Skip to content

Bump the go_modules group across 12 directories with 7 updates#24

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/libs/site-packages/vault-main/go_modules-2cd144fc1f
Open

Bump the go_modules group across 12 directories with 7 updates#24
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/libs/site-packages/vault-main/go_modules-2cd144fc1f

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 5, 2025

Bumps the go_modules group with 5 updates in the /libs/site-packages/vault-main directory:

Package From To
github.com/docker/docker 27.2.1+incompatible 28.0.0+incompatible
github.com/go-viper/mapstructure/v2 2.1.0 2.4.0
github.com/cloudflare/circl 1.6.0 1.6.1
github.com/opencontainers/runc 1.2.3 1.2.8
github.com/snowflakedb/gosnowflake 1.13.0 1.13.3

Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/vault/hcp_link/proto directory: golang.org/x/net.
Bumps the go_modules group with 3 updates in the /libs/site-packages/vault-main/sdk directory: github.com/docker/docker, golang.org/x/net and golang.org/x/oauth2.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/userpass directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/ldap directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/kubernetes directory: golang.org/x/net.
Bumps the go_modules group with 2 updates in the /libs/site-packages/vault-main/api/auth/gcp directory: golang.org/x/net and golang.org/x/oauth2.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/cert directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/azure directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/aws directory: golang.org/x/net.
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/approle directory: golang.org/x/net.

Updates github.com/docker/docker from 27.2.1+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
    • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
  • docker images --tree now shows metadata badges. docker/cli#5744
  • docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
  • Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
  • docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
  • Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

  • The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
    • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
    • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
  • DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
    • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
  • Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
    • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
    • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
  • The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
  • Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
  • Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
    • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
    • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
    • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
    • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

  • dockerd now requires ipset support in the Linux kernel. moby/moby#48596
    • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
    • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
      • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
  • Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
  • Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits
  • af898ab Merge pull request #49495 from vvoland/update-buildkit
  • d67f035 vendor: github.com/moby/buildkit v0.20.0
  • 00ab386 Merge pull request #49491 from vvoland/update-buildkit
  • 1fde8c4 builder-next: fix cdi manager
  • cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
  • 89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
  • b2b5590 Dockerfile: fix linting warnings
  • 62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
  • 670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
  • a3628f3 docs/api: add documentation for API v1.48
  • Additional commits viewable in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.1.0 to 2.4.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.4.0

What's Changed

New Contributors

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0

v2.3.0

What's Changed

New Contributors

Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0

... (truncated)

Commits

Updates github.com/cloudflare/circl from 1.6.0 to 1.6.1

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.1

  • Fixes some point checks on the FourQ curve.
  • Hybrid KEM fails on low-order points.

What's Changed

Full Changelog: cloudflare/circl@v1.6.0...v1.6.1

Commits
  • c6d33e3 Release v1.6.1
  • 0c3868e curve4q: Shared must fail with low order points.
  • 9fd570d curve4q: Test showing DH does not fails on identity point.
  • c988ceb fourq: Correctly unmarshalling point.
  • ef2611d fourq: Test showing point unmarshal fails.
  • 05eba44 fourq: Handle the case of Z=0 for IsOnCurve and IsEqual.
  • eef0878 fourq: Test showing isEqual and IsOnCurve fail.
  • 2298474 goldilocks; Handling points with z=0.
  • 5a940a1 goldilocks: Test for IsEqual must fail with Z=0
  • 48c3b6a ed25519: Fix isEqual to handle points with Z=0.
  • Additional commits viewable in compare view

Updates github.com/opencontainers/runc from 1.2.3 to 1.2.8

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Security

  • CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

  • CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

  • CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.8] - 2025-11-05

鳥籠の中に囚われた屈辱を

Security

This release includes fixes for the following high-severity security issues:

  • CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

  • CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

  • CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

[1.2.7] - 2025-09-05

さんをつけろよデコ助野郎!

Fixed

  • Removed preemptive "full access to cgroups" warning when calling runc pause or runc unpause as an unprivileged user without --systemd-cgroups. Now the warning is only emitted if an actual permission error was encountered. (#4709, #4720)
  • Add time namespace to container config after checkpoint/restore. CRIU since version 3.14 uses a time namespace for checkpoint/restore, however it was not joining the time namespace in runc. (#4696, #4714)
  • Container processes will no longer inherit the CPU affinity of runc by default. Instead, the default CPU affinity of container processes will be the largest set of CPUs permitted by the container's cpuset cgroup and any other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)

... (truncated)

Commits
  • eeb7e60 VERSION: release v1.2.8
  • cdee962 merge private security patches into ghsa-release-1.2.8
  • b4cb2f5 rootfs: re-allow dangling symlinks in mount targets
  • ee56b85 openat2: improve resilience on busy systems
  • 2462b68 Merge pull request #4943 from lifubang/backport-1.2-4934-4937
  • 99e41a5 ci: only run lint-extra job on PRs to main
  • f2a1c98 CI: remove deprecated lima-vm/lima-actions/ssh
  • 8f90185 selinux: use safe procfs API for labels
  • 948d6e9 rootfs: switch to fd-based handling of mountpoint targets
  • 7aa42ad libct: align param type for mountCgroupV1/V2 functions
  • Additional commits viewable in compare view

Updates github.com/snowflakedb/gosnowflake from 1.13.0 to 1.13.3

Release notes

Sourced from github.com/snowflakedb/gosnowflake's releases.

