Skip to content

Update dependencies to recent versions#1463

Merged
istein1 merged 2 commits into
migtools:masterfrom
awels:update_dependencies
Jul 8, 2026
Merged

Update dependencies to recent versions#1463
istein1 merged 2 commits into
migtools:masterfrom
awels:update_dependencies

Conversation

@awels

@awels awels commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

A variety of libraries were updated to their recent versions. This includes many indirect libraries.

Summary by CodeRabbit

  • Chores
    • Bumped the Go toolchain to Go 1.25.0 and refreshed direct and indirect dependencies.
    • Upgraded key libraries for cloud services, logging, metrics, and tracing.
    • Updated resolution rules to use pinned/stable versions for selected components (including Kubernetes-related modules and specific upstream replacements) to improve stability and consistency.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6ef0a1bc-e57b-4a95-bb86-9ac68a127d33

📥 Commits

Reviewing files that changed from the base of the PR and between 957e45b and ebc920b.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

📝 Walkthrough

Walkthrough

Updates go.mod to Go 1.25.0, refreshes direct and indirect dependency versions, and adjusts replace directives for velero, goautoneg, container storage, Docker, and Kubernetes modules.

Changes

go.mod dependency refresh

Layer / File(s) Summary
Direct dependency version bumps
go.mod
Direct require entries updated, including the Go toolchain version and newer aws-sdk-go, logr, Prometheus, Google API, zap, and several k8s.io modules.
Indirect cloud/observability dependency updates
go.mod
Indirect require entries were refreshed across cloud, OpenTelemetry, Google/grpc/protobuf, and related ecosystem packages.
Container/runtime and registry dependency updates
go.mod
Replace directives now point velero and goautoneg to alternate sources and pin container, Docker, and Kubernetes-related module versions.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: a broad dependency refresh to newer versions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 104: The dependency github.com/go-jose/go-jose/v4 is pinned to an
affected version and should be updated to v4.1.4. Modify the go.mod entry for
github.com/go-jose/go-jose/v4 to use v4.1.4, and ensure any corresponding module
metadata or checksums are refreshed if needed so the build resolves the patched
release.
- Around line 175-177: Update the indirect Sigstore dependencies in go.mod so
the module graph uses patched releases: raise github.com/sigstore/fulcio to
v1.8.5 or newer and github.com/sigstore/rekor to v1.5.0 or newer. Keep
github.com/sigstore/protobuf-specs aligned as needed by the resolver, and verify
any go.sum/module graph changes by re-running the dependency tidy/update flow
after adjusting the go.mod entries.
- Line 90: The dependency bump in go.mod for github.com/docker/docker is unsafe
because v28.2.2+incompatible is within the affected CVE range. Update the
github.com/docker/docker requirement to a patched release at or above 29.5.1,
and keep the existing module entry consistent with the rest of the dependency
set.
- Around line 199-201: The OpenTelemetry dependencies are still pinned to
vulnerable versions, so update the module requirements in go.mod to at least
v1.40.0 for both go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk. Keep
the existing go.opentelemetry.io/otel/metric entry aligned with the upgraded
OpenTelemetry set, and make sure the dependency block reflects the new minimum
version consistently.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c48cbfb3-b5d8-4e05-918e-64425ca3e2eb

📥 Commits

Reviewing files that changed from the base of the PR and between 3ee5ec8 and 4b13326.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod Outdated
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker v27.0.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.1 // indirect
github.com/docker/docker v28.2.2+incompatible // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

github.com/docker/docker v28.2.2 advisories host-path redirection docker cp plugin privilege validation bypass PUT /containers/{id}/archive fixed release

💡 Result:

The vulnerability you referenced involves a race condition in the docker cp command (and related API endpoints PUT/HEAD /containers/{id}/archive), which is tracked as CVE-2026-42306 [1][2]. This vulnerability allows a malicious container to exploit a time-of-check to time-of-use (TOCTOU) race condition during the mount setup sequence [3][4]. When an operator performs a docker cp operation (or calls the affected archive API endpoints) against a container, the Docker daemon creates a temporary mountpoint [3][5]. A malicious process inside the container can manipulate the destination path or its components by swapping them with symlinks pointing to arbitrary locations on the host before the mount syscall is completed [3][5]. This causes the daemon to bind-mount volumes onto unintended host paths, potentially allowing file overwrites or denial of service [3][1]. Affected versions include: - Docker Engine versions prior to 29.5.1 [1][2] - github.com/docker/docker/daemon versions up to 28.5.2 [1][6] - Moby Daemon versions prior to 2.0.0-beta.14 [1][2] This issue is patched in Docker Engine 29.5.1 and Moby Daemon 2.0.0-beta.14 [1][2]. If you cannot update immediately, recommended mitigations include: - Restricting access to the archive API endpoints using authorization plugins [3][5]. - Avoiding the use of docker cp with untrusted containers [3][5]. - Running containers with the --read-only flag where possible [2]. Please note that a separate issue related to plugin privilege validation (tracked as GHSA-pxq6-2prw-chj9) was also identified, where a bug in the daemon's privilege comparison logic allows malicious plugins to bypass privilege requirements during installation [7]. This is a distinct issue from the docker cp race condition [7][3].

Citations:


🌐 Web query:

OSV GHSA-rg2x-37c3-w2rh github.com/docker/docker fixed version 28.2.2 28.5.3 module

💡 Result:

The vulnerability GHSA-rg2x-37c3-w2rh (also identified as CVE-2026-42306) describes a race condition in the docker cp command that allows a malicious container to redirect a bind mount target to an arbitrary path on the host, which can lead to file overwriting or a denial of service [1][2]. Regarding your query about fixed versions, the vulnerability is patched in Docker Engine version 29.5.1 [2]. Versions of Docker Daemon up to and including 28.5.2 are affected [2]. The specific version numbers 28.2.2 and 28.5.3 mentioned in your query do not appear to be the official patch releases for this issue; the correction is implemented in the 29.5.x release line [2]. For Moby Daemon, the fix is available in versions starting from 2.0.0-beta.14 [2].

Citations:


Block this Docker bump. github.com/docker/docker v28.2.2+incompatible is in the affected range for GHSA-rg2x-37c3-w2rh / CVE-2026-42306 (docker cp and PUT/HEAD /containers/{id}/archive TOCTOU on host paths). Move to a patched release, starting with 29.5.1.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby firewalld reload makes published container ports accessible from remote hosts in github.com/docker/docker

(GO-2025-3830)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker

(GO-2026-4883)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker

(GO-2026-4887)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path in github.com/docker/docker

(GO-2026-5617)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap in github.com/docker/docker

(GO-2026-5668)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host in github.com/docker/docker

(GO-2026-5746)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation

(GHSA-pxq6-2prw-chj9)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path

(GHSA-rg2x-37c3-w2rh)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

(GHSA-vp62-88p7-qqf5)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby firewalld reload makes published container ports accessible from remote hosts

(GHSA-x4rx-4gw3-53p4)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies

(GHSA-x744-4wpc-v9h2)


[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host

(GHSA-x86f-5xw2-fm2r)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 90, The dependency bump in go.mod for
github.com/docker/docker is unsafe because v28.2.2+incompatible is within the
affected CVE range. Update the github.com/docker/docker requirement to a patched
release at or above 29.5.1, and keep the existing module entry consistent with
the rest of the dependency set.

Source: Linters/SAST tools

Comment thread go.mod Outdated
Comment thread go.mod Outdated
Comment thread go.mod Outdated
@awels awels force-pushed the update_dependencies branch from 4b13326 to 2798f2f Compare July 7, 2026 18:42
A variety of libraries were updated to their
recent versions. This includes many indirect
libraries.

Signed-off-by: Alexander Wels <awels@redhat.com>
@awels awels force-pushed the update_dependencies branch from 2798f2f to 957e45b Compare July 7, 2026 19:47
@istein1

istein1 commented Jul 8, 2026

Copy link
Copy Markdown
Member

@awels ,
Is there an option to upgrade docker to v29.5.1 or confirm the affected API surfaces are unreachable from this
project's code?
Claude's comment:
github.com/docker/docker v28.5.2 has 6+ HIGH-severity CVEs — including docker cp TOCTOU races, container archive host code execution, AuthZ plugin bypass, and firewalld reload exposing published ports. The fix requires v29.5.1+. Since this is an indirect dependency with +incompatible, upgrading to v29 needs careful evaluation, but the CVE surface is large enough to warrant it.

@midays ,
Tests recommendation: Run integration tests for GCS/S3 given the large jumps.

Comment thread go.mod Outdated
github.com/prometheus/procfs v0.16.1 // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect
github.com/sigstore/fulcio v1.6.6 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for CVE-2025-66506, which covers 2 jira tickets: (MIG-1802, MIG-1800) the bump needed >= 1.8.3

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I can't do fulcio 1.8.3 because it is the thing requiring the newer version of docker as well. I guess that is the thing that pulls in that dependency to start with.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was wrong, found a way with some replace statements to update fulcio to 1.8.3.

@awels

awels commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@awels , Is there an option to upgrade docker to v29.5.1 or confirm the affected API surfaces are unreachable from this project's code? Claude's comment: github.com/docker/docker v28.5.2 has 6+ HIGH-severity CVEs — including docker cp TOCTOU races, container archive host code execution, AuthZ plugin bypass, and firewalld reload exposing published ports. The fix requires v29.5.1+. Since this is an indirect dependency with +incompatible, upgrading to v29 needs careful evaluation, but the CVE surface is large enough to warrant it.

@midays , Tests recommendation: Run integration tests for GCS/S3 given the large jumps.

Unfortunately I have to pick. Either update selinux or update docker. I cannot do both. I choose selinux. We don't directly use any of the docker stuff, it is all indirect imports from other libraries.

Here is why we have to pick, docker/docker requires containers/storage 1.59.1+ which requires an old version of filepath-securejoin, while selinux requires a newer version of filepath-securejoin. They are not compatible, and there is no version which can satisfy both

  Critical Decision Needed: Unfixable Dependency Conflict

  You have an incompatible dependency triangle:

  containers/storage v1.59.1 (latest)
      └── requires filepath-securejoin v0.4.1 (has OpenInRoot/Reopen functions)

  opencontainers/selinux v1.13.0 (security fix for CVE GO-2025-4098)
      └── requires filepath-securejoin v0.6.0+ (removed OpenInRoot/Reopen functions)

version of docker than we can support. But with
a replace we can downgrade the actual version.

Signed-off-by: Alexander Wels <awels@redhat.com>
@istein1 istein1 merged commit 4ce4d3c into migtools:master Jul 8, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants