fix(deps): vuln minor upgrades — 6 packages (minor: 1 · patch: 5)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

• . (go)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
github.com/containerd/containerd	v1.7.20	v1.7.31	patch	Direct	3 HIGH, 4 MODERATE, 2 MEDIUM
github.com/stretchr/testify	v1.9.0	v1.11.1	minor	Direct	-
github.com/opencontainers/image-spec	v1.1.0	v1.1.1	patch	Direct	-
github.com/sirupsen/logrus	v1.9.3	v1.9.4	patch	Direct	-
github.com/urfave/cli/v2	v2.27.2	v2.27.7	patch	Direct	-
oras.land/oras-go	v1.2.6	v1.2.7	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (3 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/containerd/containerd	GHSA-pwhc-rpq9-4c8w	HIGH	containerd affected by a local privilege escalation via wide permissions on CRI directory	v1.7.20	1.7.29
github.com/containerd/containerd	GO-2025-4100	HIGH	containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd	v1.7.20	1.7.29
github.com/containerd/containerd	CVE-2024-25621	HIGH	containerd affected by a local privilege escalation via wide permissions on CRI directory	v1.7.20	-

ℹ️ Other Vulnerabilities (6)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/containerd/containerd	GO-2025-3528	medium	containerd has an integer overflow in User ID handling in github.com/containerd/containerd	v1.7.20	1.6.38
github.com/containerd/containerd	CVE-2024-40635	medium	containerd has an integer overflow in User ID handling	v1.7.20	-
github.com/containerd/containerd	GHSA-m6hq-p25p-ffr2	MODERATE	containerd CRI server: Host memory exhaustion through Attach goroutine leak	v1.7.20	1.7.29
github.com/containerd/containerd	CVE-2025-64329	MODERATE	containerd CRI server: Host memory exhaustion through Attach goroutine leak	v1.7.20	-
github.com/containerd/containerd	GO-2025-4108	MODERATE	containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd	v1.7.20	1.7.29
github.com/containerd/containerd	GHSA-265r-hfxg-fhmg	MODERATE	containerd has an integer overflow in User ID handling	v1.7.20	1.7.27

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

github.com/containerd/containerd (v1.7.20 → v1.7.31) — GitHub Release

v1.7.31

Welcome to the v1.7.31 release of containerd!

The thirty-first patch release for containerd 1.7 contains various fixes
and updates including a security patch.

Security Updates

• spdystream
  • CVE-2026-35469

Highlights

Container Runtime Interface (CRI)

• Fix CNI issue where DEL is never executed after a restart (https://github.com/containerd/containerd/issues/12931)
• Sanitize error before gRPC return to prevent possible credential leak in pod events (https://github.com/containerd/containerd/issues/12805)
• Improve error message and add warning when concurrent container creation is detected (https://github.com/containerd/containerd/issues/12744)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Maksym Pavlenko
• Akhil Mohan
• Phil Estes
• Sebastiaan van Stijn
• Wei Fu
• Akihiro Suda
• Alex Chernyakhovsky
• Chris Henzie
• Michael Zappa
• Ricardo Branco
• Shachar Tal
• ningmingxiao
• yashsingh74

Changes

37 commits

• Prepare release notes for v1.7.31 (https://github.com/containerd/containerd/issues/13221)
  • 7d2662653 Prepare release notes for v1.7.31
• update github.com/moby/spdystream v0.5.1 (https://github.com/containerd/containerd/issues/13220)
  • 3f795c02a update github.com/moby/spdystream v0.5.1
• update to Go 1.25.9, 1.26.2 (https://github.com/containerd/containerd/issues/13200)
  • 7b1e1b17b update to Go 1.25.9, 1.26.2
  • [b673f2d42](containerd/containerd@b673f2d421384fcf1

(truncated)

v1.7.30

Welcome to the v1.7.30 release of containerd!

The thirtieth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

Container Runtime Interface (CRI)

• Fix NRI dropping requested CDI devices silently (https://github.com/containerd/containerd/issues/12650)
• Redact all query parameters in CRI error logs (https://github.com/containerd/containerd/issues/12551)

Runtime

• Update runc binary to v1.3.4 (https://github.com/containerd/containerd/issues/12619)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Austin Vazquez
• Mike Brown
• Wei Fu
• Andrey Noskov
• CrazyMax
• Davanum Srinivas
• Jin Dong
• Krisztian Litkey
• Maksym Pavlenko
• Paweł Gronowski
• Phil Estes
• Samuel Karp

Changes

26 commits

• Prepare release notes for v1.7.30 (https://github.com/containerd/containerd/issues/12652)
  • 3d0ca6d2e Prepare release notes for v1.7.30
• Fix NRI dropping requested CDI devices silently (https://github.com/containerd/containerd/issues/12650)
  • 0bc74f47e cri,nri: don't drop requested CDI devices silently.
• script/setup/install-cni: install CNI plugins v1.9.0 (https://github.com/containerd/containerd/issues/12660)
  • 7db16b562 script/setup/install-cni: install CNI plugins v1.9.0
• go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) (https://github.com/containerd/containerd/issues/12640)
  • bca897b47 go.mod: golang.org/x/crypto v0.45.0

(truncated)

v1.7.29

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes
and updates including security patches.

Security Updates

• containerd

  • GHSA-pwhc-rpq9-4c8w
  • GHSA-m6hq-p25p-ffr2

• runc

  • GHSA-qw9x-cqr3-wc7r
  • GHSA-cgrx-mc8f-2prm
  • GHSA-9493-h29p-rfm2

Highlights

Image Distribution

• Update differ to handle zstd media types (https://github.com/containerd/containerd/issues/12018)

Runtime

• Update runc binary to v1.3.3 (https://github.com/containerd/containerd/issues/12480)
• Fix lost container logs from quickly closing io (https://github.com/containerd/containerd/issues/12375)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Phil Estes
• Austin Vazquez
• Sebastiaan van Stijn
• ningmingxiao
• Maksym Pavlenko
• StepSecurity Bot
• wheat2018

Changes

38 commits

• 442cb34bd Merge commit from fork
• 0450f046e Fix directory permissions
• e5cb6ddb7 Merge commit from fork
• c575d1b5f fix gorout

(truncated)

(and 8 more releases — view all)

github.com/stretchr/testify (v1.9.0 → v1.11.1) — GitHub Release

v1.11.1

This release fixes stretchr/testify#1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.

What's Changed

• Backport mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers stretchr/testify#1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers by @brackendawson in Backport #1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers stretchr/testify#1788

Full Changelog: stretchr/testify@v1.11.0...v1.11.1

v1.11.0

What's Changed

Functional Changes

v1.11.0 Includes a number of performance improvements.

• Call stack perf change for CallerInfo by @mikeauclair in Call stack perf change for CallerInfo stretchr/testify#1614
• Lazily render mock diff output on successful match by @mikeauclair in Lazily render mock diff output on successful match stretchr/testify#1615
• assert: check early in Eventually, EventuallyWithT, and Never by @cszczepaniak in assert: check early in Eventually, EventuallyWithT, and Never stretchr/testify#1427
• assert: add IsNotType by @bartventer in assert: add IsNotType stretchr/testify#1730
• assert.JSONEq: shortcut if same strings by @dolmen in assert.JSONEq: shortcut if same strings stretchr/testify#1754
• assert.YAMLEq: shortcut if same strings by @dolmen in assert.YAMLEq: shortcut if same strings stretchr/testify#1755
• assert: faster and simpler isEmpty using reflect.Value.IsZero by @dolmen in assert: faster and simpler isEmpty using reflect.Value.IsZero stretchr/testify#1761
• suite: faster methods filtering (internal refactor) by @dolmen in suite: faster methods filtering (internal refactor) stretchr/testify#1758

Fixes

• assert.ErrorAs: log target type by @craig65535 in assert.ErrorAs: log target type stretchr/testify#1345
• Fix failure message formatting for Positive and Negative asserts in Fix failure message formatting for Positive and Negative asserts stretchr/testify#1062
• Improve ErrorIs message when error is nil but an error was expected by @tsioftas in Improve ErrorIs message when error is nil but an error was expected stretchr/testify#1681
• fix Subset/NotSubset when calling with mixed input types by @siliconbrain in fix Subset/NotSubset when calling with mixed input types stretchr/testify#1729
• Improve ErrorAs failure message when error is nil by @ccoVeille in Improve ErrorAs failure message when error is nil stretchr/testify#1734
• mock.AssertNumberOfCalls: improve error msg by @3scalation in mock.AssertNumberOfCalls: improve error msg stretchr/testify#1743

Documentation, Build & CI

• docs: Fix typo in README by @alexandear in docs: Fix typo in README stretchr/testify#1688
• Replace deprecated io/ioutil with io and os by @alexandear in Replace deprecated io/ioutil with io and os stretchr/testify#1684
• Document consequences of calling t.FailNow() by @greg0i

(truncated)

v1.10.0

What's Changed

Functional Changes

• Add PanicAssertionFunc by @fahimbagar in Add PanicAssertionFunc stretchr/testify#1337
• assert: deprecate CompareType by @dolmen in assert: deprecate CompareType stretchr/testify#1566
• assert: make YAML dependency pluggable via build tags by @dolmen in assert: make YAML dependency pluggable via build tags stretchr/testify#1579
• assert: new assertion NotElementsMatch by @hendrywiranto in assert: new assertion NotElementsMatch stretchr/testify#1600
• mock: in order mock calls by @ReyOrtiz in mock: in order mock calls stretchr/testify#1637
• Add assertion for NotErrorAs by @palsivertsen in Add assertion for NotErrorAs stretchr/testify#1129
• Record Return Arguments of a Call by @jayd3e in Record Return Arguments of a Call stretchr/testify#1636
• assert.EqualExportedValues: accepts everything by @redachl in assert.EqualExportedValues: accepts everything stretchr/testify#1586

Fixes

• assert: make tHelper a type alias by @dolmen in assert: make tHelper a type alias stretchr/testify#1562
• Do not get argument again unnecessarily in Arguments.Error() by @TomWright in Do not get argument again unnecessarily in Arguments.Error() stretchr/testify#820
• Fix time.Time compare by @myxo in Fix time.Time compare stretchr/testify#1582
• assert.Regexp: handle []byte array properly by @kevinburkesegment in assert.Regexp: handle []byte array properly stretchr/testify#1587
• assert: collect.FailNow() should not panic by @marshall-lee in assert: collect.FailNow() should not panic stretchr/testify#1481
• mock: simplify implementation of FunctionalOptions by @dolmen in mock: simplify implementation of FunctionalOptions stretchr/testify#1571
• mock: caller information for unexpected method call by @spirin in mock: caller information for unexpected method call stretchr/testify#1644
• suite: fix test failures by @stevenh in suite: fix test failures stretchr/testify#1421
• Fix issue InEpsilon has inconsistent results with expected or actual values of Inf stretchr/testify#1662 (comparing infs should fail) by @ybrustin in Fix issue #1662 (comparing infs should fail) stretchr/testify#1663
• NotSame should fail if args are not pointers NotSame should fail if args are not pointers stretchr/testify#1661 by @sikehish in NotSame should fail if args are not pointers #1661 stretchr/testify#1664
• Increase timeouts in Test_Mock_Called_blocks to reduce f

(truncated)

github.com/sirupsen/logrus (v1.9.3 → v1.9.4) — GitHub Release

Notable changes

• go.mod: update minimum supported go version to v1.17 go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460
• go.mod: bump up dependencies go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460
• Touch-up godoc and add "doc" links.
• README: fix links, grammar, and update examples.
• Add GNU/Hurd support Add GNU/Hurd support sirupsen/logrus#1364
• Add WASI wasip1 support Add WASI wasip1 support sirupsen/logrus#1388
• Remove uses of deprecated ioutil package refactor: replace the deprecated function in the ioutil package sirupsen/logrus#1472
• CI: update actions and golangci-lint CI: update actions and golangci-lint sirupsen/logrus#1459
• CI: remove appveyor, add macOS go.mod: bump up deps; CI: remove appveyor, add macOS sirupsen/logrus#1460

Full Changelog: sirupsen/logrus@v1.9.3...v1.9.4

oras.land/oras-go (v1.2.6 → v1.2.7) — GitHub Release

[!IMPORTANT]
v1.2.7 now requires Go 1.24.0 due to updated dependencies.

What's Changed

• build(deps): bump github.com/docker/cli from 27.1.0+incompatible to 27.1.1+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/cli from 27.1.0+incompatible to 27.1.1+incompatible oras-project/oras-go#797
• build(deps): bump github.com/docker/docker from 27.1.0+incompatible to 27.1.1+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/docker from 27.1.0+incompatible to 27.1.1+incompatible oras-project/oras-go#798
• build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 by @dependabot[bot] in build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 oras-project/oras-go#800
• build(deps): bump golang.org/x/crypto from 0.25.0 to 0.26.0 by @dependabot[bot] in build(deps): bump golang.org/x/crypto from 0.25.0 to 0.26.0 oras-project/oras-go#802
• build(deps): bump github.com/docker/docker from 27.1.1+incompatible to 27.1.2+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/docker from 27.1.1+incompatible to 27.1.2+incompatible oras-project/oras-go#804
• build(deps): bump github.com/docker/cli from 27.1.1+incompatible to 27.1.2+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/cli from 27.1.1+incompatible to 27.1.2+incompatible oras-project/oras-go#805
• build(deps): bump github.com/docker/cli from 27.1.2+incompatible to 27.2.0+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/cli from 27.1.2+incompatible to 27.2.0+incompatible oras-project/oras-go#809
• build(deps): bump github.com/docker/docker from 27.1.2+incompatible to 27.2.0+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/docker from 27.1.2+incompatible to 27.2.0+incompatible oras-project/oras-go#810
• build(deps): bump github.com/containerd/containerd from 1.7.20 to 1.7.21 by @dependabot[bot] in build(deps): bump github.com/containerd/containerd from 1.7.20 to 1.7.21 oras-project/oras-go#811
• build(deps): bump golang.org/x/crypto from 0.26.0 to 0.27.0 by @dependabot[bot] in build(deps): bump golang.org/x/crypto from 0.26.0 to 0.27.0 oras-project/oras-go#824
• build(deps): bump github.com/containerd/containerd from 1.7.21 to 1.7.22 by @dependabot[bot] in build(deps): bump github.com/containerd/containerd from 1.7.21 to 1.7.22 oras-project/oras-go#825
• build(deps): bump github.com/docker/cli from 27.2.0+incompatible to 27.2.1+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/cli from 27.2.0+incompatible to 27.2.1+incompatible oras-project/oras-go#826
• build(deps): bump github.com/docker/docker from 27.2.0+incompatible to 27.2.1+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/docker from 27.2.0+incompatible to 27.2.1+incompatible oras-project/oras-go#827
• build(deps): bump github.com/docker/cli from 27.2.1+incompatible to 27.3.0+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/cli from 27.2.1+incompatible to 27.3.0+incompatible oras-project/oras-go#832
• build(deps): bump github.com/docker/docker from 27.2.1+incompatible to 27.3.0+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/docker from 27.2.1+incompatible to 27.3.0+incompatible oras-project/oras-go#831
• build(deps): bump github.com/docker/cli from 27.3.0+incompatible to 27.3.1+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/cli from 27.3.0+incompatible to 27.3.1+incompatible oras-project/oras-go#834
• build(deps): bump github.com/docker/docker from 27.3.0+incompatible to 27.3.1+incompatible by @dependabot[bot] in build(deps): bump github.com/docker/docker from 27.3.0+incompatible to 27.3.1+incompatible oras-project/oras-go#833
• build(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 by @dependabot[bot] in build(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 oras-project/oras-go#835
• build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23 by @dependabot[bot] in build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23 oras-project/oras-go#838
• build(deps): bump github.com/distribution/distribution/v3 from 3.0.0-beta.1 to 3.0.0-rc.1 by @dependabot[bot] in build(deps): bump github.com/distribution/distribution/v3 from 3.0.0-beta.1 to 3.0.0-rc.1 oras-project/oras-go#843
• build(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @dependabot[bot] in build(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 oras-project/oras-go#845
• build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot[bot] in build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 oras-project/oras-go#849
• build(deps): bump github.com/containerd/containerd from 1.7.23 to 1.7.24 by @dependabot[bot] in build(deps): bump github.com/containerd/containerd from 1.7.23 to 1.7.24 oras-project/oras-go#848
• build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by @dependabot[bot] in build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 oras-project/oras-go#853
• build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot[bot] in build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 oras-project/oras-go#858
• build(deps): bump github.com/docker/cli from 27.3.1+incompatible to 27.4.0+incompat

(truncated)

---

Generated by ADMS Sources: 4 GitHub Releases, 2 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.