Release

Release

Release

Commits
  • 3d3e3b0 PATCH: Bumped up GoLang connector PATCH version from 1.13.2 to 1.13.3 (#1383)
  • ba94a48 SNOW-1155452 Fix race condition on perm checking for easy logging (#1382)
  • 14db80d SNOW-18254476 Readd PrPr for PAT and OAuth (#1381)
  • 96413d8 SNOW-1825500: Add OAuth Authorization Code, Client Credentials & Refresh Toke...
  • bee8f03 SNOW-2042000 Treat all non-Windows systems the same (#1372)
  • 750a0f3 SNOW-2034185: Remove reencryption when retry PUT upload (#1364)
  • c195281 SNOW-2026797 Adding PAT tests (#1374)
  • ae006c1 SNOW-2040000 change default tag to bptp-stable (#1366)
  • fb3995b SNOW-1825476 Remove PAT with password instead of token (#1357)
  • 912819c NO-SNOW Hide logger enabled flag behind mutex (#1358)
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • See full diff in compare view

Updates github.com/docker/docker from 27.2.1+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
    • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
  • docker images --tree now shows metadata badges. docker/cli#5744
  • docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
  • Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
  • docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
  • Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

  • The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
    • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
    • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
  • DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
    • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
  • Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
    • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
    • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
  • The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
  • Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
  • Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
    • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
    • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
    • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
    • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
  • If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

  • dockerd now requires ipset support in the Linux kernel. moby/moby#48596
    • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
    • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
      • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
  • Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
  • Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits
  • af898ab Merge pull request #49495 from vvoland/update-buildkit
  • d67f035 vendor: github.com/moby/buildkit v0.20.0
  • 00ab386 Merge pull request #49491 from vvoland/update-buildkit
  • 1fde8c4 builder-next: fix cdi manager
  • cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
  • 89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
  • b2b5590 Dockerfile: fix linting warnings
  • 62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
  • 670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
  • a3628f3 docs/api: add documentation for API v1.48
  • Additional commits viewable in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • See full diff in compare view

Updates golang.org/x/oauth2 from 0.24.0 to 0.27.0

Commits
  • 681b4d8 jws: split token into fixed number of parts
  • 3f78298 all: upgrade go directive to at least 1.23.0 [generated]
  • 109dabf endpoints: add links/provider for Discord
  • ac571fa oauth2: fix docs for Config.DeviceAuth
  • 314ee5b endpoints: add patreon endpoint
  • b9c813b google: add warning about externally-provided credentials
  • 49a531d all: make method and struct comments match the names
  • See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • See full diff in compare view

Updates golang.org/x/net from 0.37.0 to 0.38.0

Commits
  • e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign...
  • ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest
  • 1f1fa29 publicsuffix: regenerate table
  • 1215081 http2: improve error when server sends HTTP/1
  • 312450e html: ensure <search> tag closes <p> and update tests
  • 09731f9 http2: improve handling of lost PING in Server
  • 55989e2 http2/h2c: use ResponseController for hijacking connections
  • 2914f46 websocket: re-recommend gorilla/websocket
  • See full diff in compare view

Updates golang.org/x/oauth2 from 0.19.0 to 0.27.0

Commits
  • 681b4d8 jws: split token into fixed number of parts

@dependabot
Bump the go_modules group across 12 directories with 7 updates
e4ce48f 
Bumps the go_modules group with 5 updates in the /libs/site-packages/vault-main directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/docker/docker](https://github.com/docker/docker) | `27.2.1+incompatible` | `28.0.0+incompatible` |
| [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `2.1.0` | `2.4.0` |
| [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `1.6.0` | `1.6.1` |
| [github.com/opencontainers/runc](https://github.com/opencontainers/runc) | `1.2.3` | `1.2.8` |
| [github.com/snowflakedb/gosnowflake](https://github.com/snowflakedb/gosnowflake) | `1.13.0` | `1.13.3` |

Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/vault/hcp_link/proto directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 3 updates in the /libs/site-packages/vault-main/sdk directory: [github.com/docker/docker](https://github.com/docker/docker), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/oauth2](https://github.com/golang/oauth2).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/userpass directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/ldap directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/kubernetes directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 2 updates in the /libs/site-packages/vault-main/api/auth/gcp directory: [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/oauth2](https://github.com/golang/oauth2).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/cert directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/azure directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/aws directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /libs/site-packages/vault-main/api/auth/approle directory: [golang.org/x/net](https://github.com/golang/net).


Updates `github.com/docker/docker` from 27.2.1+incompatible to 28.0.0+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v27.2.1...v28.0.0)

Updates `github.com/go-viper/mapstructure/v2` from 2.1.0 to 2.4.0
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](go-viper/mapstructure@v2.1.0...v2.4.0)

Updates `github.com/cloudflare/circl` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.6.0...v1.6.1)

Updates `github.com/opencontainers/runc` from 1.2.3 to 1.2.8
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/v1.2.8/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.2.3...v1.2.8)

Updates `github.com/snowflakedb/gosnowflake` from 1.13.0 to 1.13.3
- [Release notes](https://github.com/snowflakedb/gosnowflake/releases)
- [Changelog](https://github.com/snowflakedb/gosnowflake/blob/master/CHANGELOG.md)
- [Commits](snowflakedb/gosnowflake@v1.13.0...v1.13.3)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `github.com/docker/docker` from 27.2.1+incompatible to 28.0.0+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v27.2.1...v28.0.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/oauth2` from 0.24.0 to 0.27.0
- [Commits](golang/oauth2@v0.24.0...v0.27.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/oauth2` from 0.19.0 to 0.27.0
- [Commits](golang/oauth2@v0.24.0...v0.27.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](golang/net@v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.0.0+incompatible
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.4.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.2.8
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/snowflakedb/gosnowflake
  dependency-version: 1.13.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/docker/docker
  dependency-version: 28.0.0+incompatible
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.27.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.27.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Nov 5, 2025
@socket-security
Copy link

socket-security bot commented Nov 5, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgolang.org/​x/​oauth2@​v0.17.0 ⏵ v0.32.071 +1100 +20100100100
Addedgithub.com/​Azure/​azure-sdk-for-go/​sdk/​azcore@​v1.17.071100100100100
Updatedgithub.com/​docker/​docker@​v27.2.1+incompatible ⏵ v28.0.0+incompatible72 +1100 +2100100100
Addedgithub.com/​joyent/​triton-go@​v1.7.1-0.20200416154420-6801d15b779f7210010010070
Addedgithub.com/​Azure/​go-autorest/​autorest@​v0.11.2972100100100100
Addedgo.mongodb.org/​atlas@​v0.37.072100100100100
Addedgithub.com/​hashicorp/​consul-template@​v0.39.17310010010070
Addedgithub.com/​Azure/​azure-storage-blob-go@​v0.15.073100100100100
Addedgithub.com/​google/​go-github@​v17.0.0+incompatible7310010010080
Addedgithub.com/​hashicorp/​vault/​sdk@​v0.15.27310010010070
Updatedgolang.org/​x/​crypto@​v0.36.0 ⏵ v0.43.074 +1100100100100
Addedk8s.io/​apimachinery@​v0.32.174100100100100
Updatedgo.opentelemetry.io/​otel@​v1.31.0 ⏵ v1.35.075 +1100100100100
Updatedgolang.org/​x/​net@​v0.37.0 ⏵ v0.46.075 +1100 +3100100100
Updatedgolang.org/​x/​tools@​v0.29.0 ⏵ v0.37.075 +1100100100100
Updatedgoogle.golang.org/​grpc@​v1.63.2 ⏵ v1.70.075 +1100100100100
Addedgithub.com/​aliyun/​alibaba-cloud-sdk-go@​v1.63.847510010010060
Addedgithub.com/​okta/​okta-sdk-golang/​v5@​v5.0.275100100100100
Addedgithub.com/​oracle/​oci-go-sdk@​v24.3.0+incompatible76100100100100
Addedgo.mongodb.org/​mongo-driver@​v1.17.37610010010080
Addedgithub.com/​hashicorp/​hcp-sdk-go@​v0.138.07610010010070
Addedgithub.com/​michaelklishin/​rabbit-hole/​v2@​v2.12.076100100100100
Updatedgithub.com/​aws/​aws-sdk-go@​v1.51.8 ⏵ v1.55.676 +1100100100100
Updatedcloud.google.com/​go/​spanner@​v1.63.0 ⏵ v1.73.076 -2100100100100
Updatedgolang.org/​x/​text@​v0.23.0 ⏵ v0.30.078 +1100100100100
Updatedgoogle.golang.org/​api@​v0.214.0 ⏵ v0.221.079 +1100100100100
Addedgithub.com/​gocql/​gocql@​v1.0.082100100100100
Addedgithub.com/​go-git/​go-git/​v5@​v5.14.082100100100100
Addedcloud.google.com/​go/​storage@​v1.43.084100100100100
Updatedgolang.org/​x/​sys@​v0.31.0 ⏵ v0.37.084100100100100
Addedgithub.com/​hashicorp/​hcl/​v2@​v2.16.28410010010070
See 115 more rows in the dashboard

View full report

@socket-security
Copy link

socket-security bot commented Nov 5, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Authorization Bypass Through User-Controlled Key in go-restful in golang github.com/emicklei/go-restful

CVE: GHSA-r48q-9g5r-8q2h Authorization Bypass Through User-Controlled Key in go-restful (CRITICAL)

Affected versions: < 2.16.0

Patched version: 2.16.0

From: ?golang/github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/emicklei/go-restful@v0.0.0-20170410110728-ff4f55a20633. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 5, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

Comments