Bump the go_modules group across 12 directories with 7 updates #24

dependabot · 2025-11-05T16:52:50Z

Bumps the go_modules group with 5 updates in the /libs/site-packages/vault-main directory:

Package	From	To
github.com/docker/docker	`27.2.1+incompatible`	`28.0.0+incompatible`
github.com/go-viper/mapstructure/v2	`2.1.0`	`2.4.0`
github.com/cloudflare/circl	`1.6.0`	`1.6.1`
github.com/opencontainers/runc	`1.2.3`	`1.2.8`
github.com/snowflakedb/gosnowflake	`1.13.0`	`1.13.3`

Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/vault/hcp_link/proto directory: golang.org/x/net.
Bumps the go_modules group with 3 updates in the /libs/site-packages/vault-main/sdk directory: github.com/docker/docker, golang.org/x/net and golang.org/x/oauth2.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/userpass directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/ldap directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/kubernetes directory: golang.org/x/net.
Bumps the go_modules group with 2 updates in the /libs/site-packages/vault-main/api/auth/gcp directory: golang.org/x/net and golang.org/x/oauth2.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/cert directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/azure directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/aws directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/approle directory: golang.org/x/net.

Updates github.com/docker/docker from 27.2.1+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

docker/cli, 28.0.0 milestone

moby/moby, 28.0.0 milestone

Deprecated and removed features, see Deprecated Features.

Changes to the Engine API, see API version history.

New

Add ability to mount an image inside a container via --mount type=image. moby/moby#48798

You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755

docker images --tree now shows metadata badges. docker/cli#5744

docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331

Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145

docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720

Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132

Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.

The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.

DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290

When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.

Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808

Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.

IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.

The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406

Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664

Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155

When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.

The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.

This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….

Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …

If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

dockerd now requires ipset support in the Linux kernel. moby/moby#48596

The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815

If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:

iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER

If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.

Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325

Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits

af898ab Merge pull request #49495 from vvoland/update-buildkit
d67f035 vendor: github.com/moby/buildkit v0.20.0
00ab386 Merge pull request #49491 from vvoland/update-buildkit
1fde8c4 builder-next: fix cdi manager
cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
b2b5590 Dockerfile: fix linting warnings
62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
a3628f3 docs/api: add documentation for API v1.48
Additional commits viewable in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.1.0 to 2.4.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.4.0

What's Changed

refactor: replace interface{} with any by @sagikazarmark in go-viper/mapstructure#115

build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by @dependabot[bot] in go-viper/mapstructure#114

Generic tests by @sagikazarmark in go-viper/mapstructure#118

Fix godoc reference link in README.md by @peczenyj in go-viper/mapstructure#107

feat: add StringToTimeLocationHookFunc to convert strings to *time.Location by @ErfanMomeniii in go-viper/mapstructure#117

feat: add back previous StringToSlice as a weak function by @sagikazarmark in go-viper/mapstructure#119

New Contributors

@ErfanMomeniii made their first contribution in go-viper/mapstructure#117

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0

v2.3.0

What's Changed

build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in go-viper/mapstructure#46

build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @dependabot in go-viper/mapstructure#47

[enhancement] Add check for reflect.Value in ComposeDecodeHookFunc by @mahadzaryab1 in go-viper/mapstructure#52

build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @dependabot in go-viper/mapstructure#51

build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by @dependabot in go-viper/mapstructure#50

build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot in go-viper/mapstructure#55

build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @dependabot in go-viper/mapstructure#58

ci: add Go 1.24 to the test matrix by @sagikazarmark in go-viper/mapstructure#74

build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by @dependabot in go-viper/mapstructure#72

build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @dependabot in go-viper/mapstructure#76

build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @dependabot in go-viper/mapstructure#78

feat: add decode hook for netip.Prefix by @tklauser in go-viper/mapstructure#85

Updates by @sagikazarmark in go-viper/mapstructure#86

build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by @dependabot in go-viper/mapstructure#87

build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @dependabot in go-viper/mapstructure#93

build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by @dependabot in go-viper/mapstructure#92

build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by @dependabot in go-viper/mapstructure#97

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot in go-viper/mapstructure#96

Update README.md by @peczenyj in go-viper/mapstructure#90

Add omitzero tag. by @Crystalix007 in go-viper/mapstructure#98

Use error structs instead of duplicated strings by @m1k1o in go-viper/mapstructure#102

build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @dependabot in go-viper/mapstructure#101

feat: add common error interface by @sagikazarmark in go-viper/mapstructure#105

update linter by @sagikazarmark in go-viper/mapstructure#106

Feature allow unset pointer by @rostislaved in go-viper/mapstructure#80

New Contributors

@tklauser made their first contribution in go-viper/mapstructure#85

@peczenyj made their first contribution in go-viper/mapstructure#90

@Crystalix007 made their first contribution in go-viper/mapstructure#98

@rostislaved made their first contribution in go-viper/mapstructure#80

Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0

... (truncated)

Commits

b9794a5 Merge pull request #119 from go-viper/string-to-weak-slice
17cdcb0 feat: add back previous StringToSlice as a weak function
3caca36 Merge pull request #117 from ErfanMomeniii/main
9a861bc Merge pull request #107 from peczenyj/patch-2
86ed5b5 refactor: update
ace5b4e chore: add interface any linter
1a4f1ae Merge pull request #118 from go-viper/generic-tests
a268909 fix: lint
17f1fd4 test: add more comments
b48c856 test: expand tests
Additional commits viewable in compare view

Updates github.com/cloudflare/circl from 1.6.0 to 1.6.1

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.1

Fixes some point checks on the FourQ curve.

Hybrid KEM fails on low-order points.

What's Changed

kem/hybrid: ensure X25519 hybrids fails with low order points by @Lekensteyn in cloudflare/circl#541

.github: Use native ARM64 builders instead of QEMU by @Lekensteyn in cloudflare/circl#542

Fixes several errors on twisted Edwards curves. by @armfazh in cloudflare/circl#545

Release v1.6.1 by @armfazh in cloudflare/circl#546

Full Changelog: cloudflare/circl@v1.6.0...v1.6.1

Commits

c6d33e3 Release v1.6.1
0c3868e curve4q: Shared must fail with low order points.
9fd570d curve4q: Test showing DH does not fails on identity point.
c988ceb fourq: Correctly unmarshalling point.
ef2611d fourq: Test showing point unmarshal fails.
05eba44 fourq: Handle the case of Z=0 for IsOnCurve and IsEqual.
eef0878 fourq: Test showing isEqual and IsOnCurve fail.
2298474 goldilocks; Handling points with z=0.
5a940a1 goldilocks: Test for IsEqual must fail with Z=0
48c3b6a ed25519: Fix isEqual to handle points with Z=0.
Additional commits viewable in compare view

Updates github.com/opencontainers/runc from 1.2.3 to 1.2.8

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Security

CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

libseccomp

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.8] - 2025-11-05

鳥籠の中に囚われた屈辱を

Security

This release includes fixes for the following high-severity security issues:

CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

[1.2.7] - 2025-09-05

さんをつけろよデコ助野郎！

Fixed

Removed preemptive "full access to cgroups" warning when calling runc pause or runc unpause as an unprivileged user without --systemd-cgroups. Now the warning is only emitted if an actual permission error was encountered. (#4709, #4720)

Add time namespace to container config after checkpoint/restore. CRIU since version 3.14 uses a time namespace for checkpoint/restore, however it was not joining the time namespace in runc. (#4696, #4714)

Container processes will no longer inherit the CPU affinity of runc by default. Instead, the default CPU affinity of container processes will be the largest set of CPUs permitted by the container's cpuset cgroup and any other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)

... (truncated)

Commits

eeb7e60 VERSION: release v1.2.8
cdee962 merge private security patches into ghsa-release-1.2.8
b4cb2f5 rootfs: re-allow dangling symlinks in mount targets
ee56b85 openat2: improve resilience on busy systems
2462b68 Merge pull request #4943 from lifubang/backport-1.2-4934-4937
99e41a5 ci: only run lint-extra job on PRs to main
f2a1c98 CI: remove deprecated lima-vm/lima-actions/ssh
8f90185 selinux: use safe procfs API for labels
948d6e9 rootfs: switch to fd-based handling of mountpoint targets
7aa42ad libct: align param type for mountCgroupV1/V2 functions
Additional commits viewable in compare view

Updates github.com/snowflakedb/gosnowflake from 1.13.0 to 1.13.3

Release notes

Sourced from github.com/snowflakedb/gosnowflake's releases.

Release

Please check Snowflake Go Snowflake for release notes.

Release

Please check Snowflake Go Snowflake for release notes.

Release

Please check Snowflake Go Snowflake for release notes.

Commits

3d3e3b0 PATCH: Bumped up GoLang connector PATCH version from 1.13.2 to 1.13.3 (#1383)
ba94a48 SNOW-1155452 Fix race condition on perm checking for easy logging (#1382)
14db80d SNOW-18254476 Readd PrPr for PAT and OAuth (#1381)
96413d8 SNOW-1825500: Add OAuth Authorization Code, Client Credentials & Refresh Toke...
bee8f03 SNOW-2042000 Treat all non-Windows systems the same (#1372)
750a0f3 SNOW-2034185: Remove reencryption when retry PUT upload (#1364)
c195281 SNOW-2026797 Adding PAT tests (#1374)
ae006c1 SNOW-2040000 change default tag to bptp-stable (#1366)
fb3995b SNOW-1825476 Remove PAT with password instead of token (#1357)
912819c NO-SNOW Hide logger enabled flag behind mutex (#1358)
Additional commits viewable in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
See full diff in compare view

Updates github.com/docker/docker from 27.2.1+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

docker/cli, 28.0.0 milestone

moby/moby, 28.0.0 milestone

Deprecated and removed features, see Deprecated Features.

Changes to the Engine API, see API version history.

New

Add ability to mount an image inside a container via --mount type=image. moby/moby#48798

You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755

docker images --tree now shows metadata badges. docker/cli#5744

docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331

Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145

docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720

Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132

Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.

The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.

DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290

When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.

Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808

Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.

IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.

The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406

Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664

Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155

When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.

The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.

This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….

Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …

If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

dockerd now requires ipset support in the Linux kernel. moby/moby#48596

The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815

If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:

iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER

If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.

Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325

Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits

af898ab Merge pull request #49495 from vvoland/update-buildkit
d67f035 vendor: github.com/moby/buildkit v0.20.0
00ab386 Merge pull request #49491 from vvoland/update-buildkit
1fde8c4 builder-next: fix cdi manager
cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
b2b5590 Dockerfile: fix linting warnings
62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
a3628f3 docs/api: add documentation for API v1.48
Additional commits viewable in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
See full diff in compare view

Updates golang.org/x/oauth2 from 0.24.0 to 0.27.0

Commits

681b4d8 jws: split token into fixed number of parts
3f78298 all: upgrade go directive to at least 1.23.0 [generated]
109dabf endpoints: add links/provider for Discord
ac571fa oauth2: fix docs for Config.DeviceAuth
314ee5b endpoints: add patreon endpoint
b9c813b google: add warning about externally-provided credentials
49a531d all: make method and struct comments match the names
See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits

e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
1f1fa29 publicsuffix: regenerate table
1215081 http2: improve error when server sends HTTP/1
312450e html: ensure <search> tag closes and update tests
09731f9 http2: improve handling of lost PING in Server
55989e2 http2/h2c: use ResponseController for hijacking connections
2914f46 websocket: re-recommend gorilla/websocket
See full diff in compare view

Updates golang.org/x/oauth2 from 0.19.0 to 0.27.0

Commits

681b4d8 jws: split token into fixed number of parts

Bumps the go_modules group with 5 updates in the /libs/site-packages/vault-main directory: | Package | From | To | | --- | --- | --- | | [github.com/docker/docker](https://github.com/docker/docker) | `27.2.1+incompatible` | `28.0.0+incompatible` | | [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `2.1.0` | `2.4.0` | | [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `1.6.0` | `1.6.1` | | [github.com/opencontainers/runc](https://github.com/opencontainers/runc) | `1.2.3` | `1.2.8` | | [github.com/snowflakedb/gosnowflake](https://github.com/snowflakedb/gosnowflake) | `1.13.0` | `1.13.3` | Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/vault/hcp_link/proto directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 3 updates in the /libs/site-packages/vault-main/sdk directory: [github.com/docker/docker](https://github.com/docker/docker), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/oauth2](https://github.com/golang/oauth2). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/userpass directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/ldap directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/kubernetes directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 2 updates in the /libs/site-packages/vault-main/api/auth/gcp directory: [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/oauth2](https://github.com/golang/oauth2). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/cert directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/azure directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/aws directory: [golang.org/x/net](https://github.com/golang/net). Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/approle directory: [golang.org/x/net](https://github.com/golang/net). Updates `github.com/docker/docker` from 27.2.1+incompatible to 28.0.0+incompatible - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v27.2.1...v28.0.0) Updates `github.com/go-viper/mapstructure/v2` from 2.1.0 to 2.4.0 - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](go-viper/mapstructure@v2.1.0...v2.4.0) Updates `github.com/cloudflare/circl` from 1.6.0 to 1.6.1 - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](cloudflare/circl@v1.6.0...v1.6.1) Updates `github.com/opencontainers/runc` from 1.2.3 to 1.2.8 - [Release notes](https://github.com/opencontainers/runc/releases) - [Changelog](https://github.com/opencontainers/runc/blob/v1.2.8/CHANGELOG.md) - [Commits](opencontainers/runc@v1.2.3...v1.2.8) Updates `github.com/snowflakedb/gosnowflake` from 1.13.0 to 1.13.3 - [Release notes](https://github.com/snowflakedb/gosnowflake/releases) - [Changelog](https://github.com/snowflakedb/gosnowflake/blob/master/CHANGELOG.md) - [Commits](snowflakedb/gosnowflake@v1.13.0...v1.13.3) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `github.com/docker/docker` from 27.2.1+incompatible to 28.0.0+incompatible - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v27.2.1...v28.0.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/oauth2` from 0.24.0 to 0.27.0 - [Commits](golang/oauth2@v0.24.0...v0.27.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/oauth2` from 0.19.0 to 0.27.0 - [Commits](golang/oauth2@v0.24.0...v0.27.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](golang/net@v0.37.0...v0.38.0) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-version: 28.0.0+incompatible dependency-type: direct:production dependency-group: go_modules - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.4.0 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/cloudflare/circl dependency-version: 1.6.1 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/opencontainers/runc dependency-version: 1.2.8 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/snowflakedb/gosnowflake dependency-version: 1.13.3 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/docker/docker dependency-version: 28.0.0+incompatible dependency-type: direct:production dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: direct:production dependency-group: go_modules - dependency-name: golang.org/x/oauth2 dependency-version: 0.27.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: direct:production dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/oauth2 dependency-version: 0.27.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2025-11-05T16:54:54Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability
	golang.org/x/oauth2@v0.17.0 ⏵ v0.32.0	⁺¹	⁺²⁰
	github.com/Azure/azure-sdk-for-go/sdk/azcore@v1.17.0
	github.com/docker/docker@v27.2.1+incompatible ⏵ v28.0.0+incompatible	⁺¹	⁺²
	github.com/joyent/triton-go@v1.7.1-0.20200416154420-6801d15b779f
	github.com/Azure/go-autorest/autorest@v0.11.29
	go.mongodb.org/atlas@v0.37.0
	github.com/hashicorp/consul-template@v0.39.1
	github.com/Azure/azure-storage-blob-go@v0.15.0
	github.com/google/go-github@v17.0.0+incompatible
	github.com/hashicorp/vault/sdk@v0.15.2
	golang.org/x/crypto@v0.36.0 ⏵ v0.43.0	⁺¹
	k8s.io/apimachinery@v0.32.1
	go.opentelemetry.io/otel@v1.31.0 ⏵ v1.35.0	⁺¹
	golang.org/x/net@v0.37.0 ⏵ v0.46.0	⁺¹	⁺³
	golang.org/x/tools@v0.29.0 ⏵ v0.37.0	⁺¹
	google.golang.org/grpc@v1.63.2 ⏵ v1.70.0	⁺¹
	github.com/aliyun/alibaba-cloud-sdk-go@v1.63.84
	github.com/okta/okta-sdk-golang/v5@v5.0.2
	github.com/oracle/oci-go-sdk@v24.3.0+incompatible
	go.mongodb.org/mongo-driver@v1.17.3
	github.com/hashicorp/hcp-sdk-go@v0.138.0
	github.com/michaelklishin/rabbit-hole/v2@v2.12.0
	github.com/aws/aws-sdk-go@v1.51.8 ⏵ v1.55.6	⁺¹
	cloud.google.com/go/spanner@v1.63.0 ⏵ v1.73.0	^-2
	golang.org/x/text@v0.23.0 ⏵ v0.30.0	⁺¹
	google.golang.org/api@v0.214.0 ⏵ v0.221.0	⁺¹
	github.com/gocql/gocql@v1.0.0
	github.com/go-git/go-git/v5@v5.14.0
	cloud.google.com/go/storage@v1.43.0
	golang.org/x/sys@v0.31.0 ⏵ v0.37.0
	github.com/hashicorp/hcl/v2@v2.16.2
See 115 more rows in the dashboard

View full report

socket-security · 2025-11-05T16:54:56Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Critical CVE: Authorization Bypass Through User-Controlled Key in go-restful in golang `github.com/emicklei/go-restful` CVE: GHSA-r48q-9g5r-8q2h Authorization Bypass Through User-Controlled Key in go-restful (CRITICAL) Affected versions: < 2.16.0 Patched version: 2.16.0 From: `?` → `golang/github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore golang/github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

sonarqubecloud · 2025-11-05T17:00:07Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Nov 5, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the go_modules group across 12 directories with 7 updates #24

Bump the go_modules group across 12 directories with 7 updates #24

Uh oh!

dependabot bot commented on behalf of github Nov 5, 2025

Uh oh!

socket-security bot commented Nov 5, 2025

Uh oh!

socket-security bot commented Nov 5, 2025

Uh oh!

sonarqubecloud bot commented Nov 5, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Bump the go_modules group across 12 directories with 7 updates #24

Are you sure you want to change the base?

Bump the go_modules group across 12 directories with 7 updates #24

Uh oh!

Conversation

dependabot bot commented on behalf of github Nov 5, 2025

v28.0.0

28.0.0

New

Networking

Port publishing in bridge networks

v2.4.0

What's Changed

New Contributors

v2.3.0

What's Changed

New Contributors

CIRCL v1.6.1

What's Changed

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

Security

Static Linking Notices

[1.2.8] - 2025-11-05

Security

[1.2.7] - 2025-09-05

Fixed

Release

Release

Release

v28.0.0

28.0.0

New

Networking

Port publishing in bridge networks

Uh oh!

socket-security bot commented Nov 5, 2025

Uh oh!

socket-security bot commented Nov 5, 2025

Uh oh!

sonarqubecloud bot commented Nov 5, 2025

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant