Skip to content

fix: upgrade runc to v1.2.8 for security CVEs#10

Merged
adlio merged 2 commits into
mainfrom
fix/security-dependency-updates
Jul 9, 2026
Merged

fix: upgrade runc to v1.2.8 for security CVEs#10
adlio merged 2 commits into
mainfrom
fix/security-dependency-updates

Conversation

@adlio

@adlio adlio commented Jul 9, 2026

Copy link
Copy Markdown
Owner

This pull request was created by @kiro-agent on behalf of @adlio 👻

Comment with /kiro fix to address specific feedback or /kiro all to address everything.
Learn about Kiro Web


Summary

Addresses GitHub security alerts for vulnerable dependencies in go.mod.

Changes

Dependencies with no available patches

  • github.com/jackc/pgx/v4 v4.18.3 - This is the latest and final release in the v4 major version line. The maintainer has moved to pgx/v5 (currently at v5.10.0). Resolving this alert requires migrating the library to the pgx/v5 API, which is a breaking change and out of scope for this security patch.

  • github.com/jackc/pgproto3/v2 v2.3.3 - This is the latest and final release in the v2 line. It is a transitive dependency of pgx/v4 and cannot be updated independently. It will be resolved when/if the library migrates to pgx/v5.

Testing

  • go build ./... passes cleanly
  • go mod tidy produces no additional changes
  • Integration tests require a Docker daemon and are validated via CI

- Upgraded github.com/opencontainers/runc from v1.2.3 to v1.2.8 to fix:
  - CVE-2025-31133 (High severity)
  - CVE-2025-52565 (High severity)
  - CVE-2025-52881 (High severity)
  - CVE-2026-41579 (Moderate severity)

- github.com/jackc/pgx/v4 v4.18.3 is already the latest release in the
  v4 major version line. pgx/v5 is the current major version (up to
  v5.10.0), but upgrading to v5 would be a breaking API change. No
  further v4 patches are available.

- github.com/jackc/pgproto3/v2 v2.3.3 is already the latest release in
  the v2 line. It is tied to pgx/v4 and has no further patches available.

Co-authored-by: Aaron Longwell <27492+adlio@users.noreply.github.com>
@cursor

cursor Bot commented Jul 9, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@cursor

cursor Bot commented Jul 9, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (104732c) to head (d513536).

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #10   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            7         7           
  Lines          216       216           
=========================================
  Hits           216       216           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@adlio adlio merged commit ee514e4 into main Jul 9, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants