@octo-sts octo-sts bot commented Nov 22, 2025

k3d/5.8.3-r18: fix GHSA-j5w8-q4qc-rx2x

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/k3d.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot commented Nov 22, 2025

🔢 Build Failed: Dependency Version Mismatch

go: module . listed in go.work file requires go >= 1.25.3, but go.work lists go 1.22.4; to update it: go work use

Build Details

| Category | Details |
| --- | --- |
| Build System | go |
| Failure Point | go/bump step during gobump execution with 'go get' command |

Root Cause Analysis 🔍

Version mismatch between the Go version required by the module (1.25.3) and the Go version specified in the go.work file (1.22.4). The build environment has Go 1.25.3 installed, but the workspace configuration file still references the older 1.22.4 version, causing a compatibility conflict during dependency updates.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: k3d.yaml

  • addition at line 26 (After the first go/bump step for docgen module)

Original:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
      modroot: docgen

  - uses: go/bump

Replacement:

  - uses: go/bump
    with:
      deps: |-
        golang.org/x/[email protected]
      modroot: docgen

  - runs: |
      go work use

  - uses: go/bump

Content:

Add a runs step to execute 'go work use' command

  • modification at line 29-36 (Second go/bump step parameters)

Original:

  - uses: go/bump
    with:
      deps: |-
        google.golang.org/[email protected]
        golang.org/x/[email protected]
        github.com/containerd/[email protected]
        golang.org/x/[email protected]
        github.com/docker/[email protected]
        golang.org/x/[email protected]
      skip-initial-tidy: false
      tidy: false

Replacement:

  - uses: go/bump
    with:
      deps: |-
        google.golang.org/[email protected]
        golang.org/x/[email protected]
        github.com/containerd/[email protected]
        golang.org/x/[email protected]
        github.com/docker/[email protected]
        golang.org/x/[email protected]
      work: true

Content:

Add work: true parameter to use workspace mode

  • modification at line 73-81 (First go/bump step in k3d-proxy subpackage)

Original:

      - uses: go/bump
        with:
          deps: |-
            github.com/go-jose/go-jose/[email protected]
            github.com/golang/[email protected]
            github.com/hashicorp/[email protected]
            golang.org/x/[email protected]
            golang.org/x/[email protected]
            google.golang.org/[email protected]
          modroot: /home/confd

Replacement:

      - uses: go/bump
        with:
          deps: |-
            github.com/go-jose/go-jose/[email protected]
            github.com/golang/[email protected]
            github.com/hashicorp/[email protected]
            golang.org/x/[email protected]
            golang.org/x/[email protected]
            google.golang.org/[email protected]
          modroot: /home/confd
          work: true

Content:

Add work: true parameter to confd go/bump step

Analysis

Looking at the three similar fixed build failures, I can identify a clear pattern: all were resolved by adding a "go work use" command to update the go.work file to reflect the correct Go version. In Fix Example #0, the issue was resolved by adding a go~1.24 package dependency and including a comment about keeping go/bump steps together. In Fix Example #1, the solution was to run "go work use" after the initial go/bump step and then use work: true parameter in subsequent go/bump commands. Fix Example #2 shows a simpler approach with skip-initial-tidy and tidy parameters. The common thread is that when Go modules require a newer version than what's specified in go.work, running "go work use" synchronizes the workspace configuration with the actual Go version available in the build environment.

Explanation

The fix addresses the root cause of the Go version mismatch by updating the go.work file to reflect the correct Go version (1.25.3) that's installed in the build environment. The "go work use" command automatically updates the go.work file to use the current Go version, resolving the conflict between the module's requirement (go >= 1.25.3) and the outdated version listed in go.work (1.22.4). Adding work: true to subsequent go/bump steps ensures they operate in workspace mode and respect the updated workspace configuration. This approach follows the exact pattern used in the similar fixes, particularly Fix Example #1 which shows the most comprehensive solution with multiple modules.

Alternative Approaches

  • Add skip-initial-tidy: true to the first go/bump step and remove the tidy: false parameter, similar to Fix Example #1
  • Add a Go version constraint package dependency like go~1.25 in the environment.contents.packages section, as shown in Fix Example #0
  • Use a single runs step at the beginning to execute 'go work use' before any go/bump operations

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Nov 22, 2025