Skip to content

Bump github.com/opencontainers/runc from 1.4.2 to 1.5.0#2784

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/opencontainers/runc-1.5.0
Open

Bump github.com/opencontainers/runc from 1.4.2 to 1.5.0#2784
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/opencontainers/runc-1.5.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps github.com/opencontainers/runc from 1.4.2 to 1.5.0.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.5.0 -- "Why do we even have that lever?!"

This is the somewhat-delayed^Wlong-awaited first stable release of the 1.5.z release branch of runc. It contains a handful of fixes for issues found in 1.5.0-rc.3 and an important dependency bump for libpathrs.

This is the third release of runc following our new release and support policy (see RELEASES.md for more details). This means that, as of this release:

  • The runc 1.2.z (and earlier) release branches are now completely unsupported.
  • The runc 1.3.z release branch will now only receive high severity CVE fixes, and will no longer be supported in less than 6 months (end of October 2026).
  • The runc 1.4.z release branch will now only recieve security and "significant" bugfixes.
  • Users are encouraged to plan migrating to runc 1.5.0 as soon as possible.
  • Despite this release being delayed by over a month, users should still expect a runc 1.6.0 release in late October 2026.

Added

  • runc version and runc features now provide version information about libpathrs (when runc is built with the libpathrs build tag). (#5291, #5328)

Fixed

  • Since runc 1.3.0, the org.opencontainers.runc.version annotation included in runc features contained an extraneous \n, possibly causing issues with tools that parse the output. It is now properly stripped. (#5329, #5330, #5331, #5335)

Changed

  • runc (when built with the libpathrs build tag) now depends on libpathrs v0.2.5 or later, and attempting to build with older versions will cause compilation errors. (#5291, #5328)
  • Switched to go-criu v8.3.0, which reduces our binary size from ~16MB to ~14MB. (#5312, #5326)

Static Linking Notices

The runc binaries distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.5.0] - 2026-06-19

Why do we even have that lever?!

Added

  • runc version and runc features now provide version information about libpathrs (when runc is built with the libpathrs build tag). (#5291, #5328)

Fixed

  • Since runc 1.3.0, the org.opencontainers.runc.version annotation included in runc features contained an extraneous \n, possibly causing issues with tools that parse the output. It is now properly stripped. (#5329, #5330, #5331, #5335)

Changed

  • runc (when built with the libpathrs build tag) now depends on libpathrs v0.2.5 or later, and attempting to build with older versions will cause compilation errors. (#5291, #5328)
  • Switched to go-criu v8.3.0, which reduces our binary size from ~16MB to ~14MB. (#5312, #5326)

[1.5.0-rc.3] - 2026-06-13

The best way to get a drink out of a Vogon is to stick your finger down his throat.

Security

This release includes a fix for the following low-severity security issue:

  • CVE-2026-41579 allowed a malicious image with a /dev symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in [CVE-2025-31133][], [CVE-2025-52565][], [CVE-2025-31133][] and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases.

libcontainer API

  • The cmsg helpers from github.com/opencontainers/runc/libcontainer/utils have been moved to an internal package. We have included wrapper functions but they will be removed in runc 1.6. (#5227, #5231)
  • Added //go:fix inline to ease migration for libcontainer/devices symbols that are deprecated and scheduled for removal in runc 1.6. (#5223, #5225)

Fixed

... (truncated)

Commits
  • c4bb595 VERSION: release v1.5.0
  • fabada3 Merge pull request #5335 from AkihiroSuda/cherrypick-5330-1.5
  • c8a2d9b features: propagate version from the root urfave/cli command
  • 8e155ff Merge pull request #5328 from cyphar/1.5-libpathrs-0.2.5-5921
  • 3c2913c runc: add libpathrs info to --version and features
  • aba980f deps: update to libpathrs v0.2.5
  • 778bd25 Merge pull request #5326 from kolyshkin/1.5-5312
  • cc3c5c1 deps: bump to go-criu v8.3.0
  • 750317a deps: bump go-criu to v8.2.0
  • 8ac0bc0 CHANGELOG: fix codespell
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 21, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 21, 2026 03:52
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 21, 2026
@dependabot
Bump github.com/opencontainers/runc from 1.4.2 to 1.5.0
0d2340d 
Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.4.2 to 1.5.0.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.4.2...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/opencontainers/runc-1.5.0 branch from b45cf1c to 0d2340d Compare June 26, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants