Bump the go-modules group with 6 updates

[dependabot]

Bumps the go-modules group with 6 updates:

Package	From	To
github.com/containerd/containerd/v2	2.3.1	2.3.2
github.com/docker/cli	29.5.3+incompatible	29.6.0+incompatible
github.com/moby/moby/api	1.54.2	1.55.0
github.com/moby/moby/client	0.4.1	0.5.0
github.com/spiffe/go-spiffe/v2	2.8.0	2.8.1
github.com/testcontainers/testcontainers-go	0.42.0	0.43.0

Updates github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.3.2

Welcome to the v2.3.2 release of containerd!

The second patch release for containerd 2.3 contains various fixes and updates including security patches.

Security Updates

• containerd
  • CVE-2026-50195
  • CVE-2026-53488
  • CVE-2026-53492
  • CVE-2026-53489
  • CVE-2026-47262

Highlights

• Fix a data race when reading shim logs on Windows (#13522)

Image Distribution

• Allow the last host to retry on transient network errors (#13591)

Runtime

• Fix container startup failures caused by concurrent task RPC timeouts during slow container creation (#13512)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Chris Henzie
• Akihiro Suda
• Derek McGowan
• Akhil Mohan
• Austin Vazquez
• Ben Cressey
• Brian Goff
• Maksym Pavlenko
• Sebastiaan van Stijn
• Sergey Kanzhelev

Changes

• Prepare release notes for v2.3.2 (#13627)
  • fb8ca00b0 Prepare release notes for v2.3.2

... (truncated)

Commits

• fff62f1 Merge pull request #13627 from samuelkarp/prepare-v2.3.2
• fb8ca00 Prepare release notes for v2.3.2
• 9c69960 Merge commit from fork
• b54e3ec Merge pull request #13608 from thaJeztah/2.3_bump_crypto
• 0d1dbb8 Merge pull request #13591 from k8s-infra-cherrypick-robot/cherry-pick-13323-t...
• 0b94695 [release/2.3] vendor: golang.org/x/crypto v0.53.0
• b38dbd1 Merge pull request #13601 from k8s-infra-cherrypick-robot/cherry-pick-13590-t...
• 0f62515 Merge commit from fork
• 7c2e086 Merge commit from fork
• 94aa1e2 Merge commit from fork
• Additional commits viewable in compare view

Updates github.com/docker/cli from 29.5.3+incompatible to 29.6.0+incompatible

Commits

• fb59821 Merge pull request #7062 from vvoland/update-docker
• ee2f737 vendor: github.com/moby/moby/client v0.5.0
• 1f80e23 vendor: github.com/moby/moby/api v1.55.0
• 1d1562e Merge pull request #7029 from agirault/login-password-dash-stdin
• 8c2e800 Merge pull request #7051 from thaJeztah/bump_moby
• 233cd4a vendor: github.com/moby/moby/api v1.55.0-rc.1, moby/client v0.5.0-rc.1
• 5b600d0 Merge pull request #7047 from thaJeztah/bump_go_events
• e6decf4 Merge pull request #7048 from thaJeztah/bump_compress
• a9284d1 Merge pull request #7049 from thaJeztah/bump_x_net
• e7319c7 Merge pull request #7050 from thaJeztah/update_authors_mailmap
• Additional commits viewable in compare view

Updates github.com/moby/moby/api from 1.54.2 to 1.55.0

Release notes

Sourced from github.com/moby/moby/api's releases.

api/v1.55.0

1.55.0

Changelog

• POST /containers/{id}/update now supports per-device blkio resource settingss. moby/moby#52651
• The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636
• docs: clarify swarm join required fields. moby/moby#52763

api/v1.55.0-rc.1

1.55.0-rc.1

Changelog

• POST /containers/{id}/update now supports per-device blkio resource settingss. moby/moby#52651
• The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636
• docs: clarify swarm join required fields. moby/moby#52763

Commits

• b6c53c2 Merge pull request #52773 from vvoland/c8d-amd64-variants
• 01115e8 Merge pull request #52906 from vvoland/fix-TestContainerWithConflictingNoneNe...
• b36296f Merge pull request #52913 from thaJeztah/windows_does_stats
• a81aa78 TestContainerWithConflictingNoneNetwork: Extend Windows timeout
• 908a35a Merge pull request #52914 from thaJeztah/no_stderr
• 04d33b5 Merge pull request #52912 from thaJeztah/cleanup_GenerateRandomAlphaOnlyString
• 3b2f557 Merge pull request #52722 from notandruu/integration/migrate-TestInspectAPIIm...
• 62b3aae Merge pull request #52901 from vvoland/c8d-imageusage
• 11d3342 integration-cli: un-skip stats tests on Windows
• a47b1b2 Merge pull request #52891 from smerkviladze/attestations-clearer-blob-missing...
• Additional commits viewable in compare view

Updates github.com/moby/moby/client from 0.4.1 to 0.5.0

Release notes

Sourced from github.com/moby/moby/client's releases.

client/0.5.0

0.5.0

Changelog

• The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636

client/v0.5.0-rc.1

0.5.0-rc.1

Changelog

• The new GET /images/{name}/attestations endpoint returns in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image, with optional platform selection, predicate type filtering, and an opt-in statement query parameter for retrieving the verbatim statement bodies. Tools can now retrieve attestation metadata and content directly from the daemon instead of performing additional registry round-trips. moby/moby#52636

Changelog

Sourced from github.com/moby/moby/client's changelog.

0.5.0 (2013-07-17)

• Runtime: List all processes running inside a container with 'docker top'
• Runtime: Host directories can be mounted as volumes with 'docker run -v'
• Runtime: Containers can expose public UDP ports (eg, '-p 123/udp')
• Runtime: Optionally specify an exact public port (eg. '-p 80:4500')
• Registry: New image naming scheme inspired by Go packaging convention allows arbitrary combinations of registries
• Builder: ENTRYPOINT instruction sets a default binary entry point to a container
• Builder: VOLUME instruction marks a part of the container as persistent data

• Builder: 'docker build' displays the full output of a build by default
• Runtime: 'docker login' supports additional options

• Runtime: Dont save a container's hostname when committing an image.
• Registry: Fix issues when uploading images to a private registry

0.4.8 (2013-07-01)

• Builder: New build operation ENTRYPOINT adds an executable entry point to the container.

• Runtime: Fix a bug which caused 'docker run -d' to no longer print the container ID.
• Tests: Fix issues in the test suite

0.4.7 (2013-06-28)

• Registry: easier push/pull to a custom registry
• Remote API: the progress bar updates faster when downloading and uploading large files

• Remote API: fix a bug in the optional unix socket transport

• Runtime: improve detection of kernel version

• Runtime: host directories can be mounted as volumes with 'docker run -b'

• Runtime: fix an issue when only attaching to stdin

• Runtime: use 'tar --numeric-owner' to avoid uid mismatch across multiple hosts
• Hack: improve test suite and dev environment
• Hack: remove dependency on unit tests on 'os/user'

• Documentation: add terminology section

0.4.6 (2013-06-22)

• Runtime: fix a bug which caused creation of empty images (and volumes) to crash.

0.4.5 (2013-06-21)

• Builder: 'docker build git://URL' fetches and builds a remote git repository

• Runtime: 'docker ps -s' optionally prints container size
• Tests: Improved and simplified

• Runtime: fix a regression introduced in 0.4.3 which caused the logs command to fail.
• Builder: fix a regression when using ADD with single regular file.

0.4.4 (2013-06-19)

• Builder: fix a regression introduced in 0.4.3 which caused builds to fail on new clients.

0.4.3 (2013-06-19)

• Builder: ADD of a local file will detect tar archives and unpack them

• Runtime: Remove bsdtar dependency
• Runtime: Add unix socket and multiple -H support
• Runtime: Prevent rm of running containers
• Runtime: Use go1.1 cookiejar
• Builder: ADD improvements: use tar for copy + automatically unpack local archives

... (truncated)

Commits

• 51f6c4a Merge pull request #1227 from dotcloud/bump_0.5.0
• f4eaec3 Merge pull request #1226 from metalivedev/easydockerfile
• b083418 change -b -> -v and add udp example
• 5794857 Merge pull request #1169 from crosbymichael/buildfile-tests
• e7f3f6f Add unit tests for buildfile config instructions
• aa56714 Make dockerfile docs easier to find. Clean up formatting.
• f8dfd0a Merge pull request #1225 from dotcloud/hotfix_docker_rmi
• 3dbf9c6 Merge pull request #1219 from metalivedev/docs-repoupdate
• de563a3 Merge pull request #1194 from crosbymichael/build-verbose
• 9cf2b41 change rm usage in docs
• Additional commits viewable in compare view

Updates github.com/spiffe/go-spiffe/v2 from 2.8.0 to 2.8.1

Release notes

Sourced from github.com/spiffe/go-spiffe/v2's releases.

v2.8.1

Changed

• WIT bundle JWKS entries now include "use": "wit-svid" as required by the SPIFFE WIT spec (#395)

Changelog

Sourced from github.com/spiffe/go-spiffe/v2's changelog.

[2.8.1] - 2026-06-19

Changed

• WIT bundle JWKS entries now include "use": "wit-svid" as required by the SPIFFE WIT spec (#395)

Commits

• e9973f6 v2.8.1 changelog (#396)
• bbc6dc1 Add wit-svid to marshaled WIT bundle keys (#395)
• See full diff in compare view

Updates github.com/testcontainers/testcontainers-go from 0.42.0 to 0.43.0

Release notes

Sourced from github.com/testcontainers/testcontainers-go's releases.

v0.43.0

What's Changed

⚠️ Breaking Changes

• chore(wait)!: change url callback in wait.ForSQL to accept network.Port (#3650) @​thaJeztah

Users of wait.ForSQL need to follow the new API contract, using Moby's network.Port instead of string when building the callback function to check the URL. Please see https://golang.testcontainers.org/features/wait/sql/

• feat!: add PullImageWithPlatform to DockerProvider (#3710) @​blueprismo

Users implementing their own testcontainers.ImageProvider need to implement the new PullImageWithPlatform method introduced by this PR.

🚀 Features

• feat(k3s): pull image opts (#3716) @​blueprismo
• feat(wait): implement AnyMultiStrategy: ForAny equivalent to ForAll. (#3719) @​jeanbza
• feat(eventhubs): add WithAzuriteContainer and functional-options config builder (#3722) @​mdelapenya
• feat!: add PullImageWithPlatform to DockerProvider (#3710) @​blueprismo
• feat(modules/dex): add Dex OIDC provider module (#3659) @​guilycst

🐛 Bug Fixes

• fix(security): remove debug code that leaks Docker credentials (#3721) @​mdelapenya
• fix(ollama): align local exec test with Ollama 0.30.6 log format (#3715) @​mdelapenya
• fix: close temp file handle before removal (#3672) @​acouvreur
• fix(compose): close docker clients to prevent goroutine leaks (#3661) @​mdelapenya
• fix: wait for log production goroutine to drain on stop (#3660) @​mdelapenya

📖 Documentation

• chore: update usage metrics (2026-06) (#3714) @github-actions[bot]

🧹 Housekeeping

• chore(wait)!: change url callback in wait.ForSQL to accept network.Port (#3650) @​thaJeztah
• chore: update usage metrics (2026-05) (#3670) @github-actions[bot]
• chore: remove cgroupnsMode setting from K3s container configuration (#3653) @​lixin9311

📦 Dependency updates

• chore(deps): update dependencies to latest versions in go.mod and go.sum (#3729) @​Steven-Harris
• chore: bump sshd-docker image to 1.4.0 (#3727) @​mdelapenya
• chore(deps): bump Ryuk to v0.14.0 (#3313) @​mdelapenya
• chore(deps): bump github.com/shirou/gopsutil/v4 from 4.26.4 to 4.26.5 (#3713) @dependabot[bot]
• chore(deps): bump golang.org/x/sys from 0.44.0 to 0.45.0 (#3712) @dependabot[bot]
• chore(deps): bump mkdocs-include-markdown-plugin from 7.2.2 to 7.3.0 (#3711) @dependabot[bot]
• chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.3 (#3677) @dependabot[bot]
• chore(deps): bump idna from 3.11 to 3.15 (#3708) @dependabot[bot]
• chore(deps): bump github.com/containerd/containerd/v2 from 2.2.2 to 2.2.4 in /modules/compose (#3709) @dependabot[bot]
• chore(deps): bump urllib3 from 2.6.3 to 2.7.0 (#3704) @dependabot[bot]

... (truncated)

Commits

• 0835739 chore: use new version (v0.43.0) in modules and examples
• 85b6d70 chore(deps): update dependencies to latest versions in go.mod and go.sum (#3729)
• 8360f71 feat(k3s): pull image opts (#3716)
• b5e7022 chore: bump sshd-docker image to 1.4.0 (#3727)
• 1c05dd5 chore(deps): bump Ryuk to v0.14.0 (#3313)
• 96ab095 feat(wait): implement AnyMultiStrategy: ForAny equivalent to ForAll. (#3719)
• 42ac7d2 chore(wait)!: change url callback in wait.ForSQL to accept network.Port (#3650)
• ab312e0 chore(deps): bump github.com/shirou/gopsutil/v4 from 4.26.4 to 4.26.5 (#3713)
• c5c95e5 chore(deps): bump golang.org/x/sys from 0.44.0 to 0.45.0 (#3712)
• 465d002 chore(deps): bump mkdocs-include-markdown-plugin from 7.2.2 to 7.3.0 (#3711)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions