build(deps): Bump the go_modules group across 1 directory with 12 updates

[dependabot]

Bumps the go_modules group with 10 updates in the / directory:

Package	From	To
github.com/CosmWasm/wasmd	0.45.0	0.53.3
filippo.io/edwards25519	1.1.0	1.1.1
github.com/docker/docker	27.1.1+incompatible	28.0.0+incompatible
github.com/dvsekhvalnov/jose2go	1.6.0	1.7.0
github.com/go-viper/mapstructure/v2	2.2.1	2.4.0
github.com/hashicorp/go-getter	1.7.5	1.7.9
github.com/opencontainers/runc	1.2.3	1.2.8
github.com/ulikunitz/xz	0.5.11	0.5.14
golang.org/x/crypto	0.41.0	0.45.0
golang.org/x/oauth2	0.25.0	0.27.0

Updates github.com/CosmWasm/wasmd from 0.45.0 to 0.53.3

Release notes

Sourced from github.com/CosmWasm/wasmd's releases.

v0.53.3

Fixes CWA-2025-004, CWA-2025-005 and CWA-2025-006

v0.53.2

See the CHANGELOG for details on the changes in this version.

v0.53.0

See the CHANGELOG for details on the changes in this version.

v0.52.0

Wasmd v0.52.0 Release

See the CHANGELOG for details on the changes in this version.

v0.51.0

Wasmd v0.51.0 Release

See the CHANGELOG for details on the changes in this version.

v0.50.0

Wasmd v0.50.0 Release

See the CHANGELOG for details on the changes in this version.

Big thanks to all the people who helped us with this release! 😍 Especially Binary Builders, Notional and the IBC-Go team 💪 And not to forget our sponsors. 🤗

v0.46.0

See the CHANGELOG for details on the changes in this version.

Changelog

Sourced from github.com/CosmWasm/wasmd's changelog.

Changelog

Unreleased

Full Changelog

v0.61.7 (2026-01-29)

Full Changelog

• Bump cosmos-sdk to v0.53.5
• Bump cometbft to v0.38.21
• Bump ibc-go to v10.5.0

v0.61.5 (2025-11-04)

Full Changelog

• Fix ContractInfo protobuf message #2390
• Retracted v0.61.0 v0.61.1 v0.61.2 v0.61.3 v0.61.4 because of unnecessary api breaking changes. See CosmWasm/wasmd#2386 for more details.

v0.61.4 (2025-08-29)

Full Changelog

• Bump wasmvm to v3.0.2 #2359

v0.61.3 (2025-08-27)

Full Changelog

• Bump wasmvm to v3.0.1 #2355

v0.61.2 (2025-07-29)

Full Changelog

• Bump cosmos-sdk to v0.53.4 #2334

v0.61.1 (2025-07-08)

Full Changelog

• Bump cosmos-sdk to v0.53.3 which includes a security fix to ISA-2025-005

v0.61.0 (2025-06-24)

Full Changelog

• Update to wasmvm 3.0.0 #2304

... (truncated)

Commits

• 9c7d001 Fix tests
• e9a51ce Add setup cost for IBC operations
• 532e6ca Add comments
• 2d89dd7 Restructure error handling
• 06a086b Fix
• 17a5e7a Improve readability
• 8d051f8 Fix
• c498a46 fix: no-cgo keeper signature (#2080)
• e5392ce Add changelog entry
• 17e3340 Add test for StoreCode simulation
• Additional commits viewable in compare view

Updates github.com/cometbft/cometbft from 0.37.13 to 0.38.11

Release notes

Sourced from github.com/cometbft/cometbft's releases.

v0.38.11

CHANGELOG

v0.38.10

See the CHANGELOG for this release.

v0.38.9

See the CHANGELOG for this release.

v0.38.8

See the CHANGELOG for this release.

v0.38.7

See the CHANGELOG for this release.

v0.38.6

See the CHANGELOG for this release.

v0.38.5

See the CHANGELOG for this release.

v0.38.4

See the CHANGELOG for this release.

v0.38.3

See the CHANGELOG for this release.

v0.38.2

See the CHANGELOG for this release.

v0.38.1

See the CHANGELOG for this release.

v0.38.0

See the CHANGELOG for this release.

v0.38.0-rc3

See the CHANGELOG for changes available in this pre-release, but not yet officially released.

v0.38.0-rc2

See the CHANGELOG for changes available in this pre-release, but not yet officially released.

v0.38.0-rc1

See the CHANGELOG for changes available in this pre-release, but not yet officially released.

v0.38.0-alpha.2

See the CHANGELOG for changes available in this pre-release, but not yet officially released.

v0.38.0-alpha.1

See the CHANGELOG for changes available in this pre-release, but not yet officially released.

... (truncated)

Changelog

Sourced from github.com/cometbft/cometbft's changelog.

v0.38.11

August 12, 2024

This release fixes a panic in consensus where CometBFT would previously panic if there's no extension signature in non-nil Precommit EVEN IF vote extensions themselves are disabled.

It also includes a few other bug fixes and performance improvements.

BUG FIXES

• [types] Only check IFF vote is a non-nil Precommit if extensionsEnabled types (#3565)

IMPROVEMENTS

• [indexer] Fixed ineffective select break statements; they now point to their enclosing for loop label to exit (#3544)

v0.38.10

July 16, 2024

This release fixes a bug in v0.38.x that prevented ABCI responses from being correctly read when upgrading from v0.37.x or below. It also includes a few other bug fixes and performance improvements.

BUG FIXES

• [p2p] Node respects configured max_num_outbound_peers limit when dialing peers provided by a seed node (#486)
• [rpc] Fix an issue where a legacy ABCI response, created on v0.37 or before, is not returned properly in v0.38 and up on the /block_results RPC endpoint. (#3002)
• [blocksync] Do not stay in blocksync if the node's validator voting power is high enough to block the chain while it is not online (#3406)

IMPROVEMENTS

• [p2p/conn] Update send monitor, used for sending rate limiting, once per batch of packets sent (#3382)
• [libs/pubsub] Allow dash (-) in event tags (#3401)
• [p2p/conn] Remove the usage of a synchronous pool of buffers in secret connection, storing instead the buffer in the connection struct. This reduces the synchronization primitive usage, speeding up the code. (#3403)

... (truncated)

Commits

• e1b4453 v0.38.11 (#3684)
• 66a0447 build(deps): Bump docker/build-push-action from 6.5.0 to 6.6.1 (#3676)
• cd3519d build(deps): Bump bufbuild/buf-setup-action from 1.35.1 to 1.36.0 (#3675)
• c17d1f6 fix(types): Only require extension signature if extensions are enabled (#3565)
• f85d897 feat(mempool): add error ErrRecheckFull (backport #3654) (#3656)
• 9de925c fix(e2e): replace docker-compose w/ docker compose (backport #3614) (#3616)
• e9bd8a9 build(deps): Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 (#3610)
• 61ca12e build(deps): Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 (#3584)
• cba216a build(deps): Bump docker/login-action from 3.2.0 to 3.3.0 (#3585)
• aaf83e9 build(deps): Bump docker/build-push-action from 6.4.1 to 6.5.0 (#3586)
• Additional commits viewable in compare view

Updates github.com/cosmos/cosmos-sdk from 0.47.17 to 0.50.9

Release notes

Sourced from github.com/cosmos/cosmos-sdk's releases.

v0.50.9

Cosmos SDK v0.50.9 Release Notes

💬 Release Discussion

🚀 Highlights

For this month patch release of the v0.50.x line, some bugs were fixed.

Notably, we fixed the following:

• PreBlock events (mainly x/upgrade) are now emitted
• Improve compatibility of depinject v1.0.0 with app.yaml / app.json

📝 Changelog

Check out the changelog for an exhaustive list of changes, or compare changes from the last release.

Refer to the upgrading guide when migrating from v0.47.x to v0.50.1. Note, that the next SDK release, v0.52, will not include x/params migration, when migrating from < v0.47, v0.50.x or v0.47.x, is a mandatory migration.

v0.50.8

Cosmos SDK v0.50.8 Release Notes

💬 Release Discussion

🚀 Highlights

For this month patch release of the v0.50.x line, a few improvements were added to the SDK and some bugs were fixed.

Notably, we added and fixed the following:

• Allow to import private key from mnemonic file using <appd> keys add testing --recover --source ./mnemonic.txt
• Fixed json parsing in simd q wait-tx

📝 Changelog

Check out the changelog for an exhaustive list of changes, or compare changes from the last release.

Refer to the upgrading guide when migrating from v0.47.x to v0.50.1. Note, that the next SDK release, v0.51, will not include x/params migration, when migrating from < v0.47, v0.50.x or v0.47.x, is a mandatory migration.

v0.50.7

Cosmos SDK v0.50.7 Release Notes

💬 Release Discussion

🚀 Highlights

... (truncated)

Changelog

Sourced from github.com/cosmos/cosmos-sdk's changelog.

v0.50.9 - 2024-08-07

Bug Fixes

• (baseapp) #21159 Return PreBlocker events in FinalizeBlockResponse.
• #20939 Fix collection reverse iterator to include pagination.key in the result.
• (client/grpc) #20969 Fix node.NewQueryServer method not setting cfg.
• (testutil/integration) #21006 Fix NewIntegrationApp method not writing default genesis to state.
• (runtime) #21080 Fix app.yaml / app.json incompatibility with depinject v1.0.0.

v0.50.8 - 2024-07-15

Features

• (client) #20690 Import mnemonic from file

Improvements

• (x/authz,x/feegrant) #20590 Provide updated keeper in depinject for authz and feegrant modules.
• #20631 Fix json parsing in the wait-tx command.
• (x/auth) #20438 Add --skip-signature-verification flag to multisign command to allow nested multisigs.

v0.50.7 - 2024-06-04

Improvements

• (debug) #20328 Add consensus address for debug cmd.
• (runtime) #20264 Expose grpc query router via depinject.
• (x/consensus) #20381 Use Comet utility for consensus module consensus param updates.
• (client) #20356 Overwrite client context when available in SetCmdClientContext.

Bug Fixes

• (simulation) #17911 Fix all problems with executing command make test-sim-custom-genesis-fast for simulation test.
• (simulation) #18196 Fix the problem of validator set is empty after InitGenesis in simulation test.
• (baseapp) #20346 Correctly assign execModeSimulate to context for simulateTx.
• (baseapp) #20144 Remove txs from mempool when AnteHandler fails in recheck.
• (baseapp) #20107 Avoid header height overwrite block height.
• (cli) #20020 Make bootstrap-state command support both new and legacy genesis format.
• (testutil/sims) #20151 Set all signatures and don't overwrite the previous one in GenSignedMockTx.

v0.50.6 - 2024-04-22

Features

• (types) #19759 Align SignerExtractionAdapter in PriorityNonceMempool Remove.
• (client) #19870 Add new query command wait-tx. Alias event-query-tx-for to wait-tx for backward compatibility.

Improvements

... (truncated)

Commits

• 8bfcf55 ci: attempt to fix goreleaser (backport #21194) (#21196)
• 16d3025 chore: prepare v0.50.9 (#21163)
• 3f6796f fix(baseapp): return events from preblocker in FinalizeBlockResponse (backpor...
• 3fc8074 build(deps): Bump cosmossdk.io/x/tx from 0.13.3 to 0.13.4 (#21170)
• a565daa chore: bring in v0.13.x x/tx in release/v0.50.x (#21158)
• 31ef899 docs: Fix cli usage examples (backport #21150) (#21154)
• ffd5696 fix(simapp): concurrent map writes when calling GetSigners (backport #21073) ...
• 91d412c feat: check latest block if no arg in q block and q block-results (backpo...
• e135030 fix(runtime): remove appv1alpha1.Config from runtime (backport #21042) (#21...
• 0702719 feat: use depinject v1.0.0 (#21000)
• Additional commits viewable in compare view

Updates filippo.io/edwards25519 from 1.1.0 to 1.1.1

Commits

• d1c650a extra: initialize receiver in MultiScalarMult
• See full diff in compare view

Updates github.com/docker/docker from 27.1.1+incompatible to 28.0.0+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.0 milestone
• moby/moby, 28.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
  • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
• docker images --tree now shows metadata badges. docker/cli#5744
• docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
• Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
• docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
• Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

• The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
  • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
  • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
• DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
  • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
• Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
  • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
  • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
• The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
• Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
• Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
  • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
  • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
  • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
  • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
• If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

• dockerd now requires ipset support in the Linux kernel. moby/moby#48596
  • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
  • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
    • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
• Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
• Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

Commits

• af898ab Merge pull request #49495 from vvoland/update-buildkit
• d67f035 vendor: github.com/moby/buildkit v0.20.0
• 00ab386 Merge pull request #49491 from vvoland/update-buildkit
• 1fde8c4 builder-next: fix cdi manager
• cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
• 89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
• b2b5590 Dockerfile: fix linting warnings
• 62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
• 670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
• a3628f3 docs/api: add documentation for API v1.48
• Additional commits viewable in compare view

Updates github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0

Commits

• 0a0673d Merge pull request #34 from dvsekhvalnov/issue-33-deflate-limit
• c3fff7c docs
• e51b47f docs
• c7dde52 fixing workflow
• a194baa added go versions and OSs to matrix
• f31cfc6 fixing yaml
• 1a4ba55 added matrix to workflow
• d2baff2 go workflow
• b14c81a added limitation for deflate decompression stream
• See full diff in compare view

Updates github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.4.0

Release notes

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.4.0

What's Changed

• refactor: replace interface{} with any by @​sagikazarmark in go-viper/mapstructure#115
• build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by @​dependabot[bot] in go-viper/mapstructure#114
• Generic tests by @​sagikazarmark in go-viper/mapstructure#118
• Fix godoc reference link in README.md by @​peczenyj in go-viper/mapstructure#107
• feat: add StringToTimeLocationHookFunc to convert strings to *time.Location by @​ErfanMomeniii in go-viper/mapstructure#117
• feat: add back previous StringToSlice as a weak function by @​sagikazarmark in go-viper/mapstructure#119

New Contributors

• @​ErfanMomeniii made their first contribution in go-viper/mapstructure#117

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0

v2.3.0

What's Changed

• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot in go-viper/mapstructure#46
• build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot in go-viper/mapstructure#47
• [enhancement] Add check for reflect.Value in ComposeDecodeHookFunc by @​mahadzaryab1 in go-viper/mapstructure#52
• build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @​dependabot in go-viper/mapstructure#51
• build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by @​dependabot in go-viper/mapstructure#50
• build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @​dependabot in go-viper/mapstructure#55
• build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @​dependabot in go-viper/mapstructure#58
• ci: add Go 1.24 to the test matrix by @​sagikazarmark in go-viper/mapstructure#74
• build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by @​dependabot in go-viper/mapstructure#72
• build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in go-viper/mapstructure#76
• build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot in go-viper/mapstructure#78
• feat: add decode hook for netip.Prefix by @​tklauser in go-viper/mapstructure#85
• Updates by @​sagikazarmark in go-viper/mapstructure#86
• build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by @​dependabot in go-viper/mapstructure#87
• build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in go-viper/mapstructure#93
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by @​dependabot in go-viper/mapstructure#92
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by @​dependabot in go-viper/mapstructure#97
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot in go-viper/mapstructure#96
• Update README.md by @​peczenyj in go-viper/mapstructure#90
• Add omitzero tag. by @​Crystalix007 in go-viper/mapstructure#98
• Use error structs instead of duplicated strings by @​m1k1o in go-viper/mapstructure#102
• build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @​dependabot in go-viper/mapstructure#101
• feat: add common error interface by @​sagikazarmark in go-viper/mapstructure#105
• update linter by @​sagikazarmark in go-viper/mapstructure#106
• Feature allow unset pointer by @​rostislaved in go-viper/mapstructure#80

New Contributors

• @​tklauser made their first contribution in go-viper/mapstructure#85
• @​peczenyj made their first contribution in go-viper/mapstructure#90
• @​Crystalix007 made their first contribution in go-viper/mapstructure#98
• @​rostislaved made their first contribution in go-viper/mapstructure#80

Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0

Commits

• b9794a5 Merge pull request #119 from go-viper/string-to-weak-slice
• 17cdcb0 feat: add back previous StringToSlice as a weak function
• 3caca36 Merge pull request #117 from ErfanMomeniii/main
• 9a861bc Merge pull request #107 from peczenyj/patch-2
• 86ed5b5 refactor: update
• ace5b4e chore: add interface any linter
• 1a4f1ae Merge pull request #118 from go-viper/generic-tests
• a268909 fix: lint
• 17f1fd4 test: add more comments
• b48c856 test: expand tests
• Additional commits viewable in compare view

Updates github.com/hashicorp/go-getter from 1.7.5 to 1.7.9

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.9

What's Changed

• Speed up XZ decompression by 5x with bufio wrapper by @​vsarunas in hashicorp/go-getter#520
• Fix CI Workflow by @​mohanmanikanta2299 in hashicorp/go-getter#522
• test: Remove use of "mitchellh/go-testing-interface" for stdlib by @​jrasell in hashicorp/go-getter#523
• fix: url redact of multiple sshkey by @​dduzgun-security in hashicorp/go-getter#528
• Publish arm binaries by @​sethvargo in hashicorp/go-getter#525
• fix errcheck lint errors and run it as part of pr checks by @​abhijeetviswa in hashicorp/go-getter#530
• fix additional lint errors and increase linter scope by @​abhijeetviswa in hashicorp/go-getter#531
• IND-3728 enabling dependabot by @​KaushikiAnand in hashicorp/go-getter#529
• fix: go-getter subdir paths by @​dduzgun-security in hashicorp/go-getter#540

New Contributors

• @​vsarunas made their first contribution in hashicorp/go-getter#520
• @​jrasell made their first contribution in hashicorp/go-getter#523
• @​sethvargo made their first contribution in hashicorp/go-getter#525
• @​abhijeetviswa made their first contribution in hashicorp/go-getter#530
• @​KaushikiAnand made their first contribution in hashicorp/go-getter#529

Full Changelog: hashicorp/go-getter@v1.7.8...v1.7.9

v1.7.8

What's Changed

• sec: fix s3 and gcs host checks by @​dduzgun-security in hashicorp/go-getter#512

Full Changelog: hashicorp/go-getter@v1.7.7...v1.7.8

v1.7.7

What's Changed

• Clean up git repo on disk when the ref checkout fails by @​james-warren0 in hashicorp/go-getter#504
• [COMPLIANCE] Add Copyright and License Headers by @​hashicorp-copywrite in hashicorp/go-getter#409
• Add CODEOWNERS file in .github/CODEOWNERS by @​mukeshjc in hashicorp/go-getter#505
• IND-1804 Bump up dependencies to remediate vulnerabiities by @​mohanmanikanta2299 in hashicorp/go-getter#513
• Updating arguments in github release CI by @​mohanmanikanta2299 in hashicorp/go-getter#514
• Updating .goreleaser.yml file with valid version by @​mohanmanikanta2299 in hashicorp/go-getter#515

New Contributors

• @​james-warren0 made their first contribution in hashicorp/go-getter#504
• @​mukeshjc made their first contribution in hashicorp/go-getter#505
• @​mohanmanikanta2299 made their first contribution in hashicorp/go-getter#513

Full Changelog: hashicorp/go-getter@v1.7.6...v1.7.7

v1.7.6

What's Changed

• fix: Avoid panic when s3 URL is invalid by @​liamg in hashicorp/go-getter#501

New Contributors

• @​liamg made their first contribution in hashicorp/go-getter#501

... (truncated)

Commits

• e702211 Merge pull request #532 from hashicorp/dependabot/github_actions/actions-8948...
• df0a14f [chore] : Bump the actions group with 8 updates
• 87541b2 fix: go-getter subdir paths (#540)
• 3713030 [Compliance] - PR Template Changes Required
• af2dd3c Merge pull request #529 from hashicorp/dependabot-intge
• bf52629 updating dependabot.yml
• 1f63e10 changelog added, updated dependabot.yaml
• 45af459 fix additional lint errors and increase linter scope
• c8c6aba fix errcheck lint errors and run it as part of pr checks
• 9b76f98 copywrite header added
• Additional commits viewable in compare view

Updates github.com/opencontainers/runc from 1.2.3 to 1.2.8

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Security

• CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.8] - 2025-11-05

鳥籠の中に囚われた屈辱を

Security

This release includes fixes for the following high-severity security issues:

• CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind...

  Description has been truncated