
Bump the go_modules group across 3 directories with 8 updates #9

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/code/manager/go_modules-9cbb878b74

Conversation

dependabot[bot] commented on behalf of github on Mar 12, 2026

Bumps the go_modules group with 2 updates in the /code/manager directory: github.com/docker/cli and github.com/opencontainers/runc.
Bumps the go_modules group with 4 updates in the /code/panel directory: filippo.io/edwards25519, golang.org/x/net, github.com/getkin/kin-openapi and github.com/go-chi/chi/v5.
Bumps the go_modules group with 1 update in the /code/scanner directory: github.com/getkin/kin-openapi.

Updates github.com/docker/cli from 20.10.17+incompatible to 29.2.0+incompatible

Commits
  • 0b9d198 Merge pull request #6764 from vvoland/update-docker
  • 9c9ec73 vendor: github.com/moby/moby/client v0.2.2
  • bab3e81 vendor: github.com/moby/moby/api v1.53.0
  • 2e64fc1 Merge pull request #6367 from thaJeztah/template_slicejoin
  • 1f2ba2a Merge pull request #6760 from thaJeztah/container_create_fix_error
  • e34a342 templates: make "join" work with non-string slices and map values
  • a86356d Merge pull request #6763 from thaJeztah/bump_mapstructure
  • 771660a vendor: github.com/go-viper/mapstructure/v2 v2.5.0
  • 9cff36b Merge pull request #6762 from thaJeztah/bump_x_deps
  • 08ed2bc cli/command/container: make injecting config.json failures a warning
  • Additional commits viewable in compare view

Updates github.com/opencontainers/runc from 1.1.12 to 1.2.8

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

Note: Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions that were discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Security

  • CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

  • CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

  • CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.8] - 2025-11-05

鳥籠の中に囚われた屈辱を

Security

This release includes fixes for the following high-severity security issues:

  • CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

  • CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

  • CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

[1.4.0-rc.2] - 2025-10-10

私の役目は信じるかどうかではない。行うかどうかだ。

libcontainer API

  • The deprecated libcontainer/userns package has been removed; use github.com/moby/sys/userns instead. (#4910, #4911)

Added

  • Allow setting user.* sysctls for user-namespaced containers, as they are namespaced and thus safe to configure. (#4889, #4892)
  • Add support for using clone3(2)'s CLONE_INTO_CGROUP flag when configuring the runc exec process. This also included some internal changes to how we add processes to containers. (#4822, #4812, #4920)
  • Add support for configuring the NUMA memory policy for a container with set_mempolicy(2). (opencontainers/runtime-spec#1282, #4726, #4915)

... (truncated)

Commits
  • eeb7e60 VERSION: release v1.2.8
  • cdee962 merge private security patches into ghsa-release-1.2.8
  • b4cb2f5 rootfs: re-allow dangling symlinks in mount targets
  • ee56b85 openat2: improve resilience on busy systems
  • 2462b68 Merge pull request #4943 from lifubang/backport-1.2-4934-4937
  • 99e41a5 ci: only run lint-extra job on PRs to main
  • f2a1c98 CI: remove deprecated lima-vm/lima-actions/ssh
  • 8f90185 selinux: use safe procfs API for labels
  • 948d6e9 rootfs: switch to fd-based handling of mountpoint targets
  • 7aa42ad libct: align param type for mountCgroupV1/V2 functions
  • Additional commits viewable in compare view

Updates github.com/sirupsen/logrus from 1.8.1 to 1.9.3

Release notes

Sourced from github.com/sirupsen/logrus's releases.

v1.9.3

Full Changelog: sirupsen/logrus@v1.9.2...v1.9.3

v1.9.2

Full Changelog: sirupsen/logrus@v1.9.1...v1.9.2

v1.9.1

Full Changelog: sirupsen/logrus@v1.9.0...v1.9.1

v1.9.0

Full Changelog: sirupsen/logrus@v1.8.1...v1.9.0

v1.8.3

... (truncated)

Changelog

Sourced from github.com/sirupsen/logrus's changelog.

1.9.3

Fixes:

  • Re-apply fix for potential denial of service in logrus.Writer() when logging >64KB single-line payloads without newlines (#1376)
  • Fix panic in Writer

1.9.2

Fixes:

  • Revert Writer DoS fix (#1376) due to regression

1.9.1

Fixes:

  • Fix potential denial of service in logrus.Writer() when logging >64KB single-line payloads without newlines (#1376)

1.9.0

Fixes:

  • Multiple concurrency and race condition fixes
  • Improve Windows terminal and ANSI handling

Code quality:

  • Internal cleanups and modernization

1.8.3

Fixes:

  • Fix potential denial of service in logrus.Writer() when logging >64KB single-line payloads without newlines (#1376)

1.8.2

Features:

  • Add support for the logger private buffer pool (#1253)

Fixes:

  • Fix race condition for SetFormatter and SetReportCaller
  • Fix data race in hooks test package

Commits
  • d40e25c fix panic in Writer
  • f9291a5 Revert "Revert "Merge pull request #1376 from ozfive/master""
  • 352781d Revert "Merge pull request #1376 from ozfive/master"
  • b30aa27 Merge pull request #1339 from xieyuschen/patch-1
  • 6acd903 Merge pull request #1376 from ozfive/master
  • 105e63f Merge pull request #1 from ashmckenzie/ashmckenzie/fix-writer-scanner
  • c052ba6 Scan text in 64KB chunks
  • e59b167 Merge pull request #1372 from tommyblue/syslog_different_loglevels
  • 766cfec This commit fixes a potential denial of service vulnerability in logrus.Write...
  • 70234da Add instructions to use different log levels for local and syslog
  • Additional commits viewable in compare view

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

Updates golang.org/x/net from 0.23.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • 99b3ae0 go.mod: update golang.org/x dependencies
  • 85d1d54 go.mod: update golang.org/x dependencies
  • Additional commits viewable in compare view

Updates github.com/getkin/kin-openapi from 0.123.0 to 0.131.0

Release notes

Sourced from github.com/getkin/kin-openapi's releases.

v0.131.0

Full Changelog: getkin/kin-openapi@v0.130.0...v0.131.0

v0.130.0

Full Changelog: getkin/kin-openapi@v0.129.0...v0.130.0

v0.129.0

... (truncated)

Commits
  • 67f0b23 openapi3filter: de-register ZipFileBodyDecoder and make a few decoders public...
  • 6da871e openapi3filter: apply default values of an array in a query param with explod...
  • a34baf0 openapi3: delete origin keys only when IncludeOrigin=true (#1055)
  • 2d3e67a use origin to minimize collisions (#1057)
  • e3d68dc Remove redundant ExcludeResponseBody check in ValidateResponse (#1056)
  • 050a930 openapi3gen: Fix issue with separate component generated for time.Time (#1052)
  • 72fb819 feat(openapi3gen): Customize json.RawMessage (#1050)
  • cea0a13 openapi2conv: convert references in nested additionalProperties schemas (#1047)
  • f476f7b openapi3filter: validation of x-www-form-urlencoded with arbitrary nested a...
  • 325cecc openapi3filter: simplify ValidateRequest implementation (#1041)
  • Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.0.12 to 5.2.2

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.2.2

What's Changed

Security fix

  • Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
    • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
    • reported by Anuraag Baishya, @anuraagbaishya. Thank you!

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

v5.2.1

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See go-chi/chi#963 for related discussion.

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

... (truncated)

Changelog

Sourced from github.com/go-chi/chi/v5's changelog.

Commits

Updates golang.org/x/crypto from 0.21.0 to 0.36.0

Commits
  • 49bf5b8 go.mod: update golang.org/x dependencies
  • 24852b6 ssh: add decode support for banners
  • bbc689c ssh: use a more straightforward return value
  • 7292932 ssh: limit the size of the internal packet queue while waiting for KEX
  • f66f74b acme/autocert: check host policy before probing the cache
  • b0784b7 x509roots/fallback: drop obsolete build constraint
  • 911360c all: bump golang.org/x/crypto dependencies of asm generators
  • 89ff08d all: upgrade go directive to at least 1.23.0 [generated]
  • e47973b all: update certs for go1.24
  • 9290511 go.mod: update golang.org/x dependencies
  • Additional commits viewable in compare view

Updates github.com/getkin/kin-openapi from 0.123.0 to 0.131.0 (the /code/scanner copy of the same update; its release notes and commit list are identical to those given above for /code/panel)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the go_modules group with 2 updates in the /code/manager directory: [github.com/docker/cli](https://github.com/docker/cli) and [github.com/opencontainers/runc](https://github.com/opencontainers/runc).
Bumps the go_modules group with 4 updates in the /code/panel directory: [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519), [golang.org/x/net](https://github.com/golang/net), [github.com/getkin/kin-openapi](https://github.com/getkin/kin-openapi) and [github.com/go-chi/chi/v5](https://github.com/go-chi/chi).
Bumps the go_modules group with 1 update in the /code/scanner directory: [github.com/getkin/kin-openapi](https://github.com/getkin/kin-openapi).


Updates `github.com/docker/cli` from 20.10.17+incompatible to 29.2.0+incompatible
- [Commits](docker/cli@v20.10.17...v29.2.0)

Updates `github.com/opencontainers/runc` from 1.1.12 to 1.2.8
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.1.12...v1.2.8)

Updates `github.com/sirupsen/logrus` from 1.8.1 to 1.9.3
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](sirupsen/logrus@v1.8.1...v1.9.3)

Updates `filippo.io/edwards25519` from 1.1.0 to 1.1.1
- [Commits](FiloSottile/edwards25519@v1.1.0...v1.1.1)

Updates `golang.org/x/net` from 0.23.0 to 0.38.0
- [Commits](golang/net@v0.23.0...v0.38.0)

Updates `github.com/getkin/kin-openapi` from 0.123.0 to 0.131.0
- [Release notes](https://github.com/getkin/kin-openapi/releases)
- [Commits](getkin/kin-openapi@v0.123.0...v0.131.0)

Updates `github.com/go-chi/chi/v5` from 5.0.12 to 5.2.2
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.0.12...v5.2.2)

Updates `golang.org/x/crypto` from 0.21.0 to 0.36.0
- [Commits](golang/crypto@v0.21.0...v0.36.0)

Updates `github.com/getkin/kin-openapi` from 0.123.0 to 0.131.0
- [Release notes](https://github.com/getkin/kin-openapi/releases)
- [Commits](getkin/kin-openapi@v0.123.0...v0.131.0)

---
updated-dependencies:
- dependency-name: github.com/docker/cli
  dependency-version: 29.2.0+incompatible
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.2.8
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/sirupsen/logrus
  dependency-version: 1.9.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: filippo.io/edwards25519
  dependency-version: 1.1.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/getkin/kin-openapi
  dependency-version: 0.131.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.2.2
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.36.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/getkin/kin-openapi
  dependency-version: 0.131.0
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) on Mar 12, 2026