Skip to content

Fix/20260506 update go mod cves#763

Closed
raharper wants to merge 2 commits into
project-stacker:mainfrom
raharper:fix/20260506-update-go-mod-cves
Closed

Fix/20260506 update go mod cves#763
raharper wants to merge 2 commits into
project-stacker:mainfrom
raharper:fix/20260506-update-go-mod-cves

Conversation

@raharper
Copy link
Copy Markdown
Contributor

@raharper raharper commented May 6, 2026

What type of PR is this?

bug

Which issue does this PR fix:

#742
#734
#732
#708
#704

What does this PR do / Why do we need it:

Address current dependabot/CVE issues.

If an issue # is not available please add repro steps and logs showing the issue:

Testing done on this change:

make test

Automation added to e2e:

Will this break upgrades or downgrades?

no

Does this PR introduce any user-facing change?:

no

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

raharper added 2 commits May 6, 2026 14:47
@raharper
fix: bump go.mod for cve fixes
c2e869e 
- bump
  - go to 1.25.9
  - buildkit to v0.28.1
  - incus to v6.23.0
  - github.com/docker/docker v25.0.15+incompatible
  - github.com/sigstore/fulcio v1.8.5
  - github.com/go-jose/go-jose/v4 v4.1.4
- fix up stacker convert after new buildkit
  - ENV and LABEL return key, value, separator instead of just k,v

Signed-off-by: Ryan Harper <rharper@woxford.com>
@raharper
fix: update go.sum after mod update
8f52942 
Signed-off-by: Ryan Harper <rharper@woxford.com>
@raharper raharper force-pushed the fix/20260506-update-go-mod-cves branch from 9a91c7c to 8f52942 Compare May 6, 2026 19:47
@raharper
Copy link
Copy Markdown
Contributor Author

raharper commented May 6, 2026

Looks like will need to dig into the containers/storage Differ issue:

      GetDiffer -> NewDiffer which breaks the storage_dest.go in
      the v5.34.0.  Note this is only detectable via `make lint` as
      the stacker binary does not utilize the pkg/lib code; but we have
      downstream tools which do import this which may be affected.

@raharper
Copy link
Copy Markdown
Contributor Author

raharper commented May 6, 2026

Looks like will need to dig into the containers/storage Differ issue:

      GetDiffer -> NewDiffer which breaks the storage_dest.go in
      the v5.34.0.  Note this is only detectable via `make lint` as
      the stacker binary does not utilize the pkg/lib code; but we have
      downstream tools which do import this which may be affected.

If we try to keep the older securejoin, go mod tidy complains with

$ go mod tidy
go: downloading github.com/cyphar/filepath-securejoin v0.4.1
go: finding module for package github.com/cyphar/filepath-securejoin/pathrs-lite/procfs
go: finding module for package github.com/cyphar/filepath-securejoin/pathrs-lite
go: stackerbuild.io/stacker/pkg/lib/containers_storage imports
	github.com/containers/image/v5/storage imports
	github.com/containers/storage imports
	github.com/opencontainers/selinux/go-selinux imports
	github.com/cyphar/filepath-securejoin/pathrs-lite: module github.com/cyphar/filepath-securejoin@latest found (v0.6.1, replaced by github.com/cyphar/filepath-securejoin@v0.4.1), but does not contain package github.com/cyphar/filepath-securejoin/pathrs-lite
go: stackerbuild.io/stacker/pkg/lib/containers_storage imports
	github.com/containers/image/v5/storage imports
	github.com/containers/storage imports
	github.com/opencontainers/selinux/go-selinux imports
	github.com/cyphar/filepath-securejoin/pathrs-lite/procfs: module github.com/cyphar/filepath-securejoin@latest found (v0.6.1, replaced by github.com/cyphar/filepath-securejoin@v0.4.1), but does not contain package github.com/cyphar/filepath-securejoin/pathrs-lite/procfs

and using 0.6.1

golangci-lint run --build-tags "exclude_graphdriver_btrfs exclude_graphdriver_devicemapper containers_image_openpgp osusergo netgo skipembed"
pkg/lib/containers_storage/lib.go:8:2: could not import github.com/containers/image/v5/storage (.build/gopath/pkg/mod/github.com/containers/image/v5@v5.34.3/storage/storage_dest.go:32:2: could not import github.com/containers/storage (-: # github.com/containers/storage
.build/gopath/pkg/mod/github.com/containers/storage@v1.58.0/userns.go:334:29: undefined: securejoin.OpenInRoot
.build/gopath/pkg/mod/github.com/containers/storage@v1.58.0/userns.go:340:20: undefined: securejoin.Reopen)) (typecheck)
	"github.com/containers/image/v5/storage"
	^
1 issues:
* typecheck: 1

@raharper raharper mentioned this pull request May 14, 2026
Merged
@raharper
Copy link
Copy Markdown
Contributor Author

raharper commented May 19, 2026

Closing in favor of #764

@raharper raharper closed this May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rchincha rchincha Awaiting requested review from rchincha rchincha is a code owner

@smoser smoser Awaiting requested review from smoser smoser is a code owner

@hallyn hallyn Awaiting requested review from hallyn hallyn is a code owner

@tych0 tych0 Awaiting requested review from tych0 tych0 is a code owner

@mikemccracken mikemccracken Awaiting requested review from mikemccracken mikemccracken is a code owner

@rchamarthy rchamarthy Awaiting requested review from rchamarthy rchamarthy is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@raharper