diff --git a/head b/head
index 7ec399a92..ae043d2d9 100644
--- a/head
+++ b/head
@@ -1 +1 @@
-5da276fbc1c53eeeabaf31ee149b60f5d5f8b11e
+f7e812e92d60a3c8caca85732ea4ce1665a2313c
diff --git a/upstream/go.mod b/upstream/go.mod
index aeab238c4..90e3b335a 100644
--- a/upstream/go.mod
+++ b/upstream/go.mod
@@ -255,7 +255,7 @@ require (
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/thales-e-security/pool v0.0.2 // indirect
 github.com/theupdateframework/go-tuf v0.7.0 // indirect
- github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
+ github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 github.com/tjfoc/gmsm v1.4.1 // indirect
diff --git a/upstream/go.sum b/upstream/go.sum
index 230a02606..5baa1df11 100644
--- a/upstream/go.sum
+++ b/upstream/go.sum
@@ -1771,8 +1771,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs=
-github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
+github.com/theupdateframework/go-tuf/v2 v2.0.1 h1:11p9tXpq10KQEujxjcIjDSivMKCMLguls7erXHZnxJQ=
+github.com/theupdateframework/go-tuf/v2 v2.0.1/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e h1:BuzhfgfWQbX0dWzYzT1zsORLnHRv3bcRcsaUk0VmXA8=
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e/go.mod h1:/Tnicc6m/lsJE0irFMA0LfIwTBo4QP7A8IfyIv4zZKI=
 github.com/tidwall/gjson v1.12.1 h1:ikuZsLdhr8Ws0IdROXUS1Gi4v9Z4pGqpX/CvJkxvfpo=
diff --git a/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go b/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
index dc407ba82..3e0a9e1ab 100644
--- a/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
+++ b/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/metadata.go
@@ -562,28 +562,30 @@ func isTargetInPathPattern(targetpath string, pathpattern string) bool {
 
 // GetRolesForTarget return the names and terminating status of all
 // delegated roles who are responsible for targetFilepath
-func (role *Delegations) GetRolesForTarget(targetFilepath string) map[string]bool {
- res := map[string]bool{}
- // standard delegations
+// Note the result should be an ordered list, ref. https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j
+func (role *Delegations) GetRolesForTarget(targetFilepath string) []RoleResult {
+ var res []RoleResult
+ // Standard delegations
 if role.Roles != nil {
 for _, r := range role.Roles {
 ok, err := r.IsDelegatedPath(targetFilepath)
 if err == nil && ok {
- res[r.Name] = r.Terminating
+ res = append(res, RoleResult{Name: r.Name, Terminating: r.Terminating})
 }
 }
 } else if role.SuccinctRoles != nil {
 // SuccinctRoles delegations
 res = role.SuccinctRoles.GetRolesForTarget(targetFilepath)
 }
+ // We preserve the same order as the actual roles list
 return res
 }
 
 // GetRolesForTarget calculate the name of the delegated role responsible for "targetFilepath".
 // The target at path "targetFilepath" is assigned to a bin by casting
 // the left-most "BitLength" of bits of the file path hash digest to
- // int, using it as bin index between 0 and “2**BitLength - 1“.
-func (role *SuccinctRoles) GetRolesForTarget(targetFilepath string) map[string]bool {
+ // int, using it as bin index between 0 and “2**BitLength-1”.
+func (role *SuccinctRoles) GetRolesForTarget(targetFilepath string) []RoleResult {
 // calculate the suffixLen value based on the total number of bins in
 // hex. If bit_length = 10 then numberOfBins = 1024 or bin names will
 // have a suffix between "000" and "3ff" in hex and suffixLen will be 3
@@ -604,8 +606,8 @@ func (role *SuccinctRoles) GetRolesForTarget(targetFilepath string) map[string]b
 // add zero padding if necessary and cast to hex the suffix
 suffix := fmt.Sprintf("%0*x", suffixLen, binNumber)
 // we consider all succinct_roles as terminating.
- // for more information read TAP 15.
- return map[string]bool{fmt.Sprintf("%s-%s", role.NamePrefix, suffix): true}
+ // for more information, read TAP 15.
+ return []RoleResult{{Name: fmt.Sprintf("%s-%s", role.NamePrefix, suffix), Terminating: true}}
 }
 
 // GetRoles returns the names of all different delegated roles
diff --git a/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/types.go b/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/types.go
index f0b319dc1..0bd86ee8f 100644
--- a/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/types.go
+++ b/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/types.go
@@ -171,3 +171,9 @@ type SuccinctRoles struct {
 NamePrefix string `json:"name_prefix"`
 UnrecognizedFields map[string]any `json:"-"`
 }
+
+// RoleResult represents the name and terminating status of a delegated role that is responsible for targetFilepath
+type RoleResult struct {
+ Name string
+ Terminating bool
+}
diff --git a/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/updater/updater.go b/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/updater/updater.go
index 8433cefbe..719436501 100644
--- a/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/updater/updater.go
+++ b/upstream/vendor/github.com/theupdateframework/go-tuf/v2/metadata/updater/updater.go
@@ -550,14 +550,14 @@ func (update *Updater) preOrderDepthFirstWalk(targetFilePath string) (*metadata.
 // after pre-order check, add current role to set of visited roles
 visitedRoleNames[delegation.Role] = true
 if targets.Signed.Delegations != nil {
- childRolesToVisit := []roleParentTuple{}
+ var childRolesToVisit []roleParentTuple
 // note that this may be a slow operation if there are many
 // delegated roles
 roles := targets.Signed.Delegations.GetRolesForTarget(targetFilePath)
- for child, terminating := range roles {
- log.Info("Adding child role", "role", child)
- childRolesToVisit = append(childRolesToVisit, roleParentTuple{Role: child, Parent: delegation.Role})
- if terminating {
+ for _, rolesForTarget := range roles {
+ log.Info("Adding child role", "role", rolesForTarget.Name)
+ childRolesToVisit = append(childRolesToVisit, roleParentTuple{Role: rolesForTarget.Name, Parent: delegation.Role})
+ if rolesForTarget.Terminating {
 log.Info("Not backtracking to other roles")
 delegationsToVisit = []roleParentTuple{}
 break
diff --git a/upstream/vendor/modules.txt b/upstream/vendor/modules.txt
index 2a30fb382..9c5657afd 100644
--- a/upstream/vendor/modules.txt
+++ b/upstream/vendor/modules.txt
@@ -1394,7 +1394,7 @@ github.com/theupdateframework/go-tuf/pkg/targets
 github.com/theupdateframework/go-tuf/sign
 github.com/theupdateframework/go-tuf/util
 github.com/theupdateframework/go-tuf/verify
-# github.com/theupdateframework/go-tuf/v2 v2.0.0
+# github.com/theupdateframework/go-tuf/v2 v2.0.1
 ## explicit; go 1.21
 github.com/theupdateframework/go-tuf/v2/metadata
 github.com/theupdateframework/go-tuf/v2/metadata/config