pulumi-renovate[bot]
f1ff9e765f
Update vulnerable dependencies [SECURITY] ( #671 )
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/containerd/containerd/v2](https://redirect.github.com/containerd/containerd) | indirect | patch | `v2.0.3` -> `v2.0.7` |
| [github.com/go-viper/mapstructure/v2](https://redirect.github.com/go-viper/mapstructure) | indirect | minor | `v2.0.0` -> `v2.4.0` |
| [github.com/ulikunitz/xz](https://redirect.github.com/ulikunitz/xz) | indirect | patch | `v0.5.12` -> `v0.5.15` |
| golang.org/x/crypto | indirect | minor | `v0.39.0` -> `v0.45.0` |
### GitHub Vulnerability Alerts
#### [CVE-2024-40635](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg)
### Impact
A bug was found in containerd where containers launched with a User set
as a `UID:GID` larger than the maximum 32-bit signed integer can cause
an overflow condition where the container ultimately runs as root (UID
0). This could cause unexpected behavior for environments that require
containers to run as a non-root user.
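The overflow described above comes down to how a numeric id string is parsed and then narrowed to the 32-bit id the kernel uses. The following Go program is an added example, not containerd's code and not its fix: `ParseUserSpec` is a hypothetical strict parser that hands `strconv.ParseUint` a bit size of 32, so out-of-range, negative or empty components are rejected instead of wrapping, and `TruncatingParse` illustrates the naive narrowing that turns 2^32 into 0. It validates against the full unsigned 32-bit range of uid_t, which is an editorial choice; the advisory states its threshold as the maximum 32-bit signed integer.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseUserSpec parses a "UID" or "UID:GID" string into 32-bit ids.
// bitSize 32 makes strconv.ParseUint return ErrRange for anything above
// MaxUint32, and ErrSyntax for negative numbers or empty components, so a
// bad spec fails loudly instead of silently becoming another id.
func ParseUserSpec(spec string) (uid, gid uint32, err error) {
	parts := strings.SplitN(spec, ":", 2)
	ids := make([]uint32, 0, 2)
	for _, p := range parts {
		v, perr := strconv.ParseUint(p, 10, 32)
		if perr != nil {
			return 0, 0, fmt.Errorf("user spec %q: component %q: %w", spec, p, perr)
		}
		ids = append(ids, uint32(v))
	}
	uid = ids[0]
	if len(ids) == 2 {
		gid = ids[1]
	}
	return uid, gid, nil
}

// TruncatingParse is a deliberately naive illustration of the failure mode
// (hypothetical, not containerd's code): parsing into a 64-bit integer and
// then converting to uint32 keeps only the low 32 bits, so 4294967296 (2^32)
// becomes 0, which is root.
func TruncatingParse(id string) (uint32, error) {
	v, err := strconv.ParseInt(id, 10, 64)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil
}

func main() {
	for _, spec := range []string{"1000:1000", "65534", "4294967296:0", "-1:0"} {
		uid, gid, err := ParseUserSpec(spec)
		fmt.Printf("strict     %-14s -> uid=%d gid=%d err=%v\n", spec, uid, gid, err)
	}
	v, _ := TruncatingParse("4294967296")
	fmt.Printf("truncating %-14s -> uid=%d\n", "4294967296", v)
}
```

The strict parser is what a runtime or an admission-time validator should do with a user-supplied `USER` value; the truncating variant is only there to make the wrap visible.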
### Patches
This bug has been fixed in the following containerd versions:
* 2.0.4 (Fixed in 1a43cb6a10)
* 1.7.27 (Fixed in 05044ec0a9)
* 1.6.38 (Fixed in cf158e884c)
Users should update to these versions to resolve the issue.
### Workarounds
Ensure that only trusted images are used and that only trusted users
have permissions to import images.
### Credits
The containerd project would like to thank [Benjamin
Koltermann](https://redirect.github.com/p4ck3t0 ) and
[emxll](https://redirect.github.com/emxll ) for responsibly disclosing
this issue in accordance with the [containerd security
policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md ).
### References
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635
### For more information
If you have any questions or comments about this advisory:
* Open an issue in
[containerd](https://redirect.github.com/containerd/containerd/issues/new/choose )
* Email us at [security@containerd.io ](mailto:security@containerd.io )
To report a security issue in containerd:
* [Report a new
vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new )
* Email us at [security@containerd.io ](mailto:security@containerd.io )
#### [CVE-2025-47291](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff)
### Impact
A bug was found in containerd's CRI implementation where containerd
doesn't put usernamespaced containers under the Kubernetes cgroup
hierarchy, therefore some Kubernetes limits are not honored. This may
cause a denial of service of the Kubernetes node.
### Patches
This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should
update to these versions to resolve the issue.
### Workarounds
Disable usernamespaced pods in Kubernetes temporarily.
### Credits
The containerd project would like to thank Rodrigo Campos Catelin and
Piotr Rogowski for responsibly disclosing this issue in accordance with
the [containerd security
policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md).
### For more information
If you have any questions or comments about this advisory:
* Open an issue in
[containerd](https://redirect.github.com/containerd/containerd/issues/new/choose )
* Email us at security@containerd.io
To report a security issue in containerd:
* [Report a new
vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new )
* Email us at [security@containerd.io ](mailto:security@containerd.io )
#### [CVE-2024-25621](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w)
### Impact
An overly broad default permission vulnerability was found in
containerd.
- `/var/lib/containerd` was created with the permission bits 0o711,
while it should be created with 0o700
- Allowed local users on the host to potentially access the metadata
store and the content store
- `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755,
while it should be created with 0o700
- Allowed local users on the host to potentially access the contents of
Kubernetes local volumes. The contents of volumes might include setuid
binaries, which could allow a local user on the host to elevate
privileges on the host.
- `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created
with 0o711, while it should be created with 0o700
The directory paths may differ depending on the daemon configuration.
When the `temp` directory path is specified in the daemon configuration,
that directory was also created with 0o711, while it should be created
with 0o700.
### Patches
This bug has been fixed in the following containerd versions:
* 2.2.0
* 2.1.5
* 2.0.7
* 1.7.29
Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing
directories.
> [!NOTE]
> `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711.
> This is an expected behavior for supporting userns-remapped containers.
### Workarounds
The system administrator on the host can manually chmod the directories so
that they have no group- or world-accessible permissions:
```sh
chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim
```
An alternative mitigation would be to run containerd in [rootless
mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md ).
### Credits
The containerd project would like to thank David Leadbeater for
responsibly disclosing this issue in accordance with the [containerd
security
policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md ).
### For more information
If you have any questions or comments about this advisory:
* Open an issue in
[containerd](https://redirect.github.com/containerd/containerd/issues/new/choose )
* Email us at [security@containerd.io ](mailto:security@containerd.io )
To report a security issue in containerd:
* [Report a new
vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new )
#### [CVE-2025-64329](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)
### Impact
A bug was found in containerd's CRI Attach implementation where a user
can exhaust memory on the host due to goroutine leaks.
Repetitive calls of CRI Attach (e.g., [`kubectl
attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/ ))
could increase the memory usage of containerd.
### Patches
This bug has been fixed in the following containerd versions:
* 2.2.0
* 2.1.5
* 2.0.7
* 1.7.29
Users should update to these versions to resolve the issue.
### Workarounds
Set up an admission controller to control accesses to `pods/attach`
resources.
e.g., [Validating Admission
Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ ).
### Credits
The containerd project would like to thank @Wheat2018 for
responsibly disclosing this issue in accordance with the [containerd
security
policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md ).
### References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329
### For more information
If you have any questions or comments about this advisory:
* Open an issue in
[containerd](https://redirect.github.com/containerd/containerd/issues/new/choose )
* Email us at [security@containerd.io ](mailto:security@containerd.io )
To report a security issue in containerd:
* [Report a new
vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new )
---
### containerd has an integer overflow in User ID handling in
github.com/containerd/containerd
[CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635 ) /
[GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg )
/ [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528 )
<details>
<summary>More information</summary>
#### Details
containerd has an integer overflow in User ID handling in
github.com/containerd/containerd
#### Severity
Unknown
#### References
- [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg)
- 05044ec0a9
- 1a43cb6a10
- cf158e884c
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2025-3528 ) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb )
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license )).
</details>
---
### containerd has an integer overflow in User ID handling
[CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635 ) /
[GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg )
/ [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528 )
<details>
<summary>More information</summary>
#### Details
The advisory text (Impact, Patches, Workarounds, Credits, References, For more information) is the GitHub Vulnerability Alert for CVE-2024-40635 above.
#### Severity
- CVSS Score: 4.6 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N`
#### References
- [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635)
- 05044ec0a9
- 1a43cb6a10
- cf158e884c
- [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd)
- [https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-265r-hfxg-fhmg ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### containerd CRI plugin: Incorrect cgroup hierarchy assignment for
containers running in usernamespaced Kubernetes pods.
[CVE-2025-47291](https://nvd.nist.gov/vuln/detail/CVE-2025-47291 ) /
[GHSA-cxfp-7pvr-95ff](https://redirect.github.com/advisories/GHSA-cxfp-7pvr-95ff )
/ [GO-2025-3701](https://pkg.go.dev/vuln/GO-2025-3701 )
<details>
<summary>More information</summary>
#### Details
The advisory text (Impact, Patches, Workarounds, Credits, For more information) is the GitHub Vulnerability Alert for CVE-2025-47291 above.
#### Severity
- CVSS Score: Unknown
- Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U`
#### References
- [https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-47291](https://nvd.nist.gov/vuln/detail/CVE-2025-47291)
- [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd)
- [https://pkg.go.dev/vuln/GO-2025-3701](https://pkg.go.dev/vuln/GO-2025-3701)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-cxfp-7pvr-95ff ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Incorrect cgroup assignment for containers running in usernamespaced
Kubernetes pods in github.com/containerd/containerd
[CVE-2025-47291](https://nvd.nist.gov/vuln/detail/CVE-2025-47291 ) /
[GHSA-cxfp-7pvr-95ff](https://redirect.github.com/advisories/GHSA-cxfp-7pvr-95ff )
/ [GO-2025-3701](https://pkg.go.dev/vuln/GO-2025-3701 )
<details>
<summary>More information</summary>
#### Details
Incorrect cgroup assignment for containers running in usernamespaced
Kubernetes pods in github.com/containerd/containerd
#### Severity
Unknown
#### References
- [https://github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-cxfp-7pvr-95ff)
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2025-3701 ) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb )
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license )).
</details>
---
### containerd affected by a local privilege escalation via wide
permissions on CRI directory
[CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621 ) /
[GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w )
<details>
<summary>More information</summary>
#### Details
The advisory text (Impact, Patches, Workarounds, Credits, For more information) is the GitHub Vulnerability Alert for CVE-2024-25621 above.
#### Severity
- CVSS Score: 7.3 / 10 (High)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H`
#### References
- [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621)
- 7c59e8e9e9
- [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd)
- [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-pwhc-rpq9-4c8w ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### containerd CRI server: Host memory exhaustion through Attach
goroutine leak
[CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329 ) /
[GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2 )
<details>
<summary>More information</summary>
#### Details
The advisory text (Impact, Patches, Workarounds, Credits, References, For more information) is the GitHub Vulnerability Alert for CVE-2025-64329 above.
#### Severity
- CVSS Score: Unknown
- Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
#### References
- [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329)
- 083b53cd6f
- [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-m6hq-p25p-ffr2 ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
#### [GHSA-fv92-fjc5-jj9h](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h)
### Summary
Use of this library in a security-critical context may result in leaking
sensitive information, if used to process sensitive fields.
### Details
OpenBao (and presumably HashiCorp Vault) have surfaced error messages
from `mapstructure` as follows:
98c3a59c04/sdk/framework/field_data.go (L43-L50)
```go
_, _, err := d.getPrimitive(field, schema)
if err != nil {
	return fmt.Errorf("error converting input for field %q: %w", field, err)
}
```
where this calls `mapstructure.WeakDecode(...)`:
98c3a59c04/sdk/framework/field_data.go (L181-L193)
```go
func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
```
Notably, `WeakDecode(...)` eventually calls one of the decode helpers,
which surfaces the original value:
1a66224d5e/mapstructure.go (L679-L686)
1a66224d5e/mapstructure.go (L726-L730)
1a66224d5e/mapstructure.go (L783-L787)
& more.
### PoC
To reproduce with OpenBao:
```console
$ podman run -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```
and in a new tab:
```console
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"password":{"asdf":"my-sensitive-value"}}' "http://localhost:8300/v1/auth/userpass/users/adsf"
{"errors":["error converting input for field \"password\": '' expected type 'string', got unconvertible type 'map[string]interface {}', value: 'map[asdf:my-sensitive-value]'"]}
```
### Impact
This is an information disclosure bug with little mitigation. See
https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
for a previous version. That version was fixed, but this is in the
second part of that error message (starting at `'' expected a map, got
'string'` -- when the field type is `string` and a `map` is provided, we
see the above information leak -- the previous example had a `map` type
field with a `string` value provided).
This was rated 4.5 Medium by HashiCorp in the past iteration.
#### [GHSA-2464-8j7c-4cjm](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm)
### Summary
Use of this library in a security-critical context may result in leaking
sensitive information, if used to process sensitive fields.
### Details
OpenBao (and presumably HashiCorp Vault) have surfaced error messages
from `mapstructure` as follows:
98c3a59c04/sdk/framework/field_data.go (L43-L50)
```go
_, _, err := d.getPrimitive(field, schema)
if err != nil {
	return fmt.Errorf("error converting input for field %q: %w", field, err)
}
```
where this calls `mapstructure.WeakDecode(...)`:
98c3a59c04/sdk/framework/field_data.go (L181-L193)
```go
func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
```
Notably, `WeakDecode(...)` eventually calls one of the decode helpers,
which surfaces the original value via `strconv` helpers:
8c61ec1924/mapstructure.go (L720-L727)
8c61ec1924/mapstructure.go (L791-L798)
8c61ec1924/decode_hooks.go (L180)
& more. These are different code paths than are fixed in the previous
iteration at
https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h .
### PoC
To reproduce with OpenBao:
```console
$ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```
and in a new tab:
```console
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf"
--> server logs:
2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\""
```
### Impact
This is an information disclosure bug with little mitigation. See
https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
for a previous version. That version was fixed, but this is in the
second part of that error message (starting at `'' expected a map, got
'string'` -- when the field type is `string` and a `map` is provided, we
see the above information leak -- the previous example had a `map` type
field with a `string` value provided).
This was rated 4.5 Medium by HashiCorp in the past iteration.
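Both mapstructure advisories above (GHSA-fv92-fjc5-jj9h and GHSA-2464-8j7c-4cjm) trace the leak to the same caller pattern: a conversion error that embeds the rejected input is wrapped with `%w` and then returned to the client or written to the server log. The following Go program is an added example, not OpenBao, Vault or mapstructure code: `RedactDecodeError` strips the input from the error before it is wrapped, covering the `, value: '...'` tail shown in the first PoC, the Go-quoted input that `time.ParseDuration` echoes in the second PoC, and `strconv.NumError`, whose `Num` field carries the raw input. `ConvertField` and `fakeMapstructureMismatch` are hypothetical; the latter constructs an error with the message shape copied from the first advisory's PoC output so the example runs without the library.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// mapstructureValue matches the ", value: '...'" tail of the type-mismatch
// message shown in the advisory's PoC; everything after "value:" is the
// caller-supplied input.
var mapstructureValue = regexp.MustCompile(`, value: '.*'$`)

// goQuoted matches a double-quoted Go string literal, the form in which
// time.ParseDuration and strconv's NumError echo the input they rejected.
var goQuoted = regexp.MustCompile(`"(?:[^"\\]|\\.)*"`)

// RedactDecodeError rewrites a conversion error so that the rejected input
// is no longer part of the message while the type information that helps
// the caller is kept.
func RedactDecodeError(err error) error {
	if err == nil {
		return nil
	}
	var numErr *strconv.NumError
	if errors.As(err, &numErr) {
		// NumError.Num carries the raw input; keep only function and reason.
		return fmt.Errorf("strconv.%s: %w", numErr.Func, numErr.Err)
	}
	msg := err.Error()
	msg = mapstructureValue.ReplaceAllString(msg, "")
	msg = goQuoted.ReplaceAllString(msg, `"[redacted]"`)
	return errors.New(msg)
}

// ConvertField mirrors the shape of the OpenBao call quoted in the advisory
// (hypothetical helper): run a decoder for one field and wrap its error with
// the field name. The difference is that the error goes through
// RedactDecodeError first, so the field name survives but the value never
// reaches a log line or an HTTP error body.
func ConvertField(field string, raw interface{}, decode func(interface{}) error) error {
	if err := decode(raw); err != nil {
		return fmt.Errorf("error converting input for field %q: %w", field, RedactDecodeError(err))
	}
	return nil
}

// fakeMapstructureMismatch is a constructed stand-in for a mapstructure
// type-mismatch error, using the exact message shape from the PoC output.
func fakeMapstructureMismatch(raw interface{}) error {
	return fmt.Errorf("'' expected type 'string', got unconvertible type '%T', value: '%v'", raw, raw)
}

func main() {
	secret := map[string]interface{}{"asdf": "my-sensitive-value"}
	fmt.Println(ConvertField("password", secret, func(v interface{}) error {
		return fakeMapstructureMismatch(v)
	}))
	fmt.Println(ConvertField("ttl", "asdf", func(v interface{}) error {
		_, e := time.ParseDuration(v.(string))
		return e
	}))
	fmt.Println(ConvertField("max_ttl", "s3cret", func(v interface{}) error {
		_, e := strconv.Atoi(v.(string))
		return e
	}))
}
```

The quoted-string pattern is deliberately coarse: it also redacts quoted text that was not user input, which is the safe direction for a message that ends up in logs or in a response body. A narrower alternative is to never wrap the decoder's error at all and return a fixed message per field type, logging the original only through a redacting logger.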
---
### mapstructure May Leak Sensitive Information in Logs When Processing
Malformed Data
[GHSA-fv92-fjc5-jj9h](https://redirect.github.com/advisories/GHSA-fv92-fjc5-jj9h )
/ [GO-2025-3787](https://pkg.go.dev/vuln/GO-2025-3787 )
<details>
<summary>More information</summary>
#### Details
The advisory text (Summary, Details, PoC, Impact) is the GitHub Vulnerability Alert for GHSA-fv92-fjc5-jj9h above.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`
#### References
- [https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h)
- [https://github.com/go-viper/mapstructure](https://redirect.github.com/go-viper/mapstructure)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-fv92-fjc5-jj9h ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### May leak sensitive information in logs when processing malformed
data in github.com/go-viper/mapstructure
[GHSA-fv92-fjc5-jj9h](https://redirect.github.com/advisories/GHSA-fv92-fjc5-jj9h )
/ [GO-2025-3787](https://pkg.go.dev/vuln/GO-2025-3787 )
<details>
<summary>More information</summary>
#### Details
May leak sensitive information in logs when processing malformed data in
github.com/go-viper/mapstructure
#### Severity
Unknown
#### References
- [https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h)
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2025-3787 ) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb )
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license )).
</details>
---
### Go-viper's mapstructure May Leak Sensitive Information in Logs in
github.com/go-viper/mapstructure
[GHSA-2464-8j7c-4cjm](https://redirect.github.com/advisories/GHSA-2464-8j7c-4cjm )
/ [GO-2025-3900](https://pkg.go.dev/vuln/GO-2025-3900 )
<details>
<summary>More information</summary>
#### Details
Go-viper's mapstructure May Leak Sensitive Information in Logs in
github.com/go-viper/mapstructure
#### Severity
Unknown
#### References
- [https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm)
- 742921c9ba
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2025-3900 ) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb )
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license )).
</details>
---
### go-viper's mapstructure May Leak Sensitive Information in Logs When
Processing Malformed Data
[GHSA-2464-8j7c-4cjm](https://redirect.github.com/advisories/GHSA-2464-8j7c-4cjm )
/ [GO-2025-3900](https://pkg.go.dev/vuln/GO-2025-3900 )
<details>
<summary>More information</summary>
#### Details
##### Summary
Use of this library in a security-critical context may result in leaking
sensitive information, if used to process sensitive fields.
##### Details
OpenBao (and presumably HashiCorp Vault) have surfaced error messages
from `mapstructure` as follows:
98c3a59c04/sdk/framework/field_data.go (L43-L50)
```go
_, _, err := d.getPrimitive(field, schema)
if err != nil {
	return fmt.Errorf("error converting input for field %q: %w", field, err)
}
```
where this calls `mapstructure.WeakDecode(...)`:
98c3a59c04/sdk/framework/field_data.go (L181-L193)
```go
func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
```
Notably, `WeakDecode(...)` eventually calls one of the decode helpers,
which surfaces the original value via `strconv` helpers:
8c61ec1924/mapstructure.go (L720-L727)
8c61ec1924/mapstructure.go (L791-L798)
8c61ec1924/decode_hooks.go (L180)
& more. These are different code paths than are fixed in the previous
iteration at
https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h .
##### PoC
To reproduce with OpenBao:
```
$ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```
and in a new tab:
```
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf "
--> server logs:
2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\""
```
##### Impact
This is an information disclosure bug with little mitigation. See
https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
for a previous version. That version was fixed, but this is in the
second part of that error message (starting at `'' expected a map, got
'string'` -- when the field type is `string` and a `map` is provided, we
see the above information leak -- the previous example had a `map` type
field with a `string` value provided).
This was rated 4.5 Medium by HashiCorp in the past iteration.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`
#### References
- [https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm )
- 742921c9ba
- [https://github.com/go-viper/mapstructure](https://redirect.github.com/go-viper/mapstructure )
- [https://pkg.go.dev/vuln/GO-2025-3900](https://pkg.go.dev/vuln/GO-2025-3900 )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-2464-8j7c-4cjm ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
#### [CVE-2025-58058](https://redirect.github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9 )
### Summary
It is possible to put data in front of an LZMA-encoded byte stream
without detecting the situation while reading the header. This can lead
to increased memory consumption because the current implementation
allocates the full decoding buffer directly after reading the header.
The LZMA header doesn't include a magic number or a checksum that would
detect such an issue, according to the
[specification](https://redirect.github.com/jljusten/LZMA-SDK/blob/master/DOC/lzma-specification.txt ).
Note that the code recognizes the issue later while reading the stream,
but at this time the memory allocation has already been done.
### Mitigations
The release v0.5.15 includes the following mitigations:
- The ReaderConfig DictCap field is now interpreted as a limit for the dictionary size.
- The default is 2 Gigabytes - 1 byte (2^31-1 bytes).
- Users can check with the [Reader.Header] method what the actual values are in their LZMA files and set a smaller limit using ReaderConfig.
- The dictionary size will not exceed the larger of the file size and the minimum dictionary size. This is another measure to prevent huge memory allocations for the dictionary.
- The code supports stream sizes only up to a pebibyte (1024^5).
Note that the original v0.5.14 version had a compiler error for 32-bit
platforms, which has been fixed by v0.5.15.
### Methods affected
Only software that uses
[lzma.NewReader](https://pkg.go.dev/github.com/ulikunitz/xz/lzma#NewReader )
or
[lzma.ReaderConfig.NewReader](https://pkg.go.dev/github.com/ulikunitz/xz/lzma#ReaderConfig.NewReader )
is affected. There is no issue for software using the xz functionality.
I thank @GregoryBuligin for his report, which is provided below.
### Summary
When unpacking a large number of LZMA archives, even in a single
goroutine, if the first byte of the archive file is 0 (a zero byte added
to the beginning), an error __writeMatch: distance out of range__
occurs. Memory consumption spikes sharply, and the GC clearly cannot
handle this situation.
### Details
Judging by the error __writeMatch: distance out of range__, the problems
occur in the code around this function.
c8314b8f21/lzma/decoderdict.go (L81)
### PoC
Run a function similar to this one in 1 or several goroutines on a
multitude of LZMA archives that have a 0 (a zero byte) added to the
beginning.
```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"os"
	"path/filepath"

	"github.com/ulikunitz/xz/lzma"
)

const ProjectLocalPath = "some/path"
const TmpDir = "tmp"

// TmpLZMAPrefix and DirPerm are not shown in the report; these are assumed values.
const TmpLZMAPrefix = "unpack-"
const DirPerm = 0o755

func UnpackLZMA(lzmaFile string) error {
	file, err := os.Open(lzmaFile)
	if err != nil {
		return err
	}
	defer file.Close()

	// lzma.NewReader allocates the dictionary declared in the header up front;
	// with a zero byte prepended to the file that declared size is bogus and huge.
	reader, err := lzma.NewReader(bufio.NewReader(file))
	if err != nil {
		return err
	}

	tmpFile, err := os.CreateTemp(TmpDir, TmpLZMAPrefix)
	if err != nil {
		return err
	}
	defer func() {
		tmpFile.Close()
		_ = os.Remove(tmpFile.Name())
	}()

	// Decompress while hashing the output; the corrupted stream fails here with
	// "writeMatch: distance out of range", after the allocation has already happened.
	sha256Hasher := sha256.New()
	multiWriter := io.MultiWriter(tmpFile, sha256Hasher)
	if _, err = io.Copy(multiWriter, reader); err != nil {
		return err
	}

	// Store the result content-addressed under the first two hex digits of its hash.
	unpackHash := hex.EncodeToString(sha256Hasher.Sum(nil))
	unpackDir := filepath.Join(ProjectLocalPath, unpackHash[:2])
	_ = os.MkdirAll(unpackDir, DirPerm)
	unpackPath := filepath.Join(unpackDir, unpackHash)
	return os.Rename(tmpFile.Name(), unpackPath)
}
```
### Impact
Servers with a small amount of RAM that download and unpack a large
number of unverified LZMA archives
---
### github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
[CVE-2025-58058](https://nvd.nist.gov/vuln/detail/CVE-2025-58058 ) / [GHSA-jc7w-c686-c4v9](https://redirect.github.com/advisories/GHSA-jc7w-c686-c4v9 ) / [GO-2025-3922](https://pkg.go.dev/vuln/GO-2025-3922 )
<details>
<summary>More information</summary>
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
#### References
- [https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9](https://redirect.github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9 )
- [https://nvd.nist.gov/vuln/detail/CVE-2025-58058](https://nvd.nist.gov/vuln/detail/CVE-2025-58058 )
- 88ddf1d0d9
- [https://github.com/ulikunitz/xz](https://redirect.github.com/ulikunitz/xz )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-jc7w-c686-c4v9 ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz
[CVE-2025-58058](https://nvd.nist.gov/vuln/detail/CVE-2025-58058 ) / [GHSA-jc7w-c686-c4v9](https://redirect.github.com/advisories/GHSA-jc7w-c686-c4v9 ) / [GO-2025-3922](https://pkg.go.dev/vuln/GO-2025-3922 )
<details>
<summary>More information</summary>
#### Details
Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz
#### Severity
Unknown
#### References
- [https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9](https://redirect.github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9 )
- 88ddf1d0d9
This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2025-3922 ) and the [Go
Vulnerability Database](https://redirect.github.com/golang/vulndb )
([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license )).
</details>
#### [CVE-2025-58181](https://nvd.nist.gov/vuln/detail/CVE-2025-58181 )
SSH servers parsing GSSAPI authentication requests do not validate the
number of mechanisms specified in the request, allowing an attacker to
cause unbounded memory consumption.
#### [CVE-2025-47914](https://nvd.nist.gov/vuln/detail/CVE-2025-47914 )
SSH Agent servers do not validate the size of messages when processing
new identity requests, which may cause the program to panic if the
message is malformed due to an out of bounds read.
---
### Release Notes
<details>
<summary>containerd/containerd (github.com/containerd/containerd/v2)</summary>
### [`v2.0.7`](https://redirect.github.com/containerd/containerd/releases/tag/v2.0.7 ): containerd 2.0.7
[Compare Source](https://redirect.github.com/containerd/containerd/compare/v2.0.6...v2.0.7 )
Welcome to the v2.0.7 release of containerd!
The seventh patch release for containerd 2.0 includes various bug fixes
and updates.
##### Security Updates
- **containerd**
  - [**GHSA-pwhc-rpq9-4c8w**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w )
  - [**GHSA-m6hq-p25p-ffr2**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2 )
- **runc**
  - [**GHSA-qw9x-cqr3-wc7r**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r )
  - [**GHSA-cgrx-mc8f-2prm**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm )
  - [**GHSA-9493-h29p-rfm2**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2 )
##### Highlights
##### Container Runtime Interface (CRI)
- **Disable event subscriber during task cleanup** ([#12406](https://redirect.github.com/containerd/containerd/pull/12406 ))
- **Add SystemdCgroup to default runtime options** ([#12254](https://redirect.github.com/containerd/containerd/pull/12254 ))
- **Fix userns with container image VOLUME mounts that need copy** ([#12241](https://redirect.github.com/containerd/containerd/pull/12241 ))
##### Image Distribution
- **Add dial timeout field to hosts toml configuration** ([#12136](https://redirect.github.com/containerd/containerd/pull/12136 ))
##### Runtime
- **Update runc binary to v1.3.3** ([#12479](https://redirect.github.com/containerd/containerd/pull/12479 ))
- **Fix lost container logs from quickly closing io** ([#12376](https://redirect.github.com/containerd/containerd/pull/12376 ))
- **Create bootstrap.json with 0644 permission** ([#12184](https://redirect.github.com/containerd/containerd/pull/12184 ))
- **Fix pidfd leak in UnshareAfterEnterUserns** ([#12178](https://redirect.github.com/containerd/containerd/pull/12178 ))
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues .
##### Contributors
- Austin Vazquez
- Phil Estes
- Rodrigo Campos
- Wei Fu
- Akihiro Suda
- Derek McGowan
- Maksym Pavlenko
- ningmingxiao
- Kirtana Ashok
- Akhil Mohan
- Andrew Halaney
- Jin Dong
- Jose Fernandez
- Mike Baynton
- Philip Laine
- Swagat Bora
- wheat2018
##### Changes
<details><summary>56 commits</summary>
<p>
- Prepare release notes for v2.0.7 ([#12482](https://redirect.github.com/containerd/containerd/pull/12482 ))
  - [`4931e24f1`](4931e24f16 ) Prepare release notes for v2.0.7
  - [`205bc4f2d`](205bc4f2db ) Update mailmap
  - [`5f708b76a`](5f708b76a4 ) Merge commit from fork
  - [`8cd112d82`](8cd112d829 ) Fix directory permissions
  - [`05290b5bc`](05290b5bc8 ) Merge commit from fork
  - [`4d1edf4ad`](4d1edf4add ) fix goroutine leak of container Attach
- Update runc binary to v1.3.3 ([#12479](https://redirect.github.com/containerd/containerd/pull/12479 ))
  - [`b46dc6a67`](b46dc6a67c ) runc: Update runc binary to v1.3.3
- ci: bump Go 1.24.9; 1.25.3 ([#12361](https://redirect.github.com/containerd/containerd/pull/12361 ))
  - [`5e9c82178`](5e9c821780 ) Update GHA runners to use latest images for basic binaries build
  - [`7f59248dc`](7f59248dcd ) Update GHA runners to use latest image for most jobs
  - [`e1373e8a8`](e1373e8a8a ) ci: bump Go 1.24.9, 1.25.3
  - [`e1a910a6a`](e1a910a6a9 ) ci: bump Go 1.24.8; 1.25.2
  - [`fd04b7f17`](fd04b7f176 ) move exclude-dirs to issues.exclude-dirs
  - [`b49377975`](b493779751 ) update golangci-lint to v1.64.2
  - [`6e45022a1`](6e45022a1e ) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
  - [`09ce0f2a1`](09ce0f2a1e ) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
  - [`de63a740b`](de63a740b8 ) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
- Fix lost container logs from quickly closing io ([#12376](https://redirect.github.com/containerd/containerd/pull/12376 ))
  - [`f953ee8a3`](f953ee8a3c ) bugfix:fix container logs lost because io close too quickly
- CI: update Fedora to 43 ([#12448](https://redirect.github.com/containerd/containerd/pull/12448 ))
  - [`f6f15f513`](f6f15f5135 ) CI: update Fedora to 43
- Disable event subscriber during task cleanup ([#12406](https://redirect.github.com/containerd/containerd/pull/12406 ))
  - [`2a2329cbd`](2a2329cbd0 ) cri/server/podsandbox: disable event subscriber
- CI: skip ubuntu-24.04-arm on private repos ([#12428](https://redirect.github.com/containerd/containerd/pull/12428 ))
  - [`dfb954743`](dfb9547437 ) CI: skip ubuntu-24.04-arm on private repos
- Remove additional fuzzers from instrumentation repo ([#12420](https://redirect.github.com/containerd/containerd/pull/12420 ))
  - [`f6b02f6bb`](f6b02f6bb8 ) Remove additional fuzzers from CI
- runc:Update runc binary to v1.3.1 ([#12275](https://redirect.github.com/containerd/containerd/pull/12275 ))
  - [`75c13ee3f`](75c13ee3fc ) runc:Update runc binary to v1.3.1
- Add SystemdCgroup to default runtime options ([#12254](https://redirect.github.com/containerd/containerd/pull/12254 ))
  - [`427cdd06c`](427cdd06c9 ) add SystemdCgroup to default runtime options
- install-runhcs-shim: fetch target commit instead of tags ([#12255](https://redirect.github.com/containerd/containerd/pull/12255 ))
  - [`0b35e19fb`](0b35e19fb1 ) install-runhcs-shim: fetch target commit instead of tags
- Fix userns with container image VOLUME mounts that need copy ([#12241](https://redirect.github.com/containerd/containerd/pull/12241 ))
  - [`3212afc2f`](3212afc2f2 ) integration: Add test for directives with userns
  - [`b855c6e10`](b855c6e103 ) cri: Fix userns with Dockerfile VOLUME mounts that need copy
- Fix overlayfs issues related to user namespace ([#12223](https://redirect.github.com/containerd/containerd/pull/12223 ))
  - [`05c0c99f4`](05c0c99f43 ) core/mount: Retry unmounting idmapped directories
  - [`afdede4ce`](afdede4ced ) core/mount: Test cleanup of DoPrepareIDMappedOverlay()
  - [`47205f814`](47205f814d ) core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
  - [`6f4abd970`](6f4abd970a ) core/mount: Don't call nil function on errors
  - [`a2f0d65d7`](a2f0d65d78 ) core/mount: Only idmap once per overlayfs, not per layer
  - [`1c32accd7`](1c32accd71 ) Make ovl idmap mounts read-only
- ci: bump Go 1.23.12, 1.24.6 ([#12187](https://redirect.github.com/containerd/containerd/pull/12187 ))
  - [`9e72e91e6`](9e72e91e63 ) ci: bump Go 1.23.12, 1.24.6
- Create bootstrap.json with 0644 permission ([#12184](https://redirect.github.com/containerd/containerd/pull/12184 ))
  - [`009622e04`](009622e042 ) fix: create bootstrap.json with 0644 permission
- Fix pidfd leak in UnshareAfterEnterUserns ([#12178](https://redirect.github.com/containerd/containerd/pull/12178 ))
  - [`5bec0a332`](https://redirec
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through
Friday ( * * * * 1-5 ) (UTC).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate ).
---------
Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
Co-authored-by: pulumi-bot <bot@pulumi.com >
2025-11-20 20:33:06 +00:00
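The mapstructure advisory in the PR body above shows a decode error carrying the submitted value straight into a server log line. The following is an added example, not code from mapstructure, OpenBao or this repository: it uses the standard library's time.ParseDuration and strconv.ParseBool as stand-ins for the helpers WeakDecode calls (they echo their input the same way), a check that flags an error message that would reveal its input, and a wrapping pattern that keeps the field name and the strconv sentinel but never the value. The field name and input value are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample: a secret-looking value submitted in a field that expects
// a duration, like the malformed "ttl" in the advisory's request.
const (
	SampleField = "ttl"
	SampleRaw   = "hunter2-not-a-duration"
)

// DecodeDuration stands in for a WeakDecode-style conversion. Like the strconv
// helpers mapstructure calls, time.ParseDuration quotes the rejected input
// inside its error text ("time: invalid duration \"...\"").
func DecodeDuration(raw string) (time.Duration, error) {
	return time.ParseDuration(raw)
}

// DecodeBool shows the same behaviour via strconv: the *strconv.NumError it
// returns carries the offending input in Num and prints it from Error().
func DecodeBool(raw string) (bool, error) {
	return strconv.ParseBool(raw)
}

// ErrorEchoesInput reports whether writing err to a log would reveal raw.
// This is the check to run against any conversion layer before its errors
// are allowed into log output.
func ErrorEchoesInput(err error, raw string) bool {
	return err != nil && raw != "" && strings.Contains(err.Error(), raw)
}

// RedactedFieldError rebuilds the kind of error the advisory's field_data.go
// excerpt wraps, keeping the field name and expected type but never the
// submitted value. For strconv errors the sentinel (ErrSyntax or ErrRange)
// contains no input and is kept so callers can still errors.Is() on it;
// any other error is reduced to a fixed message.
func RedactedFieldError(field, wantType string, err error) error {
	if err == nil {
		return nil
	}
	var numErr *strconv.NumError
	if errors.As(err, &numErr) {
		return fmt.Errorf("error converting input for field %q to %s: %w", field, wantType, numErr.Err)
	}
	return fmt.Errorf("error converting input for field %q to %s: invalid value (redacted)", field, wantType)
}

// DecodeTTL is the hardened call site: the raw conversion error is used only
// for the decision, and the error that propagates to logs is the redacted one.
func DecodeTTL(field, raw string) (time.Duration, error) {
	d, err := DecodeDuration(raw)
	if err != nil {
		return 0, RedactedFieldError(field, "duration", err)
	}
	return d, nil
}

func main() {
	_, rawErr := DecodeDuration(SampleRaw)
	fmt.Printf("raw error leaks input: %v\n  %v\n", ErrorEchoesInput(rawErr, SampleRaw), rawErr)
	_, safeErr := DecodeTTL(SampleField, SampleRaw)
	fmt.Printf("redacted error leaks input: %v\n  %v\n", ErrorEchoesInput(safeErr, SampleRaw), safeErr)
}
```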
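The xz advisory in the same PR body describes the mitigation: treat the header's dictionary size as bounded by a caller limit, the minimum dictionary size and the stream size before allocating anything. This is an added standalone example, not code from the ulikunitz/xz library: it parses the 13-byte raw LZMA header with the standard library only and applies that policy to a constructed header and to the same header with a zero byte prepended. Assumptions: the 4 KiB minimum is the one the LZMA specification gives decoders, the 2^31-1 limit and 1 PiB stream bound are the advisory's defaults, and the clamp uses the header's declared uncompressed size rather than the file size, since a match can never reach further back than the bytes already decoded.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	HeaderLen = 13
	// The LZMA specification tells decoders to treat dictionary sizes below 4 KiB as 4 KiB.
	MinDictSize = 1 << 12
	// Defaults mirroring the advisory: a 2^31-1 byte dictionary limit and streams up to 1 PiB.
	DefaultDictLimit = int64(1<<31 - 1)
	MaxStreamSize    = uint64(1) << 50
	// An all-ones uncompressed size means "unknown"; the stream then ends with an end marker.
	unknownSize = ^uint64(0)
)

// Header is the decoded 13-byte raw LZMA ("LZMA-Alone") header.
type Header struct {
	LC, LP, PB int    // literal context, literal position and position bits
	DictSize   uint32 // dictionary size declared by the stream
	Size       int64  // uncompressed size, or -1 when unknown
}

// ParseHeader decodes the header without allocating anything. Note what it
// cannot do: there is no magic number or checksum, so a stream shifted by a
// stray leading byte still parses as a syntactically valid header.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < HeaderLen {
		return Header{}, errors.New("lzma: header too short")
	}
	props := int(b[0])
	if props >= 9*5*5 {
		return Header{}, fmt.Errorf("lzma: invalid properties byte 0x%02x", props)
	}
	h := Header{LC: props % 9, LP: (props / 9) % 5, PB: props / 45}
	h.DictSize = binary.LittleEndian.Uint32(b[1:5])
	switch u := binary.LittleEndian.Uint64(b[5:13]); {
	case u == unknownSize:
		h.Size = -1
	case u > MaxStreamSize:
		return Header{}, fmt.Errorf("lzma: declared stream size %d exceeds 1 PiB", u)
	default:
		h.Size = int64(u)
	}
	return h, nil
}

// BoundedDictCap is the allocation policy: refuse dictionaries above the
// caller's limit, and never allocate more than the stream can reference
// (a match distance cannot exceed the bytes already produced), while
// respecting the 4 KiB minimum. Only the returned size is ever allocated.
func BoundedDictCap(h Header, limit int64) (int64, error) {
	want := int64(h.DictSize)
	if want < MinDictSize {
		want = MinDictSize
	}
	if want > limit {
		return 0, fmt.Errorf("lzma: dictionary size %d exceeds limit %d", want, limit)
	}
	if h.Size >= 0 && h.Size < want {
		want = h.Size
		if want < MinDictSize {
			want = MinDictSize
		}
	}
	return want, nil
}

// Constructed sample: properties 0x5D (lc=3, lp=0, pb=2), an 8 MiB dictionary
// and 100 bytes of uncompressed data. Not taken from any real archive.
var SampleHeader = []byte{0x5D, 0x00, 0x00, 0x80, 0x00, 0x64, 0, 0, 0, 0, 0, 0, 0}

// The same header with one zero byte prepended, the corruption from the report:
// the dictionary field now reads the old properties byte plus three size bytes,
// which decodes to 0x8000005D, just above the 2^31-1 default limit.
var ZeroPrefixed = append([]byte{0x00}, SampleHeader...)

func describe(name string, b []byte) {
	h, err := ParseHeader(b)
	if err != nil {
		fmt.Printf("%s: header rejected: %v\n", name, err)
		return
	}
	dictCap, err := BoundedDictCap(h, DefaultDictLimit)
	if err != nil {
		fmt.Printf("%s: declared dict %d bytes, refused: %v\n", name, h.DictSize, err)
		return
	}
	fmt.Printf("%s: declared dict %d bytes, allocating %d bytes\n", name, h.DictSize, dictCap)
}

func main() {
	describe("intact", SampleHeader)
	describe("zero-prefixed", ZeroPrefixed)
}
```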
Pulumi Bot
c7ab0e0f35
Update GitHub Actions workflows. ( #669 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 9575e75e5316d699a77abf48a351abe840e1bed5.
2025-11-20 05:54:04 +00:00
pulumi-renovate[bot]
b1e526630c
Update module golang.org/x/crypto to v0.45.0 [SECURITY] ( #668 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/crypto | require | minor | `v0.39.0` -> `v0.45.0` |
### GitHub Vulnerability Alerts
#### [CVE-2025-58181](https://nvd.nist.gov/vuln/detail/CVE-2025-58181 )
SSH servers parsing GSSAPI authentication requests do not validate the
number of mechanisms specified in the request, allowing an attacker to
cause unbounded memory consumption.
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - Monday through
Friday ( * * * * 1-5 ) (UTC).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate ).
---------
Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
Co-authored-by: pulumi-bot <bot@pulumi.com >
2025-11-20 02:14:14 +00:00
Pulumi Bot
32ecb82eb6
Update GitHub Actions workflows. ( #667 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit f76cbff100ad8e6e3192b379edb5bcf1f536eb3e.
2025-11-15 05:55:02 +00:00
Pulumi Bot
77b931b32c
Update GitHub Actions workflows. ( #666 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit ed916848970fd62ea0f62c7e6ac674d4d5ca05ef.
2025-11-14 05:58:25 +00:00
Pulumi Bot
487acd799c
Update GitHub Actions workflows. ( #663 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 962009a157587c5c11d686e51206a2d312bc4618.
2025-11-11 05:53:59 +00:00
Pulumi Bot
8e273d9f68
Update GitHub Actions workflows. ( #662 )
...
This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit 52b77e4c448dd747630cff0918ade69cef3b4f16.
2025-11-10 15:47:40 -08:00
Pulumi Bot
faffc8cc45
Update GitHub Actions workflows. ( #633 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 5619381e924fbac90750f41b6a27cadcd11c4c2d.
2025-10-22 05:56:54 +00:00
Alberto Pose
2b1230f252
Introduce ${GOTEST} Makefile variable to override test runner. ( #632 )
...
Allow using other tools like `gotestsum` locally.
2025-10-20 15:20:48 +01:00
Pulumi Bot
eaf5461bbc
Update GitHub Actions workflows. ( #631 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit f0bcdaf5cb0825e542d0a2eb71f05d538135a9bc.
2025-10-18 05:52:38 +00:00
Alberto Pose
38e65a3f81
Remove URL and Token arguments from CacheFromGitHubActions. ( #626 )
...
Fixes #75
Arguments URL and Token have been removed but `$ACTIONS_CACHE_URL` and
`$ACTIONS_RUNTIME_TOKEN` env variables could be injected if desired.
---------
Co-authored-by: Bryce Lampe <bryce@pulumi.com >
v0.0.15
2025-10-17 11:00:40 +01:00
Pulumi Bot
1811524e66
Update GitHub Actions workflows. ( #629 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 16969054030269fefacac22b8536d1f80ed8e2d9.
2025-10-16 05:52:39 +00:00
Pulumi Bot
361335bba0
Update GitHub Actions workflows. ( #628 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 0fccf404186fee66f0a9bb9b53959a52b4812c5e.
2025-10-14 05:54:14 +00:00
Pulumi Bot
49deed7d9c
Update GitHub Actions workflows. ( #627 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit b4e68d0418afb9fa72c1e31347a01f7fae952eff.
2025-10-10 05:51:39 +00:00
Alberto Pose
ff8995c434
Move _index.md and installation-configuration.md into the repo. ( #622 )
...
Related to: https://github.com/pulumi/registry/pull/8814
Make this provider follow the Pulumi official convention of [using the
`_index.md` and
`installation-configuration.md`](https://www.pulumi.com/docs/iac/build-with-pulumi/publishing-packages/#write-documentation ).
2025-10-09 09:34:35 +01:00
Pulumi Bot
c159079132
Update GitHub Actions workflows. ( #624 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 45de636c4cb364e6fc2ab50006d5358239005657.
2025-10-09 05:52:11 +00:00
Pulumi Bot
24ebad1ee5
Update GitHub Actions workflows. ( #623 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 93823adfede429861d981e43f485afda9292376e.
2025-10-08 05:55:33 +00:00
Alberto Pose
40c723d82f
Remove installation of pulumi CLI and golangci-lint from Makefile ( #621 )
...
Installation of runtime and tools should now be done through `mise`.
In addition, the following binaries are included with `pulumi` CLI:
* pulumi-language-go
* pulumi-language-nodejs
* pulumi-language-python
* pulumi-language-java
* pulumi-language-dotnet
* pulumi-converter-yaml
2025-10-07 16:18:53 +01:00
Pulumi Bot
36362d0317
Update GitHub Actions workflows. ( #620 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 23f84aba12118601865d1a686c2c46a4ec3fa729.
2025-10-03 22:26:52 +00:00
Pulumi Bot
0b684b81fb
Update GitHub Actions workflows. ( #619 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 58bbf9b943afc66c10382b6fa89dc3e226f18f20.
2025-10-03 05:53:37 +00:00
Pulumi Bot
ebf4290bb2
Update GitHub Actions workflows. ( #617 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 72d9a2e28cf75e7d1ba2c5e6324d26546c95e4cb.
2025-10-02 05:55:45 +00:00
Pulumi Bot
c7b2867559
Update GitHub Actions workflows. ( #616 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit d2d946e761bab19abc5e5a598d44cf709dae77e9.
v0.0.14
2025-10-01 05:54:01 +00:00
Bryce Lampe
5e589f61ec
Upgrade go-provider to 1.1.2 ( #615 )
...
Fixes https://github.com/pulumi/pulumi-docker-build/issues/579 .
2025-09-30 16:40:35 -07:00
Pulumi Bot
5f0c2ede72
Update GitHub Actions workflows. ( #613 )
...
This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit f16439eadce749cfc5fc959f926069e5943f4640.
2025-09-29 22:24:54 +00:00
Pulumi Bot
d27e6d14db
Update GitHub Actions workflows. ( #612 )
...
This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit e43a0e1c1f44e3e431240deb0ac363cf172ae9a9.
2025-09-29 15:36:43 -04:00
Cory Hall
6ae16f10ff
chore: update modulePath in ci-mgmt ( #607 )
...
This is needed for https://github.com/pulumi/ci-mgmt/pull/1730
2025-09-29 12:01:37 -04:00
Pulumi Bot
f17e43bad7
Update GitHub Actions workflows. ( #604 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 2b81d6d332c32c7ebc106fb53b745cbbfec266c7.
2025-09-16 05:49:46 +00:00
Pulumi Bot
bce330f598
Update GitHub Actions workflows. ( #603 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 0337d8381eace02d1b6fb82d43e3ab543bf5774a.
2025-09-12 23:58:08 +00:00
Pulumi Bot
5107181566
Update GitHub Actions workflows. ( #602 )
...
This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit c390ce58d72b0eb947d844358c3204353b21839c.
2025-09-11 19:03:02 +00:00
Bryce Lampe
0a2dd6e758
Confirming ESC fixes ( #599 )
...
Validating https://github.com/pulumi/ci-mgmt/pull/1705 .
2025-09-10 14:19:45 -07:00
Pulumi Bot
a0e387d0a8
Update GitHub Actions workflows. ( #597 )
...
This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit 42e0ba87f4de47d7ab085a3916669e193ec1ff4e.
---------
Co-authored-by: Bryce Lampe <bryce@pulumi.com >
2025-09-10 19:49:21 +00:00
Bryce Lampe
daa144c232
Use ESC for secrets ( #594 )
...
Refs https://github.com/pulumi/ci-mgmt/issues/1481
2025-09-10 09:45:06 -07:00
Pulumi Bot
1203c3b31f
Update GitHub Actions workflows. ( #595 )
...
This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit 4125efba3dbbc633190a388a9f8b0408d755089c.
2025-09-10 16:11:45 +00:00
Pulumi Bot
62ff8bf2d2
Update GitHub Actions workflows. ( #593 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 2ce6f269d9892f74ed14f645f41e402e7ff8d416.
Co-authored-by: Bryce Lampe <bryce@pulumi.com >
2025-09-05 21:49:19 +00:00
Pulumi Bot
3b7e31b388
Automated upgrade: bump pulumi/pulumi to 3.192.0 ( #592 )
...
Automated upgrade: bump pulumi/pulumi to 3.192.0
---------
Co-authored-by: Bryce Lampe <bryce@pulumi.com >
2025-09-05 14:36:43 -07:00
Pulumi Bot
c46d343c53
Update GitHub Actions workflows. ( #586 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit ed2094cef48b491325b4ceebfceb6c0a555f1c04.
2025-08-28 05:49:05 +00:00
Pulumi Bot
4166f9da1b
Update GitHub Actions workflows. ( #585 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 89dd865db8cef8be4f3f0a978cf8007892e51567.
2025-08-27 19:47:54 +00:00
Bryce Lampe
4e934974ee
Update p-go-provider to fix version replacement behavior ( #584 )
...
Updates p-go-provider to pull in
https://github.com/pulumi/pulumi-go-provider/pull/410 . In particular
this fixes an issue where the provider would get replaced on version
changes.
Fixes https://github.com/pulumi/pulumi-docker-build/issues/581
v0.0.13
2025-08-27 11:14:21 -07:00
Pulumi Bot
4262717644
Update GitHub Actions workflows. ( #582 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 19c542b12a65e3f3ec1d8213111262a9887dcda0.
2025-08-26 05:48:46 +00:00
Pulumi Bot
997794b59f
Update GitHub Actions workflows. ( #580 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit dfe14f327ab8b4653dc5a4edf60e1f13814519e9.
2025-08-23 05:46:29 +00:00
Pulumi Bot
a168c92f12
Update GitHub Actions workflows. ( #577 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 9b60d6c643780f4a645273cb6a5b3dcce6687d94.
2025-08-15 21:38:53 +00:00
Pulumi Bot
91fdae679d
Update GitHub Actions workflows. ( #575 )
...
This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit 4ac37ece8be37ce71d07d3e42b89c7c306173b9b.
2025-08-15 16:45:42 +00:00
Pulumi Bot
ee4aa2505e
Update GitHub Actions workflows. ( #574 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit f90df7559c86efa5ae3108b58c7d554865f2eb56.
2025-08-15 05:47:34 +00:00
Pulumi Bot
9fa5fcabe5
Update GitHub Actions workflows. ( #572 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit b21f824c0283ef293cdf550403adf1d4bbfcfdb1.
2025-08-14 05:48:17 +00:00
Matthew (Matt) Jeffryes
b7d239127c
Update pulumi/pulumi dependency to 3.187.0 ( #568 )
...
Fixes https://github.com/pulumi/pulumi-docker-build/issues/551
(sort of - the underlying problem that this repo pins SDK dependencies
that don't get automatically updated by the workflow still exists, but it
should at least work until the codegen APIs change again.)
2025-08-12 14:47:58 -07:00
Pulumi Bot
c4526b3f31
Update GitHub Actions workflows. ( #567 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 44b6bb6137363838b9ea58d69a7ad2f45bb93b7f.
2025-08-12 05:51:01 +00:00
Pulumi Bot
eebb4e8d0e
Update GitHub Actions workflows. ( #566 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit c53718801bb3dd185442d5f4161ab52eae5e2ab7.
2025-08-09 05:48:18 +00:00
Pulumi Bot
3bca7cb8c7
Update GitHub Actions workflows. ( #564 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit b3ee77fa5b79734c33e2a074744b4f5873e72478.
2025-08-06 05:52:02 +00:00
Pulumi Bot
3a50555d36
Update GitHub Actions workflows. ( #563 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit a94a4e21904c11dcb4a6d42bed9806407ac2cdad.
2025-07-26 05:49:46 +00:00
Pulumi Bot
591c008fb9
Update GitHub Actions workflows. ( #561 )
...
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 584f336d188f5bdd50ba9a49066dfcc18c1ac79d.
2025-07-24 05:49:39 +00:00