Skip to content

build(deps): bump the go_modules group across 1 directory with 3 updates#17760

Merged
BrianCLong merged 1 commit intomainfrom
dependabot/go_modules/orchestration/runtime/go_modules-0387e5f129
Feb 3, 2026
Merged

build(deps): bump the go_modules group across 1 directory with 3 updates#17760
BrianCLong merged 1 commit intomainfrom
dependabot/go_modules/orchestration/runtime/go_modules-0387e5f129

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 3, 2026

Bumps the go_modules group with 3 updates in the /orchestration/runtime directory: github.com/docker/docker, github.com/go-viper/mapstructure/v2 and github.com/opencontainers/runc.

Updates github.com/docker/docker from 27.1.1+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
    • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
  • docker images --tree now shows metadata badges. docker/cli#5744
  • docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
  • Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
  • docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
  • Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

  • The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
    • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
    • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
  • DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
    • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
  • Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
    • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
    • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
  • The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
  • Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
  • Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
    • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
    • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
    • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
    • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

  • dockerd now requires ipset support in the Linux kernel. moby/moby#48596
    • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
    • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
      • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
  • Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
  • Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits
  • af898ab Merge pull request #49495 from vvoland/update-buildkit
  • d67f035 vendor: github.com/moby/buildkit v0.20.0
  • 00ab386 Merge pull request #49491 from vvoland/update-buildkit
  • 1fde8c4 builder-next: fix cdi manager
  • cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
  • 89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
  • b2b5590 Dockerfile: fix linting warnings
  • 62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
  • 670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
  • a3628f3 docs/api: add documentation for API v1.48
  • Additional commits viewable in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.1.0 to 2.4.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.4.0

What's Changed

New Contributors

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0

v2.3.0

What's Changed

New Contributors

Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0

... (truncated)

Commits

Updates github.com/opencontainers/runc from 1.2.3 to 1.2.8

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Security

  • CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

  • CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

  • CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.8] - 2025-11-05

鳥籠の中に囚われた屈辱を

Security

This release includes fixes for the following high-severity security issues:

  • CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

  • CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

  • CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

[1.4.0-rc.2] - 2025-10-10

私の役目は信じるかどうかではない。行うかどうかだ。

libcontainer API

  • The deprecated libcontainer/userns package has been removed; use github.com/moby/sys/userns instead. (#4910, #4911)

Added

  • Allow setting user.* sysctls for user-namespaced containers, as they are namespaced and thus safe to configure. (#4889, #4892)
  • Add support for using clone3(2)'s CLONE_INTO_CGROUP flag when configuring the runc exec process. This also included some internal changes to how we add processes to containers. (#4822, #4812, #4920)
  • Add support for configuring the NUMA pmemory policy for a container with set_mempolicy(2)opencontainers/runtime-spec#1282#4726, #4915)

... (truncated)

Commits
  • eeb7e60 VERSION: release v1.2.8
  • cdee962 merge private security patches into ghsa-release-1.2.8
  • b4cb2f5 rootfs: re-allow dangling symlinks in mount targets
  • ee56b85 openat2: improve resilience on busy systems
  • 2462b68 Merge pull request #4943 from lifubang/backport-1.2-4934-4937
  • 99e41a5 ci: only run lint-extra job on PRs to main
  • f2a1c98 CI: remove deprecated lima-vm/lima-actions/ssh
  • 8f90185 selinux: use safe procfs API for labels
  • 948d6e9 rootfs: switch to fd-based handling of mountpoint targets
  • 7aa42ad libct: align param type for mountCgroupV1/V2 functions
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the go_modules group across 1 directory with 3 updates
1761ff6 
Bumps the go_modules group with 3 updates in the /orchestration/runtime directory: [github.com/docker/docker](https://github.com/docker/docker), [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) and [github.com/opencontainers/runc](https://github.com/opencontainers/runc).


Updates `github.com/docker/docker` from 27.1.1+incompatible to 28.0.0+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v27.1.1...v28.0.0)

Updates `github.com/go-viper/mapstructure/v2` from 2.1.0 to 2.4.0
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](go-viper/mapstructure@v2.1.0...v2.4.0)

Updates `github.com/opencontainers/runc` from 1.2.3 to 1.2.8
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.2.3...v1.2.8)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.0.0+incompatible
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.4.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.2.8
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code major Major release (breaking changes) labels Feb 3, 2026
@coderabbitai
Copy link

coderabbitai bot commented Feb 3, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@BrianCLong BrianCLong enabled auto-merge (squash) February 3, 2026 16:47
@BrianCLong BrianCLong merged commit b960647 into main Feb 3, 2026
32 of 124 checks passed
@BrianCLong BrianCLong deleted the dependabot/go_modules/orchestration/runtime/go_modules-0387e5f129 branch February 3, 2026 18:14
@github-actions
Copy link
Contributor

github-actions bot commented Feb 4, 2026

Release Readiness Report

Status: ❌ NOT RELEASABLE
Commit: 19f38381897a20005e545ad811c3dd281354adc9
Message: Merge 1761ff6 into 5003dec
Timestamp: 2026-02-04T11:38:37Z
Workflow: Release Readiness Gate (#3631)

Checks Performed

Check Description Status
TypeCheck All TypeScript compiles without errors
Lint All ESLint and Ruff rules pass
Build All packages build successfully
Unit Tests All unit tests pass
CI Tests Full test suite with coverage
Workflow Lint All GitHub Actions workflows are valid
Filter Safety Required workflows trigger on critical changes

Guarantees

When this check is green, the following is guaranteed:

  • ✅ All code compiles without TypeScript errors
  • ✅ All linting rules are satisfied
  • ✅ All packages build successfully
  • ✅ All unit tests pass
  • ✅ All integration tests pass with adequate coverage
  • ✅ All CI workflows are valid and will not break
  • ✅ Required checks cannot be bypassed by path filters

Next Steps

This commit is NOT RELEASABLE. Action required:

  • Review failed checks in the workflow logs above
  • Fix all issues locally before pushing
  • Re-run the workflow after fixes

Red means not releasable. Fix before merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BrianCLong BrianCLong BrianCLong approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code major Major release (breaking changes)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BrianCLong