
Bump the go_modules group across 1 directory with 2 updates #7


Open
wants to merge 1 commit into
base: master

dependabot[bot]

@dependabot dependabot bot commented on behalf of github May 21, 2025

Bumps the go_modules group with 1 update in the / directory: github.com/opencontainers/runc.

Updates github.com/opencontainers/runc from 1.0.0-rc5 to 1.2.0-rc.3

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.0-rc.2 -- "TRUE or FALSE, it's a problem!"

This is the second release candidate for the 1.2.0 branch of runc. It includes all patches and bugfixes included in runc 1.1 patch releases (up to and including 1.1.13). A fair few new features have been added, and some changes have been made which may affect users. Please help us thoroughly test this release candidate before we release 1.2.0.

Breaking

  • runc now requires a minimum of Go 1.20 to compile. If building with Go 1.22, make sure to use 1.22.4 or later version (#4233).
  • libcontainer/cgroups users who want to manage cgroup devices need to explicitly import libcontainer/cgroups/devices. (#3452, #4248)

Security

  • The runc binaries provided here were built with go1.21.11, which includes a security fix for os.RemoveAll to fix a bug that would allow an attacker to trick runc into deleting a directory on the host. We encourage users to update, and if they build runc themselves, make sure they build their binaries using go1.21.11 or later, or go1.22.4 or later.

Added

Fixed

  • cgroup v2: do not set swap to 0 or unlimited when it's not available. (#4188)
  • Set the default value of CpuBurst to nil instead of 0. (#4210, #4211)
  • libct/cg: write unified resources line by line. (#4186)
  • libct.Start: fix locking, do not allow a second container init. (#4271)
  • Fix tests in debian testing (mount_sshfs.bats). (#4245)
  • libct/cg/dev: fix TestSetV1Allow panic. (#4295)
  • tests/int/scheduler: require smp. (#4298)

Changed

  • libct/cg/fs: don't write cpu_burst twice on ENOENT. (#4259)
  • Make trimpath optional. (#3908)
  • Remove unused system.Execv. (#4268)
  • Stop blacklisting Go 1.22+, drop Go < 1.21 support, use Go 1.22 in CI. (#4292)
  • Improve some error messages for runc exec. (#4320)
  • ci/gha: bump golangci-lint[-action]. (#4255)
  • tests/int/tty: increase the timeout. (#4260)
  • [ci] use go mod instead of go get in spec.bats. (#4264)
  • tests/int/checkpoint: rm double logging. (#4251)
  • ci/gha: bump golangci-lint-action from 5 to 6. (#4275)
  • .cirrus.yml: rm FIXME from rootless fs on CentOS 7. (#4279)

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.0-rc.3] - 2024-09-02

The supreme happiness of life is the conviction that we are loved.

Security

  • Fix CVE-2024-45310, a low-severity attack that allowed maliciously configured containers to create empty files and directories on the host.

Added

  • Document build prerequisites for different platforms. (#4353)

Fixed

  • Try to delete exec fifo file when failure in creation. (#4319)
  • Revert "libcontainer: seccomp: pass around *os.File for notifyfd". (#4337)
  • Fix link to gvariant documentation in systemd docs. (#4369)

Changed

  • Remove pre-go1.17 build-tags. (#4329)
  • libct/userns: assorted (godoc) improvements. (#4330)
  • libct/userns: split userns detection from internal userns code. (#4331)
  • rootfs: consolidate mountpoint creation logic. (#4359)
  • Add Go 1.23, drop 1.21. (#4360)
  • Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION. (#4370)
  • Mv contrib/cmd tests/cmd (except memfd-bind). (#4377)
  • Makefile: Don't read COMMIT, BUILDTAGS, EXTRA_BUILDTAGS from env vars. (#4380)

[1.2.0-rc.2] - 2024-06-26

TRUE or FALSE, it's a problem!

Important Notes

  • libcontainer/cgroups users who want to manage cgroup devices need to explicitly import libcontainer/cgroups/devices. (#3452, #4248)
  • If building with Go 1.22.x, make sure to use 1.22.4 or a later version. (see #4233 for more details)

Added

... (truncated)

Commits
  • 45471bc VERSION: release v1.2.0-rc.3
  • 6c24b2e changelog: update to include 1.1.14 notes
  • 9e9fdd8 Merge commit from fork
  • 63c2908 rootfs: try to scope MkdirAll to stay inside the rootfs
  • 346b818 Merge pull request #4380 from rata/makefile-no-envs
  • 767bc00 Makefile: Don't read COMMIT, BUILDTAG, EXTRA_BUILDTAGS from env vars
  • a41b62a Merge pull request #4376 from kolyshkin/simplify-branch-protection
  • 2cd24a4 ci/gha: add all-done jobs
  • 41831e7 Merge pull request #4377 from AkihiroSuda/distro-should-not-install-recvtty-etc
  • 376e875 Merge pull request #4370 from rata/main
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.0.0-20190701094942-4def268fd1a4 to 0.22.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the go_modules group with 1 update in the / directory: [github.com/opencontainers/runc](https://github.com/opencontainers/runc).


Updates `github.com/opencontainers/runc` from 1.0.0-rc5 to 1.2.0-rc.3
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.0.0-rc5...v1.2.0-rc.3)

Updates `golang.org/x/crypto` from 0.0.0-20190701094942-4def268fd1a4 to 0.22.0
- [Commits](https://github.com/golang/crypto/commits/v0.22.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.2.0-rc.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.22.0
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from a team as a code owner May 21, 2025 15:19
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels May 21, 2025
@evanelias

Just FYI, upstream no longer uses these two dependencies at all. They were removed in July 2023 (Skeema v1.11).
