryBinding creates a singleton function definition to be used for all function overloads.
 //
 // Note, this approach works well if operand is expected to have a specific trait which it implements,
 // e.g. traits.ContainerType. Otherwise, prefer per-overload function bindings.
@ -431,7 +439,17 @@ func SingletonUnaryBinding(fn functions.UnaryOp, traits ...int) FunctionOpt {
 //
 // Note, this approach works well if operand is expected to have a specific trait which it implements,
 // e.g. traits.ContainerType. Otherwise, prefer per-overload function bindings.
+//
+// Deprecated: use SingletonBinaryBinding
 func SingletonBinaryImpl(fn functions.BinaryOp, traits ...int) FunctionOpt {
+	return SingletonBinaryBinding(fn, traits...)
+}
+
+// SingletonBinaryBinding creates a singleton function definition to be used with all function overloads.
+//
+// Note, this approach works well if operand is expected to have a specific trait which it implements,
+// e.g. traits.ContainerType. Otherwise, prefer per-overload function bindings.
+func SingletonBinaryBinding(fn functions.BinaryOp, traits ...int) FunctionOpt {
 	trait := 0
 	for _, t := range traits {
 		trait = trait | t
@ -453,7 +471,17 @@ func SingletonBinaryImpl(fn functions.BinaryOp, traits ...int) FunctionOpt {
 //
 // Note, this approach works well if operand is expected to have a specific trait which it implements,
 // e.g. traits.ContainerType. Otherwise, prefer per-overload function bindings.
+//
+// Deprecated: use SingletonFunctionBinding
 func SingletonFunctionImpl(fn functions.FunctionOp, traits ...int) FunctionOpt {
+	return SingletonFunctionBinding(fn, traits...)
+}
+
+// SingletonFunctionBinding creates a singleton function definition to be used with all function overloads.
+//
+// Note, this approach works well if operand is expected to have a specific trait which it implements,
+// e.g. traits.ContainerType. Otherwise, prefer per-overload function bindings.
+func SingletonFunctionBinding(fn functions.FunctionOp, traits ...int) FunctionOpt {
 	trait := 0
 	for _, t := range traits {
 		trait = trait | t
@ -720,9 +748,8 @@ func (f *functionDecl) addOverload(overload *overloadDecl) error {
 				// Allow redefinition of an overload implementation so long as the signatures match.
 				f.overloads[index] = overload
 				return nil
-			} else {
-				return fmt.Errorf("overload redefinition in function. %s: %s has multiple definitions", f.name, o.id)
 			}
+			return fmt.Errorf("overload redefinition in function. %s: %s has multiple definitions", f.name, o.id)
 		}
 	}
 	f.overloads = append(f.overloads, overload)
@ -1177,3 +1204,43 @@ func collectParamNames(paramNames map[string]struct{}, arg *Type) {
 		collectParamNames(paramNames, param)
 	}
 }
+
+func typeValueToKind(tv *types.TypeValue) (Kind, error) {
+	switch tv {
+	case types.BoolType:
+		return BoolKind, nil
+	case types.DoubleType:
+		return DoubleKind, nil
+	case types.IntType:
+		return IntKind, nil
+	case types.UintType:
+		return UintKind, nil
+	case types.ListType:
+		return ListKind, nil
+	case types.MapType:
+		return MapKind, nil
+	case types.StringType:
+		return StringKind, nil
+	case types.BytesType:
+		return BytesKind, nil
+	case types.DurationType:
+		return DurationKind, nil
+	case types.TimestampType:
+		return TimestampKind, nil
+	case types.NullType:
+		return NullTypeKind, nil
+	case types.TypeType:
+		return TypeKind, nil
+	default:
+		switch tv.TypeName() {
+		case "dyn":
+			return DynKind, nil
+		case "google.protobuf.Any":
+			return AnyKind, nil
+		case "optional":
+			return OpaqueKind, nil
+		default:
+			return 0, fmt.Errorf("no known conversion for type of %s", tv.TypeName())
+		}
+	}
+}
--- a/vendor/github.com/google/cel-go/cel/env.go
+++ b/vendor/github.com/google/cel-go/cel/env.go
@ -102,15 +102,18 @@ type Env struct {
 	provider        ref.TypeProvider
 	features        map[int]bool
 	appliedFeatures map[int]bool
+	libraries       map[string]bool

 	// Internal parser representation
-	prsr *parser.Parser
+	prsr     *parser.Parser
+	prsrOpts []parser.Option

 	// Internal checker representation
-	chk     *checker.Env
-	chkErr  error
-	chkOnce sync.Once
-	chkOpts []checker.Option
+	chkMutex sync.Mutex
+	chk      *checker.Env
+	chkErr   error
+	chkOnce  sync.Once
+	chkOpts  []checker.Option

 	// Program options tied to the environment
 	progOpts []ProgramOption
@ -159,6 +162,7 @@ func NewCustomEnv(opts ...EnvOption) (*Env, error) {
 		provider:        registry,
 		features:        map[int]bool{},
 		appliedFeatures: map[int]bool{},
+		libraries:       map[string]bool{},
 		progOpts:        []ProgramOption{},
 	}).configure(opts)
 }
@ -175,14 +179,14 @@ func (e *Env) Check(ast *Ast) (*Ast, *Issues) {
 	pe, _ := AstToParsedExpr(ast)

 	// Construct the internal checker env, erroring if there is an issue adding the declarations.
-	err := e.initChecker()
+	chk, err := e.initChecker()
 	if err != nil {
 		errs := common.NewErrors(ast.Source())
-		errs.ReportError(common.NoLocation, e.chkErr.Error())
+		errs.ReportError(common.NoLocation, err.Error())
 		return nil, NewIssues(errs)
 	}

-	res, errs := checker.Check(pe, ast.Source(), e.chk)
+	res, errs := checker.Check(pe, ast.Source(), chk)
 	if len(errs.GetErrors()) > 0 {
 		return nil, NewIssues(errs)
 	}
@ -236,10 +240,14 @@ func (e *Env) CompileSource(src Source) (*Ast, *Issues) {
 // TypeProvider are immutable, or that their underlying implementations are based on the
 // ref.TypeRegistry which provides a Copy method which will be invoked by this method.
 func (e *Env) Extend(opts ...EnvOption) (*Env, error) {
-	if e.chkErr != nil {
-		return nil, e.chkErr
+	chk, chkErr := e.getCheckerOrError()
+	if chkErr != nil {
+		return nil, chkErr
 	}

+	prsrOptsCopy := make([]parser.Option, len(e.prsrOpts))
+	copy(prsrOptsCopy, e.prsrOpts)
+
 	// The type-checker is configured with Declarations. The declarations may either be provided
 	// as options which have not yet been validated, or may come from a previous checker instance
 	// whose types have already been validated.
@ -248,10 +256,10 @@ func (e *Env) Extend(opts ...EnvOption) (*Env, error) {

 	// Copy the declarations if needed.
 	decsCopy := []*exprpb.Decl{}
-	if e.chk != nil {
+	if chk != nil {
 		// If the type-checker has already been instantiated, then the e.declarations have been
-		// valdiated within the chk instance.
-		chkOptsCopy = append(chkOptsCopy, checker.ValidatedDeclarations(e.chk))
+		// validated within the chk instance.
+		chkOptsCopy = append(chkOptsCopy, checker.ValidatedDeclarations(chk))
 	} else {
 		// If the type-checker has not been instantiated, ensure the unvalidated declarations are
 		// provided to the extended Env instance.
@ -304,8 +312,11 @@ func (e *Env) Extend(opts ...EnvOption) (*Env, error) {
 	for k, v := range e.functions {
 		funcsCopy[k] = v
 	}
+	libsCopy := make(map[string]bool, len(e.libraries))
+	for k, v := range e.libraries {
+		libsCopy[k] = v
+	}

-	// TODO: functions copy needs to happen here.
 	ext := &Env{
 		Container:       e.Container,
 		declarations:    decsCopy,
@ -315,8 +326,10 @@ func (e *Env) Extend(opts ...EnvOption) (*Env, error) {
 		adapter:         adapter,
 		features:        featuresCopy,
 		appliedFeatures: appliedFeaturesCopy,
+		libraries:       libsCopy,
 		provider:        provider,
 		chkOpts:         chkOptsCopy,
+		prsrOpts:        prsrOptsCopy,
 	}
 	return ext.configure(opts)
 }
@ -328,6 +341,12 @@ func (e *Env) HasFeature(flag int) bool {
 	return has && enabled
 }

+// HasLibrary returns whether a specific SingletonLibrary has been configured in the environment.
+func (e *Env) HasLibrary(libName string) bool {
+	configured, exists := e.libraries[libName]
+	return exists && configured
+}
+
 // Parse parses the input expression value `txt` to a Ast and/or a set of Issues.
 //
 // This form of Parse creates a Source value for the input `txt` and forwards to the
@ -422,8 +441,8 @@ func (e *Env) UnknownVars() interpreter.PartialActivation {
 // TODO: Consider adding an option to generate a Program.Residual to avoid round-tripping to an
 // Ast format and then Program again.
 func (e *Env) ResidualAst(a *Ast, details *EvalDetails) (*Ast, error) {
-	pruned := interpreter.PruneAst(a.Expr(), details.State())
-	expr, err := AstToString(ParsedExprToAst(&exprpb.ParsedExpr{Expr: pruned}))
+	pruned := interpreter.PruneAst(a.Expr(), a.SourceInfo().GetMacroCalls(), details.State())
+	expr, err := AstToString(ParsedExprToAst(pruned))
 	if err != nil {
 		return nil, err
 	}
@ -443,12 +462,12 @@ func (e *Env) ResidualAst(a *Ast, details *EvalDetails) (*Ast, error) {

 // EstimateCost estimates the cost of a type checked CEL expression using the length estimates of input data and
 // extension functions provided by estimator.
-func (e *Env) EstimateCost(ast *Ast, estimator checker.CostEstimator) (checker.CostEstimate, error) {
+func (e *Env) EstimateCost(ast *Ast, estimator checker.CostEstimator, opts ...checker.CostOption) (checker.CostEstimate, error) {
 	checked, err := AstToCheckedExpr(ast)
 	if err != nil {
 		return checker.CostEstimate{}, fmt.Errorf("EsimateCost could not inspect Ast: %v", err)
 	}
-	return checker.Cost(checked, estimator), nil
+	return checker.Cost(checked, estimator, opts...)
 }

 // configure applies a series of EnvOptions to the current environment.
@ -464,17 +483,9 @@ func (e *Env) configure(opts []EnvOption) (*Env, error) {
 	}

 	// If the default UTC timezone fix has been enabled, make sure the library is configured
-	if e.HasFeature(featureDefaultUTCTimeZone) {
-		if _, found := e.appliedFeatures[featureDefaultUTCTimeZone]; !found {
-			e, err = Lib(timeUTCLibrary{})(e)
-			if err != nil {
-				return nil, err
-			}
-			// record that the feature has been applied since it will generate declarations
-			// and functions which will be propagated on Extend() calls and which should only
-			// be registered once.
-			e.appliedFeatures[featureDefaultUTCTimeZone] = true
-		}
+	e, err = e.maybeApplyFeature(featureDefaultUTCTimeZone, Lib(timeUTCLibrary{}))
+	if err != nil {
+		return nil, err
 	}

 	// Initialize all of the functions configured within the environment.
@ -486,7 +497,10 @@ func (e *Env) configure(opts []EnvOption) (*Env, error) {
 	}

 	// Configure the parser.
-	prsrOpts := []parser.Option{parser.Macros(e.macros...)}
+	prsrOpts := []parser.Option{}
+	prsrOpts = append(prsrOpts, e.prsrOpts...)
+	prsrOpts = append(prsrOpts, parser.Macros(e.macros...))
+
 	if e.HasFeature(featureEnableMacroCallTracking) {
 		prsrOpts = append(prsrOpts, parser.PopulateMacroCalls(true))
 	}
@ -497,7 +511,7 @@ func (e *Env) configure(opts []EnvOption) (*Env, error) {

 	// Ensure that the checker init happens eagerly rather than lazily.
 	if e.HasFeature(featureEagerlyValidateDeclarations) {
-		err := e.initChecker()
+		_, err := e.initChecker()
 		if err != nil {
 			return nil, err
 		}
@ -506,7 +520,7 @@ func (e *Env) configure(opts []EnvOption) (*Env, error) {
 	return e, nil
 }

-func (e *Env) initChecker() error {
+func (e *Env) initChecker() (*checker.Env, error) {
 	e.chkOnce.Do(func() {
 		chkOpts := []checker.Option{}
 		chkOpts = append(chkOpts, e.chkOpts...)
@ -518,32 +532,68 @@ func (e *Env) initChecker() error {

 		ce, err := checker.NewEnv(e.Container, e.provider, chkOpts...)
 		if err != nil {
-			e.chkErr = err
+			e.setCheckerOrError(nil, err)
 			return
 		}
 		// Add the statically configured declarations.
 		err = ce.Add(e.declarations...)
 		if err != nil {
-			e.chkErr = err
+			e.setCheckerOrError(nil, err)
 			return
 		}
 		// Add the function declarations which are derived from the FunctionDecl instances.
 		for _, fn := range e.functions {
 			fnDecl, err := functionDeclToExprDecl(fn)
 			if err != nil {
-				e.chkErr = err
+				e.setCheckerOrError(nil, err)
 				return
 			}
 			err = ce.Add(fnDecl)
 			if err != nil {
-				e.chkErr = err
+				e.setCheckerOrError(nil, err)
 				return
 			}
 		}
 		// Add function declarations here separately.
-		e.chk = ce
+		e.setCheckerOrError(ce, nil)
 	})
-	return e.chkErr
+	return e.getCheckerOrError()
+}
+
+// setCheckerOrError sets the checker.Env or error state in a concurrency-safe manner
+func (e *Env) setCheckerOrError(chk *checker.Env, chkErr error) {
+	e.chkMutex.Lock()
+	e.chk = chk
+	e.chkErr = chkErr
+	e.chkMutex.Unlock()
+}
+
+// getCheckerOrError gets the checker.Env or error state in a concurrency-safe manner
+func (e *Env) getCheckerOrError() (*checker.Env, error) {
+	e.chkMutex.Lock()
+	defer e.chkMutex.Unlock()
+	return e.chk, e.chkErr
+}
+
+// maybeApplyFeature determines whether the feature-guarded option is enabled, and if so applies
+// the feature if it has not already been enabled.
+func (e *Env) maybeApplyFeature(feature int, option EnvOption) (*Env, error) {
+	if !e.HasFeature(feature) {
+		return e, nil
+	}
+	_, applied := e.appliedFeatures[feature]
+	if applied {
+		return e, nil
+	}
+	e, err := option(e)
+	if err != nil {
+		return nil, err
+	}
+	// record that the feature has been applied since it will generate declarations
+	// and functions which will be propagated on Extend() calls and which should only
+	// be registered once.
+	e.appliedFeatures[feature] = true
+	return e, nil
 }

 // Issues defines methods for inspecting the error details of parse and check calls.
--- a/vendor/github.com/google/cel-go/cel/io.go
+++ b/vendor/github.com/google/cel-go/cel/io.go
@ -19,14 +19,14 @@ import (
 	"fmt"
 	"reflect"

+	"google.golang.org/protobuf/proto"
+
 	"github.com/google/cel-go/common"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/common/types/traits"
 	"github.com/google/cel-go/parser"

-	"google.golang.org/protobuf/proto"
-
 	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
 	anypb "google.golang.org/protobuf/types/known/anypb"
 )
--- a/vendor/github.com/google/cel-go/cel/library.go
+++ b/vendor/github.com/google/cel-go/cel/library.go
@ -20,10 +20,27 @@ import (
 	"time"

 	"github.com/google/cel-go/checker"
+	"github.com/google/cel-go/common"
+	"github.com/google/cel-go/common/operators"
 	"github.com/google/cel-go/common/overloads"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	"github.com/google/cel-go/common/types/traits"
+	"github.com/google/cel-go/interpreter"
 	"github.com/google/cel-go/interpreter/functions"
+	"github.com/google/cel-go/parser"
+
+	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
+)
+
+const (
+	optMapMacro                = "optMap"
+	hasValueFunc               = "hasValue"
+	optionalNoneFunc           = "optional.none"
+	optionalOfFunc             = "optional.of"
+	optionalOfNonZeroValueFunc = "optional.ofNonZeroValue"
+	valueFunc                  = "value"
+	unusedIterVar              = "#unused"
 )

 // Library provides a collection of EnvOption and ProgramOption values used to configure a CEL
@ -42,10 +59,27 @@ type Library interface {
 	ProgramOptions() []ProgramOption
 }

+// SingletonLibrary refines the Library interface to ensure that libraries in this format are only
+// configured once within the environment.
+type SingletonLibrary interface {
+	Library
+
+	// LibraryName provides a namespaced name which is used to check whether the library has already
+	// been configured in the environment.
+	LibraryName() string
+}
+
 // Lib creates an EnvOption out of a Library, allowing libraries to be provided as functional args,
 // and to be linked to each other.
 func Lib(l Library) EnvOption {
+	singleton, isSingleton := l.(SingletonLibrary)
 	return func(e *Env) (*Env, error) {
+		if isSingleton {
+			if e.HasLibrary(singleton.LibraryName()) {
+				return e, nil
+			}
+			e.libraries[singleton.LibraryName()] = true
+		}
 		var err error
 		for _, opt := range l.CompileOptions() {
 			e, err = opt(e)
@ -67,6 +101,11 @@ func StdLib() EnvOption {
 // features documented in the specification.
 type stdLibrary struct{}

+// LibraryName implements the SingletonLibrary interface method.
+func (stdLibrary) LibraryName() string {
+	return "cel.lib.std"
+}
+
 // EnvOptions returns options for the standard CEL function declarations and macros.
 func (stdLibrary) CompileOptions() []EnvOption {
 	return []EnvOption{
@ -82,6 +121,225 @@ func (stdLibrary) ProgramOptions() []ProgramOption {
 	}
 }

+type optionalLibrary struct{}
+
+// LibraryName implements the SingletonLibrary interface method.
+func (optionalLibrary) LibraryName() string {
+	return "cel.lib.optional"
+}
+
+// CompileOptions implements the Library interface method.
+func (optionalLibrary) CompileOptions() []EnvOption {
+	paramTypeK := TypeParamType("K")
+	paramTypeV := TypeParamType("V")
+	optionalTypeV := OptionalType(paramTypeV)
+	listTypeV := ListType(paramTypeV)
+	mapTypeKV := MapType(paramTypeK, paramTypeV)
+
+	return []EnvOption{
+		// Enable the optional syntax in the parser.
+		enableOptionalSyntax(),
+
+		// Introduce the optional type.
+		Types(types.OptionalType),
+
+		// Configure the optMap macro.
+		Macros(NewReceiverMacro(optMapMacro, 2, optMap)),
+
+		// Global and member functions for working with optional values.
+		Function(optionalOfFunc,
+			Overload("optional_of", []*Type{paramTypeV}, optionalTypeV,
+				UnaryBinding(func(value ref.Val) ref.Val {
+					return types.OptionalOf(value)
+				}))),
+		Function(optionalOfNonZeroValueFunc,
+			Overload("optional_ofNonZeroValue", []*Type{paramTypeV}, optionalTypeV,
+				UnaryBinding(func(value ref.Val) ref.Val {
+					v, isZeroer := value.(traits.Zeroer)
+					if !isZeroer || !v.IsZeroValue() {
+						return types.OptionalOf(value)
+					}
+					return types.OptionalNone
+				}))),
+		Function(optionalNoneFunc,
+			Overload("optional_none", []*Type{}, optionalTypeV,
+				FunctionBinding(func(values ...ref.Val) ref.Val {
+					return types.OptionalNone
+				}))),
+		Function(valueFunc,
+			MemberOverload("optional_value", []*Type{optionalTypeV}, paramTypeV,
+				UnaryBinding(func(value ref.Val) ref.Val {
+					opt := value.(*types.Optional)
+					return opt.GetValue()
+				}))),
+		Function(hasValueFunc,
+			MemberOverload("optional_hasValue", []*Type{optionalTypeV}, BoolType,
+				UnaryBinding(func(value ref.Val) ref.Val {
+					opt := value.(*types.Optional)
+					return types.Bool(opt.HasValue())
+				}))),
+
+		// Implementation of 'or' and 'orValue' are special-cased to support short-circuiting in the
+		// evaluation chain.
+		Function("or",
+			MemberOverload("optional_or_optional", []*Type{optionalTypeV, optionalTypeV}, optionalTypeV)),
+		Function("orValue",
+			MemberOverload("optional_orValue_value", []*Type{optionalTypeV, paramTypeV}, paramTypeV)),
+
+		// OptSelect is handled specially by the type-checker, so the receiver's field type is used to determine the
+		// optput type.
+		Function(operators.OptSelect,
+			Overload("select_optional_field", []*Type{DynType, StringType}, optionalTypeV)),
+
+		// OptIndex is handled mostly like any other indexing operation on a list or map, so the type-checker can use
+		// these signatures to determine type-agreement without any special handling.
+		Function(operators.OptIndex,
+			Overload("list_optindex_optional_int", []*Type{listTypeV, IntType}, optionalTypeV),
+			Overload("optional_list_optindex_optional_int", []*Type{OptionalType(listTypeV), IntType}, optionalTypeV),
+			Overload("map_optindex_optional_value", []*Type{mapTypeKV, paramTypeK}, optionalTypeV),
+			Overload("optional_map_optindex_optional_value", []*Type{OptionalType(mapTypeKV), paramTypeK}, optionalTypeV)),
+
+		// Index overloads to accommodate using an optional value as the operand.
+		Function(operators.Index,
+			Overload("optional_list_index_int", []*Type{OptionalType(listTypeV), IntType}, optionalTypeV),
+			Overload("optional_map_index_optional_value", []*Type{OptionalType(mapTypeKV), paramTypeK}, optionalTypeV)),
+	}
+}
+
+func optMap(meh MacroExprHelper, target *exprpb.Expr, args []*exprpb.Expr) (*exprpb.Expr, *common.Error) {
+	varIdent := args[0]
+	varName := ""
+	switch varIdent.GetExprKind().(type) {
+	case *exprpb.Expr_IdentExpr:
+		varName = varIdent.GetIdentExpr().GetName()
+	default:
+		return nil, &common.Error{
+			Message:  "optMap() variable name must be a simple identifier",
+			Location: meh.OffsetLocation(varIdent.GetId()),
+		}
+	}
+	mapExpr := args[1]
+	return meh.GlobalCall(
+		operators.Conditional,
+		meh.ReceiverCall(hasValueFunc, target),
+		meh.GlobalCall(optionalOfFunc,
+			meh.Fold(
+				unusedIterVar,
+				meh.NewList(),
+				varName,
+				meh.ReceiverCall(valueFunc, target),
+				meh.LiteralBool(false),
+				meh.Ident(varName),
+				mapExpr,
+			),
+		),
+		meh.GlobalCall(optionalNoneFunc),
+	), nil
+}
+
+// ProgramOptions implements the Library interface method.
+func (optionalLibrary) ProgramOptions() []ProgramOption {
+	return []ProgramOption{
+		CustomDecorator(decorateOptionalOr),
+	}
+}
+
+func enableOptionalSyntax() EnvOption {
+	return func(e *Env) (*Env, error) {
+		e.prsrOpts = append(e.prsrOpts, parser.EnableOptionalSyntax(true))
+		return e, nil
+	}
+}
+
+func decorateOptionalOr(i interpreter.Interpretable) (interpreter.Interpretable, error) {
+	call, ok := i.(interpreter.InterpretableCall)
+	if !ok {
+		return i, nil
+	}
+	args := call.Args()
+	if len(args) != 2 {
+		return i, nil
+	}
+	switch call.Function() {
+	case "or":
+		if call.OverloadID() != "" && call.OverloadID() != "optional_or_optional" {
+			return i, nil
+		}
+		return &evalOptionalOr{
+			id:  call.ID(),
+			lhs: args[0],
+			rhs: args[1],
+		}, nil
+	case "orValue":
+		if call.OverloadID() != "" && call.OverloadID() != "optional_orValue_value" {
+			return i, nil
+		}
+		return &evalOptionalOrValue{
+			id:  call.ID(),
+			lhs: args[0],
+			rhs: args[1],
+		}, nil
+	default:
+		return i, nil
+	}
+}
+
+// evalOptionalOr selects between two optional values, either the first if it has a value, or
+// the second optional expression is evaluated and returned.
+type evalOptionalOr struct {
+	id  int64
+	lhs interpreter.Interpretable
+	rhs interpreter.Interpretable
+}
+
+// ID implements the Interpretable interface method.
+func (opt *evalOptionalOr) ID() int64 {
+	return opt.id
+}
+
+// Eval evaluates the left-hand side optional to determine whether it contains a value, else
+// proceeds with the right-hand side evaluation.
+func (opt *evalOptionalOr) Eval(ctx interpreter.Activation) ref.Val {
+	// short-circuit lhs.
+	optLHS := opt.lhs.Eval(ctx)
+	optVal, ok := optLHS.(*types.Optional)
+	if !ok {
+		return optLHS
+	}
+	if optVal.HasValue() {
+		return optVal
+	}
+	return opt.rhs.Eval(ctx)
+}
+
+// evalOptionalOrValue selects between an optional or a concrete value. If the optional has a value,
+// its value is returned, otherwise the alternative value expression is evaluated and returned.
+type evalOptionalOrValue struct {
+	id  int64
+	lhs interpreter.Interpretable
+	rhs interpreter.Interpretable
+}
+
+// ID implements the Interpretable interface method.
+func (opt *evalOptionalOrValue) ID() int64 {
+	return opt.id
+}
+
+// Eval evaluates the left-hand side optional to determine whether it contains a value, else
+// proceeds with the right-hand side evaluation.
+func (opt *evalOptionalOrValue) Eval(ctx interpreter.Activation) ref.Val {
+	// short-circuit lhs.
+	optLHS := opt.lhs.Eval(ctx)
+	optVal, ok := optLHS.(*types.Optional)
+	if !ok {
+		return optLHS
+	}
+	if optVal.HasValue() {
+		return optVal.GetValue()
+	}
+	return opt.rhs.Eval(ctx)
+}
+
 type timeUTCLibrary struct{}

 func (timeUTCLibrary) CompileOptions() []EnvOption {
--- a/vendor/github.com/google/cel-go/cel/macro.go
+++ b/vendor/github.com/google/cel-go/cel/macro.go
@ -17,6 +17,7 @@ package cel
 import (
 	"github.com/google/cel-go/common"
 	"github.com/google/cel-go/parser"
+
 	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
 )

@ -26,8 +27,11 @@ import (
 // a Macro should be created per arg-count or as a var arg macro.
 type Macro = parser.Macro

-// MacroExpander converts a call and its associated arguments into a new CEL abstract syntax tree, or an error
-// if the input arguments are not suitable for the expansion requirements for the macro in question.
+// MacroExpander converts a call and its associated arguments into a new CEL abstract syntax tree.
+//
+// If the MacroExpander determines within the implementation that an expansion is not needed it may return
+// a nil Expr value to indicate a non-match. However, if an expansion is to be performed, but the arguments
+// are not well-formed, the result of the expansion will be an error.
 //
 // The MacroExpander accepts as arguments a MacroExprHelper as well as the arguments used in the function call
 // and produces as output an Expr ast node.
@ -81,8 +85,10 @@ func ExistsOneMacroExpander(meh MacroExprHelper, target *exprpb.Expr, args []*ex
 // input to produce an output list.
 //
 // There are two call patterns supported by map:
-//   <iterRange>.map(<iterVar>, <transform>)
-//   <iterRange>.map(<iterVar>, <predicate>, <transform>)
+//
+//	<iterRange>.map(<iterVar>, <transform>)
+//	<iterRange>.map(<iterVar>, <predicate>, <transform>)
+//
 // In the second form only iterVar values which return true when provided to the predicate expression
 // are transformed.
 func MapMacroExpander(meh MacroExprHelper, target *exprpb.Expr, args []*exprpb.Expr) (*exprpb.Expr, *common.Error) {
--- a/vendor/github.com/google/cel-go/cel/options.go
+++ b/vendor/github.com/google/cel-go/cel/options.go
@ -29,6 +29,7 @@ import (
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/interpreter"
 	"github.com/google/cel-go/interpreter/functions"
+	"github.com/google/cel-go/parser"

 	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
 	descpb "google.golang.org/protobuf/types/descriptorpb"
@ -61,6 +62,10 @@ const (
 	// on a CEL timestamp operation. This fixes the scenario where the input time
 	// is not already in UTC.
 	featureDefaultUTCTimeZone
+
+	// Enable the use of optional types in the syntax, type-system, type-checking,
+	// and runtime.
+	featureOptionalTypes
 )

 // EnvOption is a functional interface for configuring the environment.
@ -163,19 +168,19 @@ func Container(name string) EnvOption {
 // Abbreviations can be useful when working with variables, functions, and especially types from
 // multiple namespaces:
 //
-//    // CEL object construction
-//    qual.pkg.version.ObjTypeName{
-//       field: alt.container.ver.FieldTypeName{value: ...}
-//    }
+//	// CEL object construction
+//	qual.pkg.version.ObjTypeName{
+//	   field: alt.container.ver.FieldTypeName{value: ...}
+//	}
 //
 // Only one the qualified names above may be used as the CEL container, so at least one of these
 // references must be a long qualified name within an otherwise short CEL program. Using the
 // following abbreviations, the program becomes much simpler:
 //
-//    // CEL Go option
-//    Abbrevs("qual.pkg.version.ObjTypeName", "alt.container.ver.FieldTypeName")
-//    // Simplified Object construction
-//    ObjTypeName{field: FieldTypeName{value: ...}}
+//	// CEL Go option
+//	Abbrevs("qual.pkg.version.ObjTypeName", "alt.container.ver.FieldTypeName")
+//	// Simplified Object construction
+//	ObjTypeName{field: FieldTypeName{value: ...}}
 //
 // There are a few rules for the qualified names and the simple abbreviations generated from them:
 // - Qualified names must be dot-delimited, e.g. `package.subpkg.name`.
@ -188,9 +193,12 @@ func Container(name string) EnvOption {
 // - Expanded abbreviations do not participate in namespace resolution.
 // - Abbreviation expansion is done instead of the container search for a matching identifier.
 // - Containers follow C++ namespace resolution rules with searches from the most qualified name
-//   to the least qualified name.
+//
+//	to the least qualified name.
+//
 // - Container references within the CEL program may be relative, and are resolved to fully
-//   qualified names at either type-check time or program plan time, whichever comes first.
+//
+//	qualified names at either type-check time or program plan time, whichever comes first.
 //
 // If there is ever a case where an identifier could be in both the container and as an
 // abbreviation, the abbreviation wins as this will ensure that the meaning of a program is
@ -216,7 +224,7 @@ func Abbrevs(qualifiedNames ...string) EnvOption {
 // environment by default.
 //
 // Note: This option must be specified after the CustomTypeProvider option when used together.
-func Types(addTypes ...interface{}) EnvOption {
+func Types(addTypes ...any) EnvOption {
 	return func(e *Env) (*Env, error) {
 		reg, isReg := e.provider.(ref.TypeRegistry)
 		if !isReg {
@ -253,7 +261,7 @@ func Types(addTypes ...interface{}) EnvOption {
 //
 // TypeDescs are hermetic to a single Env object, but may be copied to other Env values via
 // extension or by re-using the same EnvOption with another NewEnv() call.
-func TypeDescs(descs ...interface{}) EnvOption {
+func TypeDescs(descs ...any) EnvOption {
 	return func(e *Env) (*Env, error) {
 		reg, isReg := e.provider.(ref.TypeRegistry)
 		if !isReg {
@ -350,8 +358,8 @@ func Functions(funcs ...*functions.Overload) ProgramOption {
 // variables with the same name provided to the Eval() call. If Globals is used in a Library with
 // a Lib EnvOption, vars may shadow variables provided by previously added libraries.
 //
-// The vars value may either be an `interpreter.Activation` instance or a `map[string]interface{}`.
-func Globals(vars interface{}) ProgramOption {
+// The vars value may either be an `interpreter.Activation` instance or a `map[string]any`.
+func Globals(vars any) ProgramOption {
 	return func(p *prog) (*prog, error) {
 		defaultVars, err := interpreter.NewActivation(vars)
 		if err != nil {
@ -404,6 +412,9 @@ const (
 	// OptTrackCost enables the runtime cost calculation while validation and return cost within evalDetails
 	// cost calculation is available via func ActualCost()
 	OptTrackCost EvalOption = 1 << iota
+
+	// OptCheckStringFormat enables compile-time checking of string.format calls for syntax/cardinality.
+	OptCheckStringFormat EvalOption = 1 << iota
 )

 // EvalOptions sets one or more evaluation options which may affect the evaluation or Result.
@ -534,6 +545,13 @@ func DefaultUTCTimeZone(enabled bool) EnvOption {
 	return features(featureDefaultUTCTimeZone, enabled)
 }

+// OptionalTypes enable support for optional syntax and types in CEL. The optional value type makes
+// it possible to express whether variables have been provided, whether a result has been computed,
+// and in the future whether an object field path, map key value, or list index has a value.
+func OptionalTypes() EnvOption {
+	return Lib(optionalLibrary{})
+}
+
 // features sets the given feature flags.  See list of Feature constants above.
 func features(flag int, enabled bool) EnvOption {
 	return func(e *Env) (*Env, error) {
@ -541,3 +559,21 @@ func features(flag int, enabled bool) EnvOption {
 		return e, nil
 	}
 }
+
+// ParserRecursionLimit adjusts the AST depth the parser will tolerate.
+// Defaults defined in the parser package.
+func ParserRecursionLimit(limit int) EnvOption {
+	return func(e *Env) (*Env, error) {
+		e.prsrOpts = append(e.prsrOpts, parser.MaxRecursionDepth(limit))
+		return e, nil
+	}
+}
+
+// ParserExpressionSizeLimit adjusts the number of code points the expression parser is allowed to parse.
+// Defaults defined in the parser package.
+func ParserExpressionSizeLimit(limit int) EnvOption {
+	return func(e *Env) (*Env, error) {
+		e.prsrOpts = append(e.prsrOpts, parser.ExpressionSizeCodePointLimit(limit))
+		return e, nil
+	}
+}
--- a/vendor/github.com/google/cel-go/cel/program.go
+++ b/vendor/github.com/google/cel-go/cel/program.go
@ -17,21 +17,20 @@ package cel
 import (
 	"context"
 	"fmt"
-	"math"
 	"sync"

-	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
-
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/interpreter"
+
+	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
 )

 // Program is an evaluable view of an Ast.
 type Program interface {
 	// Eval returns the result of an evaluation of the Ast and environment against the input vars.
 	//
-	// The vars value may either be an `interpreter.Activation` or a `map[string]interface{}`.
+	// The vars value may either be an `interpreter.Activation` or a `map[string]any`.
 	//
 	// If the `OptTrackState`, `OptTrackCost` or `OptExhaustiveEval` flags are used, the `details` response will
 	// be non-nil. Given this caveat on `details`, the return state from evaluation will be:
@ -43,16 +42,16 @@ type Program interface {
 	// An unsuccessful evaluation is typically the result of a series of incompatible `EnvOption`
 	// or `ProgramOption` values used in the creation of the evaluation environment or executable
 	// program.
-	Eval(interface{}) (ref.Val, *EvalDetails, error)
+	Eval(any) (ref.Val, *EvalDetails, error)

 	// ContextEval evaluates the program with a set of input variables and a context object in order
 	// to support cancellation and timeouts. This method must be used in conjunction with the
 	// InterruptCheckFrequency() option for cancellation interrupts to be impact evaluation.
 	//
-	// The vars value may either be an `interpreter.Activation` or `map[string]interface{}`.
+	// The vars value may either be an `interpreter.Activation` or `map[string]any`.
 	//
 	// The output contract for `ContextEval` is otherwise identical to the `Eval` method.
-	ContextEval(context.Context, interface{}) (ref.Val, *EvalDetails, error)
+	ContextEval(context.Context, any) (ref.Val, *EvalDetails, error)
 }

 // NoVars returns an empty Activation.
@ -65,7 +64,7 @@ func NoVars() interpreter.Activation {
 //
 // The `vars` value may either be an interpreter.Activation or any valid input to the
 // interpreter.NewActivation call.
-func PartialVars(vars interface{},
+func PartialVars(vars any,
 	unknowns ...*interpreter.AttributePattern) (interpreter.PartialActivation, error) {
 	return interpreter.NewPartialActivation(vars, unknowns...)
 }
@ -207,6 +206,37 @@ func newProgram(e *Env, ast *Ast, opts []ProgramOption) (Program, error) {
 	if len(p.regexOptimizations) > 0 {
 		decorators = append(decorators, interpreter.CompileRegexConstants(p.regexOptimizations...))
 	}
+	// Enable compile-time checking of syntax/cardinality for string.format calls.
+	if p.evalOpts&OptCheckStringFormat == OptCheckStringFormat {
+		var isValidType func(id int64, validTypes ...*types.TypeValue) (bool, error)
+		if ast.IsChecked() {
+			isValidType = func(id int64, validTypes ...*types.TypeValue) (bool, error) {
+				t, err := ExprTypeToType(ast.typeMap[id])
+				if err != nil {
+					return false, err
+				}
+				if t.kind == DynKind {
+					return true, nil
+				}
+				for _, vt := range validTypes {
+					k, err := typeValueToKind(vt)
+					if err != nil {
+						return false, err
+					}
+					if k == t.kind {
+						return true, nil
+					}
+				}
+				return false, nil
+			}
+		} else {
+			// if the AST isn't type-checked, short-circuit validation
+			isValidType = func(id int64, validTypes ...*types.TypeValue) (bool, error) {
+				return true, nil
+			}
+		}
+		decorators = append(decorators, interpreter.InterpolateFormattedString(isValidType))
+	}

 	// Enable exhaustive eval, state tracking and cost tracking last since they require a factory.
 	if p.evalOpts&(OptExhaustiveEval|OptTrackState|OptTrackCost) != 0 {
@ -268,7 +298,7 @@ func (p *prog) initInterpretable(ast *Ast, decs []interpreter.InterpretableDecor
 }

 // Eval implements the Program interface method.
-func (p *prog) Eval(input interface{}) (v ref.Val, det *EvalDetails, err error) {
+func (p *prog) Eval(input any) (v ref.Val, det *EvalDetails, err error) {
 	// Configure error recovery for unexpected panics during evaluation. Note, the use of named
 	// return values makes it possible to modify the error response during the recovery
 	// function.
@ -287,11 +317,11 @@ func (p *prog) Eval(input interface{}) (v ref.Val, det *EvalDetails, err error)
 	switch v := input.(type) {
 	case interpreter.Activation:
 		vars = v
-	case map[string]interface{}:
+	case map[string]any:
 		vars = activationPool.Setup(v)
 		defer activationPool.Put(vars)
 	default:
-		return nil, nil, fmt.Errorf("invalid input, wanted Activation or map[string]interface{}, got: (%T)%v", input, input)
+		return nil, nil, fmt.Errorf("invalid input, wanted Activation or map[string]any, got: (%T)%v", input, input)
 	}
 	if p.defaultVars != nil {
 		vars = interpreter.NewHierarchicalActivation(p.defaultVars, vars)
@ -307,7 +337,7 @@ func (p *prog) Eval(input interface{}) (v ref.Val, det *EvalDetails, err error)
 }

 // ContextEval implements the Program interface.
-func (p *prog) ContextEval(ctx context.Context, input interface{}) (ref.Val, *EvalDetails, error) {
+func (p *prog) ContextEval(ctx context.Context, input any) (ref.Val, *EvalDetails, error) {
 	if ctx == nil {
 		return nil, nil, fmt.Errorf("context can not be nil")
 	}
@ -318,22 +348,17 @@ func (p *prog) ContextEval(ctx context.Context, input interface{}) (ref.Val, *Ev
 	case interpreter.Activation:
 		vars = ctxActivationPool.Setup(v, ctx.Done(), p.interruptCheckFrequency)
 		defer ctxActivationPool.Put(vars)
-	case map[string]interface{}:
+	case map[string]any:
 		rawVars := activationPool.Setup(v)
 		defer activationPool.Put(rawVars)
 		vars = ctxActivationPool.Setup(rawVars, ctx.Done(), p.interruptCheckFrequency)
 		defer ctxActivationPool.Put(vars)
 	default:
-		return nil, nil, fmt.Errorf("invalid input, wanted Activation or map[string]interface{}, got: (%T)%v", input, input)
+		return nil, nil, fmt.Errorf("invalid input, wanted Activation or map[string]any, got: (%T)%v", input, input)
 	}
 	return p.Eval(vars)
 }

-// Cost implements the Coster interface method.
-func (p *prog) Cost() (min, max int64) {
-	return estimateCost(p.interpretable)
-}
-
 // progFactory is a helper alias for marking a program creation factory function.
 type progFactory func(interpreter.EvalState, *interpreter.CostTracker) (Program, error)

@ -354,7 +379,7 @@ func newProgGen(factory progFactory) (Program, error) {
 }

 // Eval implements the Program interface method.
-func (gen *progGen) Eval(input interface{}) (ref.Val, *EvalDetails, error) {
+func (gen *progGen) Eval(input any) (ref.Val, *EvalDetails, error) {
 	// The factory based Eval() differs from the standard evaluation model in that it generates a
 	// new EvalState instance for each call to ensure that unique evaluations yield unique stateful
 	// results.
@ -379,7 +404,7 @@ func (gen *progGen) Eval(input interface{}) (ref.Val, *EvalDetails, error) {
 }

 // ContextEval implements the Program interface method.
-func (gen *progGen) ContextEval(ctx context.Context, input interface{}) (ref.Val, *EvalDetails, error) {
+func (gen *progGen) ContextEval(ctx context.Context, input any) (ref.Val, *EvalDetails, error) {
 	if ctx == nil {
 		return nil, nil, fmt.Errorf("context can not be nil")
 	}
@ -406,29 +431,6 @@ func (gen *progGen) ContextEval(ctx context.Context, input interface{}) (ref.Val
 	return v, det, nil
 }

-// Cost implements the Coster interface method.
-func (gen *progGen) Cost() (min, max int64) {
-	// Use an empty state value since no evaluation is performed.
-	p, err := gen.factory(emptyEvalState, nil)
-	if err != nil {
-		return 0, math.MaxInt64
-	}
-	return estimateCost(p)
-}
-
-// EstimateCost returns the heuristic cost interval for the program.
-func EstimateCost(p Program) (min, max int64) {
-	return estimateCost(p)
-}
-
-func estimateCost(i interface{}) (min, max int64) {
-	c, ok := i.(interpreter.Coster)
-	if !ok {
-		return 0, math.MaxInt64
-	}
-	return c.Cost()
-}
-
 type ctxEvalActivation struct {
 	parent                  interpreter.Activation
 	interrupt               <-chan struct{}
@ -438,7 +440,7 @@ type ctxEvalActivation struct {

 // ResolveName implements the Activation interface method, but adds a special #interrupted variable
 // which is capable of testing whether a 'done' signal is provided from a context.Context channel.
-func (a *ctxEvalActivation) ResolveName(name string) (interface{}, bool) {
+func (a *ctxEvalActivation) ResolveName(name string) (any, bool) {
 	if name == "#interrupted" {
 		a.interruptCheckCount++
 		if a.interruptCheckCount%a.interruptCheckFrequency == 0 {
@ -461,7 +463,7 @@ func (a *ctxEvalActivation) Parent() interpreter.Activation {
 func newCtxEvalActivationPool() *ctxEvalActivationPool {
 	return &ctxEvalActivationPool{
 		Pool: sync.Pool{
-			New: func() interface{} {
+			New: func() any {
 				return &ctxEvalActivation{}
 			},
 		},
@ -483,21 +485,21 @@ func (p *ctxEvalActivationPool) Setup(vars interpreter.Activation, done <-chan s
 }

 type evalActivation struct {
-	vars     map[string]interface{}
-	lazyVars map[string]interface{}
+	vars     map[string]any
+	lazyVars map[string]any
 }

 // ResolveName looks up the value of the input variable name, if found.
 //
 // Lazy bindings may be supplied within the map-based input in either of the following forms:
-// - func() interface{}
+// - func() any
 // - func() ref.Val
 //
 // The lazy binding will only be invoked once per evaluation.
 //
 // Values which are not represented as ref.Val types on input may be adapted to a ref.Val using
 // the ref.TypeAdapter configured in the environment.
-func (a *evalActivation) ResolveName(name string) (interface{}, bool) {
+func (a *evalActivation) ResolveName(name string) (any, bool) {
 	v, found := a.vars[name]
 	if !found {
 		return nil, false
@ -510,7 +512,7 @@ func (a *evalActivation) ResolveName(name string) (interface{}, bool) {
 		lazy := obj()
 		a.lazyVars[name] = lazy
 		return lazy, true
-	case func() interface{}:
+	case func() any:
 		if resolved, found := a.lazyVars[name]; found {
 			return resolved, true
 		}
@ -530,8 +532,8 @@ func (a *evalActivation) Parent() interpreter.Activation {
 func newEvalActivationPool() *evalActivationPool {
 	return &evalActivationPool{
 		Pool: sync.Pool{
-			New: func() interface{} {
-				return &evalActivation{lazyVars: make(map[string]interface{})}
+			New: func() any {
+				return &evalActivation{lazyVars: make(map[string]any)}
 			},
 		},
 	}
@ -542,13 +544,13 @@ type evalActivationPool struct {
 }

 // Setup initializes a pooled Activation object with the map input.
-func (p *evalActivationPool) Setup(vars map[string]interface{}) *evalActivation {
+func (p *evalActivationPool) Setup(vars map[string]any) *evalActivation {
 	a := p.Pool.Get().(*evalActivation)
 	a.vars = vars
 	return a
 }

-func (p *evalActivationPool) Put(value interface{}) {
+func (p *evalActivationPool) Put(value any) {
 	a := value.(*evalActivation)
 	for k := range a.lazyVars {
 		delete(a.lazyVars, k)
@ -559,7 +561,7 @@ func (p *evalActivationPool) Put(value interface{}) {
 var (
 	emptyEvalState = interpreter.NewEvalState()

-	// activationPool is an internally managed pool of Activation values that wrap map[string]interface{} inputs
+	// activationPool is an internally managed pool of Activation values that wrap map[string]any inputs
 	activationPool = newEvalActivationPool()

 	// ctxActivationPool is an internally managed pool of Activation values that expose a special #interrupted variable